Data Mining Protection: Taking A Privacy Roadtrip with IRMA

If you have ever clicked “I Agree” on Facebook or an Apple device without really going through it, it might be worth your while to go back and read up. Do you know where your data is going?

A few months ago I went to get a haircut at my local barber shop. The work was done and I walked to the register to pay. The kind lady who had done my hair asked me something I had somehow never seen coming: “Would you like to fill out this customer loyalty card?”

My barbershop, a place that had always remained unchanging, the last bastion of complete digital disconnection, had entered the digital age of nonsensical data gathering and targeted marketing. I regretted it instantly.

A casual look at the contents of one’s wallet now tells you exactly how far the broad-spectrum gathering has already gone. All the credit card-shaped slots in my wallet are full and I have a stack of at least 40 similar cards at home that I don’t use.

All those customer loyalty cards are there for one key reason: data mining. Many organizations are trying to get to know as much about you as they possibly can. Very often this includes things about you that they have no purpose for.

Whether they want to be better at targeting their sales efforts at you, or to resell that information to third parties, the endgame is almost always about profit.

And the reselling of such data doesn’t just happen occasionally – it’s big business. According to a McKinsey Global Institute study from 2012, data is a $300 billion a year business that employs 3 million people in the US alone.

You’ve probably never heard of companies like Acxiom, but you can be sure that they know all about you. Information that you gave one company is happily sold to another company without your knowledge and in most cases, with unknowing consent.

With the ever increasing digitalization of our society, it’s becoming more and more obvious that all that information gathering and sharing comes at a great cost: our privacy. Fortunately, there are some great initiatives on the horizon that help combat the broad-spectrum data mining that is going largely unchecked.

IRMA is one of those initiatives that can help a great deal. IRMA stands for I Reveal My Attributes, and essentially comprises a whole new way of approaching identity, authorization and authentication.

It is a project of the Privacy & Identity Lab, which is a collaborative union between research-oriented institutes in the Netherlands such as the Radboud University Nijmegen, the Tilburg Institute of Law, Technology and Society (TILT) and TNO.

Using the underlying technologies of Idemix (IBM) and U-Prove (now Microsoft), IRMA is essentially a new form of identity smartcard that can be ‘loaded’ with various sets of ‘credentials’ from different sources, such as the local authorities.

Information such as Date of Birth, Nationality or Place of Residence can be stored on the card and you can use those attributes in transactions both online and offline in a variety of scenarios.

For instance, when voting in local elections: you must show that you are a resident, and you currently have to show some proof of ID before you are allowed to vote. In theory, this means you are no longer anonymous.

With the IRMA card, this is a thing of the past. You’d simply present your card and they would only see that Yes, you are a resident of that town. They would also see who issued that credential to you (such as the government), but nothing that compromises your identity.

The same scenario plays out when purchasing liquor. In the Netherlands, the minimum age for purchasing alcohol is 18 and shop owners are legally required to ask for ID. What they really only need is to verify whether the buyer is over 18 or not.

This attribute is stored on the IRMA card, and that is all it will tell the store owner: “Yes, this person is over 18”. Neither your age nor your date of birth is transmitted, just the indicator of whether you are over 18 or not. Again, nothing but this attribute and the source of the attribute is shared.
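The disclosure described above, as an added example that is not code from the IRMA project: the issuer signs salted hashes of every attribute, and the holder reveals only "over18" together with its salt. This is a simpler stand-in for the Idemix and U-Prove credentials the card builds on; the toy RSA key, the issuer name and all attribute values are constructed for illustration.

```python
import hashlib, json, secrets

# Toy RSA issuer key built from two well-known Mersenne primes. NOT secure:
# it only stands in for a real issuer signature so the verifier needs (N, E) only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent

def _digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def _commit(name, value, salt):
    # The random salt stops a verifier from guessing undisclosed values by hashing.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def issue(issuer, attributes):
    """Issuer: salt and hash every attribute, then sign the list of hashes."""
    salts = {k: secrets.token_hex(16) for k in attributes}
    commitments = sorted(_commit(k, v, salts[k]) for k, v in attributes.items())
    signed = json.dumps({"issuer": issuer, "commitments": commitments}, sort_keys=True)
    signature = pow(_digest_int(signed.encode()), D, N)
    return {"signed": signed, "signature": signature,
            "attributes": attributes, "salts": salts}

def present(card, names):
    """Holder: hand over the signed hashes plus only the chosen attributes."""
    return {"signed": card["signed"], "signature": card["signature"],
            "disclosed": [[card["salts"][n], n, card["attributes"][n]] for n in names]}

def verify(presentation, n=N, e=E):
    """Verifier: check the issuer signature, then each disclosed attribute."""
    signed = presentation["signed"]
    if pow(presentation["signature"], e, n) != _digest_int(signed.encode()):
        return None  # not signed by this issuer, or altered
    body = json.loads(signed)
    result = {"issuer": body["issuer"]}
    for salt, name, value in presentation["disclosed"]:
        if _commit(name, value, salt) not in body["commitments"]:
            return None  # disclosed value does not match what was issued
        result[name] = value
    return result

if __name__ == "__main__":
    card = issue("Example Municipality", {"over18": True,
                 "date_of_birth": "1990-04-01", "resident_of": "Nijmegen"})
    print(verify(present(card, ["over18"])))
```

The shop learns the issuer and the over-18 flag only. Because the same signature is shown at every use, presentations made this way can be linked to each other, which is one reason a real deployment uses attribute-based credentials rather than this shortcut.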

The project is still under development, so it is hard to say exactly how it will eventually turn out. But the concept is very promising. If users are indeed capable of choosing additional attributes to store on the card, which is currently the direction it is heading, it can theoretically replace virtually every card in your wallet today.

Naturally, users can only load attributes up to a point; some information must always come from highly trustworthy sources, but there should be plenty of room for user freedom.

Imagine, just having to carry one single card. Driving license? Passport? Customer Loyalty cards?

Every one of these items has attributes that are just as easily stored on an IRMA card. Provided the physical and cryptographic properties are secure enough, we may even be able to replace our bank cards with the same single IRMA card.

If you’d like to learn more, visit the project site. One of the lead scientists, professor Bart Jacobs, explains the whole project much more eloquently than I ever could. Find it here: