Webshopping with privacy
“If your mind isn’t clouded by unnecessary things, then this is the best season of your life.”
– Wumen Huikai
It seems unavoidable to give away a lot of personal information while interacting through the internet. We are obliged to register and log in to services in order to use them. While it may seem counterintuitive, communication and transactions can be privacy friendly; the technology exists to achieve that! In this blogpost, we discuss a recent technical proposal we put forward for webshopping with a high level of privacy. We emphasize that such an approach has advantages not only for the buyers but also for other stakeholders, including the webshops, the banks and the delivery companies.
Current web-shopping model
There has been a profound change in the way we shop in the last 20 years. One used to walk into a store, collect items and then pay in cash. Increasingly, we obtain things online using webshops. Webshopping includes registering personal details and authentication credentials (typically, username and password), placing products in the ‘shopping cart’, logging in using the authentication method, paying through some financial service (such as a bank or PayPal), and finally, initiating product delivery. While in the traditional brick-and-mortar scenario buyers can remain anonymous and no personally identifiable information (PII) is stored about them, in the online case PII is often registered by several companies, including the webshop, the bank and the delivery company. Gradually, our shopping activities have become highly traceable and identifiable. Moreover, behavioural and other related information is stored basically forever, with no transparency regarding where it is stored, how it is used and with which parties it is shared.
This huge amount of information places great technical and legal responsibility on the aforementioned companies in terms of protecting personal data. Over time, the companies have also become victims of hacking. Under certain data protection regulations, including the EU’s General Data Protection Regulation (GDPR), the companies risk paying high penalties in the case of data violations on their part or failure to report data breaches. And it is not only security problems that arise. Because buyers give away a lot of personal information, including static data (name, address, credit card number, etc.), dynamic data (e.g. purchased items), metadata (e.g. the bank knows the location and time of purchase) and derived data (combined information, behavioural patterns, etc.), data collection and processing may result in different kinds of privacy harms (exclusion, undesired identification, secondary use, etc.). For the companies that process customers’ personal data, strict compliance with data protection regulations becomes inevitable. Furthermore, GDPR makes privacy by design and by default mandatory for such companies. This is why both companies and customers have a common interest in countering these security and privacy issues.
Webshopping without disclosing personally identifying information
There are privacy-friendly approaches to web shopping. In contrast to the fully identifying webshopping paradigm, anonymous online marketplaces such as Silk Road and Agora maintain anonymity for both sellers and buyers. However, they often become platforms for black markets. In this blog post, we introduce a substantially new approach, called attribute-based webshopping. This technology focuses on achieving buyers’ privacy, while not hiding sellers and products from the public eye. As a result, we strike a balance between the overly-exposing and the overly-hiding paradigms in web shopping.
In this new way of shopping, a buyer does not create an account at webshops. In fact, for these webshops, the buyer can remain anonymous. A buyer reveals to the participants (webshop, bank and delivery company) only the minimum amount of information required to complete a shopping transaction. The main idea behind our scheme is that the business stakeholders in a shopping transaction learn as little as possible during each interaction with the buyer.
Whenever it is plausible, buyers are not identified, and no linkable information (not even a pseudonym) is revealed about them. This can be achieved by using attribute-based credentials (ABCs), which can cryptographically guarantee that the minimum data is revealed in each transaction.1 The data minimization principle states that “a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose.”2
The attribute-based shopping scheme retains the same four main steps as current webshops. However, the steps are more clearly separated, and the user controls the initiation of each of them. The technical links between these steps are carefully designed attribute-based credentials.
First, the buyer collects products in her shopping cart, and when it is ready, she closes it. As a result, the buyer receives the total sum to be paid and a cart identifier. Second, the buyer selects a payment method – possibly independently of the web shop – and contacts the financial service, which we call a bank for simplicity. The actual payment is done with some means, and as a result, the buyer receives evidence in the form of a credential from the bank that proves that the cart amount has been paid. Third, the buyer proves to the webshop that she has reserved the money at the bank to pay for the shopping cart, using the bank-issued credential. Then the web shop collects the products according to the cart, packages them and forwards them to the delivery company. Alternatively, we describe another option in which a locker facility can also be used to hand over the products. Fourth and finally, the buyer contacts a delivery company of her choice and provides the delivery address. This company collects the buyer’s package from the webshop and dispatches it to the buyer’s address. (If the buyer chooses locker delivery, the webshop sends the buyer’s package to the locker from where she can pick it up.)
The attribute-based webshopping scheme ensures minimal information exchange between the buyer and each company. The webshop knows only the buyer’s order details; it learns neither the buyer’s identity nor the payment details. The buyer’s bank learns only how much money has to be debited from the buyer’s account, but not the identity of the webshop or the purchased items. Lastly, the delivery company learns only the necessary dispatching details (name, address, etc.), and nothing about the purchased items or the payment. (If the locker pick-up mode was chosen, then, unlike
In comparison with the widely used, identifying webshopping process, our approach has many benefits for the participants. Most importantly, buyers do not need to register and authenticate to webshops. This is not only privacy friendly, but also more convenient. Their interactions with companies are more privacy-friendly, and they have more control over the disclosure and dissemination of their personal data. Specifically, a webshop does not discover a buyer’s identity, her financial information or the shipping details corresponding to her shopping cart. A bank that processes the payment does not discover the link between the webshop and the buyer.
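The four steps and the per-party view described above, as an added simulation that is not part of the original post or of IRMA. It assumes a constructed two-item catalogue and stands in for the attribute-based credential with an HMAC under a key shared by bank and webshop; a real ABC showing is additionally unlinkable, which this stand-in is not.

```python
# Constructed stand-in: the bank's payment credential is an HMAC over (cart id, amount)
# under a key the webshop can verify. Real deployments use attribute-based credentials
# (IRMA/Idemix), whose showings are also unlinkable; the MAC only makes visible
# which party records which data during one purchase.
import hashlib, hmac, secrets

PRICES = {"book": 12, "lamp": 30}  # constructed catalogue

def credential(key: bytes, cart_id: str, amount: int) -> bytes:
    # Proof of payment bound to exactly this cart and this amount.
    return hmac.new(key, f"{cart_id}:{amount}".encode(), hashlib.sha256).digest()

class WebShop:
    def __init__(self, verify_key: bytes):
        self.key, self.carts, self.packages = verify_key, {}, {}
    def close_cart(self, items):  # step 1: no account, no login
        cart_id = secrets.token_hex(8)
        self.carts[cart_id] = (list(items), sum(PRICES[i] for i in items))
        return cart_id, self.carts[cart_id][1]
    def redeem(self, cart_id: str, cred: bytes):  # step 3: verify the bank credential
        cart = self.carts.get(cart_id)
        if cart is None:
            raise ValueError("unknown or already redeemed cart")
        items, total = cart
        if not hmac.compare_digest(credential(self.key, cart_id, total), cred):
            raise ValueError("payment credential does not match cart")
        del self.carts[cart_id]  # consumed: a second redemption of the same cart fails
        package_id = secrets.token_hex(8)
        self.packages[package_id] = items  # the shop keeps only the order contents
        return package_id

class Bank:
    def __init__(self, key: bytes):
        self.key, self.debits = key, []
    def pay(self, account: str, cart_id: str, amount: int) -> bytes:  # step 2
        self.debits.append((account, amount))  # no shop name, no items recorded
        return credential(self.key, cart_id, amount)

class Courier:
    def __init__(self):
        self.jobs = []
    def dispatch(self, package_id: str, name: str, address: str):  # step 4
        self.jobs.append((package_id, name, address))  # no items, no payment data

def run_purchase(shop, bank, courier, items, account, name, address):
    # Runs one purchase and returns what each party has recorded about it.
    cart_id, total = shop.close_cart(items)
    package_id = shop.redeem(cart_id, bank.pay(account, cart_id, total))
    courier.dispatch(package_id, name, address)
    return {"webshop": shop.packages[package_id], "bank": bank.debits[-1],
            "courier": courier.jobs[-1]}
```

The returned dictionary makes the data-minimisation claim checkable: the shop's records hold no account or address, the bank's hold no items or shop, and the courier's hold no items or payment data.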
This technical solution offers advantages not only for the buyers, but also for companies. Because webshops do not collect and process personal data in our scheme, they do not have to worry about data-protection regulations such as GDPR. As there is no long-term relationship between the buyer and the webshop, our proposal is flexible, which may also help small companies. For instance, a webshop offering specific products that buyers purchase only once can provide a quick service without collecting any superfluous data from its customers. Finally, banks (or other financial institutions) can benefit from the new scheme by being able to offer ‘shopping-with-privacy’ as a new service in the form of anonymous payment credentials.
IRMA’s role in webshopping transactions
IRMA efficiently implements attribute-based credentials. You can use its smartphone application, the IRMA app, for authentication and signing. With a prototype implementation we demonstrated that the IRMA system also enables one to carry out transactions for webshopping.
Brinda Hampiholi & Greg Alpár