Kushal Das

FOSS and life. Kushal Das talks here.


Solid Project, WebID and privacy

In my last post I mentioned the Solid Project, and while digging more into it I got more questions about privacy issues. Let us break it down from the beginning:

What is Solid Project & WebID?

Solid is a specification that lets people store their data securely in decentralized data stores called Pods. Pods are like secure personal web servers for data.

If you dig into the actual specification, you will find this paragraph about WebID.

In line with Linked Data principles, a WebID is a HTTP URI that, when dereferenced, resolves to a profile document that is structured data in an RDF 1.1 format. This profile document allows people to link with others to grant access to identity resources as they see fit. WebIDs underpin Solid and are used as a primary identifier for Users in this specification.

One person can have more than one WebID (say one for work, one for personal details, one from the Government). The services will use the WebID you provide, or the one provided by your digital wallet (some Solid application running somewhere), which in turn comes from a Government-provided service. WebIDs provided by an agency (private or government) can be verified based on the issuer.

Now this WebID is the unique thing in the Solid world, the core of the Linked Data. If one service can get the WebID for someone and identify the person, they (or any other service) can correlate the same WebID usage across all other services. You don’t need magical code, just find the unique WebID usage.

For a government-issued WebID, this becomes even easier, as the person has no choice in providing the ID. Instead, whatever mechanism the agency uses to identify the person will provide the same WebID every time (after identifying to the IDP service). One similar usage is documented in the flow diagram here.

In my mind this is a privacy nightmare. The WebID spec has a section about security considerations, but nothing about privacy implications.

One way of dealing with this could be having a separate service provide random pseudo WebIDs (unique to each application asking for the resource, based on aud) to the IDP, and the IDP provides it back to the client (wallet). I will write a separate blog post with a sequence diagram to explain it better. Maybe it will work, maybe not.
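
The correlation problem and the per-aud pseudo WebID idea above, as an added example that is not code from this post or from the Solid project. It swaps the "random" value for a keyed HMAC derivation so the hypothetical pseudonym service needs no lookup table; the service key, the `pseudonym.example` base URL and all sample WebIDs are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: secret known only to the hypothetical pseudonym service.
SERVICE_KEY = secrets.token_bytes(32)
# Assumption: hypothetical base URL under which pseudo WebIDs are minted.
PSEUDO_BASE = "https://pseudonym.example/id/"


def pseudo_webid(real_webid: str, aud: str, key: bytes = SERVICE_KEY) -> str:
    """Derive a stable pseudo WebID that is unique per (user, aud) pair."""
    # Length-prefix aud so two different (aud, WebID) pairs never
    # serialize to the same HMAC input.
    msg = f"{len(aud)}:{aud}|{real_webid}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{PSEUDO_BASE}{digest[:32]}#me"


def correlate(*service_logs: set) -> set:
    """Identifiers seen by every service: what colluding services can link."""
    return set.intersection(*service_logs)


# Constructed sample data: two users, two relying services (aud values).
USERS = ["https://alice.example/profile#me", "https://bob.example/profile#me"]
AUDS = ["https://bank.example", "https://clinic.example"]


def logs_with_shared_webid() -> list:
    """Each service records the same real WebID for each user."""
    return [set(USERS) for _ in AUDS]


def logs_with_pairwise_webid() -> list:
    """Each service records only the pseudo WebID minted for its own aud."""
    return [{pseudo_webid(user, aud) for user in USERS} for aud in AUDS]


if __name__ == "__main__":
    print("linkable with shared WebID:  ", correlate(*logs_with_shared_webid()))
    print("linkable with pairwise WebID:", correlate(*logs_with_pairwise_webid()))
```

The pseudonym only helps if the profile document it dereferences to does not link back to the real profile, and the issuing service itself can still map every pseudo WebID to the person.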