RSA Brings Privacy Home

RSA's Nightingale online identity management technology will give users control of personal data.

RSA Security Inc. is developing an online identity management technology that, for the first time, puts the control of personal data in the hands of users.

The technology, known as Nightingale, is set to be unveiled at the RSA Conference in San Francisco in April.

With the system, users would store their personally identifiable information on their local PC, likely in encrypted form, and grant access to it on a site-by-site basis, according to company officials. Users would then be able to give each site access to a subset of their data, appropriate for whatever transaction theyre looking to conduct.

For example, a user buying a CD online could allow the e-commerce site to access shipping address and credit card information but not age, income and medical history. RSA officials last week would not divulge the full details of how the information will be stored and retrieved. But one way to accomplish this, security experts say, would be to encrypt the data on the local machine and give each site a unique decryption key that gives it access only to the data the user has approved. The user could grant and revoke the keys at any time.

Nightingale grew out of a discussion among members of RSA Laboratories about how to limit the amount of users personal information stored online.

"Web sites are storing more and more personal information, and as this proliferates, privacy erodes," said Burt Kaliski, director and chief scientist of RSA Laboratories, in Bedford, Mass. "Youd like to have it available only when youre intentionally visiting the site. It reduces the business liability [for Web site operators] and reduces the risk that the data could be exposed."

Kaliski said several customers with whom he had discussed the technology were impressed. "It took a while to build some momentum, but once people saw what we were trying to do, we got a positive reaction," he said. "There were some wait-and-see attitudes."

Nightingale will be a challenge to Microsoft Corp.s Passport Wallet service. That service, however, requires users to store their information on Microsofts servers. Users who are signed in to the Passport service can authorize participating Web sites to access that information during purchases.

Microsoft, of Redmond, Wash., has suggested functionality similar to Nightingales in its Palladium initiative, but by most accounts, that technology is years away. Microsoft officials did not respond to requests for comment.

Potential users of the RSA technology say the idea shows promise but that drawbacks exist.

"People want control of their personal information but with the added convenience of not having to replicate it all over the Web when needed," said Bill Kannberg, CIO of Hillsborough County, Fla. "RSAs methodology is an excellent step in the right direction. [But] I have issues with RSA as a long-term-viable company and wouldnt select them for this reason. Also, I think that most users dont know who RSA is and wouldnt trust them with this data because of that.

"I think RSA will be used to get their method into the marketplace only, but Im not sure what company/companies would be trustworthy with this data for the long haul," Kannberg added.

"Theres not anyone else out there with these features," RSAs Kaliski said. "We imagine there are people working on it. This gives people a technology that allows them to implement something that makes them feel better. Despite all the work weve done, we havent [eliminated] passwords yet."