Once Upon a Service ...
29 Nov 2005

A friend of mine has an interesting problem. He provides pre-paid services and wants to give away free accounts with a small credit so that people can test the service. To keep the cost down, he wants to put up a self-registration web form that creates the account automatically. And the problem is: how to stop users from signing up for a test account again and again and thus abusing the "free sample" service?
He cannot ask for an SSN (or our local "birth number" equivalent), as we have privacy laws here. To minimize the chance of a conflict with the law he does not want to gather any unnecessary personal information, so he will collect only a name and some contact info (phone/email), and even those as optional fields. He may use persistent cookies to mark that an account was already created for a specific user, but it is trivial to remove a cookie, so that will not stop the abuse. He cannot limit by IP address, as that would discriminate against users behind proxies. I am starting to believe the problem cannot be effectively solved with current technology.
But could an "identity system" help here? Imagine that we have such a system globally deployed, any system of your choice. Can the problem be solved then?
The solution should allow each physical person to sign up for the free account no more than once. To do this, we need to represent the idea of a "physical person" in the digital world. Computers cannot see or feel; they know only about data, so we need to represent each person as a data record, and there must be exactly one data record for each physical person.
But how could we do this? We would need a database of all the persons in the world. Technically, we could do it. A centralized database will not do, but we can split it up by countries. Enforce strong registration policies, destroy some civil liberties, wait some 100 years and we can have a sound database with an acceptably low error ratio. Well, I have a strong feeling that such a database cannot be constructed in practice. But let's pretend for a while that it can be done ...
If we have the global database, we have two options:
- Assign each person's data record a unique identifier and keep a list of the identifiers that have already signed up for the service.
- Indicate in the person's data record that the account was assigned. For this to work the service must be able to alter that attribute in the person's data record, while the person must not have the same ability.
As for the first option, we cannot use a "global" identifier of a person. If we do, our really-unimportant-service can collude with other also-unimportant-services and track the user's activity; that identifier would be the "SSN equivalent". We have to use "local" identifiers, generated specifically for our service. That adds management overhead and may not scale. And it may allow the central database to track the user's activities anyway.
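One way to realize the first option with "local" identifiers, as an added example that is not part of the original post: a hypothetical identity provider derives a service-scoped pseudonym from the person's record with a keyed hash, so the service stores only pseudonyms, two services cannot link their pseudonyms for the same person, and the key holder (the central database) still can. All names, the `IdentityProvider`/`FreeSampleService` classes and the sample person are assumptions of this example.

```python
import hashlib
import hmac
import secrets


class IdentityProvider:
    """Hypothetical central person registry holding one secret key it never shares."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)
        self._persons = {}  # global_id -> record (constructed sample data)

    def register_person(self, global_id, name):
        self._persons[global_id] = {"name": name}

    def pseudonym(self, global_id, service_id):
        """Service-scoped identifier handed to a service after the person
        authenticates here. It is derived, so nothing per service is stored."""
        if global_id not in self._persons:
            raise KeyError("unknown person")
        msg = service_id.encode() + b"\x00" + global_id.encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def link(self, pseudonym, service_id):
        """Only the key holder can map a pseudonym back to the person record."""
        for gid in self._persons:
            if hmac.compare_digest(self.pseudonym(gid, service_id), pseudonym):
                return gid
        return None


class FreeSampleService:
    """Keeps only the set of pseudonyms that already received a free account."""

    def __init__(self, service_id):
        self.service_id = service_id
        self._used = set()

    def sign_up(self, pseudonym):
        if pseudonym in self._used:
            return False  # this person already had a free account
        self._used.add(pseudonym)
        return True


def demo():
    idp = IdentityProvider()
    idp.register_person("person-1", "Alice")  # constructed sample person
    svc_a = FreeSampleService("prepaid-a")
    pa = idp.pseudonym("person-1", "prepaid-a")
    pb = idp.pseudonym("person-1", "prepaid-b")
    first, second = svc_a.sign_up(pa), svc_a.sign_up(pa)
    # second sign-up is refused; the two services see unlinkable values;
    # the identity provider can still link either of them back to the person
    return first, second, pa != pb, idp.link(pb, "prepaid-b")
```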
The second option may be feasible, provided that the global database itself is feasible. But ... what if our service stores not only a yes/no flag but inserts some kind of identifier there? Then we are back to option 1. And scalability is limited as well.
That looks pretty bad. No good solution. Or is there another way I've missed? Can "modern cryptography" help? What about systems similar to Stefan Brands' digital credentials? Any ideas, anyone?