Privacy Requirements for Digital Identity

Local Identities

There are many sorts of digital identities which we are all familiar with. A very common type of identity is a local identity within a website. In its purest form, such an identity has a username and a password, where the user must remember their password to access the account.

This local type of digital identity is pseudonymous. Instead of using your personal identity, you create a localized digital identity which is, without other information, separated from your personal identity.

Account Recoverability

In practice, however, users forget their usernames and passwords. To fix this, we introduce mechanisms to recover accounts. The most common method uses the user's email address. Now, when a user signs up, they provide an email. When the user forgets their username or password, a message is sent to their email address with instructions on how to reset their password. Unless users have a unique email address per account, this approach is no longer pseudonymous: the shared address allows websites to talk to each other behind the scenes and correlate this user's activity across different sites.

From the website's perspective, they have gained a new feature of account recovery. From the user's perspective, they have:

  1. Linked this digital identity to all others which use the same recovery email, and
  2. hinged the security of their account on the security of their email account.

This is arguably not the greatest situation, but the alternative of losing their account is probably worse in many cases. If a user really wanted to, they could create a new email for every account and retain the previous model.

From the email provider's perspective, they have evolved into more than an email provider. They now are the stewards of the identity of their users in some sense. Though the user has their own password and username on the website, control of the email address fundamentally determines control of the account in question.

Identity Providers

On the internet, a notion of an identity provider has now emerged. Certain digital service providers such as Google, Apple, and Facebook allow you to create accounts on other websites using your accounts with them. This is a natural extension of the account recovery approach, and has the nice property that users only have to remember one password instead of one for every different service (though you should use a password manager anyway!).

However, the problems of privacy are exacerbated. These services mostly have a policy of one account per person, so you really are limited to a global identity when using these services. Further, they provide your email address, name, and even photo to the relying services, so your identity is tracked all across the web as you utilize these identity providers.

The security issue, on the other hand, is somewhat mitigated. Instead of seeing it as a problem that your account security hinges on the identity provider, it can be seen as an advantage that you are secured by an extremely battle-tested identity provider. Security is an area where all of these identity providers collaborate and create standards. Plus, they have competitive dynamics which encourage them to be the most secure identity provider out there.

The Requirements

So now we see the problem. We are helped by the convenience and security of the identity providers provisioning us with secure digital identities across diverse functions of the internet. We are harmed because these identity providers allow us to be tracked across diverse functions of the internet.

Instead, we want a system that satisfies the following requirements:

  1. We only have to provide our personal identity to a single identity provider.
  2. To all relying parties, we look completely different. That is, our interactions with relying parties are pseudonymous again.
  3. If we must reveal information about our personal identity to the relying party, we only have to reveal the bits which are needed.
  4. Relying parties are able to control the number of pseudonyms permitted per user. In particular, they can retain the current behavior of permitting one account per identity, or allow more.
  5. Accounts should be able to be migrated between identity providers.

The above is imprecise, but there is one imprecision that I want to highlight: the threat model, specifically whether one trusts the identity provider not to collude with relying parties. In a sense, there are two valid sets of requirements: one where you assume the identity provider is trustworthy in this respect, and one where you don't. There are solutions for both sets of requirements, but account recovery is much more annoying for users when you don't trust your identity provider not to collude with relying parties.
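As an added illustration of requirements 2 through 4 in the trusting threat model (the identity provider is assumed not to collude with relying parties), here is a minimal pairwise-pseudonym scheme. It is example code written for this page, not code from the authenticated-pseudonyms repository or the W3C proposal; the user records, relying-party policy and disclosure policy are constructed sample data.

```python
import hmac
import hashlib
import secrets

# Constructed sample data (not from the page): the identity provider alone holds the
# personal identity and a secret key; relying parties only ever see derived pseudonyms.
IDP_KEY = secrets.token_bytes(32)
USERS = {
    "alice@example.test": {"name": "Alice", "email": "alice@example.test", "age_over_18": True},
}
# Requirement 4: each relying party declares how many pseudonyms one person may hold there.
RP_POLICY = {"shop.example": 1, "forum.example": 3}
# Requirement 3: claims the identity provider is willing to release at all (constructed).
RELEASABLE_CLAIMS = {"age_over_18"}


def pseudonym(user_id, rp_id, index=0):
    """Requirement 2: a stable pseudonym per (user, relying party, index).

    Without IDP_KEY a relying party cannot recover the personal identity from the
    pseudonym, nor link pseudonyms for the same person across different relying
    parties. The identity provider itself can link everything: that is exactly the
    trust assumption of this model.
    """
    limit = RP_POLICY.get(rp_id)
    if limit is None or not 0 <= index < limit:
        raise PermissionError(f"{rp_id} permits {limit} pseudonym(s); index {index} refused")
    # Domain-separate the inputs so "ab"+"c" and "a"+"bc" cannot collide.
    msg = b"\x00".join([user_id.encode(), rp_id.encode(), str(index).encode()])
    return hmac.new(IDP_KEY, msg, hashlib.sha256).hexdigest()


def assertion(user_id, rp_id, requested_claims, index=0):
    """Build what the relying party receives: a pseudonym plus only the requested
    claims that the disclosure policy allows (requirement 3)."""
    claims = {c: USERS[user_id][c] for c in requested_claims if c in RELEASABLE_CLAIMS}
    return {"sub": pseudonym(user_id, rp_id, index), "claims": claims}
```

Every relying party sees a different, stable subject identifier, the forum can hand out up to three per person while the shop gets exactly one, and the name and email never leave the identity provider.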

Solutions

On my team at Google, we've implemented cryptographic tools to solve problems like these in the authenticated-pseudonyms repository.

I'm currently proposing a candidate solution as a new approach within the Federated Identity working group in the W3C. Hopefully, we can create positive momentum towards allowing more privacy and more security simultaneously.
