Pairwise Pseudonymous Identifiers

Pairwise pseudonymous identifiers (PPIDs) are defined in the OpenID Connect standard for representing users with opaque and random identifiers that are unique to different clients for increased the user privacy.

Increasing Privacy with Pairwise Pseudonymous Identifiers

When using PPIDs, the client does not know about the user's actual identifier, which may be an email address, employee number, social security number, or other ID that contains Personally Identifiable Information (PII). Even when the user ID does not include sensitive information, PPIDs are helpful in increasing privacy by creating a unique ID for each client. As a consequence, different clients are not able to collude or share information about users. The combination of user and client creates a unique identifier which represents the user for that particular client.

PPIDs can represent be used in two ways:

• PPIDs per individual clients
• PPIDs per sector identifiers or "client groups"

PPIDs for individual clients

As shown in the following figure, Alice logs in using her email. Instead of sharing her email, a PPID is provided to each client. If clients cloud_app_1 and www_1 share usage and behavioral statics about Alice later, their data won't be possible to correlate with each other. Also, if either client is breached, the attackers won't obtain Alice's PII. Instead, they will only gain a opaque and random ID. In these ways, Alice's privacy is enhanced by the PPID.

PPIDs using sector identifiers

There are times when multiple clients are working together in legitimate ways. This often comes up when two clients need to access or store user preferences, products, shopping carts, medical records, etc. In such cases, clients may be placed in the same group or "sector". This will allow clients within this sector to obtain the same PPID for a user.

Using sectors, the pairing is not client-based but rather sector-based. In such a situation, the above figure would look more like this:

As shown in the figure, client cloud_app_1 is grouped together with a mobile app cloud_app_1_mobile_app. This grouping is designated by configuring both clients with the sector ID cloud_app. As a result, while www_1 continues to receive a different PPID for Alice, the grouped clients in sector cloud_app receive the same PPID for Alice. Even clients within sector cloud_app can share user information with each other, they and client www_1 cannot share such information.

Conclusion

Hopefully this short writeup taught you what a PPID is, how it can be used to enhance user privacy. A more detailed view on how to setup PPIDs using the Curity Identity Server can be found in the PPID Howto guide.