this post was submitted on 29 Dec 2023
-32 points (11.9% liked)

Privacy

31872 readers
548 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

Hello Privacy Subscribers of Lemmy, I'm Webhost0101. With the help of ChatGPT, I've been exploring the challenges we face with digital identity, particularly regarding the use of email addresses. I've developed a concept aimed at enhancing privacy and security in our digital interactions.

Identifying the Problem: Our dependence on email addresses as universal identifiers exposes us to various privacy and security risks. The dual nature of emails - serving both as identifiers and gateways to personal communication - presents a significant challenge. The goal is to create a system that can help gradually step away from this bad practice.

The plan

The plan involves converting email addresses into hash codes to serve as digital identifiers, with these codes usable in both digital and physical realms through personalized QR codes. This approach offers a secure and private method for identity verification. While similar systems exist that use QR codes for login purposes, this concept is distinct because it does not store any authentication keys. It only maintains a 'username,' which is the hashed email, and instructions on how to convert an email address into this username. This ensures enhanced security, as the 'Sign' system is designed primarily for identity verification without directly facilitating authentication or access.

The Concept: Creating Your 'Sign'

  1. Initial Step: Visit the 'Sign' website and input your email to start the process.
  2. Email Verification: Receive a unique link via email, confirming your email's validity.
  3. Hash Generation: Use the unique link to select from multiple hashing algorithms or a default option. This generates a hash code, presented as both a string and a QR code, encapsulating the hash and the algorithm/options used.
  4. Optional AI Art Generation: You have the option to generate AI-based art from the QR code, adding a personalized aesthetic touch.
  5. Finalizing the Sign: Enter your 'Sign' into the system, which stores only the sign including the algorithm/options used. No email addresses, names, or URLs are kept.
  6. Receiving Your QR-Art: Obtain a high-quality image of your QR-art for printing on various personal items.

Using 'Sign' for Digital Identification

  • Online Login: On supported platforms, log in with your 'Sign' rather than your email address. The service checks for a corresponding email in their database that produces the same hash with the chosen algorithm/options. Services can eventually replace emails with 'Signs' for regular users.
  • Real-Life Usage: In physical stores, use your QR-art 'Sign' when asked if you have an account/booked at table.

Security and Privacy Considerations

  • Robust Encryption and Data Protection: Implement strong encryption and secure data handling practices.
  • Multifactor Verification: Use the 'Sign' as part of a multifactor identification process, alongside other verification methods.
  • Handling Hash Collisions: Establish protocols to manage the unlikely event of hash collisions, ensuring system integrity.

Advantages and Use Cases

  • Enhanced Privacy: Limits the need to share email addresses, reducing spam and data breach risks.
  • Versatility: Applicable both online and offline, enhancing convenience.
  • Personalization: The AI-generated art offers a unique, personal touch to each 'Sign'.

Conclusion: The 'Sign' system proposes a novel approach to digital identity, focusing on privacy, security, and user convenience. It represents a potential step forward in how we handle and protect our digital identifiers across various settings.

you are viewing a single comment's thread
view the rest of the comments
[–] webghost0101@sopuli.xyz -2 points 10 months ago* (last edited 10 months ago)

I mean, a fair amount of people have point out my system is flawed and has been done better so its kinda a waste of time but i don't think these are good against arguments against it so i will try to clarify this a bit more.

The sign is not a point of entry, it doesn't matter that people can copy it anymore than people can have the same first name as you. There is very little anyone can win by knowing or copying your sign except maybe light bullying. It definiteness inst worse then what stranger can do with your email address. It is a name people can use to identify you but its not a proof of identity on its own, you'd need to combine it with something like a password for that.

At this point of time every site, every store every account is made using your email, the databases already exist. Rather then just inventing a brand new system for new sites, i though of something that could work with the current one. They only need to check their existing database once per email and change it into the hash, so now the user can login using the hash and can no longer login using he email.

The email verification thing is bog standard procedure we use today build in every account registration setup to guarantee that its the owner of the email that is making an account, i would be using it the same way to make sure you cant create a code for someone elses emai. You may wander how to do this when there is no more email in the registration for other sides. Easy, there is no initial check, its not a problem irl that people have the same name, neither is it a real problem that someone used your sign for a login, i cant see a reason why they would but next to forgot pasword there is now "Someone else has used my sign" In this case the site could still ask an email address as a secondary identifier, Cross reference the email again the code itself (as the code contains the algorithm to convert the email into the code), send standard verification mail so the owner can proof ownership. old account gets deleted and they get a new one. Using someone else sign cant be stopped just like you can pick any first and last name on facebook but because we know the signs to be unique it should be against TOS to create an account using someone a sign made with an email you don't own without permission.

This has gone on to long again, its a flawed idea, i wont actually execute it and i pretty much expected it to be shot down, the feedback is still valuable to me, which is why i did it.

I'll summarize myself and my initial intentions in a final stance.:

I firmly stand again the practice of using email addresses as usernames for online identities, there are good reasons for sites to require your email address but a username or way to login is not a good reason for such sensitive communication-information.