Cryptographer Stefan Brands has a new company, Credentica, that allows people to disclose personal information while maintaining privacy and minimizing the threat of identity theft.

I know Stefan; he’s good. The cryptography behind this system is almost certainly impeccable. I like systems like this, and I want them to succeed. I just don’t see a viable business model.

I’d like to be proven wrong.

Posted on February 15, 2008 at 5:02 AM25 Comments


Erik February 15, 2008 5:26 AM

That’s good to know. I was reading up on the company and was very interested in it’s capability, but was waiting to see an endorsement or snake-oil commentary from you 🙂

I’d like to see this work as well, since it seems to be an excellent model for many individual to company and individual to government relationships, but I’m not sure how one makes money doing so without massive buy-in across many private and public domains, which seems unlikely.

kats February 15, 2008 7:18 AM

@Erik: That’s what people said of OpenID as well at first. It also required a lot of buy-in, but it eventually got there. Whether or not Credentica will make it is up in the air, but there is hope 🙂

I think that going forward there are going to be even more data-theft incidents, and eventually somebody’s going to start suing the companies for being irresponsible with their data. A few multimillion dollar settlements later, it’s going to become financially/economically beneficial for the companies to start investing in technology like this.

Erik February 15, 2008 7:48 AM

@Kats – true enough for OpenID, but the big difference is that OpenID is oriented towards a standards based protocol, where Credentica is supposed to find a way to make money out of their technology (from my admittedly very brief review of a few articles).

Now if OpenID could be extended to use this kind of technology whereby it’s not simply furnishing raw data, but supplying validated boolean responses to questions without supplying the underlying source data. (ie are you over 18 without having to supply the actual birthday and or a credit card)

Canary in the Coal Mine February 15, 2008 8:14 AM

The remaining and significant problem is:

Credentica will readily and secretly spill its guts to government.

TimH February 15, 2008 8:53 AM

@Canary in the Coal Mine

“The National Security Letter provision of the Patriot Act radically expanded the FBI’s authority to demand personal records like Web site visits and e-mail addresses without prior court approval. The provision also allows the FBI to forbid or “gag” anyone who receives an NSL from telling anyone about the record demand.”

Frank B February 15, 2008 9:12 AM

@Canary and TimH,

Luckily, Credentica is a Canadian company so the PATRIOT act doesn’t apply. Unfortunately, Canadian law isn’t as clear as it could be about third parties cooperating with the authorities…

Lyle February 15, 2008 9:49 AM

I seem to remember Stefan trying to commercialize his e-cash protocols a while back, too. Same problems with the business model…

paul February 15, 2008 10:09 AM

Yep. Brand and other people he’s worked with have been around this mulberry bush for 20 years now, maybe longer. He does good work, but as long as it doesn’t cost companies or governments anything to collect extraneous data and then accidentally disclose it to the world (at great cost to the people whose data is disclosed, but they don’t count) there won’t be any focused demand.

wm February 15, 2008 10:28 AM

It looks like an interesting system.

I’m not sure I’m too keen on the unique token ID bit, though. I can see that this is required for Verifier-driven revocation (as described in the white paper on Credentica’s web page that Bruce linked to), but there are many applications where the Verifier doesn’t need (or shouldn’t have) revocation powers. Examples include proof-of-age certificates (if I’m old enough now, I’ll never stop being old enough) or driving licences (where only the Issuer should have revocation powers).

From my understanding of that white paper, Issuers can revoke tokens without needing the token ID, by using the Embedded Info field (which the user can keep secret from Verifiers, so it doesn’t matter if this contains a unique identifier).

The trouble with a unique token ID that Verifiers always see is that, even though they don’t see your name, they can connect you from one transaction to the next. If they build up enough transactions, they may be able to correlate your behaviour against another database to identify you.

I’d like to see a version of this protocol without the token IDs (for those circumstances where this is appropriate).

(And I wish they’d picked a company name that didn’t remind me of Gattaca the first time I read it! 🙂

Required disclaimer:
The views expressed above are entirely those of the writer and do not represent the views, policy or understanding of any other person or official body.

Jarrod February 15, 2008 11:06 AM

Bruce, I have Applied Cryptography, which I’m sure has something in it to cover this, but it’s at home at the moment, a place I won’t be for another twelve hours or so. Can you provide a brief explanation of how this system might work?

Leo February 15, 2008 2:21 PM


I’m no expert but I’d guess that it’s based on zero knowledge proofs, which are discussed in section 5.1 of my copy of Applied Cryptography.


“A few multimillion dollar settlements later, it’s going to become financially/economically beneficial for the companies to start investing in technology like this.”

Only if those lawsuits hold up on appeal, which might take a change in the constitution of the Supreme Court, in the U.S. at least. The settlements would also have to significantly eat into the profits made by extorting people to protect data about them. Even when appellate courts agree with a civil ruling they often reduce the settlement.

It’s fascinating living in a society where extortion and usury are standard business practices.

Pas B February 15, 2008 5:02 PM

Apology for briefness: Rushing out the door. Only hyperskimmed the Wired article, but the close caught my eye:

“I remember when I saw my first driver’s license scanner at a bar in Boston,” Shostack says. “I didn’t want the bar capturing everything on my license so they could prove due diligence in not letting minors drink. U-Prove lets me prove my age, without providing anything else about me.”

Made me think right away of liability. And that may be the business model: Companies limiting their liability. I’m in one where this is a big effort: We don’t want to know, not to mention inadvertently reveal, any more than we have to. What we can’t do, we can’t be sued for nor lose reputation for betraying.

Terry Cloth February 15, 2008 8:20 PM

@Nicholas Jordan:

Unfortunately for your theory, the car was stopped at the time of the hot-coffee incident.

Marcus Barton February 16, 2008 4:56 AM

Surely this is ideal. So long as the cryptography and implementation is impeccable, this should be the global gold-standard. If governments were as serious about liberty as they say they are, then this increases it without decreasing security. My opinion is that governments and especially their security agencies will not wish this adopted because it prevents their fishing expeditions.

Anonymous February 16, 2008 8:43 PM

The trouble with a unique token ID that Verifiers always see is that, even though they don’t see your name, they can connect you from one transaction to the next.

Yes, and if you ever use two different credentials at the same time, they become “linked”. Permanently, if you assume a global shared database.

And if you routinely use two different credentials sequentially, those will eventually become linked.

Not that this is a criticism, I think Brand’s stuff is great. It’s just a caveat. This wouldn’t be a silver bullet for privacy problems, even if it did succeed commercially.

Jakob Pagter February 18, 2008 4:18 AM

I’m no expert on privacy technologies, but does anybody know how this relates to IBMs idemix technology?

William February 18, 2008 1:59 PM

I think there isnt a business model until people generally as consumers and taxpayers demand services to this sort of standard. Stefan Brands has several times taken the trouble to explain to my government (I pay tax to the UK) the privacy problems they face and how to solve them. But they’re werent interested…until it started coming out that they were carelessly losing peoples’ personal details on an industrial scale. And people started to care. Soon someone may risk losing an election because they didnt take personal privacy seriously. Then Stefan has a market. Shame it’ll take so long….

Anonymous October 9, 2008 6:45 AM

Yes. The well known Brands model was invented in his paper Untraceable off-line cash in wallet with observers, which was implemented in the CAFE project,trial at 1993,which involve 7 european countries.

In the project, Brands used the wallet with observers to prevent double spending problems, which is still an important issue for the anonymous e-cash.

I get to know that in CAFE project, Stefen Brands model was integrated together with T. Okamoto’s multiple coins plus multiple denominations notions, if not mistaken.

Although after that, some cryptanalytic flaws in Brands model was discovered by Yiannis Tsiounis and Chang Yu Cheng in their papers, but both of them convincingly performed patches in their PhD thesis, which able to show that their patched versions of Brands model are robust against cryptanalytic attacks.

Mark October 14, 2008 12:31 AM

One of the E-Cash research are focusing on multiple coins plus multiple denominations.

Parallell with this, there are various other E-Cash research focus on performing attacks, and propose solutions to overcome the E-Cash flaws.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.