
D2.2: Set of use cases and scenarios



Scenario: Shopping using pseudonyms


Another mechanism to avoid profiling and linkability when two parties are involved in a transaction is the use of pseudonyms. This mechanism is explained in this scenario, which is derived from the Identity Management Systems (IMS): Identification and Comparison Study (ICPP, SNG, IPTS 2003).

However, it should be noted that the use of pseudonyms cannot avoid profiling in all situations: the pseudonym, especially when it is (at least temporarily) unique, can be profiled itself or used to build a profile. In other words, the right to use a pseudonym does not mean that you automatically have a right to prohibit the use of the movements and actions of the pseudonym to build a profile. On the contrary, there are laws which explicitly allow pseudonym-based use profiles as long as they are not combined with data on the bearer of the pseudonym. If your pseudonym is "black - 29 years - female - looking for a job", then a) a profile can be applied to the pseudonym and b) your actions and movements under that pseudonym can be recorded (anonymously) to enhance the profile that might apply to that pseudonym. When reading this scenario, one should take this into account.

This scenario uses different pseudonyms in different contexts (so-called pseudonym domains) related to different steps of the purchase process to guarantee the buyer’s anonymity (cf. Figure 1).  


Figure 1: Steps and Pseudonym Domains (PDs) used in the shopping scenario


The first step in the purchase process is the consultation step. In this scenario the customers already use a pseudonym, which cannot be traced back to them (Pseudonym Domain 1).  

For the actual purchase (step 2), a different pseudonym is used that cannot be related to the consultation pseudonym (Pseudonym Domain 2). This pseudonym may be linked to a certain reputation to assure the seller that the payment will be made. Alternatively, a special, individual pseudonym might be assigned with respect to each seller: Every time the buyer gets in contact with the seller, the seller-specific pseudonym is re-used in order to establish a reputation and at the same time to avoid the linkage of the customer’s data with those at other sellers. As explained in the study, a personal pseudonym or the processing of customer data is not necessary for the demands of warranty services. 

Of course, this is not always easy to achieve. When the goal is "to establish the reputation of a regular customer and at the same time to avoid a linkage of the customer’s data with those at other sellers", the solution has to explicitly take into account the actual practices of loyalty cards (see also further the chapter “ ” in this document), which are often not stand-alone loyalty programs but interconnected programs: the customer can win points in different stores and shops, all part of the loyalty program.

To handle credentials of different sellers and to guarantee and possibly perform the payment (step 3), a trusted third party (for payment usually a bank; Pseudonym Domain 3) can be used.

Even the shipment (step 4) can be carried out using pseudonyms. A possible solution could be the use of a pseudonym given by the customer which the seller cannot assign to personal data but which the company can assign to an address (e.g., (Pseudonym Domain 4). Alternatively, a pickup point where the buyer can collect the delivered goods after identity verification (password, PIN etc.) could be used (Pseudonym Domain 5). 
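The following is an added example, not part of the original deliverable: one way to realise the domain-specific and seller-specific pseudonyms described above, assuming the buyer derives each pseudonym from a private secret with HMAC-SHA256 (the deliverable does not prescribe any derivation method). The function names, domain labels, shop names and log entries are hypothetical and constructed for illustration. It also shows the caveat stated earlier: within one seller, the re-used pseudonym can still be profiled.

```python
import hashlib
import hmac
from collections import defaultdict


def pseudonym(master_secret: bytes, domain: str, counterpart: str = "") -> str:
    """Derive a pseudonym bound to one pseudonym domain and one counterpart."""
    parts = [domain.encode(), counterpart.encode()]
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(master_secret, msg, hashlib.sha256).hexdigest()[:32]


def build_profiles(log):
    """What a seller can do on its own: group recorded actions by pseudonym."""
    profiles = defaultdict(list)
    for pseud, action in log:
        profiles[pseud].append(action)
    return dict(profiles)


def linkable(log_a, log_b):
    """Pseudonyms two parties could join on if they pooled their records."""
    return {p for p, _ in log_a} & {p for p, _ in log_b}


# Constructed sample data: one buyer, two unrelated sellers.
SECRET = b"constructed-demo-secret"  # assumption: known only to the buyer
CONSULT_A = pseudonym(SECRET, "PD1-consultation", "shop-a.example")
BUY_A = pseudonym(SECRET, "PD2-purchase", "shop-a.example")
BUY_B = pseudonym(SECRET, "PD2-purchase", "shop-b.example")

SHOP_A_LOG = [
    (CONSULT_A, "asked about tents"),  # step 1, Pseudonym Domain 1
    (BUY_A, "bought tent"),            # step 2, Pseudonym Domain 2
    (BUY_A, "bought stove"),           # repeat visit: same seller pseudonym
]
SHOP_B_LOG = [(BUY_B, "bought boots")]

if __name__ == "__main__":
    # Seller A sees a stable pseudonym, so it gains reputation and a profile.
    print(build_profiles(SHOP_A_LOG)[BUY_A])
    # Sellers A and B find no common identifier to link their records.
    print(linkable(SHOP_A_LOG, SHOP_B_LOG))
```
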


