Creative Commons is pleased to serve as an OpenID service provider for users who join the Creative Commons Network. All users of OpenID, including those who choose a service provider other than Creative Commons, should understand how OpenID works before using OpenID as a way to simplify their website login experience. This is especially important before you access any of your sensitive, personal information on any website using your OpenID.
As an OpenID service provider, we at Creative Commons commit to:
- Helping our users understand how OpenID works, including what happens (and where your information is sent) when you log into a website using your OpenID, and
- Providing our users with a description of how we use and, more importantly, will not use the information that our computer servers log about the websites accessed using their OpenIDs.
In both cases, we will endeavor to provide that information and assistance in clear, easily understandable, human readable formats in keeping with our underlying philosophy about all things legal.
We also believe that in addition to having access to the information described above, users of OpenID should:
- Educate themselves about the security issues and other risks associated with using OpenID (as they should with any other relatively new web technologies that manage personal information), and
- Retain the freedom to choose an OpenID service provider that the user determines to be trustworthy.
About OpenID: How it Works (the basics)
OpenID is a free, open, and decentralized standard that allows you to create a single digital identity that you can use to log into many different websites. You can use your OpenID instead of having to remember login information for each different website you visit. Today, there are already many thousands of websites that allow you to log in using an OpenID. OpenID is available through various service providers, including Creative Commons if you join our network.
When you log into an OpenID-enabled website using your OpenID, the website you are visiting transfers you to your OpenID service provider, as specified by your OpenID (which is your CC Network profile URL). Once at your OpenID service provider, you can log in and, if you choose to do so, provide information back to the website you are visiting. Once you have logged in, your OpenID service provider transfers you back to the website you are visiting, thereby giving you access to the area of the website (such as your account or profile information) that would otherwise have required you to enter your website-specific login.
Privacy and Data Sharing
Service providers, including Creative Commons, collect personally identifiable information about you when you register for your OpenID. In addition, whenever you use your OpenID to log in to a website, the servers used by your service provider maintain a log of the websites you visit and when you visit them. Service providers are able to use that information themselves, or to give or sell that information to others for a variety of purposes, including to market and advertise goods and services to you and others based on your website usage and similar information they receive from others who also use their services.
- No Linking: CC does not link information from our OpenID server logs to the personal information you submitted to us to establish an OpenID (or otherwise).
- No Access: Just as any OpenID provider could, CC is technically able to access the website accounts tied to our OpenID service and log in on behalf of its OpenID users. Creative Commons will never do so.
- No Retention: Creative Commons discards non-personal information from our OpenID server logs once we have used the information to improve our websites and OpenID services, and for system administration purposes (such as debugging).
- Notice: CC will use reasonable means to notify you if we are ever required to provide a third party with your non-personal information, unless prohibited by law.
Security and Other Risks: Select a Trustworthy Service Provider
Despite its attractions, OpenID carries security and other risks that its users should be aware of. Here are some of the risks you should understand before using OpenID:
- OpenID requires trust in one's OpenID provider
An OpenID provider can technically access any web-based account tied to any OpenID corresponding to this provider. Specifically, Creative Commons could, technically, log in on behalf of any of its OpenID users to any of the accounts these users have opened using their Creative Commons OpenID. Though Creative Commons will never do this, it is important to realize, when opening an OpenID account, that this capability exists and is inherent to the OpenID protocol.
- OpenID is vulnerable to DNS attacks
When an OpenID URL is not protected by SSL (and many are not), the OpenID protocol is vulnerable to DNS attacks. An attacker who can alter the result of a relying party's DNS lookup of the OpenID host can masquerade as the OpenID provider of a given user and gain access to the corresponding account at the web site in question. Of course, a simpler version of such a DNS poisoning attack against non-SSL-protected web sites can also be used for highly effective phishing attacks directly against users of a web site. The incremental risk in the case of OpenID may be negligible, though the incentive to carry out such an attack, given the increased value of an OpenID account, may be higher. Creative Commons uses SSL for all connections to its network.
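As an added illustration of the redirect flow described under "How it Works" and of why the SSL point above matters on the relying party's side, the following example code (written for this page, not Creative Commons' own software) shows the checks a relying party makes on an OpenID 2.0 positive assertion before trusting it: the provider endpoint must be the one discovered over https for the user's OpenID URL, the assertion must be addressed to this site, the nonce must be fresh, and all of those fields must be covered by the provider's signature. The hostnames, paths, nonce and signature values are constructed placeholders.

```python
from urllib.parse import parse_qs, urlencode, urlparse
# Constructed placeholders: what the relying party (RP) discovered for the
# user's OpenID URL before redirecting the browser to the provider.
DISCOVERED = {
    "claimed_id": "https://provider.example/alice/",           # user's OpenID URL
    "op_endpoint": "https://provider.example/openid/server",   # provider endpoint
    "return_to": "https://rp.example/openid/return",           # where the user comes back
}
# Constructed positive assertion, as the provider would send it in the redirect
# back to return_to (openid.sig is a placeholder; signature checking is a separate step).
GOOD_RETURN_URL = DISCOVERED["return_to"] + "?" + urlencode({
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": DISCOVERED["op_endpoint"],
    "openid.claimed_id": DISCOVERED["claimed_id"],
    "openid.identity": DISCOVERED["claimed_id"],
    "openid.return_to": DISCOVERED["return_to"],
    "openid.response_nonce": "2009-01-01T00:00:00ZabcDEF",
    "openid.assoc_handle": "constructed-handle",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    "openid.sig": "constructed-signature",
})
def params_from_return_url(url):
    """Flatten the query string of the redirect back to the RP into a dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
def check_assertion(params, discovered, seen_nonces):
    """Checks the RP makes before trusting an id_res response; returns (ok, reason).
    Verifying openid.sig against the association (or via check_authentication) follows."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    # The provider must be the one discovered for this identifier, not whatever the
    # response claims, and discovery must have used https: plain-http discovery is
    # exactly what a spoofed DNS answer lets an attacker redirect.
    for key in ("op_endpoint", "claimed_id"):
        if params.get("openid." + key) != discovered[key]:
            return False, f"{key} differs from discovery"
        if urlparse(discovered[key]).scheme != "https":
            return False, f"{key} was discovered over plain http"
    # The assertion must have been issued for this RP's return URL.
    if params.get("openid.return_to") != discovered["return_to"]:
        return False, "return_to mismatch"
    # A nonce is accepted once, so a captured assertion cannot be replayed.
    nonce = params.get("openid.response_nonce", "")
    if not nonce or nonce in seen_nonces:
        return False, "missing or replayed nonce"
    seen_nonces.add(nonce)
    # Every field checked above must be covered by the provider's signature.
    required = {"op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"}
    missing = required - set(params.get("openid.signed", "").split(","))
    if missing:
        return False, "unsigned fields: " + ",".join(sorted(missing))
    return True, "ok"
```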
- OpenID may increase the risk of phishing
OpenID consolidates separate logins at different web sites into a single, centralized login experience. This makes the OpenID login process valuable to users, but a more appealing target to potential attackers. In addition, the OpenID protocol expects the relying party — i.e. the site to which the user is logging in — to redirect the user to her OpenID provider, when the relying party may not always be trustworthy. As a result, a number of security experts believe that OpenID increases the risk (and efficacy) of phishing attacks against OpenID users. This is particularly relevant when the OpenID provider provides password-based authentication, which is the case for most OpenID providers.
It is particularly important for OpenID users to be aware of the simple phishing countermeasures they can take: (a) check the lock icon and URL bar to ensure they are indeed visiting their OpenID provider and the connection is properly authenticated, (b) refuse to log in if the web site certificate is in any way invalid, and (c) use OpenID-specific browser enhancements when possible.
You can learn more about OpenID by visiting http://www.openid.net.