My concerns
One of the beautiful parts of Internet Identity is that it prevents applications from tracking users across the IC. It assigns a new principal for each canonical canister frontend URL (https://<canister_id>.ic0.app) that one interacts with. This is great for user privacy, but can be a headache for developers who want to track users across their ecosystem, or for users who don't like logging in more than once.
The new Canister Chosen Alternate Origins opens the door for a single application to track users across multiple 3rd party applications on the IC.
Here's what Canister Chosen Alternate Origins does
The new Canister Chosen Alternate Origins feature works as follows:
A frontend canister can provide a canonical canister frontend URL (https://<canister_id>.ic0.app or https://<canister_id>.raw.ic0.app) as a derivationOrigin, meaning that Internet Identity will issue the same principals to the frontend (which uses a different origin) as it would if the frontend were served from that canonical URL.
Additionally, in order for Internet Identity to accept the derivationOrigin, the corresponding backend canister must list the frontend origin in the JSON object served at https://<canister_id>.ic0.app/.well-known/ii-alternative-origins (i.e. the canister must implement the http_request query call as specified here).
This means that any canister application that lists another canister application as its derivationOrigin will be able to track a single principal across multiple applications.
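To make the two-sided check concrete, here is an added example (not code from this post and not DFINITY's Internet Identity implementation) that models what Internet Identity must verify before accepting a derivationOrigin, and adds the question this post is really about: does the principal the user receives belong to the canister they are visiting, or to a third party? The document shape {"alternativeOrigins": [...]} is my reading of the Internet Identity specification and should be treated as an assumption; the canister ids, origins and well-known body are constructed placeholders.

```javascript
// Added example, not from the forum post or from DFINITY's Internet Identity code.
// Models the acceptance check on a derivationOrigin and reports whether the
// resulting principal is scoped to the visited canister or shared with another.

// Canonical canister frontend URLs are https://<canister_id>.ic0.app and
// https://<canister_id>.raw.ic0.app (the two forms named in the post).
const CANONICAL_ORIGIN_RE = /^https:\/\/([a-z0-9-]+)(\.raw)?\.ic0\.app$/;

// Return the canister id embedded in a canonical origin, or null if the
// origin is not canonical (e.g. a custom domain).
function canisterIdOf(origin) {
  const m = CANONICAL_ORIGIN_RE.exec(origin);
  return m ? m[1] : null;
}

// Validate the body served at <derivationOrigin>/.well-known/ii-alternative-origins.
// Assumed document shape: {"alternativeOrigins": ["https://app.example", ...]}.
// Every entry must be a bare https origin (no path, no trailing slash).
function parseAlternativeOrigins(body) {
  let doc;
  try {
    doc = JSON.parse(body);
  } catch {
    return { ok: false, reason: "body is not valid JSON" };
  }
  if (!doc || !Array.isArray(doc.alternativeOrigins)) {
    return { ok: false, reason: "missing alternativeOrigins array" };
  }
  for (const entry of doc.alternativeOrigins) {
    if (typeof entry !== "string") {
      return { ok: false, reason: "alternativeOrigins entry is not a string" };
    }
    let url;
    try {
      url = new URL(entry);
    } catch {
      return { ok: false, reason: `not a URL: ${entry}` };
    }
    if (url.protocol !== "https:" || url.origin !== entry) {
      return { ok: false, reason: `not a bare https origin: ${entry}` };
    }
  }
  return { ok: true, origins: doc.alternativeOrigins };
}

// Decide whether a login would be accepted and, if so, which canister's
// principal the user ends up with.
//   frontendOrigin     origin the user is actually visiting
//   frontendCanisterId canister serving that frontend (known to its operator)
//   derivationOrigin   value the frontend hands to Internet Identity, or null
//   wellKnownBody      body fetched from the derivation origin's well-known URL
function evaluateLogin({ frontendOrigin, frontendCanisterId, derivationOrigin, wellKnownBody }) {
  if (!derivationOrigin) {
    // Default behaviour: the principal is scoped to the visited origin itself.
    return { accepted: true, principalScope: frontendOrigin, sharedWithThirdParty: false };
  }
  const derivationCanisterId = canisterIdOf(derivationOrigin);
  if (!derivationCanisterId) {
    return { accepted: false, reason: "derivationOrigin is not a canonical canister URL" };
  }
  const parsed = parseAlternativeOrigins(wellKnownBody);
  if (!parsed.ok) {
    return { accepted: false, reason: parsed.reason };
  }
  if (!parsed.origins.includes(frontendOrigin)) {
    return { accepted: false, reason: "frontend origin is not listed by the derivation origin" };
  }
  // Accepted: the user receives the principal of the derivation canister. If that
  // is a different canister than the one visited, the principal is shared with it.
  return {
    accepted: true,
    principalScope: derivationOrigin,
    sharedWithThirdParty: derivationCanisterId !== frontendCanisterId,
  };
}

// Constructed demo data: "aaaaa-aa" stands for big social app A's canister,
// "bbbbb-bb" for app B's canister, and app-b.example for app B's custom domain.
const DEMO_WELL_KNOWN = JSON.stringify({
  alternativeOrigins: ["https://app-b.example"],
});

// App B lists app A's canonical URL as its derivationOrigin, and app A's
// well-known document lists app B's origin back: login is accepted, but the
// principal app B sees is app A's principal for this user.
function demo() {
  return evaluateLogin({
    frontendOrigin: "https://app-b.example",
    frontendCanisterId: "bbbbb-bb",
    derivationOrigin: "https://aaaaa-aa.ic0.app",
    wellKnownBody: DEMO_WELL_KNOWN,
  });
}

console.log(demo());
```

The sharedWithThirdParty flag is the piece Internet Identity's login screen does not surface today: acceptance only requires that the derivation origin lists the frontend, so nothing in the protocol distinguishes an app using its own canonical URL on a custom domain from an app handing its users' principals to a different canister.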
Developers love this, so why is it an issue?
When users see a login screen for the newly proposed Canister Chosen Alternate Origins feature like the example shown below, many won't realize that they are authenticating to a different service than the canister they are visiting. There is no warning, and most users don't have canister-id URLs memorized to the point where they associate them with a specific app.
If we allow users to be tracked across the IC, we lose the user-privacy shield provided by Internet Identity. Today every canister application a user logs into gets a unique principal, so users cannot be tracked across the IC unless they provide identifying information willingly (e.g. a phone number).
Other auth providers may choose to run on top of Internet Identity to allow a single sign-on type of experience, but now there is no option that guarantees this same level of privacy.
In designing this feature, DFINITY did not anticipate that third-party applications could, voluntarily or through incentives/coercion, set a canister URL that they do not own as the derivation origin. Why might they do this?
"Malicious" scenarios where this might reasonably happen
- User tracking for advertisement
i. Advertisers or investment firms may see a large application or service on the IC, let's call it "big social app A", as an avenue for tracking users across the Internet Computer.
ii. They may see the potential revenue associated with tracking users across the IC, and acquire a significant stake in that application, directing efforts towards the application developing "premium features" (SEO, analytics, visibility of NFTs) that many third-party applications would benefit from.
iii. In return for the "premium features", all a third-party app, "app canister B", would need to do is list <big social app A's canister> as its derivation origin. However, this means that a user logging into app canister B would unknowingly be logging into big social app A.
iv. Hopefully app B trusts big social app A, because now when a user logs into big social app A, social app A can make calls into app B's backend and query/update that user's data.
- Powerful interests/governments
i. Government of country C has outlawed crypto, or wants to track users across the IC for tax reasons.
ii. Big social app A decides to decentralize through the SNS or sell a significant stake to fund future work, and country C is a big buyer, directing efforts towards the application developing "premium features" (SEO, analytics, visibility of NFTs) that many third-party applications would benefit from.
iii. See step 1-iii above.
iv. Now, unbeknownst to app B and all of its users, the government of country C is tracking all of their user data and can manipulate user information in app B through their logins to big social app A.
Especially in the crypto space, there should be more IC-native protections around user privacy and tracking; we can't always trust big-money interests.
How did I miss this?
For those who missed this feature & release (including myself, it all happened super fast):
- On Monday of this past week (July 11th), a forum post titled Release Announcement: Canister Chosen Alternative Origins was published
- Just one day later (July 12th) a System Canister Management (non-governance) proposal for it was submitted to the NNS, meaning that because >99.99% of us follow the DFINITY foundation by default on this topic, it passed instantly, with over 4 million votes for and only 2,097 votes against.
What’s next?
The Canister Chosen Alternate Origins feature is already live on the IC, and I know of at least one large application that is already using it.
I would love to hear from DFINITY, the II team, and @frederikrothenberger regarding my concerns and to find a potential solution, even if that means rolling back this change (if there is enough push-back from the community).