The issue of foremost interest is whether my email address gets transmitted to the consuming service.

For example, if I use Google to log in here to SO, does SO know my Gmail address?

Does it know the name I entered in Gmail settings to be used for outgoing mail?

Does an OpenID provider transmit anything else?

Now, the hammer question: I understand that a consumer gets some kind of encrypted/hashed value to uniquely identify the provider-managed account. What if I wanted to reset this value to get my Google OpenID disassociated from all sites and re-register there again from scratch?

I find it quite stupid and user-unfriendly that SO (and probably other sites) do not inform their users of these privacy issues. You sign in and you don't know at all how private you are going to be. Nonsense. This is probably written in some OpenID specs, but would an ordinary user read them let alone understand them?

A: 

I believe the OpenID spec does not specify whether ANY personal information is shared. As such, this question will have different answers depending on which OpenID provider you choose to use.

I would guess that most providers don't make anything except your username available. However, you would really want to read their individual statements on the issue.

Chase Seibert
I think if I have to study privacy statements before using their service I will just drop the OpenID idea and just register temporary anonymous accounts for each separate site I wish to use.
User
That's always the most secure option.
Chase Seibert
+3  A: 

Try reading this article about OpenID privacy.

Amber
+1  A: 

If you want to drop OpenID from Gmail, you should look into setting up an OpenID delegate on your blog or some other HTML URL you control.

Also, whenever I sign up for a new site using my OpenID, I get the -option- of transferring my stored fields (name, email, etc.) into the site's registration page. I could just as well enter blanks or made-up names when I sign up.

When you use your OpenID, you are essentially associating the OpenID with your user data for the page you sign up for. The only pieces of registration it replaces are Username, Password.

If SO asks for an email when you register, you (should) have the same options as you do when you sign up using a temporary anonymous account.

If I registered a username maxwellbatgmaildotcom on a Web site, this is not obfuscating my email address too well, nor is using an OpenID which contains data that you don't want flying around.

If you want to use an OpenID that doesn't reveal any of this information, get an OpenID or delegate one at a URI which doesn't translate easily into sensitive information.

maxwellb
+1  A: 

There's a "learn more" link on the Google sign-in request page that answers some of these questions with regard to Google's current policies. That includes:

What information does Google share with these websites?
Google sends a random code to third-party sites to enable you to sign in to these sites with your Google Account. This code doesn't reveal any personal information. Please note: the security of your Google Account will not be compromised by signing in to other sites with your account.
What other information does Google share?
When you sign in to a third-party site using your Google Account, a site may ask Google for the email address associated with your account, so that it can contact you. [...]

And while it says that about the email address, and StackOverflow does currently send an sreg request for the email address, Google isn't sending an email record in response. (Probably because Google supports a different standard for email address exchange.)

How a provider chooses to disclose personal information is up to that provider. That's also why SO can't make any blanket statement to "inform their users about these privacy issues," because all the private data is in the hands of the provider, and it's the provider's responsibility to manage it according to your wishes.

You may want to choose your provider based on that. Fortunately, most providers are pretty explicit about what information is being requested and released.

As for your question about changing Google's hashed identifier... I'm not aware of anything in their user interface that allows you to do that. You'd need to use another OpenID. (Either another Google account or an OpenID from another provider.) But that's a feature request for Google.

keturn
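Added example (not from the answer above and not Stack Overflow's code): a check of what an OpenID 2.0 response actually discloses, covering both Simple Registration (sreg) and Attribute Exchange fields. The sample response, `op.example` and the function name are constructed for illustration; verifying the signature itself is out of scope here.

```python
from urllib.parse import parse_qsl, urlencode

SREG_NS = "http://openid.net/extensions/sreg/1.1"
AX_NS = "http://openid.net/srv/ax/1.0"

# Constructed response: the site asked for the sreg email, the provider
# answered with an opaque identifier plus an Attribute Exchange value.
SAMPLE = urlencode({
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.claimed_id": "https://op.example/id?id=constructed-opaque-value",
    "openid.ns.ext1": AX_NS,
    "openid.ext1.mode": "fetch_response",
    "openid.ext1.type.mail": "http://axschema.org/contact/email",
    "openid.ext1.value.mail": "user@example.com",
    "openid.signed": "claimed_id,ns.ext1,ext1.mode,ext1.type.mail,ext1.value.mail",
})


def disclosed_attributes(query: str) -> dict:
    """List what an assertion reveals; each value is (data, listed_in_signed)."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    # Fields missing from openid.signed are not vouched for by the provider.
    signed = {"openid." + f for f in params.get("openid.signed", "").split(",") if f}
    # Extension aliases are chosen per message: map namespace URI -> alias.
    alias = {v: k[len("openid.ns."):] for k, v in params.items()
             if k.startswith("openid.ns.")}
    sreg = alias.get(SREG_NS, "sreg")  # SReg 1.0 has no ns line, alias is "sreg"
    ax = alias.get(AX_NS)

    found = {}
    for key, value in params.items():
        if key.startswith(f"openid.{sreg}."):
            found[key.split(".", 2)[2]] = (value, key in signed)
        if ax and key.startswith(f"openid.{ax}.type."):
            # AX pairs type.<alias> (a schema URI) with value.<alias>.
            value_key = f"openid.{ax}.value." + key.split(".", 3)[3]
            if value_key in params:
                found[value] = (params[value_key], value_key in signed)
    return {"identifier": params.get("openid.claimed_id"), "attributes": found}


if __name__ == "__main__":
    print(disclosed_attributes(SAMPLE))
```

Running it over a captured redirect from your own login shows exactly which fields the provider released, regardless of what the site requested.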
A: 

With OpenID, you are delegating your authentication to your provider. Do they expose your email address to sites you use it to authenticate with? Do they reveal your information to anyone who asks? Do they let anybody authenticate using your ID? Will they disappear tomorrow, leaving you unable to authenticate? It depends on the provider, and you have to trust them, or switch.

It's incidental to your question, but this is why it is a good idea to use a simple public-facing web page which delegates your OpenID to a provider, which you can switch without changing identities.

Karl Anderson
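The delegation setup recommended in this answer and in maxwellb's, as an added example (not code from either answer): it reads the OpenID `<link>` tags from a delegating page and shows that the identifier sites store is the page URL, which stays the same when the provider behind it changes. The page contents, the `*.example` hosts and the function name are constructed.

```python
from html.parser import HTMLParser

# Constructed delegating pages for https://me.example/ before and after
# the owner moves from one provider to another.
PAGE_BEFORE = """<html><head>
<link rel="openid2.provider openid.server" href="https://op-a.example/server">
<link rel="openid2.local_id openid.delegate" href="https://op-a.example/u/alice">
</head><body>home page</body></html>"""
PAGE_AFTER = (PAGE_BEFORE
              .replace("op-a.example/u/alice", "op-b.example/id/7f3a")
              .replace("op-a.example", "op-b.example"))


class _HeadLinks(HTMLParser):
    """Collect rel -> href from <link> tags, but only inside <head>, so
    markup placed in the page body cannot redirect the login."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            attr = dict(attrs)
            # rel is a space-separated, case-insensitive token list.
            for rel in (attr.get("rel") or "").lower().split():
                if attr.get("href"):
                    self.links.setdefault(rel, attr["href"])

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def resolve_delegation(claimed_id: str, html: str) -> dict:
    """Return the identifier sites see and the provider that vouches for it."""
    parser = _HeadLinks()
    parser.feed(html)
    links = parser.links
    return {
        "claimed_id": claimed_id,  # what each site stores for the account
        # Prefer OpenID 2.0 rel values, fall back to the 1.1 names.
        "provider": links.get("openid2.provider") or links.get("openid.server"),
        "local_id": links.get("openid2.local_id") or links.get("openid.delegate"),
    }
```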