What Companies Do With Your Personal Data And How Blockchain Protects It
Shiru Café has established a branch near Brown University with a unique
pricing model: here, students receive “free” coffee in exchange for their
names, emails, phone numbers and majors. Most students don’t find this
disturbing at all: “I’m giving tons of organizations my data and not
getting any goods or services back,” said Jacqueline Goldman, a Brown
graduate student and Shiru customer. “Shiru is being transparent.”
This trend is another sign that companies believe data is the new oil. It is
the fuel that drives advertising, analytics and decision-making of many
enterprises — not to mention that modern AI only exists thanks to the
massive amount of data it is trained on. Unfortunately, this valuable
resource has been free to harvest for a long time. According to Jesse
Leimgruber, cofounder of Bloom, “In the US alone, more than 10,000
companies are pooling and selling your personal data”. As such, the
importance of protecting, limiting and safekeeping this resource has
been neglected. After all, the part most data collectors are interested
in is how they can use that data to maximize their profits — not to
spend money and resources on safekeeping it.
The need for structural change
The European GDPR act was a step in the correct direction, forcing
companies to bear more responsibility for the data they collect and store,
and for whom they collect it from. Companies failing to do so could face
hefty penalties. The most case is Facebook, which could be fined up to
$1.63 billion for its recent breach.
This breach was not a case of negligence in data protection like the recent
Cambridge Analytica scandal — rather it was a delicate attack that
exploited a bug in a recent Facebook update. It seems like whatever
Facebook does, it is still hopeless in protecting the data of its users.
Of course, Facebook is not “alone” — Google recently managed to steal the
spotlight with its Google+ breach. This breach dated back to May this
year, but Google wanted to stay under the radar while Zuckerberg was
testifying before the Senate, where he rightfully noted that Facebook
has grown past a platform developed by students in a dormitory. These
companies have more active users than many countries and in this
interconnected world, they share a far greater responsibility.
Perhaps the more severe (and more frequent) hacks are those targeting the
medical industry, where critical information that can be used for
blackmail is stolen on an almost regular basis. These breaches beg the
question: instead of playing cat-and-mouse with the hackers, is there a
way to fundamentally address this problem?
The technical response
The “problem” with computer data is that it is easily replicated — contrary to paper documents. When it comes to paper money, blockchain
has done a decent job in preventing this feature; by cryptographically
signing the transactions, it ensures there is just one true “owner,” and
by decentralizing and spreading the data into several nodes, it
effectively combats the single-point-of-failure syndrome. Even if
hackers manipulate and overwrite the data, they still have to convince
at least 51% of the network to accept their forgery as a valid
transaction.
While this works well for monetary transactions, it becomes catastrophic when
applied to personal information. Blockchain could effectively protect
the ownership rights of personal data, but it does not do well at
protecting it from being seen — especially as everyone would receive a
copy of that data. For this reason, we have the concept of
Self-Sovereign Identities, or SSI for short.
SSI primer
SSI is based on the principle of encryption, where public and private
cryptographic keys are used to “sign” documents. Normally, these keys
are generated by an app on your device and are unique to you. To
simplify how this works, this cryptographic concept is based on
mathematical tricks. For every document, we can generate a “hash number”
that is (almost) unique to every document in the world. This hash
number is obtained by reading all (or parts) of a document and,
considering the values and sequence of bytes, creating a unique number
that represents that document.
Next, the private key is used to “sign” that document, which means a new
number is generated based on the combination of the two. The good part
is that this operation is unidirectional. It’s like guessing prime
numbers; there is no formula for that — we just need to divide the
number by half of the preceding numbers to see if it is a prime or not.
But there is a way to verify the number, and that is via the public key. By
comparing the final hash with the public key we can be sure that the
person is the true owner of that document, as no one else in the world
has access to that private key (this is why it is so disastrous to lose
your private keys — millions were lost in Bitcoin due to this error).
SSI takes this cryptographic concept and applies it to personal data: all
data is stored on the user’s device, and only parts that are necessary
will be shared with the outside world. This means that to attest whether
the user is above 18 years of age, the birth date does not need to be shared; the
requesting party merely receives a yes/no answer.
Blockchain’s role
While the Personally Identifiable Information is not shared on the ledger,
the coordination between the different parties needs orchestration, and
that’s where blockchain comes in. In the previous example, an entity
needs to verify a user’s age. For this reason, they turn to validators
or attestators. These entities have been in contact with the individual
and issued proofs, such as a driver’s license or a university degree, or
a birth certificate. When users present their proofs, the validators
are queried and asked to validate these claims and offer the yes/no
answer mentioned above.
This format of sharing data is much more secure. “When releasing raw
information to a lender or financial service, you normally need to
provide the full raw info (like SSN, full name, or address)” according
to Leimgruber. “With Bloom, you can share proof of verification without
sharing raw info.” The companies are receiving a minimum amount of data
and even the storage is decentralized, which lifts a heavy burden when
it comes to GDPR compliance.
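The flow described in the SSI primer and in this section (hash, sign with a private key, verify with the public key, reveal only a yes/no answer), as an added example that is not part of the original article and is not Bloom's protocol. It uses salted-hash commitments for the selective disclosure and a toy textbook-RSA key in place of a real signature library; all function names, the sample holder, and the assumption that the verifier already trusts the attester's public key are constructed for illustration.

```python
import hashlib, json, secrets
from datetime import date

# Toy RSA key for the attester, built from two known Mersenne primes (constructed
# for illustration only: far too small and unpadded for real use).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                                # public modulus; (N, E) is the public key
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, known only to the attester

def digest(obj) -> int:
    """Hash any JSON-serialisable object to an integer below N."""
    data = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(obj) -> int:
    """Attester only: needs the private exponent D."""
    return pow(digest(obj), D, N)

def verify(obj, signature: int) -> bool:
    """Anyone: needs only the public key (N, E)."""
    return pow(signature, E, N) == digest(obj)

def commit(name, value, salt) -> str:
    """Salted hash of one attribute; the salt stops guessing of hidden values."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def issue_credential(attributes: dict, today: date):
    """Attester: derive over_18, commit to every attribute, sign the commitments."""
    attrs = dict(attributes)
    born = date.fromisoformat(attrs["birth_date"])
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    attrs["over_18"] = age >= 18
    salts = {k: secrets.token_hex(16) for k in attrs}
    commitments = sorted(commit(k, v, salts[k]) for k, v in attrs.items())
    return attrs, salts, {"commitments": commitments, "signature": sign(commitments)}

def present(attrs, salts, credential, name):
    """Holder: reveal one attribute plus its salt; the rest stays on the device."""
    return {"name": name, "value": attrs[name], "salt": salts[name], **credential}

def check(p) -> bool:
    """Verifier: the revealed value must match a commitment the attester signed."""
    revealed = commit(p["name"], p["value"], p["salt"])
    return revealed in p["commitments"] and verify(p["commitments"], p["signature"])

if __name__ == "__main__":
    # Constructed sample holder data.
    sample = {"name": "Alice Example", "birth_date": "1990-04-02"}
    attrs, salts, cred = issue_credential(sample, date(2024, 1, 1))
    print(check(present(attrs, salts, cred, "over_18")))
```

The verifier receives only the `over_18` value, its salt, and the signed commitment list, never the birth date; altering the revealed value or the commitment list makes `check` return `False`.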
The road ahead
Blockchain and SSI show a promising future for protecting our personal data.
Recently, BMW and American Express ME partnered with Bloom to improve
their security and streamline the lending experience. Facebook, on the
other hand, decided to kick it from its platform and prevent Bloom’s
advertising campaigns. Ironically, this happened just a week after
Facebook’s recent breach. While Facebook has long banned
cryptocurrencies from its platform, the move seems controversial given
Facebook’s history of breaches and the fact that blockchain is not equivalent
to cryptocurrency.
Of course, the company has its own blockchain division, but whether
this technology will finally be used to protect the billions of users on
its platform remains to be seen.
By LetKnowNews