Shiru Café has established a branch near Brown University with a unique pricing model: here, students receive “free” coffee in exchange for name, emails, phone numbers and majors. Most students don’t find this disturbing at all: “I’m giving tons of organizations my data and not getting any goods or services back,” said Jacqueline Goldman, a Brown graduate student and Shiru customer. “Shiru is being transparent.”
This trend is another sign that companies believe data is the new oil. It is the fuel that drives advertising, analytics and decision-making of many enterprises – not to mention that modern AI only exists thanks to the massive amount of data it is trained on. Unfortunately, this valuable resource has been free to harvest for a long time. According to Jesse Leimgruber, cofounder of Bloom, “In the US alone, more than 10,000 companies are pooling and selling your personal data”. As such, the importance of protecting, limiting and safekeeping this resource has been neglected. After all, the part most data collectors are interested in is how they can use that data to maximize their profits – not to spend money and resources on safekeeping it.
The need for structural change
The European GDPR was a step in the right direction, forcing companies to take more responsibility for the data they collect and store, and for the people they collect it from. Companies that fail to do so can face hefty penalties. The most recent case is Facebook, which could be fined up to $1.63 billion for its recent breach.
This breach was not a case of negligence in data protection like the recent Cambridge Analytica scandal; rather, it was a sophisticated attack that exploited a bug in a recent Facebook update. It seems that whatever Facebook does, it still fails to protect the data of its users.
Of course, Facebook is not “alone” – Google recently managed to steal the spotlight with its Google+ breach. This breach dates back to May of this year, but Google wanted to stay under the radar while Zuckerberg was testifying before the Senate, where he rightfully noted that Facebook has outgrown its origins as a platform developed by students in a dormitory. These companies have more active users than many countries, and in this interconnected world they share a far greater responsibility.
Perhaps the more severe (and more frequent) hacks are those targeting the medical industry, where critical information that can be used for blackmail is stolen on an almost regular basis. These breaches raise the question: instead of playing cat-and-mouse with the hackers, is there a way to fundamentally address this problem?
The technical response
The “problem” with computer data is that it is easily replicated, unlike paper documents. When it comes to money, blockchain has done a decent job of neutralizing this property: by cryptographically signing transactions it ensures there is just one true “owner,” and by decentralizing the data across many nodes it effectively removes the single point of failure. Even if hackers manipulate and overwrite the data on some nodes, they still have to convince at least 51% of the network to accept their forgery as a valid transaction.
While this works well for monetary transactions, it becomes catastrophic when applied to personal information. Blockchain could effectively protect the ownership rights of personal data, but it does nothing to protect that data from being seen, especially as every node would receive a copy of it. For this reason, we have the concept of Self-Sovereign Identities, or SSI for short.
SSI is built on public-key cryptography, where a pair of public and private cryptographic keys is used to “sign” documents. Normally, these keys are generated by an app on your device and are unique to you. Simplifying a little, the scheme rests on a few mathematical tricks. For every document we can compute a “hash number” that is (almost) unique to that document among all documents in the world. This hash is obtained by reading all (or parts) of the document and, from the values and sequence of its bytes, deriving a single number that represents that document.
Next, the private key is used to “sign” that document, meaning a new number is generated from the combination of the two. The useful part is that this operation is one-way. It is like testing for prime numbers: there is no formula for it, and we simply have to divide the number by half of the numbers below it to see whether it is prime or not.
There is, however, a way to verify the signature, and that is via the public key. By checking the signature against the document’s hash with the public key, we can be sure that the person is the true owner of that document, as no one else in the world has access to that private key (this is why losing your private keys is so disastrous – millions in Bitcoin have been lost through this error).
SSI takes this cryptographic concept and applies it to personal data: all data is stored on the user’s device, and only the parts that are necessary are shared with the outside world. To attest that a user is over 18, for example, the birth date does not need to be shared; the requesting party merely receives a yes/no answer.
While the personally identifiable information is not shared on the ledger, the coordination between the different parties needs orchestration, and that is where blockchain comes in. In the previous example, an entity needs to verify a user’s age, so it turns to validators or attestors. These entities have been in contact with the individual and have issued proofs, such as a driver’s license, a university degree or a birth certificate. When users present their proofs, the validators are queried and asked to validate these claims and to give the yes/no answer mentioned above.
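The hash-sign-verify flow and the over-18 attestation described above, as an added example that is not part of the original article or of any Bloom code: an attestor signs only the predicate derived from the birth date, and the relying party checks that signature plus a holder-signed challenge. Ed25519 and SHA-256 are assumed as the primitives, and the claim string "age>=18" is a hypothetical format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// Credential is the attestor's "proof": a predicate bound to the holder's key. The raw birth date never leaves the attestor.
type Credential struct {
	Holder    ed25519.PublicKey
	Predicate string // hypothetical claim format, e.g. "age>=18"
	Signature []byte // attestor's signature over credentialHash
}

// credentialHash is the article's "hash number": a SHA-256 digest of the holder
// key (fixed 32 bytes, so no separator is needed) followed by the predicate.
func credentialHash(holder ed25519.PublicKey, predicate string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, holder...), predicate...))
	return sum[:]
}

// Issue runs at the attestor, which already knows the raw birth date. It signs
// only the yes/no outcome; a holder under 18 simply receives no credential.
func Issue(attestor ed25519.PrivateKey, holder ed25519.PublicKey, birth, now time.Time) (Credential, bool) {
	if birth.AddDate(18, 0, 0).After(now) {
		return Credential{}, false
	}
	pred := "age>=18"
	return Credential{holder, pred, ed25519.Sign(attestor, credentialHash(holder, pred))}, true
}

// Verify runs at the relying party: the attestor's signature proves the predicate,
// and a fresh challenge signed by the holder proves the credential was not just copied.
func Verify(attestorPub ed25519.PublicKey, c Credential, challenge, holderProof []byte) bool {
	if c.Predicate != "age>=18" || !ed25519.Verify(attestorPub, credentialHash(c.Holder, c.Predicate), c.Signature) {
		return false
	}
	return ed25519.Verify(c.Holder, challenge, holderProof)
}

func main() {
	attPub, attPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	birth := time.Date(1995, 3, 2, 0, 0, 0, 0, time.UTC) // constructed date, not a real record
	cred, ok := Issue(attPriv, holderPub, birth, time.Now())
	challenge := []byte("constructed-nonce-42") // the relying party picks this fresh per request
	fmt.Println(ok, Verify(attPub, cred, challenge, ed25519.Sign(holderPriv, challenge)))
}
```

The relying party ends up holding only the predicate, two public keys and two signatures; a leaked copy of the credential is worthless without the holder's private key, because the challenge must be signed afresh each time.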
This format of sharing data is much more secure. “When releasing raw information to a lender or financial service, you normally need to provide the full raw info (like SSN, full name, or address)” according to Leimgruber. “With Bloom, you can share proof of verification without sharing raw info.” The companies receive a minimal amount of data, and even the storage is decentralized, which lifts a heavy burden when it comes to GDPR compliance.
The road ahead
Blockchain and SSI show a promising future for protecting our personal data. Recently, BMW and American Express ME partnered with Bloom to improve their security and streamline the lending experience. Facebook, on the other hand, decided to kick Bloom off its platform and block its advertising campaigns. Ironically, this happened just a week after Facebook’s recent breach. While Facebook has long banned cryptocurrencies from its platform, the move seems controversial given Facebook’s history of breaches and the fact that blockchain is not equivalent to cryptocurrency. Of course, the company has its own blockchain division, but whether this technology will finally be used to protect the billions of users on its platform remains to be seen.