
We Can Have Extreme Privacy

Denis Bredelet
4 min read · Jan 7, 2024


In 2023 alone, nearly 6 billion records were officially compromised through data breaches and cyber attacks. In a world where many of the services we use are available online, the odds of your personal information falling into the wrong hands are high.

There is no easy solution. Legislation such as the European Union GDPR or the United Kingdom DPA allows you to access the personal information retained by these services and have it erased. But erasure does not help if you want to keep using the service.

In this article I will introduce a scheme which proposes to take access to PII (personally identifiable information) away from online services and put it into the user's hands.

What is personally identifiable information used for?

There are several uses for PII:

  • Cross-reference data between different systems or services
  • Communicate with the user
  • Personalise the user experience
  • Verify the user identity

Can all that be done without access to personally identifiable information?

Access to PII is required at some point in order to verify the user identity and cross-reference data between different systems or services.

However, at a later time it is no longer required. For example, many services don’t need to verify the user identity for each interaction — a login form or a designated device is enough (it is another story if you are opening a bank account or applying for a travel visa).

For cross-referencing, once a reference number has been agreed between the two systems or services, PII is no longer needed for this purpose.

Personalising the user experience does not require the service to access any PII. The app or client application can simply fill in the blanks where the person’s name or other personal information should go.

That sounds quite limiting for app makers…

Yes, it requires a rethink of the user interface to do some personalisation on the client side.

For more involved use cases, the modern Web has a special weapon: Websockets. Websockets became widespread around 2010 and allow two-way communication, where the server can receive information from the client at any point during the session.

That means even if the server does not have access to PII at other times, when the user is making use of the service the server can request the information it needs from the client.

What about communicating with the user?

It is difficult to communicate when you don’t know the name, phone number, address or e-mail of the person.

All the service can do is leave the message somewhere in the hope that the user will check it. But there is already a technology that works that way: push notifications.

In most implementations of push technology, the client makes a quick request to the push server to see whether there is something to receive. This requires some kind of identifier so the server can present the information to the right person, but PII is not required.

Extreme privacy relies on push notifications for user communication.

All right, then how does the extreme privacy scheme work?

As you can surmise from the previous paragraphs the scheme only allows the client to access PII related to the user.

When setting up the user account, a secret key is created on the client. The secret key is communicated to other clients offline. That could be done through a QR code or an animation for devices equipped with a camera or through Bluetooth for example.

The user PII is encrypted by the client and sent to the server, which stores it in encrypted form. Only the secret key allows access to the data.

After authentication the server sends the encrypted PII to the client which has full control over it. Any update to the PII is sent back to the server in encrypted form for safekeeping. Simultaneous updates are signalled to the client as an error.

The server relies on the client to fill in a template with the appropriate personal information. If required, it can use Websockets to request a specific piece of personal information from the client — provided the client is actively interacting with the server. The client only chooses to communicate that information with a server it trusts. For out-of-band communication, the server uses the polling variant of push technology.

Does extreme privacy protect from data breaches?

Yes it does.

By ensuring only the client can access the PII encrypted on the server, the scheme forces an attacker to target the individual user devices instead of big servers yielding a huge haul of valuable information. The burden of security is largely moved from data repositories to user devices.

You will still need to run an anti-virus. You will still need to practice good cyber hygiene. But that is all in your hands, not in the hands of some large organisation driven more by efficiency and cost savings than by your personal privacy.

I hope you enjoyed. Let me know your thoughts.

