Data Minimization 101

Milan Stankovic, PhD
Published in blindnet
5 min read · Oct 5, 2021

You are building software and you suffer from Breach Anxiety? You are not alone. Many software systems collect and store sensitive user data, like user IDs, medical information, or other confidential documents. There is growing regulatory pressure (GDPR, CCPA, and others), as well as growing user awareness of privacy issues, about what happens to such data in case of a breach.

We can help you.

We have built an easy solution for data minimization, which is just what you need. I will show you how to transform a simple application into a private and secure one. The idea is very easy: wherever you collect sensitive information, you use our solution to collect it in an encrypted form, then store it encrypted, and allow only intended end-users to decrypt it.

Let me walk you through an example of a simple web form application. Imagine that you are building an app for a doctor. Your client, the doctor, has to ask their patients if they had any Covid symptoms prior to their visit. On top of everything, you have GDPR hanging over your head which requires you to somehow secure the information.

So, you have built a simple web form and are using HTTPS. But the raw data is still stored on your server, non-encrypted, and when there is a breach, you are liable.

A typical web form application stores data unencrypted and exposes it to risks

With blindnet, you can easily encrypt the data before it reaches the internet and keep it encrypted in transit and at rest, so that only the doctor can decrypt it. Neither you, nor blindnet, can make any sense of the encrypted data.

With blindnet, data is protected at transmission and at rest and decrypted only on front-end

We have built a really simple SDK to show how simple and intuitive it is. There is no impact on end-user experience, no additional effort for them, just the benefit of having their data protected (even from you).

Magic.

We actually made this app for Valérie, a real dentist in Paris, facing a real issue in the context of the COVID crisis. Valérie found herself obliged to comply with regulatory mandates to collect sensitive medical information (COVID symptoms) prior to patients’ appointments, and at the same time she had to respect GDPR’s strict mandates regarding the encryption and secure treatment of such data.

“Before I started asking people to declare if they had COVID symptoms, I had no idea how concerned people in fact were with their privacy. Some asked me what I would do with the data, others asked me whether I stored their answers at Google, and a few of them demanded that I delete their data. The blindnet team helped me make a web form to collect this data in an encrypted way. It is compliant, and it is how it needs to be done. I am happy with the app since it reinforces the trust between me and my patients — a key element of our relationship.”, says Valérie.

Want to try blindnet in your app?

Step 0. Create a free account on blindnet.io and register your app. Use the unique app ID when you call our services so we know it is you.

While there, check out the tutorial which gives you the code to insert in your backend and frontend in order to integrate the right blindnet SDKs. Alternatively follow these steps:

Step 1. Install Blindnet SDK for JavaScript:

npm i -S @blindnet/sdk-javascript @blindnet/token-generator

Import blindnet SDK:

import { Blindnet } from '@blindnet/sdk-javascript'
import { createTempUserToken, createUserToken } from '@blindnet/token-generator'

You are now ready to use blindnet in your code.

Step 2. You must then define at least one user who’ll be able to decrypt the data, and declare it to blindnet.

Connect to blindnet (we give you here a test appId and appKey in case you don’t have a blindnet account):

const appId = '3544e7cd-64a9-41b7-88dc-397bfdaeeaf3'
const appKey = 'zB5IiU0xzkVdsH4NMXxrF90ZISL5kJnTHlt7h/Wbi/qVhch7Fw8J5AQ5j2PazaG5q114uApZRH4X1/kTKVx0Cw=='
const valerieId = 'valerie'
const groupId = 'test-group'
const valerieToken = await createUserToken(valerieId, groupId, appId, appKey)
const endpoint = 'https://test.blindnet.io'
let blindnet = Blindnet.init(valerieToken, endpoint)

Declare the receiving end-user (Valérie):

// `secret` is Valérie's own password (or another per-user secret) supplied by your login flow
const { appSecret, blindnetSecret } = await Blindnet.deriveSecrets(secret)
await blindnet.connect(blindnetSecret)

You can perform this declaration when the user is created, or on user login. Blindnet manages user access to encrypted data by deriving secrets from the user’s password (read how it works here). There is nothing more for you to manage: you just call the deriveSecrets function. Your application is now ready to encrypt data for Valérie’s eyes only.

Step 3. Now, when the patient Bob comes to your application and wants to send the data, instead of just saving it to your database, you first encrypt it.

Initialize for Bob:

const bobToken = await createTempUserToken([valerieId], appId, appKey)
blindnet = Blindnet.init(bobToken, endpoint)

An example of a web form that Bob sees. Nothing special. Just a data collection page. The magic happens behind.

Note that Bob can be anonymous with regards to the blindnet SDK. The blindnet SDK only needs to know the user for whom the data is intended (Valérie in this case).

Then encrypt the data that Bob is sending.

const bobsIllness = 'diabetes'
const { encryptedData } = await blindnet.encrypt(bobsIllness)

Step 4. Now we want to show the data to Valérie.

In our sample application, we just display a list of collected patient forms to Valérie. She can review them as needed.

When you want to show the data to the end-user, you just authenticate the receiving user (as you did in Step 2), and you call the decrypt function of the blindnet SDK, which does all the magic for you.

blindnet = Blindnet.init(valerieToken, endpoint)
const { data, metadata } = await blindnet.decrypt(encryptedData)

When Valérie clicks on a patient data record, she can see the decrypted data.

Patient form record view. Valérie can export data, or link it from another application. Whenever she is logged in (and behind the scenes connected to blindnet) she can decrypt confidential patient records.

Easy.

If I’ve awakened your curiosity, feel free to read more about how it works. We invite you to play with blindnet, learn and build code around it.

Also, don’t forget to drop us a line at hello@blindnet.io. We want to know what you are building.


Milan is a Parisian Tech Founder. PhD in Computer Science from Sorbonne. Startup made and sold. Making computers better companions to humans. http://milstan.net