The future of data ownership

Mimirium · 10 min read · Mar 2, 2019

Big user data has become the fuel of the modern business. It helps businesses to better target their offers and to improve their services. It includes the users’ interests, behavior, shopping habits, hobbies, visited locations and much more.

This kind of data reveals to businesses that a particular user has visited certain webpages about a specific product, has placed something in their cart, or engaged with a video about a specific brand. This data brings knowledge, which allows businesses to choose how to appeal to this user.

But with gathering this data comes a big risk — the more data a business collects, the more appealing this database is to hackers.

Let’s just look back at 2018 — the year of data breaches.

Last year saw massive breaches, ranging from thousands of compromised users to billions.

Recent breaches:

What happened? — A Facebook bug enabled attackers to see everything in users’ profiles.

When did they announce the breach? — September 2018

What was affected: Hackers gained access to sensitive user data — including locations, recent searches, relationship status, contact details and others. In some announcements it is mentioned that hackers could also see users’ private messages.

What happened? — A personality test app (a type of game-like survey) on Facebook collected user information from everybody who installed it. Due to Facebook’s data sharing policies, the app was able to gather data on millions of people by accessing their friends. The data was used to better target ads for President Trump’s presidential campaign.

When did they announce the breach? — 2018

What was affected: They had behavioral user data, user preferences and interests.

What happened? — Initially, the Wall Street Journal reported that Google had a software glitch which exposed the personal profile data of 0.5M Google+ users. Then Google revealed that they had a second data breach, which affected 52M users and led to the decision to shut down Google+ services in April 2019.

When did they announce the breach? — November 2018

What was affected: Up to 438 different 3rd party applications had access to private user information due to a bug. The bug exposed users’ information that wasn’t public, such as name, age, email address, occupation and private data shared between users. Google advised users to delete their own profiles.

What happened? — Hackers were able to access one of Quora’s systems.

When did they announce the breach? — November 2018

What was affected: Hackers had access to users’ names, email addresses, encrypted passwords, contacts and demographic information, and every public and private action linked to the account, such as answers, questions, upvotes, downvotes, direct messages, comments etc.

What happened? — Hackers gained access to Marriott’s Starwood Hotels’ database and stole guest information.

When did they announce the breach? — September 2018

What was affected: Hackers gained access to information including phone numbers, email addresses, passport numbers, reservation dates, payment details.

What happened? — India’s government ID database wasn’t properly secured and the system gave anyone access to Aadhaar information.

When did they announce the breach? — March 2018

What was affected: Private information was exposed such as — names, ID numbers, bank accounts, biometric information. Anyone in the database could use the data to open a bank account, buy a SIM card or apply for financial aid. This carries a great risk.

What about GDPR? Wasn’t it supposed to solve the problem of data handling?

In short, GDPR stands for General Data Protection Regulation, a data privacy law set out by the EU that is said to be “game-changing” and has been enforceable since May 2018.

Even though the law comes from the EU, all companies that deal with users from the EU are obliged to comply with it. This means that companies operating at the international level are obliged to comply with GDPR.

What is the goal of GDPR?

The main goal of this legislation is to increase the levels of protection for individuals. In order to comply with GDPR, companies should follow these requirements:

  • Obtain consent from users — users should be aware of how their data is used.
  • Timely breach notification — notify users immediately, within 72 hours after a security breach.
  • Right to be forgotten — give users the ability to request that the company totally erases their data.
  • Privacy by design — companies should design their systems with the proper security protocols from the start.
  • Users should gain a greater level of control over their data.

But do you think big companies followed the requirements strictly? Or did they fake their compliance?

Even though these big data-collecting companies (Google, Facebook, Amazon) claim to be compliant with GDPR, here’s what actually changed after the big hype:

  • People are still not aware of how their data is used, sold and processed.
  • The right to be forgotten doesn’t work in all cases, especially if the user initiated a checkout or purchased a product from a company. That’s because companies are obliged by law to keep your personal data for accounting and legal reasons.
  • The centralized approach to storing data does not follow the “privacy by design” requirement. We can conclude this by looking back at 2018’s breaches.

For example, after the GDPR enforcement, Facebook designed a manipulative update on the Terms of Service acceptance screen.

After clicking “see your options”, the user was told “It’s all set in”, which made the user automatically consent to something that the user doesn’t understand.

Do you still believe users know how their data is used, sold and processed?

Moreover, all those “Terms and Conditions” acceptance bars are meaningless. Research shows that 90% of users claim to not read them at all.

The result after GDPR

  • The big data collection companies are still collecting data but with users’ “consent”.
  • Users are still not aware of how their data is used.
  • Users are still treated as “products” and do not get a penny from their personal data.

So, what’s the persisting issue?

We still have companies that collect user data, while users are not aware of how the data is handled, processed, stored and sold.

Due to the centralized approach to storing user data, companies’ data centers have turned into golden vaults: a target for attackers, which leads to massive breaches.

Why is the current data collection approach broken?

It all starts with the user visiting a website or performing an action online. Once the user clicks “I accept Terms & Conditions” and “Allow Cookies”, the user agrees that the data collected is owned by the company that collects it. This data includes behaviors, interests, demographics, social data etc.

Moreover, for this data to make sense to businesses, and for them to be able to use or sell it, it has to be processed into audience segments and user profiles. It is then stored on a centralized server, which turns into a golden vault: a target for attackers.

For users, that means their data is completely in the hands of companies. But do those companies take the safest measures to guard your data?

In short, the problem is the following:

  • User data is owned by the entity collecting it, which allows the data to be sold and resold for monetary gain
  • User data is stored on a centralized server, which is a single point of failure

What does a single point of failure mean?

It means that once the data center is hacked, all of the data is compromised. As the recent data breaches above show, the number of users affected can reach up to billions with a single successful attack.

In short, the problem lies somewhere between data ownership and data storage. And should users rely on third-party companies to take care of their data?

What could potentially change the current status quo?

Enter Mimirium — software that uses decentralization technologies and local storage for user data while giving ownership of the data to the user. Mimirium aims not to improve the status quo of privacy, but to radically change it.

In short, users’ data will be stored and encrypted on their own devices. Companies will still be able to request parts of the data, but users will willingly accept or refuse data exchange and will be rewarded each time when their data is used.

How does Mimirium change the model?

Here are the differences that come from storing user data locally on users’ devices:

  • Instead of trusting a corporation to guard users’ data, users will have full control over their own personal data.
  • Users’ data is more secure when it is physically on the user’s device and only the user has the decryption key for it.
  • There’s no single point of failure, which lowers the risk of a massive data breach. This makes attacks less likely, because hackers will have to spend resources on hacking multiple devices, instead of focusing their efforts on a single target. Decentralized systems lack the central points of failure whose compromise would bring down the entire system.

It’s also better for businesses:

  • It is more efficient in terms of processing power — data is stored and processed on the user’s device, instead of being transmitted for processing on a central server. The user’s device runs local machine learning algorithms, which process the user’s data, sparing the centralized server resources businesses currently employ.

How is this achieved?

Mimirium software is installed on the user device and it stores the user data locally on the device. The locally stored data is encrypted and the encryption key is solely in control of the user.

Due to the decentralized approach to storing and processing user data, it is almost impossible to hack the whole database. Moreover, it would be hard even to find a single user in a decentralized and anonymized database, unless the intruder has physical access to the device.

Raw user data never leaves users’ devices. The data is processed locally and secured by using Partially Homomorphic Encryption (PHE), Zero-Knowledge Proofs (ZKP) and Secure Multiparty Computation (SMC) technologies. This means that when data is requested by a business (or another 3rd party), only aggregated and anonymized information is shared.

In simple words, 3rd parties will not receive any raw data and will not be able to identify who is the owner of this data.
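One way an SMC technique can produce an aggregate without any party seeing raw values is additive secret sharing, shown here as an added example; it is not Mimirium's code, and the page does not describe its actual protocol. The number of aggregation servers, the modulus `P`, the `MIN_COHORT` threshold and the sample values are assumptions constructed for illustration.

```python
import secrets

# Assumed public modulus: all share arithmetic is done mod this prime.
P = 2**61 - 1
# Assumed policy: refuse aggregates over tiny groups, because a sum over
# one or two devices reveals the individual values.
MIN_COHORT = 3


def split(value, n_servers=3):
    """Split a private value into n additive shares that sum to it mod P.

    Any n-1 shares are uniformly random, so they carry no information
    about the value; only all n together reconstruct it.
    """
    shares = [secrets.randbelow(P) for _ in range(n_servers - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


def aggregate(private_values, n_servers=3):
    """Simulate devices sending one share to each non-colluding server.

    Returns (total, partial_sums). Each server only ever sees random
    shares; combining the servers' partial sums yields the total alone.
    """
    if len(private_values) < MIN_COHORT:
        raise ValueError("cohort too small: aggregate could identify a user")
    inboxes = [[] for _ in range(n_servers)]
    for value in private_values:              # runs on each user's device
        for inbox, share in zip(inboxes, split(value, n_servers)):
            inbox.append(share)
    partials = [sum(inbox) % P for inbox in inboxes]   # runs on each server
    return sum(partials) % P, partials


if __name__ == "__main__":
    # Constructed sample: 1 if the device's owner viewed a product page.
    visited = [1, 0, 1, 1, 0]
    total, partials = aggregate(visited)
    print("per-server partial sums (random-looking):", partials)
    print("users who viewed the page:", total)
```

The privacy guarantee holds only while at least one server does not collude with the others, and the true sum must stay below `P` to avoid wrap-around.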

What GDPR tries to solve legally, Mimirium solves technically by using modern technologies.

Example:

When Facebook & Google+ got hacked, all of the users’ data was breached. Usually, when this happens, hackers employ various techniques to partially decode the data and decrypt users’ passwords in bulk. And there’s a high chance that your data will also be compromised.

However, if you are using Mimirium, take ownership of your own data and store it locally, hackers would find it a lot harder to compromise your data. They’d have to hack your personal device, which is a lot less likely if you are not a “golden” target. Moreover, you can keep your decryption key in a safe place, not locally on your device, making your data more secure.

In short

It’s time to finally address the underlying problem — namely how personal data is handled. The current data collection companies treat users as “products” and do not use the safest measures for their data. Blockchain technologies open the doors to a new, innovative approach — a decentralized user database with anonymization.

  • Users’ data will be stored on their device and will be encrypted, following the best practices from GDPR
  • Users will finally be aware which data is requested from them — and will willingly allow or disallow each time the data is requested
  • Users will receive a monetary reward after successfully sharing data with businesses

The future is now — data ownership should switch to the user and the data should be stored in a decentralized approach and on the user’s personal device. That way the risk of a breach will be mitigated, because it will be a lot more expensive to hack multiple accounts separately.

So, don’t be an easy target. Be an active participant in building the future and take ownership of your data.

Visit Mimirium for more information.

Follow us and be the first to receive new information about our development here: http://t.me/mimirium


We develop data analytics software with focus on user privacy and right to control his data: https://mimirium.io