Worried About Privacy Poisoning? Permissioned Blockchain is your Solution
June 13, 2019

By: Andre Boysen, CIO, SecureKey

In the digital age we’re living in today, cyberattacks are becoming the norm. Recent research from Statistics Canada found that more than one in five Canadian companies were hit by a cyberattack in 2017 – an alarming trend that continues to worsen. Earlier this year, a cyber security expert and former CIA analyst declared Canada an attractive target for bad actors and one of the first countries criminals target with new attack methods.

Privacy Poisoning

Businesses are recognizing this and investing in advanced technologies to protect against bad actors. Perhaps one of the most prominent technologies businesses are turning to is blockchain. Yet without the right design metrics in place, organizations may be adding to their risks. A recently emerged type of cyberattack that can render some blockchain implementations unusable is privacy “poisoning[1],” where hackers load private data or illegal material into a blockchain in individual transactions. Remember, a key property of blockchain is immutability – once written, data cannot be removed without destroying the entire blockchain. So attackers first inject their own PII (personally identifiable information) and then assert a privacy complaint, leaving the network in conflict with local laws and holding data that cannot be used without costly steps being put in place.

An important distinction here is that this practice is a bigger problem with public blockchains, but it can also cause hassles on poorly designed private blockchains. One way to protect against this attack is a private, permissioned blockchain – one that requires permission to read the information on the blockchain and places restrictions on who is allowed to participate in the network. Implementing a private, permissioned blockchain would protect against privacy poisoning by allowing participants in the network to destroy copies of private keys to render the encrypted data permanently inaccessible[2]. A second method to protect against this attack would be to not use blockchain directly with PII so that removing a user who wishes to be forgotten can be accomplished operationally without affecting other transaction data.
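The sketch below is an added example, not SecureKey's or Verified.Me's code. It combines the two defences above in a simplified form: the chain stores only keyed-hash commitments, the per-user key lives off-chain, and "forgetting" a user means destroying that key. `ConsentLedger`, the field names and the sample records are all hypothetical.

```python
import hashlib, hmac, json, secrets

GENESIS = "0" * 64

def _commit(key, record):
    # Keyed hash of the record; without the key it reveals nothing about the record.
    payload = json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def _link(prev, commitment):
    return hashlib.sha256((prev + commitment).encode()).hexdigest()

class ConsentLedger:  # hypothetical name, for illustration only
    def __init__(self):
        self.blocks = []  # replicated, append-only: commitments only, never PII
        self.vault = {}   # off-chain and erasable: user_id -> per-user key

    def append(self, user_id, record):
        key = self.vault.setdefault(user_id, secrets.token_bytes(32))
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        c = _commit(key, record)
        self.blocks.append({"prev": prev, "commitment": c, "hash": _link(prev, c)})
        return len(self.blocks) - 1

    def chain_is_valid(self):
        prev = GENESIS
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != _link(prev, b["commitment"]):
                return False
            prev = b["hash"]
        return True

    def prove(self, user_id, index, record):
        # A record can be checked against the chain only while the key exists.
        key = self.vault.get(user_id)
        if key is None:
            return False
        return hmac.compare_digest(_commit(key, record), self.blocks[index]["commitment"])

    def forget(self, user_id):
        # Erasure request: destroy the off-chain key; no block is rewritten.
        return self.vault.pop(user_id, None) is not None

def demo():
    ledger = ConsentLedger()
    rec = {"subject": "alice@example.test", "consent": "share-address"}  # constructed
    i = ledger.append("alice", rec)
    ledger.append("bob", {"subject": "bob@example.test", "consent": "share-dob"})
    before = ledger.prove("alice", i, rec)
    ledger.forget("alice")
    return before, ledger.prove("alice", i, rec), ledger.chain_is_valid()
```

After `forget`, the chain still validates and other users' entries are unaffected, but the forgotten user's commitment can no longer be tied to any record. The guarantee holds only if every copy of the key is actually destroyed, including backups.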

Benefits of Private Blockchain

Going back to cyberattacks, permissioned blockchain has proven to be particularly important with respect to secure digital identity. To protect identity information, consumers must be given full control over when their information is shared and with whom, and be assured that only the intended recipient receives the information they need.

This is what we at SecureKey are tapping into with our new Verified.Me network. Through our app, Canadians connect to their trusted organizational relationships so they can help verify their identities to interact with services they desire, while providing the relying party with increased identity certainty. There is the potential for less fraud and lower costs on the service providers’ end, a better customer experience for users, and better privacy protections for everyone.

Our use of a private-permissioned blockchain is a helpful ingredient to the success of the platform because of the following three factors:

  1. It is a method to implement our world-leading triple blind® privacy model: In the network, blockchain does not permanently store consumer data but, instead, stores proofs that users consented to sharing their data. By adding in this layer of technology, consumers can confidently share their information on a case-by-case basis with assurances that it will not get into the wrong hands and only permissioned data will be shared. With Verified.Me, the financial institutions don’t know the destination to which the information is being shared by the user, the receiving party only knows what they need to without revealing the specific source, and the network provider doesn’t see any of the information at rest or in motion, unless required by law with the cooperation of the network participants involved in the transaction.
  2. It is an integrity proof method for sharing data: Integrity is key to an ecosystem approach. With so many parties involved, it’s critical that there is an established level of security and trust among all participants. Blockchain provides a high degree of certainty to receiving parties in three ways: 1) by ensuring that the data came from a reliable source, 2) that it has not been altered since originally written by an authoritative source and 3) that information is being presented by the person it belongs to. This is a very high bar which has a number of benefits not provided by today’s services at the counter for in-person proofing.
  3. There is an established level of resiliency: One of the most problematic challenges organizations face today is denial-of-service attacks, which flood a network with traffic until it ultimately crashes, cutting off legitimate users from accessing their information (e.g., websites, email, etc.). Such attacks become much more difficult when multiple trusted organizations band together and run nodes – demonstrating a hose vs. sprinkler effect. With more participants involved, there are more areas that a hacker would need to access, making the network more resilient than those using a single point of entry.

It’s evident that there is a need for awareness and education on the differences between public and private permissioned blockchain to protect against attacks like privacy poisoning. Verified.Me is setting the stage as a network that is protected against privacy poisoning and one that will set a precedent for secure identity in the future. To learn more about Verified.Me and the technology behind it, visit https://verified.me/how-it-works/.

[1] https://phys.org/news/2019-04-privacy-poisoning-poses-threat-companies.html

[2] https://phys.org/news/2019-04-privacy-poisoning-poses-threat-companies.html