Data breaches, like the recent incident at DoorDash that affected 4.9 million people, have unfortunately become an all-too-frequent occurrence. It’s just the latest example of yet another highly visible company leaking the data of millions of its users through a third-party security vulnerability. Data breaches caused by third parties cost large companies millions of dollars. They also erode consumer trust by exposing consumers’ data to identity theft and countless acts of credit card fraud.
The unfortunate reality is that these kinds of security vulnerabilities happen all the time, but companies can do much more to mitigate risk. Instead of shifting blame to an outside party with hands on the data, what if these companies could transparently control data transmission within their own organizations? Today, companies from Wall Street banks to tech giants to governments are getting behind a new solution to combat data breaches.
Blockchain Addresses Security Breaches, But Only if Done Right
Blockchain technology can do just this, rebuilding trust by showing consumers exactly who has access and what personal information is shared. When access to data is dictated by a set of smart contracts that are guaranteed to execute, the margin for human error or compromise is significantly reduced.
Logging data access is one part of the solution. Consider that every time the company accesses an element of personal user data, this retrieval is guaranteed to be timestamped and permanently stored on a public blockchain where it cannot be altered. This provides complete transparency to users by granting them full access to monitor how often their data is accessed and by whom.
The second part of the solution is access control. End users can revoke access to the company at any given time. Revoking access does not require any cooperation from the company and can be completely one-sided. In essence, access control guarantees users the right to be forgotten.
Together, these two parts shift the point of ownership of data from the company to the user. When the ownership of data is no longer in the hands of the company, the company’s liability as a custodian is in turn reduced.
The benefit for users goes further than protecting them from misuse. As owners, users are no longer held captive and are free to decide to move their personal data elsewhere. When the data is stored on a provably unbiased decentralized third party, future access to this data can also be guaranteed.
Some argue that blockchain technologies can be vulnerable to bad actors, but a transparent, permissionless blockchain solution can introduce a “trustless” layer of security. One of the biggest advantages of public blockchain is creating a fully public database that no external parties can manipulate or control.
Adding the Missing Layer of Trust
As it stands today, consumers and app users enter data into a black hole with just about any transaction: shopping online, signing up for a bank account, or inputting their personal data into an app. All that personal data goes into a company’s database, and consumers don’t really know what happens to it afterward. Even when an app or agreement states that data may be shared, consumers aren’t likely to read the fine print. Cambridge Analytica’s mining of user data is just one example of how vulnerable consumer data is to misuse by companies. While Facebook argues Cambridge Analytica violated its terms, 50 million Facebook users were unknowingly manipulated in the last election cycle by the very fact that this company could mine their personal data.
We all want to trust corporations and app developers to safeguard our data, but over and over this has resulted in data leaks. This black box approach has failed again and again. In fact, some of the biggest and “safest” companies, including banks, have no way to guarantee they won’t get hacked, and users know this. This past August, Capital One suffered a hack exposing 106 million users’ records. A public blockchain can restore this trust; a company can state what data is shared and prove it through a neutral third party. This keeps data private but provides a greater guarantee than the black box used today.
A commonly asked question is how a permissionless public blockchain can respect user privacy. If the database is freely auditable by anyone, how can we guarantee that personal user data indeed remains private?
This misconception is similar to corporations’ original fear of the Internet. If the Internet is a public web interconnecting the entire world, by connecting to it, will my entire organization’s data become public as well? The answer is of course no. Relying on public infrastructure does not require data to be public. Data access on the Internet is controlled by a variety of tools such as firewalls.
Similarly, access to private data is controlled on a public blockchain using a variety of technologies. These include hashing sensitive data, encrypting it or relying on zero-knowledge proofs to provide certain guarantees regarding the underlying data without exposing the data itself.
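As an added illustration (not code from the article or from ORBS), the Python sketch below models the timestamped access log and the hashed identifiers described above with a local hash chain. The per-user salt, the service names, and the sample records are assumptions constructed for the example; the independently held head hash stands in for what a replicated public ledger provides.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "prev" value of the first entry

def commit(user_id: str, salt: bytes) -> str:
    """Salted commitment stored in the log in place of the identifier."""
    return hmac.new(salt, user_id.encode(), hashlib.sha256).hexdigest()

def entry_hash(e: dict) -> str:
    body = {k: e[k] for k in ("prev", "ts", "accessor", "subject", "field")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append(log: list, ts: int, accessor: str, user_id: str, field: str, salt: bytes) -> str:
    """Record one data access; returns the new head hash to publish."""
    e = {"prev": log[-1]["hash"] if log else GENESIS, "ts": ts,
         "accessor": accessor, "subject": commit(user_id, salt), "field": field}
    e["hash"] = entry_hash(e)
    log.append(e)
    return e["hash"]

def verify(log: list, anchored_head: str) -> int:
    """Return -1 if intact, index of first altered entry, or len(log) on head mismatch."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev or e["hash"] != entry_hash(e):
            return i
        prev = e["hash"]
    return -1 if hmac.compare_digest(prev, anchored_head) else len(log)

def accesses_for(log: list, user_id: str, salt: bytes) -> list:
    """User-side audit: who read which of my fields, and when."""
    me = commit(user_id, salt)
    return [(e["ts"], e["accessor"], e["field"]) for e in log if e["subject"] == me]

# Constructed sample data (not from the article): (identifier, per-user salt).
ALICE = ("alice@example.com", b"alice-secret-salt")
BOB = ("bob@example.com", b"bob-secret-salt")

def sample_log():
    log = []
    append(log, 1569888000, "billing-service", ALICE[0], "email", ALICE[1])
    append(log, 1569888060, "delivery-partner", BOB[0], "address", BOB[1])
    head = append(log, 1569888120, "delivery-partner", ALICE[0], "phone", ALICE[1])
    return log, head

if __name__ == "__main__":
    log, head = sample_log()
    print(verify(log, head), accesses_for(log, *ALICE))
```

An edited entry breaks the chain at its index, while a log rebuilt from scratch with an entry omitted is self-consistent and is caught only by comparing against a head hash held outside the operator's control.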
Blockchain Can Enhance Security
Blockchain technology relies on encryption and is shared across a network of read-only computers, keeping a record safer and adding security as an impenetrable wall of gatekeepers rather than one company that can be targeted for security vulnerabilities.
The core value of blockchain is complete accountability. Any end-user can fully audit the system and verify that it indeed operates as advertised. When this is the case, there’s no need to rely on trust. There’s no need to put faith in human operators to do their jobs correctly and no reason to fear they may be compromised.
As we head into 2020, businesses should be thinking ahead about how they address data breaches deliberately, because blaming a third-party vulnerability is no longer going to cut it. The future-thinking companies that embrace public blockchain early will see a competitive advantage that wins over more customers over time.
About the Author:
Tal Kol is the Co-founder of ORBS, a company that provides practical blockchain solutions. Kol previously co-founded Appixia, a mobile app startup acquired by Wix.com, and was Wix.com Head of Mobile Engineering. He is an expert in blockchain applications and former Head of Engineering in Kin by Kik Interactive. Kol is an open-source enthusiast, contributor to the React ecosystem and conference speaker. He holds a BSc summa cum laude in Computer Engineering from the Technion and is a veteran of an elite section of the IDF 8200 unit.