
Digital Pseudonyms: One More Way to Make Working From Home Secure

www.coindesk.com 29 June 2022 20:10, UTC

The recent decision by the digital payment processing company Block (SQ) to close its offices in San Francisco to allow employees to work remotely highlights a growing trend since the COVID-19 pandemic began: a Great Migration out of office work and toward working remotely. But for various reasons, that migration is facing resistance from other employers.

One major reason to insist on employees showing up at the office in consumer-facing companies – not just Big Tech but insurance, health care and all manner of others – is the databases they maintain on customers. Despite the rise of an entire industry devoted to protecting them, breaches of these databases continue unabated. According to the Identity Theft Research Center (ITRC), the number of recorded data breaches in 2021 increased by 17% over 2020.

David Chaum, a pioneer in cryptography and in privacy-preserving and secure voting technologies, is the creator and founder of the xx network. In 1995 his company, DigiCash, created and deployed eCash, the first digital currency, which used Chaum's breakthrough blind-signature protocol. This post is part of CoinDesk's Future of Work Week series.

Given what one commentator calls “an entrenched lack of transparency” on the part of affected companies, this estimate is probably low. IBM (IBM), meanwhile, estimates the average cost of a data breach at over $4 million. (It’s worth noting that some of the most expensive breaches last year were in the cryptocurrency/blockchain space, though these were mainly robberies rather than thefts of personal information.)

In response to these threats, some companies are building “air gap” security around the servers holding their consumer databases. They are requiring employees who work on and with them – or simply supply fresh records from customers – to interact with them only over local comms completely disconnected from the Internet. How well this will work remains to be seen.

Either way, such solutions do not address the underlying problem. In the 1980s, in the early days of computerization and the internet, I began to worry about all the information being stored on individuals by organizations – and being shared by them. Almost all these records were (and still are) headed by a universal unique identifier such as a driving license, state ID card number or social insurance number.


These records could potentially be combined to create what I called a “virtual dossier” on every individual, in which their medical, financial, legal and employment histories as well as things like credit card numbers and billing addresses could be viewed together, simply by accessing the separate records via these identifiers.

Random numbers, opaque envelopes

To address this threat, which is now, sadly, a reality, I devised a protocol called digital blind signatures, a variation on the now well-known and widely used digital signature technique. To understand how this works using a paper analogy, imagine a randomly numbered card inside an opaque envelope that is stamped from the outside with a seal like the signets once used to seal letters with wax.

The impression of the seal embosses the card inside with the signature, but once the envelope has been removed the signer has no way to determine which specific number was on the card signed. Blinding conceals a cleartext number by transforming it into cyphertext in such a way that it can be digitally “embossed” with a signature. Removing the envelope in the analogy is equivalent to the cyphertext later being decrypted [unblinded] to obtain the now signed form of the cleartext number.
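The envelope analogy above maps directly onto RSA blinding. The sketch below is an added example, not code from the article or from any eCash implementation: it uses textbook RSA with a constructed toy key and a simplified hash-to-integer step, and every function name in it is an assumption made for illustration.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy key: two Mersenne primes, far too structured for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                   # signer's public key
D = pow(E, -1, (P - 1) * (Q - 1))     # signer's private exponent

def digest(serial: bytes) -> int:
    """Map the card's number into Z_N (simplified; real schemes use padding)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N

def blind(serial: bytes):
    """User: seal the card in the envelope. Returns (blinded value, factor r)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:            # r must be invertible mod N
            break
    return (digest(serial) * pow(r, E, N)) % N, r

def sign_blinded(blinded: int) -> int:
    """Signer: emboss the seal through the envelope; only the blinded value is seen."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """User: remove the envelope, leaving a signature on the original number."""
    return (blind_sig * pow(r, -1, N)) % N

def verify(serial: bytes, sig: int) -> bool:
    """Anyone: check the seal using only the public key (N, E)."""
    return pow(sig, E, N) == digest(serial)

def demo():
    serial = secrets.token_bytes(16)  # the random number on the card
    blinded, r = blind(serial)
    sig = unblind(sign_blinded(blinded), r)
    return serial, blinded, sig

if __name__ == "__main__":
    serial, blinded, sig = demo()
    print("signature verifies:", verify(serial, sig))
    print("signer saw the card's number:", blinded == digest(serial))
```

Because the blinding factor r is fresh and random each time, the value the signer stamps is statistically independent of the number that is later shown, which is what prevents the signer from linking the two.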

This signed, unblinded number serves as a digital pseudonym that contains a credential – a digital signature of the issuing organization. A further enhancement of the technique allows the user to show the unforgeable credential to multiple organizations using different pseudonyms. In this way the individual credential holder can, for example, prove to multiple lenders that their credit rating falls within a certain range, without these proofs being linkable through an identifier and without revealing anything more.

In the same way, individuals can prove that, for example, they have paid their taxes, that they live in a certain census district, that they have received a particular vaccination or that they have tested negative for some infection within a certain period, that they hold a valid license in a particular trade or profession, that they have no criminal record and so forth. In no case are any of these credentials linkable to each other or to any other information about the individual. Organizations can store the pseudonymous credentials they receive from individuals so that the individual and the organization can maintain an ongoing relationship if desired.


If some combination of credentials is required by an organization, additional proven cryptographic techniques can make a single pseudonym into a multiple credential (“multicred”) as needed, again without compromising the privacy of the pseudonym’s owner. Specifically, various individual credentials can be “stamped” on the same pseudonym by several different organizations using multiparty computation.

Protecting personal information

In general terms, multiparty computation allows a set of parties to collectively perform any agreed-upon computation, such that each party can choose secret inputs and verify that the resulting output is correct and where all secret inputs are optimally protected. In this case, none of the signers can learn the identity or the signature of any of the others, but they can each readily check that their own signature on the multicred is valid.

Switching to these digital pseudonyms, unlinkable to their owner or to each other, would render pointless the efforts of hackers and phishers to access vast troves of personal information because the information will no longer be identifiably personal. Individuals will, of course, still need social insurance numbers and driving licenses, but most organizations will not need to record them, let alone use them as identifiers for records on individuals with whom they have transacted business.


Hence, the staffers who maintain and secure these pseudonymous data collections need no longer work inside digital air gaps or Faraday cages. They can work from home because neither the company nor bad actors using stolen records can build “data portraits” of individual customers or clients.

Switching to a system of pseudonymous digital credentials would benefit organizations by reducing the ever-growing cost of maintaining and securing records of essentially unnecessary data and the often even greater long-term cost of breaches.

And it would be a step towards what I believe must be a fundamental bedrock principle of Web3 and of true democracy going forward: Individuals should control all their personal information.
