Wanted: a new architecture for secure storage and retrieval of data
If we as a society want to continue with our insatiable need
to store our personal data in the cloud, then something at a fundamental
level needs to change — and indeed, it is changing. What started out as a
whitepaper published in 2008 describing “A Peer-to-Peer Electronic Cash
System”, what we now know as the Bitcoin network, has evolved into a
platform for secure and immutable storage and retrieval of digital records. The
underpinning technology, known as “blockchain”, is well past proof-of-concept;
the first large-scale enterprise networks are already up and running (and not
“just” for cryptocurrencies).
Core concept #1: keep personal identity and data records separate
As in the Bitcoin network, the personal identity of users is
not stored on blockchain networks. If you were to explore
the publicly visible Bitcoin network, which has recorded every bitcoin
transaction conducted since the very first one, you would find no
data that links a bitcoin “account number” or transaction with a person —
neither sender nor receiver. Identity on the network is reduced to a single,
anonymous “Public Key”: a unique 256-bit number that is associated exclusively
with a single owner. So where is the data describing who the owner is? It’s in
the custody of the owner — in the case of bitcoin, the owner is in possession
of a hardware device (“cold storage”) which stores an impenetrable “Private
Key” which enables communication with the owner’s accounts and the conducting of
transactions: the sending or receiving of bitcoin to or from other users.
Now remove the word “bitcoin” from this description, and
consider it as simply a piece of data (which is what bitcoin is) and you
understand the concept. Personal records can also be stored on a blockchain
network without any information which identifies who that record belongs to.
Only the user with the unique matching private key is able to access and unlock
the record and send it to parties that the user trusts. Records can be sent in
whole, partially, or as anonymised data that could be used, for example, by
medical researchers in exchange for compensation (paid via anonymous
tokens).
Core concept #2: keep records distributed, encrypted and immutable
The second cornerstone of blockchain-based storage is
decentralisation of data. Instead of all data being stored on a central server,
which makes for an easy target for hackers, data is stored redundantly on
multiple server “nodes”, each holding an exact copy of the
private-key-encrypted data. For example, the Bitcoin network has over 9000
nodes located all over the world. In this way, data is protected by massive
redundancy — an attempted hack on any single node or nodes would be detected
and corrected by the other nodes. Only a simultaneous attack on 51% of all
nodes would be successful — a task requiring prohibitively large computing
power. At the same time, malicious destruction of nodes does not bring down the
system — other nodes step in to fill any gap in the network.
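The detect-and-correct behaviour described above, as an added example that is not part of the original article: a simplified Python model in which every node holds a hash-chained copy of the encrypted records and copies that disagree with the majority are overwritten. The function names, node names and sample records are assumptions made for illustration, and the simple majority count stands in for a real network's consensus protocol.

```python
import hashlib
from collections import Counter

GENESIS = "0" * 64

def block_hash(prev_hash, payload):
    """Bind a record to everything stored before it."""
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def build_chain(payloads):
    """Return [(payload, hash), ...] with each hash chained to its predecessor."""
    chain, prev = [], GENESIS
    for payload in payloads:
        prev = block_hash(prev, payload)
        chain.append((payload, prev))
    return chain

def chain_is_valid(chain):
    """Recompute every link; an edited payload no longer matches its stored hash."""
    prev = GENESIS
    for payload, stored in chain:
        prev = block_hash(prev, payload)
        if prev != stored:
            return False
    return True

def head(chain):
    """Hash of the newest block, which summarises the whole copy."""
    return chain[-1][1] if chain else GENESIS

def audit_and_repair(nodes):
    """Overwrite copies that disagree with the majority; return repaired node names."""
    heads = Counter(head(c) for c in nodes.values() if chain_is_valid(c))
    if not heads or heads.most_common(1)[0][1] * 2 <= len(nodes):
        raise RuntimeError("no majority of nodes holds the same valid chain")
    majority = heads.most_common(1)[0][0]
    good = next(c for c in nodes.values() if chain_is_valid(c) and head(c) == majority)
    repaired = [n for n, c in nodes.items() if not chain_is_valid(c) or head(c) != majority]
    for name in repaired:
        nodes[name] = list(good)
    return repaired

# Constructed sample data: opaque stand-ins for owner-encrypted records.
RECORDS = [b"ciphertext-record-1", b"ciphertext-record-2", b"ciphertext-record-3"]

if __name__ == "__main__":
    nodes = {f"node{i}": build_chain(RECORDS) for i in range(5)}  # hypothetical 5-node network
    nodes["node1"][1] = (b"edited", nodes["node1"][1][1])         # payload changed in place
    nodes["node3"] = build_chain([b"forged"] + RECORDS[1:])       # fully rewritten copy
    print(audit_and_repair(nodes))                                # ['node1', 'node3']
```

If more than half of the copies are rewritten identically, the same check accepts the rewritten chain, which is the majority threshold the paragraph above refers to.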
Companies that are offering identity solutions
Headquartered in San Francisco, Civic has developed a
cellphone-based blockchain solution as described above but with additional
multi-factor authentication such as fingerprint recognition built-in. Through
Civic’s decentralized authentication architecture with blockchain node and
biometrics on a user’s mobile device, their solution enables a user to verify
their identity without providing a username, password, third-party
authenticator, or physical hardware token. Applications range from access to
personal health and financial records to hotel check-in.
Danish NewBanking is a “RegTech” company that operates a
blockchain-based identity platform for personal data management. Anyone can
create an account for free to easily and securely store, manage and share their
personal information with companies or organisations that they trust.
Conversely, companies and financial institutions on their platform can gain
permissioned access to personal information of their customers easily and
cost-effectively.

 
 
 