This is a paper that i wrote for the Sloan School about a fictional startup using a blockchain to implement privacy controls
Blockchain for Cybersecurity
The case for blockchain and cyber
Whether we are thinking about autonomous vehicles or telemedicine, we need to trust that the information and processes of digital systems can be confidential (or private when desired), have integrity to ensure correctness, are available when needed, are authentic (e.g. participants are who we think they are) and can support non-repudiation.
This was a challenge when digital systems were purpose-built applications centralized in physical datacenters. In that world, the threat surface, or number of possible attack vectors, was static, well understood and relatively small. Importantly, security controls were also centralized.
Today we live in the cloud, mobile, virtualized, bot, IoT, and microservices enabled world. In this world the network effect of rapid growth in the number of elements in value chains and the number of members in each of those elements is resulting in a nonlinear explosion of the threat surface. The monolithic controls that we have come to trust, have codified in our security operations and organizations, and even enshrined in legal requirements will simply not scale to the task.
Blockchains or Digital Ledger Technology (DLT) offers tremendous promise. By design, DLT leverages this same network effect to provide unprecedented integrity, availability and non-repudiation at the very scale that contemporary systems demand. While there is a widespread belief that DLT is inherently secure it should be noted that, in its basic form, DLT does nothing for authenticity and confidentiality. Confidentially, or privacy, can be built into DLT implementations but authenticity, ensuring that participants really who we want them to be, remains a challenge.
A specific use case
For the purposes of this report, we assume that we are a startup with limited resources and want to allow consumers to control their digital privacy.
At the edge of the any-network-any-device value chains that we call the web are applications (that do things for people) and people. The applications are healthcare portals and search engines and retail websites that need to hold information about the people they serve. Consumers certainly want control of their information and the application owners like Facebook and Amazon are required by law (especially GDPR and CCPA of 2018) to provide users the ability to do so.
Having each application control access to personal identity information is, in effect, having each application and individual keep redundant ledgers of information that can be attacked. The resulting management, audit and security cost with thousands of applications and billions of users is incomprehensible.
We envision providing both middleware with open APIs and a consumer portal. At the portal users can manage policy-based access to their personal information in one central location. Application owners who integrate with the portal through the API will delight customers with ease of use analogous to a single-sign-on for privacy and achieve economies of scale in implementing and reporting on legally required privacy controls. Properly implemented, we can use the inherent strength of DLT to leverage this enormous network to provide privacy, integrity, availability and non-repudiation.
We think about two groups of potential customers. Application owners like Google and Amazon and consumers. Consumers have established relationships with application owners that they rely on for their daily lives.
With our limited resources and the immaturity of relevant technologies, we don’t have the time or money to build a moat, so we will drive for adoption by giving away services. Once we have established critical mass, we will explore distributed applications such as word processors and search engines where users can control not just the policies for how their data can be used but the actual data itself. In doing so we will move from a value chain to a disruptive strategy.
We remain a bit bifurcated on our identity. We see the betterment of society through the improved productivity and democratization of systems, but respect the value add that companies like Google and Facebook deliver. To the application owners, we offer frictionless privacy compliance as a service but to the consumers we want to help them take back control of their personal information from the application owners. In each case, our value to one customer segment will be seen at a detractor by the other.
Since end users don’t have a good mechanism for managing their privacy across the sea of digital applications, we see little competition there. Most established application owners will not want to relinquish control of personal information, so we will seek out larger established partners who’s prefer to adapt than die.