Murphy’s law states: “Anything that can go wrong will go wrong.” It always happens with centralized services. A year ago, we saw how half a million Facebook accounts were leaked online, exposing personal data. We will see it many times more with other services. The recent Twitter hack underscores this once again. The accounts of Elon Musk, Bill Gates, Jeff Bezos, Kanye West, Kim Kardashian, Mike Bloomberg, Joe Biden, Barack Obama, among others, were hacked to push a fraudulent offer with Bitcoin (BTC).
Writing for the BBC, cybersecurity commentator Joe Tidy opined: “The fact that so many different users have been compromised at the same time implies that this is a problem with Twitter’s platform itself.” All accounts were vulnerable; it was just a matter of choice for the hackers: Using celebrities is better to “endorse” scams.
The problem is that even if Twitter or any other service with similar architecture continues building the cybersecurity walls around its system, it will become more complicated and expensive, but not safer. The current paradigm of centralized services cannot offer a safer solution for users’ authentication.
I have recently written about new technologies that could protect data and digital identity, using the example of Australia and the European experience and how public key certificates could be protected with blockchain technology against distributed denial-of-service and man-in-the-middle attacks. Although my analysis was quite technical and thorough, perhaps it would be better to take a step back and comb through some general yet pertinent details that may enhance data protection.
Here is some terminology for you to use when asking your service provider, your online store or your government about whether they are protecting your personal data:
- Decentralized identifiers, or DIDs, is a general framework by W3C with various methods to create and manage personal identifiers in a decentralized way. In other words, developers of online services do not need to create something new if they want to use the potential of decentralized technologies. They can utilize these methods and protocols.
- Selective disclosure protocol, or SDP, which was presented last year at the EOS Hackathon by Vareger co-founder Mykhailo Tiutin and his team, is a decentralized method for storing personal data (using DIDs) with cryptographic protection on a blockchain. With SDP, the user can disclose carefully selected pieces of information in any particular transaction.
- Self-sovereign identity, or SSI, is a concept that, in simple terms, allows users to be the sovereign owners of their personal data and identity, not third-parties. It implies that you can store personal data on your device, not on Twitter’s or anyone else’s server. To illustrate the power of the SSI concept, think about this statement: It is easier to hack one centralized system storing millions of accounts than to hack millions of personal devices. But the issue is much deeper. If we ever face a digital dictatorship, the root of this problem will be the absence of the right to control and prohibit third parties (including the government) to store and operate your personal data. The terrible experiment with Uighurs in China is a case in point. The citizens do not have the legal right to say no to the government collecting their personal data. Of course, the Chinese government created accounts without their consent to obtain records of what it considers to be inappropriate behavior.
To put things into perspective, let’s go through a hypothetical situation.
Use case: Alice and her digital identity
Alice generates her cryptographic pair: a private and public key. The private key encrypts transactions, using a digital signature; the public key decrypts them. The public key is used to verify whether Alice signed in, signed the contract, signed the blockchain transaction, etc.
To protect the private key, she will store it on a secure hardware device with PIN protection, for instance, on a smart card, a USB authentication token or a hardware cryptocurrency wallet. Nevertheless, a cryptocurrency address is a representation of a public key, meaning Alice can use it as her coin and token wallet.
Although the public key is anonymous, she can also create a verified digital identity. She can ask Bob to certify her identity. Bob is a certificate authority. Alice will visit Bob and show her ID. Bob will create a certificate and publish it on a blockchain. “Certificate” is a file that announces to the general public: “Alice’s public key is valid.” Bob will not publish it on his server the same way other traditional certificate authorities do now. If a centralized server were ever disabled in a DDoS attack, no one would be able to confirm whether Alice’s digital identity is valid or not. In the MITM attack someone can fake her identity. This would be impossible if the certificate or at least its hash sum were published on-chain.
With a verified ID, she can perform official transactions, for example, registering a company. If Alice is an entrepreneur, she may want to publish her contacts, such as a telephone number. Using a blockchain is a safer choice because when data is published on social media, a hacker can break into an account and replace it to redirect calls to another number. None of this would be possible on a blockchain.
If Alice goes to a liquor store, she can use her verified DID. The seller, Dave, will use his app to verify and confirm Alice’s DID instead of her paper ID. Alice does not need to disclose her name and date of birth. She will share with Dave’s app her identifier, which Bob certified, her picture and an “Above 21 y.o.” statement. Dave trusts this record because Bob is a certificate authority.
Alice can create various pseudonyms for online shopping, social media and crypto exchanges. If she loses her private key, she will ask Bob to update his record on the blockchain to announce that “Alice’s public key is invalid.” Therefore, if someone stole it, everyone who interacts with her public key will know that they should not believe transactions signed with this key.
Of course, this is a simplified scenario, but it is not unrealistic. Moreover, some of these processes already exist. For example, the Estonian e-Residency card is nothing more than a smart card with the user’s private key. With this card, you can remotely register a company in Estonia or even sign contracts. Being integrated into a larger market, Estonian digital signatures are recognized across the European Union. Unfortunately, its governments still do not protect certificates on blockchains.
Knowledge is power. Users should know that their cybersecurity is not only in their hands, as one might say. Software and social media giants ought to make the shift to improve security standards, and users ought to demand it.
The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.