Protecting Personal Data – Could Blockchain Have Helped Prevent Equifax Breach?

  • Reference on what happened at Equifax
  • Digital identity tokens
  • Obstacles to national ID
  • Blockchain for securing personal identity
  • Upcoming events / discount codes

The Equifax data breach is another wake-up call regarding the security of personal information. Perhaps it will add impetus to the idea of enhancing ways for individuals to safeguard their personal information that is stored by institutions. Maybe some of the ideas for using blockchain technology will be helpful.

SC Magazine published an article detailing what is thought to have occurred in the Equifax breach: “Apache Struts vulnerability likely behind Equifax breach, Congress launches probes.” (https://www.scmagazine.com/apache-struts-vulnerability-likely-behind-equifax-breach-congress-launches-probes/article/687955/) The author notes,

“The incident could also ‘have wide-reaching implications for how Americans identify themselves in the future, such as when applying for banking and credit services – simply knowing a name, date of birth, address and Social Security number shouldn’t ever be enough,’ says [Alex] Smith. ‘This breach could finally be the security wakeup call the US needs to widely adopt digital identity tokens, and potentially a digital national identity scheme similar to other countries such as Belgium.’” [see “The Belgian Electronic Identity Card (Overview)” https://www.esat.kuleuven.be/cosic/publications/article-769.pdf]

There are two reasons why a national digital identity scheme may be a long time coming in the US. First, it would run into conflicts with our having 50 states and other jurisdictions like the District of Columbia, Puerto Rico, and Guam, each issuing identity credentials, such as driver’s licenses. Second, we have a history of shunning national identification (paradoxically for fear of privacy concerns), as evidenced by Congress specifically saying that no federal funds shall be spent on a national health identification number (see PUBLIC LAW 105–277—OCT. 21, 1998, “None of the funds made available in this Act may be used to promulgate or adopt any final standard under section 1173(b) of the Social Security Act (42 U.S.C. 1320d–2(b)) providing for, or providing for the assignment of, a unique health identifier for an individual (except in an individual’s capacity as an employer or a health care provider), until legislation is enacted specifically approving the standard.”).

Given these national obstacles to updating how identity is managed in the US, it seems we may have to rely on the marketplace to come up with solutions, instead of waiting for government to take the lead. I expect we’ll see some Congressional hearings as a result of the Equifax breach, but probably no meaningful legislation.

One possibility for marketplace activity is for institutions that rely on identity, such as banks, insurers, and so on, to adopt blockchain technology. Earlier this year, there was an article in Forbes on this: “How The Blockchain Will Secure Your Online Identity” (https://www.forbes.com/sites/jonathanchester/2017/03/03/how-the-blockchain-will-secure-your-online-identity/#e9d4bda55234).

I can imagine organizations making it a selling point to be able to provide customers with apps that allow them to control who and when their information can be accessed.

The idea is not new. It is discussed in “How GDPR plus blockchain leads to the future of self-sovereign identity” (http://www.janrain.com/how-gdpr-plus-blockchain-leads-to-the-future-of-self-sovereign-identity/). This article references a 2015 paper that concludes, “Personal data, and sensitive data in general, should not be trusted in the hands of third-parties, where they are susceptible to attacks and misuse. Instead, users should own and control their data without compromising security or limiting companies’ and authorities’ ability to provide personalized services.” (“Decentralizing Privacy: Using Blockchain to Protect Personal Data” http://web.media.mit.edu/~guyzys/data/ZNP15.pdf)

[Update 9/15/17: “Equifax has confirmed that attackers entered its system in mid-May through a web-application vulnerability that had a patch available in March.” (https://www.wired.com/story/equifax-breach-no-excuse/) and “Equifax (EFX) says its chief information officer and chief security officer are leaving the company…” (https://www.cbsnews.com/news/2-equifax-executives-exit-after-massive-data-breach/).

If you want to hear more on blockchain technology, here are a couple of opportunities:

  • September 18-20, 2017: A half-day workshop by renowned blockchain author Melanie Swan, plus two other blockchain presentations, including mine on Blockchain and the Internet of Things,at the 38th IEEE Sarnoff Symposium at the New Jersey Institute of Technology in Newark, NJ. See https://ewh.ieee.org/conf/sarnoff/2017/For a 20% discount, email Deepak Kataria at [email protected] and mention David Snyder.
  • October 23-24, 2017: Blockchain 360, InterContinental Times Square,
    New York City. See https://tmt.knect365.com/blockchain-360/
  • November 28-30, 2017: Blockchain Expo / IoT Expo / AI Expo in Santa Clara, CA. See https://blockchain-expo.com/northamerica/Register with promo code 42TEK20 for a 20% discount. Free Expo Pass also available. Email me at [email protected] if you want to connect there.

I am available for presentations and consulting on blockchain technology and data security: [email protected].