On 23 October 2020, i3-MARKET held a webinar “Three pillars for building a Smart Data Ecosystem: Trust, Security and Privacy“, co-organised with the BDVe project.
“Data is the oil of the 21st century”
Vasiliki Koniakou from the Athens University for Economy and business introduced the webinar and the i3-MARKET project by highlighting the overarching importance of data in today’s economy. Indeed, during the last decade, the amount of data has increased exponentially, and so has the company’s reliance on data to improve their processes and overall performance. As we are moving to a data-driven and digital economy, data transfer has become a top priority for the EU.
In response to the massive amounts of data issued, collected and processed, data marketplaces emerged as new business models. They act as a digital intermediaries, as they allow data sellers, data buyers and third parties to come together and trade data and data-related services. Although data transfer is a blooming sector, there are numerous challenges related to trading data.
One particular set of issues concerns Trust, Security & Privacy. These issues are closely interrelated: The lack of transparency of data trade created a low level of trust, as well as poor security levels and a lack of data privacy. These issues are of major importance for the data economy, especially since the GDPR came into force two years ago. Rather than reacting to legal requirements, i3-MARKET’s ambition is to proactively apply and shape its design choices based on Trust, Security & Privacy, according to Value sensitive design (VSD).
To this end, i3-MARKET leverages on blockchain technologies to build an interoperable and decentralised Backplane and provide the trust, security and privacy features. Throughout the project, the i3-MARKET partners will be paying special attention to regulatory aspects around sensitive data assets.
Trust: Everything under control
Focussing on the trust issue, Alessandro Amicone from GFT Italia explained how i3-MARKET plans to bring back trust to the data trading ecosystem through the use of blockchain technologies.
A trustful governance will be enabled through a consensus-based governance: Every change to the system will have to be approved by all the nodes of the network. This will allow to avoid attacks to the chain’s integrity.
The identity of the other stakeholders will be confirmed through verifiable credentials. Verifiable credentials are issued and cryptographically signed by trusted stakeholders of the network.
The accounting of payments and data exchanges will be verified through a non-repudiation protocol, enabled by a communication protocol with cryptographically signed proofs. This would also to ensure the authenticity of the data via a proof-of-origin for the data.
Security: Unlock the data with a key
Aghiles Adjaz from IDEMIA then introduced i3-MARKET’s approach to security. While blockchain relies on secure consensus protocols and state of the art cryptography, people tend to underestimate the prerequisite for this security. The key for the blockchain should always be safely and securely stored. To illustrate this crucial point, Mr. Adjaz compared it with having an armoured or reinforced door and hiding its key under the doormat – needless to say that it is pointless. Unfortunately, this defective key security is currently often the case in the practice of blockchain, which allows hackers to easily get access to cryptoassets.
To tackle this issue, the i3-MARKET solution will be based on a hardware wallet which relies on a secure element (tamper-resistant hardware platform), that will securely host applications and keys against software and hardware attacks. The hardware wallet will provide cryptographic functionalities and, most importantly, will be blockchain compatible. In addition to the traditional two authentication factors which are the possession of the wallet (What I have) and the PIN (What I know), i3-MARKET proposes to have an additional one, which is the biometry (What I am). With this proposition, i3-MARKET is aiming to provide the best user experience possible, where the user will be able to unlock his key by just presenting his fingerprint or his face.
Privacy: Meet and overcome GDPR requirements.
Finally, Juan Hernandez from UPC explained how i3-MARKET intends to give back control to users over their identity and sensitive data. In order to meet – and even overcome – the GDPR requirements, i3-MARKET’s privacy approach is based on 3 pillars.
1. Self-sovereign identity
Self-sovereign identity is a key concept for privacy. Nowadays, people have a lot of identities/accounts online (Google account, Facebook, Github). People’s credentials and sensitive information are stored there, which are gold mines for hackers to steal sensitive data, especially since a lot of people are using the same password for several accounts. Some solutions are existing, for example federated authentication, ie. signing in on a website or platform with a Google or Facebook account. But this still means that an external identity provider is managing one’s user identities, and can profile someone by knowing where and when one is logging in.
The main purpose of self-sovereign identity is to give control back to users over their identity. In the digital world, the simplest way of having an identity is to have a public key, which is complementary to the private key stored in your wallet. This is supported by blockchain: we can publish our public key (identity) in a blockchain, and it can be verified, thus we don’t need an external trusted organization that manages identities. During transactions, one would be able to disclose information (claims) in a selective manner, for example name, surname, nationality, gender, age, etc. This is known as zero knowledge protocols and zero knowledge proof: Only the necessary data is disclosed, and there is need to store user’s data, as it can be checked in real time at any time.
As a result, the self-sovereign identity concept is better for users, but also very convenient for administrators or organisations: They don’t need to store personal and sensitive data, thus there is no risk of data leaks. It allows to meet the GDPR requirements of data minimization and reduces the costs, e.g. data storage costs.
2. Explicit user content
The GDPR is very specific about the importance of explicit user content, as it states that the data subject should have consented to the processing of his/her personal data and has the right to withdraw the consent at any time. The i3-MARKET solution allows to gather explicit user content via a verifiable credential. This means that the consent can’t be faked and that no operation will be allowed without proper user consent. Thus, the data can only be sold or processed under the agreed conditions. Currently, the i3-MARKET partners are working on a revocation system for verifiable claims.
3. Auditable Accounting
In i3-MARKET, there will be a reliable accounting system backed up by a blockchain. The idea is to be able to monitor selected operations, e.g. asset modification and deletion of sensitive data. This means that it would be possible at any time to verify who performed a transaction. This would also allow for reliable proofs, for example a proof for the payment of data or for a contractual agreement. Through a non-repudiation protocol, proofs cannot be repudiated by the involved stakeholders. Backed up by a public blockchain, these privacy-guaranteed proofs of data exchange will support any future claim regarding a data trade.