The Business Challenge
The General Data Protection Regulation (GDPR), California Consumer Privacy Act and others like them have given organizations worldwide reasons for pause in their customer-facing IT decisions.
How should customer information be collected, stored and managed to ensure accuracy, privacy and security, and to enforce the right to be forgotten?
At 1Kosmos we set out to develop solutions with GDPR compliance in mind. “Privacy by Design” starts by putting the customer in control of their own data and removing all other access to their data, except with explicit consent by the individual to share specific personal information. To do this, we needed to eliminate central storage, take away the keys to their PII from administrators, create one and only one key and put it under sole control of the user.
Our distributed ledger, developed to W3C DID standards, our verification to W3C VC standards, and our biometric authentication certified to FIDO2 standards achieve precisely this goal, giving users sole access to and control of their information, which is encrypted, never held in the clear, and secured to the highest standards available.
The BlockID Advantage
Privacy by design secures personal information under user control and eliminates the threat of a data breach
During enrollment, information collected from scanned credentials is encrypted and stored in a distributed ledger to the W3C DID standard, accessible only via a FIDO2-certified public-private key pair.
The private key is secured in the TPM / Secure Enclave of the device and is under the sole control of the user via their live biometric selfie. The corresponding public key is stored on 1Kosmos Cloud infrastructure built on a distributed ledger.
Without the private key, the data cannot be decrypted. There is no central authority overseeing data access other than the user in possession of the private key.
Data is only transmitted after user consent is given. This happens via an explicit permission request and confirmation via the mobile app.
Since there is no user store and no centralized storage of user information, there is no honeypot of personally identifiable information to secure against the threat of a data breach.
Identity documents are verified securely to retain privacy and prevent unwanted disclosure to unauthorized parties
When users scan their identity documents (e.g., a driver’s license), we scan the front of the license and the “PDF417” barcode on the back, performing real-time ID card detection and classification. For passports we read the “MRZ” data, perform UV, white light and ink-depth checks, and scan the embedded RFID chip.
Within minutes, we verify the validity of those credentials and the information they contain to W3C VC standards using artificial intelligence (AI) and, if necessary, leading third-party verification services. This can produce a cryptographically secure, private and verified digital credential for practically any machine-readable document on the Web, including educational degrees/certificates, vaccination records, financial statements, etc.
This information is never stored in the clear or shared without consent and is under the sole control of the user.
Our mobile app has built-in zero-trust checks that verify the patch level, device security, jailbroken status, etc., to ensure device integrity, particularly in bring-your-own-device environments.
At all times personally identifiable information is under the control of the user and is shared only with their consent
The 1Kosmos BlockID platform works on the principle of public and private cryptographic keys in which the private key is stored on the user’s device (Secure Enclave) and cannot be accessed by anyone else, while the corresponding public key is stored on 1Kosmos Cloud infrastructure built on a distributed ledger.
Because the personal information stored in our distributed ledger is sharded and encrypted, it is not readable without the private key. If the key is destroyed, access to the information is gone and recoverable only via the lost / stolen procedure, which follows the Bitcoin Improvement Proposal 39 (BIP39) recovery standard.
In practice, BIP39 defines a mnemonic phrase, in our case a set of 12 words selected at random from a standard word list and assigned to the user. For a lost or stolen device, this word list can be used to regenerate the public-private key pair. Deliberately destroying both the word list and the key removes any realistic possibility of recovering the data.
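The mechanics behind such a 12-word phrase, as an added example that is not 1Kosmos code and says nothing about how BlockID itself derives keys: BIP39 turns 128 bits of entropy into 12 word indices (11 bits each, the last 4 bits being a SHA-256 checksum), and turns the resulting phrase into a 64-byte seed with PBKDF2-HMAC-SHA512, from which a key pair can be regenerated. A mistyped word is caught by the checksum; a different (or destroyed) phrase yields a completely different seed. The word list stub, the test vector (the all-zero entropy phrase from the BIP39 reference vectors) and the optional passphrase "TREZOR" are assumptions for the demonstration; a real implementation loads the full 2048-word English list.

```python
"""BIP39 recovery-phrase mechanics: entropy -> word indices -> phrase -> seed.

Added illustration; not the 1Kosmos implementation. The word list below is a
constructed stub holding only the two entries the all-zero test vector needs;
a real implementation loads all 2048 official English words.
"""
import hashlib
import unicodedata

WORDLIST_SIZE = 2048      # 2^11 words, so each word carries 11 bits
PBKDF2_ROUNDS = 2048      # fixed by the BIP39 specification

# Constructed stub of the official list: index 0 is "abandon", index 3 is "about".
STUB_WORDS = {0: "abandon", 3: "about"}


def entropy_to_indices(entropy):
    """Append the checksum (first ENT/32 bits of SHA-256) and split into 11-bit indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    cs_bits = ent_bits // 32                               # 4 checksum bits for 128-bit entropy
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits                             # 132 bits -> 12 words
    return [(combined >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def indices_to_entropy(indices):
    """Reverse the split and verify the checksum. Returns None if the phrase is corrupted."""
    n = len(indices)
    if n % 3 != 0 or not 12 <= n <= 24:
        return None
    total = n * 11
    cs_bits = total // 33                                  # 12 words -> 4 checksum bits
    ent_bits = total - cs_bits
    combined = 0
    for idx in indices:
        if not 0 <= idx < WORDLIST_SIZE:
            return None
        combined = (combined << 11) | idx
    entropy = (combined >> cs_bits).to_bytes(ent_bits // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    return entropy if (combined & ((1 << cs_bits) - 1)) == expected else None


def indices_to_phrase(indices, words=STUB_WORDS):
    """Map indices to words; raises KeyError for indices the (stub) list does not cover."""
    return " ".join(words[i] for i in indices)


def mnemonic_to_seed(mnemonic, passphrase=""):
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = 'mnemonic' + passphrase, NFKD text."""
    m = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", m, salt, PBKDF2_ROUNDS, dklen=64)


if __name__ == "__main__":
    indices = entropy_to_indices(bytes(16))                # all-zero test entropy
    phrase = indices_to_phrase(indices)
    print("phrase :", phrase)
    print("valid  :", indices_to_entropy(indices) is not None)
    print("typo   :", indices_to_entropy(indices[:-1] + [4]) is not None)
    print("seed   :", mnemonic_to_seed(phrase, "TREZOR").hex())
```

The seed, not the phrase, is what a wallet-style key-derivation step consumes, so whoever holds the 12 words can regenerate the key pair on a new device, and once both the phrase and the device-bound private key are gone there is no remaining path to the seed.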