Australia is in the global news again for all the wrong reasons. Both of its two largest telecommunications companies, Telstra and Optus, recently suffered major data breaches.

And while everyone is pointing fingers at these businesses, what is being missed is that the fault is not theirs, and that breaches like these will keep happening indefinitely for as long as our current regulatory framework stays in place. Follow the chain of responsibility to its end to find out who is ultimately accountable and you do not arrive at the companies at all. You arrive at the regulators.

The golden rule is: do not collect what you cannot protect. As anyone in cybersecurity is acutely aware, it is impossible to operate in the online, digital economy and be 100% certain your servers will never be compromised. That leaves only one remaining option: do not collect the information in the first place.

I was recently reading this article by Jameson Lopp about home security, which made me come to this realisation.

If the regulators had not forced these companies to keep such extensive amounts of personal data on all of their customers (against the companies' own wishes), there would be no point hacking them, and attackers would not bother going to the effort of breaking in.

Rule number one of preventing break-ins is to appear, to would-be thieves and hackers, to have nothing worth stealing, and ideally to genuinely have nothing worth stealing if they do manage to get in.

Rule number two is to make it slightly more difficult to break into your place than into your next-door neighbour's.

From an Australian perspective this means our regulators should free Australian companies from having to keep private customer data, making Australian honeypots less lucrative to would-be hackers than comparable honeypots in the UK, NZ, USA and so on.

Cyber Security is becoming a bigger risk than ever

For some perspective, let's look at the flow of history and how every new wave of technology turns the previous era's assets into liabilities.

In our grandparents' generation it was all about owning physical assets:

  • Own the biggest factory: Ford, GM & ExxonMobil
  • Own the most real estate: Hilton, Marriott, etc

Then the internet came and turned these businesses' assets into liabilities:

  • Factories are highly immobile, and easy for unionised employees to hold to ransom and use as leverage to extract higher pay from entrepreneurs
  • Real estate is also highly immobile, and easy for governments to aggressively regulate or tax

In response, the next wave of entrepreneurs found a way around this:

  • Uber: The world’s biggest taxi company, owns no cars
  • Airbnb: The world’s biggest hotel company, owns no real estate
  • Facebook & Google: The world’s biggest media companies, create no content

These companies derived their value from a new type of asset: your user data. But just when these companies seemed invincible, the game changed again. All this centralised data is a gold-mine target for hackers:

  • Yahoo in 2013
  • Facebook in 2019
  • LinkedIn in 2021
  • Telstra & Optus in 2022

It is now a liability to hold user data, and these centralised organisations will carry a high risk of failure in the future:

It is well reported that hackers working for China's People's Liberation Army (four of whom were indicted by the US Department of Justice in 2020) stole the personal data of roughly 147 million Americans in the 2017 breach of the Equifax honeypot: names, Social Security numbers, birth dates and addresses, the same identity data that AML/KYC rules require businesses to collect and retain. It would stand to reason that they have done the same to Australians' data too.

How blockchains help mitigate this risk

The next iteration, set to replace hackable databases, is the blockchain: essentially a decentralised, replicated ledger. The benefit is not that the ledger is secret (everything written to a public blockchain is visible to everyone, so personal data must never be written to it) but that there is no single honeypot. Each user holds their own private key on their own device, and control of an account rests on that key alone. Instead of breaking in once and stealing the information of 1 million customers in one fell swoop, an attacker would have to compromise 1 million separate key holders to get the same data, which significantly raises the cost of acquiring it.

It is a testament to the strength of the Bitcoin blockchain that nobody has ever spent coins on it without holding the corresponding private key, or rewritten its confirmed ledger. Everything that has been "hacked" when it comes to Bitcoin has been a third-party organisation, an exchange or custodian, that held customers' private keys in its own insecure databases.

One pushback to this "don't keep any information on file" ethos is: how do businesses prove who you are without all this information? While this may seem logical at first glance, it is not correct that the information is necessary. KYC (Know Your Customer) and AML (Anti-Money Laundering) regulations are a recent thing: AML reporting in the USA dates from the Bank Secrecy Act of 1970, the customer identification rules now called KYC were mandated by the Patriot Act in 2001, Australia's AML/CTF Act arrived in 2006, and the regime has only really gained traction in the last 5-10 years. Banking worked just fine before KYC and AML. So did phone companies, utilities and every other type of business we can think of.

KYC and AML are at best well intentioned but ineffective, and at worst a ruse to keep you compliant by requiring you to give up your private personal information against your will so it can be weaponised against you, as it was against the Canadian truck drivers whose bank accounts were frozen under the Emergencies Act in February 2022, de-banked with the press of a key for being politically inconvenient to the government of the day.

A bank account, for instance, needs literally no personal data of yours whatsoever. Bitcoin is a testament to this. All that is needed to operate an account is a key pair: a private key, which is just a random 256-bit number, and the public key derived from it, which the rest of the world uses to check your signatures. That's it.

What if they're lending you money? Then they need nothing other than the title deed to your house or other asset. If you default and can't pay, the only thing they need is the ability to take possession of the asset they lent you the money to buy, sell it and recoup their money. They don't need anything else.

Are there other ways of providing information without disclosing the details?

Another potential answer to these issues is zero-knowledge proofs, which were largely academic until the launch of the Zcash (ZEC) blockchain and cryptocurrency in 2016 put them into production.

Zero-knowledge proofs are a way to prove that a statement is true without revealing anything beyond the truth of the statement. They convince the party asking that the criteria are satisfied by the party answering, while giving the asking party zero knowledge about anything else.

While not a zero-knowledge proof in the cryptographic sense, the following underscores that it is possible to prove something without giving away the exact details that AML/KYC demands.

Say, for example, you want to buy alcohol and need to prove you're over 18 years old:

  • You could provide a driver's licence or passport with your precise birthdate on it, but this document also gives away a whole host of other information, like your full legal name, home address, etc
  • Alternatively you could prove you were born in Czechoslovakia, Yugoslavia or the USSR. All of these countries no longer exist, and all were dissolved more than 18 years ago
  • Or you could prove you were born in the old Canberra Hospital, which was demolished in 1997, also more than 18 years ago

One method discloses your exact date of birth; the others prove you're over 18 without giving it away.
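The over-18 examples above are informal; here is an added example (not from the original post) of the simplest genuine zero-knowledge proof, the Schnorr protocol. The prover shows it knows the secret x behind a public value y = g^x mod p without revealing x, so the verifier learns only that the prover controls y. The same protocol, applied to a committed attribute such as a birth date, is the building block of the range proofs a real "over 18" credential would use; those are too long to show here. The block runs in a toy-sized group generated at import time (an assumption for readability: a 63-bit safe prime found by Miller-Rabin, not a real-world parameter), includes the Fiat-Shamir transform that makes the proof non-interactive, a simulator that forges interactive transcripts without the secret (which is exactly what "zero knowledge" means), and the extraction attack that recovers x if the prover ever reuses its randomness.

```python
"""Added example: Schnorr zero-knowledge proof of knowledge of a discrete log.

The prover convinces a verifier that it knows x with y = g^x mod p without
revealing x. Toy group size for readability; real systems use 2048-bit+ groups
or elliptic curves.
"""
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Deterministic Miller-Rabin; exact for n < 3.3e24, far above our sizes."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start):
    """Smallest q >= start with q and p = 2q + 1 both prime (p is a 'safe prime')."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = find_safe_prime(1 << 62)  # assumption: toy 63-bit safe prime, not a real parameter
G = 4  # 4 = 2^2 is a square mod P, so it generates the subgroup of prime order Q


def keygen():
    """Secret x and public y = g^x; x is the only thing the 'account' needs."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def challenge(y, t, context):
    """Fiat-Shamir: hash the transcript into the challenge so no live verifier is
    needed; binding the context stops the proof being replayed elsewhere."""
    data = f"{P}|{G}|{y}|{t}|{context}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove(x, y, context):
    r = secrets.randbelow(Q - 1) + 1  # fresh randomness; reusing it leaks x (see extract)
    t = pow(G, r, P)                   # commitment
    c = challenge(y, t, context)
    s = (r + c * x) % Q                # response: x is blinded by r
    return t, s


def verify(y, proof, context):
    t, s = proof
    if not (1 < t < P and 0 <= s < Q) or pow(t, Q, P) != 1:  # t must lie in the subgroup
        return False
    c = challenge(y, t, context)
    return pow(G, s, P) == t * pow(y, c, P) % P


def verify_interactive(y, t, c, s):
    """The interactive check, g^s == t * y^c, with a verifier-chosen challenge c."""
    return pow(G, s, P) == t * pow(y, c, P) % P


def prove_interactive(x, c, r):
    """Prover's answer when the verifier picked c; r is the prover's randomness."""
    return pow(G, r, P), (r + c * x) % Q


def simulate(y, c):
    """Forge an accepting transcript for challenge c without knowing x: pick s first,
    then solve for t. Real and forged transcripts are identically distributed, which
    is why a real one teaches the verifier nothing about x."""
    s = secrets.randbelow(Q)
    t = pow(G, s, P) * pow(y, (Q - c) % Q, P) % P  # y^(-c), since y has order Q
    return t, s


def extract(c1, s1, c2, s2):
    """Two responses to different challenges on the same commitment reveal x:
    s1 - s2 = (c1 - c2) * x mod Q. This is the 'never reuse a nonce' rule."""
    return (s1 - s2) * pow((c1 - c2) % Q, -1, Q) % Q


if __name__ == "__main__":
    x, y = keygen()
    ctx = "prove control of account y to this merchant"
    print("proof accepted:", verify(y, prove(x, y, ctx), ctx))
```

The age example maps onto this directly: the secret is the attribute, the public value is a commitment to it issued by someone the verifier trusts, and the statement proven is "the committed value is below this year's cut-off", with the verifier never seeing the value itself.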

The sooner every single AML/KYC regulation is repealed the better. Their dissolution would prevent the needless, government-sponsored harm of innocent people and the proliferation of their private personal information across the internet.