Sunday, June 16, 2019

Block Chain and Personal Privacy:


In the current culture of the internet and content providers, Personally Identifiable Information (PII) is easily abused because it is easy to transfer, easy to copy, and can be securely stored (1). Content providers, healthcare professionals, and the government all protect this information lazily on behalf of the people they serve once an actor agrees to the following enforcement principles: Enforcement of Validity (2) and Enforcement of Separation of Duty (2).

The mentality is that once an entity has evaluated the integrity and background of the actors it interacts with, Trust is assumed. This establishes Enforcement of Validity (2) and naively holds that, as long as an entity can guarantee that all actors maintain this level of Trust, Risk can be eliminated. Establishing a base metric of Trust, and passing an artifact between actors with equivalent baselines, allows a network to be established and a Secure System to be maintained. So long as an artifact stays within the rules defining Enforcement of Separation of Duty, there is little to no Risk of violations being committed in the Secure System by un-trusted actors.

While agencies have gone to great lengths to maintain the integrity of PII and to ensure that its use carries low risk, the core facets of a system, measured by its ability to maintain Reliability, Availability, Maintainability, and Redundancy (3), can be violated when current implementations of PII are evaluated as a system (4). For the context of this post, PII will be thought of as a Secure System.

An application of the Block Chain can serve as a Trusted System for Personally Identifiable Information: it can establish a framework that minimizes risk and adds Reliability, Availability, and Maintainability to a system whose current implementation cannot provide them.

Here is what that application could look like:

The framework enables the system to establish a Secure System for Personally Identifiable Information (PII). There are three interactive roles in the system:
  • Actors
  • Requestors
  • Source of Identity
Transaction definitions are handled via contracts.
An actor is the lowest-privileged of all the users and represents an individual or taxable identity. This type of user can log in throughout the network against sites defined as requestors, or request transactions with other actors or requestors.

Requestors have no login privileges. Requestors can ask for validation against actors and/or requestors to verify their identities. Requestors can only see information that they have contracted for between the privacy application and the requestee. Requestors must also establish a contract with the Source of Identity they choose to use.

Sources of Identity (SOI) are the entities that are the true root of authority. These entities define what PII is and whom it describes, and can define their own identifiers. An example of such an entity would be a Government. New sources are needed but not yet defined. This type of entity is useful for private networks or for gating access to certain parts of the digital world. Sources of Identity must maintain their contracts with the requestors.

Contracts set the rules for the communications. At a basic level, all requestors can use an alias from the privacy application as a method of authentication, but the Requestor cannot get any additional information about the Actor it is serving. Contracts between requestors that need to use information from a Source of Identity

Requestors can make authentication requests between users, and if they need to check details about a user, the Source of Identity must already have given them permission to view that information, and there must also be an agreement between the user and the requestor. If any link is broken, the request is automatically denied.

When a requestor is created, it may choose a Source of Identity; doing so allows the Requestor and the Source of Identity to negotiate what information the Requestor will be able to see about a User or another Requestor.
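As an added illustration (not code from this post), the contract chain described above can be modelled in a few lines of Python: a ledger records the Source of Identity's contract with a requestor and the actor's agreement with that requestor, and the SOI answers a requestor's validation request with only valid, invalid or denied, denying whenever either link is missing or has been revoked. The HMAC-based proof, the role names and the sample "gov"/"alice"/"shop" data are assumptions made for the example; the post does not specify how proofs are built.

```python
import hashlib
import hmac
import secrets

# Added illustration; the HMAC commitment is an assumption, not the post's design.
class PrivacyLedger:
    """Append-only record of the two links a request needs: the SOI's contract
    with a requestor, and the actor's agreement with that requestor."""
    def __init__(self):
        self.entries = []   # (kind, granter, requestor, attribute, active)

    def grant(self, kind, granter, requestor, attribute):
        self.entries.append((kind, granter, requestor, attribute, True))

    def revoke(self, kind, granter, requestor, attribute):
        self.entries.append((kind, granter, requestor, attribute, False))

    def holds(self, kind, granter, requestor, attribute):
        # nothing is deleted; the latest entry for a link decides its state
        states = [e[4] for e in self.entries if e[:4] == (kind, granter, requestor, attribute)]
        return bool(states) and states[-1]

class SourceOfIdentity:
    """Root of authority: the only party holding PII and the commitment key."""
    def __init__(self, name, ledger, pii):
        self.name, self.ledger = name, ledger
        self._key = secrets.token_bytes(32)   # never leaves the SOI
        self._pii = {a: dict(v) for a, v in pii.items()}   # actor -> {attribute: value}

    def contract(self, requestor, attributes):
        for a in attributes:
            self.ledger.grant("soi", self.name, requestor, a)

    def _tag(self, actor, attribute, value):
        msg = f"{actor}|{attribute}|{value}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue_proof(self, actor, attribute):
        """Given to the actor to present; commits to the value without revealing it."""
        return self._tag(actor, attribute, self._pii[actor][attribute])

    def validate(self, requestor, actor, attribute, proof):
        """The requestor learns only valid/invalid/denied, never the value itself."""
        links_ok = (self.ledger.holds("soi", self.name, requestor, attribute)
                    and self.ledger.holds("actor", actor, requestor, attribute))
        value = self._pii.get(actor, {}).get(attribute)
        if not links_ok or value is None:
            return "denied"                   # any broken link denies the request
        ok = hmac.compare_digest(proof, self._tag(actor, attribute, value))
        return "valid" if ok else "invalid"
```

Revoking the actor's agreement on the ledger (a "delete alias" under the Recoverability goals) turns a previously valid request into a denied one without touching the PII itself.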

The goals of this system are:
Authentication and Verification:

  • Authenticate actors to actors or actors to requestors while never passing PII.
  • Be the authority of validation to prove identity.
  • Create unique links between actors and actors or actors and requestors.
  • Ensure that Enforcement of Validity is maintained in the system between actors and/or requestors at all times.
  • Allow actors explicit control over which of their information other actors or requestors are permitted to see.
Communication:

  • Allow for validation of information without passing identity revealing information
  • Maintain channels of communication over insecure mediums
  • Ensure transparency of the system while maintaining individual privacy
  • State transitions of the system only act in consensus
Storage:

  • Ledger of interactions between entities.
  • Eliminate the need for PII to be stored outside the system (either in the privacy application or by Sources of Identity).
  • Limit the ability of requestors to store PII.
Recoverability:

  • Recover from PII breaches.
  • Delete aliases between actors and requestors.
Redundancy:

  • No single point of failure.  Distributed processing and storage.
1. Jøsang, A. and Lo Presti, S. Analysing the Relationship between Risk and Trust. In: Trust Management. Springer, Berlin, Heidelberg, 2004, pp. 135-145.
2. Clark, D. D. and Wilson, D. R. A Comparison of Commercial and Military Computer Security Policies. 1987 IEEE Symposium on Security and Privacy. IEEE, 1987, pp. 184-194.
3. Jackson, Y., et al. The new Department of Defense (DoD) guide for achieving and assessing RAM. Reliability and Maintainability Symposium, 2005. Proceedings. Annual. IEEE, 2005, pp. 1-7.
4. Lin, I.-C., Lin, Y.-W. and Wu, Y.-S. Corresponding Security Level with the Risk Factors of Personally Identifiable Information through the Analytic Hierarchy Process. Journal of Computers, Vol. 11, 10.1770, 2016.

