Decentralized security you can bank on
polypoly polyVerse

When big data breaches happen, as they increasingly do, attackers who gain access to a company database can walk away with a lot of data. As large corporations collect more and more data, more of it is lost when a breach occurs, whether through an intrusion or an accidental leak. Even as better security practices spread across industries, they still suffer from the fact that, in many cases, all the data is kept in one place.

“But if you start with decentralised storage, the security game is a completely different one,” says Thorsten Dittmar, founder of polypoly.

The core premise of the polyPod, the product that polypoly develops, is that all data is stored with the user, never with a service provider or with polypoly itself. Because the infrastructure is distributed, a breach of personal data cannot happen to polypoly as a whole; it would have to happen one by one, to each user's polyPod.

Because there is no master key and no central repository of everyone's data, there is no single point an attacker can compromise to collect the data in bulk. This raises the cost to an attacker by orders of magnitude: the value of breaching a single polyPod and obtaining one user's personal data is not worth the time and effort of an economically motivated attacker. In a physical metaphor, the thief has to break into a safe in each and every user's home to steal their valuables, instead of breaking once into a single big vault under the company's headquarters and taking everything. And as it turns out, the vault under the company's headquarters is not as safe as it may seem.

"The long term vision is that you own your data and you have very tight access control over who gets to do what with it, which is of course very different from the situation today where you pass your data on once under very unclear circumstances, and then your data gets passed around from company to company," says Nils Löber, security consultant.

Personal data is radioactive waste

A lot of companies rely on collecting massive amounts of data about massive numbers of people in order to get them to click on advertising. But in many ways, data is no longer simply an asset that grows more valuable the more of it you have. It is increasingly a legal and financial risk, in proportion to the amount gathered.

The key selling point of polypoly to businesses is that they no longer need to collect, store and process all this data in centralised systems. A fundamental problem with centralised systems is that all the data, which is to say all the value as well as all the liability, sits in the same place. The ratio of risk to reward thus gives cybercriminals a strong incentive to break in and steal everything at once.

"With the GDPR, retaining a lot of data creates a lot of liability. If you follow the rules of the GDPR with a decentralised system everything will get better and cheaper for both ends, for the customers and for the industry,” says Thorsten Dittmar. At the same time as the liability associated with collecting massive amounts of personal data grows, the return on investment from data used for targeted digital advertising is diminishing.

In this way, personal data has gone from being seen as oil in digital form to being the digital equivalent of radioactive waste: once valuable, now toxic, and the more of it you have lying around, the worse off you are. Decentralising where the value, and thus the liability, is situated spreads the risk out and makes the reward for breaching any one person's data low compared to the situation today.

Who wants to steal your data?

As in all computer systems, there remains the risk of undiscovered vulnerabilities that attackers could exploit.

"It is of course conceivable that the polyPod could contain vulnerabilities that would allow a mass exploit of devices but that would be much more difficult because you would still have to reach every pod individually rather than just cracking the defences of one central provider and then downloading the entire database," says Löber.

Building a resilient, distributed system for storing personal data reduces the overall threat of data breaches, but it does not protect against every attacker. When designing the security architecture of the polyPod, the security team at polypoly prioritises mitigating certain risks over others. Three main types of attacker, with different capabilities and intents, make up the threat model of the polyPod; a fourth, state actors, is deliberately given less weight.

The main threat that polypoly takes into account is the data industry, such as cloud providers and data brokers, which has a vested interest in scraping as much personal data about users as it can. Alongside it sit financially motivated cybercriminals, who are a major threat to users whose data is kept in the industry's vaults and exposed to mass compromise. The capabilities of both the industry and the business-driven hacker are formidable, but to polypoly's benefit their intent is a mitigating factor: because they are driven by money, simply raising the cost of attacking the polyPod by distributing the data has a disincentivising effect.

Another threat to take into account is the lone hacker, whose capabilities vary wildly. At the bottom rung are 'script kiddies' who only know how to run other people's exploits against a system. At the top are accomplished security researchers with the experience and expertise to find vulnerabilities the software's programmers missed. The intent of lone hackers also varies, but curiosity and status are often at play; finding flaws in a system can feel like an achievement in a game. Some cross over into hacking for money, which immediately places them in the first category of attacker. Against low-level hackers, keeping security measures up to date is enough. Against elite hackers, the best defence is to invite them inside, either as penetration testers and security auditors or through bug bounty programmes.

Thirdly, there are the threats closest to home: people with personal ties to the user and physical access to their devices. A prime example is a jealous or abusive partner. A whole market has emerged to serve this threat, in the form of so-called 'spouseware' or 'stalkerware'. The capabilities of this kind of attacker are usually modest, even as the price of stalkerware keeps falling. The main problem is that they often have direct physical access to the user's devices. Short of systemic responses against the stalkerware industry, this type of attacker is hard to defend against, because the digital attack is usually only one component in a wider system of social control that includes psychological and even physical abuse.

Lastly, there is a distinct type of threat on which the security team at polypoly currently places less focus.

"Then there are government agencies but that's something we will only be able to take into account insofar as mass surveillance activities are concerned. We will make those as hard as possible but we make no pretence about being able to protect users against targeted attacks from the NSA or something similar," says Löber.

Defending against a government or state-sponsored attacker is extremely difficult. Governments and security services have very large budgets to spend on hacking tools and on the state hackers who use them. And because they are not driven by business incentives, they are persistent: a state-sponsored attacker does not give up when you take countermeasures, it looks for ways around them. The silver lining is that the targets of government attacks, as unfortunate as they may be, are a relatively small group of people. Helping them defend their data requires not only a level of digital security beyond the scope of what polypoly offers, but also training and psychosocial care and support.

Further down the roadmap, there are conversations within polypoly about building hardened polyPods specifically designed for users at high risk.

All power to the user

The infrastructure of the polyPod offers a defence against attackers who wish to vacuum up all of a cloud-based service's data in a single breach, and against governments wishing to perform mass surveillance. But in itself it is not a replacement for good security practice.

"The pod itself is not some silver bullet solution for keeping data secure, but it keeps data secure from the access of large corporations that want to sell your data. We as polypoly can only make so many security guarantees when it comes to the polyPod as it still lives in the potentially hostile environment of the user's machine," says Löber.

Rather than offering security guarantees, the polyPod offers a solution to a specific problem. Using it still requires baseline security measures such as proper password management, keeping software up to date, and being aware of phishing attempts. In other words, it does not require the user to take any steps beyond what is already best practice for securing their devices and accounts, even if not everyone currently follows those basic steps.

"As long as you have no pretence about being able to defend against the NSA, security isn't that hard to achieve once you do basic things. If the user is willing to invest some work to keep their private data safe, then arguably, they are in a better position than in the world right now where you leave the responsibility to corporations," says Löber.

A general design principle of polypoly is 'data frugality': if the company can avoid handling user data, it does so, unless handling it is strictly necessary to operate its infrastructure. But putting power over their data in the hands of users also means putting responsibility in their hands.

"The policy is 'power to the user' and that includes the power to shoot themselves in the foot if they so desire," says Löber.

However, polypoly has design efforts underway to make sure that users have the best conditions under which to make decisions about their data, whether they are hardcore hackers comfortable with command-line interfaces or people who need a friendly, helpful graphical interface.

"To reach a mass market it will require sensible defaults made available very easily but also the user always has full freedom. It must be secure by default but allow the user to customise and do whatever they want with their data no matter what polypoly thinks about it," says Löber.

There are also ideas for built-in fail-safes to mitigate the risk of users running the polyPod on an unsafe device.

"There's the idea of having the pod be self-monitoring. Of course, this only goes so far because the environment is always hostile. But for example, the Pod could check whether the operating system is patched and if it's not, it could stop accepting data of a certain sensitivity," says Löber.
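The self-monitoring gate Löber sketches above can be expressed as a small policy that fails closed. The following Python is an added illustration written for this article, not polyPod code: the `HostPosture` fields, the sensitivity tiers and the patch-age thresholds are all assumptions chosen to show the shape of the check, and the host facts at the bottom are constructed sample input rather than anything read from a real device.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Tuple


class Sensitivity(IntEnum):
    """Hypothetical sensitivity tiers for data handed to the pod."""
    PUBLIC = 0      # nothing personal, accept anywhere
    PERSONAL = 1    # ordinary personal data
    SENSITIVE = 2   # e.g. health or financial records


@dataclass
class HostPosture:
    """Facts the pod can observe about the device it runs on (assumed fields).

    None means the pod could not determine the fact; the policy below treats
    unknown as worst case, because the host environment is assumed hostile.
    """
    patch_age_days: Optional[int]     # days since the last OS security update
    disk_encrypted: Optional[bool]    # whether the pod's storage is at rest encrypted
    debugger_attached: bool = False   # another process is inspecting the pod


# Assumed thresholds, not polypoly's.
MAX_PATCH_AGE_FOR_SENSITIVE = 14
MAX_PATCH_AGE_FOR_PERSONAL = 60


def ceiling(posture: HostPosture) -> Sensitivity:
    """Highest sensitivity the pod will accept on this host.

    Each observed weakness lowers the ceiling; missing facts drop it to
    PUBLIC so that a probe that cannot run never silently grants access.
    """
    if posture.debugger_attached:
        return Sensitivity.PUBLIC
    age = posture.patch_age_days
    if age is None or posture.disk_encrypted is None:
        return Sensitivity.PUBLIC
    if age <= MAX_PATCH_AGE_FOR_SENSITIVE and posture.disk_encrypted:
        return Sensitivity.SENSITIVE
    if age <= MAX_PATCH_AGE_FOR_PERSONAL:
        return Sensitivity.PERSONAL
    return Sensitivity.PUBLIC


def accept(level: Sensitivity, posture: HostPosture) -> Tuple[bool, str]:
    """Decide whether a record of the given sensitivity may be stored now.

    Returns (decision, reason) so the UI can tell the user what to fix.
    """
    cap = ceiling(posture)
    if level <= cap:
        return True, f"accepted: host ceiling is {cap.name}"
    return False, f"refused: {level.name} data exceeds host ceiling {cap.name}"


if __name__ == "__main__":
    # Constructed sample hosts; a real pod would fill these from OS probes.
    hosts = {
        "freshly patched, encrypted": HostPosture(3, True),
        "a month behind, encrypted": HostPosture(30, True),
        "three months behind":       HostPosture(90, True),
        "patch state unknown":       HostPosture(None, True),
        "under a debugger":          HostPosture(3, True, debugger_attached=True),
    }
    for name, posture in hosts.items():
        ok, why = accept(Sensitivity.SENSITIVE, posture)
        print(f"{name:28s} -> {why}")
```

The point of returning a ceiling rather than a yes/no is that the pod can keep accepting low-value data on a neglected device while refusing the records that would actually hurt the user if the device were already compromised, which matches the "stop accepting data of a certain sensitivity" behaviour described above.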