“Data breaches continue to make headlines around the world.” Verizon’s 2019 Data Breach Investigations Report, issued Wednesday, was direct and to the point. “No matter what defensive measures security professionals put in place, attackers are able to circumvent them. No organization is too large or too small to fall victim to a data breach… Regardless of the type or amount of your organization’s data, there is someone out there who is trying to steal it.”
Well, maybe and maybe not. Clever threats require clever solutions, and one organization that claims to have designed just such a solution is the Tide Foundation. No data breach hits harder than a large-scale, public compromise of consumer names, contact details and financial records. And this is where the non-profit’s technology aims to step in. First, to prevent companies breaching consumer data by denying them indiscriminate access on any level, and, second, to rebalance the commercial value of the data itself by compensating consumers when their data is monetized – if they actually want it to be monetized.
Tide is so confident in the quality of its tech that it has issued a challenge: “come hack us if you can,” they have said, and they’ll be forced to rethink. “The callout is asking for anyone in the blockchain, security or wider developer community to have a play, have a crack and test our claim,” co-founder Michael Loewy told me. “It’s truly an unbreakable encryption standard. We’d be equally happy if a contribution from the community helps us improve the standard. To put our money where our mouth is, we’ve placed a Bitcoin behind our protection, so if anyone gets through it’s there for the taking.”
The challenge can be found here. Tide has stored the details of a single Bitcoin in “the simplest website setup possible, in a database record behind a web server.” If you can break in with the correct username and password, you get the Bitcoin and the bragging rights. Tide has removed typical defenses, including firewalls. The twist, though, Michael explained, is that “we used our unique protection mechanism for the data and the website authentication. Even if you crack the whole thing, you won’t be able to crack the authentication or extract the data. But if you do, the Bitcoin is yours, and we’re back to the drawing board.”
The idea behind Tide is relatively simple; the protocol is anything but. “Tide’s technology is ground-breaking and like nothing I’ve seen before,” explained Professor Willy Susilo. The head of cyber at Australia’s Wollongong University is an adviser to the company, alongside the likes of Andrew Edwards, former U.K. chairman and CEO of Leo Burnett, and Tom Dery, former global chairman of M&C Saatchi. “Unlike many theories I’ve come across,” Susilo said, “they’ve developed a novel approach using cryptography and managed to apply it in a practical product that real people can interact with.”
Tide’s protocol is “end-to-end and decentralized,” or in layman’s terms “blockchained,” making use of Distributed Ledger Technology (DLT) across its entire architecture. “Current blockchain technologies,” they explain, “offer two layers of decentralized capabilities: the chained-blocks used as an immutable, verifiable data repository and smart-contracts acting as consensus-based, deterministic, programmable logic allowing execution of more complex processes – hence, dubbed as blockchain 2.0.”
Tide has developed a third layer, while still using those other two. This additional layer, dubbed Decentralized Automated Trustee (DAT), enables a unified authority capable of performing actions on behalf of users, including in their absence when they are offline. “This proprietary additional layer enables Tide to offer capabilities that don’t exist and can’t exist in the blockchain world, such as authentication and automation.”
Michael told me that for “the Tide Protocol to become a fully end-to-end ‘trustless’ solution, it has expanded the scope of blockchain to include capabilities that weren’t previously possible.”
Put (a lot) more simply, Tide’s protocol, call it Blockchain 3.0, can be deployed into an organization by a system integrator, to encrypt legacy and newly acquired data such as customer records. Each information record has its own encryption key. And the encryption key for each consumer’s information record is controlled by that specific consumer. “The information that ties the person to their information is encrypted, Tide facilitates the encryption. And the key for every person’s encryption sits with the person themselves,” explained Yuval Hertzog, another co-founder who owns the technology side of the house.
This means the consumer can set specific permissions as to when and for what purpose their data can be accessed. It means consumers can withdraw or change those permissions whenever they want. And it means consumers can be compensated if and when the organization monetizes that data externally.
This latter point theoretically creates a secure market in data trading; but unlike the privacy breaches and scandals now making headlines, the consumer participates in the market and sets the rules for their own data. If a hotel chain is selling my data to other travel companies, maybe I get a free night or even a monetary (crypto) payment if I prefer. Each consumer can view a log of when and why their data has been accessed. The protocol is integrated into the organization’s systems, making it seamless, even “invisible” for the consumer who engages with the organization as normal.
So how does this help with a massive data breach, especially from an insider threat? It does so by raising an alarm when all those keys are accessed at once. Systems can be put in place to shut it down. And for a large-scale marketing campaign? It would run as usual, but records would only decrypt when the permissions were right. Michael told me that this equates to “monetization of people’s data in a way that doesn’t require any additional input. We are trying to solve what you could consider a moral or even a human rights issue for individuals in a way that is profitable for businesses.”
Let’s take an example, I said to the Tide team, for a no-name global hotel chain that could theoretically be breached. “What they would do,” Yuval explained, “is adopt the Tide protocol. Personal profiles would be encrypted, retrospectively and for all new information coming in. Whenever this data is used by a hotel chain employee, they need to ask for permission through the Tide protocol, integrated into the hotel’s systems, with just a click of a button. They would say why they need the information, what fields they need to access. The Tide protocol would reach out and ask each consumer for their permission. Only where the permissions matched would the records decrypt.”
Clearly, this doesn’t happen in practice. It’s automated. You set your preferences and Tide does the rest. “The Tide protocol protects the hotel company from the liability of exposure from a data breach or GDPR or other privacy rules,” Yuval explained, “where a fine could take down a company. And so, first and foremost, the company benefits.”
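A minimal model of the flow described above, as an added example that is not Tide’s code or protocol: a hypothetical `KeyCustodian` releases a record’s key only when the stated purpose and fields match that consumer’s permissions, logs every request, and stops a requester that touches too many distinct records inside a time window. The class and field names, the 60-second window and the threshold of 3 are assumptions, and no cryptography is modelled.

```python
import secrets
from collections import defaultdict, deque

class KeyCustodian:
    """Hypothetical stand-in for the permission check and bulk-access alarm."""

    def __init__(self, window_s=60, max_distinct=3):
        self.window_s, self.max_distinct = window_s, max_distinct
        self.keys = {}                    # consumer -> that record's own key
        self.policy = {}                  # consumer -> {purpose: allowed fields}
        self.log = defaultdict(list)      # consumer -> access log they can view
        self.recent = defaultdict(deque)  # requester -> (time, consumer) pairs
        self.locked = set()               # requesters stopped by the alarm

    def enroll(self, consumer, policy):
        self.keys[consumer] = secrets.token_bytes(32)
        self.policy[consumer] = {p: set(f) for p, f in policy.items()}

    def request(self, requester, consumer, purpose, fields, now):
        # Slide the window, then count distinct records this requester touched.
        q = self.recent[requester]
        q.append((now, consumer))
        while q and now - q[0][0] > self.window_s:
            q.popleft()
        if len({c for _, c in q}) > self.max_distinct:
            self.locked.add(requester)    # many keys at once: raise the alarm
        # Release the key only if purpose and every field match the policy.
        allowed = self.policy.get(consumer, {}).get(purpose, set())
        granted = (requester not in self.locked and bool(fields)
                   and set(fields) <= allowed)
        self.log[consumer].append((now, requester, purpose, tuple(fields), granted))
        return self.keys[consumer] if granted else None

def demo():
    # Constructed sample data: seven guests of a no-name hotel chain.
    kc = KeyCustodian(window_s=60, max_distinct=3)
    for i in range(6):
        kc.enroll(f"guest{i}", {"billing": ["name", "card_last4"]})
    kc.enroll("guest9", {"billing": ["name"], "marketing": ["email"]})
    ok = kc.request("clerk", "guest9", "billing", ["name"], now=0)
    wrong = kc.request("clerk", "guest9", "marketing", ["name"], now=1)
    bulk = [kc.request("dump_job", f"guest{i}", "billing", ["name"], now=10 + i)
            for i in range(6)]
    return ok, wrong, bulk, kc

if __name__ == "__main__":
    ok, wrong, bulk, kc = demo()
    print(ok is not None, wrong, [k is not None for k in bulk], kc.locked)
```

The first three bulk requests succeed before the fourth distinct record trips the threshold, which is the trade-off any such alarm has to tune: a lower threshold catches a dump sooner but interrupts legitimate batch work.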
Tide claims that the technology, now being attacked by more than a thousand hackers chasing that totemic Bitcoin, takes password protection to a new level. “The idea of holding a crypto wallet or encryption keys is a gigantic problem to solve,” Yuval said to me. “This increases the security of username and password by a factor of – it’s a very large number – a factor of over a million. For the user, nothing changes. Within the system, the password is broken down into bits and that means false positives go up massively. To crack one password takes the time it now takes to crack a database.”
The idea of a firewall around each consumer’s own data, of sharing monetization, of providing logs and automated permissions, that’s a game-changer if it works. “We’ve been in stealth mode,” Michael said, “now this is a call out to the industry, for forward-thinking CEOs and CIOs to embrace privacy.”
Tide was born out of the team’s prior business, a marketing platform called Ziva. “We helped brands engage with consumers through the new medium of IoT,” Michael explained, “more interesting than cookies and browser behavior. We grew quickly, attracting enterprise level clients who pushed back and asked questions.”
The catalyst for the actual tech was Kellogg’s. Ziva architected a campaign. It was sent to head office for a rubber stamp. And head office said no, wary of the potential for a security breach with this small marketing start-up having access to their data. The campaign in question was a “Special K Fitness Challenge,” with participants sharing data from wearables with rewards based on the number of kilometers completed.
“They didn’t want Kellogg’s name dragged through a data breach,” Michael told me, “one they had no control over, one that included their most sensitive data. The solution was what we’re doing with Tide. It solved the data breach issue and secured the Kellogg’s green light. It also made it easier to comply with data privacy legislation. And that spawned Tide.”
“It’s ground-up technology,” Yuval said, “we looked for an existing solution and couldn’t find one. So we developed an encryption method that didn’t exist before. It took us six months to patent it, for the sole purpose of protecting the Tide ecosystem so no one adopting it can be exposed to a patent suit.”
Tide has filed for a patent on the authentication, eliminating the need for private keys and providing crypto users with a standard base of a username and password authentication. The company explained to me that “this mechanism can be applied to any cryptographic-key system (blockchain projects, crypto-wallets, crypto-exchanges, encryption software, p2p communication systems). It can also be applied to significantly improve on any existing authentication mechanism that exists today.”
The business is based in Australia. Initial customers, though, are likely to be much further afield. “Most of the customers we’re talking to are in the U.S. and U.K., and Europe is good for us given GDPR,” Michael said to me.
With Tide deployed, theoretically, there would have been no Marriott, no Equifax, no VW Group breaches. That’s the claim. So, is this a call out to CEOs and CIOs, I asked, are you going so far as to say to them “we can stop data breaches?”
“This is more a callout to consumers,” Michael, the marketing guy, told me. “Saying to them – shouldn’t you be expecting this from the companies and organizations holding your data. And to businesses, hurting with GDPR risk. And to policymakers. To governments trying to enforce privacy laws but they’re not practical.”
No one can fault their ambition. Now we’ll see if any of those hackers can fault their technology.