Henrik Chulu

A million safes are stronger than a single big vault

Illustration: Bart Sparnaaij

Decentralising where user data lives reduces the amount of data compromised in a breach and removes the economic reward for attackers.

When big data breaches happen, as they increasingly do, hackers who gain access to company databases can get their hands on a lot of data. And as more and more data is collected by large corporations, more data is lost when there is a breach, whether through a hack or an accidental leak. Even as better security practices are established across industries, they still suffer from the fact that, in a lot of cases, all the data is kept in the same place.

“But if you start with decentralised storage, the security game is a completely different one,” says Thorsten Dittmar, founder of polypoly.

The core premise of the polyPod, the product that polypoly is developing, is that all data is stored with the user, never with a service provider or with polypoly itself. If a breach of personal data happens to polypoly, it will have to happen to each specific user’s polyPod one by one, because of the distributed nature of the infrastructure.

Because there is no master key and no central repository of everyone’s data, there is no way to attack the system as a whole and collect the data in bulk. This increases the cost to an attacker by orders of magnitude. The potential value of breaching a single polyPod and getting access to a single user’s personal data is not worth the time and effort of an economically motivated attacker. To use a metaphor: you’d have to break into a safe in each and every one of the users’ homes to steal their valuables, whereas if all the valuables were kept in a single big vault under a company’s headquarters, you would only have to break in once to steal everything. As it turns out, the vault under a company’s headquarters is not as safe as it may seem.

“The long-term vision is that you own your data and have very tight access control over who gets to do what with it. This is of course very different from the situation today, where you pass your data on once under very unclear circumstances and then your data gets passed around from company to company,” says Nils Löber, security consultant with polypoly.

Personal data is radioactive waste

A lot of companies rely on collecting massive amounts of data about massive amounts of people in order to get them to click on advertising. But in a lot of ways, data is no longer simply an asset that gets more valuable the more you have of it. It is increasingly becoming a legal and financial risk, in proportion to the amount of data gathered up.

The key selling point of polypoly to businesses is that they do not need to collect, store and process all this data in centralised systems. A significant problem with centralised systems is that all the data, and with it all the value as well as all the liability, is kept in the same place. This means that the ratio between risk and reward creates a great incentive for cybercriminals to break in and steal everything at once.

“With GDPR, retaining a lot of data creates a lot of liability. If you follow the rules of GDPR with a decentralised system, everything will get better and cheaper for both ends, for customers and for the industry,” says Thorsten.

As the liability associated with collecting massive amounts of personal data grows, the return on investment from the data used for targeted digital advertising is also diminishing.

In this way, personal data has gone from being seen as oil in digital form to becoming the digital equivalent of radioactive waste. Once it was valuable, but now it’s toxic, and the more you have lying around the worse off you are. Decentralising where the value, and thus the liability, is situated means that the risk is spread out and the reward for breaching someone’s personal data is low compared to the current situation.

Who wants to steal your data?

As in all computer systems, there is still the risk of undiscovered vulnerabilities that could be exploited by hackers.

“It is of course conceivable that the polyPod could contain vulnerabilities that would allow mass exploitation of devices, but that would be much more difficult because you would have to reach every polyPod individually rather than just cracking the defences of one central provider, then downloading the entire database,” says Nils.

Building a resilient, distributed system of personal data storage reduces the overall threat of data breaches, but, importantly, it does not protect against any and all attackers. When designing the security architecture for the polyPods, the security team at polypoly focuses on mitigating certain risks over others.

There are three main types of attackers, with different capabilities and intents, that are part of the threat model of the polyPod.

The main threat that polypoly takes into account is the data industry, such as cloud providers and data brokers, which have a vested interest in scraping as much personal data about users as they can. Alongside them are financially motivated cybercriminals, a major threat to users who keep their data in the vaults of the data industry, vaults that are open to mass compromise. The capabilities of both the industry and the business-driven hackers are formidable, but to polypoly’s benefit their intent is a mitigating factor: because they are driven by money, simply raising the cost of attacking the polyPod by distributing the data has a discouraging effect.

Another threat to take into account is the different types of lone hackers, whose capabilities vary wildly. At the bottom rung are ‘script kiddies’ who only know how to use other people’s exploits to attack a system. At the top are accomplished security researchers who have the experience and expertise to find vulnerabilities missed by the software programmers. The intent of lone hackers also varies, but curiosity as well as status is often at play. Finding flaws in a system can be like an achievement in a game. Some cross over into hacking for money, which then instantly places them in the first category of attackers. For low-level hackers, simply having up-to-date security measures is enough. But for elite hackers, the best defence is to invite them inside, either as penetration testers and security auditors, or through bug bounty programs.

Third are the threats that are closest: people with personal ties to the user and physical access to their devices. A prime example of this is a jealous or even abusive partner. This threat has seen a whole market emerge to service its needs, in the form of so-called ‘stalkerware’. The capabilities of these kinds of attackers are usually not great, even as the price of stalkerware is continually falling. The main problem to deal with is the fact that they often have direct physical access to the user’s devices. Outside of a systemic response against the stalkerware industry, this type of attacker is hard to defend against, because the digital attack is usually only one component in a wider system of social control and psychological, and even physical, abuse.

Lastly, there is a distinct type of cyber threat that the security team at polypoly currently focuses less on.

“There are government agencies, but that’s something we will only be able to take into account insofar as mass surveillance activities are concerned. We will make those as hard as possible but we make no pretence to be able to protect users against targeted attacks from the NSA or something similar,” says Nils.

Defending against a government or state-sponsored attacker is extremely difficult. First off, governments and security forces have practically unlimited budgets to draw from to pay for hacking software and the state hackers who will use it. And because they are not driven by business incentives, they are persistent.

A state-sponsored attacker does not give up trying to access your data when you take countermeasures. They look for ways around them. The silver lining is that the targets of government attacks, as unfortunate as they may be, are a relatively small group of people. Helping them defend their data requires not only a high level of digital security, beyond the scope of what polypoly offers, but also training and psychosocial care and support.

Down the road, there is the possibility, currently under discussion within polypoly, of building hardened polyPods specifically designed for users at high risk of these types of attacks.

All power to the user

The infrastructure of the polyPod offers a defence against attackers who wish to hoover up all the data in a breach of a cloud-based service, and also against governments wishing to perform mass surveillance. But in itself, it’s not a replacement for good security practices.

“The polyPod itself is not some silver bullet solution for keeping data secure, but it keeps data secure from the access of large corporations that want to sell your data. We as polypoly can only make so many security guarantees when it comes to the polyPod as it still lives in the potentially hostile environment of the user’s machine,” says Nils.

Rather than giving security guarantees, the polyPod offers a solution to a specific problem. Using it still requires baseline security measures, such as proper password management, keeping software up to date, and being aware of phishing attempts. In this way, it does not require the user to take extra steps to secure their devices and accounts beyond what is currently best practice, even if not everyone currently follows those basic steps toward good baseline security.

“As long as you have no pretence to be able to defend against the NSA, security isn’t that hard to achieve once you do basic things. If the user is willing to invest some work to keep their private data safe, then arguably they are in a better position than in the world right now, where you leave the responsibility to corporations,” says Nils.

A general design principle of polypoly is ‘data frugality’: the company avoids handling user data unless it is strictly necessary for operating its infrastructure. But putting the power over personal data into the hands of the users also means putting the responsibility in their hands.

“The policy is ‘power to the user’ and that includes the power to shoot themselves in the foot if they so desire,” says Nils.

However, polypoly has design efforts under way to make sure that users have the best conditions under which to make decisions about their data, whether they are hardcore hackers comfortable with command line interfaces or someone who needs a friendly and helpful graphical interface.

“To reach a mass market it will require sensible defaults made easily available, but the user will also always have full freedom. It must be secure by default, but allow the user to customise and do whatever they want with their data no matter what polypoly thinks about it,” says Nils.

There are also ideas for built-in fail-safes, to mitigate the risk of users running their polyPod on an unsafe device.

“There’s the idea of having the pod be self-monitoring. Of course, this only goes so far because the environment is always hostile. But for example, the pod could check whether the operating system is patched and if it’s not, it could stop accepting data of a certain sensitivity,” says Nils.
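The self-monitoring idea described above, sketched as an added example (written for this piece, not polypoly’s polyPod code): the pod derives the highest sensitivity class it is willing to accept from a posture check of its host, and refuses writes above that level. The sensitivity classes, the posture fields (days since the OS was last patched, plus a second signal, disk encryption, which goes slightly beyond the quote) and the day thresholds are all assumptions of this example. Because the quote stresses that the environment is always hostile, a posture check that fails outright (represented here as None) is treated as the worst case, so the gate fails closed rather than open.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple


class Sensitivity(IntEnum):
    """Sensitivity classes for incoming data (constructed for this example)."""
    PUBLIC = 0
    PERSONAL = 1
    SENSITIVE = 2


@dataclass(frozen=True)
class DevicePosture:
    """Hypothetical result of the pod's self-check of its host."""
    os_patch_age_days: int   # days since the OS last received security updates
    disk_encrypted: bool     # whether the host's storage is encrypted at rest


# Policy thresholds: assumed values for the example, not polypoly's settings.
MAX_PATCH_AGE_FOR_SENSITIVE = 30   # a host this far out of date keeps nothing sensitive
MAX_PATCH_AGE_FOR_PERSONAL = 90    # beyond this, only public data is accepted


def allowed_sensitivity(posture: Optional[DevicePosture]) -> Sensitivity:
    """Highest sensitivity class the host is currently trusted with.

    A missing posture (the self-check failed) is treated as the worst case,
    so an attacker who breaks the check does not thereby open the gate.
    """
    if posture is None:
        return Sensitivity.PUBLIC
    if posture.os_patch_age_days <= MAX_PATCH_AGE_FOR_SENSITIVE and posture.disk_encrypted:
        return Sensitivity.SENSITIVE
    if posture.os_patch_age_days <= MAX_PATCH_AGE_FOR_PERSONAL:
        return Sensitivity.PERSONAL
    return Sensitivity.PUBLIC


def accept(posture: Optional[DevicePosture], sensitivity: Sensitivity,
           payload: str, store: List[Tuple[Sensitivity, str]]) -> Tuple[bool, str]:
    """Gate a write into the pod's store. Returns (accepted, reason).

    `store` stands in for the pod's local data store; nothing is written
    when the host's posture does not cover the payload's sensitivity.
    """
    limit = allowed_sensitivity(posture)
    if sensitivity > limit:
        return False, f"refused: host posture allows at most {limit.name}, got {sensitivity.name}"
    store.append((sensitivity, payload))
    return True, "accepted"


if __name__ == "__main__":
    # Constructed postures: a well-kept laptop, one with stale patches, and a failed check.
    scenarios = {
        "patched + encrypted": DevicePosture(os_patch_age_days=5, disk_encrypted=True),
        "patched, no encryption": DevicePosture(os_patch_age_days=5, disk_encrypted=False),
        "stale patches": DevicePosture(os_patch_age_days=120, disk_encrypted=True),
        "self-check failed": None,
    }
    for name, posture in scenarios.items():
        store: List[Tuple[Sensitivity, str]] = []
        for level in Sensitivity:
            ok, reason = accept(posture, level, f"{level.name.lower()} record", store)
            print(f"{name:24} {level.name:9} -> {reason}")
        print(f"{name:24} stored {len(store)} item(s)\n")
```

The check runs at ingest time rather than once at startup, so a host that falls out of date later starts refusing new sensitive data instead of silently continuing to accumulate it; what to do with data already stored on a host that has degraded is a separate policy question the quote leaves open.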