Privacy by Design – A startup case study (Microdesic)

Privacy by Design is the practice of building privacy considerations into the processes, design and development of any service that may affect individuals’ privacy. Most start-ups skip it because it slows down “getting things out the door.” The curse of the Minimum Viable Product is that it forgoes “secondary” concerns like privacy and security in favor of rapid development. Failing to think about these things early can be disastrous for a start-up, because it can lock the company into a business model that is fundamentally at odds with privacy. Privacy is not just about securing the information you have collected; it is about building the system so that it performs its core task without sacrificing privacy. One of the Privacy by Design principles identified by Ann Cavoukian is “Full Functionality: Positive-Sum, not Zero-Sum.” To reach that point, privacy has to be part of the business model itself.

I have recently been working on a start-up with some associates. Although the point of the start-up is to promote a privacy-enhancing technology, the system itself still has privacy implications. Over the next few weeks I will be posting a review of the design process and how we baked privacy into the product. First, a little background.


Anonymity is often at odds with payment systems because of the risk of fraud and the need to pin fraudulent activity on an individual in order to sanction them or pursue legal action. That creates an inherent need to tie identity to transactions, so that if a transaction is deemed fraudulent, a specific individual becomes liable. The result is that (1) transaction privacy is lost: merchants learn the identity of their customers, and payment systems know the entire transaction history (when, where and what was purchased); and (2) identity fraud becomes a problem, because bad actors seek to take over identities with good reputations.

Microdesic seeks to solve this problem with strong cryptography that divorces transactions from identity, allowing individuals to “pay” for a good or service without giving up who they are. In the physical world, individuals can use cash to preserve their privacy, but digital payments almost always mean surrendering it. Bitcoin and other cryptocurrencies prevent double spending by keeping everyone online: you cannot spend what the constantly updated blockchain says you do not have. The price is that they are unusable wherever the blockchain cannot be reached (offline situations), whereas cash works fine there. Using blind signatures (a technique David Chaum introduced in 1982), Microdesic deters fraud by revealing the identity of a party who commits it (in the classic electronic-cash setting, someone who spends the same token twice), which makes the aforementioned sanctions possible. That is the gist of the system: compliant behavior yields provable anonymity, fraudulent behavior yields re-identification and sanctions. The purpose of Microdesic is to give other businesses an alternative to the privacy-invasive status quo of digital payment, something more akin to digital cash.
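To make the mechanism in the paragraph above concrete, here is a toy Python model of Chaum-style blind-signature cash combined with the double-spend identity reveal from Chaum, Fiat and Naor’s offline scheme. This is an added illustration written for this post; it is not Microdesic’s code and says nothing about Microdesic’s actual protocol. The RSA primes, the number of share pairs (K = 8), the sample identity and the challenge values are all made up for the example, and the cut-and-choose step by which a real issuer checks that the shares really encode the payer’s identity is omitted.

```python
"""Toy model of Chaum-style blind-signature cash with the double-spend identity
reveal of Chaum, Fiat and Naor's offline scheme.  Added illustration only: this
is NOT Microdesic's code or protocol, and it is NOT secure (tiny textbook RSA,
no padding, no cut-and-choose check on the identity shares)."""
import hashlib
import math
import secrets
from dataclasses import dataclass

# Issuer's toy RSA key.  Constructed for illustration; real keys are >= 2048 bits.
P, Q = 1000003, 1000033
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
K = 8                               # share pairs per token; a double spend is
                                    # caught with probability 1 - 2**-K


def H(*parts) -> int:
    """SHA-256 of the parts, as an integer (toy hash-to-integer)."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def token_message(commits: list) -> int:
    """The value the issuer actually signs: a hash of all commitments, mod N."""
    return H(*[c for pair in commits for c in pair]) % N


@dataclass
class Token:
    commits: list   # K pairs (H(a_i), H(b_i)); the public, signed part
    shares: list    # K pairs (a_i, b_i) with a_i ^ b_i == identity; payer only
    sig: int = 0    # issuer's unblinded RSA signature over token_message(commits)


def payer_prepare(identity: int) -> Token:
    """Split the payer's identity into K random XOR share pairs and commit to them.
    (CFN has the issuer verify these shares by cut-and-choose; omitted here.)"""
    shares = []
    for _ in range(K):
        a = secrets.randbits(64)
        shares.append((a, a ^ identity))
    return Token([(H(a), H(b)) for a, b in shares], shares)


def issuer_sign(blinded: int) -> int:
    """The issuer signs whatever it is handed; it never sees the token itself."""
    return pow(blinded, D, N)


def payer_withdraw(token: Token) -> Token:
    """Blind the token message, have it signed, then unblind the signature."""
    m = token_message(token.commits)
    r = secrets.randbelow(N - 2) + 2
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    blinded = (m * pow(r, E, N)) % N              # all the issuer ever learns
    token.sig = (issuer_sign(blinded) * pow(r, -1, N)) % N
    return token


def payer_spend(token: Token, challenge: int) -> list:
    """Answer a merchant's K-bit challenge by revealing one share from each pair."""
    return [token.shares[i][(challenge >> i) & 1] for i in range(K)]


def merchant_verify(commits: list, sig: int, challenge: int, revealed: list) -> bool:
    """Offline check: genuine issuer signature and revealed shares match commitments."""
    if len(revealed) != K or pow(sig, E, N) != token_message(commits):
        return False
    return all(H(revealed[i]) == commits[i][(challenge >> i) & 1] for i in range(K))


def issuer_identify(spend1: tuple, spend2: tuple):
    """Given two deposits of one token as (challenge, revealed) pairs, recover the
    identity from any position where the challenge bits differ, else None."""
    (c1, r1), (c2, r2) = spend1, spend2
    for i in range(K):
        if ((c1 >> i) & 1) != ((c2 >> i) & 1):
            return r1[i] ^ r2[i]
    return None


if __name__ == "__main__":
    tok = payer_withdraw(payer_prepare(0xC0FFEE))   # constructed sample identity
    c1, c2 = 0b10101010, 0b01010101                 # two merchants' challenges
    print("valid spend:", merchant_verify(tok.commits, tok.sig, c1, payer_spend(tok, c1)))
    two_spends = ((c1, payer_spend(tok, c1)), (c2, payer_spend(tok, c2)))
    print("double spender:", hex(issuer_identify(*two_spends)))
```

Two things are worth noticing. The issuer’s only record of a withdrawal is `blinded`, which is uniformly distributed because `r` is, so it cannot later match a deposited token to the withdrawal that produced it; that is the anonymity of the compliant path. A merchant can verify a token with nothing but the issuer’s public key, so the check works offline, and a token spent twice to merchants who picked different challenges hands the issuer the payer’s identity at deposit time. With K = 8 a double spender escapes only if both challenges happen to coincide (one chance in 256); real schemes use a much larger K and the cut-and-choose step left out here.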

Now that you understand that the PURPOSE of the Microdesic system is to facilitate privacy-friendly transactions for businesses (in other words, to address a specific privacy issue in our business customers’ offerings), we can turn to the privacy issues in the Microdesic system itself. The fact that Microdesic exists to solve privacy problems for businesses does not automatically absolve it of privacy problems of its own. And to be clear, Microdesic could be any service or start-up; the analysis would be the same.

The next posts in this series will address the following:

  • Potential privacy issues in the Microdesic system (using the Solove taxonomy)
  • Mitigating controls to address the issues identified
  • Reviewing the Privacy by Design principles at play.