Do we really need Equifax (Experian, Transunion, etc) if they are not protecting our data?

How to kill Equifax-style players via blockchain?

This month saw the biggest public breach in the history of credit reporting, as Equifax reported a hack affecting as many as 143 million customers. The hack exposed Social Security numbers, birthdays, and, in some cases, even credit cards. The attackers gained access as early as May, so the data has now been circulating for months. Beyond the immediate damage, the breach reveals some deep absurdities in Equifax’s business model. The company was one of the central stores of personal data, the place you checked to make sure you weren’t writing a mortgage to an impostor. But now the impostors have the same data as everyone else. If you can’t keep it secure, why stockpile the data in the first place?

The initial drama over Equifax's September data breach has mostly subsided, but the actual damage will play out for years. The company announced Monday that the total number of people impacted by its breach is not 143 million—the amount it first disclosed—but in fact 145.5 million. Its ability to casually misplace 2.5 million lives upended by the breach is alarming.

Equifax stored sensitive consumer information in plaintext rather than encrypt it. When asked by representative Adam Kinzinger of Illinois about what data Equifax encrypts in its systems, Smith admitted that the data compromised in the customer-dispute portal was stored in plaintext and would have been easily readable by attackers. "We use many techniques to protect data—encryption, tokenization, masking, encryption in motion, encrypting at rest," Smith said. "To be very specific, this data was not encrypted at rest." “OK, so this wasn’t [encrypted], but your core is?” Kinzinger asked. “Some, not all," Smith replied. "There are varying levels of security techniques that the team deploys in different environments around the business." Smith said the company's main domain was not architected to process the enormous traffic the company knew would come its way after the announcement. In all, Smith said, the independent breach-response site has had 400 million consumer visits, which would have crumpled the main site.

When it comes to printing money in America, there’s the Federal Reserve that has the power to do so by the Constitution, and there are a number of industries that "print money" by selling to a captured market. One of these industries is the credit reporting industry, where the three major credit agencies – Equifax, Experian and Trans Union – make a great deal of money by selling consumers their own data.

Credit agencies routinely collect consumer credit data from banks and credit companies that use to calculate a “credit score,” which they sell back to consumers anytime they need to prove that they are credit worthy. Like when they try to rent an apartment in NYC, where landlords want to make sure that they will pay the rent.

Besides of selling consumers their own data, credit agencies supposed to help consumers protect themselves from data abuses like identity theft. But judging from the breach in Equifax’s system, the credit rating agencies can become part of the problem rather than part of the solution. Apparently, there’s something wrong with the credit rating system.

Your Financial Data Should Be Free for You, Expensive for Others

In FinTech, as in many other areas of technology, there has been a focus on making “legacy” products more mobile, more transparent and less expensive. In fact, financial services providers should go even further on each of these aims, given the relatively low bar.

Traditionally financial data has been an asset held in the hands of big financial institutions and providers who limit availability and charge individual consumers a hefty price in order to access it. For instance, the three big credit bureaus have long held consumer credit data – needed to secure a new line of credit, car loan, or home mortgage – behind a paywall. Given the importance of credit report information and the fact that it determines the outcome of very consequential decisions, it seems to us that consumers should have free and unlimited access to their own records.

On a similar note, a recent skirmish over consumer data between big banks and sites like Mint has highlighted some of the reservations that larger institutions have in allowing more open access to consumers on their books. It seems these institutions are working on their own APIs for financial data, but consumers may question if it’s quick enough. Unfortunately, given some of the complexity and “protective instinct” that defines parts of the financial industry, we’ve seen less major efforts towards transparency and accessibility of consumer financial data. The credit bureaus continue to sell consumer data to lenders and marketers for profit while blocking consumers from easily accessing their own information on a regular basis, and big financial institutions have yet to provide great APIs for authorized access to their consumer’s financial data. This seems a bit backward.

We’re hopeful that between calls for more transparency and startups challenging incumbents, disruption brings an easier flow of data back to consumers. All of these service businesses were built for mobile and transparency, so consumers could make transactions and trades, get alerts and gain insights on-the-go.

How To Kill Equifax via Blockchain

Because Equifax’s business doesn’t rely on consumer trust, they haven’t suffered yet — though the 143 million people affected certainly will. The scope of the attack is difficult to understate, and it’s left many questioning whether large, disinterested corporations like Equifax can be trusted with so much of our personal information.

Equifax, Experian, and TransUnion collect information from past lenders, landlords, utilities, and other parties to compile a consumer’s credit report. Lenders can pay for this report to decide whether to extend a loan, and even pay for access to high-scoring individuals to whom they can advertise their services. Unfortunately, in this system, credit agencies’ incentives are aligned almost exclusively with their customers — the lenders. They don’t have a strong incentive to protect consumers’ personal information.

The credit agency problem sounds like a good fit for a blockchain. There are competing parties — lender vs consumer, lender vs lender, and consumer vs hacker. Lenders want information on consumers, but don’t want to help competitors assess risk. Consumers want access to credit, but don’t want their personal information to fall into the wrong hands.

In situations like this, blockchains can act as arbiters. But without delegated computation, consumer privacy needs fall to the wayside. Imagine for a moment we have the privacy technology we need. Contracts can offload access to private data, and request computations over that data. With this new tool, we can build an autonomous credit agency.

We need a way for consumers to assert their identities. Identity verifiers request access to that information, which consumers grant via a mobile app. The verifiers then assert that the mobile device and associated public key are, indeed, owned by the person the consumer claims to be. In this system, more verifiers means better security. The power company can assert you live at an address, based on billing and account history. While any one verifier might be hacked, it’s unlikely they all will.

Now that we have a strong identity framework, we can tackle credit history. Lenders can assert facts about their interactions with a consumer. These assertions may or may not be true — even the best-intentioned lender could have a mix-up — but they’re a best effort.

Consumers can challenge assertions. In the case of a challenge, the assertion goes to arbitration. Lenders must substantiate their claims. For consumers, most disputes will be simple— if a lender can’t substantiate their claim, or they don’t bother, the assertion is struck. Assertions about a consumer’s credit shouldn’t be public. Lenders commit to an assertion on the blockchain, and encrypt assertions with a consumer’s public assertion key.

A lender considers a loan application. They have the borrower’s public key, as well as records linking their public key and their real-world identity. The lender wants to review the borrower’s history, using their own in-house risk assessment function to decide whether to back the loan. But the borrower doesn’t want to expose their entire credit history to the lender — not only could they lose it to hackers, but the details are none of the lender’s damn business. By delegating the computation to another party, the lender can be sure the data has been properly evaluated, scoring the borrower for a loan, and the borrower can get their loan, only exposing their credit history to the non-lending party.

We just need to find a way for the lender and borrower to delegate computation without exposing the borrower’s credit history to prying eyes, or the lender’s scoring function to competitors. It could be done via multi-party computation. Secure multi-party computation (sMPC) is a class of cryptographic techniques that allow untrusted parties to work together to securely compute the output of a function. sMPC was originally devised by Andrew Yao to solve what he called the Millionaires’ Problem.

Identity Is The New Money

In these terms Akim Arhipov, CEO of BAASIS ID, blockchain-based digital KYC solution, the recent winner of startup-battle Slush Singapore, told me regarding the success of their proposal for the market: “Our main target to teach individuals to take care about their digital presence and personal data sharing. I assume, you will never know how many times you log in to third-party applications using Facebook authentication method? What did you agree last time not reading Terms&Conditions by simply ticking a confirmation box? A terrible treatment of data, caused not by systemic errors, but mostly by human factors, like sending sensitivee data by not encrypted e-mail. I want to impart the beginning of «personal data sharing literacy» age, where every peace of personal information controlled by individual, not a company.”

“Data is the new money, and data — like money before it — is only valuable if it’s being shared and rehypothecated through the wider network. Furthermore, we put our data into the safekeeping of cloud custodians for precisely the same reasons we put our money into the charge of banks: security, liquidity and utility maximization,” – Vladislav Solodkiy wrote in his new book The First Fintech Bank’s Arrival.  

Some experts like Akim Arhipov from BAASIS ID will tell you we should put it all on a blockchain, decentralizing the system and querying discrete pieces of information as needed. But all these breach should wake us up to how fundamentally broken this system is, and how urgently we need to replace it. Breaches aren’t simply security failures; they’re the inevitable result of a broken identity system. There are so many new innovative technologies – there are so few real innovations from old players.

What: presentation of The First Fintech Bank's Arrival book

About the book: https://goo.gl/qz51hy

Where: INSEAD (1 Ayer Rajah Avenue, 138676, Singapore)

When: 7th October, 13:00

Entrance: FREE -> RSVP here: https://goo.gl/ayCJSR