Release
07/09/2021


FR

Zero-knowledge to protect privacy

To create a user-friendly solution for our visitors and customers, Irene Silberstein investigated the idea of a single sign-on (SSO). It seemed a good idea for the user. Indeed, We offer several topical websites, and a feature to recognize the user on any website tempted us.

However, the heavy processes offered by various 'identify protocols' let us think that we could possibly take a lighter path. We are adepts of coding the web for performance and appreciate the lightest solutions.

It was only once we started to adapt a first form that the evidence appeared:
We do not need to assess identity at all. Even the name of the user is not a need, a pseudo is OK.

We only need a verified email address and a timezone to communicate with the user: offer downloads, newsletters if the user subscribed to any content, conduct a project, an audit, or quote.

A website URL might also be useful when a user wants a website audit.

No identity, no personal data are needed in our case.

Thus, we started to question the significance.

As a member of professional networks in the Information and marketing areas, we always applied strict privacy rules and processed data confidentially.

Besides, we don't use cookies and do not log chat.

Strangely, before we did not consider the exact nature of the data we might share with a user or a client. If we had, we would have uncovered that we don't use nor keep personal data at all.

Moreover, we always ask the person who requests an information, a quote or a service if we shall keep or delete the (non personal) data shared once replied.

Beyond that, our research for privacy-friendly practices led to several discoveries and to zero-knowledge privacy solutions. We must credit three companies for their zero-knowledge privacy approach: Spiredoak (USA) in the storage area, Ivpn (Gibraltar) for their excellent VPN and Tutanota (Germany) for their secure email.

NOTE: To make things clear: we are NOT talking about zero-knowledge proof or zero-based proof nor zero-based privacy [a cryptographic methods that involve a third party - the verifier -].

On our side, we came out with two dead-simple solutions and made the decision to build and test them:

Zero-knowledge login

This solution permits the owner of the email address to manage the login without the website publisher's knowledge. More importantly perhaps, this solution gives the business the choice to NOT store any personal data, not even the email address.

Besides, we found that our solution relies on meaning, not on mathematics.

Indeed, 'identity' and 'character' are not of the same nature

and correspond to opposite angles.

Another difference is that: to understand the usage we do not need to track. And what is needed is about usage.

One more difference:

Our security shield results from the absence of user's personal data in any log file;

That's because user's personal data are not needed to understand usages nor to collaborate.

Forget the Email List

A solution to eliminate the need to maintain even a distinct list of email addresses for sending newsletters.

Both solutions are presently Github project repositories.

Creative Commons License:

attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0)

https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode

A discussion and a commented toolbox

In our series to publish on iSkiv.co.uk, "Small Business and Privacy Series", we highlight :

The significance of Privacy concepts

The Usefulness of Ethics in the Digital area

The risks involded for the business

Privacy Tools, concepts & services for small businesses

To help small businesses protect their privacy and their customers' data, We crafted a commented kit of practical tools, concepts and services for Privacy.

Indeed, web developers, coders, security experts, privacy specialists do a fantastic work to provide us with smart tools for day to day usage.