Episode 94 - Cryptography and Data Privacy
00:00:04:14 - 00:00:27:15
Speaker 1
This is a data privacy detective. And today we're going to talk about cryptography and other things and how it affects our privacy. And we couldn't have a better person to talk with us than Dan Draper. Now, Dan, you're the CEO and founder of Cipher Stash. That's a data storage platform for sensitive data. Thank you for joining us, Dan.
00:00:29:00 - 00:00:30:07
Speaker 2
Proud to be here. Thanks for having me.
00:00:31:14 - 00:01:10:08
Speaker 1
Now, your platform uses searchable encryption technology to protect against attacks that can leak a snapshot of an entire running system and enabled to do your work enables development teams to search data with with really good levels of protection without compromise on usability, which is an interesting balance. And thank you for talking. How does this relate to privacy and your background is in cryptography engineering and the goal of that would be really your goal is to equip the developers with skills needed to create safe applications.
00:01:10:08 - 00:01:12:01
Speaker 1
Is that a fair summary of what you do?
00:01:12:12 - 00:01:36:12
Speaker 2
Right, exactly. I think it's worth maybe framing before we get into the technology and potential solutions to it. I think it's worth framing why this is such an important thing to be, to be thinking about, to be talking about. There was a report from Forbes last year that said in the last three years, something like 50% of U.S. companies will suffer a data breach.
00:01:37:19 - 00:02:00:06
Speaker 2
You look at another report by an organization called Mine Miami. They track how many organizations and individual gives their data to. When I learned about this report, I was just floored. Something like in my personal case, I give my personal data to something like 20 different organizations.
00:02:00:17 - 00:02:02:11
Speaker 1
Those that do the math. All of those.
00:02:03:11 - 00:02:18:22
Speaker 2
Precisely. Yeah, exactly. Exactly. Yeah. So so you multiply those two numbers out and you get 50% of 2000, something like a thousand companies who are you know, the custodians of my data may have a data breach in the next three years.
00:02:19:11 - 00:02:31:22
Speaker 1
Yeah, data brokers. And it's a problem, isn't it? And this has to do with our privacy, especially our our sensitive information, because that's what more the bad actors are probably looking for. Do I have it right?
00:02:32:19 - 00:02:56:08
Speaker 2
Exactly. Yes. But there's another level or another element to this that maybe we don't think about or don't talk about enough. So I think in the in the media and in the popular culture, we always think about attackers. We think about nation states, Russia or Iran or what have you. But there's a much less sinister but far more common problem that lead to privacy issues.
00:02:56:08 - 00:03:28:10
Speaker 2
That leads to privacy issues or potential data breaches. And that's quite simply the people that are doing the best they can working within the organizations that you give your data to. But maybe make mistakes. Or once in a while they take a little sneaky, sneaky peek at something they shouldn't have a look at, or they download some customer data onto a laptop and they leave that their laptop on the bus, or they they're looking at sensitive records in the browser and they get some malware from a crypto trading site that they've been looking at.
00:03:28:10 - 00:03:36:01
Speaker 2
And all of a sudden personal data that they had no intention of giving away has now been leaked on to the dark web.
00:03:36:01 - 00:03:51:03
Speaker 1
Or they're using their PC in a public space and they go up and leave their cappuccino and their computer running and they go to the loo or the bathroom, which every form of English wants to meet. And all of a sudden data hacked data problem. Yeah, yeah.
00:03:51:04 - 00:03:52:14
Speaker 2
Yeah, exactly. Exactly.
00:03:52:21 - 00:03:58:05
Speaker 1
So so what does cryptography how does how does cryptography enter into this?
00:03:58:14 - 00:04:23:16
Speaker 2
Right. So so we look at the access and control mechanisms that that organizations can place on, on data. And so that is it. Let me use a developer example. So in many organizations around the world, a developer or a development team might have access to the data infrastructure that is used to power a product. So I'm going to make up a company, let's call it Acme.
00:04:24:01 - 00:04:45:03
Speaker 2
Acme as a health care company, they have millions of patient records in their databases. The developer team has access to those databases because they need to maintain the systems they need to to do all the kinds of things that developers do with databases, set up backups and replication and scaling and what have you. Right. I won't go into technical details, but it's a full time job to do that.
00:04:46:04 - 00:05:12:10
Speaker 2
Now. The issue is the developers need access to the database, but they don't need access to the data. And that's a that's a critical and subtle point. With encryption, we can encrypt all the data that lives in the database. And so if if a developer gets access to that, to the actual system, which is part of doing the job, they can do the things that they need to do to the infrastructure but not actually see the data.
00:05:12:22 - 00:05:22:04
Speaker 2
And so encryption at the end of the day provides a level of secrecy and control that no other system can provide, no other technology can provide.
00:05:22:12 - 00:05:36:21
Speaker 1
And technically, it's a way of pseudonymous or anonymizing data so that instead of it's Sally Smith's medical information, it's number seven. 33 is information no one knows. And Sally's right.
00:05:36:21 - 00:06:02:03
Speaker 2
Exactly. Yeah. Yeah. So sometimes we do need to to view these records still. But it's a matter of being very particular, very controlled about who has access to view those records and also to make sure that when somebody does do those records, that it's logged and tracked and logged and done so in a in a verifiable way. And so, once again, that's where cryptography comes in.
00:06:02:16 - 00:06:20:17
Speaker 1
Absolutely. But let's take a traditional database. I'm sure you work with many different companies, different developers, with a variety of companies. How trustworthy or risky are traditional databases that you see to data hacks and other leakage of sensitive personal information?
00:06:21:16 - 00:06:26:23
Speaker 2
Unfortunately, very. This is one of the big.
00:06:27:06 - 00:06:28:23
Speaker 1
Very trustworthy or a risky.
00:06:29:09 - 00:06:30:11
Speaker 2
Very risky or.
00:06:30:16 - 00:06:31:09
Speaker 1
Should be risky.
00:06:31:09 - 00:06:58:21
Speaker 2
Play. They're very risky. Yeah. This is one of the very poorly understood challenges in our industry and perhaps goes some way to explaining or understanding why we have so many data breaches. There was a paper published a few years ago, back in 2018 by some researchers at Cornell, led by Paul Grubbs. And the the paper was entitled Why Your Encrypted Database is not Secure.
00:06:59:01 - 00:07:24:08
Speaker 2
So there's that keyword there, encrypted. So we're even or even including the ability to encrypt data in a, in a database. And the team articulated about seven different areas that showed how vulnerable modern databases were to attack. Now, the problem with modern databases is that they were never designed with security in mind. You know, the first databases were developed 40 years ago.
00:07:24:13 - 00:07:45:07
Speaker 2
You know, famously, you know, one of the open source databases, it's called Postgres. Well, it's been around for many years now, is half the Internet was developed by a, you know, an ACM Turing Award recipient, Michael Stone Brecker, back in the eighties. And now he was not thinking about some of the challenges that we we have today. And he was dealing with.
00:07:45:19 - 00:08:04:12
Speaker 1
G the first generation pre IBM mobile just trying to get information to the cell. Now that was about it. They were in a world of 5G and so this is data security becoming more crucial than it used to be.
00:08:04:12 - 00:08:29:19
Speaker 2
I think it's. Yes, I do. I think it's more crucial than ever. It is it is getting easier for for those that are building applications or are the custodians of data to do the right thing. But the rate of progress that the attackers are making and the amount of data that we're storing is increasing so rapidly that any progress we make on data security is frankly not enough.
00:08:30:05 - 00:08:47:05
Speaker 2
So I think the fact that we are lagging behind the risks in some ways, you know, in cybersecurity, we've we talk about blue team and red team, blue team of the team that protect the systems defense and the red team are the of the attackers. The blue team is losing quite badly to the red team at the moment.
00:08:48:04 - 00:08:57:22
Speaker 2
And I think because so much of more of our lives is led online and led through technology, the security is more crucial than ever.
00:08:58:01 - 00:09:19:14
Speaker 1
And getting more so is quantum computing coming? I mean, who knows what the we'll need a6g what we but seven and eight but it's sort of an arms race in the technology field so help us understand the developers you're talking about. These could be systems of very good people that know what they're doing. They may not be programmers, but they understand technology.
00:09:20:00 - 00:09:32:21
Speaker 1
But why is it important for those people who are doing their best within companies to, you know, be secure with the database? They have a good understanding of cryptography and the developments in what you do.
00:09:33:17 - 00:10:01:12
Speaker 2
I don't think they necessarily need to understand cryptography at a fundamental level, but I do think that it's important that folks understand the benefits and the power of cryptography. So like I mentioned or alluded to earlier, cryptography provides incredible secrecy, the most powerful kind of secrecy that you can you can get. And only somebody that has access to what we call an encryption key is allowed to decrypt and view those records.
00:10:01:12 - 00:10:35:17
Speaker 2
But it also provides this idea of authenticity so we can prove mathematically, once again using a key that a record has not been tampered with. And so those two sort of basic capabilities are foundational in building a private and secure system. And so while you know, your average I.T person doesn't need to understand the mathematics behind it or that or the components of a of a cryptography system, they do not need to understand why those two components are so important and how to apply them in their setting.
00:10:36:10 - 00:10:48:23
Speaker 1
I'm not sure how a computer works or how we're talking. I'm in Ohio and you're in Sydney, Australia, but I know how it works and I know how to be worried if somebody else is eavesdropping on this kind of thing.
00:10:49:14 - 00:10:51:02
Speaker 2
Yeah, yeah, exactly. Exactly.
00:10:51:14 - 00:11:14:12
Speaker 1
Well, let's talk briefly, Dan, as we sort of head to home on this topic, quantum computing. Some say that cryptography will become a relic and the quantum computing and the quantum computers will be able to break any system you have. What are your thoughts on this? What is the advent of quantum computing due to the effectiveness of advanced cryptography?
00:11:16:06 - 00:11:45:19
Speaker 2
Honestly, I'm not particularly concerned. And there's two reasons why I'm why I'm not concerned. The the cryptographic systems that we have currently, they fall into two broad categories. They fall into what's called public key cryptography and symmetric encryption. Now, public key cryptography is likely quite vulnerable to quantum computing. There are some some well-known algorithms that potentially could break public key cryptography.
00:11:46:07 - 00:12:11:06
Speaker 2
It is no one's been able to do it yet. Nobody's been able to provide a stable enough quantum computer to be able to execute that. And I think we're probably ten years away from or more potentially from being able to do that. Symmetric encryption theoretically may be trackable at some point in the future, but the the it's much less clear if that's likely to be the case.
00:12:11:06 - 00:12:43:03
Speaker 2
So symmetric encryption is potentially safer for a while yet. However, even even beyond that, the National Institute for Standards and Technology Nest, they have a bunch of standards for different yeah they have a bunch of cryptographic standards and they've actually just released a new set of standards that are allegedly quantum safe. Now this uses a whole different class of mathematics, which can't be broken by these these algorithms.
00:12:43:03 - 00:13:09:10
Speaker 2
So that for any of your listeners that are particularly interested, the two algorithms that that that have claimed to allow quantum computers to break existing cryptography are called Shor's algorithm and Grover's algorithm. And no such algorithms have been discovered for these new classes of cryptography that Nest have just announced. So I think the bigger challenge is not necessarily that quantum computers will will destroy our encryption, destroy our cryptography.
00:13:09:18 - 00:13:31:15
Speaker 2
The bigger issue is to make sure that as these new standards are made available. Sorry. Excuse me. Let me set it again. You can edit that out. The bigger challenge is as these new standards are made available, the issue is to get everybody that's building cryptographic systems or implementing the right technology to upgrade and to make sure they're on the latest quantum safe technology.
00:13:31:20 - 00:13:56:03
Speaker 2
I see that as a much bigger challenge than the quantum computers itself. But in some ways, you know, there may well be a time when when, you know, an IBM or a Google or someone or maybe it's a Chinese university announces that they've broken encryption using that latest quantum computer. I think we'll have a Y2K situation. You know, the world will scramble and say, you know, we've got to we've got to upgrade our cryptographic algorithms.
00:13:56:18 - 00:14:17:06
Speaker 2
There will no doubt be some some breaches during that that time if people are not swift enough to to act on the changes. But by and large, I don't think it's a major problem. I think we're still a long way away from that being the case. And with a bit of luck, most systems will be upgraded to quantum safe encryption well before the computers are capable of breaking anything.
00:14:17:06 - 00:14:38:00
Speaker 1
We may see. The rise of quantum defense, I think is part of the facts and certainly the race in technology to defend systems will is already on and it will continue. But this is very reassuring. Without good cryptography, I think we'd all be in deep trouble.
00:14:38:00 - 00:15:03:02
Speaker 2
Right? Exactly. Yeah. I mean, the most the most basic version of cryptography that we rely on in our modern lives is what's called TLS. It's called transport layer security. And it's this idea of applying encryption what engineers will sometimes call in transit. So right now, you and I are talking across across the world. And this all of the the packets, the bits and bytes that are traveling between you and I are encrypted.
00:15:03:02 - 00:15:30:08
Speaker 2
They're encrypted in transit using TLS. And that means that anybody that's that has an interest in our conversation is unable to to eavesdrop. We use the same technology when we talk to our bank. We use the same technology when we we purchase a product from an online store. And without that encryption, it would be unsustainable. I don't think the Internet would be anything like what it is today, and we wouldn't have this interconnectedness that we have.
00:15:31:05 - 00:15:58:20
Speaker 1
Yeah, well, Dan, thank you for being our tour guide here on the importance of cryptography and how it too is evolving in this space and the importance of any developer, any person running an AI system, connecting with somebody like yourself to best protect our produce. You mentioned earlier that the hacks aren't primarily from evil actors breaking in there from 80%.
00:15:58:20 - 00:16:11:13
Speaker 1
I'm told generally people that just make mistakes, they let somebody in the door and then they come. And you want to make sure that what somebody sees isn't giving away the store, giving away the secrets.
00:16:12:02 - 00:16:32:15
Speaker 2
Right? Exactly. Yeah. And even that you can break down into two main categories. There's simple, honest to God, mistakes. They happen more than probably most people would care to admit, but they are unfortunately very, very common. We are humans, after all. There is a slightly more nefarious version of that, though, and that is when people are socially engineered.
00:16:32:16 - 00:16:40:10
Speaker 2
This this idea of social engineering is is when an attacker doesn't attack a system, they essentially trick somebody. You know, it's like a good old fashioned.
00:16:41:01 - 00:16:43:11
Speaker 1
Spear pitching with the P-H. Exactly.
00:16:43:16 - 00:16:45:02
Speaker 2
Yeah, exactly. Yeah.
00:16:45:05 - 00:16:45:22
Speaker 1
And pretending.
00:16:46:01 - 00:16:46:15
Speaker 2
So that happened.
00:16:46:15 - 00:17:03:16
Speaker 1
CEO says, would you wire the money right now, please? Yes, boss. Yes. Well, Dan, thank you so much for being my guest on this tour. And as always, I will remind us protecting your personal data begins with you.