How will your personal data be sold to a startup, in which he invested 70m rubles of IIDF

In Kommersant there was a material about the investment by the state fund of the IIDF 70 million rubles in a startup IDX (Identity Exchange). The mission of a startup is to create a platform for the sale of personal information about individuals and legal entities. We will understand what IDX offers.

The essence of the service is that the IDX partner company, to which the user has already transmitted its data once, can verify their accuracy at the request of another organization. At the same time, IDX does not transmit the data itself between partners, but verifies digital signatures and hashes of encrypted information.

The client goes through the identification procedure, for example, during a personal visit to the office. The IDX data provider company (hereinafter referred to as “Company A”) sells information about the passed identification to other market participants.

“IDX is built as a gateway, there is no personal data there, which means there is no risk of leakage,” confirms Akado Telecom Operations Director Mikhail Medrish. “We can participate in the project as a supplier of information about the accuracy of the data and are interested in the services themselves, since our potential customers may already be identified in other networks,” he explains the meaning of cooperation with IDX.

Akado is a provider of information for IDX about his clients, company A.

The risk of data leakage when using the system is reduced to zero, the representative of the IIDF says. The platform is based on the mathematical method of “proof with zero disclosure” (Zero-knowledge proof), the use of which allows you to ensure the reliability of the information obtained without decrypting it, he explained.

Consider the process of the sale by company A of personal customer data using the IDX gateway. Suppose the structure of the user profile:
')

{ "passport":12345, "first_name": "Igor", "last_name": "Barinov", "dob_year": 1970, "dob_month":01, "dob_day":01, "active": true } 

Company B, requesting information, forms attribute groups for the client of interest, hashes them and sends them through the IDX gateway to all participants selling personal data.

Sample information requested:

hash (passport + first_name + last_name + dob_year + dob_month + dob_day).

Substitute the values ​​from the structure:

sha2 (12345IgorBarinov19700101)

We get the hash:

f3d34b680defecbc9e1916faed596aedde723289c21b3c671952239f81437661

Company A, which has information about the client, confirms the presence of the record and returns metadata in the answer, which with the name and passport will be part of the personal data, but in the case of ZKP (Zero Knowledge Proofs) it is not.

For example,

 {"request":"f3d34b680defecbc9e1916faed596aedde723289c21b3c671952239f81437661", "dead":false, "phone_number":"5555555555" } 

and signs the structure with its private key. The IDX gateway forwards the seller’s personal data response to the personal data buyer and takes into account the fact of the transaction. The data buyer checks with the public key the integrity of the message and the addressee. IDX billing deducts the personal data buyer’s payment of the personal data seller and commission.

Brief conclusions:

- using hiding data in hashed structures, IDX startup organizes a platform for trading personal data.
- the state fund finances the company organizing such a platform
- knowing the user's personal data, a third party can legally obtain data and metadata for all services used by the user, whose providers sell personal information through the IDX gateway

Disclaimer: the author is not related to the company IDX, Akado, IIDF and considerations about the principles of operation are based on OSINT (open data).