Cove Identity | Blog

End-to-end control of your digital identity and documents

Passwords are Passé

Coveidentity | Jan 9

An alpha-numeric string wouldn’t save you

The massive data breaches in the last year have proven one thing for sure, data on the cloud isn’t safe! Not even in the hands of large enterprises who spend billions of dollars every year on shoring up their security.

And the problem has been lurking for a long time, we have just been ignoring it. Passwords are an archaic way of validating ownership. It worked fine till we were limited to an ISP account, one or two email accounts or probably even an eCommerce account or two. But that’s not the case any more. There are a plethora of web apps that one might consume in a day and almost every single one uses email to sign-on. And most users use same or similar passwords across all accounts. So if a hacker cracks one access using brute force, he can hijack your email as well. The web of inter-connectivity is complex and makes the whole online presence vulnerable.

We have been lulled into complacency. We are so used to using our email for signing up, we don’t even realize the exposure we are subjecting ourselves to when we give access through our email. As more breaches started being reported we were told to create a ‘strong’ password. It’s a band-aid companies have been using to keep us signing up on their services, assuring us that stronger passwords would be harder to crack.

Security structures are a trade-off between convenience and privacy. One can create a perfectly secure environment with eyes on the subject and a complex verification system but no user would consume that service. But you wouldn’t want a so-easy-to-use system that anyone can answer a couple of questions and get access to your account. A clever way to authenticate users, without loss of privacy or compromise on security, is through a zero-knowledge proof. Zero-knowledge proof is a method by which one party (the prover) can prove to another party (the verifier) that a given statement is true, without conveying any information apart from the fact that the statement is indeed true. The protocol never requires the user to enter any sensitive information on the (potentially compromised) device that they are logging in on.

An easy way to demonstrate how zero-knowledge proof works is through the following example:

Two balls and the colour-blind friend

A generic square placeholder image with rounded corners in a figure.
Software engineers Konstantinos Chalkias and Mike Hearn at a blockchain related conference in September 2017, showing live demonstration of this example

Imagine your friend is colour-blind (not being mean!) and you have two balls: one red and one green, but otherwise identical. To your friend they seem completely identical and he is skeptical that they are actually distinguishable. You want to prove to him they are in fact differently-coloured, but nothing else, thus you do not reveal which one is the red and which is the green.

Here is the proof system:

  • Process: You give the two balls to your friend and he puts them behind his back. Next, he takes one of the balls and brings it out from behind his back and displays it. This ball is then placed behind his back again and then he chooses to reveal just one of the two balls, switching to the other ball with probability 50%. He will ask you, “Did I switch the ball?” This whole procedure is then repeated as often as necessary.
  • Logic: By looking at their colours, you can of course say with certainty whether or not he switched them. On the other hand, if they were the same colour and hence indistinguishable, there is no way you could guess correctly with probability higher than 50%.
  • Inference: If you and your friend repeat this “proof” multiple times (e.g. 128), your friend should become convinced (“completeness”) that the balls are indeed differently coloured; otherwise, the probability that you would have randomly succeeded at identifying all the switch/non-switches is close to zero (“soundness”).

The above proof is zero-knowledge because your friend never learns which ball is green and which is red; indeed, he gains no knowledge about how to distinguish the balls.

Zero-knowledge proof finds tremendous application in block-chains and authentication. It can be used to guarantee that transactions are valid despite the fact that information about the sender, the recipient and other transaction details remain hidden. And is a similar way it is being fostered as a sign-up tool with no compromise on security and complete anonymity. Applied in a decentralized platform there is no concern of one company tracking all your moves.

Check out more about our zero-knowledge system to store and share your vital information securely and try out the app here.

Dawn Of Self-Sovereign Identity

Coveidentity | Dec 11

What is the scale of the internet? It’s almost impossible to precisely quantify the size of this dynamic, ever-growing behemoth. But data stored on the internet should give us a fair idea. This again is no easy task. There are millions of websites out there, each storing their own data on the cloud and tracking that is impossible. One can make an informed guess, though, by calculating the capacity of the data centers across the globe. This number currently stands at 770 Exabytes. That is 770 X 10¹⁸ or 770000000000000000000 bytes! That is HUGE! And the fact that this was all done in the last 50 years (the earliest networks came out in early 1970s) makes it all the more incredible.

This rapid growth has come at a cost. Internet is was built without standards, especially as far as processes related to user data management are concerned. There is no universally accepted user identity management protocol. The approach is Silo-based. Every entity retains and maintains its own database and the same user across different entities is mapped differently. This not only makes the process of knowledge transfer highly inefficient and costly but also makes the data itself vulnerable.

Identity in general has the following traits:

Claim, proof and attestation. Claim is an assertion to an identity made by someone, for eg. My name is John Doe. Proof is a piece of evidence supporting that claim, like a document, for eg. a passport or license, in this case. Finally, attestation is validation of that claim from a recognized authority, for eg. a Notary who would confirm that the document belongs to a certain person.

Digital identity is a sum of all these traits but stored digitally on the cloud in silos managed by the various organizations.

In order to make the system more organized and reliable, user identity management has evolved gradually over time. From being centralized and silo based, it has switched to a decentralized structure. The companies running the cloud storage have started offering solutions to manage user identity that ensure data is not stored in one location and is more secure. But this does not solve the silo issue. User identity is still held privately by each entity and data transfer is still cumbersome.

The obvious evolution, and one that has already started, is towards user-centric/self-sovereign data. Here the data will be stored on the blockchain or other distributed systems but an individual will have sole access to their identity/data. Once validated they can shared an approved token with new services they sign-up, rather than revealing complete details to everyone.

Today, for eg., signing up with a service which legally needs to ensure you are of a minimum age requires you to share your date of birth and also it’s proof. They don’t really need that data, though, and in any case it’s vulnerable once shared, they just need to make sure you are of a certain age and your claim is validated by a recognized authority. This is where validated, self-sovereign identity comes in. You share an approved token with the service and they sign you up. The only information the token carries is that you are above a certain age and that it has been validated. Complete security and desired level of anonymity.

Identity Theft, Fake News, Big Concern for Parents and Teens

Coveidentity | Dec 4

Today, more than 3.7 billion people on the planet have access to the internet, that’s almost 40% of the population. The number was less than 1% in 1995! We have come a long way in the past two decades. Internet is the largest source of information today and everyone wants to be connected to it all the time but being connected to the largest database comes at a price. For some the loss of privacy is a necessary evil, for others it is an abuse which they are trying to eliminate. Because of the novelty of the problem, little precedent can be invoked, still policy makers and technologists and users are coming up with creative ways to solve the problem.

An August 2017 U.S. survey revealed that only 17% of the internet users felt that their data was ‘Very Secure’. With news of massive data breaches coming out and companies owning up to laxes at their end, this number will surely go down. More and more people are realizing that some of the largest companies they had faith in couldn’t secure their data.

As response to another question to judge user’s faith in companies being able to keep their data safe, only 3% said they completely trusted Facebook with their data. And Facebook is a place where people unknowingly share a lot. And it doesn’t stop there. A lot of websites and applications use ‘Social Sign-ins’ and since we ‘trust’ social networks to keep our data secure we readily use them to register on to these websites and apps. As seen below, Facebook is the most preferred social sign-in and that in-spite of the fact that user trust sits at mere 3%.

Due to this vulnerability, which people are realizing today, they are most concerned about identity theft through online hacking. Identity theft for stealing money is the most obvious reason but another alarming concern is the malicious use of one’s personal information, to humiliate, harass someone or damage their reputation in some other way.

A July 2016 survey of U.S. online users about online harassment through the invasion of privacy has revealed that 5% of internet users in the United States had harm caused to them through the exposure of sensitive information. Online identity theft, device security and fake communications are some of the biggest fear parents have when it comes to their children’s online safety. Some 50% of surveyed parents said they have already discussed identity theft with their children. Furthermore, an initiative called ‘right to be forgotten’ was backed by the EU court and forced Google to remove/amend results on request. This was a landmark decision and is paving the way for giving users back the rights to their data.

Data is Knowledge and Knowledge is Power

Coveidentity | Nov 27

“Siri, how does my calendar look like today?” and the AI powered personal assistant responds with your day’s itinerary and even provides recommendations about weather and traffic. How does this happen? It’s because of the meetings we ourselves added to the calendar and the assistant also knows our location and the place we work. When the entries were made, it was just data, but it was converted into knowledge by the computing power at the hands of the virtual assistant.

At the dawn of computing, all the knowledge that a computer had about us was probably a name. But as the computing power grew exponentially so did the amount of data we fed into these systems. And using that data and all that computing power, a virtual avatar of anyone can be created.

Why do companies store data?

Data is knowledge and knowledge is power. Not only can the companies, who store swathes of data, create our virtual avatar, they can also predict with pretty good accuracy where we would eat next, what would we order and if we would require a cab back home or not! The power wielded by these companies eventually translates into huge amounts of money for them and for that very reason, they try and collect it at every possible point in time. Whoever has the most data, is the most powerful and thus the richest. No wonder the four largest brands in the world are tech companies and data is a big play for all of them!

Why should it be an issue?

Companies and the consumer, both benefit from this knowledge. For consumers, the level of personalization is like a dopamine trigger! “I think real-time personalization and artificial intelligence are the big technologies,” says Greg Grdodian, CEO of Reach Marketing, an integrated marketing solutions provider. “Everyone wants that individualized experience. And both of those technologies will help you get there and maximize every engagement.”

Personalization is not a concern, but privacy is. If you look at the number of data breaches that have happened lately, and that too at the hands of some of the most reputed companies, you surely will be concerned. Companies might not be directly selling your data but they themselves are prone to attacks and that is when things get scary.

A social network might only be profiling you, anonymously, to send you targeted ads. An ecommerce company, again might just be storing your data to make that checkout process simpler. But when a black hat gets access to the two repositories, he can use the two anonymous profiles to get access to ‘virtual you’ and once there he can even clean up your bank account.

What are the companies doing to keep our data safe?

There are dozens of apps that a person uses on a regular basis. Some are developed by startups and others by large enterprises. While all these companies do their best to secure our data, some are better positioned, because of the availability of resources, than others to achieve this goal.The most advanced today, like Apple and Google, are using tools like differential privacy to keep our data safe but even that does not make the system foolproof. “In some cases you simply can’t answer the questions that developers want answers to,” said Yonatan Zunger, a privacy engineer at Google. “We basically see differential privacy as a useful tool in the toolbox, but not a silver bullet.”

What is the safest bet?

A zero knowledge, decentralized system with private key for consumers. That is the only way to keep data private and secure!

We cannot the blame the companies alone for the incidents like money being stolen from credit cards, when we willingly provide these companies all the information without even thinking of the consequence. We need to realize the value of our data and also that the if we, at the very first step, will not provide open access to it, no one will be able to hack into our virtual selves!

Check out more about our zero-knowledge system to store and share your vital information securely and try out the app here

Our public roadmap is live

Coveidentity | Sep 19

I am a strong believer in companies being as transparent as possible with their community and we try to live up to that value in everything we do here at Cove.

So in that spirit of transparency, we are publishing our public roadmap so that our community and contributors can see what we plan to build out for Cove over the next year and a bit. The roadmap focuses more on the headline implementations rather than the nitty gritty details of an internal roadmap so if you’d like more clarity or details on any item please reach out to the team. We’d love you to have a read and vote, comment or send us any suggestions you may have about the roadmap and our upcoming plans.

As a customer-centric company, we are always responding to the needs and feedback of our community so some of the items in the roadmap may have be removed or elevated in priority and new items may be added in the future.

Have a look at our public roadmap here on Trello

Registration is now open for our pre-sale with up to 40% discounts available. You can register on our token sale website.

How Cove differs from the alternatives

Coveidentity | Sep 14

After we announced our impending token sale, many people responded by asking us what the difference is between Cove and similar products in the market. This is totally understandable as it helps the community place us as a product. I tried to respond to these queries in a previous blog post which spoke about our offering in more detail and didn’t mention any of the similar products out there, showing them the respect they deserve. But some of the community are still asking questions so we’re going to attempt to do a more direct comparison. We are not saying we are better, that’s up to the market to decide, we are just trying to explain where we are different to similar product.

The simplest way to define Cove’s positioning in the market is that we are the first company (that we know of) to combine zero-knowledge cloud storage with self-sovereign identity to give users full control of their online identity.

Cove combines zero-knowledge cloud storage with self-sovereign identity to give users full control of their online identity

Cove follows 4 key processes to achieve this: effortless digitization, unbeatable encrypted storage (ensuring full privacy), safe sharing and aggregated validations. Some of these processes exist in the app right now, some are on the roadmap for development in the near future. Let’s compare these to similar products out there:

Secure Storage and Sharing

A file storage and syncing app that has created massive utility for people for larger files storage and sharing. Cloud storage is a really big space, Dropbox is a $10bn company despite being in the presence of Google Drive. We think there is a lot of potential in the fledgling zero-knowledge segment of this space.

So Dropbox are strong on storage and sharing but don’t offer full privacy, encrypted file storage, secure sharing or aggregated validations yet.

Google Drive
Super convenient to use as a cloud based hard drive, well integrated with Gmail and other Google apps and pretty much the standard for file sharing and storage

Privacy and zero-knowledge file storage are a major challenge for Google Drive, they will never be able to compete here as their business model relies on having access to your data.

The next generation of decentralised storage, Storj shreds encrypting files across peer storage devices. Its a brilliant and scalable concept that we admire and enjoyed a well-funded ICO.

While Storj is a great storage solution, they haven’t shown any signs of entering the validation space yet.

Authentication apps

Google and Facebook let you sign in to several websites without creating the logins there.

Of course the challenge here is that they are both hungry to monetise your data so they can see it all.

Civic is another great ICO-funded company that we have a lot of respect for. They raised the standards for running an ICO and have a really good product. Civic is a secure identity platform that helps individuals and companies protect against ID theft. The platform also allows users to login to several website without creating logins there. We expect to see some big developments from Civic as they expand their features and business partner network.

Civic is possibly the leader in identity management / self-sovereign identity and will be exploring decentralized storage options with IPFS in the future.

We respect all of the players mentioned above here and look forward to growing with them and learning from each other. A lot of the digitization and storage features we mentioned in the beginning are available on the Cove app so if you’d like to try it out, please download it from either the iOS or Android app stores.

Pre-registration is now open for our pre-sale. You can register on our token sale website.

No more Equifax type breaches with zero-data sign ups

Coveidentity | Sep 13

Another day, another big data hack, this time at Equifax. Having your data stolen from some big company database is now pretty much an expectation for anyone who interacts with online services.

Data is more valuable than oil, yet most big companies are using haphazard systems and outdated technology to secure our most valuable asset. It’s akin to storing gold behind a white picket fence, any opportune thief is going to go for that gold, it’s too easy. The challenge with these big companies is that they move too slow, don’t innovate enough and don’t want to spend money securing other people’s data so it’s left up to you to take back control of your own data.

This kind of control is available to us right now thanks to advances in technologies like blockchain, encryption, decentralised storage and biometric security and there are companies out there such as Cove looking into ways to use these technologies to help users control their own data, which is generally referred to as self-sovereign identity.

So here are some use cases of how Cove could help you keep control of your data using these technologies:

Zero-data signup

I’ve put this at the top because a lot of our community are excited by this idea. With Cove it will be possible to sign up for a service without sharing any of your personal data with tthe company. If companies trust our verification system, they could set a minimum verification score for each data point they require (eg name, date of birth, email) and simply trust that the data is accurate and valid and not even need to see it to create a user account. They would then communicate with you through the Cove app making it a sort of decentralised communications system. You have full control over how you’re communicated to and don’t share any data, the company gets more signups because it’s so simple and safe, and is still able to interact with their users.

Controlled sharing with companies

Some companies will need some of your data for good reason eg KYC. In those situations, through Cove you could provide them access to those data points or verified documents stored in decentralised encryption and you could revoke their access should you need to.

Controlled sharing with peers

Your friend needs your passport details to book a flight for you, this is valuable data to a hacker and really shouldn’t be emailed or permanently shared with anyone. As soon as you share this data with a friend you place the responsibility protecting your identity with them. With Cove, you could share the data encrypted and only allow your friend to see the information and once they’re done, their access is revoked and they can no longer see the document or data, re-securing it and preventing hackers from intercepting it later when somebody’s email gets hacked.

Decentralised storage

The obvious problem with centralised storage is that if there is one mistake or breach, everyone who has data stored in that same place is vulnerable but with decentralised storage, if a breach happens, only one person’s data is vulnerable and if that person is using Cove, that data is encrypted anyway so the breachers wouldn’t be able to see anything useful.

Biometric security

We’re building a system that aims to provide full end-to-end control of your data and identity meaning that when you store it, sign up for something, share it with others etc, your data is as secure as it can be. So with all the other options closed off, the key access point for you to access your data is your phone. The advent of phone-based biometrics makes it really difficult for someone to access Cove on your phone, keeping that important access point secure.

So as you can see above, a paradigm shift is under way in terms of who controls their data and how we share it with people and companies. The benefits to you the end user is enormous but it will take a lot of convincing to get companies to get onboard as they love to hoard our data but if we all work together on this, the reluctant ones will be forced to interact with users on their terms or risk losing business.

Registration is now open for our pre-sale. You can register on our token sale website

Why and how regulators should embrace ICOs?

Coveidentity | Sep 11

The history of the financial investing world is full of innovations that created new avenues for opportunity but also encouraged fraud and ‘irrational exuberance’, forcing authorities and regulators to step in and protect citizens from the dangers of unregulated financial activities. Bitcoin, cryptocurrencies and ICOs are simply the latest in a long line of financial innovations that should and will be embraced by regulators to ensure they are conducted in the correct manor. Let’s take a look through some of the key events in financial history and how they have led us to where we are now.

The Solomon vs. Solomon ruling allows for future financial innovation -1896)

One of the largest events in the evolution of human innovation was the verdict in the landmark case of Solomon vs. Solomon Corporation in 1896 in the UK which meant that shareholder running the company were segregated from the liabilities of the company itself. Business owners and shareholders could become more enterprising, and if their business did not work, they will not have to be held hostage to the demise of that company. Arguably, if this ruling did not happen, we may not have witnessed the tremendous innovation we saw in the last 120+ years from millions of entrepreneurs.

The great depression leads to the SEC and the enforcement of regulation — 1934

In the early nineteen hundreds, ravenous, inexperienced investors were pumping money into the stock market which was growing in importance (sound familiar?). This inevitably led to Black Tuesday and the great depression. The US government responded by setting up the SEC and giving it far reaching powers to enforce financial regulation.

Regulation failures set the scene for the birth of Bitcoin — 2008

On the 15th September 2008 we witnessed the $653bn bankruptcy of Lehmann Brothers the largest corporate bankruptcy in history, despite being highly regulated by several global authorities.

This and other bankruptcies (eg Enron’s $60bn bankruptcy in 2001) lead some people to question whether the current corporate structures we find in large corporations are the right way to go. Let’s examine this.

There are various stakeholders involved in governing a company. Directors such as the CEO and CFO hold shares in the company and focus on short term profitability to satisfy their shareholders and their fiduciary duties. Then we have shareholders who hold great influence over company directors and are notoriously driven by short-term profits. The regulators seek to minimize the opportunities for companies to engage in unsavory tactics to generate profit. Most customers of the company have very little say in how things are run. It is this structure that led to the thinking around a different financial model after the 2008 financial crisis.

Disaffection leads to the foundation of Bitcoin — 2008

The world’s first cryptocurrency, Bitcoin was introduced in a whitepaper in November 2008, a few months after the Lehmann Brothers bankruptcy, for one major reason — to get away from a centralized system where financial institutions, states and regulators were not trusted and users had more say in how things are run. Bitcoin has been one of the major disruptions of the 21st century. Who would have imagined in 2009 that people would be giving away almost $5,000 of their real hard-earned money for 1 virtual coin of a digital currency which nobody owns, no central bank guarantees, is not backed by any gold or any other asset.

Enter the ICO — 2013

The incredible rise in the value of Bitcoin led to the creation of the most exciting funding innovation in recent history — the Initial Coin Offering (ICO). Simply put, an ICO is the advanced sale of a platform’s crypto-currencies or tokens, to fund the development of fund raising company’s platform and product. These tokens can be easily sold and traded at anytime, on all cryptocurrency exchanges depending on their demand, providing liquidity to investors and vital early stage funding for entrepreneurs. These tokens are essentially the incentives, for several market participants to use and grow the platform in a decentralized manner. Such incentives are paramount in making a decentralized eco-system operate sustainably.

Much like the cryptocurrencies that fund them, ICOs have experienced exponential growth in 2017 and in the past few months have raised more money than early stage VC funding has, a cool $1.5billion. Companies like Filecoin, Bancor, Tezos, have each raised more than $150 million in a matter of hours making ICOs an incredibly successful instrument to raise funds for the development of a new application or platform.

Why ICOs make sense

These are the key reasons, why ICOs have enjoyed so much success:

  • There is a willingness among the community to decentralize control, away from large corporations
  • Investors are participating very early on in the process, hoping to repeat the success of early stage Bitcoin investors who saw its value rise from a few cents to $5,000+ within 7 years, creating generational wealth for some investors.
  • The surplus money people generated from early investments into cryptocurrencies are being re-invested into new cryptocurrencies.
  • A genuine desire to fund some interesting causes and projects that are closer to the crypto-investors’ hearts.
  • Limited liquidity (supply) of tokens means that as the use of token and platform grows, the value of tokens should grow as well, generating strong returns for the early-stage crypto-investors. ICOs are also beneficial to smaller investors as early stage crypto-investments are not limited to private investors or VCs, anyone can take part in a token sale, similar to the concept of Kickstarter, where people fund or support projects which they feel would be successful and effective.

Looking at ICOs from a regulator’s perspective

It is a regulator’s job to protect investors from unscrupulous activity and with ICO investments at record levels, it’s no surprise that regulators have stepped in to limit unsavoury activity and encourage best practice within the ICO community. The challenges regulators face include founders raising funds through ICOs with nothing but a whitepaper then disappearing, difficulty governing cryptocurrencies that are hard to track and companies choosing ICOs over traditional fund raising methods to avoid being regulated under the usual securities laws.

  • Regulators have started to respond since July 2017:The SEC has said that if the token is a security, then it falls under the Securities Act
  • Canada, Singapore, Hong Kong, have echoed similar statements with a warning to investors to be cautious in their investment process.
  • China has banned all ICOs within the country. The ban is thought to be temporary while they figure out how to regulate ICOs. Sooner they come with guidelines, better it would be for removing such wide blanket bans.

But if we take a step back, the idea of Bitcoin was to get away from centralization, including regulation. If we introduce new coins / tokens in some regulated environment, are we not defeating the purpose of cryptocurrencies? Are we not trying to create new breed of tokens that can shift the economic structure of companies but then regulating them back so they become securities? Realistically, regulation is unavoidable as there is now far too much money involved in ICOs and cryptocurrencies, so much like the peer-to-peer funding industry actively sought out and encouraged financial regulation, the ICO industry should work with regulators to draft laws that protect investors and prevent illegal activity whilst still encouraging innovations in technologies and corporate structures. These would be my suggestions to regulators who would be considering regulating ICOs:

1. Introduce KYC processes within ICOs

This can be useful for various compliance requirements such as:

  • Tax laws (helping tax authorities figure out if some investors had realized or unrealized profits on their tokens).
  • Ensuring any country-specific compliance is met.
  • Protecting against money laundering.
  • Allowing for a certain accredited investor base for certain kinds of ICOs.

2. Introduce guidelines for ICO documentation and process

Potentially inspired by existing IPO and other fund raising processes:

  • Clearer disclaimers marked in the ICO papers about investment risks.
  • Ensuring company exists by including its registration / audit reports, etc.
  • Including comprehensive details about the team, product and business.
  • Post investment audits are periodically shared with the investors

3. Classify the tokens before regulating them

As Canadian regulation says, each token is different and should be evaluated independently (CSA staff notice, 46–307 “Crypto currency offerings” released by CSA Canada):

  • Tokens that are cryptocurrencies like Bitcoin or Ether could be regulated in a similar way to the fiat currencies.
  • Tokens that mimic securities — that give ownership in the company, are for profit investments, etc. may be regulated within existing or enhanced Securities laws.
  • Tokens that are for in-platform use only may continue to be unregulated or lightly regulated if needed. In principal, they are very similar to loyalty points, frequent flyer miles, vouchers, or even tokens for games. These are typically not treated as securities and for now are generally not regulated.

ICOs have witnessed incredible growth in the last few months but may face some challenging times while regulators figure out what to do to them and certainty returns to the market. But I truly believe that constructively curated regulation that encourages ICOs to challenge imperfect corporate structures can lead us to a much better decentralized digital world.