Sensitive Compartmented Information (and your money)

For those with military experience out there, you may be familiar with SCI. Actually, you probably can neither confirm nor deny your SCI or non-SCI status. Regardless, for those not in the know, SCI is the step above top secret. You’ve heard the old saying, “It is on a need to know basis, and you don’t need to know!” Unfortunately, most online transactions performed today do not follow rules anywhere close to that, even though they don’t really need to know.

Everyone in the industry is familiar with the Heartland breach, the TJ Maxx theft, and probably half a dozen others. Too bad retailers, both brick-and-mortar and online, don’t believe in SCI. Of all the players in the industry, Microsoft has recently stepped up with a program they’ve dubbed “U-Prove”. U-Prove works with a model similar to SCI, in that it only gives the information necessary to complete a transaction and nothing else. A recent Ars Technica article has offered some editorial insights:

On the other hand, there’s no reason why a storefront like, say, iTunes, needs to know your identity; it only needs to know that the money being handed over is yours to hand over.

To use a credit card on iTunes, I have to hand over so much information that Apple, if it was a bad actor, could masquerade as me. I can’t just give Apple some electronic money; instead, I have to give them my name, address, and credit card number. In practice, the real problem with me handing over so much info to iTunes isn’t that Apple might pretend to be me—with billions in the bank the company doesn’t really need to charge things to my credit card, after all—but that hackers (both external and internal) might take this stored data and use it for their own nefarious purposes.

U-Prove aims to stop organizations from being forced to collect excessive information from their customers when, in reality, it is not needed. To the contributor’s first quote, Apple doesn’t really need to know all of my info, just that the money I’m sending them is good. Microsoft has open-sourced the U-Prove framework, enabling other applications to use the protocols. U-Prove, using a combination of several cryptographic techniques, creates a one-time, unique and secure token that carries only the necessary information, which is then decoded and used by the organization requesting the transaction.
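To make the minimal-disclosure idea concrete, here is an added illustration that is not part of the original post and is not Microsoft’s U-Prove code. It is a deliberately simplified selective-disclosure token: the issuer commits to every attribute with a hashed, salted commitment and authenticates the set, and the user later opens only the attributes the merchant actually needs. The issuer key, the attribute names and the sample values are all constructed for the demo, and the HMAC tag stands in for a real issuer signature (U-Prove itself uses blind signatures so that presentations are also unlinkable, which this toy does not attempt).

```python
import hashlib
import hmac
import json
import os

# Constructed demo key shared by issuer and verifier; a real deployment would use
# an issuer signing key and a public verification key instead of a shared secret.
ISSUER_KEY = b"constructed-demo-issuer-key-not-a-real-secret"

# Constructed sample attributes the issuer (e.g. a card network) knows about the user.
SAMPLE_ATTRS = {
    "name": "Jane Example",
    "address": "1 Example Street, Nowhere",
    "card_number": "4111111111111111",  # constructed test card number
    "age_over_18": "yes",
    "payment_authorized": "yes",
}


def commit(name, value, nonce):
    """Salted hash commitment to one attribute: hides the value, binds to it."""
    return hashlib.sha256(f"{name}:{value}:{nonce.hex()}".encode()).hexdigest()


def authenticate(commits):
    """Issuer tag over the whole commitment set (stand-in for a signature)."""
    canonical = json.dumps(commits, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, canonical, "sha256").hexdigest()


def issue(attrs):
    """Issuer: commit to each attribute with a fresh nonce and authenticate the set.
    Returns the token (public part) and the nonces the user keeps as openings."""
    nonces = {k: os.urandom(16) for k in attrs}
    commits = {k: commit(k, v, nonces[k]) for k, v in attrs.items()}
    return {"commits": commits, "tag": authenticate(commits)}, nonces


def present(token, attrs, nonces, disclose):
    """User: hand over the token plus openings for only the requested attributes."""
    opened = {k: (attrs[k], nonces[k].hex()) for k in disclose}
    return {"token": token, "opened": opened}


def verify(presentation):
    """Merchant: check the issuer tag, then check each opened attribute against
    its commitment. Returns the disclosed attributes, or None on any failure."""
    token = presentation["token"]
    if not hmac.compare_digest(authenticate(token["commits"]), token["tag"]):
        return None  # commitment set was altered or not issued by our issuer
    disclosed = {}
    for name, (value, nonce_hex) in presentation["opened"].items():
        expected = token["commits"].get(name)
        if expected is None or expected != commit(name, value, bytes.fromhex(nonce_hex)):
            return None  # opening does not match what the issuer committed to
        disclosed[name] = value
    return disclosed


def checkout_demo():
    """The storefront learns only that payment is authorized, nothing else."""
    token, nonces = issue(SAMPLE_ATTRS)
    presentation = present(token, SAMPLE_ATTRS, nonces, ["payment_authorized"])
    return verify(presentation)


if __name__ == "__main__":
    print(checkout_demo())
```

The point to notice is what the merchant does not receive: the name, address and card number never leave the user, yet the merchant can still confirm the one attribute it needs was vouched for by the issuer. Any attempt to alter a disclosed value, or to add an attribute the issuer never committed to, fails verification.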

As is the case with any new technology, adoption is always going to be the hardest part. Some retailers, such as the Amazon example used in the Ars Technica article, will not welcome the U-Prove framework as it removes many key data mining aspects of their business. Amazon doesn’t really need to know your age, unless of course you are subscribing to Playboy or buying a CD with explicit lyrics, but they use that information extensively in their advertising. In much the same way, Apple has no need for your address when you purchase a song, but they can use that information to determine the best location to place their next store, for geographic and contextual marketing, and potentially to track down problems in their supply and distribution chain.

The U-Prove framework has the potential to be a game changer for the way businesses and individuals transfer information between one another, but the implementation and adoption hurdle will be a large hill to overcome. Microsoft has begun implementing U-Prove within some of their own products such as Active Directory and some of their web technologies. Even with this show of good faith, convincing other organizations to limit the amount of data they collect from their customers, all for the sake of privacy and security, will be a challenge.

Is U-Prove the correct way to diminish some of the risk associated with breaches like Heartland and TJ Maxx, by limiting the data exposed to a need-to-know basis only, or are the implementation challenges too great to overcome?