Ask HN: How to build a back-end where no two employees can see all user data?

5 pointstoss19419y ago4 comments

Assume this is a small organization with only five employees. How would you build the website backend that provides the highest level of anonymity for their user's who register for and user their website or services? Is it possible to prevent someone like even the CEO, CISO or developer from viewing all the user's data in plain text without involvement from an escrow service or lawyer? Or does that make it impossible to protect from fraud or other legal issues?

4 comments

guyfawkes3039y ago

Encryption would be about the only solution I can think of. Keybase.io achieves this. Then again, you are now building an encryption service instead of whatever you are trying to actually build.

schoen9y ago

It depends partly on whether you need to process and compute on the users' data. Some companies use client-side encryption to prevent themselves from possessing usable user data in the first place. If you do need to process data server-side, it's tricky to see how you can unlock the data for processing while not exposing it to other uses. There are DRM-like approaches that attempt to use tamper-resistant hardware that is then only allowed to run certain software.

An example of this is the https://en.wikipedia.org/wiki/IBM_4758 which is pretty expensive and inconvenient to use, but can in principle be used in high-assurance applications where you want to say that the data is processed inside the 4758 but only in preapproved ways and can't be directly exported. Presumably there are somewhat cheaper ways to do this nowadays... PrivateCore was working on a way to do something along those lines on commodity hardware, but they got acquired by Facebook.

stocktech9y ago

Row level security on the database for users.

detaro9y ago

Does not protect against anyone with administrative access...

j / k navigate · click thread line to collapse