DEV Community

Cover image for How have I ensured the privacy and anonymity of my website users? šŸ¤”
Alex Fedorov for Foundsiders

Posted on

How have I ensured the privacy and anonymity of my website users? šŸ¤”

Over the course of the past month, Iā€™ve built the first version of FelloWageā€”a website that allows users to share their salary information and view information shared by others.

Of course, I wanted to keep the information of my users private and anonymous. When somebody is looking at the wage entry, they shouldnā€™t be able to tell who this entry belongs to.

On the other hand, to keep the quality of the shared data high, users should be able to update their salary entries when they change over time. Thus the wage records need to be somehow connected to the respective user accounts.

This poses an issue: if I implement it in the most obvious way (a database foreign key relation), then the website operator (me), effectively, has access to this connection between the user account and a salary record. Also, legal authorities coming with a court order will be able to see this as well, and in the unfortunate case of a successful cyber attack, the hackers will get their hands on this data too.

Privacy problem

This is not good enough! How can we do better?

We are looking for a solution where:

  • the wage entry is readable by all users of the system,
  • the connection between wage entry and the user account is readable ONLY by the user account owning that entry,
  • user accounts are readable to the system (at least partially) for the purposes of the login system.

In my scenario, since the user sign-up verification is a manual process, I needed the system to be able to write this connection without the presence of the user.

If we sum it up: only the user should be able to read a connection record, and the system should be able to write this record (but not read it).

Assymetric encryption

This sounds to me like asymmetric encryption, where the system knows the userā€™s public key, and the user knows their own private key. The system uses the public key to encrypt the information when it needs to write it, and the user can read that information using their private key.

Of course, the next challenge is UX. We canā€™t have the users use private keys every time they want to login.

Thatā€™d be too clunky.

Asymmetric encryption

Passphrase-encrypted private key

Then it has stricken me: what if I do the same thing SSH keys do when you set them up with a passphrase?

Now the system will store both types of keys:

  • the public key, and
  • the private key encrypted using the userā€™s password.

Now, even if I were to drop into the raw SQL in my database console, I wouldnā€™t be able to tell who owns which wage entries anymore! And the user can still see and manage their own entry.

As a bonus, Iā€™ve found this method of securing the userā€™s data quite convenient, and I used it for other information as well, where Iā€™m sure that only the user will need access to this data.

Of course, we still need to make sure that the users create strong passwords that are not vulnerable to dictionary attacks, and werenā€™t part of any breach. Iā€™ve used zxcvn by Dropbox library and ā€œHave I Been Pwnedā€ API for that.

Thank you for reading!

Iā€™m glad youā€™ve gotten to the end of this post! If you are interested in more behind-the-scenes posts like this, you should subscribe to our newsletter.

The next post that is in the making is a deeper dive into the implementation details and challenges of the solution from this article. Donā€™t miss it, grab our newsletter here! šŸš€

Thank you for your support!

Top comments (11)

Collapse
 
mslavov profile image
mslavov

This is great. Seems a lot of people, including me, are thinking about the same problem.
Maybe it's my lack of understanding, but I would like to ask: where does decryption happen? Since you keep the private key passphrase encrypted, I would assume this happens on the server side. Does it mean that when data needs to be accessed by the user you get the password from the request, here assuming you are not keeping the user password plain text, then decrypt the data and send it back. What I'm trying to understand is: can the system owner alter the system to gain access to the user's data?

What I was thinking about is to keep the private key passphrase encrypted within the client app ( + mailing it as a backup) and provide the user with ability/instructions to transfer the private key, between clients/browsers. So, essentially the server keeps only encrypted data, the client handles decryption, etc. This still doesn't guarantee 100% privacy, i.e. as a service owner I can alter the client to send the data I want to the server.

Anyway thanks for the post, it gave me a different perspective to think about.

Collapse
 
waterlink profile image
Alex Fedorov • Edited

Yes, it does happen on the server, and then the result of decryption (private data) is stored in the encrypted session that is available only when the client communicates with the backend.

Of course, as the owner of the system, I can always modify it to eventually get access to anything (when the user finally logs in).

I would be violating my own terms of service and privacy policy though by doing that and will be liable for this. And I donā€™t want that kind of liability on my shoulders.

Now, the client-side encryption is awesome! Especially, if you are dealing with power users or niche, where folks will overcome the initial UX struggles to start using the authentication key like this. In fact, certain bank systems allow you to log in only if you use a separate private key file on a special crypto-device that you have to connect to your computer.

And for banks or other crucial systems, and especially in B2B and for enterprises, that might work.

For the B2C software thatā€™s going to be a huge block preventing people from using your product, unfortunatelyā€¦ Especially, if the product, like FelloWage, relies on a lot of user sign-ups and data shared before it becomes valuable for other users.

Collapse
 
davel_x profile image
davel_x

How do you manage (if you do) the 'lost password' process ? Is the user allowed to change his password without giving the old one first ? It should break the 'link' between the encrypted record and the actual record, isn't it ?

Collapse
 
waterlink profile image
Alex Fedorov • Edited

I store the same encrypted data in 2 forms:

  • normal encrypted data (password-based)
  • the same encrypted data for recovery (recovery-file-based)

When users create their password, I create 2 types of asymmetric key: password-based and recovery-file-based (this one is essentially a super-strong generated password).

As soon as this file is generated, it gets sent to the user over the email. Itā€™s not stored anywhere else.

Now, when the user wants to use the ā€œForgot Passwordā€ feature, theyā€™ll have to upload the recovery file.

The system then decrypts the data using the recovery-code-based private key, re-encrypts that using new userā€™s password and issues a new recovery-code for the user.

Collapse
 
shepherd_06 profile image
Ibtehaz

This is actually a great concept. I was wondering how to protect my users' data. <3

Collapse
 
waterlink profile image
Alex Fedorov

Be careful with this technique, as it is a double-edged sword. This type of encryption is very CPU intense. Thatā€™s why it is so secure.

In my stress-testing setup (3-5 most expensive Heroku dynos), Iā€™ve seen registration and login take up to 30 seconds when the system is loaded with 300-500 simultaneous users trying to signup or login. And thatā€™s with a quite fast statically compiled language.

(unfortunately or fortunately, we didnā€™t get close to these numbers during the launch on PH šŸ™ˆ)

Collapse
 
shepherd_06 profile image
Ibtehaz

Okay.. :D good to know :D

Collapse
 
monfernape profile image
Usman Khalil

An interesting read. Loved the concepts

Collapse
 
rohansawant profile image
Rohan Sawant

I actually have already visited the site and I wondered how you were securing everything. This clears things up!

Nice!

Collapse
 
sebbdk profile image
Sebastian Vargr • Edited

I wonder how this works with data laws.

If a user requests data deletion, is it okay to just remove the user data and then keep the now unrelatable data, or would we need to delete that too?

Collapse
 
waterlink profile image
Alex Fedorov

We allow the user to delete their wage entry in the UI of the application if they so choose when they are logged in. Because remember, the entries are still connected, itā€™s just that the user only can see and manage this connection.