Why don't we protect identity like Top Secret information?
Do you know how many spies the United States has inside Iran right now?
I don’t know the answer either. The reason is that the number and names are classified Top Secret at the highest levels of the US Government. So I’ll ask the question again: why don’t we protect identity like Top Secret information?
This is the question I asked myself when I learned how the Special Access Program (SAP) works. SAP is what protects Top Secret/SCI information. In the federal government, there are various levels of classification for information.
Here is a brief description of each classification level.
Unclassified — A security classification assigned to official information that does not warrant the assignment of Confidential, Secret, or Top Secret markings but which is not publicly-releasable without authorization.¹
Confidential — Applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security.²
Secret — Applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security.²
Top Secret — Applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security.²
Top Secret/SCI — Many people believe that SCI is a classification higher than Top Secret (TS). This is false. Top Secret is Top Secret. SCI means Sensitive Compartmented Information. It is simply a different method of protecting certain TS information.⁵
Let’s say we wanted to take out a high-value target (HVT) in a military operation. In order to protect the execution of that military operation, we would classify it as Top Secret/SCI. What does that look like?
The name of the operation would be classified TS/SCI
The assets involved in the mission would be TS/SCI
The location of the target would be TS/SCI
The day and time of the operation would be TS/SCI
You get the idea. Everything surrounding that military operation would be sensitive compartmented information. The reason the TS/SCI program works so well is that not one person involved in the actual mission has the complete picture of the whole operation. Everyone involved has only enough information to do their job and complete the mission.
I took these same policies and procedures and designed a company around them. The name of the company is Mass Address. Mass Address is a decentralized identity platform that seeks to provide American citizens with exclusive control over their identity online. It will operate on the premise of something I call permissive privacy. This means just because you have my information doesn’t mean you can use it. It’s an entirely new standard I am hoping the market will adopt.
In today’s day and age, citizens hand over their most sensitive information to companies with the hope that they will protect it. A company might spend every dollar it has protecting your information but still have a data breach. Why? There are a number of reasons: insider threats,⁶ zero-day attacks,⁷ and so on. So what’s the solution?
One of the world’s most famous hackers gave us the solution years ago:
“A company can spend hundreds of thousands of dollars on firewalls, intrusion detection systems and encryption and other security technologies, but if an attacker can call one trusted person within the company, and that person complies, and if the attacker gets in, then all that money spent on technology is essentially wasted.”
~Kevin Mitnick
The secret to protecting identity is to eliminate the insider threat. With Mass Address, no employee can see or even access your identity. It is 100% private. Unlike all of the other identity providers in the market, your identity isn’t stored on a database but rather on a decentralized network of servers that each store 1 piece of your identity.
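The compartmentation idea described above, as an added sketch that is not Mass Address code or a description of its design: each server holds one attribute under a locator derived from a user-held secret, so a breach or insider on one server sees one field and no key to join it with the others. The `Compartment` class, the HMAC-derived locators and the sample record are assumptions made for illustration, and encryption at rest is left out.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets


class Compartment:
    """One server: stores a single attribute type, keyed by an opaque locator."""
    def __init__(self, name: str):
        self.name = name
        self._rows: dict[str, str] = {}

    def put(self, loc: str, value: str) -> None:
        self._rows[loc] = value

    def get(self, loc: str) -> str | None:
        return self._rows.get(loc)

    def dump(self) -> dict[str, str]:
        """Everything an insider or a breach of this one server would obtain."""
        return dict(self._rows)


def locator(user_secret: bytes, compartment: str) -> str:
    # Per-server pseudonym; without user_secret, two locators cannot be linked.
    return hmac.new(user_secret, compartment.encode(), hashlib.sha256).hexdigest()


def store_identity(user_secret: bytes, record: dict[str, str], servers: dict[str, Compartment]) -> None:
    for field, value in record.items():
        servers[field].put(locator(user_secret, field), value)


def reassemble(user_secret: bytes, servers: dict[str, Compartment]) -> dict[str, str]:
    # Only the holder of user_secret can find the right row on every server.
    found = {f: s.get(locator(user_secret, f)) for f, s in servers.items()}
    return {f: v for f, v in found.items() if v is not None}


def shared_locators(servers: dict[str, Compartment]) -> set[str]:
    """Locators present on more than one server, i.e. a join key for an attacker."""
    seen: set[str] = set()
    shared: set[str] = set()
    for srv in servers.values():
        for loc in srv.dump():
            (shared if loc in seen else seen).add(loc)
    return shared


# Constructed sample data (hypothetical user and field names).
SERVERS = {f: Compartment(f) for f in ("name", "street", "email")}
ALICE_KEY = secrets.token_bytes(32)
ALICE = {"name": "Alice Example", "street": "1 Sample St", "email": "alice@example.test"}
store_identity(ALICE_KEY, ALICE, SERVERS)
```

A single server's `dump()` still exposes its one field in the clear, so in this sketch compartmentation limits what one breach or one administrator can correlate rather than hiding the stored value itself.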
With Mass Address, there are no profiles. You create a singularity. A singularity that cannot be duplicated. If your identity were stored on a database, the information could be stolen in a breach or sold to unauthorized third parties. This practice happens every day in the world, but it’s impossible with Mass Address.
Mass Address seeks to be a bridge between your identity and your online accounts. The sole purpose of the company is to maintain the bridge. Mass Address cannot censor you, delete you, or profit from your identity. It’s simply a bridge.
There are many more pieces of information that make up your identity. I just used a few screenshots I made for the Pioneer.app competition to help you understand what’s involved. The secret to Mass Address isn’t the technology, it’s the people. Only 1 administrator is used per server. The name of the server is classified. The encrypted data on the server is classified. All of the administrators who work on the servers are classified. Nobody who works on or near any part of the actual network is identifiable for security reasons.
— Mass Address employees are hired through a shell company so as to hide their identity. This eliminates social engineering and Google Dorking.
— Mass Address infrastructure is purchased through a shell company so if the vendor is ever breached, the hardware we use isn’t leaked online. This is critically important because hackers use information like this to gather information before attacking their target. It’s called Footprinting.⁸
— Mass Address server error messages are intentionally changed to deceive the hacker into thinking we use a specific Operating System when in fact we do not.
— Mass Address servers communicate over the dark web.
— And much, much more.
Mass Address is the name of my startup and I’ve been building it for 5 years. I hope I can get this technology into the hands of the American people soon.
A citizen's identity should not be treated as a commodity that can be bought and sold.
Sources: