Tales from the Crypt: Privacy and Encryption in Asset Portfolios

  • Friday, 02 June 2017 02:46
In my opinion, when it comes to privacy and encryption, it all boils down to a comment by Andrew Lewis, also known as blue_beetle, who said on MetaFilter: ‘If you are not paying for it, you’re not the customer; you’re the product being sold’. When I first heard that, it really resonated with me because I am a big fan of websites that have business models which do not solely rely on advertising. I want to build a product that adds value to the ecosystem, not one that is used as a shop window for other companies.

In my view, your private portfolio data is one of your most treasured assets. In a world where privacy is slowly becoming a myth, I believe we should do everything we can to protect your data and give you the option to hide it, even from us.

That’s why we’ve started working on adding a simple way to encrypt your portfolio data. The principle is straightforward and it only has a few simple steps:

1. Disassociate the portfolio contents from the live prices. This has already been done and it’s the reason why you see an initial loading screen when you go to your portfolio.
2. Have a simple way for the system to know if your portfolio is encrypted or not. We’ve already added the option to encrypt your portfolio to the interface and we’ve added the required backend fields and data structures.
3. Actually encrypt the portfolio contents. This is what we will be working on in the next few weeks.
4. Store and update the encrypted blob on the server.

On the encryption side we’ll most probably use 256-bit AES encryption. The encryption will work with a password and a locally generated secret key.

The password will never be stored alongside your portfolio data or transmitted over the network. Taking this precaution is a bit like making sure the key to a safe isn’t kept right next to it: keeping the two separate makes everything more secure. The same principle applies here. You will have to input your password each time you load your encrypted portfolio, but this is a small price to pay for peace of mind.

The secret key will be randomly generated when you first encrypt your portfolio using state-of-the-art cryptographically secure pseudorandom number generators. It will probably be a 128-bit string. You can view the secret key as a two-factor authentication mechanism. The password combined with your secret key forms the encryption key. This process makes your password more secure by adding random characters to it. It also guarantees that even if your password or your machine gets compromised, the attacker will still have no way of accessing your portfolio. This is because your encryption key is composed of two different sets of characters which come from two different sources. One source is in your head or a password manager, the other source is on the device itself.

The only downside to this approach is that we won’t be able to help you if you forget your password. The huge upside is that no matter what happens to us and our servers, your data will always be secure. For the password I suggest you use a secure password generator and manager like 1Password or LastPass.

As I have mentioned on our forum, we are planning to introduce paid membership and the encrypted portfolio will be a feature of this type of membership. There will probably be two types of monthly membership and a one-off encryption cost — but we will discuss this topic in a future blog post. The basic portfolio will still be free but with a limited number of coins.

We’ll try to price encryption as reasonably as possible but keep in mind that it’s not a feature we can charge monthly for. You either have your portfolio encrypted or you don’t; we’ll never be able to disable it on our end. You’ll be able to decrypt your portfolio in our app as well by scanning the locally generated secret key as a QR code. You’ll also be able to back up the machine key to a file and import it on a different machine if needed. The password will only be in your head and the machine key will only stay on your devices.

Even with the data encrypted, it’s worth mentioning that we will still be able to infer some of the coins you are holding. This is because you will be hitting our pricing API and our streamers to get the latest prices.

To sum up, with an encrypted portfolio we will never know the amount you are holding, the buy date, sell date, buy or sell prices, where you are storing the coins or any other comments that you add to your positions.

Thank you again for using our product and for trusting us with your data. We are fully aware that with great power comes great responsibility and we are doing our best to give back as much of the power as possible.

Privacy and Encryption in Asset Portfolios was originally published in Tales from the Crypto on Medium, where people are continuing the conversation by highlighting and responding to this story.
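
An added example, not the site's own code: one way a client could combine the password with the locally generated 128-bit secret key into a 256-bit AES key and produce the encrypted blob that is stored on the server. The combination scheme (scrypt, then HMAC-SHA256), the AES-GCM mode, the blob field names and all function names are assumptions; the post only specifies 256-bit AES, a password and a random secret key.

```javascript
// Added example (not the site's code): password + device secret key -> AES-256-GCM blob.
const nodeCrypto = require('node:crypto');

// 128-bit secret key from the OS CSPRNG; it stays on the device (file or QR backup).
function generateSecretKey() {
  return nodeCrypto.randomBytes(16);
}

// Assumed combination scheme: stretch the password with scrypt, then mix in the
// device secret with HMAC-SHA256. Both inputs are required to get the 256-bit key.
function deriveKey(password, secretKey, salt) {
  const stretched = nodeCrypto.scryptSync(password.normalize('NFKC'), salt, 32);
  return nodeCrypto.createHmac('sha256', secretKey).update(stretched).digest();
}

// Returns what the server would store: ciphertext plus non-secret parameters only.
function encryptPortfolio(portfolio, password, secretKey) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12); // fresh nonce on every save
  const key = deriveKey(password, secretKey, salt);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(portfolio), 'utf8'), cipher.final()]);
  const b64 = (buf) => buf.toString('base64');
  return { v: 1, salt: b64(salt), iv: b64(iv), tag: b64(cipher.getAuthTag()), ct: b64(ct) };
}

// Throws if the password, the secret key, or the stored blob is wrong or modified.
function decryptPortfolio(blob, password, secretKey) {
  const buf = (s) => Buffer.from(s, 'base64');
  const key = deriveKey(password, secretKey, buf(blob.salt));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, buf(blob.iv));
  decipher.setAuthTag(buf(blob.tag));
  const pt = Buffer.concat([decipher.update(buf(blob.ct)), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Constructed sample data, not a real portfolio.
const samplePortfolio = [{ coin: 'BTC', amount: 1.5, buyPrice: 2400, note: 'cold wallet' }];
```

Because the blob is authenticated, a wrong password, a wrong secret key and a tampered blob all fail the same way at `decipher.final()`, so the client cannot tell the user which of the two inputs was wrong.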
