The research arm of payment card giant Visa has published a paper describing the event of LucidiTEE, a blockchain system for orchestrating sensitive data among multiple parties.
For example, the paper outlines a system that might allow banks and fintech applications to share data without counting on intermediary data aggregators.
While Europe has relied on legislation like GDPR to line standards for securely sharing customer data, US banks had to develop agreements with data aggregators.
Visa, the world’s largest card payment network, has been quietly developing a blockchain system that would upend how banks transfer customer transaction data to consumer financial applications like Mint and Credit Karma.
In a paper published by Visa’s research and development arm, researchers describe a system called LucidiTEE. It outlines a system for sharing sensitive personal data on a blockchain, crunching that data within a trusted execution environment (TEE) and using history-based policies to make sure that every of the parties receive an output of the computation. (The system’s name may be a combination of TEE and therefore the word lucidity).
The first application of LucidiTEE is sharing data between customers and financial apps. Such a configuration might spell trouble for aggregators like Plaid, Envestnet Yodlee, Finicity, consistent with people conversant in Visa’s thinking.
LucidiTEE could also allow banks to share data to coach machine learning algorithms for tackling fraud or keep financial data tracking apps from selling anonymized customer data to tech giants like Google.
Visa didn’t answer multiple requests for comment.
The paper, published on the Cryptology Eprint Archive, describes LucidiTEE as “the first system to enable multiple parties to jointly compute on large-scale private data, while guaranteeing policy-compliance even when the input providers are offline, and fairness to all or any output recipients.”
Visa was a founding member of the Libra Association until it dropped out right before the association launched. The financial services giant has also experimented with a blockchain-based business-to-business payment service originally developed alongside blockchain startup Chain. it’s designed to perform international business transfers without the assistance of a typically slow correspondent banking network.
Visa Research produces work for the whole security and cryptography community, therefore the research might be haunted by a rival firm. But Visa can profit off of the property within the future.
The system was tested on Tendermint and Hyperledger Fabric, both available within the property right . But it also can be used on a forkless public blockchain employing a proof-of-stake consensus system, like those on Algorand or Ethereum 2.0, which is scheduled to arrive next year.
The trouble with aggregators
While the paper is undergoing a referee process and is subject to changes, it illustrates Visa’s desire–like most large financial firms–to be ready to not have customer data touching multiple different companies and to permit consumers to urge closer to controlling their data.
Fintech apps have encouraged banks to figure with third-party data aggregators to tug , clean and normalize financial transaction data from customers. The philosophy of the “open banking” movement is for banks to share data with fintech apps offering services direct to consumers.
Data aggregators became a key a part of the banking industry because many consumers are using applications like budget tracker Mint, micro-investing tool Acorns and peer-to-peer payment app Venmo. San Francisco-based Plaid, the most important of those aggregators valued at around $2.56 billion, powers several personal financial apps, also as cryptocurrency exchanges Gemini and Coinbase, to be ready to access consumers’ financial data.
Data aggregation startups popped up as an alternate to screen scraping, where customers would give fintech applications sensitive login credentials for those apps to then scrape customer transaction data, said Brian Knight, senior research fellow within the Financial Markets working party with the Mercatus Center at Mason University.
Banks were still reluctant to share information with aggregators until the passage of the Dodd-Frank Act which required financial institutions to form consumers’ records available in an electronic format. Aggregators argued they were the consumer’s agent. The U.S. Department of the Treasury sided with the aggregators during a recent fintech report, but the buyer Financial Protection Bureau hasn’t commented on the difficulty , Knight said.
In place of regulation like Europe’s General Data Protection Regulation (GDPR), banks and data aggregators have formed informal and formal agreements about how the aggregators would handle customer data. Banks are selective about this process, however. When two parties differ on data-sharing standards, banks are known to chop off aggregators, stopping customers from accessing financial apps.
For LucidiTEE to figure within the customer transaction data space, the industry would also got to adopt a standard data categorizing standard that each entity would wish to follow. choose whether or to not take the leap, banks would wish to weigh the value of sticking with data aggregators or integrating into a replacement system, consistent with Knight.
“Part of the matter with blockchain adoption is that it seeks to get rid of intermediaries, and while intermediaries can charge rent, they will also add value,” Knight said.
After reviewing Visa’s paper, Salt Lake City-based data aggregator Finicity said the proposed system wouldn’t provide the extent of service that data aggregators provide today.
“It is straightforward when described as an exchange of knowledge , but once you layer on the multitude of use cases, data intelligence, variances in data, security, privacy, regulation and more, it becomes far more sophisticated,” Nick Thomas, co-founder of Finicity, said in an email.
Thomas said that Finicity, a founding steward of the ID-focused Sovrin Foundation, is watching blockchain for data privacy, however.
“It is usually about giving consumers more granular and secure control over their financial data, and doing so during a way that they will be more informed and make smarter financial decisions,” Thomas said.
LucidiTEE enforces history-based policies–similar to smart contracts but with the power to read the whole blockchain. That ensures that, even when users are offline, their information isn’t computed during a way they didn’t authorize.
The paper assumes a “malicious setting.” The system it describes uses protocols to make sure outputs are sent to each party has been given access to outputs. The blockchain would act like an escrow account where users would put the policy they’d wish to enable, like sharing encrypted data to Mint reciprocally for charts showing where the consumers spent money.
According to the paper, LucidiTEE’s blockchain ensures the trusted execution environment — an encrypted domain where computers crunch sensitive data — only does certain computations. during this way, the corporate holding the TEE can’t tamper with it, and each party on LucidiTEE doesn’t need to run a TEE.
The ledger then stores all cryptographic hash digests of encrypted inputs and outputs also as what functions were run, for history-based protocols to review when subsequent computation is completed .