SoylentNews is people
SoylentNews
Submitted via IRC for soylent_red
Zamna raises $5M to automate airport security checks between agencies using blockchain
When VChain-now-Zamna first appeared, I must admit I was confused. Using blockchain to verify passenger data seemed like a hammer to crack a nut. But it turns out to have some surprisingly useful applications.
The idea is to use it to verify and connect the passenger data sets which are currently silo-ed between airlines, governments and security agencies. By doing this, says Zamna, you can reduce the need for manual or other checks by up to 90 percent. If that's the case, then it's quite a leap in efficiency.
In theory, as more passenger identities are verified digitally over time and shared securely between parties, using a blockchain in the middle to maintain data security and passenger privacy, the airport security process could become virtually seamless and allow passengers to sail through airports without needing physical documentation or repeated ID checks. Sounds good to me.
Zamna says its proprietary Advance Passenger Information (API) validation platform for biographic and biometric data, is already being deployed by some airlines and immigration authorities. It recently started working with Emirates Airline and the UAE's General Directorate of Residency and Foreigners (GDRFA) to deliver check-in and transit checks.
Here's how it works: Zamna's platform is built on algorithms that check the accuracy of Advanced Passenger Information or biometric data, without having to share any of that data with third parties, because it attaches an anonymous token to the already verified data. Airlines, airports and governments can then access that secure, immutable and distributed network of validated tokens without having actually needing to ‘see’ the data an agency, or competing airline, holds. Zamna's technology can then be used by any of these parties to validate passengers’ biographic and biometric data, using cryptography to check you are who you say you are.
(Score: 3, Insightful) by Runaway1956 on Monday October 28 2019, @12:26PM (7 children)
Another buzzword used to sell another hare-brained scheme?
(Score: 2, Interesting) by Anonymous Coward on Monday October 28 2019, @01:07PM (3 children)
No, it's not a buzzword in this case. It's being used correctly. Replace the term "passenger" with "website" and imagine this being used to validate DNS records. It's essentially the same concept. You need to keep in mind that despite all the hooplah a blockchain is nothing more than a database with certain cryptographic guarantees as to data integrity. This is handy any time you need to federate with parties that you don't necessarily trust.
What makes a blockchain superior over a private DB in this case is that all the information is public and you can use multiple sources to verify integrity, furthermore cryptographic signature chains validate chain of custody and changes to data.
So how do you store private information in a public blockchain and yet maintain privacy?
You store the hash of the data + some seed.
For instance to validate your name is "John Doe" just have the notary hash "John Doe"+"your pubkey" and store it in a field called "passenger_name" when creating / inputting your record.
Now all you need to do to validate yourself is to supply your name and your pubkey, then sign the resulting hash (proving you have the corresponding private key). It becomes trivial to store any other information this way.
I use a similar technique in a trustless password manager I built. The owner doesn't even need to know their own information, it's all stored encrypted on the blockchain and they can access it any time they like.
Done correctly it's a good use for a blockchain.
The only issue I see here is that there would be a huge target for crackers to steal keys, but even this can mitigated by keeping the private key offline, perhaps inside the secure enclave of a smartcard. Since smartcards are already used for ID purposes, it shouldn't be much of a jump. Finding smartcards capable of ECDSA or EDDSA might be difficult though.
(Score: 2, Insightful) by Anonymous Coward on Monday October 28 2019, @01:13PM (1 child)
Yeah, I can just see my 84-year old father supplying his pubkey and signing the resulting hash.
(Score: 0) by Anonymous Coward on Monday October 28 2019, @04:54PM
Yeah I'm pretty sure your 84 year old grandfather could never use a tap to pay credit card, nor know how to insert his card into a card reader. amirite?
Because that's exactly how a system like this would likely work.
(Score: 4, Interesting) by Rosco P. Coltrane on Monday October 28 2019, @01:29PM
It might be a valid case of blockchains. But look at the context :
1/ An obscure company nobody have heard or cares about changes name...
2/ ... talks about applying blockchains...
3/ ... to sell airport security products
That's 3 good reasons to smell BS from a mile away.
Now if this is legit, this company has an uphill struggle to convince those in the know for those 3 reasons.
(Score: 2) by JoeMerchant on Monday October 28 2019, @01:14PM
True:
True until somebody leaks something, then false forever:
🌻🌻 [google.com]
(Score: 0) by Anonymous Coward on Monday October 28 2019, @01:18PM (1 child)
Chain of Trust for authentication. This provides what should be immutable end to end validation of a use, and an audit trail for when someone 'illegal' makes it through so they can do a postmortem and discover who dropped the ball. If everything, including the source identity data is on WORM hardware, then this will ensure perfect recordkeeping outside of source material/clerical error.
(Score: 3, Interesting) by aiwarrior on Monday October 28 2019, @01:26PM
Exactly. You can replace a clerical one time error, with a clerical error that can affect all the database or validity of the data gathered up to then. More, you ensure that there is one single target to hit if you want free passage.
How is there a chain of trust if the algorithms that validate the token are all sourced from one single place? From what i see the trust is basically running a counter on every time the person was real, but the source of that counter is always the same. This is no chain of trust, unless airlines/borders could have their own independent validation being fed into the system. But then if you need to run verification yourself you might as well not need the system. That is my understanding at least.
(Score: 4, Insightful) by aiwarrior on Monday October 28 2019, @01:19PM (2 children)
It seems they invented an automated escrow service. Escrow services in any form are awesome businesses, and a hallmark of rent seeking and mistrustful societies. Societies which are generally mistrustful are generally less productive precisely because there is always a cut lost due to escrow.
Basically I the traveler submit my data to the escrow. The escrow says its good and gives me a token. I go to the airline which runs my token, scans my iris and finger print and says, very well token is valid.
Now replace token with advanced block chain things and you have a unicorn. Tech startup business environment sometimes makes me sick, and I have a startup myself.
(Score: 0) by Anonymous Coward on Monday October 28 2019, @02:42PM (1 child)
In NSW Australia property buyers are forced to use a government mandated privately owned escrow service when placing down the deposit for property purchase.
Think about that for a moment.
One person lost their deposit. The scammer faked the 2factor auth and jumped the email system. Game over. Money stolen. No one wanted to be blamed or pay back the lost deposit.
How would you feel?
(Score: 2) by aiwarrior on Monday October 28 2019, @04:38PM
I know this is the use of escrows, I just do not think this is any big innovation, nor do i think that there should be a startup being an escrow. In most places escrows need to be licensed and are heavily regulated businesses. For the cases you mention escrow is useful i think. Even so this is why I loved the concept of bank checks. It is a kind of escrow but criminal fraud law is activated automatically, and everyone is in equal footing.
You can forward date the check, and you have a grace period to cancel and denounce the other party if he failed his/her agreement. In Portugal If you cancel the check and somebody tries to withdraw it and there are no funds you are charged with fraud a crime punishable by jail and you may lose access to formal financial services like a bank account for a given amount of time. Given that it became illegal to make cash payments above 3000 euros without source documentation, it makes life quite hard. On the other hand if the other part scams you, you go to the police get a formal complaint record and go to the bank cancel the check before the date is due. You automatically start a criminal case investigation also.
The check is also the binding document which is normally earmarked for a specific destination. So you can go around carrying a huge cash amount, which cannot be stolen without extortion or hostage situations, but these are extreme situations where there is not much you can do. This sounds almost as convenient as blockchain, just that it is being phased out :(
(Score: 0) by Anonymous Coward on Monday October 28 2019, @01:54PM (1 child)
But I doubt that the airlines will go for this, "we don't get the data on this passenger" type system.
(Score: 0) by Anonymous Coward on Monday October 28 2019, @02:45PM
I doubt the TSA will go for it. What will pedobears and sadists do without their unwiling victims?
(Score: 2) by donkeyhotay on Monday October 28 2019, @05:58PM
What happens when the data is in error? How does it get fixed? Who do you turn to?
(Score: 2) by arslan on Monday October 28 2019, @10:17PM
◉_◉
(Score: 2) by progo on Tuesday October 29 2019, @05:08PM
My eyes went directly here in the summary:
You can't just sprinkle "blockchain" on it and then say there won't be a major exposure event like Equifax.