Initiatives focus on health care, state government and the IoT
28 December, 2015
NSTIC pilot: Galois
Creating secure data storage and access for the IoT
Galois focuses on cyber security, primarily serving the U.S. government. With its NSTIC pilot funding, the company will pilot a project to build a tool that enables the storing and sharing of private information online.
The data storage system will rely on biometric authentication. Project partners also plan to develop transit ticketing on smartphones and integrate the secure system into an Internet of Things (IoT) enabled smart home.
The project starts with a product already built by a Galois spin-off company. Tozny is a password-free mobile system that enables users to access websites or apps just by logging into their mobile phone.
“When your phone is the key, it makes it easier to use and more secure than passwords,” says Isaac Potoczny-Jones, Identity Research lead at Galois and CEO of Tozny. “This new NSTIC funding will support our development of a new privacy preserving personal data service. The goal is to give users control not just over the login process but also in the storage and sharing of their own personal private data.”
Tozny will be integrated with two production pilots. In the first, Galois is partnering with smart home company IOTAS for its work in apartment buildings.
“Their approach is neat in that it focuses on apartments instead of having users directly purchase and integrate smart home products in their own homes, which can be a little bit of a barrier to adoption,” Potoczny-Jones says. Instead, renters find those products already integrated when they move in. “We’re integrating our password-free authentication system as well as our personal data service with their smart home IoT system.”
The other pilot involves mobile transit company GlobeSherpa, which handles mobile tickets for Portland’s TriMet and a number of other U.S.-based transit systems. Again, the team will integrate the password-free login, so users no longer have to type in letters and numbers as they run for the bus or do any number of things on the go.
“We want to give them a way to log in securely without a password and to store personal data such as what buses they ride and when, along with their habits, and in the end integrate these two systems together so we have the smart home system and the bus system,” Potoczny-Jones says. “With the user’s consent, they can choose to enable the sharing of data like ‘I’m on my way home from work, so I’d like my home to start warming up,’ for instance. These little pieces of information about your life are very private – when you’re home, when you’re traveling, and what kind of appliances you have. So you want the users to have as much control as possible over the storage and sharing of that data.”
Tozny will serve as the developer and tactical lead on the project. SRI International, a nonprofit research institute, will provide a biometric authentication platform for login. “We’re looking at a gait-based biometric that enables passive identification of the user, again with their consent and with privacy preserving infrastructure in place,” he says. “It can identify the user while walking around, so by the time they get the phone out of their pocket to make a purchase of a ticket or to perform some other action, we already have a pretty high confidence of the user’s identity.”
Galois was awarded $1.85 million for the first year, with work beginning in October. The pilot spans two years, so the company hopes the government will come through with additional funding. The partners will spend that time trying to prove that security and privacy can be built into new technologies from the ground up. Potoczny-Jones says that can only happen if security is easy to use by default.
“That means easy for end users but also really easy for software developers and for companies to adopt and integrate into their product. We really aim to make privacy and security something that every single user can count on, and build a level of trust between users and the companies that process their information,” Potoczny-Jones says. “We can all do a lot more on the Internet if we all trust each other to do the right thing, and security and privacy are the foundation for those trust decisions.”