
Ask HN: How to build a back-end where no two employees can see all user data? - toss1941
Assume this is a small organization with only five employees. How would you build the website backend that provides the highest level of anonymity for their users who register for and use their website or services? Is it possible to prevent anyone, even the CEO, CISO or a developer, from viewing all the users' data in plain text without involvement from an escrow service or lawyer? Or does that make it impossible to protect from fraud or other legal issues?
======
guyfawkes303
Encryption would be about the only solution I can think of. Keybase.io
achieves this. Then again, you are now building an encryption service instead
of whatever you are trying to actually build.

------
schoen
It depends partly on whether you need to process and compute on the users'
data. Some companies use client-side encryption to prevent themselves from
possessing usable user data in the first place. If you do need to process data
server-side, it's tricky to see how you can unlock the data for processing
while not exposing it to other uses. There are DRM-like approaches that
attempt to use tamper-resistant hardware that is then only allowed to run
certain software.

An example of this is the
[https://en.wikipedia.org/wiki/IBM_4758](https://en.wikipedia.org/wiki/IBM_4758)
which is pretty expensive and inconvenient to use, but can in principle be
used in high-assurance applications where you want to say that the data is
processed inside the 4758 but only in preapproved ways and can't be directly
exported. Presumably there are somewhat cheaper ways to do this nowadays...
PrivateCore was working on a way to do something along those lines on
commodity hardware, but they got acquired by Facebook.

------
stocktech
Row level security on the database for users.

~~~
detaro
Does not protect against anyone with administrative access...

