What mechanisms exist, if any, to protect a user’s privacy and data for web applications? I ask because I would like to create one myself, and was wondering if there’s any way of guaranteeing my users their privacy beyond my word that I wouldn’t look in the database. I imagine big companies have complicated procedures and a way of locking down their data, but how does a single person, or a small startup do it?
I’m planning on using Google App Engine. I mention it in case that can offer a solution.
To clarify, I’m asking less about security measures I can employ to protect data from third-parties, and more about measures I can employ to guarantee users’ privacy from myself / other server administrators.
There are two basic tools: encryption and hashing.
Encryption comes in two flavors: Symmetric, where the same key is used for encryption and decryption.
PKI, where you have two keys and whatever you encrypt with one you can decrypt with the other and vice versa.
Hashing converts some data into a more or less unique number or string without a feasible way back.
Depending on what you actually want to protect you can use these tools to obtain almost anything you need.
Examples: Passwords get stored as hashes. To check a password, convert it again and compare it to the hashes => You as the application provider don’t have the password.
You have the application create a key for each user and encrypt everything you want to protect from your own eyes with that key. The challenge is that now the user has to keep that key secret and protected, which users aren’t very good at. Also, searching this kind of encrypted data is bound to be really slow.
Possibly the biggest risk to private data is hacks against your application. Spend some time on OWASP to learn about the most important attacks and how to fight them.
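The two tools the answer names, as an added example that is not code from the question or the answer. It is standard-library Python only: a per-user salted PBKDF2 hash so the database holds a login verifier rather than the password, and a per-user data key derived from the same passphrase that is never written to the database, with records encrypted under it (HMAC-SHA256 used as a PRF in counter mode, then an HMAC tag, i.e. encrypt-then-MAC). The iteration count, the subkey labels, the record layout and the sample credential and note are this example's own assumptions. One caveat the answer only hints at: for the operator genuinely not to see the passphrase, the key derivation has to run on the user's side (in the browser), not in the request handler as this script does, and because the server then never holds the key it cannot index the plaintext, which is exactly why searching such data is slow.

```python
"""Added example (not from the original question or answer): password hashing
plus a user-held, never-stored data key, using only the Python standard library.
Iteration count, labels and record layout are this example's own assumptions."""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # assumption: OWASP-level cost for PBKDF2-SHA256; tune to your hardware
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def _master_key(password: str, salt: bytes) -> bytes:
    """One deliberately slow KDF call; everything else is derived from its output."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _subkey(master: bytes, label: bytes) -> bytes:
    """Domain-separated subkeys: one label's output reveals nothing about another's."""
    return hmac.new(master, label, hashlib.sha256).digest()


def register(password: str) -> dict:
    """What the server stores for a new user: salt and login verifier only.
    The data key is derivable from the passphrase but deliberately not stored."""
    salt = os.urandom(SALT_LEN)
    master = _master_key(password, salt)
    return {"salt": salt, "verifier": _subkey(master, b"login-verifier")}


def login(password: str, record: dict) -> Optional[bytes]:
    """Returns the user's data key on success, None on a wrong password.
    Constant-time comparison so timing does not leak how many bytes matched."""
    master = _master_key(password, record["salt"])
    if not hmac.compare_digest(_subkey(master, b"login-verifier"), record["verifier"]):
        return None
    return _subkey(master, b"data-key")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode. Sound, but far slower than AES-GCM;
    in production use an AEAD from the `cryptography` package instead."""
    blocks = [hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
              for counter in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt(data_key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag, with separate encryption and MAC subkeys."""
    enc_key, mac_key = _subkey(data_key, b"enc"), _subkey(data_key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(data_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before using the ciphertext; a wrong key or a modified
    record raises instead of returning garbage."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkey(data_key, b"enc"), _subkey(data_key, b"mac")
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def demo() -> dict:
    """Full lifecycle, reporting what someone reading the database can and cannot do."""
    password = "correct horse battery staple"              # constructed sample credential
    record = register(password)                            # this is all the database holds
    key = login(password, record)
    stored_note = encrypt(key, b"my private diary entry")  # constructed sample record

    # An operator with the record but not the passphrase: login fails, and the
    # stored blob does not decrypt under anything computable from the record.
    wrong = login("wrong password", record)
    try:
        decrypt(_subkey(record["verifier"], b"data-key"), stored_note)
        decryptable_from_db = True
    except ValueError:
        decryptable_from_db = False

    return {
        "login_ok": key is not None,
        "wrong_password_rejected": wrong is None,
        "roundtrip": decrypt(key, stored_note),
        "verifier_does_not_yield_data_key": not decryptable_from_db,
        "password_in_record": password.encode() in b"".join(record.values()),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The design choice worth copying is the split of one expensive KDF output into labelled subkeys: the stored verifier and the data key are unrelated HMAC outputs, so a database dump gives an attacker (or an administrator) something to brute-force offline but nothing that decrypts records directly. What it does not solve is the answer's other point: if the user forgets the passphrase, there is no recovery path for the encrypted records, because the server never had the key.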