How do I create a web application where I do not have access to the data?

Premise: The requirements for an upcoming project include the fact that no one except for authorized users has access to certain data. This is usually fine, but this circumstance is not usual. The requirements state that there be no way for even the programmer or any other IT employee to be able to access this information. (They want me to store it without being able to see it, ever.)

In all of the scenarios I've come up with, I can always find a way to access the data. Let me describe some of them.

Scenario I: Restrict the table on the live database so that only the SQL Admin can access it directly.
Hack I: I rollout a change that sends the data to a different table for later viewing. Also, the SQL Admin can see the data, which breaks the requirement.

Scenario II: Encrypt the data so that it requires a password to decrypt. This password would be known by the users only. It would be required each time a new record is created as well as each time the data from an old record was retrieved. The encryption/decryption would happen in JavaScript so that the password would never be sent to the server, where it could be logged or sniffed.
Hack II: Rollout a change that logs keypresses in JavaScript and posts them back to the server so that I can retrieve the password. Or, rollout a change that simply stores the unencrypted data in a hidden field that can be posted to the server for later viewing.

Scenario III: Do the same as Scenario II, except that the encryption/decryption happens on a website that we do not control. This magic website would allow a user to input a password and the encrypted or plain-text data, then use JavaScript to decrypt or encrypt that data. Then, the user could just copy the encrypted text and put it in the field for new records. They would also have to use this site to see the plain-text for old records.
Hack III: Besides installing a full-fledged key logger on their system, I don't know how to break this one.

So, Scenario III looks promising, but it's cumbersome for the users. Are there any other possibilities that I may be overlooking?

EndangeredMassa asked Nov 20 '08 20:11


4 Answers

If you can have javascript on the page, then I don't think there's anything you can do. If you can see it in a browser, then that means it's in the DOM, which means you can write a script to get it and send it to you after it has been decrypted.

Aren't these problems usually solved via controls:

  1. All programmers need a certain level of clearance and background checks
  2. They are trained to understand that rolling out code to access the data is a fireable or worse offense
  3. Every change in certain areas needs some kind of signoff

For example -- no JavaScript on page without signoff.

If you are allowed to add any code you want, then there's always a way, IMO.

Lou Franco answered Nov 16 '22 03:11


Ask the client to provide a Non-disclosure Agreement for you to sign, sign it, then look at as much data as you want.

What I'm wondering is, what exactly will you be able to do with encrypted data anyway? Pretty much all apps require you to do some filtering of the data, whether it be move it to a required place, modify it, sanitize it, or display it. Otherwise, you're just a glorified pipe, and you don't have to do any work.

The only way I can think of where you wouldn't be looking at the data or doing anything with it would be a simple form to table mapping with CRUD options. If you know what format the data will be coming in as you should be able to roll something out with RoR, a simple skin, put SSL into the mix, and roll it out. Test with dummy data in the same format, and you're set.

In fact, is your client unable to supply dummy data for testing? If they can, then your life is simple as all you do is provide an "installable" and tell them how to edit a config file.

Phillip B Oldham answered Nov 16 '22 01:11


I think you could still create the app in the following way:

  1. Create a dev database and set up a user for it.
  2. Ask them for: the data type, size, and name of each field that needs to be on the screen.
  3. Set up the screens, create columns in the database that accept the data type and size they specify.
  4. Deploy the app to production, hooked up to an empty database. Get someone with permission (not you) to go in and set the password on the database user and set the password for the DB user in the web app.
  5. Authorized users can then do whatever they want and you never saw what any of the data looked like.

Of course, maintaining the app and debugging is gonna be a bitch!

--In answer to comments:

  1. Ok, so after setting up the password for the Username in the database and in the web app's config, write a program that connects to the database, sets a randomized password, then writes that same randomized password to the web config.

  2. Prevent any outgoing packets from the machine except to a set of authorized workstations - so you can't install your spyware.

  3. Then set the Admin password on both servers to the same random password, then delete all other users on the servers, delete the program, and delete the program source code.

  4. Wipe the hard drives of the developer machines with the DOD algorithm, and then toss them into an industrial shredder.

  10. If the server ever needs debugging, toss it in the trash, buy a new one, and start back at #1.

But seriously - this is an insolvable problem. The best answer to this really is:

Tell them they can't have an application. Write your stuff on paper. Put it in a folder. Lock it in a vault. Thrust, repeat.

Sam Schutte answered Nov 16 '22 01:11


Wouldn't scenario 3 just expose all the data to the magic website? This doesn't sound like a solvable problem (at least I can't think of a solution).

Kevin Tighe answered Nov 16 '22 01:11