Privacy

Regulatory evaluations of privacy-focused networks.

Disclaimer: This article is written by Dot.alert() contributors for educational purposes only. This article should not be used as a substitute for competent legal advice from a licensed professional lawyer or attorney in your country.

Blockchain networks are primarily built to provide access to a ledger of finalised transactions and participants' data. In the Polkadot ecosystem, a growing number of builders are proposing an alternative standard for their network infrastructure. They are developing a variety of protocols and tools designed to give users more control over the type of information that they want or do not want to see stored on-chain.

Legal Frameworks:

Identity Management

Public keys are universal identifiers for all accounts created on blockchain networks, with the digital ledger logging transactions between public addresses. Within the Polkadot ecosystem, address formats are variations in the use of public keys which allow pseudonymous stakeholders to use their accounts across different chains. Network participants further have the option to customise their account addresses by generating Vanity addresses and Account indices. Finally, Pure proxies (i.e accounts devoid of private keys) can serve as placeholders in multisig setups, hereby bypassing the link between pseudonymous ownership and account management.

Other solutions exist to help prominent network entities anchor their organisation or brand as part of their staking, voting, and crowdfunding operations. At a basic level, they can register on-chain identities to link their contact details to all the accounts that they own. They also have the option to use naming services and custom domains when disseminating important information in the community, in a process that is both trustless and verifiable. Finally, members of these organisations can create Decentralised Identifiers (also called DIDs) to provide professional credentials, KYC information, and unique user profiles across various Web3 platforms.

Regulators have long advocated for caution when interacting with public ledgers, due to the pseudonymous nature of blockchain networks operations. This is because transactions are permanently available and can be used to link individuals with their public addresses. Nevertheless, they acknowledge that Decentralised Identity protocols can contribute to compliant authentication procedures in the digital realm, which could support the onboarding of financially-excluded population (also called "the unbanked") into financial services. Another important use case for Decentralised identities could emerge to facilitate individuals' access to digital assets in the context of inheritance.

Overview of Subsocial SDK's building blocks that contribute to defining user profiles within the network.

Privacy-preserving Protocols

Zero-knowledge proofs (also called ZKPs) are cryptography protocols that empower participants to verify a statement against a claim without revealing the statement itself. This makes ZKPs ideal for managing personal information privately within Web3 services such as DID, DeFi, Metaverses land sales, NFT issuances, or DAOs. In the Polkadot ecosystem, ZK SNARKS are integrated as a core technology for use cases such as obfuscating Public addresses, issuing private tokens, encrypting account balances, and certifying/recovering digital assets. These privacy add-ons require willing contributors for trusted setups (i.e the more participants, the better) ahead of the full deployment of network infrastructure.

Trusted Execution Environments (also called TEEs) are special areas within computing hardware where code is run in isolation and data is processed privately. They are used to protect applications against attacks and to prevent access to sensitive data by third-party programmes. In the Polkadot ecosystem, TEEs technologies give stakeholders the opportunity to migrate from centrally-controlled cloud providers, into confidential computing as part of their node operations. Another privacy-focused solution involves the deployment of Decentralised private clouds infrastructure alongside private smart contracts.

Current data protection laws mandate that digital platforms, regardless of their nature, should implement the principle of "data protection by design", which includes the right to be forgotten. This is because a lot of economic value is extracted from personal data generated by millions of individuals upon verification, authorisation, and processing of credentials. Within permissionless and decentralised blockchain networks, privacy-preserving protocols follow through on these regulatory guidelines because they ensure that users' data can never be accessed in the first place.

Mantapay offers Privacy-enhancing swaps for a range of digital assets.

Risk Management:

Operational Risks

Although there has been a lot of research done in relation to cryptographic proofs and encryption algorithms, the practical implementation of privacy technologies is still experimental. The most established privacy solutions have traditionally involved the creation of a special-purpose blockchain in combination with the issuance of dedicated coins. This contrasts with current propositions that focus on providing privacy services on top of permissionless public blockchains.

Since the focus of privacy developments has been shifted on to customising the way platforms handle users data, the possibility of a glitch in the de-anonymisation process becomes more likely. A failure in these decentralised protocols could end up revealing sensitive/personal information, which would leave users/entities with no real recourse. The onus is therefore on privacy services providers to continuously review and upgrade their solutions to meet the highest standards for data security.

Legal Risks

In the context of privacy-preserving protocols, the nature of the data stored on-chain itself is still the subject of many discussions and debates. This is because the definition of what constitutes "personal data" can vary from one law to another, and from one country to another. More often than not, it is in the course of lawsuits and trials that a relevant definition emerges, which can muddle the mission of privacy services providers in the long run.

IntegriTEE's privacy solutions work within the scope of data and consumer protection laws.

While privacy-focused services architect their solutions in response to users' and businesses' needs, they do not always take into account recommendations from legislators. Most projects are touted as a bold move against Big data extraction by proprietary platforms, which is seen as a mean to empower users to control their data. However, the non-personal data processed between platforms might still contain some personal information in the eyes of the law.

Jurisdictional Risks

Privacy-by-default is an approach that has garnered a lot of support from blockchain and non-blockchain users, in light of recurrent hacks and tampering done on centralised platforms. This has given birth to formal activist movements that pro-actively fund, research, and develop privacy solutions within the Web3 stack. But there are also more and more individually-maintained initiatives and dapps specifically designed to counter governments' surveillance.

Regulators acknowledge that, while anonymisation protocols might help decentralised platforms comply with certain policies, it can also go against others laws. Privacy tools are still a long way from gaining legitimacy in most countries, because they are generally associated with use cases involving unlawful activities, tax evasion, and money laundering.