On Privacy
by Christian Zimmermann, Jendrik Poloczek, Felix Machart, Oct. 10
Privacy is under attack. The most successful corporations of our time have built their entire business model on surveillance capitalism. The blockchain is – in its most fundamental form as a public ledger of all transactions – a privacy hell. In this multi-disciplinary essay, we summarise where Greenfield stands on this issue and explore how crypto-native solutions can address the tension between public interest and the personal need for privacy.
The Right
Privacy is a basic human right and an indispensable fundamental building block not only for a digital economy and life but also for an open society.
Privacy, as we understand it, does not only entail the right to be left alone, but also the right of the individual to decide, on the basis of self-determination, if and within which limits personal and transactional data shall be disclosed and how that data can be used. This includes the right of the individual not to disclose one’s own digital identity and to live an anonymous digital life. Privacy enables the individual to decide which information about his private or digital life should be communicated to others. It is a necessity for the individual to exercise his freedoms in an open society. Without privacy and without knowing who has access to and advocacy over the use of one’s own personal information, the individual is forced to adapt his behavior as a matter of precaution to the majority and/or to the authorized view for fear of retribution. This not only restricts the individual’s freedom of action but also the common good, as an open society is dependent on the self-determined participation of its constituents and free adversarial thinking. Even if you have nothing to hide, you should still fear surveillance, as data collected by legitimate actors is potentially subject to breach and not every initially benevolent actor is guaranteed to remain so. Lastly, the power dynamics and interactions in modern society are shaped by information asymmetries in favor of big corporate or government players. These asymmetries can be leveled by a privacy layer.
The Attack
Despite its importance, privacy has come under attack and has been eroded in the real world and digital space alike.
The most successful corporations of our time have built their entire business model on surveillance capitalism, centered around the capture and commodification of personal data for the core purpose of profit-making. To maximize data collection and ad-revenue, evermore elaborate systems to maximize interaction and attention spent have been concocted, which not only manipulate people’s behavior by creating artificial dopamine hits, but also further tribal thinking and outrage to drive interaction. Governments and in particular their foreign intelligence agencies have been no better, often engaging in unrestricted data collection and analysis without concern for the privacy rights of those affected or existing legal due process requirements for such an infringement. History has shown time and time again that the governments and corporations we are forced to rely on with our data either cannot be trusted to handle it safely, limit its collection to the required minimum or use it solely for the intended purpose. Protective measures, such as the European GDPR regulation, have been good-willed but only resulted in an administrative nightmare without much real-world effect.
Blockchain in its most fundamental form is a privacy hell. It is a public ledger of all transactions. While necessary to ensure verifiability, any interactions, be it salary payments, recent purchases, or donations to political opposition, are transparent and traceable by default. We are just at the beginning of a new industry trying to analyze, dissect and process this rich new stream of data which is much more detailed and comprehensive than anything seen before. Further, in a world where most parts of the global internet infrastructure are owned by a few, there is a very real threat that discourse on and interactions with (new) protocols can be eavesdropped and tampered with. Any concentration of validators is the most obvious example. The use of wallet addresses instead of real-life (IRL) persona only offers a thin layer of protection. Doxxing becomes all too easy given enough data points. Further, even if an IRL connection is not possible, such insights are just as harmful for a digital personality. Just because I choose to live a digital life it should not mean that I am forced to live a public life.
For the reasons set out above, we need privacy on the blockchain to ensure that it can be used to its fullest economic and social potential and to allow individuals to exercise their freedom of action in the digital realm. Privacy is not convenient but necessary when re-writing the fabrics of society with a neutral crypto base layer.
The Limitations
In an ideal world one could take the cypherpunk view that all communication and transactions should be strongly encrypted and offer complete anonymity. But if we want to build an open society, there are limits.
My individual freedom ends where I infringe upon the freedom of my neighbor without legitimate cause. Likewise, there might be public interests which are of such particular importance that they outweigh my right to privacy, and yes, prevention of child abuse, money laundering and terrorist financing are among these potentially overweighing causes. But any such infringements must have a clear regulatory basis, be appropriate, adhere to the principle of least interference and follow due process.
All too often, this is not the case. Most recent case in point, in our opinion, are the OFAC sanctions against the mixing protocol Tornado Cash, a smart contract application running on the Ethereum blockchain that preserves privacy by allowing users to deposit assets from one address and withdraw them using a different address. In our opinion OFAC overstepped its authority by sanctioning a neutral tech solution that has predominantly been used for legitimate, privacy-protecting use cases, harming legitimate users in the process.
As a first-generation privacy-preserving application on the blockchain, Tornado Cash was a crude tool for a legitimate cause. Of course, it did have its shortcomings, most notably its inability to determine whether users are bad actors and/or to account for potential outweighing public interests. But instead of sanctioning a neutral technology, OFAC should have, in our opinion, sanctioned the concerned bad actors, and regulators should have focused on providing the necessary legal frameworks which allow the next generation of developers to perfect the technology. To this end, regulators have to stop trying to use the old, existing IRL solutions on the blockchain.
The Crypto-native Solutions
Regulators are not really acting and are far too often stuck in their old ways. Therefore, it is again upon the community to build the next generation of privacy-preserving tools despite the regulatory uncertainty.
Two areas in which the need for privacy on the blockchain and public interest are bound to clash first are the state’s interest to prevent money laundering/ terrorism financing as well as tax avoidance. However, given the advances in zero-knowledge cryptography and other areas of protocol design, it will in our opinion increasingly be possible to prove compliance, without revealing all transaction data and preserving privacy. Some examples:
- Enforcement at the edges
We are convinced that there is a solution space in which the technological infrastructure can remain uncensored and privacy preserving, while regulatory compliance is enforced at the edges of decentralized networks. Centralized entities such as exchanges or traditional businesses will need to be compliant in their local jurisdictions, which means that in order to process payments either as part of a sale of goods and services or as part of a fiat/crypto or crypto/crypto transaction these entities need to perform risk-based analytics. Cryptographic proofs of funds stemming from known counterparties as well as tax-compliant business operations can allow such entities to whitelist user transactions in a privacy-preserving way.
- Anti-money laundering
Many jurisdictions will require businesses such as virtual asset service providers to perform know-your-customer (KYC) checks and risk-based monitoring of potentially illicit transactions. Instead of performing individual KYC checks, wallet addresses/ digital identities could get reusable attestations of identity verification by a KYC provider of their choice that can be probed by court order of the responsible jurisdictions if necessary. Based on such attestations, counterparties can prove cryptographically that transactions have been conducted with compliant addresses while not revealing any personally identifiable information on-chain and potentially preserving complete transactional privacy.
- Tax compliance by design
End users as well as businesses could opt-in to a privacy-preserving protocol that automatically calculates and enforces tax payment. Subsequently, they can prove correct execution with the help of zero-knowledge cryptography. This approach offers the combined advantages of significantly increased efficiency on both the side of the taxpayer as well as tax authorities since the whole process is automatically conducted and verified. All residual, off-chain business cases can be processed in the traditional way, while settling balances as part of an annual tax statement.
These are just some examples. If developers also manage to make such solutions convenient and seamless for the end user, we will have a future with privacy on the blockchain. We for one are looking forward to it.