Our Recent Posts


No tags yet.

Selective Disclosure: Privacy in the Age of Blockchain Technology

Published May 1, 2018

A few months ago I had the privilege to participate on a panel discussing blockchain related concepts with Morgen Peck. Morgen is a freelance writer whose articles can be found in Scientific American and IEEE Spectrum, among other publications. A few months prior to meeting Morgen in person, I discovered her work for the first time while listening to a RadioLab podcast called The Ceremony that centers around Morgen’s witness to the creation of the cryptocurrency Zcash (WNYC The Ceremony). For those who aren’t familiar with Zcash, it’s basically a cryptographic currency that has the ability to completely obfuscate from representation on the blockchain a sender of a currency transaction, the receiver on the other end of the transaction, and the amount involved. This is made possible by a cryptographic convention that Zcash’s creator Zooko Wilcox perfected called a zero-knowledge proof.

Your bitcoin transaction history on the bitcoin blockchain is available for all to see for eternity. You are in a sense exposing your own behavior through your purchase patterns pseudonymously. If you are ever purposely or inadvertently associated with your public key, your personal economic patterns would be exposed to the world in what could be considered a significant breach of your individual privacy. The zero-knowledge proof allows you to avoid this issue by confirming that all the transactions involving Zcash are in fact legitimate. It relies upon a mathematical proof that confirms enough of a fact pattern to verify the transaction and empowers the user to reveal only the information she wishes to reveal. With Zcash, instead of sending a message instructing the movement of funds from account A to account B, a zero-knowledge proof is generated that says someone is associated with a certain amount of money and provides confirmation that the selected amount of money has not yet been previously spent, facilitating the move to the selected destination; no other facts are revealed. This process confirms there was no double spend; in other words, a zero-knowledge proof substantiates that the coins used in the transaction are available. Within Zcash there are two types of addresses, “transparent” and “shielded.” The power of how much information to disclose is in the hands of the user: if the user doesn’t care if her transactions appear pseudonymously on the public blockchain, she would select the “transparent” option; if she wishes to conceal her transactions, she would select the “shielded” option. The shielded option would obscure the sender of funds, the receiver of funds, and the amount. How is this possible and how is the dignity of the blockchain preserved? A zero-knowledge proof is an encryption protocol that provides you with what is required to know something for a fact without revealing any details about what it is you are attempting to confirm. This protocol facilitates selective disclosure.

As I wrote about in my last post (McCalmont/Venezuela), in Venezuela, US dollars are purchased on the black market, outside the purview of the Venezuelan government. Zcash is working with AirTM, the peer-to-peer exchange, to allow the privacy afforded by Zcash to assist Venezuelan citizens in their hedge that will protect them from the rapid devaluation of their sovereign currency the bolívar. AirTM machines exist on the smartphones of users and providers, with many sovereign and cryptocurrency exchange options offered. If a Venezuelan citizen uses Zcash to facilitate the currency exchange process, and if they select the “shielded” option, their transactions will take place outside the view of the repressive Venezuelan government, economically protecting citizens and contributing to an economic base that will potentially aid in the countries’ overall economic recovery.

In addition to this form of control over data points that make up our intimate individual privacy, a number of blockchain dependent developments have also evolved. I wrote a number of months ago about my experience in obtaining Estonian digital identity (McCalmont/Estonia). This compact between myself and the government of Estonia allows me to conduct all forms of business with the government of Estonia without any involvement of a third party. My card is considered so authentic and reliable through blockchain technology combined with biometric information that a photo of my face for verification is considered irrelevant. My information is “owned” by me, it’s portable, and it eliminates any need for third party involvement. This protocol fits perfectly with the expectations laid out by the European Union’s General Data Protection Regulations (“GDPR”), scheduled to be enforced beginning May 25, 2018. GDPR reorients privacy-related matters around the individual versus the third party benefitting from information provided by and linked to the individual. In the current environment the developer builds the platform first and asks questions later, so if the developer is benefitting from violating individual privacy, they’re applying the Facebook motto of, “move fast and break things.” In other words, let’s seize on this over-expansion of the platform, as the more information we as a company can collect, the better for our business model; we can “apologize” later. GDPR forces developers to consider the impact of their projects on individual privacy prior to the collection of information. The ability to selectively disclose information needs to be in the control of the consumer. The GDPR categorizes consumer information as their own, and the consumer has the right to “opt-in” to the act of information collection prior to the information’s actual collection. The consumer cannot be coerced into providing the information by the withholding of services sought by the consumer.

The recent controversies involving Facebook is an illustration of what happens when our privacy is compromised by the social media behemoth for the company’s economic benefit. Blockstack, a company positioned as an internet for decentralized applications, is working on a digital identity product that you, the subject, will control over different social media applications. The subject will own their personal information and will not be dependent upon any third party when interacting with various social media applications. Selective disclosure will be the centerpiece of this new methodology, as the subject will decide what information to share and what not to share with the various applications.

The most intimate areas of our personal information center around our health; one could argue that health records contain some of the most personal information associated with each one of us. The disintermediation of third parties that house medical records linked to individuals is beginning to take effect at a very rapid rate. The idea of selective disclosure applied to this form of record keeping will save society from a data breach that could expose victims to a lifetime of illegal scrutiny of their physical and/or mental condition, from insurance companies to potential employers, in addition to bad actors looking to exploit perceived health problems on the part of their victims. An individual’s medical history can include lab test results, intimate written thoughts on the part of the doctor, and historical diagnoses. Ownership of this information by the patient will protect the data from centralized risk, as in the case of Equifax, where consumer files linked to 143 million Americans were compromised. Decentralized selective disclosure will protect your privacy from broadcast to the entire world. At a simple level, when you buy an alcoholic beverage in a restaurant and show the bartender your driver’s license, a lot of superfluous information is exposed for no reason, such as your home address, signature, and identification number. On a larger scale, if a nurse practitioner is providing you with an antibiotic for an ear infection, he may not need to know the details of your last hernia procedure.

I feel at times the upbeat nature of my blog posts are too optimistic, but then I observe events taking place within the areas of anti-corruption (McCalmont/Anti-corruption), sanctions compliance (McCalmont/Economic Sanctions), identity management (McCalmont/Identity), and now privacy, and feel completely vindicated in my optimistic views. Blockchain applications are taking place at an extremely rapid rate. It was announced a few weeks ago that the Government of Mexico is using blockchain technology to track bids for public contracts in order to halt corruption in that space. Regulation is finally catching up with blockchain developments in the areas of asset transfers over blockchain and decentralized exchanges (UK Regulation). My optimistic view of regulation is not popular within certain sectors of the crypto/blockchain community, but I truly believe that regulation is necessary for blockchain technology to proliferate on a universal scale. As I’ve indicated in prior posts, in my former role at an asset management firm I worked extensively under the supervision of the Luxembourg financial regulator the Commission de Surveillance du Secteur Financier (“CSSF”). With the Grand Duchy hosting (at last count) 143 banks alongside thousands of investment funds, what will happen in Luxembourg impacting the financial sector through regulation will not stay in Luxembourg. LuxTrust SA is an information technology provider to the Luxembourg government, and they’ve contracted with Cambridge, Massachusetts-based Cambridge Blockchain to upgrade their operations to comply with GDPR using blockchain technology (LuxTrust). The revolution is taking place RIGHT NOW!