09 May 2021 · 4 min read

How a Next-Generation Blockchain Addresses "Privacy Poisoning"

Disclaimer: The Industry Talk section features insights by crypto industry players and is not a part of the editorial content of Cryptonews.com.

Blockchain

The introduction of the EU's General Data Protection Regulation (GDPR) in 2018 marked a pivotal moment in the history of data privacy. Intended as a blow to the unchecked data harvesting of big tech firms such as Facebook and Google, the regulation brought in far-reaching legislation, putting significant responsibilities on to companies as data processors.

Intriguingly, given that blockchain advocates are also often vocal proponents of privacy rights, GDPR also throws up some interesting problems in the context of data stored on a blockchain. It contains clauses that stipulate data must be "kept in a form which permits identification of data subjects for no longer than is necessary" and perhaps even more critically, introduces the "right to be forgotten."

The latter allows any citizen of the EU to request that their data be permanently deleted. Furthermore, it doesn't matter whether the data processor is in the EU or outside; EU citizens' rights must be upheld.

Blockchain vs. the GDPR

These rights are at odds with one of the core features of a blockchain – that data and transactions are immutable. Nobody can delete or change a transaction once it's taken place. In the context of Bitcoin, where addresses aren't tied to any personal data, the ramifications aren't significant. However, in terms of enterprise blockchain and applications requiring identifying information to create an account, the impact could be considerable.

Gartner dubs the blockchain issue “privacy poisoning.” The firm also believes the solution is to "establish privacy-by-design principles at the onset of the blockchain architecture, including a ban on free text, where personal data would be stored." It would seem that few platforms have taken this advice very seriously. However, perhaps because it has its roots firmly in Europe, Concordium is an exception. The enterprise blockchain project has been flying somewhat under the radar over the last year as the team has been focused on iterating its testnet. However, it recently picked up an impressive 36 million USD in its fourth funding round, putting the total valuation at 1.5 billion USD.

With a mainnet set to launch this June, could Concordium become the first platform that empowers enterprises to achieve the optimal balance of privacy and compliance?

A Hybrid Approach to Balance Privacy and Identity

Concordium was founded on the principle that the current paradigms of blockchain pseudonymity introduce an unacceptable level of risk for enterprises. Even if the vast majority of users on a public blockchain network are honest actors, the fact that there's no way to weed out the small minority of bad actors means that enterprises can't demonstrate compliance with regulations. Therefore, from the outset, Concordium has been designed to provide a way to identify individuals using a unique hybrid on- and off-chain approach that also ensures privacy. The project's solution also successfully navigates the complexities of the GDPR.

When a user, whether an enterprise or individual, signs up for an account on Concordium, they undergo an off-chain identity verification process with an identity provider accredited by the Concordium Foundation. Once they've provided a copy of their credentials, such as a passport or company registration documents, the provider uploads an encrypted, zero-knowledge proof to the Concordium blockchain, which serves as the basis for opening an account.

This proof allows them to transact freely with any other user, and the counterparts to a transaction can use the proof as a basis for validating their identity. However, the counterparty doesn't see the ID documents themselves, which are only ever retained in copy, off-chain, by the identity provider.

Real-World Enterprise Use Cases

In the real world, this identity solution could cover a range of identity types and use cases. For financial institutions, it would allow them to carry out KYC checks and verify credit scores.

Now that the world is opening up to global travel again, someone could have their passport, driver's license, and vaccination status documents verified. They could then use them as the basis for pre-flight vaccination screenings, checking into a hotel, or renting a car. From the vendor side, they'd only receive a confirmation of what they need to know – the person is immune from COVID-19, they have a valid passport, and perhaps the country of issuance, and they have a valid driver's license.

In the "bad actor" scenario, Concordium provides a failsafe that allows the user's identity to be revealed to a legally qualified authority. So if the hypothetical traveler trashed their hotel room and the hotel reports the incident to the police, Concordium enlists the services of a trusted party called an anonymity revoker.

In an on-chain process, the anonymity revoker instructs the identity provider to provide the off-chain identity documents to the police. However, neither the anonymity revoker nor the identity provider can act in isolation.

A Stellar Team

The team at Concordium brings significant experience from both industry and academia. Based at Denmark's prestigious Aarhus University, the research team is headed up by Professor Ivan Damgård, co-creator of the Merkle-Damgård construction, widely used in legacy and newer blockchains.

The project's CEO, Lone Fønss Schrøder, brings executive-level experience from a long career at shipping giant Moller-Maersk and sitting on the board of multinationals such as IKEA and Volvo. Concordium's founder, Lars Seier Christensen, established Denmark's Saxo Bank in 1992, which went on to become one of the first banks to launch online trading.

Industry credibility is undoubtedly critical. However, it's the platform's ability to meet enterprise demands for compliance while baking user privacy into its foundations that make Concordium stand out among enterprise offerings. June's mainnet launch will be one worth keeping an eye on.