EOSCommunity.org Forums

Eden Identity Data

I can see on the staging Eden app at https://eden-dev.vercel.app and in the codebase that various forms of personal information are stored on the blockchain:

  • Name
  • Bio
  • Profile picture
  • Links to social media
  • And possibly a video with them in it

This is a problem for two reasons:

  1. Legal and ethical - Data hosted on the EOS (or WAX testnet) blockchain is immutable and cannot be deleted. Putting personal information on the blockchain that cannot later be deleted will cause all operators of the blockchain (anyone with a node) to operate illegally under several regulations, namely GDPR. This is because it will not be able to comply with the Right to be forgotten as stipulated in GDPR. GDPR is not the only regulation. More than regulation, the ethical practice of an immutable public identity with a reputation should be considered.
  2. Scalability - This data is probably not processed in smart contracts and only used for display. This adds unnecessary computational and storage burden on the blockchain infrastructure, which in turn is reflected in transaction fees.

The legal and ethical problem is by no means easy to solve. How does the Eden team think about this? Do they have any solutions?

One strategy I would like to propose is to use a self-sovereign identity #SSI application architecture. This can be done in many ways, but in general uses the principle of personal data controlled by the user. It is designed for and uses blockchain as part of its architecture, and is currently heavily supported by the EU and starting to get traction within several US states, the US federal government, Canada, not to mention industry adoption by Microsoft and IBM. There is an EOSIO SSI working group that is creating the building blocks to use SSI with EOSIO chains, meeting once a week on Monday - announced here, which is open and voluntary to join.

5 Likes

I wonder why there can't be some sort of sponsor system… either where you need 3 or more sponsors to join

continuing on that… there are loads of creative ways to facilitate account creation/verification without personal information… some I have seen or can think of:

  1. Have Temp-member status…

then have a “level 2” consensus group approve or decline all temp-members to full member
(level 2 consensus = every member was voted on to be in the level 2 group from a previous group to do this) and each approval requires 2/3+1

  2. have membership tiers (i.e. dan, genesis, gen+1, etc) and each new member requires approval from someone from 2 different tiers. Each tier can… comes to consensus on what their minimum requirement is (such as the new member needs to meet with tier members on zoom or whatever)

the above work in the same framework of consensus, while also mitigating Sybil attacks, while also NOT recording personal information… or maybe I misunderstand why the need for personal information

  • Name
  • Bio
  • Profile picture
  • Links to social media
  • And possibly a video with them in it

Is all public stuff anyway and the idea is transparency, so fitting to put on a Blockchain to ensure we have the full picture now and for those who want to look up the history of it all.

This SSI thing also appears to be a proprietary paid for product isn’t it?

The personal info is a good idea IMO, as it brings a human and social familiarity to the Eden community. It just shouldn’t be put on an immutable blockchain. Without personal info on Eden, we are only a username and it’s all very impersonal, which many people will find off-putting. It can be done that way but it will be a different experience for users. The current personal information is not verified, does not get used for votes or consensus and is not part of account creation, it just (AFAICT) makes the platform human.

The sybil attack prevention is about invitations and is currently not linked or used in the personal information.

Sure put it on the blockchain, just saying this is a very tangible legal risk for the operators of EOS and EdenOS.

SSI is a large ecosystem of open-source implementations based on World Wide Web Consortium (who create and maintain HTTP, TCP and many other standards that make the internet work) standards. The vast majority is open source and, as with any industry, there are some closed source implementations. SSI is to identity what HTTP is to the internet, well there are some differences of course but you get a bit of an idea.

1 Like

A great example here of why this is a problem conceptually (not just legally)

"Psshh, privacy — what’s the worst that can happen?"

Short answer:

Nazis take over your civil registry to more efficiently find and round up Jews in order to exterminate them.

Long answer :point_down:#SSI pic.twitter.com/lGmumQNKuG

— Jesse Szepieniec :ship: (@jessems) May 20, 2021

2 Likes

Europa Chain (EOSio based) has ways to follow the Right to be forgotten; maybe we could implement something similar.
OTOH from reading around, EOS transactions have some fields that are not included in the consensus, maybe we could use those for allowing the deletion of some stuff after a few election periods.

I would like to join Eden, but my real name is unique and I live in a small place and don’t feel comfortable singling myself out in this immutable way.

context-free-data is theoretically prunable. Practically, it takes the whole world to work in concert to actually remove it. One website hosting unpruned block logs, or one node refusing to prune, is all it takes for it to live on.

There’s a tension between the right to be forgotten in Europe and the 1st amendment here in the U.S. eosio’s architecture, when deployed as public chains, leans towards the free speech side of things.

I don’t see how there is any tension.
Isn’t the right to be forgotten a form of free speech?

It gives person A the right to limit what person B says. There are a few exemptions to the first amendment that the Supreme Court has upheld, based on historical precedent, but it’s not likely to grant new exemptions, since they have no precedent. In the U.S., a right to be forgotten would be new.

No, the right to be forgotten can only be exercised about yourself.

You HAVE TO REQUEST that some information about YOU from the past should not be indexed by the search engines anymore.

It doesn’t even affect the original document (e.g. a newspaper article).

Do search engines have free speech rights? In at least some court cases in the U.S. (maybe not all), the answer was “yes”. If that holds, then if either Congress or state legislators pass a law requiring take down, courts may rule it violates the 1st amendment.