Privacy
In the age of digital transformation, privacy is paramount. When building with attestations, it's essential to prioritize privacy to protect users and maintain trust. This page delves into how to think about and implement privacy-first solutions using attestations.
A Privacy-First Mindset
The blockchain's defining feature of immutability is a double-edged sword. While it ensures data integrity, it also means that once data is onchain, it's permanent. This permanence underscores the importance of handling personal or sensitive data with extreme caution.
Strategies for Privacy-First Attestations
Below are a few concepts to consider when building with privacy in mind.
Private Data Attestations
Private Data Attestations are a way to attest to nearly an infinite amount of arbitrary data, generate a merkle tree of that data, and then only attest to the merkle root onchain or offchain. The data can then be provided to specific individuals and allow them to selectively disclose or verify the data against the merkle root.
For example, a university could attest to a student's entire transcript by creating a merkle tree of the courses and grades, and then only attesting to the root onchain. The student can then provide specific courses to employers without revealing their entire transcript.
📘 Read More: Private Data Attestations
Offchain Attestations
Create attestations completely offchain, allowing for selective disclosure on a need-to-know basis while still benefiting from the authenticity of the digital signature. Below is an example of an offchain attestation. It's completely private, the easscan.org server doesn't even know it exists. The data is completely encoded in the URI fragment of the URL and can be passed peer-to-peer through the browser or stored anywhere the creator would like.
📘 Read More: Offchain Attestations
Offchain Computations
Perform computations offchain and attest to the results onchain. This method ensures that raw data remains private, but the computation's outcome can still be verified. For example, a platform could verify a user's age offchain and then only attest to whether the user is over 18 on-chain, without revealing the exact birthdate, or even that the verification had to do with a birthdate.
Encryption & Hashing
Always encrypt sensitive data, even if it's offchain. When attesting to encrypted data, ensure that only authorized parties have the decryption keys. For example, if you're storing a user's educational credentials, encrypt the attestation data offchain. When a third party needs to verify it, they can be given a decryption key to access the specific data they need.
Zero Knowledge Proofs (ZKPs)
ZKPs allow one party to prove to another that a statement is true without revealing any specific information about the statement itself. It's a powerful tool for privacy-preserving attestations. For example, you can generate an attestation onchain or offchain and then allow the recipient or issuer of the attestation generate an ZKP from the attestation data. Which then can be selectively shared to those who need to know without disclosing the addresses or data involved.
Best Practices
- Avoid Onchain Personal Data: Never attest to personal or private data directly on-chain. Always use hashes or other privacy-preserving methods.
- Educate Users: Ensure users understand what data is being attested to and how it will be used.
- Regularly Review Privacy Practices: As technology evolves, so do privacy concerns. Regularly review and update your practices to stay ahead.
Wrapping Up
Privacy isn't just a feature; it's a right. As builders, it's our responsibility to ensure that we're not only leveraging the power of blockchain and attestations but doing so in a way that respects and prioritizes user privacy. With a privacy-first mindset, we can create solutions that are both powerful and trustworthy.