The Blockchain Team met for a privacy discussion on Feb 18, 2020. The discussion was prompted by a draft of a features list for the Liberty Platform reference client, which raised some questions about desirable features, possible features, and how these could affect user privacy.
The understandings that came out of this discussion start with the need to identify the areas in the platform that need to be considered when discussing privacy.
The discussion focused almost entirely on the privacy questions that arise around tagging people, whether in photos or in any other post.
We identified possible sources of privacy leaks:
- The blockchain itself - smart contracts and messages that are stored on chain
- DSNP - messages that are archived or gossiped throughout the network
- Us App and Reference App, i.e. applications that Project Liberty controls
- Liberty Foundation approved apps
- Applications using Liberty SDK
- Well-intentioned applications
- Ill-intentioned applications
- Network abusing applications
- Leaks due to user error, misunderstanding, or ignorance
- Intentional leaks by users
We also need to see the potentially conflicting interests:
- PrivacyUser, the user that wants privacy and control vs. EasyUser, the one that wants convenience, transparency and freedom
- PrivacyUser vs. Application developers that just want to serve EasyUser
- DSNP’s designed use vs. an Application’s actual use
- Liberty Foundation vs. Application developer needs and desires (to wit, profit motive).
Within this framework of understanding, we refocused the privacy discussion around tagging users.
On the DSNP, but not on chain
Allowing tagging of users to be part of the DSNP protocol - though not on chain explicitly - is useful to the platform and possibly to users, given that the point of the platform is to give people the ability to quit one application while still owning their data. A user that decides to change apps – for any reason – on the platform shouldn’t have to recreate all their data. On the other hand, users may not realize that the social identity they use through one app may also show up on another. Users have many reasons to keep their social activities separated and will need to know that their social identity activity can be viewed across applications. Most users are not used to this idea. Being able to tag somebody else may identify them in a space they don’t want associated with them elsewhere.
Can’t control usage, but can make it harder to behave badly
There are clear limitations to what can be controlled at each level. Liberty obviously cannot control users or outside applications entirely; however, it can attempt to make it cheap and convenient to be a good actor on the platform, and expensive and inconvenient to be a bad actor. Anyone can say, in plain text, “Ang Lee is in this photo,” and an Application can certainly put whatever identifier it wants in a tag, whether one that is meaningful only to that application, a simple profile name, the Liberty socialID, etc.
Some ideas that could be explored:
- A tag could be a separate metadata post, like a kind of reply
- Tags using the Liberty socialID could be detected by a user application and the user could be prompted whether to cryptographically sign the tag, thus legitimizing it. “Honest” applications could then filter out any unsigned tags.
- Tags could use a rotatable identifier, such as a key list, instead of the social identity. If the key list is rotated, the ID loses its connection to the user.
- Users could set preferences for whether they can be tagged, which “Honest” applications could abide by even if other applications do not (i.e. not showing tags that include that user, even if another application allowed the tag).
- Involve Application developers in the discussion to come up with creative ways to meet their needs that do not exploit user privacy. Help them implement solutions and where possible, enhance SDKs and the platform to make these solutions easy and convenient to use.
This also obviates the need for the Liberty Foundation in the development and dissemination of privacy (and other) standards.