Last week, Forbes examined the promise of privacy in P4 protocol in the article (“Zcash Out To Prove Privacy Is Key To Crypto Adoption With GDPR-Complying Use Cases” by Darryn Pollock). Pollock’s article included a link to TechGDPR’s Zcash GDPR assessment. In addition to the article in Forbes, ZCash has published its own statement, as has its spin-off company, Least Authority. Now is a great time for TechGDPR to provide a summary of our conclusions to add to the discourse.
Before getting into the details, I first want to emphasize that TechGDPR works with a wide variety of clients, and we approach our specialized consulting for each client with the utmost confidentiality–unless, that is, a client states otherwise. Zcash is among our clients that have taken steps to publicly discuss this GDPR-compliant assessment. It is with permission of both Zcash and Least Authority that TechGDPR released our report.
Zcash GDPR assessment on the P4 protocol
In October 2018, TechGDPR conducted a GDPR compliance assessment of the P4 protocol specification on behalf of the Zcash Company and Least Authority. This assessment reflects important conversations among regulators, compliance advisors, and implementers of blockchain and other cutting edge technologies in the context of the GDPR and other privacy-protecting regulations.
Data gathered while utilizing the P4 protocol is mostly anonymous, and only a few types of data could potentially be flagged as personal, and therefore in scope of the GDPR. The risk of identifying natural persons through the use of Least Authority’s S4 storage service is significantly mitigated by the use of zero knowledge proofs in Zcash’s shielded transactions. Other regulations, such as financial regulations, anti-money laundering regulations, and know-your-customer regulations, may be triggered by anonymous online services. And although new regulations around the world are attempting to make services providers responsible for their users’ content, Zcash has been favorably received by financial regulators.
The assessment conducted by TechGDPR (PDF available here) asserts that implementation of P4 does not likely raise any major issues regarding GDPR compliance, apart from the consideration whether or not to allow customers to use S4 for data processing under GDPR, and how to effectively prevent this (see finding #11: “Possible role of data processor”). A few matters require highlighting as they may become an issue in the future as the usage of the service changes (finding #2: “File deletion, garbage collection”), or the interpretation of the GDPR evolves further (findings #1: “Logging IP Address” and #3:”Consequences of maintaining a full node”). The biggest concerns are related to the processing of data within S4, not within P4. The P4 protocol itself only presents concerns if subscribers insist on paying from transparent addresses.
TechGDPR also concluded that as long as Zcash transactions cannot be linked back to a natural person, because they are private or because no link between the t-address and the user exists, the transaction within Zcash and payment information itself should be considered anonymous and therefore out of scope of the GDPR.
In our opinion, the P4 service allows for as close to anonymous usage as you can get with current technology, with important caveats regarding user practices and user volume. The full benefits of P4 can only be realized if the user is extremely cautious with how they use it, as is the case with most privacy-preserving solutions today. Least Authority has tried to make it harder for users to make mistakes (i.e., by requiring Tor), however, it is still possible to gather some information through leaked metadata or trivial mistakes by the user that may, over time, be enough to link the usage back to a person. As the user base grows, maintaining anonymity will become easier to establish a relationship between specific users and their data or metadata will become increasingly difficult.
Privacy-enhancing technology, including P4, is not perfect. It is difficult to use, and requires perfect handling by both the user and Least Authority. Still, technologies like P4 go a long way toward challenging the advertising-surveillance model of the modern internet, and illustrate how blockchain-based technologies could show a new way forward.
Zcash looks forward
A statement released on Friday by Zcash declared, “We are at the beginning of what promises to be a longer journey toward privacy-by-design in the realm of blockchain technology.”
Total anonymity may not be possible, but the policies outlined in the GDPR show legitimate demand and P4 demonstrates that we can get pretty close.