77 research outputs found

    Bringing data minimization to digital wallets at scale with general-purpose zero-knowledge proofs

    Today, digital identity management for individuals is either inconvenient and error-prone or creates undesirable lock-in effects and violates privacy and security expectations. These shortcomings inhibit the digital transformation in general and seem particularly concerning in the context of novel applications such as access control for decentralized autonomous organizations and identification in the Metaverse. Decentralized or self-sovereign identity (SSI) aims to offer a solution to this dilemma by empowering individuals to manage their digital identity through machine-verifiable attestations stored in a "digital wallet" application on their edge devices. However, when presented to a relying party, these attestations typically reveal more attributes than required and allow tracking end users' activities. Several academic works and practical solutions exist to reduce or avoid such excessive information disclosure, from simple selective disclosure to data-minimizing anonymous credentials based on zero-knowledge proofs (ZKPs). We first demonstrate that the SSI solutions that are currently built with anonymous credentials still lack essential features such as scalable revocation, certificate chaining, and integration with secure elements. We then argue that general-purpose ZKPs in the form of zk-SNARKs can appropriately address these pressing challenges. We describe our implementation and conduct performance tests on different edge devices to illustrate that the performance of zk-SNARK-based anonymous credentials is already practical. We also discuss further advantages that general-purpose ZKPs can easily provide for digital wallets, for instance, to create "designated verifier presentations" that facilitate new design options for digital identity infrastructures that previously were not accessible because of the threat of man-in-the-middle attacks

    Addressing the sustainability of distributed ledger technology

    The work proposes policies to improve the environmental sustainability of distributed ledger technology (DLT). While the proof-of-work (PoW) consensus protocol requires large amounts of electricity, several DLT protocols consume much less, while still being sufficiently reliable and decentralized. To move from a PoW protocol to a greener system, such as proof-of-stake (PoS) or proof-of-authority (PoA), the consensus of the majority of miners (measured by their computing power) is required during the transition period to preserve the security requirements. Given that miners have an incentive to maintain the status quo, this paper illustrates various policies designed to bring about the transition. We aim to show that the current policy approach adopted by banking and financial regulators, based on the principle of technological neutrality, may need a reappraisal in order to consider the ‘sustainability’ criterion. Policymakers should not stifle financial innovation; nevertheless they should intervene if technology is a source of negative externalities

    MEDIATING THE TENSION BETWEEN DATA SHARING AND PRIVACY: THE CASE OF DMA AND GDPR

    The Digital Markets Act (DMA) constitutes a crucial part of the European legislative framework addressing the dominance of ‘Big Tech’. It intends to foster fairness and competition in Europe’s digital platform economy by imposing obligations on ‘gatekeepers’ to share end-user-related information with business users. Yet, this may involve the processing of personal data subject to the General Data Protection Regulation (GDPR). The obligation to provide access to personal data in a GDPR-compliant manner poses a regulatory and technical challenge and can serve as a justification for gatekeepers to refrain from data sharing. In this research-in-progress paper, we analyze key tensions between the DMA and the GDPR through the paradox perspective. We argue through a task-technology fit approach how privacy-enhancing technologies – particularly anonymization techniques – and portability could help mediate tensions between data sharing and privacy. Our contribution provides theoretical and practical insights to facilitate legal compliance

    Mediating the Tension between Data Sharing and Privacy: The Case of DMA and GDPR

    The Digital Markets Act (DMA) constitutes a crucial part of the European legislative framework addressing the dominance of 'Big Tech'. It intends to foster fairness and competition in Europe's digital platform economy by imposing obligations on 'gatekeepers' to share end-user-related information with business users. Yet, this may involve the processing of personal data subject to the General Data Protection Regulation (GDPR). The obligation to provide access to personal data in a GDPR-compliant manner poses a regulatory and technical challenge and can serve as a justification for gatekeepers to refrain from data sharing. In this research-in-progress paper, we analyze key tensions between the DMA and the GDPR through the paradox perspective. We argue through a task-technology fit approach how privacy-enhancing technologies – particularly anonymization techniques – and portability could help mediate tensions between data sharing and privacy. Our contribution provides theoretical and practical insights to facilitate legal compliance

    Yes, I Do: Marrying Blockchain Applications with GDPR

    Due to blockchains’ intrinsic transparency and immutability, blockchain-based applications are challenged by privacy regulations, such as the EU General Data Protection Regulation. Hence, scaling blockchain use cases to production often fails owing to a lack of compliance with legal constraints. As current research mainly focuses on specific use cases, we aim to offer comprehensive guidance regarding the development of blockchain solutions that comply with privacy regulations. Following the action design research method, we contribute a generic framework and design principles to the research domain. In this context, we also emphasize the need for distinguishing between applications based on blockchains’ data integrity and computational integrity guarantees

    An In-Depth Investigation of Performance Characteristics of Hyperledger Fabric

    Private permissioned blockchains, such as Hyperledger Fabric, are widely deployed across the industry to facilitate cross-organizational processes and promise improved performance compared to their public counterparts. However, the lack of empirical and theoretical results prevents precise prediction of the real-world performance. We address this gap by conducting an in-depth performance analysis of Hyperledger Fabric. The paper presents a detailed compilation of various performance characteristics using an enhanced version of the Distributed Ledger Performance Scan. Researchers and practitioners alike can use the results as guidelines to better configure and implement their blockchains and utilize the DLPS framework to conduct their measurements

    Love at First Sight? A User Experience Study of Self-Sovereign Identity Wallets

    Today’s systems for digital identity management exhibit critical security, efficiency, and privacy issues. A new paradigm, called Self-Sovereign Identity (SSI), addresses these shortcomings by equipping users with mobile wallets and empowering them to manage their digital identities. Various companies and governments back this paradigm and promote its development and diffusion. User experience often plays a subordinate role in these efforts, even though it is crucial for user satisfaction and adoption. We thus conduct a comprehensive user experience study of four prominent SSI wallets using a mixed-method approach that involves moderated and remote interviews and the User Experience Questionnaire (UEQ). We find that the examined wallets already provide a decent level of user experience, yet further improvements need to be done. In particular, the examined wallets do not make their novelty and benefits sufficiently apparent to users. Our analysis contributes to user experience research and offers guidance for SSI practitioners