How to protect your privacy in a DAO

Blockchains might be 100% transparent, but it’s easy enough to prevent your privacy being compromised.

The Blocknet’s superblock funding and voting system enables continued development via direct democratic governance. This is a powerful tool, and it is made all the more powerful if voters give feedback on their votes and preferences. However, for this to be workable, it is critical that people’s privacy is protected. This is a guide on how to preserve your privacy.

Contents

1. Introduction
2. Address use (and reuse)
3. “Deniablize” your coins
4. Donations
5. Voting
6. Submitting feedback

Introduction

A blockchain is (typically) a public ledger containing a complete history of every single transaction ever to have taken place on it. When you make a blockchain transaction, you spend coins at an address. Every time you use an address, it is logged to the chain, making it easy for anyone to see the entire history of events for every address. However, you may remain private by preventing any of your addresses from becoming associated with each other and with your real identity.

Address use (and reuse)

First, the basics. Your wallet stores many private keys, each of which corresponds to a unique address that you may receive coins at. It is especially important to avoid using any addresses together in one transaction, because from that point onward, it becomes knowable that the addresses belong to the same wallet. As such, if any of the addresses become associated with you at any point, then all the other associated addresses become known to be yours.

It is best practice never to reuse addresses, because this violates the forward secrecy of your blockchain interactions. If any transactions involving a reused address are linked to you, at any point, then all of the associated transactions become known to involve you. It may also be difficult to remember what addresses you reused in the past, increasing the risk that you might inadvertently send coins to this address later.

How to use addresses responsibly

Receiving coins
To avoid address reuse, every time you are to receive coins, you should generate a new address in your wallet. In the Blocknet wallet, click on the “address book” tab and then on “new address,” as follows:

The Blocknet wallet is hierarchical deterministic (HD), which means that all addresses you generate can be backed up by your storing a single seed. Provided you have a backup of your seed, generating many new addresses does not expose you to any additional risk in the event that you lose your wallet.

Sending coins
To keep your addresses isolated from one another, every time you spend coins, you should use coin control to select a specific address from which to spend, so that the wallet does not automatically choose an address — or potentially more than one address — for your transaction. Coin control is accessible from the “Send Funds” tab, on the second screen, by clicking the “Choose inputs manually” and “Select coin inputs” buttons:

When you click “Select coin inputs,” you will see a list of every spendable input to each address. You can safely select more than one input, provided all inputs are to the same address.

Note: if you would like to avoid the coins not being sent to the recipient (the change) from being sent to a change address in your wallet, you may right-click on the input you are sending from, click “copy address,” and paste it into the “Custom Change Address” field as shown above. This will send the change to a new input at the same address instead of to a new change address, which can be a less confusing way to manage your addresses, even though it is a form of address reuse.

“Deniablize” your coins

In the event that one or more of your addresses may have become associated with your identity, it is easy to dissociate them. However, beware of mixing services: most are not trustless, and so it is essential to exercise extreme caution. For example, you should never lose custody of your coins in order to mix them, so beware of sending coins to third-party mixing services, because they are likely to simply steal your coins instead.

The simplest and usually the most available way of dissociating coins is to send them to a centralized exchange that you are confident will permit you to withdraw them again without risk. When you withdraw, exchanges’ coin storage systems do not usually send you the same coins that you deposited; instead, they use coins available in their hot wallet. This breaks the link between your deposit and withdrawal, effectively breaking an association that may have existed between you and your coins.

Note, though, that this does not prevent would-be doxxers from watching the chain and noticing a likelihood that the coins deposited and withdrawn are both yours. (For example, a 5000 BLOCK deposit and withdrawal is quite easy to notice, especially if there are no other transactions of this amount around the same time.) But despite this potential appearance of an association between coins, there is a simple and powerful principle you can exploit to preserve your privacy: deniability:

An excerpt from Paul Sztorc’s blog post on deniability

Essentially, deniability is the absence of certainty that some address currently holding coins is owned by the same person who owned those coins at another address. A deniable scenario prevents a would-be doxxer from being able to prove that the coins are in your control. Paul Sztorc has written an excellent blog post explaining deniability, so it isn’t necessary to re-explain it here. In a nutshell though, to make your coin ownership deniable, you simply need to:

• Send some of the coins at one of your addresses to a new address of yours.
• Send the change to another new address.
• Do this randomly and fairly often. It is impossible for anyone to tell whether you sent the coins to someone else or to yourself.
• Be sure not to re-associate your coins by sending them back to a single address (as per the above section).

While deniability may not stop someone intent on violating your privacy from claiming that the coins are yours, they will be unable to prove that they are. And if they try to doxx you without proof, they would be exposing themselves to risk of committing either libel/defamation or harassment/intimidation, depending on jurisdiction — and of course their credibility and standing would be destroyed.

Note 1: whenever you use a centralized exchange, it is far better to use an exchange which supports your creating a new deposit address for every deposit you make. Otherwise, if anyone identifies any of the addresses you send a deposit from, they may also learn your deposit address, and worse still, they will then be able to associate any past and future deposits from any other addresses of yours with your real identity.

Note 2: when you withdraw, be sure to send your coins to a brand new address.

Note 3: voters with easily noticeable 5000 BLOCK addresses should be cautious after deniablizing their coins not to re-associate them by sending them to a new 5000 BLOCK address. If you would like to use those coins to vote or to submit feedback, it would be good to additionally (a) deposit and withdraw some from an exchange, or (b) buy some more coins and use these alongside some of your other coins for a new voting address. See the section below on submitting feedback for practical steps to ensure your privacy.

Donations

People very often unknowingly reveal their identities when they donate coins to some cause. If, for example, somebody mentions that they have donated coins — especially if they mention the amount donated — then it is often very easy to associate this with a corresponding event on chain.

To avoid this happening, it is important to:

• Not mention that you are donating,
• Or if you do make mention of this, make sure that you do so at a different time from when you make the payment.
• Check on the blockchain that between your mentioning it and making the payment, other payments have been made, so that nobody can associate the mention with your address.
• Do not mention the amount donated.
• If you do reveal yourself as a donor, and if the donation transaction generates change, then anonymise the change (as per the preceding section).

An alternative way to donate is first to send coins to an exchange, effectively mixing them, and then to withdraw them directly to the donation address.

Voting

For blockchains with a superblock funding system like the Blocknet’s, voting can present a risk to your privacy, because it is simplest to vote from all your addresses in one go. However, voting like this associates all your addresses with a single vote, and so if at any time in the past or future, any of your addresses are associated with your real identity, then someone may be able to use your votes to identify the rest of your addresses.

To preserve your anonymity, it is optimal (though more work) to vote separately for each of your addresses that are eligible to vote (i.e. addresses containing 5000 or more BLOCK). To do so, go to the “Debug Console,” which is accessible from the “Tools” tab:

To vote, you will need to paste a command in the following format:

vote proposalId position address

For example, if your address isBj1cAQLtirUs1VpY4pfWdZHG15ygkxcUnW, then to vote for the Project Costs proposal in superblock 155200, the command would be:

vote 5475850be2dc698739c4dc5239b7e1109ad35ffcd25fa4864ca9d8d6651fa52c yes Bj1cAQLtirUs1VpY4pfWdZHG15ygkxcUnW

You will need to enter a separate command for each address, and for each proposal. For example, if you have 3 addresses and want to vote on 6 proposals, you will have to enter 24 commands, one after another.

Note 1: you may also vote “abstain” or “no” on a proposal, replacing yes with abstain or no respectively.

Note 2: it is customary for proposals to include the console command, so you do not have to work it out yourself. Alternatively, in the “Proposals” tab of the Blocknet wallet, you may right-click on a proposal and copy its yes/no vote. However, be sure to include your address at the end of the command, or else the wallet will vote using all of your voting addresses!

Submitting feedback

A final way in which your privacy can potentially be put at risk is if you were to post feedback as a voter, since this immediately associates your coins with the identity you post with. Fortunately, it is simple enough to protect yourself. Here are some options:

1. If you want to publicly take responsibility for your vote, you can submit feedback using your known, regular identity (e.g. Twitter or Discord username). But take care not to mention the address(es) you voted with, or else your financial activity will no longer be private.
2. You can create an alternative account to submit feedback, and include a proof (see below) that you actually voted. This will give your feedback credibility, since without proof, anyone can claim to have voted without necessarily even holding any coins. But take care not to reveal an address that is already associated with your real identity, or else the alternative account will become associated with you and your privacy will have been compromised.
3. An optimal approach is to combine the above two approaches by first anonymising your coins (see the relevant section above) and then creating an alternative account to submit feedback from.
4. In cases where you want to take public responsibility for your vote and preserve your privacy, you may first anonymise the coins that you are going to reveal (see the relevant section above), then publicly reveal your vote, and then re-anonymise the coins.

Proving ownership of coins

Options 2, 3, and 4 above require proving that you own an address (either an address that has voted, or an address that is capable of voting in the next superblock). Fortunately the Blocknet wallet supports the construction of this proof, so it is a simple matter of following the following steps:

1. In the Blocknet wallet, click “file” and then “sign message”

2. Paste the address that you are proving ownership of into the first field:

3. In the second field, type out the message that you want to post as your feedback.

4. Click “sign message.” A signature will be generated in the third field.

5. Copy the content of all three of these fields and post them on Twitter, Discord, etc.

You have now enabled anyone to verify that you are the owner of the address you have published, and thus are a real voter. This will lend credibility to your feedback, which cannot be achieved by just making an unprovable claim.

If you follow these steps, you will be able to preserve your privacy while functioning as an active and beneficial member of the Blocknet.