Protecting PII: A Sienna Series

Sienna Network
Sienna Network
Published in
9 min readJan 11, 2022

--

Welcome to the Protecting your PII series by Sienna Network. With this series the focus is on how to protect your PII and how it relies on privacy. The series will also touch on the legal contradictions we see and how privacy on one hand is a human right and on another hand considered suspect and borderline criminal, while privacy is also a prerequisite for protecting your PII.

The purpose of the Protecting your PII series is to discuss the topic as well as provide tips and trick for how you can protect your PII. Web 3.0 and blockchains significantly challenges this question with its open infrastructure, which is both a blessing but also problematic in order to not reveal PII.

Protecting your PII has been a huge topic over the last couple of years and EU has launched its first directive (a federal law) to regulate how PII shall be protected and what precautions companies shall make to protect its customers PII. It is know as GDPR — General Data Protection Regulation. US has a similar Act, which is called U.S. Privacy Act. With GDPR, all private companies and organisations are subject to this regulation whereas states are excepted. The regulation is a consumer protection directive and does not consider any actions or sanctions to the consumers and expect companies and organisations to take the responsibility of protecting your PII. This structure, where governments and regulators leave it to companies and organisations to protect your PII is critical and leaves a lot of open questions. Can you trust a company with your data and how well are they protected against hackers and misused by governments in the mass surveillance? This is especially problematic in countries with no rule of law and lack of respect for human rights. However, as we will see, this goes beyond what you would imagine. Other states even forbid its citizens to protect their data to make sure they can surveil and monitor the activities amongst them. Please note, this series is not an encouragement to do something illegal and you must always make sure you comply with the laws and regulations you are bound by.

The big question is what you can do to protect your PII?

Let us start with the The definition of PII
PII is Personal Identifiable Information, which is every piece of data or information that can fully or partly identify a person. This definition is by default very weak as it can cover small bits of data to biometric data, private encryption keys to your email or IP address. The complexity grows exponential as fragments of data can be used to profile you and reveal your PII. Please note, that data that can partly be used to identify a person also constitute PII. This is very well described in the GDPR

A common distinction is between probabilistic and deterministic data that can be used to track you and your PII and even the smallest data pieces can be used to track you and identify you by using a probabilistic approach to tracking. In a later episode, the series will go into details about what defines PII and make sure you get the tools to make it harder for everyone to track you.

Privacy is considered a human right — why?

United Nations, an organisation established by states around the World, has defined a human rights act that aims at protecting citizens rights among its membership states and beyond. Protecting human rights is great and should obviously be the default state amongst governments and obviously it is not. Why is this? Because governments do not always align interest with its citizens and at the extreme we see this in countries governed by dictatorship, with a bad rule of law and so on — you get the picture. Human rights covers a lot of topics including the right to privacy. This act is interesting to see if PII can be protected as well so let us look at what it covers and not least the exceptions where states can violate your privacy in order to…. well, preventing crime, public order, and much more. This part is in particular problematic as states can just make a law and then it is no longer a violation of a human right regardless of how intrusive the law is and how much it constitutes mass surveillance. As governments are already exempted from all privacy and PII protecting regulations, this should not be a problem — or should it?

The bottom line is that you have no right to data privacy from a state perspective and they have the right to monitor everything you do. This leave people with very few options in order to protect their PII to the state and this part is central to ensure no information about you is misused or ending up in the wrong hands. Human rights protection is made for a reason and even governments can do little to identify your PII if you organize it the right way.

Article 8 of the Human Rights Act protects your privacy, our home and our communications.

The article is about respect for your private and confidential information, including the storing and sharing of data about you. There is also a right to not be subject to unlawful state surveillance. Article 8 aim to protect your right to have uninterrupted and uncensored communication with others, which in particular covers tapping of your phone and reading your private communication.

There are a few — but significant — limitations to people’s right to privacy. States can make mass and individual surveillance if it is covered by law, necessary and proportionate, and following one of these purposes:
- Public safety or country’s economic well being
- Preventing disorder or crime
- Protecting public health and morals
- Protecting other people’s rights and freedom
- National security

This is de facto a motorway for governments to monitor everything they want — just make a rule or a law and states can surveil citizens as they wish. The jurisdiction of the services you use matters as some countries respect privacy and some does not.

The Five Eyes
Five eyes is a mass surveillance collaboration between US, UK, Australia, Canada, and New Zealand. This blog post is not a rage against this but rather to inform about activities by governments so you can make informed decisions about your online privacy.

A common mistake is to rely on and trust a security company located in these 5 countries as they are in general rule of law countries but also have the authority to force security companies to hand over data. Even if these security companies want to protect your PII they have no choice but terminating the company and cease activities if they receive a request for data from a national security agency — or handing out the data. With this knowledge, you have a couple of choices. First and foremost, chose a provider with no access to your data. If the company or service you use have a private key or any data about you they can potentially be forced to hand it over to authorities. In the next episodes of Protecting your PII we will discuss a couple of solutions and what we consider the best way to protect your PII. From a geographical point of view, it is always recommended to use a service or provider that is located or storing data in any of the jurisdictions covered by 5 Eyes or the extended collaboration, which now counts 14 countries*. For these agencies, social networks (which we consider spyware) are like giving kids unlimited access to candy stores and the agencies are fortunately identifying criminal activities on daily basis. The same goes for telco providers, email providers, search engines, ISPs, banks, credit card companies and similar financial and communication infrastructure services. Even companies with private encryption keys have been forced to hand it over to national security agencies — and these agencies even force the companies to no communicate it by serving them with a gag order.

You might ask how security companies can operate without any access to your data? The purpose is after all to protect them but fortunately there are some options although they are not too many but there are ways. Again, this Protecting your PII series is about information so you can make informed decisions.

Privacy by default on blockchain — a prerequisite for protecting your PII

The original design of blockchain is to be an open ledger. This means anyone can read and monitor what happens on it, what transactions have been made and even pending transactions can be monitored. It is also possible to look up the content of a wallet and see the transaction history. This is considered to be one of the super powers of the blockchain technology as it infuses trust by leveraging algorithmic consensus. While this sounds very appealing it also comes with some privacy concerns.

It does not take a lot of imagination to see how easy it is to surveil and monitor. It is easy to make the puzzle of a few informations and especially if you are a mass surveillance organization with access to multiple data sources like your IP address and wallet address. This is easy and your ISP can also do this monitoring as they are forced to log all activity about its customers.

Another hands-on issue is the simplest of them all. If you are sending or receiving funds from your wallet, the sender or receiver will get your wallet address and can monitor everything you do with it including your funds. This is also a candy store for bad actors (criminals) that want to steal your holdings and hack your wallet. As you can just look up the content it is like lining up targets to attack.

Your PII is not protected and we even see companies that provides intelligence to governments about blockchain behavior, obviously to prevent crime, fraud and more. This includes money laundering and documenting travel history of funds in order for exchanges and banks to stay in compliance. This is a delicate balance — no sober platform wants to support any criminal activity but having open ledgers is not the solution. There are other ways to make this happen and there is a difference between protecting your privacy and being anonymous. Those are two very different things although often mixed up. You can read more about privacy at the Sienna Blog.

CEX vs. DeFI
The approach to protect your PII from the public open ledger has been to use a centralized exchange with a custodial wallet. Using such a solution will limit your exposure to one entity, the centralized exchange, who — in the name of KYC — will know your identity. However, many users consider this convenient but also risky as the company behind can be compromised and eventually go bankrupt. There is a saying, that if you do not own the private key, the funds are not yours.

DeFi helps this out to a certain extend, as you will not have to identify yourself when doing transactions although it is hard to get from FIAT into Crypto (and vice versa) and hence DeFi without going through some sort of centralized entity and hence reveal your PII by identifying you in the name of KYC. Privacy preserving blockchains do not solve this issue but they do at least protect your PII while you are in the game of transactions within the privacy sphere.

This post is the first of a series where we discuss how to protect your PII. Stay tuned for more info.

About Sienna Network

Sienna is a cross-chain, privacy-first decentralized finance protocol built on Secret Network, that enables trustless financial instruments, such as trading and lending with complete privacy for multiple blockchain ecosystems.

Privacy, both for individuals and organizations, is required by law and should at all times be treated as a a fundamental human right. Sienna is on a mission to protect your PII.

What blockchain is Sienna built on?
Sienna is built on Secret Network first blockchain with privacy-preserving smart contracts, or “secret contracts” that have encrypted inputs, outputs, and state.

Read more about Secret Network at https://scrt.network

More on Sienna Network

🖥 Website: https://sienna.network/

💬 Discord: https://discord.sienna.network

💬 Telegram: https://telegram.sienna.network

🐦 Twitter: https://twitter.com/sienna_network

👥 Reddit: https://www.reddit.com/r/SiennaNetwork/

📰 Blog: https://medium.com/sienna-network

--

--