Privacy in Web 3.0 Applications: Facilitating Public-Private-VWO Sector Collaboration

(Crediting Raymond Yeh with this idea, through another post he shared via LinkedIn. Encouraged by the number of ideas coming in through various channels — the tech world is truly welcoming to the new and uninitiated, I’m again emboldened for the week ahead.

I could’ve deliberated longer before writing this post, but I write to consolidate good ideas, for sharing and discussion. Glad to learn more, and write more.)

Let’s backtrack a little to my past life as a policy officer working in the social sector with Voluntary Welfare Organisations (VWOs):

“Yong Kiat, I don’t think it’s possible.”

“Why not? I’m not saying I’m not supporting your proposal. I’m just saying, perhaps you can collect some data on your end to make a more robust case.”

“You don’t understand, data privacy is a huge thing on the ground. You don’t just collect data like that, and we don’t have proper systems for this.”

“I see… let’s try to explore another way to make a stronger case then.”

You see, policy is all about prudent choices on how to allocate scarce resources. We err on the side of being data-driven, and we fear making a call without evidence. Yet on the ground, it is hardly the case that all VWOs are equipped with data collection protocols and systems that inherently protect the privacy of the individual from whom they’re collecting data from. How do we collaborate then, when government requires data and abhors double-dipping, and when VWOs or companies may not have the means to facilitate privacy when collecting data through their services?

As we enter the new social compact of the 2020s, can we create a data ecosystem where VWOs, or even private sector companies, can collaborate more with the public sector?

Web 3.0 has something to say about that. So sit back, and let’s go!

Identity, Privacy & Security in Web 3.0

One of the cool things about Web 3.0 and owning your identity on your own personal digital wallet is that you get to show only the relevant part of your identity when you wish to make a claim about yourself.

For example, in some countries, you need to show only your driving license to be able to rent a car. You flash your driving license for verification — but because it has your photo, birthday, address, passport number etc., you end up revealing a great deal about yourself that might be unnecessary for the actual claim.

In Web 3.0, you can actually set up your wallet in such a way that people request only for the credentials that they need, and you show only the credentials that you need to prove your claim.

How does this work? Well, through Zero Knowledge Proofs (ZKPs)! Think of it as a cryptographic technology that allows one party to prove to another that they know the value of something without sharing what that something is. An over simplified example would be the following scenario:

I wish to prove to you that I own the key to a box. I don’t have to share the key or describe the key to you — I simply use the key to open the box, and by opening the box, I’ve demonstrated that I have ownership over the key.

So ZKPs are immensely important in Web 3.0, because on the privacy front, they allow users to privately share information to a verifiable registry (e.g. a decentralised network or blockchain) while giving the networks assurance that the information has been authenticated. Similarly, on the security end, users are also assured that information received from the networks is authentic. All without the need to know who the intermediaries or nodes are.

Harkening Back to Personal Disability Credentials

Previously, I wrote about issuing verifiable disability credentials, so that individuals may have the power to verify their own eligbility for certain government disability grant payouts. But one unexplored issue was the issue of privacy:

If one were to register his DID on a public network, or to receive VCs with a source known to issue VCs of a certain type (i.e. disability), it might subject the individual to discrimination. For example, employers who do not practice fair employment processes may discriminate against this person even before any interviews take place.

And for all you know, we could be dealing with the issuance of mental disability certificates as well, or even mental health issues for that matter. How do we protect these people? Blind or blanket privacy would also introduce new problems like “double-dipping”, and also prevent collaboration between the public and VWO sector (as signposted in my introduction).

To borrow the words of Geek.sg, a practical instance of such disability credentials must respect the dignity of individuals, allowing:

• individuals to prove their extent of physical (or mental) disability; and
• individuals to conceal their personal identity to protect themselves; and
• government to prevent abuse of the disability status or double-dipping; and
• VWOs & private sector organisations to collaborate in terms of the provision of any additional social support

But with the ushering of ZKPs and Web 3.0, you can now effect something like the following:

1. We could still have the government, or some other centralised agency, issue the disability certificates. But now we know that the personal privacy of the individuals can be protected.
2. VWOs or private sector companies who have their own initiatives to assist these disabled individuals (e.g. further subsidies or reimbursement schemes) can then collaborate, using these certificates to verify individuals who qualify for these benefits.
3. The disabled individuals, in the entire process of claiming these additional benefits, can then generate a proof that satisfies the double-constraint of “disabled” and “no claims made yet”, without divulging further info about themselves in an exposed data trail.
4. VWOs, as they administer their own charity grants, now come into possession of what we call “completely deidentified claim proof” at the onset of data collection. They can now use this data for their own submissions of proposals, and better convince the poor policy officer cracking his head to help them make a stronger case.
5. If government is concerned about “double-dipping” (e.g. some VWOs are helping to administer government-grants), there can even be a common system in place for the VWOs to verify that the individual seeking benefit has not made any claims.

Glad for new ideas everyday to share.

(Much of the idea has been extracted from the Geek.sg post I referenced, do check them out!)