Atala Prism and Personally Identifiable Information

The IOG team gave a great update earlier across a broad range of topics.

One point that got me a little worried was an update around Atala Prism where they mentioned that DID documents will be stored on the Cardano public blockchain.

My question is if these DIDs will just be for public organisations, or if they will be for individuals too?

If they are for individuals, even if the DID documents contain no personally identifiable information (PII), the DID itself, if identifying a user, could be seen as PII with correlation concern and GDPR risk.

Also with a public blockchain there’s no way to adhere to the “right to be forgotten” if you bake PII into a block. This opens up all types of legal issues if a DID of an individual is publicly associated with them and they want it removed.

In the SSI community this is where things like Peer DIDs (Peer DIDs: a secure and scalable method for DIDs that's entirely off ledger - YouTube) and KERI (Key Event Receipt Infrastructure (KERI): A secure identifier overlay for the internet with Sam Smith - YouTube) come into play.

Hopefully at a minimum you generate a new DID and key pair per relationship to reduce correlation risk.

I expect the Atala team knows all this already, but wanted to raise it just in case given how important the area is. Also for others like me who may be interested in the Self Sovereign Identity space.

2 Likes

@miked … nice catch, even if it is an issue already known about & accommodated by the Atala team. I would love to read here how they have anticipated this. :innocent:

1 Like

Hey miked, Prism member here.

First of all, I appreciate your interest on our project, let me try to answer.

The approach we are following is that public organizations need to publish their DID on Cardano, also, we are evaluating an alternative approach to not do so in some scenarios.

In the case of individuals, the goal is to give them the choice, most of them shouldn’t ever need to get any of their DIDs published on Cardano. so, individuals get a new private DID generated by default when interacting with a new institution.

About KERI, we looked into it time ago, the plan is to revisit it in the future to see what we can take from it.

2 Likes

Hey Alexis appreciate you responding and glad to see you’re over this topic. I had a feeling you would be.

Prism has so much potential in the SSI space, can’t wait to see how it progresses alongside Cardano.

1 Like

I am planning on writing my masters’ thesis on SSI and GDPR compliance. Of course it would be awesome to include Atala Prism and the Africa project in such an early stage! However, I am afraid that there’s still insufficient info to do so… The above is something of interest for me and I am wondering what the status is as of now. Maybe someone is able to guide me to some useful publications?

Thanks in advance!