The term “personally identifiable information”, first coined in 2007 by the White House, refers to information that can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. What is now a data class of its own and utilized on a global scale, Personally Identifiable Information (PII) “must be treated as Internal Data, and elements of PII may be classified as Sensitive, Confidential, or High Risk Data,” stated in Data Classifications by UIC’s IT Security Program.

More recently, regulations and policies proposed by law enforcements, such as the GDPR in Europe, The Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, and the California Consumer Privacy Act (CCPA), necessitate lawful and proper practice from applications to address the rising concerns and issues around data security and user privacy.

Even though PII became more regulated and the improper use of PII was often punished with penalties and fines, exchanging data ownership for free web services had already become such a successful business model in Web2 (and just a normal part of the use of Web2 content for so many), that users just accepted the risk to their PII as a fact of life for using Web2.

And this is what web3 aims to solve and must solve: revolutionizing the way data is stored and returning full personal data ownership to users. No matter which specific category your product falls into — DeFi, Metaverse, SocialFi, DeSo — if you’re looking to build sustainable and robust solutions, then user privacy is core and non-negotiable.

In an ideal world, all PII should be stored locally on an individual device or decentralized personal clouds. However, massive friction to change from the Web2 model is caused by high technological entry barriers, while proper market education and proper user onboarding solutions are still in the process of being developed and implemented. Simply put, we’re just not there yet, no matter if you are web2 players or web3 players!

Nonetheless, here are a number of approaches. Without any privilege to access PII, applications can provide a more friendly private cloud that stores the encrypted version of data that can only be decrypted by the user.

The computing part can be done either on the user’s local device with Zero-Knowledge Proof (ZKP), or in user-trusted domains running Multi-Partner Computation (MPC), Federated Learning, and Trusted Execution Environment (TEE).

Trends & Possible Solutions

A popular approach is to store personal data on institutional servers but only in encrypted form — for example, this is how the Chrome browser stores user’s passwords. Data services in such a case would still be centralized, but here’s the catch — only the encrypted version of PII can be accessed by the corporation. Authorized third parties can only access the data upon user approval and only after the user downloads and decrypts the data on a local device.

Nonetheless, this approach has its limitations. Within the current state of the web infrastructure, data usage is still limited and difficult for mass scaling. Additionally, the cost of maintenance can be especially high for start up companies.

Examples of some of the more mature solutions to this issue are MPC and TEE, which have been adopted in certain situations as well.

MPC is a cryptographic protocol established for decades, allowing more than two parties to compute jointly and assess the result without ever revealing the private input from each individual party. A classic demonstration would be the “Millionaire’s Problem”. A group of millionaires can find out who’s the richest among them without telling each other how much money each one owns. Today, MPC technology is widely utilized in crypto wallets for asset security and private key management, such as Coinbase wallet and ZenGo.

On the other hand, with TEE, one party can send private information to a certified third party node, which provides a list of codes and guarantees to run only those codes for necessary information. That means the party who submits the information will know exactly what part of the information is being viewed and shared with whom. For example, if you need to prove you’re over 21 years old to purchase alcohol from a seller, you can send your personal ID and the TEE nodes will only show the age with the alcohol vendor.

Despite all these approaches, builders are still in search of the best solution out there.

But keep in mind, regardless of approach, future web3 applications should always uphold “Privacy First”. That is, builders’ top priority is user privacy and data ownership. During development, builders should practice the principle of least privilege if possible and ask for zk-proofs instead of plain text as verifiable credentials.