Legal Discussion: GDPR & IPFS Permenant Storage of PoH User Data

Hello all.

An interesting discussion came up in the PoH Telegram group pertaining to data protection laws (thread begins here)

Currently, we use IPFS for PoH profiles, which stores user data permanently, as is natural with most blockchain technology. This means people are technically unable to remove their information from the system.

Storing user data on the Ethereum blockchain through IPFS could create legal liability for Proof of Humanity if it conflicts with data protection laws such as the EU’s General Data Protection Regulation (GDPR). Under GDPR, people have the right to request the deletion of their personal data. This is known as the ‘Right to be forgotten’. If Proof of Humanity is unable to delete a user’s personal data upon request, it could potentially be in violation of GDPR and face legal consequences down the line.

If we are to scale PoH, It is important to ensure compliance with relevant data protection laws, including implementing appropriate measures to protect the data and ensure individuals’ rights are respected. This may include implementing processes for handling data deletion requests, but I am uncertain how this is possible due to the permenance of blockchain data?

Possible Solutions:

1. Implement a clause in the registration policy that clearly indicates the permanence of the profile on the blockchain and that the user consents to this fact when registering - But this action feels like negative reinforcemant, rather than a positive solution.

2. Use a “hashing” system to anonymize user data: Some preliminary studies on this here. I’m not technical enough to know if we can implement this retroactively or in a removal-request system.

3. Implement a system for data obfuscation: For example, “differential privacy,” which adds a layer of noise to data sets to obscure individual data points while still allowing for statistical analysis. There is a study here on the topic. Again, I am uncertain if we can apply this.

4. Consult with formal legal counsel: I would be happy to do this on behalf of the DAO as a researcher if I was given authorization to do so in a contracted role or with a grant for my time. @federicoast , perhaps you might have some advice as a blockchain legal specialist?

Let me know if there are alternative suggestions or technical ways to solve this I might be unaware of.

Hi. My personal thought on this is that PoH is not responsible for deleting user data upon request since they are not the ones storing it. I think this rule only applies to the IPFS nodes pinning the data. Also, IPFS does not store data permanently, it simply distributes the data across a peer-to-peer network. The nodes in the network need to pin the files (volunteer unpaid storage space) to keep them in the network and can unpin them whenever they want, which is why we have centralized paid pinning services like Pinata to ensure there are nodes willing to host the data.

Hi there!

Thank you so much for the input and additional information about IPFS storage Liability is the main concern here, we don’t want the DAO to somehow end up in a court hearing over data protection violations. The ultimate goal of this thread is for me to document the removal/hiding process in case it comes up again the future and so I have a clear answer to give on the topic.

So in the event a member of PoH makes a user-data / profile removal request on the grounds of GDPR, where do you believe we should point them?

Additionally, the recent issue with malicious actors submitting sexually explicit content to the registry highlights the need for a process to remove or hide submissions.

Information on removing or hiding data stored in IPFS online seems to be a bit… Sparse. What exactly is the process, if anyone could advise on this?