The data privacy protection plans that those big internet companies don't want you to know about

This article was published by Rhythm Research Blockbeats.

Recently, the "brake failure" incident involving Tesla has become the focus of public opinion, and Tesla's subsequent release of driving data from the accident vehicle has brought the key issue of the digital economy—user personal privacy—into the spotlight.

In the context of the COVID-19 pandemic, people's daily lives have become increasingly reliant on the internet, forcing many companies that previously did not engage in online business to expand new channels online.

People interact with various platforms, merchants, and applications, generating a large amount of data, and algorithms use this data to more accurately meet user needs.

With the advancement of technology, the shift in business paradigms, and the exponential growth of data monetization avenues, data has become the largest market of the 21st century. Those who possess data hold the world. However, data without privacy protection is like gold scattered everywhere, which major internet platforms greedily consume and abuse as "raw materials" they do not own.

This is a problem that cannot be ignored.

When it comes to data privacy, most users' first reaction is: I do not want to provide personal information, but I have no way to avoid it.

Indeed, the essence of internet applications in the Web 2.0 world is that users exchange personal data for services. To put it nicely, how can your food delivery reach your home without providing information? How can applications serve you comprehensively without information? Out of helplessness, you can only choose to run naked on the internet.

What is even more frightening is that everything is becoming interconnected; internet applications are no longer limited to your computer and mobile phone. Gradually, everything tangible around you will become applications that continuously gather data, at which point users will no longer actively choose to provide data but will be passively "monitored."

This should not be the case; data ownership should belong to the data producers rather than the data users (application service providers), and service providers should not use user data for rent-seeking behavior.

Are there privacy solutions in the Web 2.0 world?

When technology is insufficient, manual remedies are the only compromise. Over the years, whenever technological conditions do not allow, manual operations have become the only solution, and this applies to all problems, privacy included.

The solution to privacy issues in the Web 2.0 era is: improving legislation.

Countries have established departments related to data privacy protection and enacted legislation. In China, civil law protects data rights, criminal law defines crimes related to personal information infringement, economic law regulates data sharing and circulation, and the State Administration for Market Regulation has issued antitrust guidelines in the platform economy sector, among others.

But can these laws really guarantee user privacy? Can user data truly be protected from abuse?

The answer is no.

In December last year, the "celebrity health treasure photo leak" incident was exposed. In a certain group for purchasing on behalf of others, it started with 1 yuan to buy a photo of a celebrity's health treasure, later appearing as a package of 7 members of the "TNT时代少年团" for 3 yuan, and then a package of over 70 artists' health treasure photos for 2 yuan, with over 1,000 artists' ID numbers sold for just 1 yuan. Not only can information about celebrities be searched, but simply searching a name will display that person's photo and nucleic acid test information.

Even on a certain food delivery platform, the same order, the same merchant, the same delivery address, and the same time period, members end up spending more than non-members. The platform uses big data to implement differential pricing for different groups, and cases of rampant rent-seeking are not uncommon.

Where does the problem lie? The legislation is unclear, information asymmetry exists, and the punishment is insufficient, ultimately leading to difficulties in discovery, evidence collection, and identification, pushing platforms to take risks.

Mechanisms will always have flaws, and laws will always have blind spots; manual control is not a long-term solution.

The Web 3.0 world returns privacy to users

Imagine if users did not need to provide any information, or rather, if platforms could not obtain any of your information, yet could still provide services as usual?

This all sounds magical, but it is actually all mathematics. Yes, zero-knowledge proofs can achieve all of this.

A zero-knowledge proof is a cryptographic protocol that allows the prover to convince the verifier that a statement is true without revealing any information about the statement itself.

After reading the following little story about Alibaba, you will have a clear understanding of what a zero-knowledge proof is.

Alibaba encountered a robber who wanted to obtain the incantation to enter the cave from him, but Alibaba was afraid that the robber would not leave him alive after learning the incantation. Alibaba thought, how could he prove that he knows the incantation without revealing it?

Alibaba came up with a plan. He had the robber stand far enough away that he could not hear the incantation being recited. When the robber raised his left hand, Alibaba would open the cave door; when the robber raised his right hand, Alibaba would not recite the incantation. After repeated valid verifications, the robber concluded that Alibaba indeed knew the incantation to open the cave. Alibaba proved to the robber that he knew the incantation without revealing the incantation itself.

In real life, the user is the prover, and the service provider is the verifier. Thus, through zero-knowledge proofs, users can allow service providers to continue providing services without leaving any trace of data that can be exploited.

There are already many applications using zero-knowledge proofs on the blockchain, the most typical being the well-known anonymous coin Zcash. Zcash uses zk-SNARKs (Succinct Non-Interactive Zero-Knowledge Proofs) consensus proofs to allow users to make transfers while keeping information completely encrypted, ensuring the verifiability of transactions for nodes to validate. Specifically, Zcash addresses are divided into shielded addresses (z-addresses) and transparent addresses (t-addresses). Transactions between shielded addresses will also appear on the blockchain, and everyone will know that a shielded transaction has occurred, with transaction fees paid to miners, but the transaction addresses, amounts, and memo fields are encrypted and not visible to the public. The address owner can also choose to disclose the shielded address and transaction details to trusted third parties to meet audit and regulatory requirements. Transactions between two transparent addresses are no different from Bitcoin transactions, and funds can be transferred between shielded and transparent addresses.

Returning to the recent case of Tesla releasing driving data, Tesla publicly disclosed the accident vehicle's data without user permission to prove its innocence. If the information were transmitted to Tesla's algorithm protocol encrypted through zero-knowledge proofs, Tesla would not be able to obtain metadata, and if Tesla wanted to use user data, it would need to obtain user permission in advance. After an accident, if judicial authorities need data for evidence collection, users willing to cooperate with the investigation could disclose the encrypted information.

Imagine a future where, with the help of zero-knowledge proofs, users can prove their health without providing their name, photo, or whereabouts, or users can prove that they are immune to the COVID-19 virus without needing to disclose how they developed immunity (whether through antibodies or vaccination). Perhaps one day, people will be able to order food without providing their name, phone number, or address, and robots will deliver the food right to their doorstep.

Zero-knowledge proofs are not a brand new concept. As early as the early 1980s, the theory of "interactive zero-knowledge proofs" was proposed by Goldwasser and others, and in the late 1980s, Blum and others further proposed the concept of "non-interactive zero-knowledge proofs." But why do today's internet platforms not adopt this technology?

First, from a technical perspective, any innovation needs to undergo decades of effort and accumulation from theory to practice, and only in recent years have zero-knowledge proofs truly become a technology that can be applied. However, compared to traditional solutions, the cost of using zero-knowledge proofs is still too high, and the efficiency is low, which is unacceptable for both platforms and users.

From an economic perspective, users have formed a fixed mindset that they must provide information to receive services, making it natural for platforms to obtain information. In the face of enormous profits, it is difficult for major platform giants to compromise. From the user's perspective, most users have not yet realized the importance of privacy and the value of the data they generate, so there is no strong willingness among users to push for privacy solutions.

From the perspective of technical solutions, Aleo is a good example of a promoter. Aleo starts from on-chain applications, lowering the development threshold and usage costs for privacy applications, making privacy a default attribute of applications. This is significant for the widespread use of privacy applications, just as Cosmos SDK and Substrate have played a role in promoting the application chain paradigm.

However, user education may be the most crucial issue of all. If users cannot appreciate the importance of privacy, they will forever succumb to the control of Web 2.0 platforms, and any additional costs will be rejected. Users need to understand that ultimately, platforms are merely providers of algorithms, not owners of data, and have no right to abuse user data.