Privacy Precautions
Overview of precautions to preserve user privacy
Galactica's technology provides new ways to preserve user privacy. The main paradigm shift is using zero-knowledge cryptography to prove statements, such as being KYCed, without disclosing any more personal details, such as name, birthday, etc.
Galactica strives to make privacy the new default and to be simple enough to work in practice. But maintaining privacy is still a task that needs care and endurance. Here is a list of best practices and hints on how to preserve privacy on the current version of Galactica:
Be cautious with public disclosures. ZKPs always disclose some statement about the user of a wallet address. Read the confirmation message in Galactica Snap for MetaMask carefully to check what information is shared.
Selective disclosures submitted from a wallet stay publicly viewable on-chain. They can aggregate into a better picture of the person behind it. For example, someone could guess the identity of a user if the same wallet proves the birthday to DApp 1, the postal code to DApp 2 and the profession to DApp 3.
Users can prevent such aggregation by splitting on-chain activity over multiple wallets. This works well with the DApp-specific HumanID concept because HumanIDs on different DApps are not connected unless the user connects them.
ZkKYCs can be used from all wallets of a user. The authorization by the wallet holding a zkKYC is verified privately in the ZKP.
When splitting activity over different wallets, users need to take care to not obviously link them together by actions, such as direct fund transfers.
Be aware of general internet tracking threats that could link together wallet activity. This includes IP addresses, ISP and VPN services, cookies and the RPC node used to submit transactions.
Side note: Galactica's team is investigating automated wallet activity splitting and compliant mixers for fund transfers between them.
Naturally, DApp builders should only require the minimum amount of selective disclosures. For example, proving to hold a valid zkKYC should be sufficient for KYC purposes. DApps do not need to gather more personal details to comply with KYC requirements.
Users should check the ZKP generation confirmation for details about fraud investigation, especially which institutions are involved and whether $k$ of $n$ secret sharing is used.
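The aggregation risk and the wallet-linking caveat described above can be measured on your own disclosure history. The following is an added example, not Galactica code: the population, wallet labels and records are constructed, and it counts how many people each linked group of wallets could still belong to after its disclosures are combined.

```python
from collections import defaultdict

# Constructed population an observer might consider (not real data).
POPULATION = {
    "A": ("1990-04-12", "10115", "nurse"),
    "B": ("1990-04-12", "10115", "teacher"),
    "C": ("1990-04-12", "20095", "nurse"),
    "D": ("1985-01-30", "10115", "nurse"),
    "E": ("1985-01-30", "20095", "teacher"),
    "F": ("1990-04-12", "20095", "teacher"),
}
FIELDS = ("birthday", "postal_code", "profession")

def disclosures(w1, w2, w3):
    """Constructed on-chain records of person A: (wallet, DApp, attribute, value)."""
    return [(w1, "DApp 1", "birthday", "1990-04-12"),
            (w2, "DApp 2", "postal_code", "10115"),
            (w3, "DApp 3", "profession", "nurse")]

ONE_WALLET = disclosures("wallet-1", "wallet-1", "wallet-1")
SPLIT_WALLETS = disclosures("wallet-1", "wallet-2", "wallet-3")

def cluster(wallets, transfers):
    """Map each wallet to a cluster root; direct transfers merge clusters."""
    parent = {w: w for w in wallets}
    def find(w):
        while parent[w] != w:
            parent[w] = parent[parent[w]]  # path halving
            w = parent[w]
        return w
    for src, dst in transfers:
        parent[find(src)] = find(dst)
    return {w: find(w) for w in wallets}

def anonymity_set(profile):
    """People consistent with every attribute value in the profile."""
    return sorted(pid for pid, values in POPULATION.items()
                  if all(dict(zip(FIELDS, values))[k] == v for k, v in profile.items()))

def exposure(records, transfers=()):
    """Per linked wallet group: how many people its owner could still be."""
    wallets = {r[0] for r in records} | {w for t in transfers for w in t}
    root = cluster(wallets, transfers)
    profiles = defaultdict(dict)
    for wallet, _dapp, attribute, value in records:
        profiles[root[wallet]][attribute] = value
    return {tuple(sorted(w for w in wallets if root[w] == r)): len(anonymity_set(p))
            for r, p in profiles.items()}

if __name__ == "__main__":
    print(exposure(ONE_WALLET))
    print(exposure(SPLIT_WALLETS))
    print(exposure(SPLIT_WALLETS, [("wallet-1", "wallet-2")]))
```

A group size of 1 means the combined disclosures single out one person; a direct transfer between two split wallets shrinks their group just as if they had been one wallet.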