Compliant Privacy — Simple Explainer.
Internet users have a right to have their data handled appropriately and in accordance with the various global privacy and security laws. Jurisdictions such as the EU have gone as far as requiring internet-based companies to inform consumers of how their data is being used as soon as they visit their website or transact on their platform. The consumers then have to consent to the site's terms on handling personal data.
Privacy compliance, therefore, is the practice by which online companies adhere to existing regulations and laws on how public data is handled. These regulations and laws are meant to protect internet users against having their personal data collected, used, or stored without their consent.
Such privacy regulations guarantee that consumers know how companies use their online personal data and protect them in scenarios where there are breaches or infringements of their rights.
Compliance for On-Chain Privacy.
Consequently, blockchain-based companies and applications must also adhere to the measures put in place by the various governments to protect their residents and their privacy when transacting online.
By design, transactions on the blockchain are public and available for anyone to analyse and verify on-chain. User privacy is more or less guaranteed by default, since public addresses are not directly linked to their users' personal information. (Such links can nonetheless be made, whether through malicious doxing or unintentionally, as when Jimmy Fallon exposed his Ethereum address while sharing his Bored Ape NFT on live television.)
Privacy Compliance When using Mixers Such as Tornado Cash.
One might assume that cryptocurrency mixers such as Tornado Cash do not need to comply with user privacy regulations because mixers already provide privacy services by breaking the link between the source and destination addresses.
However, this is not the case. Tornado Cash also adheres to the strict privacy compliance guidelines set in place. Tornado Cash has implemented a compliance tool that allows its users to show the origin and destination of their digital assets should proof of such information be required.
Tornado Cash achieves this through the use of private notes. The mixer produces a private note at the time of deposit, and the same note is used later on to withdraw the funds. The private note can also be used to generate a cryptographically certified proof of the entire transaction by simply keying it into the compliance tool mentioned above.
The compliance tool goes a step further by generating a downloadable PDF report of the required transaction, as highlighted in the screenshot below, courtesy of the team at Tornado Cash.
Tornado Cash Has Since Been Sanctioned by the US Treasury's OFAC.
However, Tornado Cash's attempt at compliance with privacy regulations was not enough: its hands-off approach to monitoring illicit transactions led to sanctions.
On August 8th, 2022, the US Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash for its role in the laundering of over $7 billion in digital assets since its creation in 2019. The amount includes over $455 million stolen by the Lazarus Group in the Axie Infinity Hack, $96 million from the June 2022 Harmony Bridge exploit, and $7.8 million from the Nomad Bridge hack of August 2022.
The US Treasury's OFAC went a step further and sanctioned several USDC and Ethereum addresses linked to Tornado Cash. These addresses are now on OFAC's Specially Designated Nationals and Blocked Persons List (SDN List), and many crypto and blockchain projects are blocking transactions involving them to comply with the sanctions. Examples include Infura, Alchemy, Circle, and even Ethereum's largest mining pool, Ethermine.
BlockWallet Also Offers Privacy and Compliance Tools.
Similarly, BlockWallet, a privacy-oriented wallet, makes it easier for average crypto users to obtain the type of privacy demonstrated by Tornado Cash thanks to its superior UX/UI design. Users of the wallet decide to whom they reveal their financial information.
In addition, BlockWallet has a compliance tool that generates cryptographically authenticated proofs of the origin of user funds. BlockWallet's compliance tool also uses notes in a manner similar to Tornado Cash.
A note is generated when initiating a deposit through BlockWallet. The same note is then used when withdrawing funds and can be entered into BlockWallet's compliance tool to create a compliance report in PDF format. As with Tornado Cash, users of BlockWallet can therefore provide the entire transaction history and origin of their funds to anyone they choose to share such private information with.
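The note mechanism described for Tornado Cash and BlockWallet above can be illustrated with a small commit-and-disclose model. The following is an added example, not code from either project: a deposit publishes only a hash commitment to a secret note, a withdrawal publishes only a nullifier derived from the same note, and whoever holds the note can later tie the two public records together in a report that anyone can re-verify. The real mixers prove membership of a deposit with a zero-knowledge proof instead of revealing the note at withdrawal time; that step is simplified away here, and the class, function and field names are all assumptions.

```python
"""Toy commit-and-disclose model of note-based compliance proofs (added example).

Not Tornado Cash's or BlockWallet's code. Shows only the linkage property:
public records carry hashes, the note holder can open them on demand.
"""
import hashlib
import secrets


def new_note() -> bytes:
    """Random secret note handed to the depositor (constructed, 32 bytes)."""
    return secrets.token_bytes(32)


def commitment(note: bytes) -> bytes:
    """Public value recorded at deposit; reveals nothing about the note."""
    return hashlib.sha256(b"commitment|" + note).digest()


def nullifier(note: bytes) -> bytes:
    """Public value recorded at withdrawal. A different domain tag means an
    observer cannot match it to the commitment without holding the note."""
    return hashlib.sha256(b"nullifier|" + note).digest()


class ToyMixer:
    """On-chain state as an observer sees it: two lists of hashes."""

    def __init__(self) -> None:
        self.deposits: list[tuple[str, bytes]] = []          # (tx_id, commitment)
        self.withdrawals: list[tuple[str, bytes, str]] = []  # (tx_id, nullifier, recipient)

    def deposit(self, note: bytes, tx_id: str) -> None:
        self.deposits.append((tx_id, commitment(note)))

    def withdraw(self, note: bytes, recipient: str, tx_id: str) -> None:
        # Simplification: the note itself is checked here. A real mixer accepts
        # a zero-knowledge proof that *some* recorded commitment opens to this
        # nullifier, without revealing which one.
        if commitment(note) not in {c for _, c in self.deposits}:
            raise ValueError("no deposit for this note")
        if nullifier(note) in {n for _, n, _ in self.withdrawals}:
            raise ValueError("note already spent")
        self.withdrawals.append((tx_id, nullifier(note), recipient))

    def compliance_report(self, note: bytes) -> dict:
        """What the note holder can disclose: the matched deposit and withdrawal."""
        c, n = commitment(note), nullifier(note)
        dep = next((tx for tx, cm in self.deposits if cm == c), None)
        wd = next(((tx, r) for tx, nu, r in self.withdrawals if nu == n), None)
        if dep is None or wd is None:
            raise ValueError("note has no completed deposit/withdrawal pair")
        return {"deposit_tx": dep, "withdrawal_tx": wd[0], "recipient": wd[1],
                "commitment": c.hex(), "nullifier": n.hex()}

    def verify_report(self, note: bytes, report: dict) -> bool:
        """Anyone given the note recomputes both hashes and checks them against
        the public records; no trust in the reporter is needed."""
        c, n = commitment(note), nullifier(note)
        dep_ok = (report["deposit_tx"], c) in self.deposits
        wd_ok = (report["withdrawal_tx"], n, report["recipient"]) in self.withdrawals
        return (dep_ok and wd_ok
                and report["commitment"] == c.hex()
                and report["nullifier"] == n.hex())
```

The property the compliance tools rely on is visible in `verify_report`: the deposit and withdrawal records are public, but only the holder of the note can produce the pair of hashes that joins them, so disclosure is selective and the recipient of the report can check it independently.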
Differences Between On-Chain and Off-Chain Privacy.
Note that the focus on on-chain privacy often leads to the assumption that it also covers off-chain privacy.
On-chain (or on the blockchain) privacy generally revolves around transactions within the respective network. In the two examples above, Tornado Cash and BlockWallet, on-chain privacy is guaranteed by obfuscating the entire movement of funds on the public Ethereum blockchain. This type of privacy is also achieved within the networks of well-known privacy coins such as ZCash, Monero, and most recently Litecoin through its MimbleWimble upgrade.
Off-chain (or away from the blockchain) privacy involves the protection of internet metadata such as IP addresses and other personal information linked to one’s real-life identity. Malicious actors can use such metadata to carry out targeted attacks such as phishing or even NFT frontrunning.
Compliance for Off-Chain Privacy.
As demonstrated with applications providing on-chain privacy protection, such as Tornado Cash and BlockWallet, applications also need to be compliant with existing privacy and security regulations meant to protect users' data.
OMNIA’s Compliance with Off-Chain Privacy.
In the case of OMNIA, the protocol complies with the existing personal information protection regulations and laws to safeguard users' personal information, while at the same time ensuring compliance with other regulations such as AML.
Furthermore, the OMNIA protocol provides a truly decentralized solution for off-chain privacy by utilizing mixnets to obfuscate network traffic to guarantee no personal metadata is leaked to third parties. OMNIA’s services help its users protect their privacy between the application layer (wallet, decentralized exchange, dApp, etc.) and the blockchain nodes of the respective network that actually implement the consensus mechanism.
OMNIA also complements on-chain privacy with off-chain privacy. OMNIA’s impact is at the network layer from the user’s device to the blockchain node that is mining the specific transaction. The protocol currently supports the five blockchain networks of Bitcoin, Ethereum, BNB Chain, Polygon, and Avalanche.
The team at OMNIA is well aware that full anonymity when transacting on the blockchain is sometimes abused for illegal activities such as tax evasion, money laundering, and other crimes. The OMNIA team is therefore committed to addressing such concerns by implementing strict measures at the privacy relayers' dAPI gateways that act as entry points to blockchain networks: the gateways automatically reject the submission of transactions linked to illicit activities or to addresses on sanctions lists.
Regarding the latter, open-source lists of sanctioned addresses and on-chain oracles do exist. Using them, however, requires the technical knowledge to de-serialize transactions, extract the addresses, read from the oracle, and compare. While de-serializing a transaction to extract the signatory address is easy with existing tools, the transaction's execution must also be 'simulated' to see the final movement of assets (which assets will be transferred and to whom), so that the ultimate destination can be compared against sanctioned address lists.
OMNIA removes the hurdle of de-serializing transactions by simulating a dry run that assesses whether the ultimate beneficiary is a sanctioned address, easing the compliance work for its clients.
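The screening pipeline described in the two paragraphs above, as an added example that is not OMNIA's code: RLP-deserialize a raw Ethereum legacy transaction, collect every address that could end up holding value, and compare those against a blocked set. The "dry run" is reduced to decoding the one calldata shape where the direct recipient (a token contract) differs from the ultimate beneficiary, an ERC-20 `transfer()` call; a production screener would execute the call in an EVM simulator and also recover the signer from the signature, both of which are omitted here. The sanctions entries and addresses are constructed placeholders, not real SDN List entries, and all function names are assumptions.

```python
"""Sanctions screening of a raw Ethereum legacy transaction (added example, not OMNIA's code).

Pipeline: RLP-decode -> collect candidate beneficiaries -> compare to blocked set.
Signer recovery and full EVM simulation are out of scope here.
"""

# Constructed placeholder entry; not a real SDN List address.
SANCTIONED = {"0x" + "de" * 20}

# First four bytes of keccak256("transfer(address,uint256)").
ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")


# --- minimal RLP codec -------------------------------------------------------
def _encode_length(length: int, offset: int) -> bytes:
    if length < 56:
        return bytes([offset + length])
    lb = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([offset + 55 + len(lb)]) + lb


def rlp_encode(item) -> bytes:
    """Encode bytes or nested lists of bytes; used only to build the sample tx."""
    if isinstance(item, bytes):
        if len(item) == 1 and item[0] < 0x80:
            return item
        return _encode_length(len(item), 0x80) + item
    payload = b"".join(rlp_encode(x) for x in item)
    return _encode_length(len(payload), 0xC0) + payload


def _decode_item(data: bytes):
    if not data:
        raise ValueError("truncated RLP input")
    prefix = data[0]
    if prefix < 0x80:                                  # single byte
        return data[:1], data[1:]
    base = 0x80 if prefix < 0xC0 else 0xC0             # string or list
    is_long = prefix >= base + 0x38
    ll = prefix - (base + 0x37) if is_long else 0
    n = int.from_bytes(data[1:1 + ll], "big") if is_long else prefix - base
    start, end = 1 + ll, 1 + ll + n
    if end > len(data):
        raise ValueError("RLP length exceeds input")    # truncated/malformed tx
    if base == 0x80:
        return data[start:end], data[end:]
    items, payload = [], data[start:end]
    while payload:
        item, payload = _decode_item(payload)
        items.append(item)
    return items, data[end:]


def rlp_decode(data: bytes):
    item, rest = _decode_item(data)
    if rest:
        raise ValueError("trailing bytes after RLP item")
    return item


# --- transaction parsing and screening ---------------------------------------
def int_to_bytes(n: int) -> bytes:
    """Big-endian without leading zeros; zero is the empty string in RLP."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""


def parse_legacy_tx(raw: bytes) -> dict:
    """Fields of a pre-EIP-2718 (legacy) transaction: 9 RLP items."""
    fields = rlp_decode(raw)
    if not isinstance(fields, list) or len(fields) != 9:
        raise ValueError("expected a 9-field legacy transaction")
    nonce, _gas_price, _gas_limit, to, value, data, _v, _r, _s = fields
    if to and len(to) != 20:
        raise ValueError("malformed recipient address")
    return {"nonce": int.from_bytes(nonce, "big"),
            "to": "0x" + to.hex() if to else None,     # None = contract creation
            "value": int.from_bytes(value, "big"),
            "data": data}


def beneficiaries(tx: dict) -> set[str]:
    """Addresses that can receive value: the direct recipient plus, for an
    ERC-20 transfer() call, the token recipient carried in calldata."""
    out = set()
    if tx["to"]:
        out.add(tx["to"])
    data = tx["data"]
    if len(data) == 4 + 32 + 32 and data[:4] == ERC20_TRANSFER_SELECTOR:
        out.add("0x" + data[4 + 12:4 + 32].hex())      # address is right-aligned in its word
    return out


def screen(raw: bytes, sanctioned: set[str] = SANCTIONED) -> tuple[str, list[str]]:
    """("reject", [matches]) if any beneficiary is blocked, else ("accept", [])."""
    hits = sorted(a for a in beneficiaries(parse_legacy_tx(raw)) if a.lower() in sanctioned)
    return ("reject", hits) if hits else ("accept", [])


def erc20_transfer_calldata(recipient: str, amount: int) -> bytes:
    return ERC20_TRANSFER_SELECTOR + bytes(12) + bytes.fromhex(recipient[2:]) + amount.to_bytes(32, "big")


def build_sample_tx(to: str, value: int = 0, data: bytes = b"") -> bytes:
    """Constructed legacy tx; v, r, s are dummies, not a valid signature."""
    return rlp_encode([int_to_bytes(1), int_to_bytes(20 * 10**9), int_to_bytes(60_000),
                       bytes.fromhex(to[2:]), int_to_bytes(value), data,
                       int_to_bytes(27), int_to_bytes(1), int_to_bytes(1)])


TOKEN = "0x" + "11" * 20    # constructed token contract address
CLEAN = "0x" + "aa" * 20    # constructed ordinary recipient
BLOCKED = "0x" + "de" * 20  # the constructed sanctioned entry above

if __name__ == "__main__":
    print(screen(build_sample_tx(CLEAN, value=10**18)))                                # accept
    print(screen(build_sample_tx(TOKEN, data=erc20_transfer_calldata(BLOCKED, 5000))))  # reject via calldata
```

The third case in the usage block is the one the text is pointing at: the transaction's `to` field is an unremarkable token contract, and only by looking at what the call would do does the blocked recipient appear. Matching on `to` alone would let it through.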
It is important to note that all the information being processed is public information already available on-chain, without any correlation to personal or sensitive information, thus maintaining privacy while still being compliant. Since the blockchain request goes through the OMNIA mixnet, off-chain privacy is fully assured, and the final node processing the request cannot deduce any metadata or behavioral information about its users.
It is also worth highlighting that the open-source oracles and sanctions lists may not be maintained in real time. OMNIA's integration goes a step further by offering real-time updates of the sanctions lists.