Using the Algorand blockchain to store GDPR consent data

Hi!

I have an idea for an application of Algorand (edited) as an underlying technology.

I know most are sick of being asked about cookie consent all the time (at least in Europe, idk about the US).
But that annoyance is only one of the problems with the status quo.
Consider this:

  • Your content data is stored in the database of a tool provider. It is not auditable by you, nor can you change it easily in one central place.
  • Websites using a consent tool also do not have much insight into what is being stored. Also, they are tied to the provider (somewhat).

Would it be feasible to store the consent data on the Algorand (edited) blockchain? For instance, the “Notes” field might be leveraged to store the actual consent data in a transaction between the website and the user. The user could have a specialized wallet-like application where he can explore all his consents given and change them (resulting in a new transaction).

Obviously, many questions need to be answered in detail, but I was wondering if this all makes sense?

There has been some limited research into this topic, i.e. here https://dl.gi.de/handle/20.500.12116/20985

This forum is for Algorand, not Cardano 🙂
That being said, anything you can do with Cardano, you should be able to do with Algorand today (Cardano still does not have smart contracts on MainNet to my knowledge).

The main question for such an application is about privacy: everything on any public blockchain (including Cardano and Algorand) is public. You can use encryption, but then how do you secure the keys well enough? Such cookie data may need to identify a specific computer, and you don’t want this to leak, I believe.

Disclaimer: I have not read the research linked and they may already have answers to these issues.

Thanks @fabrice - that was a rather unfortunate typo 🙂
Of course I meant Algorand. I edited my original post.

Yes, encryption would be a must-have feature for this, as we certainly do not want to have privacy-related data open in the blockchain. I am not firm on encryption stuff and keys and whatnot, so that is a problem for me right now.

But I believe that we do not store any personally related information: all you need is the transaction id - what is stored on chain is only what the user consented to (for instance functional cookies, marketing cookies, analytical cookies and/or individual cookie providers). This would be in a JSON format, like this:

{
   "functional": true,
   "marketing": true,
   "analytical": {
      "Google Analytics": false,
      "Matomo": true
   }
} 

When the user wants to see what she consented to for that website, she can look up the transaction id (which is stored in her wallet application) and then pull up all the information about that transaction. (Ideally, the wallet application would format that and create a nice output).

Of course, the website would also need a wallet kind of application to receive the transaction ids, so it can look up the consent when the user comes back to the website. If the user creates a new transaction in her wallet, this would be shown in the website's wallet as the most recent (and valid) transaction.

Does this make sense?

That is definitely technically possible on Algorand.

What I’m wondering is what this would bring to the user and the websites.
Would this make it easier to sue the website in case of misuse?

Even if you do not store PII, privacy is very important.
The list of websites you go to can reveal information that you do not want to share.
It can indicate the user’s political opinions, or shameful activities that the user may want to hide.

It seems very difficult to prevent leaks of such data if such data are present on the blockchain. If one website leaks its encryption key (which happens quite frequently, as we know), it’s game over for all the users on this website.

Note that while Algorand addresses are pseudonymous, they are not anonymous. In particular, if website B's encryption key leaks, any other website the user used will be able to de-anonymize the information!
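
The linkability concern raised in the replies above, as an added example that is not part of the original thread: a constructed ledger in Python showing that sender/receiver metadata is readable without any key, and what a single leaked website key exposes. The addresses, site names, keys and the `toy_seal` stand-in cipher are all assumptions made up for illustration; no Algorand SDK is used.

```python
import hashlib
import json
from collections import defaultdict

def toy_seal(key: bytes, data: bytes) -> bytes:
    """Stand-in for real encryption (SHA-256 keystream XOR); illustration only."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

toy_open = toy_seal  # XOR with the same keystream undoes the sealing

# Constructed sample data: one hypothetical key per website.
SITE_KEYS = {"SITE_A": b"key-a", "SITE_B": b"key-b", "SITE_C": b"key-c"}

def consent_tx(sender, site, consent):
    """Model a consent transaction: public sender/receiver, sealed note."""
    note = toy_seal(SITE_KEYS[site], json.dumps(consent, sort_keys=True).encode())
    return {"sender": sender, "receiver": site, "note": note}

# Constructed public ledger (addresses are placeholders, not real ones).
LEDGER = [
    consent_tx("USER_ADDR_1", "SITE_A", {"functional": True, "marketing": False}),
    consent_tx("USER_ADDR_1", "SITE_B", {"functional": True, "marketing": True}),
    consent_tx("USER_ADDR_2", "SITE_B", {"functional": True, "marketing": False}),
    consent_tx("USER_ADDR_1", "SITE_C", {"functional": False, "marketing": False}),
]

def sites_per_address(ledger):
    """Metadata only: no key is needed to see which sites an address dealt with."""
    seen = defaultdict(set)
    for tx in ledger:
        seen[tx["sender"]].add(tx["receiver"])
    return dict(seen)

def exposure_after_key_leak(ledger, site, leaked_key):
    """Notes readable once one site's key leaks, plus the other sites those addresses used."""
    readable = {tx["sender"]: json.loads(toy_open(leaked_key, tx["note"]))
                for tx in ledger if tx["receiver"] == site}
    graph = sites_per_address(ledger)
    linked = {addr: sorted(graph[addr] - {site}) for addr in readable}
    return readable, linked

if __name__ == "__main__":
    print(sites_per_address(LEDGER))
    print(exposure_after_key_leak(LEDGER, "SITE_B", SITE_KEYS["SITE_B"]))
```

The first function never touches a key, which is the point: encrypting the note hides the consent choices but not which address transacted with which website.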

Related to GDPR could be Algorand’s proposal for RTBF: