Soul-bound tokens are not designed for privacy, verifiable credentials are—and they can be deployed now
By Sam Curren
Privacy by design means, as the European Union explains, “nothing more than ‘data protection through technology design.’” But in this case, “nothing more” means quite a lot. As a company building identity solutions for enterprises around the world, privacy by design is non-negotiable. Privacy preserving technology is seen as a given technological starting point and not a bolt-on feature. The business vibe shift, so to speak, is that privacy is a digital right and that decentralized identity technology is a superior solution to the imperfections of data privacy law. With decentralized identity, you get authentication and you get privacy by design in a way that generates security by design.
So what is there to say about a new technology that doesn’t do this? Apparently lots. The paper “Decentralized Society: Finding Web3’s Soul” has generated much discussion as a more advanced and beneficial way of applying an NFT-type technology to encode “social relationships of trust” in Soul-Based Tokens.
It’s a thoughtful and provocative paper with many interesting ideas that go beyond the scope of the single, critical point we wish to address. So, we’re going to go straight to section 8.4 where the arrow strikes Achilles in the heel. Soul-Based Tokens, the authors admit, “ are initially public[,] making them inappropriate for sensitive information like government-issued identification.”
In fact, it’s worse than that. Anything rendered as a Soul-Based Token can be correlated by virtue of being recorded on-chain. It’s a recipe for creating honeypots of personal information that can be read, anonymously, by anyone. Even little bits of what might be considered ‘mostly harmless’ private information when correlated can present unexpected privacy problems. What this means is that the only information safely applicable for use in a Soul Bound Token is so impersonal as to be of little practical use.
This is a marketplace non-starter. (not that there is a market-ready Soul-Based Token system to deploy). The ability to share sensitive information in a privacy preserving way and without writing any of it to a blockchain is precisely what companies and governments want from decentralized identity solutions and it’s what verifiable credential technology gives them.
Verifiable credentials enable “social relationships of trust” (what we at Indicio call “Trusted Digital Ecosystems”) because they are verifiable without checking in with the source, they give the data owner control of their data, and they enable that data to be shared through privacy preserving mechanisms (selective disclosure and zero knowledge proofs).
Again, we focus on this section of the paper because it is the flaw that stops the vision taking flight. New ideas have to be evaluated in terms of the technologies we have available today and the issues that exist in the identity space and the marketplace. Verifiable credential technology is being implemented right now because it works to solve the issues that currently exist in the identity space and in the marketplace.
Don’t misinterpret our focus on delivering technology today as a lack of enthusiasm for the technologies of tomorrow. Every technology we have today was once a new idea that developed over time, and we look forward to seeing how the ideas animating Soul-Bound Tokens (and other new developments) will mature over time.
Meanwhile, we’re focused on delivering solutions now, and we’re happy to explain why open source verifiable credential technology is the best solution available.