Holochain Forum

Deleting an entry complies with GDPR right to be forgotten?

I understood an entry in the DHT can be marked as deleted, but the data is not removed, as it is immutable.
If an actor is capable of doing this on its own data, it should be able to do this everywhere such data is stored. I guess Holochain has covered this, but I'd like to be sure of that.

Secondly, the data that is marked as deleted should not be readable anymore by anyone, or the claim of deletion can't be made. I am totally not sure if Holochain can guarantee this, so I'd like to get an answer from core devs on this.

If deleted data somehow still can be made readable, I am afraid European privacy lawyers will never advise using Holochain.
I am talking here about any kind of public data that a user has published on any kind of public app. It is a feature of Holochain to link a person's data with their agent's identity, so this means - in GDPR law terms - that any kind of the linked data is also considered as personal data and the same rules apply.

So even if an individual thinks he did not publish anything personal, legally this still becomes personal data.
So this deleting is a big thing.

2 Likes

Hi @yeff I added your question to our weekly community report/inquiry. I’ll be meeting with our devs this week and will ask if they have time to respond. In the meantime, others are welcome to provide their input.

Hi, @yeff. This is a tricky question indeed, and a lot of ink has been spilled both in Holochain land and beyond. Here’s how I see it:

  • All data is subject to being copied and retained by others, and can’t truly be deleted once it’s out there. This is true of centralised services, decentralised services, even notes written on paper. Even if you can’t take a screenshot or photo, you’ve got it in your mind and can spread it as gossip.
  • New distributed technologies, however, can amplify the spread of information much more than the tools previously available to us.
  • GDPR is meant to create fiduciary responsibility for organisations who are in a power asymmetry with the people whose data they host (IOW: protect users from big companies).
  • It doesn’t have anything to say about people sharing things amongst themselves – AFAIK, it doesn’t have the power to compel someone to flush out their email archive.
  • Distributed tech is a blind spot in GDPR. It’s got the peer-to-peer qualities of human social interactions, but the vast data distribution power of big platforms.

My feeling is that distributed systems occupy an awkward middle ground between personal interaction and client/corporation relationships. Because they can spread personal data much more quickly than personal interactions in ‘meat space’, and they can spread data into domains where they aren’t necessarily expected to go, we need to think about ways to wield this power responsibly.

Here are the facts about Holochain:

  • When data in a DHT is deleted, it isn’t truly deleted; it’s only marked as obsolete.
  • Even if there were an obligation to actually scrub the bits from your hard drive, there’s no verifiable way to prove it to the satisfaction of the person who asked you to delete the data. (This may change with future CPU features, but isn’t available right now.)
  • The DNA of a Holochain app allows the developer to exercise discretion in what can be returned to the UI — for instance, if you never allow deleted records to be retrieved via get_entry(), then the user will never see it.
  • However, a motivated individual could look in the database that holds their local shard of the DHT; there’s a chance that it holds the deleted data they’re looking for.
  • I have heard that Holochain might in the future offer peers the option to garbage-collect deleted data so at least they aren’t opened up to legal liability. Don’t quote me on this though; I’m interested in hearing the core devs’ response.

This is an issue for users of every digital system, centralised or distributed. The most that a piece of technology can do is make promises and hope that the people actually operating it will uphold those promises. This is a social problem, not a technological one.

6 Likes

I still needed to thank you, @pauldaoust for this detailed answer. I know people are now very busy with Holoport issues and so, but it would be good to get a sort of vision on the last point from core devs, on that garbage collection of so-called deleted data.

Thanks for your thanks @yeff! I don’t know if I have a clearer picture yet, but it seems that the GC would be on validation dependencies only; example scenario:

  1. Entry B is valid only if entry A is valid and contains the word “beep”
  2. Validator pulls entry A from the DHT and checks its validation signatures
    a. If it’s invalid, fail validation for entry B and proceed to step 4
    b. If it’s valid, proceed to step 3
  3. Validator passes entry A into entry B’s validation function, which returns a result
  4. Regardless of the result of previous steps, validation is now finished and entry A can be GC’d.

I’m hoping that one day we’ll learn that Core intends to allow nodes to optionally GC deleted entries, but I suspect that won’t come soon — the nodes are supposed to have a ‘covenant’ that they’re holding every entry within their advertised neighbourhood for the purpose of validation, not just the live ones.
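The two mechanisms discussed in this thread, a delete that only tombstones an entry while the bytes stay in the local store, and garbage collection of an entry that was fetched purely as a validation dependency (steps 1 to 4 above), can be put side by side in a small model. The following is an added illustration, not code from the forum posts and not Holochain's actual store or validation machinery: the `Peer` class, its `held`/`tombstones`/`dep_cache` fields, the SHA-256 `entry_hash`, the `beep_rule` function and the `demo` helper are all assumed for the example; only the name `get_entry` comes from the discussion, and its behaviour here (never returning tombstoned records) is the DNA-level filter pauldaoust describes.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


def entry_hash(content: bytes) -> str:
    """Content address of an entry (SHA-256 hex; a stand-in for Holochain's hashing)."""
    return hashlib.sha256(content).hexdigest()


@dataclass
class Peer:
    """One peer's local DHT shard (assumed toy model, not Holochain's data store)."""
    name: str
    held: Dict[str, bytes] = field(default_factory=dict)      # entries in the advertised neighbourhood
    tombstones: Set[str] = field(default_factory=set)          # hashes marked deleted; bytes stay in `held`
    invalid: Set[str] = field(default_factory=set)             # hashes that failed validation
    dep_cache: Dict[str, bytes] = field(default_factory=dict)  # entries fetched only to validate others

    def hold(self, content: bytes) -> str:
        h = entry_hash(content)
        self.held[h] = content
        return h

    def mark_deleted(self, h: str) -> None:
        """'Delete' only records a tombstone; the immutable bytes are not removed."""
        if h not in self.held:
            raise KeyError(h)
        self.tombstones.add(h)

    def get_entry(self, h: str) -> Optional[bytes]:
        """What a DNA that refuses to return deleted records would expose to the UI."""
        if h in self.tombstones:
            return None
        return self.held.get(h)

    def raw_store_contains(self, h: str) -> bool:
        """What someone opening the local database file directly would find."""
        return h in self.held or h in self.dep_cache

    def validate_with_dependency(self, b_content: bytes, dep_hash: str, holder: "Peer",
                                 rule: Callable[[bytes, bytes], bool]) -> bool:
        """Steps 1-4 from the thread: B depends on A; A is fetched, checked, then GC'd."""
        b_hash = entry_hash(b_content)
        a = holder.held.get(dep_hash)            # step 2: pull A from the peer holding it
        if a is None or dep_hash in holder.invalid:
            result = False                       # step 2a: A missing/invalid, so B fails
        else:
            self.dep_cache[dep_hash] = a         # step 2b: keep A only while validating
            result = rule(a, b_content)          # step 3: run B's validation function
        if result:
            self.held[b_hash] = b_content
        else:
            self.invalid.add(b_hash)
        self.dep_cache.pop(dep_hash, None)       # step 4: A was only a validation dependency
        return result


def beep_rule(a: bytes, _b: bytes) -> bool:
    """Step 1: entry B is valid only if its dependency A contains the word 'beep'."""
    return b"beep" in a


def demo(a_content: bytes = b"the message says beep") -> dict:
    """Constructed scenario: one peer holds A, another validates B against it, then A is 'deleted'."""
    holder = Peer("holder-of-A")
    validator = Peer("validator-of-B")
    a_hash = holder.hold(a_content)
    b_valid = validator.validate_with_dependency(b"entry B referencing A", a_hash, holder, beep_rule)
    holder.mark_deleted(a_hash)  # the author asks for A to be forgotten
    return {
        "b_valid": b_valid,
        "a_cached_on_validator": a_hash in validator.dep_cache,       # GC'd after validation
        "a_visible_via_get_entry": holder.get_entry(a_hash) is not None,  # hidden by the DNA
        "a_bytes_still_on_holder": holder.raw_store_contains(a_hash),   # still on disk
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the asymmetry the thread is about: the validator drops A as soon as B's validation is finished, because A was never part of its advertised neighbourhood, whereas the holder keeps A's bytes after the tombstone and only the application-level `get_entry` hides them. Whether the holder may ever drop tombstoned bytes is exactly the covenant question pauldaoust leaves open.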