The most important remembered privacy (also GDPR) issues, and whether they can be solved by the system or by the application, excluding anonymity or pseudonymity, which aren’t a privacy issue as long as they can be easily done:
0- We are excluding those privacy leaks that come from any kind of security issue, considering that security is more than enough or not really a privacy concern;
1- First of all, privacy isn’t a security issue, but an app-level matter of design (which the Holochain architecture also supports, e.g. modularity, separate DHTs for groups, and so on);
2- Can’t be solved: assuming that every agent has their own source chain, which is definitely a blockchain, it’s normal that data within it can’t really be scrubbed, only made unavailable, and that is specific to a distributed network (very scalable);
3- Can’t be solved: also, even supposing a purge (data, not header) and a withdraw (even header), even validated by another entry that is already valid, it cannot really scrub any data, just hide it and hinder it at the conductor level, with no access from the app level, except by hacking the conductor, instructing others that the malicious conductor is a regular application with the same code hash;
4- Can’t be solved: remaining data that was deleted or purged-withdrawn will actually stay there until completely restored again into a new version (of the DHT);
5- Can’t be solved: being distributed, bad actors can still steal others’ data prior to being detected by posting something and being warranted as malicious. This can also be done by hacking the conductor (again). Or the data can even be read another way: a motivated individual could look in the database that holds their local shard of the DHT; there’s a chance that it holds the deleted data they’re looking for.
6- It is normal to be so: finally, being open to all and F/LOSS (e.g. a big social network), what can you really prevent? Excluding deleting your own data before it is propagated to anyone else by bridging.
7- Actually not needed: whatever it may be, GDPR is meant to create fiduciary responsibility for organizations who are in a power asymmetry with the people whose data they host (IOW: protect users from big companies). It doesn’t have anything to say about people sharing things amongst themselves – AFAIK, it doesn’t have the power to compel someone to flush out their email archive. So the feeling that distributed systems occupy an awkward middle ground between personal interaction and client/corporation relationships is a good one, as long as the community (actually the developers) has its own interest and concern in protecting its own data from being used for various bad purposes.
It’s bad to say it, but here are weak reasons for not being privacy (GDPR) compliant:
A- Excluding bad actors who can read others’ data, or those who will be warranted at the first try, if they did not actually delete the data;
B- Reasons such as that an agent holds a small amount of data; even if there were more bad agents, they cannot find very much, as long as it is from a graph database;
C- Many privacy issues cannot be solved completely, with respect to 0-, that it is not a security issue. Or they are too complex (excluding social issues, big communities, big events where a lot of people ‘know too much’ vs. pseudonymity);
D- But in general, distributed tech is a blind spot in GDPR. It’s got the peer-to-peer qualities of human social interactions, but the vast data distribution power of big platforms. Even in Holochain’s DHT agent-centric approach, even with its higher security.
E- That it depends on social factors, not on tech (excluding those kinds of issues where someone saw it and remembered it, or even stole it because they were granted access before);
F- Reasons such as the low chance of GDPR compliance verifications happening, as all sorts of issues are encountered, mostly that nobody really knows all the issues, as they won’t be fixed until court issues happen.
G- Worse than this, mostly in centralized systems: even if there were an obligation to actually scrub the bits from your hard drive, there’s no verifiable way to prove it to the satisfaction of the person who asked you to delete the data, as long as they’re centralized and can have a lot of hidden backups to share with other entities for financial purposes. But this is not actually addressed to really distributed networks. Even so, this may change with future CPU features, but that isn’t available right now, and the centralized system also cannot prove that it deleted everything.
Finally: a Cross-CMS privacy group was formed to share common functionality; however, I just looked and it doesn’t seem that much has progressed in 3 years.
So, Holochain seems to be 99.9% privacy compliant, with higher security and at the discretion of application-level atomicity. And even nearly GDPR compliant, as there is no need to protect ourselves from ourselves with respect to developers’ code, and not even that, as long as it is really open for the community and for developers, and largely distributed.