A modular privacy-preserving solution: Sismo

Goksu D.
16 min readDec 20, 2022

--

During the last few years, we all observed all asset classes going crazy and it is hard to deny the great role of the Covid-19 outbreak and almost all Western governments’ printing money and sending stimulus checks. But one asset class was extremely volatile even when compared to others: Cryptocurrencies. Bitcoin’s price movement from ~$3700 to ~$68000 to nowadays’ ~$17000 is a crazy ride that is truly hard to argue against.

During this run, NFTs, Web3 products, Play-to-Earn, and many other terms found their places in our daily vocabularies and some even became permanent parts of our lives. Surely, cryptocurrencies as a vehicle of investment have been hard on all of us lately; but I think that this hardly is a fair assessment of blockchain technology.

Whether you are a cryptocurrency investor, an employee at a tech company, or just a tech enthusiast, it would be very surprising if you have not heard the term “Web3” by now. Even though some consider it to be a buzzword, this is far away from the truth itself. “To understand what Web3 is, one must understand how Web2 works” would say Yoda. After all, who am I to know better than a 900-year-old Jedi? So, let’s begin our story with a brief introduction to Web2.

Photo by Shubham Dhage on Unsplash

What is this Web2? A new kind of ‘net?

Simply, almost every single website you use daily, including Google, Facebook, or even IMDb, is a product of Web2. For now, as a rule of thumb, you can assume that every website that does not require you to use a cryptocurrency wallet throughout its flow is Web2. “But, hey, I really like <insert a website name>, I have been using it for so many years, what’s wrong with that?” you might ask. Well, let’s get started then.

I would be shocked if you have not heard “If you’re not paying for the product, then you’re the product”, one of the most repeated and perhaps overused phrases of recent years. “Those ****rs at Company X ask me to pay $10 per month to use their word processor, but instead I can use Google Docs for free”. Ah, I heard this so many times, and I am guilty of the same sin as well. It is not that Google is omnibenevolent; Google is a company after all and by definition, it exists to make money. So, excuse this overly simplistic view here, instead of asking you to pay for a product, they use the data you put into their services to make money. Fair trade? I’d say hardly.

Even if you have no problem exchanging your data with those companies’ services, you still might have grounds to be concerned about your digital identity and anonymity, especially in light of scandalous events like the Facebook-Cambridge Analytica data scandal of recent years. This event has shown the world that even some of the largest companies in the world not only sell your data but also use your own data to affect your political decisions.

But even if you are somehow certain that your mind is of the purest Valyrian steel that no one can even put a dent in it, the story does not end here: Even a company that stores your data for purely benevolent reasons can be attacked, and whether by their own incompetence or not, you might be a victim of a cyberattack on those companies or even on yourself.

In fact, Keeper Security’s 2022 US Password Practices Report shows that “55% of respondents in our survey have been the victim of a cyberattack at least once, with almost a fifth (18%) of respondents saying money was stolen as a result. On average, respondents lost $378”.

So, even if it is far from your own fault, it is very likely that most companies will not cover your losses. You feel a bit optimistic? Go read the terms of service the next time you sign up for a service provider. Many years passed since then, but I still cannot get over the fact that once I saw a clause saying more or less that “This company cannot be held responsible in case the user financially suffers due to a technical error on our servers” on a brokerage company’s terms of service contract for futures trading services.

This is not all at all: Most Web2 companies loot your data, hide them behind walls, and make you think that you cannot do anything with your own data.

Those companies practically claim that your personal data belongs to them! And, quite sadly for all of us, at some time, we forget that they keep our data hostage, and even more, they think that we cannot do anything about this.

But that could not be farther away from the truth! In today’s world, our digital lives and social identities are evolved beyond their antiquated infrastructures. We could do much more with our data, like using your Uber driver reputation to get a loan, your Airbnb host reputation to get a discount on others’ Airbnb’s, or even your Twitch influencer profile to attend invitation-only super-classy events. But, instead, those companies keep your data hostage, they act as if they can do whatever they want with it, and in fact, they do whatever they want with it: Even selling it in their competitive environment is not out of the question.

Web2 vs. Web3 + Sismo

Sismo was recently featured in a list of Vitalik Buterin’s most exciting projects.

As Sismo put on their manifesto; our digital identities are currently being held hostage by a headless conglomerate of centralized corporations and governments which are posing a threat to our sovereignty as individuals. Their centralized infrastructures, designed in the early 2000s, have become obsolete — and dangerous. Never have the tech giants commanded so much control over our personal data as they do today, nor has the government ever been able to access our digital information more freely: we are promptly losing our mandated ability to keep both our public and private institutions in check.

The Sismo team, who is strongly concerned about such matters, believes that self-sovereign accounts are a unique opportunity to take back control of our digital identities and start a new era for societies.

But do not get us wrong: Sismo is not some libertarian utopia, and they are not anti-governments. All they want is to protect what makes us human at the core: our personal sovereignty, our freedom to think, and the ability to impact the world around us.

In short, it is very simple: Web2 works mostly for “them”, not for you.

A vast improvement over Web2, based on blockchain technology, that nowadays we call Web3, has been taking over the ‘net. But what is this Web3? Why does everyone think it is magic? To not bother you with technical details, this is one of the best explanations of it I have ever seen:

“Web 2 has been top-down oriented. Websites (applications) are anchoring information — it’s an app-centric flow. Apps own users. Web 3 is address-centric. The users are embedded in the protocol, and they do not require apps or websites to create accounts or online identities.” (Source: https://zeeprime.capital/social-web-3)

Web3 meeting Web3, or me saying “surfing the ‘net”

Still too technical? Perhaps this is better:

Web2 products own your data, and those companies silo your data; this is why you have to create new accounts for every website. On the other hand, Web3 products enable you to own your own data, whether with the aid of an account, a wallet, or an online identity.

Especially considering the rise of decentralized identity solutions, like Sismo, ENS, Sign-in with Ethereum, and many others, the whole landscape of the Internet is going through a massive change: What you do with your own data is completely up to you. Furthermore, as most of the security is backed up with cryptographic solutions and blockchain technology, which are proven again and again to be rock solid since the dawn of decentralized technologies, you have much less to worry about. These are all thanks to the fact that your personal data are stored on blockchain wallets, which the security is ensured by cryptographic measures. No one with access to your wallets can access your private data.

As you are the sole owner of your wallet in which your data is stored, your data is protected by default.

Since you own your own data, you protect your digital privacy and anonymity by default, and you are less prone to cyberattacks. Furthermore, by participating in this Web3 movement, even if you act solely for your own benefit, you still make the world a much better place.

One of the most powerful primitives offered by cryptography is self-sovereign accounts, which contain the owner’s data. They are controlled by a private key, and anyone can create such an account without needing permission. Bitcoin wallets, Ethereum wallets, and Decentralized Identifiers (DID) are all examples of sovereign accounts.

Decentralized applications, deployed on blockchains, serve users that come with their own sovereign accounts. The personal data generated when interacting with these applications form a digital identity — but unlike in web2, this is a sovereign identity, fully owned by the user and stored on-chain. Sovereign accounts can also store data from traditional accounts (e.g. GitHub, Twitter, national passports) that have been ported on-chain.

Since self-sovereign accounts are ruled by private keys, we can actually do much more with them than just interacting with decentralized applications. These are extremely potent accounts that can use cryptography to perform many different (sovereign) actions!

For example, we can log in with our sovereign accounts to traditional centralized applications, where email + password logins are replaced by a wallet signature, such as Sign-In-With-Ethereum. When we do so, we bring our sovereign data to the application we choose.

Another powerful sovereign action is the ability to generate Zero-Knowledge proofs and selectively reveal only some of our personal data.

But even if Web3 addresses do wonders to protect your anonymity, as by default they have no identity, your decentralized accounts have no visible connection to you. This is not very convenient, considering how our online and offline social interactions work: After all, how would you know that this wallet belongs to me in the case that you want me to send some ETH, right?

So, the tradeoff is this: Decentralized identity solutions protect your anonymity; but, due to this anonymity, they might not bear any visible public connection to you.

Furthermore, it turns out that even though many Ethereum users have multiple accounts, around 73% of those users do not retain a public connection between their addresses to protect their privacy, resulting in a fragmented history and reputation over multiple accounts, even though we live in this world of open and interoperable protocols where we are accustomed to reusing everything. Especially considering that most tokens bear governance powers, most NFTs bear rights, etc., this is a waste of both financial and social power.

Web3 meeting Web2.

But the future is now. Web3 is opening the gates and when they are open, privacy becomes even more essential. And we are here to help you to preserve your privacy.

ZK Badges

Sismo uses zero-knowledge proofs (ZKP) to help you there. If you have not heard it before and you think it might be too technical for you, fear not! I got your back.

All you need to know about ZKPs at this very moment is this: Thanks to them, you can prove a generality without specificity: You can prove that you are a human (by having a proof-of-humanity registration in your wallet, yeah, still too technical) without revealing that you are THIS human. As you did not reveal which human you are, your anonymity and digital privacy are preserved.

In slightly more technical words, thanks to ZKPs, you can prove that your address is among all addresses with verified proof-of-humanity profiles, without revealing your address. If you are interested to learn more about ZKPs, the wonderchild of Ethereum and the blockchain world, Vitalik Buterin, has authored many pieces on them, but those two should suffice to get you started: 1, 2.

Now that you are familiar with zero-knowledge proofs, it is finally time to introduce you to Sismo. Sismo enables you to aggregate parts of your identity, ZK Badges, into specific different personas, destination accounts, which you can use for different needs and functions: You might want your potential employer to see that you spent most of your time gambling which might affect your application negatively. But still, we all are sums of our different personas and we might have reasons to keep them apart. You can think of Sismo as an identity or rather persona middleware.

Those personas are composed of ERC1115 Non-Transferrable Token representations known as zero-knowledge (ZK) badges on Sismo: As how they are created is not revealed thanks to ZKPs, they enable you to transfer your personal data to your wallet in a way which ensures user and data privacy.

The formula is very simple: Thanks to ZK badges, you can prove that you are an X without revealing which specific X you are. The limit is truly the sky! You can participate in private voting, private airdrops, private group chats, and much more.

All those great privacy-preserving benefits are, in addition to ZK badges, thanks to source and destination accounts: Source accounts are used to prove the eligibility of a badge (for instance, that you are over 18 years old) and destination accounts hold those badges that your source account proved its eligibility. As there will be no public link between your source and destination accounts, your privacy is preserved. You can think of this as Tornado Cash, but for data.

Just in case your mind is not blown away, here is another example: You are a big user of Ethereum with more than 1000 transactions on the ledger and want to join this invite-only online chat room that is open only to die-hard Ethereum supporters. They ask you to provide some kind of proof that you are such a person, and what is better than your ZK badge that says that “The owner of this badge has +1000 transactions on Ethereum” without revealing your Ethereum wallets’ addresses? Consider Pokémon GYM badges, but much cooler with brilliant functionality!

ZK Badges go well beyond shiny, perfect-looking badges that you use to show off. ZK Badges (and specific sets of ZK Badges) act as new primitives or atomic units for Web3 apps that want to use novel identity systems. Equally, you can think of ZK Badges as parts of your personas: Surely, the “Voted 2 times in the ENS DAO” ZK Badge is a part of X the Cryptocurrency Enthusiast’s persona, while it hardly is of X the Football Player. So, ZK badges form personas, and different personas form your digital identity.

In short, ZK Badges are used as proofs of parts (or the sum) of your digital identity: Whether it is to join an invitation-only chatroom exclusive for top Ethereum supporters, log in to a social media website, participate in voting, or even gain access to adult content which requires you to be over 18 years old.

Using Sismo, users can generate a wide range of attestations, under the form of ZK Badges, such as “Donated to Gitcoin grants”, “Voted 2 times in the ENS DAO” or “Sent 100+ transactions on Ethereum”. With these attestations, they can gain access to premium features within gated services or prove their reputations in apps and protocols consuming said attestations. In addition, to use those badges for so many purposes, you can even go ahead and mint your Badges on our app.

But, surely, cookie-cutter badges will not work for everyone and every purpose. The Sismo protocol allows multiple types of Badges’ co-existing together as different smart contracts can make different tradeoffs on privacy, decentralization, and/or scalability. You might want to have a ZK badge showing that “This person donated 0.3 BTC to Edward Snowden” with the highest possible degree of privacy, but a ZK badge labeled “This person is an employee at Magical Web3 Co.” needs more scalability than privacy and perhaps decentralization.

Now you understand ZK Badges’ utilities and how they are used, you might be wondering how to obtain them. Sismo enables you to obtain badges in two different ways.

The first one is by creating ZK Badges. You can use Sismo’s No-code UI or follow our tutorial to code a more complex group to create ZK Badges that you and other users can add to their accounts if they meet the eligibility criteria set. Firstly, you will choose a custom of group accounts, or rather a list of addresses; to this, you can come with your JSON or use our tool to generate your groups (Subgraph, BigQuery. Then, you’ll choose the metadata for your ZK badge, including a description and an image (Jpeg/SVG). If any help is needed, you can come to us, and we will help you create your PRs and make your ZK Badge available in Sismo UI!

The second way to obtain ZK Badges is by minting them: If your account meets the eligibility criteria of a ZK Badge set by its creator, then you can obtain the respective ZK Badge. For instance, Sismo’s “Ethereum Power User ZK Badge” requires you to be part of the top 0.1% of the most active users on Ethereum. If you are eligible for this badge, meaning in fact you are part of the top 0.1% most active users on Ethereum, you can obtain this ZK Badge. Anyone that meets the eligibility criteria set by the badge’s creator can obtain ZK Badges, and this process is called minting.

Sismo’s end goal is to enable diverse and interoperable Badges that can be meshed together in creative ways and facilitate real innovation on authentication and reputation systems.

A Bright(er) Future Ahead

Even though I consider myself to be an extremely rational realist and not a moonboy by any standards, I personally believe that the possibilities that blockchain technology will bring to our lives are infinite. The era of “Hey, use our token to gain access to our platform. It is just a poor knockoff of Twitter with 20 users at most, but power to the cause!” projects seem to, thankfully, be over; but Web3 with its many real-life applications is here to stay.

As we save our data from the claws of those predatory Big Data companies, like Google and Meta, we need newer and better ways to protect our data; and blockchain technology is simply perfect for such tasks in hand. Especially as our digital lives get a bigger and bigger part of our whole identity every day and people naturally get more concerned about their digital identities and anonymities; decentralized solutions to these issues could not be more welcomed.

Even though Sismo made so much progress in the last ~15 months, I truly believe that this is only the beginning. You better bring your sunglasses because the future ahead is eye-blindingly bright! Surely, ZK Badges are a terrific start, enabling you to prove parts of your personas or even create personas that the sum of could create your complete digital identity, and they act as the very foundation of your digital identity, but they are just starting.

As Sismo’s mighty king, ZiKing, has hinted in a post recently published, the Sismo team is working on a new version of their app, not only merging the Playground and Curated environments but also a new UX enabling Sismo users to select and multiple badges and much more: A much more dynamic and interactive user experience is coming soon.

Following that, the next step of Sismo’s evolution is “Prove with Sismo”. Let’s say that a physical goods shop PGS is selling Ziki Gen[0] Hats, but only to those of Gen[0]. You add the hat to your cart, you open the checkout window, and the shop asks you to prove you are a Gen[0]. How would you prove it? With “Prove with Sismo”, it takes a few clicks, and hopefully only a few days till you get that sweet swag on your hands.

Although “Prove with Sismo” is just so cool, there are still lots of work to do, the Sismo team thinks. A decentralized single sign-in service, that is similar to social login services which you are very likely to be already familiar with, will be a massive improvement over “Prove with Sismo”. I believe that I managed to draw a fairly detailed picture of how those companies work, how they make money, and how they use and hold hostage your data, throughout this piece; so you should have a fairly good understanding of how great a step a decentralized single sign-in service would be. No company hoarding your data, no company selling your data, no company holding your data hostage, no company trying to manipulate your personal, moral, and political beliefs USING YOUR OWN DATA. Your data belongs solely to you, and it is only natural that you decide how and when to use your data.

After that, Sismo believes that a mobile Sismo app that connects to all your apps is the next evolutionary step. All your apps are connected to one control center, but this time you are the one who commands this spaceship. The control of your phone, your digital mobility, belongs to you. But why stop there and not introduce and improve them even further, right? As the ultimate pinnacle of your digital privacy, Sismo’s mobile app will enable you to sign into your apps and selectively reveal what you consent to. Now, you obtain absolute power over your data: All the data you use to log in is shielded by Sismo, and only the necessary personal information that you give your content to is shared with mobile apps. Buh-bye Web2! We enjoyed the ride for some time, but it was a tragedy to get to know you.

Sismo believes that digital privacy and anonymity is a basic human right, especially in this day and age. This is not just another company trying to make big bucks; other than having its professional goals, what truly matters (and we all feel it in our hearts) is pursuing this ethical goal. For this, Sismo aims to become the infrastructure for Web3 apps, which they believe to be the next evolutionary step of our digital lives. Imagine today’s session cookies, sauce them with the highest degrees of privacy and anonymity; make it crazy futuristic, add lots and lots of that sweet Web3, and voila! Your Sismo is ready.

I hope you enjoyed this piece!

If you are interested in Sismo, you might want to:

Disclaimer: The kind reader should note that even though I have been financially compensated to produce this piece of writing, all opinions stated within belong solely to me. No hard request to change any parts of its content is made by Sismo at the publication date. No opinion within this piece should be taken as a piece of financial advice; in fact, you should not take any financial or whatsoever action based solely on any opinion within this piece. That’s the main point in case I could not make it clear enough. Be your own person, make your own decisions, and do your best to understand others’ opinions, points, truths, and lies. It’s a wild world out there, but still, I personally believe that all there is to a good life is to be a decent person and not be a d**k.

--

--