Traditional confidentiality agreements typically create a bilateral relationship between two parties—a discloser and a recipient. Once the recipient shares that information with a third party, the original confidentiality obligations often do not automatically transfer. This creates a "confidentiality gap" where data can leak through successive disclosures, even if the original disclosure was protected.

Hartzog's chain-link confidentiality model proposed that confidentiality obligations should be structurally embedded in the disclosure itself, such that anyone receiving the information automatically inherits the confidentiality constraints. This approach draws inspiration from property law concepts where certain rights and restrictions "run with the land"—they attach to the property itself rather than just to specific parties.

In the context of digital identity and verifiable credentials, this legal framework becomes particularly important because:

• Digital data is easily copied: Unlike physical documents, digital credentials can be replicated perfectly and shared instantaneously
• Multi-party verification: Credentials often need to be verified by multiple parties in a transaction chain (e.g., a credential verified by a bank, then by a regulatory authority, then by an auditor)
• Correlation risks: Each disclosure creates opportunities for data correlation and privacy leakage
• Regulatory compliance: Data protection regulations like GDPR require ongoing control over personal data even after disclosure

KERI's Approach

Within the KERI ecosystem, chain-link confidential disclosure is implemented as a core privacy mechanism for ACDC presentations through the IPEX (Issuance and Presentation Exchange) protocol. The KERI approach integrates legal confidentiality frameworks with cryptographic verification mechanisms to create a comprehensive data protection system.

Integration with Graduated Disclosure

Chain-link confidential disclosure works in conjunction with KERI's graduated disclosure mechanisms. Graduated disclosure allows an ACDC holder to progressively reveal information through multiple stages:

1. Compact disclosure: Initially revealing only SAIDs (Self-Addressing Identifiers) of field maps
2. Partial disclosure: Revealing some but not all field maps
3. Selective disclosure: Revealing specific attributes from selectively disclosable sets
4. Full disclosure: Revealing complete details of previously compact or partial disclosures

At each stage of graduated disclosure, the discloser can impose contractual protections through chain-link confidentiality. This means:

• The initial compact disclosure comes with confidentiality terms
• Further information is only revealed after the recipient agrees to additional terms
• Each progressive disclosure carries forward all previous confidentiality obligations
• New obligations can be added at each disclosure stage

Distinction from Cryptographic Chaining

The ACDC specification makes a critical distinction between two types of "chaining":

1. ACDC Issuance Chaining: The cryptographic chaining of ACDCs in a directed acyclic graph (DAG) structure, where credentials reference other credentials through cryptographic commitments (edges)
2. Chain-Link Confidentiality Chaining: The legal/contractual chaining of confidentiality obligations across a sequence of Disclosees

These are distinct mechanisms that serve different purposes:

• Cryptographic chaining establishes verifiable provenance and authenticity of credentials
• Confidentiality chaining establishes legal obligations and usage rights for disclosed data

However, they work together synergistically: cryptographically chained ACDCs can be disclosed under chain-link confidentiality protections, with the cryptographic structure providing verifiable authenticity while the confidentiality framework provides legal protection.

Dynamic Per-Exchange Negotiation

A key feature of KERI's implementation is that chain-link confidentiality is dynamically negotiated on a per-event, per-data exchange basis. This means:

• Confidentiality terms are not static or one-size-fits-all
• Each disclosure event can have tailored confidentiality constraints
• Terms are negotiated based on the specific data being shared
• Different attributes within the same ACDC can have different confidentiality levels

This dynamic approach allows for:

• Context-appropriate protection: Sensitive attributes get stronger protections
• Flexible business models: Different disclosure scenarios can have different terms
• Regulatory compliance: Terms can be adapted to meet jurisdiction-specific requirements
• Risk management: Protection levels can match the sensitivity and value of disclosed data

Primary Mechanism for Digital Data Rights

Within the KERI ecosystem, chain-link confidentiality serves as the primary mechanism for granting digital data rights. This is accomplished by:

1. Binding information exchange to confidentiality laws: The contractual terms reference applicable confidentiality statutes and regulations
2. Expressing constraints in legal language: Usage restrictions are written in legally enforceable terms
3. Applying to both second and third parties: Constraints explicitly cover direct recipients and all downstream recipients
4. Creating enforceable obligations: Violations of confidentiality terms create legal liability

Relationship to Presentation Exchanges

Chain-link confidential disclosure is specifically designed for presentation exchanges in the IPEX protocol. When a holder presents an ACDC to a verifier:

1. The presentation can be structured as a contractually protected disclosure
2. The verifier must agree to confidentiality terms before receiving full disclosure
3. If the verifier later shares the information, they become a discloser to a new disclosee
4. The new disclosee automatically inherits all confidentiality obligations
5. This chain continues for all subsequent disclosures

This mechanism is particularly important for issuance exchanges, where the Issuer discloses a newly issued ACDC to the Issuee. The Issuer can impose confidentiality terms that will bind not just the Issuee, but anyone to whom the Issuee later presents the credential.

Practical Implications

Use Cases

Chain-link confidential disclosure addresses several critical use cases in verifiable credential ecosystems:

Enterprise Credential Sharing: When a legal entity receives a vLEI (verifiable Legal Entity Identifier) credential, they may need to present it to multiple parties (banks, regulators, auditors, business partners). Chain-link confidentiality ensures that each verifier is bound by the same confidentiality obligations, preventing unauthorized data aggregation or correlation.

Healthcare Records: Medical credentials containing sensitive health information can be disclosed to healthcare providers with confidentiality terms that prevent unauthorized sharing with insurance companies, employers, or other third parties.

Financial Services: Financial credentials (credit scores, account balances, transaction histories) can be disclosed to lenders with terms preventing sale to data brokers or use for marketing purposes.

Supply Chain Verification: Product provenance credentials can be disclosed to supply chain participants with terms preventing disclosure to competitors while allowing regulatory inspection.

Educational Credentials: Academic credentials can be disclosed to employers with terms preventing sharing with background check services or credential verification companies without the holder's consent.

Benefits

Privacy Protection: The primary benefit is maintaining privacy control even after disclosure. Unlike traditional credentials where the holder loses control once disclosed, chain-link confidentiality maintains legal protections throughout the data lifecycle.

Regulatory Compliance: Helps organizations comply with data protection regulations (GDPR, CCPA, etc.) by maintaining documented consent and usage restrictions even as data moves between parties.

Reduced Correlation Risk: By imposing legal consequences for unauthorized correlation or aggregation of disclosed data, chain-link confidentiality reduces the risk of privacy-invasive data practices.

Flexible Business Models: Enables credential holders to monetize their data by imposing usage fees or restrictions on downstream use, creating new economic models for data sharing.

Trust Enhancement: Verifiers are more willing to accept credentials when they know their own obligations are clearly defined and that they won't face unexpected liability from downstream disclosures.

Trade-offs

Legal Complexity: Implementing chain-link confidentiality requires careful legal drafting to ensure terms are enforceable across jurisdictions and clearly understood by all parties.

Enforcement Challenges: While the mechanism creates legal obligations, actual enforcement requires legal action, which may be impractical for low-value disclosures or across international boundaries.

User Experience: Requiring recipients to review and agree to confidentiality terms at each disclosure stage can create friction in the user experience, potentially slowing adoption.

Verification Burden: Verifiers must track and manage confidentiality obligations for all credentials they receive, creating operational overhead.

Jurisdictional Variations: Confidentiality laws vary significantly across jurisdictions, requiring terms to be adapted for different legal contexts.

Technical-Legal Gap: The mechanism bridges technical (cryptographic) and legal (contractual) domains, requiring expertise in both areas and creating potential for misalignment.

Despite these trade-offs, chain-link confidential disclosure represents a significant advancement in privacy-preserving credential systems, providing a mechanism for maintaining data rights and confidentiality protections even in complex multi-party disclosure scenarios. When combined with KERI's cryptographic verification mechanisms and graduated disclosure capabilities, it enables a new generation of privacy-respecting verifiable credential applications.