Comprehensive Explanation

chain-link-confidentiality

Conceptual Definition

Chain-link confidentiality (CLC) is a fundamental privacy protection mechanism in the KERI/ACDC ecosystem that establishes legally binding confidentiality obligations across a sequence of data disclosures. Unlike traditional one-time confidentiality agreements, CLC creates a perpetual chain of obligations where each recipient inherits and must maintain the confidentiality constraints established by the original discloser.

The mechanism operates by chaining together a sequence of Disclosees, where each party in the chain:

1. Receives disclosed data subject to specific usage constraints expressed in legal language
2. Becomes bound by those constraints as a Disclosee
3. Must apply the same constraints when acting as a Discloser to the next party in the chain

This creates what the concept's name suggests: a "chain link" where confidentiality obligations are transferred and maintained across multiple parties, ensuring that the original data rights and usage constraints persist throughout the data's lifecycle.

Key Properties

Dynamic Negotiation: Confidentiality terms are negotiated on a per-event, per-data exchange basis rather than through static, universal agreements. This allows constraints to be tailored to the specific data being shared in each exchange.

Legal Enforceability: Usage constraints are expressed in legal language that can be enforced through confidentiality laws, creating a bridge between technical disclosure mechanisms and legal privacy frameworks.

Third-Party Protections: Constraints explicitly apply to both second parties (direct recipients) and third parties (downstream recipients), preventing unauthorized exploitation as data moves through the disclosure chain.

Scope and Boundaries: CLC specifically addresses the legal and contractual aspects of data sharing, distinct from the cryptographic chaining of ACDCs in a directed acyclic graph structure. The document explicitly contrasts:

• Issuance chaining: The cryptographic chaining of ACDCs that establishes verifiable provenance
• Confidentiality chaining: The legal/contractual chaining of confidentiality obligations across Disclosees

These are fundamentally different concepts serving different purposes within the system.

Historical Context

The concept of chain-link confidentiality is grounded in legal scholarship, specifically referencing Woodrow Hartzog's work on chain-link confidentiality. This academic foundation provides:

• Legal frameworks for enforcing downstream confidentiality obligations
• Theoretical basis for how confidentiality can be maintained across multiple parties
• Models for expressing and enforcing data usage constraints

Traditionally, confidentiality agreements have been bilateral contracts between two parties, with limited mechanisms for ensuring that confidentiality obligations persist when data is shared further downstream. The challenge has been creating legally enforceable frameworks that:

1. Bind parties who were not signatories to the original agreement
2. Maintain enforceability across jurisdictional boundaries
3. Provide clear remedies for violations at any point in the chain
4. Scale to complex multi-party data sharing scenarios

Chain-link confidentiality addresses these challenges by creating a contractual framework where each disclosure event establishes new obligations that reference and incorporate the original constraints.

KERI's Approach

Integration with Presentation Exchanges

Within the KERI/ACDC ecosystem, chain-link confidentiality is implemented through the IPEX (Issuance and Presentation Exchange) protocol. Disclosures via presentation exchanges may be contractually protected by chain-link confidentiality, creating what is called a "Chain-Link Confidential disclosure".

This integration means that when presenting verifiable credentials or ACDCs, the presenter can impose ongoing confidentiality obligations that bind all future recipients. The technical implementation involves:

1. Schema Disclosure First: Before sharing actual data contents, the schema of the data is disclosed, allowing recipients to understand the structure and nature of information without exposing sensitive content.

2. Contract Presentation: Legal contracts expressed as Ricardian contracts are disclosed and must be agreed to before data contents are shared.

3. Cryptographic Verification: The IPEX protocol uses CESR-Proofs to cryptographically verify acceptance of contractual terms.

4. Content Disclosure: Only after legal agreements are cryptographically confirmed are the actual data contents exchanged.

Primary Mechanism for Digital Data Rights

Chain-link confidentiality serves as the primary mechanism for granting digital data rights by binding information exchange to confidentiality laws. This approach:

• Bridges Technical and Legal Domains: Combines cryptographic verification (through KERI and ACDC) with legal enforceability (through confidentiality law)
• Enables Compliance: Meets regulatory requirements for data protection and privacy while maintaining cryptographic verifiability
• Provides Recourse: Creates legal remedies for privacy violations at any point in the disclosure chain
• Supports Graduated Disclosure: Works in conjunction with graduated disclosure mechanisms to progressively reveal information while maintaining control

Distinction from Cryptographic Chaining

A critical aspect of KERI's approach is the clear distinction between two types of "chaining":

Cryptographic Chaining (via SAIDs and DAG structures):

• Establishes verifiable provenance of credentials
• Creates cryptographic commitments between ACDCs
• Enables verification of credential chains
• Operates at the technical/cryptographic layer

Confidentiality Chaining (via CLC):

• Establishes legal obligations between parties
• Creates contractual commitments for data usage
• Enables enforcement of privacy constraints
• Operates at the legal/contractual layer

Both mechanisms work together but serve distinct purposes. The cryptographic chaining proves what was issued and by whom, while confidentiality chaining governs how that information may be used and shared.

Supporting Technologies

KERI's implementation of chain-link confidentiality leverages several core technologies:

• CESR (Composable Event Streaming Representation): Provides encoding framework for contracts and proofs
• SAIDs (Self-Addressing Identifiers): Ensures cryptographic binding of contract content
• CESR-Proofs: Enables cryptographic proof of contract acceptance
• Ricardian Contracts: Supports machine-readable legal agreements
• IPEX: Coordinates the exchange of schemas, contracts, and data contents

Practical Implications

Use Cases

Enterprise Credential Sharing: Organizations can share verifiable credentials with partners while maintaining control over how that information can be used, stored, and further disclosed. This is particularly important for the vLEI ecosystem, where legal entities need to share credentials while maintaining control over information usage.

Regulated Industries: Healthcare, finance, and other regulated sectors can use CLC to ensure that data sharing complies with privacy regulations (GDPR, HIPAA, etc.) by embedding regulatory requirements directly into disclosure contracts.

Supply Chain Transparency: Companies can share supply chain data with downstream partners while restricting how that information can be used or shared with competitors, enabling transparency without compromising competitive advantage.

Privacy-Preserving Presentations: Individuals can present credentials to verifiers while imposing restrictions on data retention, usage, and further disclosure, maintaining control over personal information even after initial disclosure.

Benefits

Legal Enforceability: Unlike purely technical privacy mechanisms, CLC creates legally binding obligations with clear remedies for violations, providing recourse when privacy is breached.

Scalability: The chain-link mechanism scales to complex multi-party scenarios without requiring all parties to be signatories to a single master agreement.

Flexibility: Per-event, per-data negotiation allows constraints to be tailored to specific use cases rather than relying on one-size-fits-all privacy policies.

Transparency: All parties understand their obligations before receiving data, reducing ambiguity and potential disputes.

Downstream Protection: Original disclosers maintain control over their data even as it moves through multiple parties, preventing unauthorized exploitation.

Trade-offs

Complexity: Implementing CLC requires coordination between technical systems (KERI/ACDC) and legal frameworks, increasing implementation complexity compared to simpler disclosure mechanisms.

Jurisdictional Challenges: Enforceability may vary across jurisdictions, requiring careful consideration of applicable law and dispute resolution mechanisms.

Overhead: The schema-contract-content disclosure sequence adds latency and complexity to data exchanges compared to direct disclosure.

Legal Costs: Drafting, reviewing, and enforcing contracts requires legal expertise and may involve litigation costs if violations occur.

Monitoring Burden: Original disclosers may need to monitor compliance throughout the disclosure chain, which can be resource-intensive in complex scenarios.

Not Absolute Privacy: CLC provides legal protections but cannot prevent technical attacks or unauthorized access through system compromises. It complements but does not replace technical security measures.

Relationship to Other Privacy Mechanisms

Chain-link confidentiality works in conjunction with other KERI/ACDC privacy features:

• Selective Disclosure: CLC can protect selectively disclosed attributes, ensuring that even minimal disclosures are subject to usage constraints.
• Partial Disclosure: Contractual protections can be applied at each stage of graduated disclosure.
• Compact Disclosure: Even when only SAIDs are disclosed, CLC can govern how those references may be used.
• Contractually Protected Disclosure: CLC is a key component of the most elaborate disclosure mechanism in IPEX.

Implementation Considerations

Contract Design: Effective CLC requires carefully drafted contracts that:

• Clearly specify permitted and prohibited uses
• Define obligations for downstream disclosures
• Establish remedies for violations
• Address jurisdictional and choice-of-law issues
• Provide mechanisms for dispute resolution

Technical Integration: Systems must:

• Present contracts in human-readable and machine-readable formats
• Obtain cryptographically verifiable acceptance
• Track disclosure chains for compliance monitoring
• Integrate with existing legal and compliance frameworks

User Experience: The disclosure process must balance security with usability:

• Contracts should be understandable to non-lawyers
• Acceptance workflows should be streamlined
• Users need visibility into their obligations
• Systems should provide clear feedback on compliance status

Conclusion

Chain-link confidentiality represents a sophisticated approach to privacy protection that bridges technical and legal domains. By creating perpetual chains of confidentiality obligations that bind all parties in a disclosure sequence, CLC enables organizations and individuals to share verifiable credentials while maintaining control over how that information is used. Within the KERI/ACDC ecosystem, CLC serves as the primary mechanism for granting digital data rights, providing legally enforceable protections that complement the cryptographic security of the underlying infrastructure. While implementation requires careful attention to both technical and legal considerations, CLC enables privacy-preserving data sharing at scale, making it particularly valuable for enterprise, regulatory, and high-stakes credential scenarios.