SOLO or "Why a public key is NOT personal information"
SOLO by CoinPlus
"SOLO" is the name of a new "hardware wallet" by a company called CoinPlus which has recently become available on Amazon. I found it on both amazon.de and amazon.fr, but you need to know what you are looking for.
It's basically a run-of-the-mill plastic card with a Bitcoin (BTC) public address printed on one face that comes shrink-wrapped for the rather hefty price of 12€. There's also an Ether (ETH) variant, as well as a steel (sic!) one!
The innovation is on the back of it and concerns the private key:
As you can see, there are two "secrets" covered by shiny scratch plastic. If someone has sent you BTC (or ETH for the Ether variant) to the public address on the recto, and you want to access that sum, then you have to do the following:
- download and install on your smartphone the CoinPlus app, available on AppStore and Google Play
- scratch both the first secret and the second secret
- carefully enter them in the respective fields in the app, which will generate a private key
- import the generated key pair into a BTC (or ETH) wallet
- use your BTC
The two secrets are supposedly printed on the card by two different legal entities in a process that CoinPlus claims to have a patent for. The idea is that in the fabrication process no person can see both secrets (the second is not yet printed when the first is covered, the first is already covered when the second is printed).
Therefore, to obtain the private key you need to scratch the back of the card, and scratching leaves evident traces. If you buy a card where both secrets are covered then you can be sure that no one but you owns the private key ...
If you trust the CoinPlus story, that is ... Because ... what if there is collusion between two employees from the two companies that write a secret each? Or what if someone discovers a way to scratch the secrets and copy them and then cover them back in a way that is not visible?
Also, you depend on the CoinPlus app - what if, precisely when you need it, in 10 or 20 or 30 years' time, you discover that it hasn't been updated because the company went under and the app doesn't work on newer phones anymore?!
Why would anyone use this product?
Frankly, it's not obvious what is the target of this product. If you really want to use your crypto, this is by far not a convenient / practical product. Such a product is useful if you simply want to put BTC into cold storage ... on a credit card rather than on a Ledger nano S or a Trezor ... Someone who is quite familiar with credit cards would feel less overwhelmed by a Solo than by a Ledger or Trezor ...
The typical person I have in mind is a rich sheikh from a petro-state that has got his cash, his real estate, his gold, his luxury cars, his stocks and bonds and now wants to play a "systemic hedge" and diversify into BTC ...
Speaking of rich sheikhs is a good opportunity for me to insert here what I think is the best ever ad, for the 1993 Renault Clio Baccara (only in Arabic and French, sorry!).
"Pas assez cher, mon fils!" / "Not expensive enough, my son!" says the ageing Sheikh to his son to explain why he wants him to swap his little Renault Clio Baccara for something more ... "princely".
A quite narrow population, these ultra-rich sheikhs, I'd say ...
Anyway, I wanted to test end to end, especially since I got one as a present. I've sent 2 mBTC from Binance to the public address on my Solo and realized two things:
- Although the SOLO has NFC (you can read the public key with NFC Tools), it would have been soooo much more practical to offer a QR code! Apparently it's for the next version. As it is, I entered the public key by hand, which was a pain.
- Binance is quite expensive when withdrawing BTC: I paid 0.5 mBTC to withdraw to the Solo
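A check worth running on any hand-typed address before funding it, shown here as an added example that is not part of the original post or CoinPlus code: legacy Bitcoin addresses carry a 4-byte double-SHA-256 checksum (Base58Check), so a typo can be caught offline. It assumes the card shows a legacy Base58 address (starting with 1 or 3); the sample input is the widely published genesis-block address, not the author's.

```python
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(text: str) -> bytes:
    """Decode a Base58 string to bytes, rejecting look-alike characters."""
    num = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:  # 0, O, I and l are deliberately not in the alphabet
            raise ValueError(f"character {ch!r} is not valid Base58")
        num = num * 58 + idx
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    # Each leading '1' in the text stands for one leading zero byte.
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def check_legacy_address(addr: str) -> str:
    """Return the address type if the checksum holds, else raise ValueError."""
    raw = b58decode(addr.strip())
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        raise ValueError("decoded length is not 25 bytes")
    payload, checksum = raw[:-4], raw[-4:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if checksum != expected:
        raise ValueError("checksum mismatch: address was mistyped or altered")
    kinds = {0x00: "P2PKH", 0x05: "P2SH"}  # mainnet version bytes
    if payload[0] not in kinds:
        raise ValueError("unknown version byte")
    return kinds[payload[0]]


def is_valid(addr: str) -> bool:
    """Boolean wrapper for use in a form or script."""
    try:
        check_legacy_address(addr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # public genesis-block address
    print(sample, check_legacy_address(sample))
    print("one wrong character accepted?", is_valid(sample[:-1] + "b"))
```

A passing checksum only shows the string is a well-formed address; comparing it against a second reading of the card (for example the NFC value) is still what confirms it is the right one.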
I checked the blockchain and, sure enough, it worked: the public address of the Solo now has 1.5 mBTC.
I then followed the steps explained above and entered the private key provided by the app in Electrum (not something straightforward if you are not into crypto, I must say, so the sheikh will probably need to hire someone if he ever needs to touch the BTC on the card).
I then used the private key to send the 1.5 mBTC back to Binance.
Computing the margin of Binance on BTC withdrawals from the actual blockchain fee (0.00192mBTC) is left as an exercise to the reader.
As this is (at first glance) a test, I should have published this under my "lighter" account, @sorin.lite (check it out and follow if you want to avoid "blockchain-babble-induced headaches" from this account).
But in the end I decided to publish here under @sorin.cristescu because the moral has nothing to do with the Solo, which is a product I cannot recommend to anyone I know - because I know no rich sheikh (... yet, but please introduce me to one if you happen to count one among your contacts) ...
The moral has to do with ... GDPR! As I had reported in the article "Blockchain and GDPR - a Call to Arms!", during a workshop organised by the EU Blockchain Observatory and Forum, I had to argue with many lawyers and "data protection officers" on the topic of public keys.
By severely contracting and overly simplifying a nuanced opinion of the arcane body called "Article 29 Working party" (which said that under specific circumstances, when it is relatively straightforward to combine and corroborate information, a public key may constitute "personal information"), almost everybody in that workshop was taking the position that a public key is personal information (and therefore subject to GDPR).
The Solo is the best physical, tangible example of why that position is wrong: the Solo can be used just like a bank note. Charge it with, say, 1 BTC and then it can change hands without anyone ever needing the private key. Heck, even without taking it out of the wrapper!
By using the public key, anyone can ascertain that the Solo holds 1 BTC and it can thus change hands a random number of times - in effect taking "off-chain" the money exchanges. "I give you the Solo, you do something for me that we both agree is worth 1 BTC".
At no point do these exchanges carry the tiniest amount of "personal information". The correct position requires lawyers (including Dr. Michèle Finck) to refrain from over-simplifying and take the stance that in most cases public keys are NOT personal information.
In order to infer from a public key who the physical person is, a fair amount of skill, time, effort and determination is required, and the result simply does not warrant the necessary cost and time (outside of law enforcement, which is explicitly not in scope of GDPR, see Art. 19).
Thus, according to the same GDPR, it would fail the test of "reasonably likely to be used" (Art. 26 of GDPR):
To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.