Data Privacy and Ownership at UnstoppableDec 09, 2022
Share this article:
Unstoppable provides Web3 domains, which offer the infrastructure for people to own and control their data. People add data to their Web3 domains, and can allow apps, games, and metaverses to access that data to make their experience better and more personal. Unlike in Web2, Unstoppable is building a system where people – not companies – own and control their data.
At Unstoppable, your data is yours, and you control what you share. We do not sell your personal data.
Today there are three primary sources of data for your domain identity: data you add, such as profile data, data on the public blockchain, and other metadata such as engagement data from our website, mobile app, and APIs. Data can also be added from partners that you choose to share that data, like Relic tickets proof of attendance.
In this post, we’ll outline where and how profile data is shared and how you’re in control of your data.
Overview of your data with Unstoppable
Initially, when you buy a domain through Unstoppable, only your wallet address is associated with the domain. The smart contract creates a record of your ownership of that domain on the public blockchain, including your Web3 domain and your crypto addresses.
On-chain data is public – that’s the nature of blockchains – and shows that your domain is yours forever. Your Unstoppable profile is linked to one or more wallet addresses on-chain that can be used to send and receive crypto payments with your human-readable name. These addresses are publicly viewable on chain to ensure security for crypto payments. Other on-chain data, like what community you are part of, can be seen through badges you earn and choose to show off on your profile. Importantly your profile also enables you to have private off chain data in addition to public data, which we’ll talk more about shortly.
Control the data you share through Login with Unstoppable
You’re in control of the off chain profile data you share – both with Unstoppable, and with the apps, games and metaverses you log into. Login gives you the option to share off chain profile data with your favorite apps, games and metaverses across Web3, so they can make your experience better – for instance, to offer rewards or to display your domain on a leaderboard. Sharing data through Login is completely optional and opt-in.
Every time you use Login, you get full visibility into what data the app is requesting to access. These requests fall under two buckets: required and optional. If the app has designated a piece of data as required, you have the option to not proceed with logging in. If the data request is optional, you can select which pieces of data you want to share with the app and still log in using your domain.
In the example above, our partner Bandit, an NFT aggregator, is requesting a few pieces of data from a user. The domain records and wallet address are required, so if the user didn’t want to share that information, they’d close out of the Login experience. The three other pieces of information, email, profile information, and social media, are optional. This means the user can uncheck those pieces of data and still log in. Only the data the user has explicitly entered as part of their profile is shared.
A side note on email: We never share your private email address with apps. If you authorize us to share your email address, we share a temporary email address that forwards to your personal email address. Thanks to Unstoppable Email, you can also opt in to sharing your email@example.com email with anyone you don’t want to share your private email with, adding an additional layer of privacy by using our proxy service. Alternatively, you can use your domain to create a new email address and encrypt your emails easily with our email partner Skiff, adding another layer of protection.
As part of our login experience, the user signs a message granting access to the data with the transparency of what they are agreeing to share:
Here’s how Bandit personalizes the user’s experience based on the UD.me profile data:
The user’s name, PFP NFT, wallet address, social handles, and NFTs are all used to make their Bandit profile more personal. Rather than start from scratch from the walled gardens of data, like we do in Web2, the user gets to bring their data with them to this new platform. Login data is stored off-chain, and access is restricted to only get shared when a user signs a message with their private key, just like sending crypto. Your keys, your data.
Giving you more visibility and control with App Access
It’s not enough to just own your data. We also want to make it easy for you to see and control what data you’ve shared with applications. That’s why we introduced App Access, a simple management solution on the Unstoppable website that lets you see all the applications you’ve ever connected with using Login with Unstoppable, along with key information such as your last login date, frequency of logins, and the specific data (scopes) you’ve permissioned to each individual application.
If at any point you want to revoke access for an app, you can do so by expanding the app within the App Access management section and then either revoking all or some of the data:
Clicking the “-” next to an individual data point such as Email will revoke the app’s access to that data. Selecting the preferences icon, next to a grouping of data such as Personal Information, allows you to have more fine grained permissions for each data point:
Unchecking a value and pressing the “Confirm” button will save your election not to return that piece of data to this app in the future. Alternatively, by clicking the larger “Revoke Access” button, all data will no longer be accessible to the app.
If you want to opt back in, simply go through the login experience again and sign with your wallet to share data. You get transparency into both revoked and active apps, and you can easily filter, sort, and search for specific apps.
Many crypto users have connected their wallets directly to apps using just their address, permissioned smart contracts, and then have forgotten about it. This is not good security practice. We believe using Login with Unstoppable will prove a much safer way to connect with apps over time as we continue to improve monitoring and security features for your domain name - something you won’t get by just connecting your address. Expect more features from us in 2023 to protect your security when connecting with apps, going above and beyond what you currently get connecting your naked address without a domain.
Adding more privacy into UD.me profiles
Every domain owner can optionally build out their UD.me profile. Now, you can also pick and choose what data to display publicly or to only share with the apps, games and metaverses you authorize.
You have the power to toggle public or private settings, or even delete the data completely from the UD servers. You can visit or share your ud.me/domainame.tld to see which data is public.
Where we’re headed
At Unstoppable, we default to more privacy, not less. This is complicated by the fact that most blockchains are public by default. Over time, we expect to offer more options for where to store your data: whether that’s at Unstoppable, on IPFS, within your mobile device, on one or more blockchains, or on cloud storage, will ultimately be up to you. Verified off-chain data tied back to an on-chain identity, as we’ve built with UD profiles, will be an important component of a more private future internet.
We’re building more ways for you to have better data privacy. Our first experiments with shielding your email address by using a proxy address to forward email is an example. We want to make sure you have good up to date information on who has accessed your data, what data they accessed, and enable you to turn off their access whenever you want. In Web2, it’s likely that your data is held in thousands of websites right now, and you have no idea what they each have. In Web3, we want to make it easy for you to see who has access to what at all times, and eventually to make monitoring this data much easier for you.
We also want you to be able to see what you’re sharing when you sign into an app, whenever you want to review your profile page, and ultimately in real time whenever a sign in happens so you can monitor your data in real time. Imagine, for instance, knowing instantly if your wallet has been compromised because you receive a notification of an unknown sign in.
The promise of Web3 is that you have ownership and control over your digital identity. Why should big tech companies profit off your data? In the future, we could envision a system where you can opt in to monetizing your own data – for instance, share your Twitter name with an app, game or metaverse for a reward. We’re committed to building tools to make owning and controlling your data easier for you.
Our commitment to you: We do not – and will not – sell your personal data without your explicit consent. It’s your data. You own it.