6.3.5. Privacy Concern

As discussed in the potential security vulnerabilities, lacking a key rotation mechanism would imply the same public address is possible to be mapped to an actual registered node. The system role identifier of each registered node could further be mapped to a true identity of the representative organization or entity of the supply chain industry, by other registered nodes running on the same blockchain network if the decentralized solutions are developed in a setting with *permissioned blockchain implementations*.

Although public addresses stored on-chain could be obfuscated with hash functions applied, events could be emitted when methods of the deployed smart contracts are invoked, whenever there is a new transaction initiated on product record operations related to the same public addresses. The related events are later received by the event listener of every blockchain service instance. With more events emitted involving the same set of public addresses, it is more likely a specific public address could be mapped to an actual registered instance, and so its transaction volume could still be derived by other users of the decentralized solutions, which could potentially be its competitors. In addition to public addresses, these data fields could directly relate to physical entities and cause privacy concern if there is no privacy-preserving technology in place for these sensitive data fields. If the NFC tags are not deactivated properly when the respective products are consumed or transferred, it could possibly lead to a privacy threat based on any unencrypted or unobfuscated data field of specific product records stored in the NFC tags. Privacy-preserving technologies are required with use cases defined, based on chosen mechanisms on data processing and validation procedures to be included in the decentralized solutions.
