Are blockchains and privacy incompatible? (2024)

I recently had an opportunity to dive deeper into the underlying concepts and use-case scenarios for blockchain technology. This was particularly enlightening given my current field of concentration, which is data privacy, specifically the implementation of the European Union General Data Protection Regulation (GDPR). The idea which got lodged in my head is basically this: are blockchains and privacy regulations, the most notable of which is the GDPR, compatible?

Some of you may not immediately see the connection; I know I didn’t. To be perfectly honest, I really spent a lot of time in my head coming to terms with the concept. I remember the last time I thought this hard was as an infosec newbie several years ago when the concept of public key infrastructure (PKI) was first explained to me. In retrospect, that was way easier to understand.

Ask ten different typical people (not those into IT, infosec or privacy) what they think blockchains are and likely, you’ll get just one answer: Bitcoin. Ask them further about the subject or the connection between blockchains and Bitcoins and you’ll probably get shrugged shoulders and/or vague explanations of what blockchains really are.

Not so long ago I was just as clueless about blockchains as most people are, and in many ways I still am. But the more I thought I understood things, the more questions came to mind. One thing seems clear enough, and that is that blockchains are not the solution to everything, as some are hyping them to be. Truth be told, blockchains are game changers and formidable technologies in the hands of information technology, information security and data privacy professionals. But like every other piece of technology, they are not without their drawbacks and compromises.

First things first, what exactly is a blockchain anyway? According to the book “Introduction to IT Privacy” published by the International Association of Privacy Professionals (IAPP), the concept is more accurately referred to as Cipher-block chaining (CBC). CBC encrypts each block as a function of the block’s plaintext and the previous block’s ciphertext. Yes, the textbook explanation doesn’t really seem any easier to comprehend, but allow me to try and simplify it further. What blockchain technology entails is storing data in a series of sequential blocks, say block 1, block 2, and block 3. Block 1, being the first block (the genesis block), is encrypted with a randomly generated piece of data (the initialization vector), and the resulting encrypted block is hashed; that is, a value is generated which is unique to the encrypted block. It is this value, the hash value, or simply the hash, which is used in the encryption of the second block, and the second block’s hash is in turn used to encrypt the third block, and so on…hence a literal block chain, now known as a single word, blockchain. The end product is a daunting piece of cryptography which is basically immune to tampering or manipulation, that is, immutable.

Immutability is achieved by distributing a blockchain among its different users, as a distributed ledger if you will, not unlike how we use peer-to-peer (P2P) networks (torrents, anyone?). While anyone can essentially add to the ledger, no one can change anything in the preceding blocks. Any attempt to do so will change the sequence of hashes, rendering the blockchain invalid. Successfully amending the blockchain retroactively would also require consensus among the majority of the deployed blockchains (the distributed ledger), which is, for all intents and purposes, virtually impossible in the case of public blockchains.

It’s this quality of immutability which makes blockchain an ideal technology in the realm of cryptocurrency, like Bitcoin, Litecoin, Ethereum, and even boxing champ and Sen. Manny Pacquiao's Pac Tokens. It establishes a ledger…a list…which in theory, can’t ever be altered and serves as a permanent transaction record.

But this level of permanence can be a bit troubling. Yes, a permanent and tamper-proof ledger serves the purpose of ensuring the integrity of cryptocurrency…but that raises the question…can you, or should you, use blockchains for recording personal information, or transactions attributable to personal identities?

Bear with me a bit further. Virtually all data protection regimes nowadays, such as the EU GDPR, and even the Philippines’ own Data Privacy Act of 2012 (DPA), are anchored on the fundamental rights of the data owner – the data subject. The rights relevant to this discussion are the right to correction/rectification, the right to erasure, and the right to restriction of processing. But if you apply blockchain technology to personal information, that information is rendered permanent within the blockchain. As such, it can no longer be corrected, rectified or erased, as any attempt to modify a block will invariably invalidate all of the succeeding blocks, because the hash from the modified block will no longer be the same as the one used in the encryption of the succeeding block. Also, you won’t be able to restrict access to the data on the blockchain among the members of the blockchain network. If you’re a member of the blockchain network, you can see all of the data in the blockchain - not surprising really, considering transparency is one of the hallmarks of blockchain technology.

Therein lies the rub. Data stored on a blockchain is permanent, and therefore not subject to correction or erasure. Everyone within the blockchain network can view all of the information stored on the blocks. This goes against the principles of virtually all privacy regulations. This concern only started making itself apparent a few months ago, and now even has a name: privacy poisoning.

There have been a number of workarounds suggested in order to address this. One is the use of permissioned or private blockchains so that information can be amended or deleted, and so that access to particular blocks containing personal information can be controlled. This, however, requires some level of centralized control over the blockchain network in order to manage corrections, deletions and access. This seemingly goes against the purported strength in the distributed and democratized nature of a public blockchain, and some may even argue that this is not a true blockchain at all, as it does not eliminate the middleman and, in fact, requires one. Now, if there is still a middleman, is this setup really any different, more cost effective, or even more secure than traditional centralized databases?*

Another suggestion is to store personal information in a blockchain in encrypted form. If a piece of information is to be deleted or amended, the solution is to lose the encryption key but retain the personal information in encrypted form within the block. This, in theory, maintains the integrity of the blockchain while permanently making the encrypted personal information inaccessible. The catch with this approach, though, is that no encryption method is 100% secure. Even with today’s advanced encryption methods which, using existing technology, would take billions of billions of years to crack via brute force with currently available algorithms and processing power, who’s to say that future algorithms and technologies (such as quantum computing) couldn’t make mincemeat of today’s most advanced encryption methods?
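The trade-off between editing a block and losing its key can be seen in a minimal hash-linked ledger. The following is an added example, not code from the original article: it shows that deleting a record's key leaves the chain valid but the record unreadable, while editing the record in place breaks the chain even if the edited block's own hash is recomputed. Assumptions: each block stores the previous block's hash, the cipher is a stand-in built from HMAC-SHA256, and all function names and sample records are constructed for illustration.

```python
import hashlib, hmac, json, secrets

GENESIS_PREV = "0" * 64

def xor_cipher(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 keystream), for illustration only;
    # a real system would use a vetted AEAD such as AES-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def block_hash(block):
    body = {k: block[k] for k in ("index", "prev_hash", "nonce", "ciphertext")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_block(chain, keystore, record):
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    block = {"index": len(chain),
             "prev_hash": chain[-1]["hash"] if chain else GENESIS_PREV,
             "nonce": nonce.hex(),
             "ciphertext": xor_cipher(key, nonce, record.encode()).hex()}
    block["hash"] = block_hash(block)
    chain.append(block)
    keystore[block["index"]] = key  # key is held off-chain, one per block

def chain_is_valid(chain):
    prev = GENESIS_PREV
    for block in chain:
        if block["prev_hash"] != prev or block["hash"] != block_hash(block):
            return False
        prev = block["hash"]
    return True

def read_record(chain, keystore, index):
    key = keystore.get(index)
    if key is None:
        return None  # key destroyed: the ciphertext stays on-chain, unreadable
    block = chain[index]
    plain = xor_cipher(key, bytes.fromhex(block["nonce"]), bytes.fromhex(block["ciphertext"]))
    return plain.decode()

def demo():
    chain, keystore = [], {}
    append_block(chain, keystore, "Alice, 12 Sample St")   # constructed records
    append_block(chain, keystore, "Bob, 34 Example Ave")
    before = read_record(chain, keystore, 0)
    del keystore[0]                                  # "erasure" by losing the key
    after_key_loss = (chain_is_valid(chain), read_record(chain, keystore, 0))
    chain[0]["ciphertext"] = "00" * 8                # rectify block 0 in place...
    chain[0]["hash"] = block_hash(chain[0])          # ...and even recompute its hash
    return before, after_key_loss, chain_is_valid(chain)
```

After the key is deleted, the ciphertext is still present in every copy of the chain, so the record's confidentiality rests entirely on the cipher.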

Further taking into consideration present data protection regimes, who are the data controllers and data processors in a blockchain network containing personal information? Since every member of the blockchain network has a complete copy of the blockchain along with access to the personal information stored inside of it, does that make everyone on the network a data controller? What about the entities managing the infrastructure on which the blockchain operates, does it make them data processors? In case of a breach, who do you hold liable? Do you hold liable everyone on the blockchain network? How about the blockchain itself? If ruled illegal because it contains personal information, does it make illegal the entirety of the blockchain itself? Is it still considered a valid record for past transactions?

I’m sure there are a lot of other possible implications with regard to the use of blockchains and their impact on data protection, and this discussion is only scratching the surface. It is only recently that we have started to recognize the vast potential and myriad applications of blockchains. I've heard and read about possible applications in the areas of smart contracts, banking, and IoT, among others. This early on though, the only conclusion which we can probably all agree on is that while blockchains represent a significant paradigm shift in the way we process data, at this point we may not have dealt with all the variables when the discussion takes into account data privacy with particular emphasis on the rights of a data subject. This could result in changes down the line - either changes in our privacy laws, changes in the technology, or changes in its implementation. What those specific changes will be, only time will tell.

This article is written with the intention of sparking thought and discussion on this subject. I certainly do not claim to be an expert on this matter, so if you have inputs or thoughts on the matter, please feel free to share them.

*While not directly related to blockchains and data privacy, I am reminded of a discussion I had several years ago with a similar premise, this time involving digital certificates. The question was, is it still considered public key infrastructure (PKI) if the certificates are self-signed? Essentially one of the parties involved in the exchange of information is also the de facto certificate authority (CA). My opinion at the time was that this setup should not be considered PKI, and that it is actually more susceptible to security breaches, the certificates being totally under the control of one of the parties.

Article information

Author: Pres. Carey Rath
