By Nitesh Emmadi and Harika Narumanchi
Blockchain is transforming businesses across the world. A secure, distributed ledger, it helps companies cut out intermediaries and maintain secure records of every transaction at a fraction of the cost of traditional systems.
It’s only 10 years since the blockchain concept was introduced. But things have moved fast. From being used as the infrastructure for trading cryptocurrencies like Bitcoin, blockchain has become integral to many firms.
Today, all types of business data – from the details of transactions and shipments to customer information – are held in blockchains. They help banks process payments faster and the precious-metal industry verify and track gold shipments.
Businesses use what’s known as private or permissioned blockchains, to which access is strictly controlled. That means only people authorized by the company can use them.
But what about personal data? Corporate blockchains are likely to contain a lot of information about individuals. Retailers, for example, capture a mass of data about the preferences of their customers as well as storing details about what they buy and how they pay for it.
And this is where blockchain bumps into data protection law.
Many countries have laws to enable citizens to find out what data is being held about them and to protect them from the misuse of their personal data. Europe’s General Data Protection Regulation (GDPR) is a case in point.
GDPR applies to all personal data held about EU citizens, wherever in the world that data is stored. Individuals have the right to see what companies hold about them and to request deletion under certain circumstances. It enshrines the right to keep private data private.
Making transactions visible
GDPR’s core principle “privacy by design”, mandates that systems used to capture and store personal data must be built to ensure the privacy of the people whose data they process. This requirement applies to blockchains as it does to all other business systems.
In many ways, permissioned blockchain is designed to ensure privacy of users and confidentiality of transactions.
To achieve privacy of users, pseudonyms are used. Pseudonyms are virtual identities which can be derived, for example, from a public key that is associated with the person’s real identity. To achieve confidentiality of transactions, encryption is used. The encryption of transactions payload guarantees the transaction data is available only to authorized parties.
Advocates of the technology often talk about its transparency, but this can confuse those concerned about privacy. The transparency they are referring to is the visibility of the transactions recorded in the blockchain, not the personal identifiable information.
Essentially, blockchain makes the existence of a transaction or record visible to users but not the name of the person involved. So while the person’s real identity is secure, you will still see all of the transactions completed by their pseudonyms.
In a permissioned blockchain – the type used by most corporations – even this data is restricted to those who have authority to access it.
Accountability through transparency
Nevertheless, transparency is essential in blockchains. One of the defining characteristics of the technology is the accountability and traceability it provides.
GDPR requires that data collected on individuals must be relevant to the purpose and not be stored for longer than necessary. This applies to any business.
But the requirement to store data for only as long as is necessary is more problematic for blockchain users. Blockchain data is stored permanently, so companies need to think carefully about what this requirement entails.
Removing all evidence of a person’s transactions would destroy the integrity of a blockchain and falsify the record. One of the great strengths of the technology is the security that multiple records provide as a defense against fraud.
But that is not to say personal details cannot be either archived or deleted if data regulations determine that it is no longer necessary.
It is possible to protect the personal data that lies behind the pseudonym by using techniques like chameleon hash for archiving or off-chain storage mechanisms to store personal identifiable data thus preserving the integrity of the blockchain but ensuring that the personal identification data is no longer present.
GDPR also requires every organization that handles personal data to identify a data controller who is accountable for compliance with the regulation. Any individual who manages a device in a blockchain is potentially also a data controller.
That is certainly the view of the French data regulator CNIL. In guidance issued last year, it said anyone entitled to write in a blockchain or send data should be considered a data controller under the regulation.
GDPR places strict onus on data controllers to ensure compliance with its terms and to report any failure to do so. It requires organizations to self-report breaches to data regulators and imposes hefty fines for those who don’t comply – up to $20 million for the largest firms.
All of which means companies need to ensure staff who are using blockchains are trained to comply with the rules.
Everyone is responsible
From the users’ perspective, every stakeholder in the system being a data controller is a good, logical move, but only if all of those data controllers are trusted.
Blockchain’s strengths are also its weaknesses. Distributed data means a hacker can compromise any of the blockchain nodes and steal the information.
Having so many distributed participants increases the need to ensure each is monitored to make sure it complies with data protection laws.
Encryption and permissioned blockchains certainly protect personal data and restrict who can access it. But as blockchain continues to evolve, privacy must also remain integral to its design.
The authors are researchers at TCS Cybersecurity and Privacy Research and Innovation, India