SC Media, "Will privacy be a stumbling block for blockchain?"
by Karen Epper Hoffman
Best known as the infrastructure underlying the wildly popular Bitcoin cryptocurrency, blockchain technology has really come into its own in the past year or so—being viewed, trialed and utilized as a means of better executing and sharing corporate documents, managing identity and authentication, even running an emerging social media network. Proponents say the beauty and attraction of blockchain is two-fold: it creates a decentralized or “shared” ledger of transactions and activities, and it is (thus far) immutable.
While most organizations have historically created centralized applications and systems, blockchain by contrast “is a protocol of trust,” says Nick Spanos, CEO and founder of Zap.org, and founder of Bitcoin Center NYC and Blockchain Technologies Corp.
“It's counterproductive when organizations rely on human trust instead of the mathematically-proven trust protocol of blockchain,” Spanos says. “All security compromises have occurred with flawed, centralized systems interfacing with but not actually built on the trust protocol -- like exchanges.”
Since the distributed ledger is pseudonymous, Spanos points out, “you know something happened or is occurring, but you don't know who the users are. It simply publicly proves that events happened.”
But therein lies one major potential issue in the ‘trust, but verify' approach upon which many private- and public-sector programs systems have typically been built, as well as the privacy laws dictated by consumer groups and regulators. Rebecca Herold, CEO of The Privacy Professor and president of Simbus LLC, says that the fact that “trust that must be depended upon to make shared ledgers work is one of the biggest risks, and brings significant privacy issues.” Since there is no central authority or third-party moderator involved in the blockchain, she sees shared ledger technology currently as “generally expensive and inefficient.”
In many industries—like financial services and healthcare, where privacy is a regulatory and legal imperative—using blockchain may present some concerns, say experts.
Arran Stewart, co-owner of the blockchain-based recruitment platform Job.com, says ultimately problems may arise depending on “the quality of how a blockchain is put together, specifically the information stored on it and the encryption of the data being held on the blockchain. Like the early stages of any technology or system, breaches, scandals, or other issues are almost an inevitability. This because of the nature of human error.”
“Someone somewhere will list information publicly that is sensitive and someone else will spend a lot of time figuring out how to get it,” Stewart adds. “This is where I envisage there being a privacy issue… Companies are already talking about putting medical records on the blockchain, which is probably the most sensitive data available.”
As Will Gragido, the director of advanced threat protection at Digital Guardian, points out, blockchain has already captured the attention of the criminal element due to the popularity of Bitcoin for making virtually anonymous transactions. “It's attractive because [the system] is decentralized and pseudo-anonymous,” he says. “There is a potential for exploitation, maybe not as much as other systems, but there is the potential.”
Invasion of Privacy?
While it's still early days for blockchain being used as an underlying infrastructure, developments have been snowballing quickly—even among organizations in the most highly regulated sectors, where there are likely to be the biggest concerns surrounding data privacy. Despite the relatively restrictive nature of HIPAA, Herold, who has several clients in the healthcare space, says there are “growing initiatives in healthcare to seriously pursue blockchain as a type of solution to privacy risks and patient data security. Many have already implemented blockchain, at least in limited ways.”
“Implementing blockchain does not fit neatly within most legal and regulatory compliance requirements that exist, and those working to meet compliance are likely new to blockchain and may not realize all the associated compliance issues,” Herold says, adding that “validating the security and privacy of blockchain is not a simple goal to accomplish.”
Vitali Kremez, director of research at Flashpoint, says while the technology implementations and even pilots here are only just emerging, he knows of at least one major Wall Street financial firm that is planning to adopt blockchain for financial transactions as opposed to using a traditional mechanism like the automated clearinghouse.
As Gragido points out, “There's a lot of talk right now, but not a lot of understanding. [Using blockchain] could be more secure, but it remains to be seen based on the implementation and the state of overall risk.”
Aside from HIPAA in healthcare and a bevy of existing industry-specific and over-arching privacy rules and regulations that could call into question the use of blockchain, the biggest issue is expected to emerge as the European Union's highly impactful General Data Protection Regulation (GDPR) comes into effect this month [May 2018].
Since GDPR will affect any company with customers in the EU and impose heavy fines on those organizations that violate this compliance, many experts are considering how blockchain might complicate data privacy either by allowing information to be too easy shared or limiting the ability for companies or consumers themselves to remove or erase their data from a purportedly unalterable ledger.
“A blockchain is essentially a shared record of past activity that is unchangeable,” says John McLeod, chief information security officer for AlienVault. “The potential privacy issues occur with how a company would process the data of that shared record and with Data Subject Rights under GDPR, as the shared record cannot be changed, Data Subject Rights are limited.”
Hence, McLeod, a panelist on a recent International Association of Privacy Professionals session on this topic, believes that in the immediate future any company affected by GDPR might have privacy concerns or issues with blockchain.
Since regulations and laws typically change at a very slow pace, McLeod expects that eventual court cases will dictate how to interpret the laws overseeing data privacy in regard to blockchain. And, to that end, he expects to see court cases emerge in this arena by the end of 2018, with the outcome “likely to change companies and improve the language of GDPR.”
Stewart points out that the related regulatory and legal concerns will likely present a “massive challenge as blockchain is universally spread.” But it will also force regulators, governments and organizations to consider more carefully how they handle their own records and the impact of cross-border data and network sharing.
“How do you tackle the issue of a European record being stored on an Indian-based blockchain network?” Stewart asks.
“Measures will need to be taken, such as being very clear to users that their information may sit on a blockchain outside of Europe or that their information could potentially be exposed so they can make the right decision for themselves on whether they share certain things with the blockchain or not,” he says.