In November 2019, security firm Risk Based Security called last year the “worst year on record” for breaches, with almost 8 billion records affected. Third-party control over personal data makes privacy something that is no longer a given.
Blockchain technology seems to have heralded a new era in data security. However, as the technology has become more common on the internet, questions have arisen concerning its ability to securely store data. The reason lies in its complete transparency, which may not be good for confidentiality, as recently claimed by blockchain analytics firm Chainalysis.
Once upon a privacy
As people’s lives become increasingly digitized, the issues of data protection and privacy become paramount. Any action made online is a speck of gold dust for some companies. Data is gleaned and compiled into databases to be sold or auctioned off to the highest bidder by browsers and social media giants. Johnny Ryan, chief policy and industry relations officer of Brave browser, said on Feb. 21:
“RTB [Real-time-bidding, an auction for online ads] is the biggest data breach in the world. Personal data are being broadcasted to thousands of companies.”
Ryan’s words resounded with the growing number of data breaches, highlighting the fact that most modern business models are based on the collection and sales of users’ personal data, as browsers like Chrome and social networks like Facebook sell the data to those who pay for it.
Facebook and multimedia design platform Canva are among the most eminent data breachers, with data of 540 million and 139 million users affected in 2019, respectively. Top entrepreneurs and billionaires have also been affected. For example, Jeff Bezos, the CEO of Amazon, was hacked in 2018 while using WhatsApp.
Because it’s centralized
Statistics show that centralized companies leak user information more often than one may think. Data security is often disregarded for the sake of convenience, as companies resort to third-party resources like Dropbox and Google Docs, the security of which has been regularly questioned.
Most data collected by third-party companies is held in centralized databases, which act as a single point of failure with a domino effect when they are compromised. Even worse, data breaches either go unnoticed or are not divulged.
The simplest way to check is by entering an email on the website Have I Been Pwned, which provides statistics on how many times a user’s personally identifiable information has been found online. The total number of breached accounts has reached almost 9.5 billion according to the site’s statistics.
Is blockchain the user privacy panacea?
Blockchain is generally considered to be confidentiality-oriented and, therefore, can become an ideal solution for the problems that arise with traditional storage systems. For example, private blockchains can provide strictly enforced access to data based on permissions.
There are many solutions offered, such as homomorphic encryption, which allows computations to be carried out with encrypted data without preliminary decryption. This method was initially used on MIT’s Enigma network, which divides data into pieces, encrypts it, and randomly distributes it over the network in little portions. None of the network nodes can read this data, but users can decrypt it.
Security and privacy are thus preserved, and only users with matching decryption keys and proper credentials are granted access. Cryptographic techniques such as zero-knowledge proofs and zk-SNARKs already use homomorphic encryption — and Zcash (ZEC) is one example that applies such techniques.
The quintessence of blockchain technology is that it negates the need for third-parties, thus ensuring a higher degree of safety. The introduction of features like decentralized identity control prophesies a significant reduction in identity theft.
For instance, in May 2019, Microsoft announced its intention to use distributed registry technology to create a decentralized identification system called Decentralized ID, or DID, based on the Microsoft Authenticator application. Developers believe that blockchain technology is perfect for storing personal information since it eliminates the need to give consent to use private data. As a result, users’ identities will not be duplicated and distributed among different service providers like social media companies or online stores.
Similarly, SDS, the internet technology division of Samsung, has recently integrated QEDIT’s zero-knowledge proof in its enterprise-oriented Nexledger blockchain. The SDS team believes that the integration will allow parties employing corporate blockchains to record and validate transactions on a shared ledger without disclosing confidential data.
The principle of storing personal information to protect user data was introduced by Jeff Pulver, the American who pioneered VoIP. The Pulver Order was passed by the Federal Communications Commission on Feb. 12, 2004, and made it possible for people to freely use communication apps like WhatsApp.
In 2018, Pulver offered to use a blockchain-enabled communication network based on new authentication layers and decentralized solutions. The new solution, called Debrief, is said to be the most secure business communication network available for peer-to-peer audio and video calling, messaging and decentralized file storage. The technology aims not to expose users’ confidential information, unlike services such as Facebook or Zoom.
The secret lies in a decentralized storage system and secure blockchain authentication protocol that are impervious to hackers. Pulver claims that Debrief’s data encryption algorithms do not allow the data to be edited or tampered with once it is placed on the network.
Each recipient on the network receives the same piece of information as it is entered in real-time. Therefore, for a hacker to tamper with or edit the information on one recipient’s computer, the other computers on the network would have to validate the change, which they would never do. Pulver explained at the time that: “By refraining from centralized control, we will be removing the weak link from the equation — the third-parties.”
MedRec, a project launched by MIT, pursues a similar goal but in the health care industry. The project uses blockchain technology to enable the secure exchange of health care information between patients and service providers. As a result, the patients can retain full control of their personal data and grant access to the service providers rather than the other way around.
MedRec has already run a series of pilot tests with research partners and is currently working on fine-tuning the system. The use of MedRec can reduce health care data breaches and foster the development of new Health Insurance Portability and Accountability Act-compliant Electronic Health Record solutions.
General Motors also supports blockchain technology. In 2018, the company filed a patent on self-driving cars that store data on a distributed ledger and can share it with other vehicles and entities connected to the system, ensuring traffic safety and compliance with the multiple regulations of the transportation industry.
Data privacy does not agree with blockchain
Speaking about blockchain technology and data security, Vijay Rathour, a partner at the digital forensics and investigations group of Grant Thornton, compared the technology to bank vaults made of glass: “They’re very secure. They’re one-way vaults — i.e., you can put precious things in them but not take it out. The contents can be seen by the world.”
However, according to Rathour, even after acknowledging all of these qualities, bank vaults can be used to hold blood money or stolen assets. Simply put, the effectiveness of the vaults doesn’t mean that what’s inside them is also good. Rathour further explained:
“Is it [data stored on blockchain] suitably anonymised? Would I want my passport visible to the world in a glass bank vault for the world to see? No. But I would probably enjoy the benefits of an encrypted version of my passport being held on the ‘cloud’ securely in this blockchain.”
Blockchain has many inherent advantages that make it a perfect match when it comes to privacy, and it offers useful data protection features that allow it to comply with the General Data Protection Regulation. Meanwhile, there are other aspects that make it inapplicable.
Though immutability is good for data privacy, there are two stumbling blocks: First, immutability comes into conflict with information storage laws. Second, errors or inaccuracies on a blockchain cannot be corrected. Thomas Stubbings, chairman of the Cybersecurity Platform of the Austrian Government, suggested:
“Indeed, the key feature of a blockchain is protecting the integrity of data by rendering it immutable. However, exactly that feature can become a problem if the data is not required, wanted or correct anymore. It is virtually impossible to remove it. This creates a new sort of privacy problem.”
Jonathan Levin, co-founder and chief strategy officer of cryptoanalytics firm Chainalysis, has recently stated that full transparency is not entirely a godsend either, as blockchain technology can be used to trace individuals and link personal information to them. Levin said:
“The two extremes of total anonymity and complete transparency are bad. Complete anonymity opens the door to illicit activity… On the other hand, complete transparency means no privacy at all.”
Teemu Alexander Puutio, an expert in compliance and an adjunct instructor at the New York University School of Professional Services, said that there are several ways data can leak out from cryptographically secured ledgers. He reiterated that Bitcoin (BTC) is pseudonymous, and, thus, its users can be tracked down and identified, adding:
“For example, network traffic analysis has been recently used to attain 95% accuracy of identification and theoretically simple methods of observation and Bayesian probabilistic analysis have allowed researchers to identify thousands of accounts in a few months. These worries are further compounded by the fact that data stored on blockchains are typically immutable and fully public — at least to the verifier network.”
Puutio also referred to a survey published in January 2019 that found that only a small portion of blockchain platforms are able to achieve high levels of data security.
One of the basic features of blockchain — the inability to selectively delete information — may be a double-edged sword. One of its negative aspects relates to the fact that a 51% majority of the nodes is needed to edit data, greatly complicating the implementation of the provisions of Article 17 of the GDPR, which gives the “right to be forgotten.”
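Why a single record cannot simply be deleted is easiest to see on a minimal hash-linked ledger. The following is an added example, not code from any platform mentioned in this article; the block layout, function names and sample payloads (including the personal-data entry) are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64

def block_hash(index, prev_hash, payload):
    """SHA-256 over the block's canonical JSON encoding."""
    body = json.dumps({"index": index, "prev": prev_hash, "payload": payload},
                      sort_keys=True).encode()
    return hashlib.sha256(body).hexdigest()

def build_chain(payloads):
    """Link each block to its predecessor by embedding the predecessor's hash."""
    chain, prev = [], GENESIS
    for i, payload in enumerate(payloads):
        h = block_hash(i, prev, payload)
        chain.append({"index": i, "prev": prev, "payload": payload, "hash": h})
        prev = h
    return chain

def first_invalid_block(chain):
    """Index of the first block that fails verification, or None if all pass."""
    prev = GENESIS
    for b in chain:
        if b["prev"] != prev or block_hash(b["index"], prev, b["payload"]) != b["hash"]:
            return b["index"]
        prev = b["hash"]
    return None

def erase(chain, index):
    """A lone node blanks one payload, as an erasure request would ask."""
    edited = [dict(b) for b in chain]
    edited[index]["payload"] = "[erased]"
    return edited

def blocks_changed_by_rewrite(chain, index):
    """Count blocks whose hash changes if the erasure is applied consistently."""
    rebuilt = build_chain([b["payload"] for b in erase(chain, index)])
    return sum(1 for old, new in zip(chain, rebuilt) if old["hash"] != new["hash"])

# Constructed sample ledger; block 1 carries made-up personal data.
SAMPLE = ["alice pays bob 5", "name=Jane Doe; passport=X0000000",
          "bob pays carol 2", "carol pays dave 1"]

if __name__ == "__main__":
    chain = build_chain(SAMPLE)
    print("erasure detected at block:", first_invalid_block(erase(chain, 1)))
    print("blocks to rewrite and re-agree:", blocks_changed_by_rewrite(chain, 1))
```

Erasing the payload in place is rejected by every verifier, and applying it consistently changes the hash of that block and every later one, so the rest of the network must accept the rewritten history.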
Stubbings said that there is a new threat called “blockchain poisoning,” which renders blockchains noncompliant with GDPR by inserting personally identifiable information that can never be removed. He said:
“This can result in the worst case in a blockchain which becomes unusable… The problem is quite new and even EU privacy experts are not clear about how to deal with that, especially as no one owns public blockchains, it is just a number of nodes. So, who is liable? No one? Everyone who holds a node? It is a tricky issue, and it might hamper the — otherwise very promising — evolvement of blockchain as a valuable security instrument.”
In the end, data consistency turns out to be the main barrier that must be overcome in order for blockchain technology to become a viable solution from the GDPR standpoint.
Blockchain technology is good, but…
The world is still centralized, and data can be lost while in the control of a handful of operators. Governments are stepping up with regulations, but they are insufficient at ensuring the safety and security of user data. Summing up the role of blockchain technology in data security, Rathour said:
“Blockchains are good, but there is still art and science in putting and holding and curating data held in them. Just like databases, cloud computers and many other mechanical options available to those responsible for holding our data.”
Though a critical mass of users demanding decentralized data storage would make blockchain technology the de facto storage medium, the immutability factor does not allow it to comply with the GDPR requirements. Blockchain technology still has a way to go before becoming the all-in-one data storage solution. Full immutability and transparency are two sides of the same coin, and the coin is still spinning.
In the end, “developing light-weight cryptographic algorithms, as well as other practical security and privacy methods, will be a key enabling technology in the future development of blockchain and its applications,” as suggested by the authors of the Security and Privacy on Blockchain survey.