Blockchain threatened by “irreconcilable” differences with GDPR
blockchain and gdpr irreconcilable?

Blockchain threatened by “irreconcilable” differences with GDPR

UPDATED. Malek Murison and Chris Middleton explore why blockchain plus GDPR replaces a storage box with a Pandora’s Box of complexity and problems. Make way for tangles, miniature blockchains, and companies who make claims about compliance but offer no backup details. Who would be a regulator in such an environment?

The EU’s General Data Protection Regulation comes into effect today, as anyone who has received a “We’re sorry you’re leaving us” email knows.

However, questions remain over exactly how companies deploying blockchain technology can harness the potential of distributed, immutable ledgers in compliance with the new data laws.

GDPR gives EU residents enforceable rights over their personal data and how it is used by organisations. These include the right to ask for its erasure, mandates for informed consent, and rights over who controls and accesses that information.

Nigel Houlden, head of technology policy at the Information Commissioner’s Office (ICO) – the body responsible for enforcing data protection and privacy regulations in the UK – said this week that he has “nightmares” about the future relationship between blockchain and some of GDPR’s core principles.

Speaking this week at a Westminster eForum event in central London, he said, “What I concern myself most with right now is things like the right to be forgotten, and how that can actually work with blockchain.”

Later he added that he was “almost” at the point where he might be convinced that blockchain and GDPR could work together. But “almost” is a troubling word when it comes to regulations that could penalise companies with massive fines, and when the ICO’s role is to be a beacon of clarity.

As head of technology policy, Houlden should know the answers to these questions – which is why so many people went to the ICO website this morning that it crashed. That he doesn’t suggests that there’s a problem. So what is it?

Immutable records

The tension revolves around the ability that citizens – and, in turn, data controllers – need to permanently remove data from a given database. If personal information is stored on an immutable, open blockchain, in which each block of data contains a hash of the previous one, for example – that level of flexibility does not exist by design.

In theory, the core advantage of open blockchains and similar ledger technologies is that the distributed and inviolable nature of the data they contain means that people can’t simply remove inconvenient information at will. It’s a permanent system of record – or at least, that’s how the technology is being sold.

Storing encrypted data on the blockchain and destroying the key doesn’t solve the GDPR challenge, as the right to be forgotten requires that the data is erased.

Meanwhile, hashing can be used to verify that data on a chain has not been modified – because altered data would result in a different hash – but a hash itself can still be considered personal data if it can be linked to a person and traced across the distributed system, even if the data itself can’t be accessed.

Limitless systems

Houlden then pointed out another problem with blockchain and GDPR compliance. An open blockchain is theoretically limitless. From a security perspective this might be ideal – as it expands, the more consensus there is in the network to verify transactions – but from a compliance viewpoint, it would appear to be an escalating problem, especially when nodes are often anonymous.

As a result, it may be that these tensions around data management can only be eased with closed, ‘permissioned’ blockchains, which in theory are more vulnerable to attack. “To get its true efficiency it needs to be an open network, because then you have cyber resilience – it’s very difficult to attack 10,000 different actors,” he said, as reported by ITPro. “But having so many actors makes it difficult to pinpoint roles under GDPR.”

ICO “not convinced” by blockchain

Houlden suggested that the hype around blockchain technology may be blinding people to its failings. “At this moment in time, I’m not 100 percent convinced that blockchain is a great idea,” he explained.

“The technologies under blockchain – encryption, certification – are great things. What we need to do is maybe unwind a bit from the fascination with blockchain, and start looking at those underlying technologies, which have been around for a while and are really quite mature now.”

The slower speeds and greater complexity of many blockchain systems have been among the reasons for criticism of the technology within the banking sector, most notably by Bank of England governor Mark Carney in a speech earlier this year.

The problem of replacing trust with computing complexity has also been the spur for developing faster, leaner alternatives, such as Tangle / Directed Acyclic Graph (DAG) data models, which lose the ‘block’ and ‘chain’ aspects of distributed ledger systems.

But the inherent ‘block and chain’ aspect of the core technology hasn’t stopped banks from adopting it.

Banking on blockchain

Earlier this month, Poland became the first country to move banking records en masse onto blockchain. Biuro Informacji Kredytowej (BIK), the largest credit bureau in Central and Eastern Europe, partnered with distributed ledger specialist Billon to deploy a blockchain system for storing and securing access to over 140 million credit records, relating to 1.2 million businesses and 24 million citizens in Poland.

A key point of the announcement was that the system is fully GDPR compliant, with the on-chain data storage system including “a mechanism enabling the right to erase personal data”.

How data is either deleted, obfuscated, or rendered inaccessible was not clear in Billon’s announcement, which also said, “once published, every document is retained regardless of what happens to the original publisher, so that the guarantee of long-term duration of storage time and unblockable access to information are independent from the status of the contractual relationship between the service provider and the user”.

Internet of Business asked Billon for clarification of how the blockchain could be made GDPR compliant with regard to the right to be forgotten. The company responded:

“The right to be forgotten is exercised by a patented technology solution that permanently destroys the ability for any party to access the private data in question. The data (and hash) remain on the blockchain without alteration or deletion, however no party can ever read the original content again. The blockchain retains a publicly verifiable record of all steps made by each party involved in the ‘right to be forgotten’ process, so you can check a document was uploaded and later made unreadable, but have no way of viewing the content of that document.

“The right is executed by a multi-stage approval process that requires agreement from a sufficient number of authorised parties (typically two, a citizen and a publisher, e.g. a bank). Our solution is digital, so in principle the entire right to be forgotten process can occur online. It’s up to the bank to define that process according to their own risk and compliance requirements. Some banks may require the client to call or physically come into a physical bank in order to prove their identity.”

However, Internet of Business believes that the right to be forgotten stipulates that data should be permanently erased or deleted, not rendered inaccessible. This remains a problem with blockchains, because (as outlined above) a hash of all the original data would be identifiably different to a hash in which a citizen’s data had been erased under the right to be forgotten.

As a result, it is possible to infer that the original data still exists by comparing the hashes. In this sense, it could still be considered personal data. So while Billon’s solution certainly conforms to the spirit of GDPR, on the face of it is not compliant. We have put this further point to the company and await its response.

Turning Japanese

Earlier this week, Japan’s largest bank, Mitsubishi UFJ Financial Group (MUFG), went further than the Polish project by announcing a new payment platform based on blockchain, in partnership with US cloud provider Akamai.

The bank claims the platform will be both the fastest and most scalable of its kind, with the capacity to process one million transactions per second and offer near real-time confirmations – again challenging Carney’s view that the technology isn’t appropriate for the financial sector.

However, this is only possible, according to MUFG and Akamai, because they have adapted the traditional blockchain architecture by positioning all nodes responsible for consensus-based decision-making on the Akamai Intelligent Platform, suggesting that ‘blockchain like’ data models are replacing pure solutions, potentially still adding layers of complexity that may prove to be a challenge in regulatory terms.

Little detail has been provided on how MUFG will retain the levels of security associated with traditional blockchains, aside from a vague statement outlining “a unique design permitting high-speed and high-capacity creation and verification of new blocks within nodes.”

The concern must be, therefore, that some organisations are making their computer systems more and more complex, obfuscating important questions at the exact point where clarity and auditability are needed.

In related news, the US Department of Justice has launched a probe into cryptocurrency markets and exchanges this week, in the belief that prices may be being rigged or manipulated.

The legal question

Of course, the right to be forgotten may be overridden by some organisations’ legal and fiscal requirements to retain certain types of data – for tax, accounting, and audit purposes, for example – an area that needs clarification in GDPR itself.

Also speaking at the Westminster eForum event was legal director of law firm Womble Bond Dickinson, Malcolm Dowden. He pointed out that incoming regulations still lag behind the complexity and promise of blockchain technology.

“There is, from a legal perspective, an absolutely irreconcilable tension between blockchain, or distributed ledger technology, and GDPR,” said Dowden. “Every time a new computer, a new node, joins a blockchain system, the data that’s on the block is replicated to that computer. That is a data transfer.”

Speaking at an earlier Westminster eForum event in February, another lawyer, Andrew Joint, managing partner at Kemp Little, pointed to a more fundamental problem with some new technologies, especially artificial intelligence: they are challenging the very definition of centuries-old legal principles, such as liability.

This is important as AI, blockchain, and other technologies, such as digital twins, merge in new and unexpected forms, such as AI-driven self-organising ledgers, and digital twins that learn from IoT data.

Make way for the miniature blockchain?

Into the breach comes yet another new organisation, LegalThings.io. This morning, it announced the launch of the LegalThingsOne platform, which it claims could be a new blockchain-based digital backbone for all GDPR-compliant processing.

LegalThings One creates a what it calls a “private miniature chain” for each process. Only the nodes selected by the parties involved have this chain, similar to other distributed systems, such as Git. To safeguard the integrity of these miniature chains, each event is anchored in the Waves public blockchain – a chain of miniature chains, in other words.

When requested, nodes can erase specific processes. And because GDPR states that data cannot be kept indefinitely, this happens automatically after a specified retention period. Should laws require data to be stored for a longer period, then data can be extracted before the chain’s erasure, said the organisation in an announcement this morning.

Using blockchain to ensure compliance?

In an ironic twist, a US startup is promising to apply blockchain technology to help companies adhere to GDPR. Blockchain solutions provider ULedger has launched a set of tools that can be plugged into an organisation’s existing data management system to both harness blockchain technology and meet the new standards.

ULedger CEO Josh McIver said, “Many technology systems in their current form are not capable of meeting the regulatory requirements of GDPR, and as with other regulations, compliance can sometimes be time-consuming, expensive, and confusing.

“Our GDPR tool is designed to leverage ULedger’s API in a way that provides companies with immediate GDPR compliance, and allows them to realise the many benefits that come with blockchain technology, such as security and transparency of data.”

ULedger’s Blockchain GDPR compliance tool enables companies to “create and maintain a complete, immutable history of the company’s data, including email communications, photos, bank details, and any other data type pertaining to a person’s private, public or professional data.”

GDPR and hybrid, off-chain solutions

Again, it’s not immediately clear how ULedger’s supposedly immutable system supports GDPR’s right to be forgotten, despite its privacy benefits.

But a comment from ULedger’s VP of compliance, Dave Otander, sheds more light on the issue, and points to either a system that puts only metadata on the blockchain, or uses a hybrid of blockchain and traditional encrypted data storage.

“By virtue of ULedger’s hybrid blockchain approach, an EU-based company can host their ULedger powered blockchain on-premise with the hashing and time-stamping of the meta data for data immutability, and consensus amongst participating nodes,” he said.

“We can be thought of as a permissioned solution, whereby the customer that is regulated under GDPR remains the data controller. Our customers get the best of both worlds by keeping their information secure and private while achieving consensus by the cryptographic hash of the encrypted metadata.”

This is the point at which a customer’s right to see their personal data, or to be forgotten, can be implemented, it seems. However, Otander admitted, “To date, many are struggling with what a GDPR compliant blockchain is. Clearly, GDPR was shaped during the timeframe when data was collected, processed, and stored in a centralised manner.”

With some data in the cloud, and other information in a computing mesh, a distributed network, at the edge, or – increasingly for big number-crunching tasks – again on premise, the challenges facing GDPR compliance in many organisations are more complex than they might appear.

Agreeing with the ICO’s Houlden, Otander said that this central truth is why a public blockchain approach is very likely not a long-term solution. “Rather, a hybrid solution or a mix of off-chain applications for private data – to meet the right of erasure requirement – may become the standard,” he said.

Internet of Business says

The debate offers few clear answers to the ICO’s questions, and replaces the former clarity of data storage and processing with a tangle of often obscure, complex, competing systems, and a fog of claims that, more often than not, are never backed with a simple explanation.

Replacing simplicity and trust with overwhelming complexity – a storage box with Pandora’s Box – is, on the face of it, a bad idea. And that’s the real issue, certainly for regulators and investigators.

Either way, it is hard to avoid the impression that in some industries, such as financial services, there is a serious risk that processing complexity may become a deterrent to regulatory investigation – and that means any kind of investigation, including simple auditing. In such a world, fraud and criminal behaviour may become harder to detect, not easier, thanks to blockchain.

Can obscure, complex processes ever be transparent? That’s a question that affects other technologies too, such as neural networks and ‘black box’ AI solutions. Either way, we wish the ICO the best of luck.

Plus: In related news, the Wall Street Journal reports today that several US websites are going dark to European readers in response to GDPR. An extraordinary and self-defeating response to privacy protection.