Blockchain and Data Protection Guide
Blockchain is one of the most innovative developments in modern technology. As a secure ledger, the blockchain organizes a growing list of transaction records into a chain of blocks, with each block protected by cryptographic techniques that maintain the security of its transaction records. New blocks can only be added to the global blockchain after they have successfully completed the decentralized consensus procedure. However, blockchain technology and data privacy laws and regulations have mostly been developed independently by private companies keen to secure their data. Significant ambiguity and complexity currently exist for organizations in applying data privacy requirements to blockchain technology and associated services. There is a need for a more centralized approach towards using blockchain for data security.
Characteristics of Blockchain Technology
Blockchain gained immense popularity and quickly became part of popular culture during 2017’s unexpected cryptocurrency boom.
Blockchain technology is built on pre-existing concepts and techniques in distributed transaction processing and encryption. Software developers and blockchain pioneers brought these ideas together in an innovative manner to launch Bitcoin in 2009, giving rise to the first publicly available “blockchain” network. Soon enough, other cryptocurrencies emerged that used the same technology as Bitcoin. Market players and developers quickly recognized this technology’s potential beyond its original use to record trustworthy, peer-to-peer transfers of value. Thus multiple blockchain applications emerged, currently being used in:
- Smart contract development
- Supply chain management
- Asset registers
- Record keeping tools.
Blockchain technology has also been widely used in industries like:
- Real estate
- Health care
What is Distributed Ledger Technology (DLT)?
This is one of the core elements that are common to all blockchain networks, irrespective of their application.
“Distributed ledger technology is a software infrastructure that provides a synchronized and shared data structure that multiple participants can access and modify over a peer-to-peer network.” The ledger links each new data block to the previous blocks to form a chain, using a cryptographic hashing process. The participant nodes in the blockchain network are programmed to store a copy of all the transactions for recording purposes.
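The hash linking described above can be made concrete with a short sketch. This is an added example, not code from the original article or from any blockchain project; the block layout, the function names and the sample records are assumptions made for illustration. It shows that rewriting one block (for an edit or an erasure) is detected either at that block or at the next link, which is why every later block in every participant's copy would have to be rewritten as well.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # placeholder "previous hash" for the first block

def block_hash(index, prev_hash, records):
    # Hash a canonical serialization of everything the block commits to.
    body = json.dumps({"index": index, "prev": prev_hash, "records": records},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def append_block(chain, records):
    prev = chain[-1]["hash"] if chain else GENESIS_PREV
    index = len(chain)
    chain.append({"index": index, "prev": prev, "records": records,
                  "hash": block_hash(index, prev, records)})

def first_invalid_block(chain):
    """Return the index of the first block that fails verification, else None."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block["index"] != i or block["prev"] != prev:
            return i  # link to the previous block is broken
        if block_hash(i, block["prev"], block["records"]) != block["hash"]:
            return i  # contents no longer match the stored hash
        prev = block["hash"]
    return None

def rewrite_block(chain, index, records, rehash):
    """Return a copy with one block's records replaced (edit or erasure)."""
    forged = copy.deepcopy(chain)
    forged[index]["records"] = records
    if rehash:  # the editor also recomputes that block's own hash
        b = forged[index]
        b["hash"] = block_hash(b["index"], b["prev"], b["records"])
    return forged

def sample_chain():
    # Constructed sample records, not real transactions.
    chain = []
    for records in (["alice->bob:5"], ["bob->carol:2"], ["carol->dave:1"]):
        append_block(chain, records)
    return chain

if __name__ == "__main__":
    chain = sample_chain()
    print(first_invalid_block(chain))                               # None
    print(first_invalid_block(rewrite_block(chain, 1, [], False)))  # 1
    print(first_invalid_block(rewrite_block(chain, 1, [], True)))   # 2
```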
How this technology helps in maintaining network security
With the rise in the amount of data available publicly, security concerns and risks have also risen. Let us look at the security and privacy requirements for online transactions:
- Consistency of the Ledger- When financial institutions make transactions and clear dues between one another, the architecture of these processes differs from institution to institution and often involves manual tasks. This not only generates high transaction fees, which ultimately have to be borne by the clients, but also leads to a higher possibility of errors and inconsistencies between the ledgers held by the different institutions.
- Integrity of Transactions- Investments, asset management, equity, bonds, income vouchers, warehouse receipts, and other assets involve online transactions that are managed by different intermediaries. This process involves high transaction costs and also increases the risk of forgery manifold owing to multiple work points.
- Availability of System and Data- While creating an online open-source network, it is imperative that the users are able to access the data wherever they wish to. This involves access to high system-level and transaction-level data. In case of an attack on the network, the system-level data should still be running, and the transaction-level data should be accessible only to authorized personnel, to prevent misuse.
- Prevention of Double-Spending- While creating a decentralized network, one of the most important features to be kept in mind is the prevention of double-spending, that is, spending the same coin more than once. Centralized traditional financial institutions use a third party for this purpose, but a decentralized network using blockchain relies on good security measures to prevent double-spending.
- Confidentiality of Transactions- Maintaining user data confidentiality is one of the biggest challenges of blockchain technology. In sensitive fields like finance, this need is all the stronger. Thus most of the networks are operated under the minimal disclosure agreement, which includes: (1) users’ transaction information cannot be accessed by any unauthorized persons; (2) the system administrator or the participants of the network cannot disclose any user’s information to others without his/her prior permission; (3) all user data should be stored and accessed consistently and securely even in the rare case of a cyber attack. Security should be the main concern.
- Anonymity of Users’ Identity- Since it is quite difficult to ensure proper and fully secure data sharing among users, some financial institutions have to bear high transaction costs simply because user authentication has to be done several times. This also greatly increases the risk of disclosure by some unauthorized intermediaries.
- Linking of Transactions- This is different from the problem of identity anonymity because this involves using the history of the user’s transactions, like account balance, frequency, and type of withdrawals, etc. Thus by using this statistical data about a user combined with some background information, it is possible to guess the identity of the user. This information may be misused by rival institutions and such.
REGULATIONS SURROUNDING BLOCKCHAIN
1. DPA and GDPR
Data Protection Act (DPA) is a United Kingdom Act of Parliament which was passed in 1988. This act was mainly developed to control the way in which personal information is used by organizations and even government bodies. It protects people and lays down rules about how data about people can be used. The DPA also applies to information or data stored on a computer or an organized paper filing system about living people. In case an organization is found to flout DPA norms, they risk prosecution by the Information Commissioner’s Office (ICO) where fines can reach up to £500,000 and even imprisonment.
The Data Protection Act was replaced in May 2018 by the General Data Protection Regulation (GDPR). A key part of the GDPR lies in a citizen’s right to be forgotten, or data erasure. However, one loophole that exists in this act is that if a consumer who has made transactions using the blockchain network asks for data erasure, the blockchain’s immutability may lead to potential complications, because data once stored can never be fully erased if the transparency of the network is to be maintained.
Since cryptocurrency prices tend to fluctuate over time, the purchase of cryptocurrencies is often treated as an investment by tax collectors. More often than not, buyers of crypto coins sell them later at a higher price, thus making a capital gain. The IRS (Internal Revenue Service) is tasked with ensuring that people pay taxes on the profits made from buying and selling cryptocurrencies. The IRS has enacted that if people fail to report their income from cryptocurrency, they could be subject to civil penalties and fines, just as they would be in a normal case of tax fraud. To make things easier, the IRS has enlisted the help of Coinbase to report users who have made transactions exceeding US$20,000 worth of cryptocurrency in a year. However, this is easier said than done, because the decentralized nature of blockchain makes it difficult for an individual company to keep track of all the transaction histories of a user. Moreover, pseudonymous addresses make it difficult to link identities with users, making it a perfect outlet for people to launder money.
Blockchain’s decentralized nature and identity protection features have made it a hub for criminal transactions and activity. Thus the FBI has teamed up with the Justice Department to create the Blockchain Alliance. This team aims to identify and enforce legal restrictions on the blockchain to combat criminal activities through open dialogue on a private-public forum and also gives law enforcers the right to combat the illegal exploitation of the technology. A few examples of criminal activity on the blockchain include hacking cryptocurrency wallets and stealing funds. This is easier because the user identities are not tied to public addresses, making it difficult for financial institutions to locate and identify criminals.
Fair information practices
These are a set of principles relating to privacy practices for users. Blockchain transactions allow users to control their data through private and public keys, allowing them to own it. This ensures that third-party intermediaries are unable to access and, in turn, misuse the data. Blockchain technology allows the owners of the data to control who can access it and when. In blockchains, ledgers automatically include an audit trail that ensures transactions are accurate.
PRIVACY AND SECURITY TECHNIQUES USED IN BLOCKCHAIN
In this section, we shall look at a selection of techniques that can be leveraged to enhance the security and privacy of existing and future blockchain systems.
Bitcoin’s blockchain technology does not guarantee anonymity for users: transactions use pseudonymous addresses. However, these can be verified publicly. Thus any data analyst can easily track the user’s transactions by a simple analysis of different addresses being used in making bitcoin exchanges. More importantly, these addresses often conceal the real identity of the user and, if compromised, can leak all their transactions, not limited to bitcoins only. To deal with this problem mixing services are used. These mixing services (also known as tumblers) are designed to prevent users’ addresses from being linked. Mixing involves the random exchange of one user’s coins with another user to prevent anybody from tracking their coins through ownership. However, mixing does not offer any protection from coin theft.
2. Anonymous Signatures
Digital signature technology is used to provide anonymity to the signer. Among the anonymous signature schemes, group signature and ring signature are the two most important and widely used.
(1) Group Signature. Given a closed group, any of the group’s members can anonymously sign a message on behalf of the entire group by using their personal secret key, and anyone with the group’s public key can check and confirm the generated signature and thus ensure that the signature of some group member was used to sign the message. The process of signature verification reveals nothing about the true identity of the signer except for their membership in the group.
(2) Ring Signature. A ring signature is similar to a group signature because it can also achieve anonymity through signing by any member of a group. The term “ring signature” originates from the signature algorithm that uses the ring-like structure. The ring signature is anonymous if it is difficult to determine which member of the group uses his/her key to sign the message.
Ring signatures differ from group signatures because, in a ring signature scheme, the real identity of the signer cannot be revealed in the event of a dispute, since there is no group leader with complete access to all information in a ring signature.
Homomorphic Encryption (HE)
Homomorphic encryption is a powerful tool used in cryptography. It can perform certain types of computation directly on ciphertexts, and ensures that when the encrypted result is decrypted, it matches the result that would have been obtained had the operation been performed on the plaintext. One can use homomorphic encryption techniques to store data securely in the blockchain without changing the nature of blockchain properties. This ensures that the data on the blockchain is encrypted and protected, thus addressing the privacy concerns associated with public blockchains.
Attribute-Based Encryption (ABE)
Attribute-based encryption (ABE) is a cryptographic method in which attributes are the defining and regulating factors for the ciphertext, which is encrypted using the secret key of the user. Only this user can decrypt the data using their own personal secret key. This technology prevents malicious users from accessing other users’ data and ensures that one can only access the data that can be unlocked using their own personal key. This is called collusion resistance.
The following table lists a few more methods used for data protection:
THE FUTURE OF BLOCKCHAIN PRIVACY MANAGEMENT
Many current blockchain technology applications still have a long way to go in terms of privacy and data protection. Processing personal data on a public blockchain, which is not properly encrypted, may, in the absence of clear regulatory guidance, involve significant financial and identity risks. In order to convince more and more users to join the blockchain revolution, companies have to prioritize data protection at the earliest. Blockchain technology offers great data transparency and integrity features, and this potential can be tapped to improve privacy vastly.
Researchers in this field envision a future when “self-governing blockchain-enabled identity and data management solutions provide the preferred way to maintain and demonstrate data privacy.” For the time being, policymakers can support innovation by recognizing decentralized data storage models and enforcing data privacy laws and regulations.
- https://www.davispolk.com/files/blockchain_technology_data_privacy_issues_and_potential_mitigation_strategies_w-021-8235.pdf
Anangsha Saha is an undergraduate student of economics at Lady Shri Ram College for Women, Delhi. She wishes to work in the field of finance in the future.