‘Taking Back Control Of Our Data’: Block(chain)ing Privacy
Imagine your refrigerator ordering
eggs and milk when you have completely forgotten you would be having
guests and would need to bake a cake. Or your washing machine taking
care of detergent supply on its own. Or your self-driving car charging
itself when low on battery and handling the whole process of
(self)-maintenance, so that you never ever have to worry about this
again, and with your data and private life completely protected. Science
fiction? Yes and no.
Blockchain and the Internet of Things
(IoT) have a lot in store and promise to deliver to some of these
visions of the future, while at the same time giving back citizens
‘control of their data’. ‘Blockchain’ has become the latest
buzzword in the tech community garnering the attention not only of geeks and hackers, but also of regulators and legal scholars. But what’s the fuss all about?
Quot capita, tot sententiae
The well-known saying that there are as many opinions as there are heads describes well the situation in answering what “the” blockchain is ( not). For starters, blockchain is the technology underlying the peer-to-peer cryptocurrency Bitcoin, but this is only one of its many applications.
In simple terms, the blockchain is… a chain of blocks, each block containing: (1) public header, i.e. a reference to the previous block in the chain; and (2) private data (transaction), i.e. the substantive content. The chain is formed by the sequential linking of each block to the previous one. Thus, by using the owner information stored in the public header one could go back in the chain to find information about all previous blocks up to the first, the genesis block. This mechanism could be likened to the chain of endorsements on paper-based transferrable documents. Linking is secured by means of public key cryptography ensuring that only the block’s data owner may decrypt it using the private key, while the various nodes in this peer network act to provide ‘consensus’ about the state of transactions.
The key advantages of blockchain are: (a) decentralisation: the consensus peer-to-peer model enabling the blockchain to run without the need of a central authority; (b) trust and provenance: by using cryptography; (c) resilience and irreversibility: by using distributed computing power protecting the network from collapse if one node fails and by ensuring that any modification of data is recorded.
Blockchain promises contracting parties honesty in their transactions by ensuring permanent, incorruptible and immutable records, eliminating the need of trusted third parties. Key applications of blockchains have been foreseen in ‘proof services’ such as identity, membership etc., smart contracts and decentralised autonomous systems and services in the IoT. However, scientists and legal scholars have admitted the pros of blockchains could push the boundaries of privacy and data protection law. Why?
When virtues become vices: Block(chain)ing privacy and data protection
The saying goes that a (block)chain is only as strong as its weakest
link. In legal terms, it reads: a blockchain is only as strong as its
It is notorious that trusting personal data in the hands of a third party is an open invitation for attacks and misuse. By decentralising trust, blockchains eliminate the need of a trusted third party. However, the irreversibility and transparency they create could make them unsuitable for personal data processing and may impede the exercising of the right to be forgotten. With risks ranging from breaching the pseudonymity of data subjects, through disclosing personal data by metadata, to the (im)possibility of removing data from a blockchain without hampering the whole system, privacy and data protection are high on the agenda.
Certainly, most of the information in a blockchain transaction would be covered by Article 2(a) and recital 26 of the Data Protection Directive and Article 4(1) and recital 26 of the General Data Protection Regulation as ‘personal data’. This could include anything from names, addresses, financial data and phone numbers to ‘sensitive’ health information. Considering the distributed peer-to-peer architecture of the blockchain, which by definition involves multiple transfers of (personal) data, it would be extremely difficult to determine the data controller, the legal basis and the purposes of data processing, the way individuals may exercise their access rights, especially these involving modification or erasure, and how their privacy would be guaranteed against the inherently transparent nature of the blockchain. That is not to say blockchains and the right to privacy are irreconcilable. It only goes to show we are in need of solutions.
Suggested technological solutions have varied from the development of decentralised systems combining repurposed blockchains with off-blockchain storage solutions enabling users to take control of their own data without compromising security, through compilers enabling developers to automatically generate effective cryptographic protocols, to private blockchains, abolition of the storage functionality altogether, or encrypting using public key encryption. Some of these systems claim to be capable of implementing data protection by design measures by enabling the programming of legal requirements into the blockchain itself to be automatically enforced.
“The first thing we do, let’s kill all the lawyers”
Whenever human societies have faced the advent of a new technology, however ‘disrupting’ or not it may be, lawyers have raised their voices. For good… in most cases.
In search of privacy-preserving implementations of the blockchain, the tech community has come closer to developing or, more precisely, ‘tweaking’ blockchains to balance between the benefits of decentralisation, trust and provenance and observing individuals’ privacy. These ‘tweaks’ are, however, insufficient if considered in a broader context where the inevitable clash between the individualistic foundations upon which the current legal system is built and the emerging collectivistic trends of decentralisation and non-formalism is likely to put to the test the very design of law as a regulatory system targeting the individual being.
The blockchain is probably here to stay. We are witnessing the advent of IoT. Decentralised networks and distributed computations have already been spotted as feasible solutions to dealing with the growing needs of the IoT ecosystems and the bottlenecks created by existing infrastructure. Nowadays, one could even see a simulation of the benefits of such an ecosystem when combined with blockchain technology. Against this background, the disruptive power of the blockchain may be a chance for citizens to ‘take back control of our data’ (or lose it altogether) but also for the whole society to make sure that today’s technologies ‘encode’ at the very least the values we want to live with tomorrow.
This article was first published in CiTiP Blog and is reprinted here with the author's full permission.