This post exposes the challenges in security and regulation of personal data protection posed by blockchain technology.
There are countless blockchain applications currently under development with uses other than cryptocurrencies in practically all sectors:
The financial industry (banking transactions between entities, means of payment, insurance policies),
Logistics (traceability and management of merchandise),
Energy (integration of generation means to the electrical grid),
Health and pharmaceutical (records, medical management, tracing of medicines),
The audiovisual industry (management of rights through the value chain of the work)
Tourism (management of reservations, contracts, rates, loyalty actions, identity management, luggage tracking),
Industry 4.0 (construction of secure communications in industrial networks through real-time updated registration of reliable IIoT devices integrated into the operations network)
Public Administration (management of licenses, transactions, events, movement of resources and payments, property management, identity management).
It should be noted the application of the Blockchain in the field of digital identity as a system to validate identities in an irrefutable, secure, and immutable way, which would allow citizens to decide who controls the use of their data by third parties. This technology enables tracing compliance with contractual and regulatory obligations in the legal and regulatory field: Privacy Laws.
The proliferation of blockchain platforms will have significant economic implications for companies, organizational, governance, and training is needed as the technology is complex and transversal across the organization.
The Blockchain is a conceptually secure technology thanks to its distributed nature, the irreversibility of transactions, and the heavy use of encryption. Vulnerabilities usually arise due to the implementation of platforms and applications: they are linked to computer code programming, communication protocols, or simplifying of the blocks' validation and consensus mechanisms.
Once a vulnerability is identified, it is challenging to patch without affecting the service due to the distributed architecture and the Blockchain's immutability. The problem is worsened by the diversity of programming languages and protocols, that is, by the lack of technological standards. This fragmentation reduces the chances of error detection and the implementation of controls over the code and disperses developers' experience under constant pressure to shorten delivery times.
The integration of blockchain platforms with IT systems supporting the company's business processes or interoperability between different blockchain platforms is still very incipient, limiting efficiency and increasing cybersecurity risks. It can take years to reach a degree of maturity and technical consensus that facilitates the convergence of security standards and interoperability between platforms. Therefore, developers and companies must inevitably incorporate security methodologies from the early stages of development, with the IT systems and cybersecurity departments' participation.
Platforms, services, and networks share security risks with information technologies, such as confidentiality, privacy, key management, cryptography, identification, and patching of vulnerabilities or awareness of social engineering threats. But they also offer specific risks:
The hijacking of the consensus mechanism through the coalition of users (51% attack) or one-off acquisition of large cloud computing capacity to alter the validation (for example, denying transactions or reallocating an asset already spent)
Mining of side or parallel chains (sidechains) due to less mining capacity or the possibility of attacks could block a side chain and reverse the transactional load by overloading the root blockchain.
Distributed denial of service attacks by injecting a high number of spam transactions.
Attacks focused on the managing entity's capabilities of an authorized blockchain.
As the number of blocks in a chain increases, the mining nodes tend to aggregate since the possibility of an individual node signing a Block and obtaining the reward decreases. This centralization can put at risk a reliable consensus if a few pools dominate the Blockchain. Concerning the widespread use of smart contracts to carry out transactions, they are exposed to errors and vulnerabilities derived from their coding.
In addition to programming errors, blockchain technologies face risks that have to do with cryptographic techniques that ensure the integrity of the transaction's data, such as the custody of private keys, wallet software, or the hypothetical weakening of cryptographic algorithms through quantum computing in the future.
The importance of taking care of the non-technological aspects derived from incorporating a blockchain platform into business processes or operations, particularly those related to organizational and business process impacts.
The Blockchain raises new and complex questions regarding the protection of privacy rights and the use of personal data. In particular, when transactions manage personal data or the blocks' information references the participants' data in applying the privacy laws.
Characteristics such as the decentralization of data processing and storage make the interpretation of the Law difficult. National regulatory authorities and International institutions promote regulatory analysis and issue guidelines and reports that are a mandatory reference for developers.
It is unavoidable to start any design of a blockchain platform or application by conducting an exhaustive analysis of the impacts on privacy, evaluating the convenience of adopting more appropriate alternative solutions to the Blockchain, or the need and proportionality of the design options that the management chooses.
Using a public blockchain should be evaluated since the private ones pose fewer regulatory difficulties. In public blockchains, all users can trace transactions from origin to destination or download the full ledger, which hinders the exercise of the right to be forgotten. Equally sensitive is the use of smart contracts that may be the source of personal data leaks.
Blockchains can contain two categories of personal data: those that identify the issuer and receiver of the transaction through public keys (metadata) and the transaction's information (the data itself). The regulatory tensions that capitalize on the debate between authorities and developers revolve around identifying two roles: Who controls the data and processes it. Other problems are:
Anonymization of personal data,
Exercising rights such as rectification,
Portability across jurisdictions of personal data.
Likewise, the design must pay special attention to the obligations derived from outsourcing or to the rules of governance in the international transfer of data, in particular between public blockchains.
The rapid growth of Blockchain is transversal to all sectors of activity in the public and private sphere. It has enormous potential as a paradigm of decentralization and empowerment of individuals and organizations.
The Blockchain is a secure technology, at least theoretically, exposed in its implementation to errors and vulnerabilities typical of any information system, added to those specific to this technology: lack of standardization and diversity of protocols, and fierce competition between private organizations and governments (CDBCs).
Privacy laws are different across countries, but they all have something in common:
The demand the identification of who controls and who processes data.
Anonymization of personal data, at least.
Rights enforcements such as rectification, "right to be forgotten," or portability of data
The application of security and privacy principles by design is mandatory from the initial phases of the design and considerations resulting from integrating the blockchain platform into business processes or operations, such as the impacts on the organization and the business processes. Facing these challenges requires the building of multidisciplinary teams that have participation from the beginning of the legal/regulatory, cybersecurity, and companies' IT systems.