This post exposes the challenges in security and regulation of personal data protection posed by blockchain technology.
There are countless blockchain applications currently under development with uses other than cryptocurrencies in practically all sectors:
- The financial industry (banking transactions between entities, means of payment, insurance policies).
- Logistics (traceability and management of merchandise),
- Energy (integration of generation means to the electrical grid),
- Health and pharmaceutical (records, medical management, tracing of medicines),
- The audiovisual industry (management of rights through the value chain of the work)
- Tourism (management of reservations, contracts, rates, loyalty actions, identity management, luggage tracking),
- Industry 4.0 (construction of secure communications in industrial networks through real-time updated registration of reliable IoT devices integrated into the operations network)
- Public Administration (management of licenses, transactions, events, movement of resources and payments, property management, identity management).
It should be noted that the application of the Blockchain in the field of digital identity is a system to validate identities irrefutably, securely, and immutable. Allowing citizens to decide who controls the use of their data by third parties. This technology enables tracing compliance with contractual and regulatory obligations in the legal and regulatory field: Privacy Laws.
The proliferation of blockchain platforms will have significant economic implications for companies, organizations, and governance. Training is needed as the technology is complex and transversal across the organization.
Blockchain security
The Blockchain is a conceptually secure technology thanks to its distributed nature, the irreversibility of transactions, and the heavy use of encryption. Vulnerabilities usually arise from implementing platforms and applications. They link to computer code programming and communication protocols or simplify the blocks’ validation and consensus mechanisms.
Once a vulnerability is identified, patching without affecting the service is challenging due to the distributed architecture and the Blockchain’s immutability. The problem is worsened by the diversity of programming languages and protocols and by the lack of technological standards. This fragmentation reduces the chances of error detection and the implementation of controls over the code and disperses developers’ experience under constant pressure to shorten delivery times.
Integrating blockchain platforms with IT systems supporting the company’s business processes or interoperability between different blockchain platforms is still very incipient. This limits efficiency and increases cybersecurity risks. It can take years to reach a degree of maturity and technical consensus that facilitates the convergence of security standards and interoperability between platforms. Therefore, developers and companies must inevitably incorporate security methodologies from the early stages of development. IT systems and cybersecurity departments must participate.
Specific Risks
Platforms, services, and networks share security risks with information technologies. Some examples are confidentiality, privacy, key management, cryptography, identification, and patching of vulnerabilities or awareness of social engineering threats. But they also offer specific risks:
- The hijacking of the consensus mechanism through the coalition of users (51% attack). One-off acquisition of large cloud computing capacity to alter the validation. For example, denying transactions or reallocating an asset already spent)
- Mining of side or parallel chains (sidechains) due to less mining capacity. The possibility of attacks could block a side chain and reverse the transactional load by overloading the root blockchain.
- Distributed denial of service attacks by injecting a high number of spam transactions.
- Attacks focused on the managing entity’s capabilities of an authorized blockchain.
The mining nodes aggregate as the number of blocks in a chain increases. The possibility of an individual node signing a Block and obtaining the reward decreases. This centralization can risk a reliable consensus if a few pools dominate the Blockchain. Concerning the widespread use of smart contracts to carry out transactions, they are exposed to errors and vulnerabilities derived from their coding.
In addition to programming errors, blockchain technologies face risks that have to do with cryptographic techniques that ensure the integrity of the transaction’s data, such as the custody of private keys, wallet software, or the hypothetical weakening of cryptographic algorithms through quantum computing in the future.
The importance of taking care of the non-technological aspects derived from incorporating a blockchain platform into business processes or operations, particularly those related to organizational and business process impacts.
Privacy design
The Blockchain raises new and complex questions regarding protecting privacy rights and using personal data. In particular, when transactions manage personal data or the blocks’ information, reference the participants’ data in applying the privacy laws.
Characteristics such as the decentralization of data processing and storage make the interpretation of the Law difficult. National regulatory authorities and International institutions promote regulatory analysis and issue guidelines and reports that are mandatory references for developers.
It is unavoidable to start any design of a blockchain platform or application by conducting an exhaustive analysis of the impacts on privacy. You must evaluate the convenience of adopting more appropriate alternative solutions to the Blockchain—the need and proportionality of the management’s design options.
You should evaluate the use of a public blockchain since private ones pose fewer regulatory difficulties. In public blockchains, all users can trace transactions from origin to destination or download the full ledger, which hinders the exercise of the right to be forgotten. Equally sensitive is the use of smart contracts that may be the source of personal data leaks.
Blockchains can contain two categories of personal data: those that identify the issuer and receiver of the transaction through public keys (metadata) and the transaction’s information (the data itself). The regulatory tensions that capitalize on the debate between authorities and developers revolve around identifying two roles: Who controls the data and processes it? Other problems are:
- Anonymization of personal data,
- Exercising rights such as rectification,
- Portability across jurisdictions of personal data.
Likewise, the design must pay special attention to the obligations derived from outsourcing or the governance rules in international data transfer, particularly between public blockchains.
Bottom line
The rapid growth of Blockchain is transversal to all sectors of activity in the public and private spheres. It has enormous potential as a paradigm of decentralization and empowering individuals and organizations.
The Blockchain is a secure technology, at least theoretically, exposed in its implementation to errors and vulnerabilities typical of any information system. In addition to those specific to this technology, lack of standardization and diversity of protocols and fierce competition between private organizations and governments (CDBCs).
Privacy laws are different across countries, but they all have something in common:
- They demand the identification of who controls and who processes data.
- Anonymization of personal data, at least.
- Rights enforcement such as rectification, “right to be forgotten,” or portability of data
Applying security and privacy principles by design is mandatory from the initial design phases and considerations resulting from integrating the blockchain platform into business processes or operations, such as the impacts on the organization and the business processes. Facing these challenges requires building multidisciplinary teams that have participation from the beginning of the legal/regulatory, cybersecurity, and companies’ IT systems.