Online privacy is by no means a new topic of debate. From the very beginnings of the internet, people have been concerned with the increasing degree of governmental surveillance that technology could allow. The concerns we have now, however, are different from the ones the cypherpunks of the 1990s used to have. Instead of fearing the Orwellian Big Brother, we now worry more about the big corporations that own and sell our personal data – with results varying from their databases being hacked and our data being leaked, to the manipulation of elections and the like.
Blockchain technology, the apparent panacea to the world’s many problems, has been often cited as a potential way to build more secure and resilient systems to protect individual privacy. In fact, the very origins of blockchain are closely tied to privacy concerns, with Bitcoin only being possible thanks to the cryptographic technology developed since the 1970s. The distributed ledger can indeed be a strong ally in the struggle for the protection of personal data, but to leave it at that would be to ignore the important fact that it can also go against it. In Europe, especially, the introduction of the new General Data Protection Regulation seems to be on a collision course with blockchain. So, how is it exactly that the same technology can have opposite effects depending on the context of its application?
Blockchain as a privacy-enhancing system
For starters, how can blockchain help to protect individual privacy – beyond the somewhat obvious possibility to transact pseudonymously with others, bypassing the control of a central authority? A very interesting potential feature of the system is the creation of “self-sovereign identities”, owned by the individuals and designed to make sure that only the information strictly necessary to a given transaction is revealed. They would give users the ability to control which aspects of their identities are shared, with whom and under which conditions – a point that incidentally goes in line with Hughes’ Cypherpunk Manifesto, in which he says that “privacy is the power to selectively reveal oneself to the world”.
In order to explain how that would work, suppose that you go to the liquor store. There, in order to buy a bottle of your alcoholic beverage of choice, you need to show your ID and prove that you are not underage. The only piece of information required to “authenticate” this transaction, then, is your birth date. The clerk doesn’t need to have access to anything else (for example your name, social security number or address). Your privacy with regard to these other details about yourself is thus ensured.
Now let’s move the case to the online realm, supposing that you’d like to access a website that requires you to be older than 18. As with the previous example, your date of birth is the only thing that needs to be verified. What tends to happen is that, in order to prove your age, you log in using the credentials of, let’s say, Facebook. With that, you not only reveal your age, but all of the information available on your public profile, including your email address, list of friends and pictures – which is not only completely unnecessary but also potentially very risky.
If you used a blockchain-based digital wallet, however, the situation would be very different. Instead of disclosing your birthday and a host of other personal information, it would simply check your age and answer the question of whether or not you are old enough to be granted access. With the use of the so-called zero-knowledge protocols, the website only gets a “yes” or “no” in order to determine your access, having “zero knowledge” of your actual birth date or anything else.
A good example of this is the Sovrin Network, run by the nonprofit Sovrin Foundation. The project involves precisely the creation of self-sovereign identities to allow for the verification of credentials in a privacy-safe way. In it, individuals, companies (and even things) can have their own digital wallets, which contain information verified by trusted sources such as banks and governmental agencies. This verified information can then be used to directly access services and content in different platforms, having the perks of both being one single repository of data (instead of the usual panoply of different logins and passwords for each website) and allowing the user to selectively choose which information will be revealed about him or her.
Blockchain and the clash with the GDPR
On the other hand, however, blockchain can also pose some challenges when it comes to the protection of privacy. One of the most notable will be on how to make sure that companies that rely on it will remain compliant to the General Data Protection Regulation (GDPR) – a hot topic since the regulation will come into force on May 25th. The new European regulation was created to enhance the protection of personal data (broadly defined as “any information relating to an identified or identifiable natural person”), so it might seem odd that it would clash with a technology that was designed for the same goal. Nevertheless, that is currently an issue.
The key factor here is that the GDPR assumes a structure that simply does not exist in the blockchain space. The regulation was drafted envisioning a world of centralized services and databases (think Facebook or Google), which is, in essence, the very opposite of how distributed ledgers work. Think, for example, of questions such as how to deal with the right to be forgotten or to rectify information, required by the law, when the blockchain is an immutable ledger. In the case of public ledgers, there might not even be a central actor capable of responding to the such a request.
Even more, what happens if a blockchain is hacked or if encrypted data is stored in a ledger and the encryption is broken? Would anyone even be liable if these things happened?
This is a crucial moment to discuss the interplay between blockchain and the privacy rules determined by the GDPR, since it will determine the future of the technology in the continent – and, by extent, how our privacy will be protected or violated. While it is clear that many points of tension exist, the debate as a whole is still very recent, so it might still be a little too soon to announce the European blockchain doomsday. Yes, some blockchain-based companies will have to change in order to be compliant. Some might even realized that their core business is no longer possible under the new law. However, even if it is decided that blockchains and the GDPR are completely incompatible, it is hard to believe that European authorities will simply rule out the use of the distributed ledger and miss out on all of its possibilities for growth and development. In the same way that companies will adapt to the legislation, EU authorities will have to find ways to deal with the evolving technology.
The bottom line is that every technology can be both an ally and an enemy when it comes to the protection of individual privacy, and blockchain is no different. Ultimately, it is the choices we make and support in regard to projects being developed and public policies being put in place that will shape and determine our degree of privacy.
