Are Distributed Ledger Technologies like Blockchain Really the Solution to Increasing Privacy Concerns?
The day is October 24th, 2018, at the International Conference of Data Protection & Privacy, in Berlin. Tim Cook, CEO of Apple, is speaking to a room full of data enthusiasts about the need for stronger privacy regulations in the United States. Behind Cook is the new General Data Protection Regulation in the European Union, growing surveillance across the globe, and a regular parade of data breaches in the news. Cook argues that stronger regulations and, critically, better enforcement are needed to protect individual control over personal data. The status quo is growing stale, with studies showing increasing concern over privacy across the globe, even as new technology collects more personal data now than ever.
Some critics, however, ask why we need more regulations at all. Why not instead use new technologies, such as blockchain, for better privacy protection? It should come as no surprise that many are looking to technology for a solution to privacy problems. Daconomy is one; the Sovrin Network and NuCypher are others. Their business models and technology suggest a new premise for privacy: use blockchain to give users encrypted tokens for holding personal information, which can then be shared, and revoked, as needed.
The movement to use blockchain as a privacy solution
First, a quick consideration about blockchain technology. I’ve written about blockchain and privacy before, and although aspects of the technology continue to improve, my opinion remains the same. There are significant benefits to integrating blockchain into business practices, but for personal data, it still seems to fall short. Notably, no blockchain solution exists that can delete or permanently obfuscate the data it holds. This puts personal data on blockchain in direct violation of GDPR Article 17, the ‘Right to erasure’. There is also the concern over how blockchain can allow users to access their own data without opening the door for others, although the growing integration of privileged access management solutions shows promise in this area.
Blockchain privacy startups, however, aren’t viewing privacy through legislative or regulatory frameworks. Instead, they suggest a new level of privacy protection, using technology that grants total control over personal data. If a person’s data is on a blockchain, there is automatic encryption. Better still, what if the blockchain allows the individual to grant or withdraw access to their data at any point? Here, the argument for requiring data deletion carries less weight: why does the right to erasure matter if I can remove access to the data entirely?
I give props to Daconomy and related innovators. These are credible startups that engage experts and bring good ideas to the table. There’s even a part of me that wants to get on board; challenging preconceived definitions and notions of what works and what doesn’t in any industry is a must. What I can’t give a pass on, however, is the idea that technology alone can solve the privacy problem. Blockchain won’t fix privacy concerns.
Case study: could blockchain have prevented this?
Consider a case closer to home here in Canada: the revelation that a Nova Scotia grocery-store pharmacist had ‘snooped’ on patients. The case, which made the rounds in the local media, centred on an employee’s use of personal data accessed from the provincial drug information system. Unlike many cases that arouse public fury, in this case there were no stolen records, no sold data, no identity fraud. Instead, the situation is simply creepy as all heck: a local pharmacist and otherwise trustworthy member of the community caught spying on patients. The results of the Privacy Commissioner of Nova Scotia’s investigation are unnerving. The pharmacist accessed health information on her child’s friends, schoolteachers, personal coworkers, individuals with whom there had been altercations, and others.
Unfortunately, it’s hard to see how putting personal data on an encrypted blockchain would have stopped the breach. From a process point of view, everything worked fine: the data was encrypted, access was limited to those who needed it (local pharmacists), and the database had undergone an extensive impact assessment prior to launch. The grocery chain employer had a privacy policy on record, ensured all pharmacists underwent privacy training, and regularly updated their team with advice to keep current. Yet a privacy failure still happened. Why? Simple: in a pharmacy, and in many other cases, humans still need to look at the data to use it. Every control listed above governs who may open a record; none of them can tell whether an authorized person opened it for a legitimate reason.
Other concerns worth considering
There are other considerations before pointing to distributed ledger technology for privacy protection. As noted, by default all data residing in a blockchain is encrypted, which is a significant part of its security. However, would that encryption truly protect against a law enforcement warrant requesting the data? International justice departments and their proponents continue to argue for law enforcement encryption backdoors, while cryptography professionals continue to argue against the logic of this request. Would an individual in control of their data via blockchain have the right to withdraw access if a legal request is made? What if the legal request is made to the company hosting the blockchain?
Personal data differs from other types of information because we use it to make decisions about people. Critically, collection of personal data grants some level of power over human beings. As John Dalberg-Acton famously said: “Power tends to corrupt, and absolute power corrupts absolutely”. If information is power (and of this there are few doubts; why else would everyone be scrambling to collect it?), there will always be a risk of corruption. Technology alone can’t stop a breach of trust.
Protecting privacy through technology and beyond
Don’t get me wrong: technology does have an important place in privacy protection. Encryption of personal information ensures only those who need access to information can see it in the first place. Audit logs, particularly if regularly monitored, can catch privacy violations early by spotting red flags, such as record lookups that have no corresponding business activity behind them. If your team is considering investing in stronger security architecture, don’t toss those efforts out the door. However, technology cannot be the be-all and end-all of privacy protection. Even if our data resides in a blockchain, what assurances do we have that everyone who has access is trustworthy? How can we ensure that organizations know they are accountable for the personal data they use and collect? How do we encourage them to be responsible with private data, and require employees to be the same?
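The audit-log point above is the one place where technology could have surfaced the pharmacist case earlier, so here is an added example of what "spotting red flags" can look like in practice. This is illustrative code written for this article, not software from any of the companies or systems mentioned. It assumes a constructed log format (`timestamp|user|action|patient`) and a hypothetical business rule: a record lookup by a pharmacist is expected to be followed by a dispensing event for the same patient within a few hours, and lookups that are not are counted per user and escalated once they pass a threshold. Real drug information systems will have their own schemas and their own notion of a justified access; the structure of the check is the point.

```python
"""Flag record lookups in a pharmacy audit log that lack a business justification.

Added example for this article. Log format and the "lookup should be followed
by a dispense" rule are assumptions, not features of any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp|user|action|patient.
SAMPLE_LOG = """\
2018-10-22T09:02:11|pharm01|LOOKUP|P1001
2018-10-22T09:04:40|pharm01|DISPENSE|P1001
2018-10-22T11:15:03|pharm01|LOOKUP|P2042
2018-10-22T11:15:30|pharm01|LOOKUP|P2043
2018-10-22T11:16:02|pharm01|LOOKUP|P2044
2018-10-22T14:30:00|pharm02|LOOKUP|P3001
2018-10-22T16:45:12|pharm02|DISPENSE|P3001
2018-10-23T08:10:00|pharm02|LOOKUP|P3002
"""

# Assumed rule: a lookup is justified if the same user dispenses to the same
# patient within this window after the lookup.
JUSTIFICATION_WINDOW = timedelta(hours=4)


def parse_log(text):
    """Parse the constructed log format into (ts, user, action, patient) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split("|")
        events.append((datetime.fromisoformat(ts), user, action, patient))
    return events


def unjustified_lookups(events, window=JUSTIFICATION_WINDOW):
    """Return (user, patient, timestamp) for every LOOKUP with no matching
    DISPENSE by the same user for the same patient inside the window."""
    dispenses = defaultdict(list)
    for ts, user, action, patient in events:
        if action == "DISPENSE":
            dispenses[(user, patient)].append(ts)

    flagged = []
    for ts, user, action, patient in events:
        if action != "LOOKUP":
            continue
        justified = any(ts <= d <= ts + window for d in dispenses[(user, patient)])
        if not justified:
            flagged.append((user, patient, ts.isoformat()))
    return flagged


def per_user_counts(flagged):
    """Count unjustified lookups per user; this is what a manager's report shows."""
    counts = defaultdict(int)
    for user, _, _ in flagged:
        counts[user] += 1
    return dict(counts)


def red_flags(flagged, threshold=3):
    """Users whose unjustified-lookup count reaches the (assumed) threshold."""
    return sorted(u for u, n in per_user_counts(flagged).items() if n >= threshold)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    flagged = unjustified_lookups(events)
    for user, patient, when in flagged:
        print(f"{when} {user} looked up {patient} with no dispense in window")
    print("per-user:", per_user_counts(flagged))
    print("escalate:", red_flags(flagged))
```

The threshold is deliberately low so the constructed data trips it; in a real deployment it would be tuned against normal workload, and a single unjustified lookup of a coworker's or neighbour's record would still merit a look. Note what the check does not do: it cannot tell a curious lookup from a genuine clinical question, which is exactly why the article argues that the log has to be read by an accountable human rather than left to technology alone.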
This is why regulations, with enforced penalties, are important. They are not perfect, but they do emphasize to organizations that they must do better. Ideally, they also provide an accountability framework and recommendations to safeguard trust. Companies in compliance with the GDPR must demonstrate that employees are aware of their responsibilities when handling data. In addition to the European Union, other countries, including Argentina and Morocco, are expected to improve their privacy legislation to follow suit. California has a new Customer Privacy Act.
In the case of the Nova Scotian pharmacist, the parent company will (hopefully) be taking community concerns to heart. Recommendations to avoid future snooping include providing audit reports to local management, and having all employees sign a yearly Confidentiality Oath. For other organizations it is an excellent reminder of why there’s more to privacy than solid data protection solutions. For effective privacy, integrating an aware and accountable corporate culture is critical.