Internet connectivity has made life easier in a number of ways. However, it has exposed gaping insufficiencies both in privacy-related controls for the individual and in the regulations required to grant and protect this right.
As privacy concerns have mounted globally, many countries have taken steps to grant people rights and control over their private data. One of the most thorough and best-known of these is the European Union's General Data Protection Regulation (GDPR). Similar data protection laws, however, exist in other jurisdictions across the globe.
The implications of the GDPR are likely to be felt globally. It is difficult for businesses to ignore the opportunity presented by the 512-million-strong European Union. Additionally, the GDPR promises hefty fines of up to four percent of total revenue for those found in violation.
Sheila Colclasure, the chief data ethics officer at data collecting firm Acxiom, reiterates the role of the far-reaching European law. Speaking to Wired, she said the GDPR "will set the tone for data protection around the world for the next 10 years."
What is privacy poisoning on the blockchain?
In the context of blockchains, privacy poisoning refers to a situation in which a ledger contains the private information of an individual. The presence of this personal data leaves the ledger in a state of conflict as it relates to data protection laws. Therefore, privacy poisoning is the 'contamination' of blockchains with private personal data.
Blockchain technology has struggled to comply with a continuously changing legal environment since its birth in 2009. The encompassing nature of the GDPR, moreover, creates a whole new host of challenges for distributed ledger technology (DLT).
Blockchains, especially in their original iterations as seen in cryptocurrencies, are designed to be immutable. It is this feature that allows the ledgers to replace traditional financial institutions in the role they play as accounting parties in the transfer of value between two counterparts. However, this feature puts blockchains at odds with current legislation, as the GDPR enshrines the right of the individual to be forgotten. This means that people should be able to permanently delete all their data from a database. In public blockchains, this is not possible.
With permissioned blockchains, the right to be forgotten may be easier to enforce. Permissioned blockchains are designed to accommodate customized privacy settings, and thus it may be possible to include a feature that ensures the ledger in question is compliant. However, it is important to note that this has to be assessed on a case-by-case basis and is unlikely to work well in many scenarios.
Another important consideration the GDPR brings to mind is how the data created when transacting with digital currencies should be handled. For instance, when one purchases something with bitcoin and processes the payment through a service provider, what personal information does the purchaser divulge? And if they do divulge any, can they delete this information?
In many cases, payment processors are required by law to acquire the personal information of their customers during the onboarding process. The service provider may be able to comply with the law and delete a person's data from their database. However, the actual transaction, as well as all related data like the wallet address, will still live on the ledger of the digital currency. The only cryptocurrency where this may not be an issue is the privacy-centric Monero.
Another important thing to consider is that it is possible to append data to a payment on many ledgers. For instance, Satoshi Nakamoto included a reference to the 2008 global financial crisis in bitcoin's genesis block. Thus, if a person were to add any personal data to a transaction, it would certainly amount to privacy poisoning.
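As an added illustration (not part of the original article): on Bitcoin, one common way to attach arbitrary data to a transaction is an OP_RETURN output, a mechanism the article does not name. The Python below parses such an output script and flags personal-data-like strings, which is the kind of check a compliance review of ledger data could run; the patterns, function names and sample scripts are constructed assumptions.

```python
import re

OP_RETURN = 0x6A
PUSHDATA_WIDTH = {0x4C: 1, 0x4D: 2, 0x4E: 4}  # OP_PUSHDATA1/2/4 length-field sizes

# Illustrative patterns only (assumption); a real review needs a broader PII policy.
PII_PATTERNS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(rb"\+\d{8,15}\b"),
}

def op_return_payloads(script: bytes) -> list[bytes]:
    """Return the data pushes of an OP_RETURN output script, or [] for other scripts."""
    if not script or script[0] != OP_RETURN:
        return []
    pushes, i = [], 1
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 0x4B:                 # direct push: opcode is the length
            size = op
        elif op in PUSHDATA_WIDTH:          # explicit little-endian length field
            width = PUSHDATA_WIDTH[op]
            size = int.from_bytes(script[i:i + width], "little")
            i += width
        else:                               # anything else (incl. OP_0) ends the scan
            break
        if i + size > len(script):
            raise ValueError("truncated data push")
        pushes.append(script[i:i + size])
        i += size
    return pushes

def find_pii(script: bytes) -> list[tuple[str, str]]:
    """List (pattern name, matched text) for every PII-like string in the payloads."""
    hits = []
    for data in op_return_payloads(script):
        for label, pattern in PII_PATTERNS.items():
            hits += [(label, m.decode()) for m in pattern.findall(data)]
    return hits

# Constructed samples: a data-carrying output and an ordinary pay-to-pubkey-hash output.
NOTE = b"refund to alice@example.com +4915112345678"
POISONED = bytes([OP_RETURN, len(NOTE)]) + NOTE
P2PKH = bytes.fromhex("76a914") + bytes(20) + bytes.fromhex("88ac")

if __name__ == "__main__":
    print(find_pii(POISONED))
    print(find_pii(P2PKH))
```

Finding such a string does not make it removable: the payload is part of the transaction and stays on every full copy of the ledger, which is the conflict with erasure described above.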
Who is responsible?
Global analytics firm Gartner recently released its annual predictions at its Symposium/ITxpo 2018 in Orlando, Florida. The firm's annual forecasts are widely considered to be a reliable predictor of things to come for the pertinent issues of the present time.
Gartner's 2018 predictions included a blockchain-related prophecy. The firm believes that the year 2021 will ring in with a significant number of public blockchains suffering from privacy poisoning. It believes three-quarters of blockchains will face this fate and that, as a result, more than €1bn in sanctions for GDPR non-compliance will have been levied against public blockchain operators.
While the non-compliance may present itself, it will be interesting to see how regulators will enforce these protections. Due to their design, public blockchains are decentralized. In the eyes of the law, this means they have many operators. Therefore, how will authorities go about accusations, prosecutions, and punitive measures in the face of privacy poisoning? Will the developers or creators of the digital currency in question be on the hook? Or is it the miners who secure the network? Or is anyone with a node, even a simple light client, guilty of the crime?
What is certain is that while privacy protection and subsequent enforcement are essential, it may be necessary to rework or include new definitions in the existing laws in order to adequately provide for technologies such as DLT, especially as they continue to grow in use.