
In a constantly
and rapidly changing world, I wonder if a large part of the blockchain’s appeal
isn’t its durability, its steadfastness, its immutability. And this
characteristic – that it can’t be changed – is definitely one of the very many advantages
of the blockchain, and the future services running on it. Cut out the
corruption, inefficiencies, fraud and plain old human error in transactions in
one fell swoop.
But, what happens
when the irresistible appeal of the blockchain, and we’ve hardly even begun to
scratch the surface of what it will enable, comes up against the immovable
object that is the General Data Protection Regulation (GDPR)? I’ve had a bone
or two to pick with the GDPR before, both in terms of the likely burden it places on small and medium businesses, and also the impracticability of the right to request your personal
identification be erased and the knock-on effects this can have on actually running a
business.
Now, I’m wondering
what impact this right to be forgotten will have on the potential of the
blockchain, given that it seems to be entirely at odds with how the blockchain
operates, and hence the value and disruption it, as a decentralised ledger, can
deliver.
A quick recap.
The, as yet mostly untested, GDPR gives individuals the right to request an
organisation delete their personal identification information in certain circumstances.
These include that the data is no longer needed for the reason it was
originally collected; when the individual withdraws their consent that their
data be stored or objects to its being processed; if the data is being stored
in breach of the GDPR; to comply with a legal obligation; or if the personal
data belongs to a child.
As yet, it’s
unclear what erase means, especially within a digital context. Does it mean
erase entirely or just make it inaccessible? In my previous article I discussed some of the knock-on effects this can have in the
pre-blockchain world, but now let’s consider what this means for a world built
on the blockchain.
Unlike central registries controlled by a
single authority, say a bank, public blockchain ledgers are spread out over a
number of anonymous computers, connected on a peer-to-peer basis. The people
involved don’t have to know, or even trust, each other. Transactions are
announced to the group and recorded by everyone. At set intervals a section of
the ledger, called a block, is locked irreversibly using cryptography and a
piece of information from the previous block, and added to the chain. Working
on the principle that the majority is honest, if any copy of the block on the
network doesn’t match that of the others it is replaced with information the
majority agree on. In other words, the longest chain is the true one.
Although best known for powering
crypto-currencies, blockchain can also be used for many other things. For
instance, Malta is looking at a blockchain-based land and health registry. And
Estonians can log into their blockchain healthcare registry and see exactly who
has accessed their details. The savings alone that blockchain offers are
staggering. Goldman Sachs estimates that the securities industry could save $11
to $12 billion in fees by using blockchain to remove errors in the clearing and
settlement of cash securities.
So, what happens
then, in the case of Estonia say, when a citizen requests their personal
identification information be erased in compliance with the GDPR? Leaving aside
the havoc this will play with their ability to access healthcare, how does this
play out? Do all the nodes on the blockchain have to agree to roll back their
chain and amend the block? In principle this could happen, but it would be a lengthy process, and would put the
chain out of action for the duration. And what about subsequent blocks that
contain information based on the data in the amended block? Or a computer that
was part of the original chain, but has since exited, for whatever reason? It
would be impossible to track them down to see if the data is still lurking
somewhere on their hard drive. And what happens if the network of blockchain
nodes simply refuses? There is nothing really in it for them, after all, and it
goes against the spirit of blockchain, which is a fiercely protected thing. Plus,
who will the EU or national GDPR enforcers punish? Who are the data controllers
and processors now?
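To make the problem concrete, here is an added example (not part of the original post) of a toy hash-linked ledger in which one citizen's records are erased from an early block. The block layout, the function names and the sample records are all constructed for illustration and do not describe any real registry.

```python
import hashlib
import json

GENESIS = "0" * 64

def seal(index, prev, records):
    """Hash a block's contents together with the previous block's hash."""
    body = json.dumps([index, prev, records], sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def build_chain(batches):
    chain, prev = [], GENESIS
    for i, records in enumerate(batches):
        chain.append({"index": i, "prev": prev, "records": list(records),
                      "hash": seal(i, prev, records)})
        prev = chain[-1]["hash"]
    return chain

def broken_blocks(chain):
    """Indices of blocks whose seal or back-link no longer verifies."""
    bad, prev = [], GENESIS
    for b in chain:
        if b["prev"] != prev or seal(b["index"], b["prev"], b["records"]) != b["hash"]:
            bad.append(b["index"])
        prev = b["hash"]
    return bad

def erase(chain, index, subject):
    """Drop one data subject's records from a block without re-sealing it."""
    block = chain[index]
    block["records"] = [r for r in block["records"] if r["subject"] != subject]

def reseal_from(chain, index):
    """Re-seal the amended block and every later one; return blocks rewritten."""
    prev = chain[index - 1]["hash"] if index else GENESIS
    for b in chain[index:]:
        b["prev"], b["hash"] = prev, seal(b["index"], prev, b["records"])
        prev = b["hash"]
    return len(chain) - index

def diverging(chain, peer):
    """Indices where this copy's hashes differ from another node's copy."""
    return [a["index"] for a, b in zip(chain, peer) if a["hash"] != b["hash"]]

# Constructed sample data: four blocks of registry events.
SAMPLE = [
    [{"subject": "citizen-17", "event": "record created"}],
    [{"subject": "citizen-42", "event": "record created"},
     {"subject": "citizen-17", "event": "record viewed"}],
    [{"subject": "citizen-42", "event": "record viewed"}],
    [{"subject": "citizen-99", "event": "record created"}],
]
```

Erasing from block 1 fails verification on that node until block 1 and every later block are re-sealed, and after re-sealing the copy no longer matches any node that kept the original, which is why the whole network would have to agree to the same amendment.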
Of course, private,
permissioned, blockchains are a slightly different matter as it can be easier
to gain consensus from the nodes for a deletion. But again, this starts
impacting the value of blockchain and its immutability and decentralised nature,
as well as raising issues around governance: as accountants, we know that you
don’t correct an incorrect debit by deleting it, but rather with a credit.
Alternatively, and
maintaining a level of governance, there are solutions such as the one Accenture has
prototyped that allows blocks to be edited, re-written or removed without
breaking the chain. Plus, the edit leaves a “scar” so it is clear that the
block has been changed. Accenture argues that the ability to modify the
blockchain is required to make it commercially viable. Their prototype, they
further argue, doesn’t downgrade blockchain to a regular database though, as
organisations still get the benefits of data resiliency, integrity and security
supplied by the built-in cryptography. Purists would definitely not agree, and
I would have to say that they have a point.
Nevertheless, this
is a stark illustration of how regulation and security very often lag
innovation, and, if we are not careful, can bog it down or stop it in its
tracks altogether. With GDPR still in its infancy, and the plan being to
fine-tune the regulation during the first court cases, I wouldn’t want to be one
of the vanguard guinea pig organisations that this gets tested on.