Blockchain and privacy

Event report

[Read more session reports and live updates from the EuroDig 2019]

At the beginning of the session, Mr Arvin Kamberi (DiploFoundation) gave an overview of blockchain technology. He explained that its main features are consensus-based ledgers, immutability, using cryptography for security and verification, and its distributed nature. In essence, the blocks of data chained by cryptography create a tamper-proof online database of any digital data. This can strengthen privacy online. He reminded that the Internet is built on the open protocols, governed by the massive standardisation and interoperability efforts in a multistakeholder model. The UN Secretary General’s High-level Panel on Digital Cooperation report is titled ‘The Age of Digital Interdependence’, and we should discuss the emerging technologies in the same way.

The session moderator, Mr Jorn Erbguth (University of Geneva) talked about the relationship between the EU General Data Protection Regulation (GDPR) and blockchain. Erbguth stressed that the biggest threat to privacy currently is the huge collection of personal data that is controlled by single actors. When thinking about decentralisation, blockchain could be a solution, but how do we bring together its immutability and the right to be forgotten together? The question is whether blockchains can be GDPR-compliant. Immutability makes change impossible, and the right to be forgotten requires data to be removed. Erbguth noted that the problem could be avoided by using the hashing as a fingerprint that can be put on the original data to verify its credibility, but without the data itself being put on the blockchain. However, the issue of ownership and control remains. The GDPR demands clear responsibilities and a hierarchical model of data processing with a controller, processor, and data subject. This does not match blockchain’s peer-to-peer model where people are on the same level.

Ms Galia Kondova (University of Applied Sciences and Arts Northwestern Switzerland) talked about the self-sovereign identity (SSI) on closed blockchains. The SSI means that users can control their own data, not based on registered accounts (such as on Facebook or Google), but based on personal credentials on the blockchain. These together form the SSI that identifies the user to different entities, such as banks, government services, or retail services. Simultaneously, once in possession of own data, the user has responsibilities related to storing and privacy. On a closed blockchain, the SSI is being co-managed on three different layers. The verification of our credentials takes place offline in the micro ledgers and this complies with the GDPR.

Ms Lisa Trujillo (Independent Technologist and Privacy Researcher) presented the use of the SSI on permissionless blockchains. The permissionless network is a more fully decentralised and open governance model. The challenge is privacy and transaction speed. In regard to our rights, freedoms, and responsibilities, the SSI is coming forward as the fundamental building block and a defining point of the future success of blockchain-enabled innovation. Trujillo stressed that we should focus more on understanding the place of trust. There is either a high number of participants who do not know each other or a low number who do know each other. This demands trust and an incentive for people to join and know that the huge network is stable. In a permissionless blockchain, all parties agree on a certain state of the system, and this enables the transaction between distrusting parties and without the need for a trusted arbiter.

The audience was then separated into two working groups, to discuss the advantages and disadvantages of using blockchain-based services around identity and the SSI. One group discussed the dangers of wallets with the user information being hacked and problems of monopolies around providing the SSI services. The other group discussed the need for education of citizens to be able to trust, use, and benefit from the SSI, and the usability and centralisation issues.

Ms Anja Grafenauer (Privacy by Blockchain Design) presented current standardisation initiatives as they reduce legal uncertainty. Grafenauer noted several proposals about privacy and personally identifiable information protection, as well as the work of the International Telecommunication Union on the security of the distributed ledger technologies. She pointed out the JPEG White Paper (‘Towards a Standardized Framework for Media Blockchain and Distributed Ledger Technologies’)  and the work of the German Institute for Standardization. Grafenauer also spoke about the need to create a common language between law and information technology about personal data in blockchains.

By Jana Misic