Security firm Risk Based Security called 2019 the worst year on record for breaches. By last November, almost 8 billion records had already been affected. Third-party control over users’ data means privacy is no longer guaranteed.
Nonetheless, the inception of blockchain technology appeared to introduce a new era in data security. The technology has become quite common on the internet, but questions have come up about its ability to store data securely. The concern arises from its complete transparency, which is not suitable for confidentiality, as Chainalysis claimed recently.
With people’s lives becoming increasingly digitized, data protection and privacy are becoming highly relevant. Any action online becomes a speck of valuable activity for some companies, as data is collected and compiled into databases ready to be sold or auctioned off to the highest bidders.
The chief policy and industry relations officer of Brave browser, Johnny Ryan, said:
“RTB [Real-time-bidding, an auction for online ads] is the biggest data breach in the world. Personal data are being broadcasted to thousands of companies.”
Ryan pointed to the increasing number of data breaches, noting that many modern business models are largely based on the collection and sale of users’ private data. Social media networks like Facebook and browsers like Chrome sell data to anyone who pays for it.
Facebook and Canva had the most notorious data breaches, with 540 million and 139 million users affected in 2019, respectively. Billionaires and top entrepreneurs were also affected, as was the case with Amazon’s Jeff Bezos, who was hacked while using WhatsApp in 2018.
Statistics reveal that centralized companies have leaked user information quite frequently in the past. Data security is normally disregarded for the sake of convenience, with companies engaging third-party resources like Google Docs and Dropbox, whose safety has been regularly questioned.
Most of the data collected by third-party companies is stored in centralized databases, which act as single points of failure with a potential domino effect. In worst-case scenarios, data breaches go unnoticed or are not divulged.
The site Have I Been Pwned offers statistics on how many times a user’s personally identifiable information has been found online. The total number of breached accounts has now reached around 9.5 billion, according to the site’s statistics.
Could blockchain be the universal solution for user privacy?
Research and studies have concluded that blockchain is generally confidentiality-oriented. Hence, it can become a perfect solution for the challenges that come up in traditional storage systems. For instance, private blockchains can offer strictly enforced access to data based on set permissions.
Many solutions are available, including homomorphic encryption. This encryption enables computations to be conducted on encrypted data without the need for any preliminary decryption. The strategy was originally used on MIT’s Enigma network, which divides data into pieces and then encrypts it while randomly distributing it over the network in small segments.
None of the existing network nodes can read this data, although the users can decrypt it. Privacy and security are therefore preserved, and only users that have matching decryption keys and the appropriate credentials gain access. Cryptographic techniques, including zero-knowledge proofs together with zk-SNARKs, already use homomorphic encryption. One example that applies such strategies is Zcash (ZEC).
The essence of blockchain is that it negates any need for third parties, which guarantees a higher level of safety. The unveiling of various components like decentralized identity control forecasts a considerable reduction in identity theft.
A perfect example came in May 2019, when Microsoft announced its aim to use distributed registry technology to develop a decentralized identification system known as Decentralized ID, or DID. The system is based on the Microsoft Authentication application.
Developers are convinced that blockchain technology is ideal for personal information storage because it gets rid of the need to offer consent to use private data. As a result of this phenomenon, users’ identities are never duplicated or distributed among various servers and service providers like online stores and social media companies.
In the same context, the internet technology division of Samsung recently integrated QEDIT’s zero-knowledge proof into its enterprise-oriented Nexledger blockchain. The SDS team thinks that the integration will enable parties using corporate blockchains to record and authenticate transactions on an active shared ledger without disclosing confidential data.
The principle of personal information storage to protect user data was introduced by Jeff Pulver, the American who pioneered VoIP. The Federal Communications Commission passed the Pulver Order on Feb. 12, 2004. The commission then made it possible for people to use communication apps like WhatsApp freely.
Pulver requested to use a blockchain-enabled communication network based on decentralized solutions and new authentication layers in 2018. The new solution was known as Debrief, and it is claimed to be the most secure business communication network that is currently available for peer-to-peer audio and video calling, messaging, and decentralized file storage services.
The technology strives to ensure that it does not expose any users’ confidential information, unlike other services such as Zoom and Facebook. The solution lies in the decentralized storage infrastructure and secure blockchain authentication protocol that are impenetrable. Pulver asserts that Debrief’s data encryption algorithms do not permit the data to be edited or tampered with after it is uploaded on the network.
Every recipient on the network gets the same piece of information as it is entered in real-time. Hence, for any hacker to succeed in tampering with the information on one recipient’s computer, the other computers on the network must validate the change. Unless there is an extensive conspiracy, that validation would never happen. At that time, Pulver said:
“By refraining from centralized control, we will be removing the weak link from the equation — the third-parties.”
A project launched by MIT, known as MedRec, is designed to pursue a similar goal, although it focuses on the health care industry. It uses blockchain technology to support the secure exchange of health care information between service providers and patients. Eventually, the patients can retain total control of their data while simultaneously granting access to the service providers instead of the other way around.
MedRec has run a series of pilot tests with research partners, and it is now working on fine-tuning the system. Using MedRec can minimize health care data breaches and enhance the development of new Health Insurance Portability and Accountability Act-compliant Electronic Health Record solutions.
Notably, even General Motors supports blockchain technology. The company filed a patent in 2018 on self-driving cars. The vehicles can store data on a distributed ledger, which they can then share with other vehicles and entities linked to the system. The technology ensures that traffic safety and compliance with the many regulations of the transportation sector are achieved.
Data privacy not in agreement with blockchain
Blockchain technology is steadily acquiring use cases in many industries of the global economy. Nevertheless, analysts are convinced that although the transparency associated with the technology helps augment various processes, it also seems to compromise data privacy and sometimes security.
Vijay Rathour, a partner at the digital forensics and investigations group of Grant Thornton, compared the technology to bank vaults made entirely of glass while speaking about data security and blockchain:
“They’re very secure. They’re one-way vaults — i.e., you can put precious things in them but not take it out. The world can see the contents.”
But Rathour stated that none of these qualities stop bank vaults from holding stolen assets or blood money. Consequently, the effectiveness of the vaults does not mean that whatever is inside them is also good. On the contrary, it means only that the vaults will impenetrably store anything, irrespective of its origin. Rathour explained:
“Is it [data stored on blockchain] suitably anonymized? Would I want my passport visible to the world in a glass bank vault for the world to see? No. But I would probably enjoy the benefits of an encrypted version of my passport being held on the ‘cloud’ securely in this blockchain.”
Blockchain is concurrently ‘good and bad’
Blockchain technology has many in-built advantages that are known to make it a perfect match in matters of privacy. Furthermore, it provides useful data protection features that allow it to comply with the General Data Protection Regulation (GDPR). Yet, other aspects make this technology inapplicable.
Although immutability is admirable for data privacy, numerous hiccups exist. First, immutability comes sharply into conflict with various information storage laws. Secondly, any errors or inaccuracies that are mistakenly input on a blockchain network can never be corrected. Commenting on that issue, the chairman of the Cybersecurity Platform of the Austrian Government, Thomas Stubbings, said:
“Indeed, the key feature of a blockchain is protecting the integrity of data by rendering it immutable. However, exactly that feature can become a problem if the data is not required, wanted or correct anymore. It is virtually impossible to remove it. This creates a new sort of privacy problem.”
The co-founder and chief strategy officer of Chainalysis, Jonathan Levin, recently stated that full transparency is not entirely advantageous, since blockchain technology can also be used to track individuals and connect a lot of personal information to them. Levin explained that the two extremes of complete anonymity and absolute transparency are sometimes inadequate.
Complete anonymity, on the one hand, opens the door to illicit activity while, on the other hand, full transparency means that there is no privacy at all.
Teemu Alexander Puutio is an expert in compliance and an attachment instructor at the New York University School of Professional Services. He explained that there are many methods through which data can seep out from the cryptographically secured ledgers. He said that Bitcoin is pseudonymous. That makes its users vulnerable to tracking and identification.
For example, network traffic analysis has achieved 95% identification accuracy using theoretically easy methods of observation. Puutio also said:
“Bayesian probabilistic analysis has allowed researchers to identify thousands of accounts in a few months. These worries are further compounded by the fact that data stored on blockchains are typically immutable and fully public — at least to the verifier network.”
Furthermore, only a small share of blockchain platforms can deliver high levels of data security, according to a survey that was published in January 2019. Blockchain’s inability to selectively delete information may act as a double-edged sword.
Its negative aspect relates to the fact that a 51% majority of the nodes is required for data editing to take place. This significantly complicates the application of Article 17 of the GDPR, which provides the ‘right to be forgotten.’
One analyst also stated that there is a new threat known as ‘blockchain poisoning.’ It involves the insertion of personally identifiable information that cannot be erased, ultimately rendering blockchains noncompliant with the GDPR.
In the worst-case scenario, the blockchain becomes impracticable. This challenge is entirely new, and even European Union experts do not yet know how to combat it, since nobody owns public blockchains.
Such challenges may obstruct the evolution of a growing blockchain technology space. In due course, data consistency seems to be the primary barrier that must be fully overcome for blockchain technology to become an ideal solution from the GDPR point of view.
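The conflict between immutability and erasure can be seen in a minimal hash-linked ledger. This is an added example, not code from any project named in the article; the block layout, function names and sample payloads are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64

def block_hash(prev_hash, payload):
    """Each block's hash covers its payload and the previous block's hash."""
    data = json.dumps({"prev": prev_hash, "payload": payload}, sort_keys=True)
    return hashlib.sha256(data.encode()).hexdigest()

def append(chain, payload):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "payload": payload,
                  "hash": block_hash(prev, payload)})

def first_invalid(chain):
    """Index of the first block that fails verification, or None if consistent."""
    prev = GENESIS
    for i, block in enumerate(chain):
        if block["prev"] != prev or block["hash"] != block_hash(prev, block["payload"]):
            return i
        prev = block["hash"]
    return None

def erase_in_place(chain, index):
    """Honor an erasure request by overwriting one payload, leaving hashes alone."""
    edited = [dict(b) for b in chain]
    edited[index]["payload"] = "[erased]"
    return edited

def erase_and_rehash(chain, index):
    """Honor it by rebuilding the chain, re-hashing the block and all later ones."""
    rebuilt = []
    for i, block in enumerate(chain):
        append(rebuilt, "[erased]" if i == index else block["payload"])
    return rebuilt

def diverging_blocks(original, other):
    """How many blocks no longer match what other nodes already hold."""
    return sum(a["hash"] != b["hash"] for a, b in zip(original, other))

def build_sample():
    chain = []
    for payload in ["transfer 5 units A->B",                      # constructed data
                    "memo: name=Jane Example, passport=X0000000",  # constructed PII
                    "transfer 2 units B->C",
                    "transfer 1 unit C->A"]:
        append(chain, payload)
    return chain

if __name__ == "__main__":
    chain = build_sample()
    print(first_invalid(erase_in_place(chain, 1)))                 # verification fails
    print(diverging_blocks(chain, erase_and_rehash(chain, 1)))     # later blocks change
```

An in-place erasure is rejected by any verifying node, and a consistent erasure changes every later block hash, which is why the edit needs the agreement of the network rather than of a single operator.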
Blockchain technology is great, although…
The current world is still centralized to a great extent. Thus, data may be lost while in the control of a handful of operators. Governments are increasing regulations, although they are inadequate at guaranteeing the safety and security of user data. While summing up the role of blockchain technology in data security, Rathour said:
“Blockchains are good, but there is still art and science in putting and holding and curating data held in them. Just like databases, cloud computers and many other mechanical options available to those responsible for holding our data.”
The immutability factor does not let blockchain comply with the GDPR requirements, even though a critical mass of users demanding decentralized data storage may make the technology the de facto storage medium.
Blockchain technology still has a considerably long way to go before it becomes the all-in-one data storage solution. Full transparency and immutability are the two sides of the same coin, and this coin is still spinning.
“Developing light-weight cryptographic algorithms, as well as other practical security and privacy methods, will be a key enabling technology in the future development of blockchain and its applications.”
That is a clear suggestion by the authors of the Security and Privacy on Blockchain survey.