Privacy and blockchain
A blockchain is a public, shared database that records transactions between two parties. Specifically, blockchains document and confirm who owns what at a particular time through cryptography. After a particular transaction is validated and cryptographically verified by other participants, or nodes, in the network, it is made into a "block" on the blockchain. A block contains information about when the transaction occurred, previous transactions, and details about the transaction. Once recorded as a block, transactions are ordered chronologically and cannot be altered or changed. This technology rose to popularity after the creation of Bitcoin, the first application built using blockchain technology, and has since catalyzed other cryptocurrencies and applications. Because of its decentralized nature, transactions and data are not verified and owned by one single, overpowering entity, as they are in typical systems. Rather, the validity of transactions can be confirmed by any node, or computer, that has access to the network. Additionally, blockchain technology secures and authenticates transactions and data through cryptography. With the rise and widespread adoption of technology, data breaches have become frequent. User information and data are often stored, mishandled, and misused, posing a threat to personal privacy. Currently, many are pushing for the widespread adoption of blockchain technology for its ability to increase user privacy, data protection, and data ownership.
Blockchain and privacy protection
Private and public keys
A key aspect of privacy in blockchains lies in the use of private and public keys. Blockchain systems use asymmetric cryptography to secure transactions between users. In these systems, each user has a public and a private key. These keys are random strings of numbers and are cryptographically related to one another. Although the public and private keys are related, it is mathematically impossible for a user to guess another user's private key from their public key. This increases security and protects against potential hackers or malicious users. Public keys can be shared with other users in the network, as they do not give any information regarding personal data. Additionally, each user has an address, which is derived from the public key using a hash function. These addresses are used to send and receive assets on the blockchain, such as cryptocurrency. Because blockchain networks are shared with all participants, users can view past transactions and activity that have occurred on the blockchain.
On the blockchain, senders and receivers of past transactions are represented by their addresses. Because of this, users' identities are not revealed. Public addresses do not reveal any personal information or identification. Rather, public addresses act as pseudonymous identities. This allows users to have their identities relatively concealed on the blockchain. However, it is suggested that users do not use a public address more than once. This tactic avoids the possibility of a malicious user tracing a particular address's past transactions in an attempt to reveal information. Additionally, private keys are used to protect user identity and security through digital signatures. Firstly, private keys are used to access funds and personal wallets on the blockchain. Private keys also add a layer of identity authentication. When an individual wishes to send money to another user, they must provide a digital signature (which can be produced only with the particular private key). This process protects against potential hackers who aim to pose as certain individuals and use those individuals' funds.
As previously stated, blockchain technology arose from the creation of Bitcoin. In 2008, the pseudonymous Satoshi Nakamoto released a paper describing the technology behind blockchains. In his paper, he explained a decentralized network that was characterized by peer-to-peer transactions involving cryptocurrencies, or electronic money. In typical transactions carried out today, users put trust into central authorities to securely hold their data and execute transactions.
In large corporations, a large amount of users' personal data is stored on a single device, posing an extreme security risk if an authority's system is hacked, lost, or mishandled. In contrast, blockchain technology aims to get rid of this reliance on a central authority. To achieve this, a blockchain functions in a way where nodes, or devices in a particular blockchain network, can confirm the validity of a transaction rather than a powerful third party. In this system, transactions between users (such as sending and receiving cryptocurrency) are broadcast to every node in the network. However, before the transaction is recorded as a block on the blockchain, nodes must ensure that a transaction is valid. In other words, nodes must check past transactions of the spender to ensure that the spender did not double spend, or spend more funds than they actually own.
After nodes confirm that a block is valid, consensus protocols, such as proof of work and proof of stake, are then deployed by miners. These protocols allow nodes to reach a state of agreement on the order and amount of transactions. Once a particular transaction is verified, it is then published on the blockchain as a block. Once a block is created on a blockchain, it cannot be altered or changed. Through blockchain's decentralized nature and elimination of the need for a central authority, user privacy is increased. Peer-to-peer networks allow for users to control their data, decreasing the threat of third parties to sell, store, or manipulate personal information.
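The two node-side checks described above, rejecting a spend that the sender's history cannot cover and making a recorded block tamper-evident, can be sketched as follows. This is an added example, not code from any blockchain project; the `COINBASE` issuance marker, the address names and the block layout are constructed for illustration, and consensus (proof of work or proof of stake) is left out.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64
ISSUER = "COINBASE"  # constructed marker for newly issued funds

def block_hash(block):
    """SHA-256 over the block's contents, including the previous block's hash."""
    body = {k: block[k] for k in ("index", "prev_hash", "transactions")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def apply_tx(balances, tx):
    """Apply one transaction to a balance table, rejecting overspends."""
    if tx["amount"] <= 0:
        raise ValueError("amount must be positive")
    if tx["sender"] != ISSUER:
        if balances.get(tx["sender"], 0) < tx["amount"]:
            raise ValueError(f"{tx['sender']} is spending funds it does not own")
        balances[tx["sender"]] -= tx["amount"]
    balances[tx["receiver"]] = balances.get(tx["receiver"], 0) + tx["amount"]

def balances_from_history(chain):
    """Replay every recorded transaction, as a validating node would."""
    balances = {}
    for block in chain:
        for tx in block["transactions"]:
            apply_tx(balances, tx)
    return balances

def append_block(chain, transactions):
    """Validate new transactions against past ones, then link a new block."""
    balances = balances_from_history(chain)
    for tx in transactions:
        apply_tx(balances, tx)          # raises on a double spend
    block = {
        "index": len(chain),
        "prev_hash": chain[-1]["hash"] if chain else GENESIS_PREV,
        "transactions": transactions,
    }
    block["hash"] = block_hash(block)
    chain.append(block)
    return block

def first_invalid_block(chain):
    """Index of the first block whose hash or back-link is wrong, else None."""
    prev = GENESIS_PREV
    for block in chain:
        if block["prev_hash"] != prev or block["hash"] != block_hash(block):
            return block["index"]
        prev = block["hash"]
    return None

def demo():
    chain = []
    append_block(chain, [{"sender": ISSUER, "receiver": "addr_A", "amount": 10}])
    append_block(chain, [{"sender": "addr_A", "receiver": "addr_B", "amount": 7}])
    try:  # addr_A has 3 left, so spending 7 again must be refused
        append_block(chain, [{"sender": "addr_A", "receiver": "addr_C", "amount": 7}])
        rejected = False
    except ValueError:
        rejected = True
    before = first_invalid_block(chain)
    chain[1]["transactions"][0]["amount"] = 1   # rewrite recorded history
    after = first_invalid_block(chain)
    return rejected, before, after, len(chain)

if __name__ == "__main__":
    print(demo())
```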
A zero-knowledge proof is a consensus protocol where one party proves to another party that a specific set of information (i.e., that a transaction is valid) is true. However, the "prover" does so in a way that does not reveal any specific information about the transaction. This can be done through complex cryptographic methods. This method, which has recently been introduced into blockchain systems using zk-SNARKs, is intended to increase privacy in blockchains. In typical public blockchain systems, a block contains information about a transaction, such as the sender's and receiver's addresses along with the amount sent. However, many users are not comfortable with this degree of transparency. In order to maintain blockchain's decentralized nature while decreasing transparency, zero-knowledge proofs do not reveal or share anything about a particular transaction, other than the fact that it is valid.
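The key, address and signature mechanics from the "Private and public keys" section, and the idea of proving something without revealing the secret behind it, can both be seen in a Schnorr signature, which is a proof of knowledge of the private key made non-interactive with a hash. This is an added example, not code from Bitcoin or from any zk-SNARK system, and it is far simpler than a zk-SNARK; the group parameters are toy-sized, and the address format and transaction encoding are assumptions.

```python
import hashlib
import secrets

# Toy parameters (assumption): real systems use elliptic curves such as secp256k1.
P = 2**127 - 1      # a Mersenne prime used as the modulus
G = 3               # base element
ORDER = P - 1       # exponents can be reduced mod P-1 (Fermat's little theorem)

def keygen():
    """Private key: random exponent. Public key: G^priv mod P."""
    priv = secrets.randbelow(ORDER - 1) + 1
    return priv, pow(G, priv, P)

def address(pub):
    """Address derived from the public key with a hash (hypothetical format)."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:40]

def _challenge(commitment, pub, message):
    data = commitment.to_bytes(16, "big") + pub.to_bytes(16, "big") + message
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER

def sign(priv, message):
    """Prove knowledge of priv for this message without disclosing priv."""
    pub = pow(G, priv, P)
    k = secrets.randbelow(ORDER - 1) + 1        # fresh secret nonce per signature
    commitment = pow(G, k, P)
    c = _challenge(commitment, pub, message)
    s = (k + c * priv) % ORDER                  # k masks priv in the response
    return commitment, s

def verify(pub, message, signature):
    """Check G^s == commitment * pub^c using public values only."""
    commitment, s = signature
    if not (0 < commitment < P and 0 <= s < ORDER):
        return False
    c = _challenge(commitment, pub, message)
    return pow(G, s, P) == (commitment * pow(pub, c, P)) % P

def encode_tx(tx):
    return f"{tx['sender']}->{tx['receiver']}:{tx['amount']}".encode()

def node_accepts(tx, pub, signature):
    """A node's check: the key hashes to the sender address and signed this tx."""
    return address(pub) == tx["sender"] and verify(pub, encode_tx(tx), signature)

def demo():
    alice_priv, alice_pub = keygen()
    mallory_priv, mallory_pub = keygen()
    tx = {"sender": address(alice_pub), "receiver": "addr_bob", "amount": 5}
    good = sign(alice_priv, encode_tx(tx))
    forged = sign(mallory_priv, encode_tx(tx))  # signed with the wrong key
    altered = dict(tx, amount=500)              # amount changed after signing
    return {
        "owner_spend": node_accepts(tx, alice_pub, good),
        "forged_with_alice_pub": node_accepts(tx, alice_pub, forged),
        "forged_with_mallory_pub": node_accepts(tx, mallory_pub, forged),
        "altered_amount": node_accepts(altered, alice_pub, good),
    }

if __name__ == "__main__":
    print(demo())
```

The verifier only ever handles the public key, the commitment and the response; the nonce `k` must be fresh and secret for every signature, because reusing it exposes the private key.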
Comparison of blockchain privacy systems
Private blockchains (also referred to as permissioned blockchains) are different from public blockchains. As stated, public blockchain ledgers are available to any node that wishes to download the network. Common critiques of public blockchains claim that, because everyone has the ability to download a blockchain and look at the history of transactions, there is not much privacy. However, in private blockchains, nodes must specifically be granted access to participate, view transactions, and deploy consensus protocols. Because transactions listed on a private blockchain are not public to all, private blockchains ensure an extra layer of privacy. Since private blockchains have restricted access and nodes must be specifically selected to view and participate in a network, some argue that private blockchains grant more privacy to users. While private blockchains are deemed the most realistic way to adopt blockchain technology into business models in order to maintain a high level of privacy, private blockchains also have cons. For example, private blockchains delegate specific actors to verify blocks and transactions. Although some argue that this provides efficiency and security, concerns have arisen that private blockchains are by nature not truly decentralized, because the verification of transactions and control are put back into the hands of a central entity.
Hybrid blockchains allow more flexibility to determine what data remains private and what data can be shared publicly. A hybrid approach is compliant with GDPR and allows entities to store data on clouds of their choice, in the region needed to comply with local laws that protect people's privacy. A hybrid blockchain contains characteristics of both private and public blockchains. Not every hybrid blockchain contains the same characteristics, just as Bitcoin and Ethereum do not share the same characteristics even though they are both public blockchains. Interchain allows sensitive business logic to be kept private, while also giving control over what data is hosted on community-run nodes and additional public blockchains. The shared data can simply be the hash of the transactions, to leverage Bitcoin's hash power and decentralized nature, or, if explicitly permissioned, any other data, such as a transparent overview of donations and what the funds are being used for. Other examples include decentralized authentication that provides autonomy over data and, more importantly, over who may access it.
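Publishing only a hash of private transactions, and later disclosing one explicitly permissioned record (such as a donation) against that hash, can be done with a salted Merkle tree. This is an added example, not Interchain's or any other product's implementation; the record format, the per-record salts and the promote-the-unpaired-node tree rule are assumptions made for illustration.

```python
import hashlib
import secrets

def leaf_hash(record, salt):
    """Salted leaf: the 16-byte salt stops guessing of low-entropy records."""
    return hashlib.sha256(b"\x00" + salt + record).digest()

def node_hash(left, right):
    """Interior node; the prefix keeps leaves and nodes in separate domains."""
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(leaves):
    """All tree levels, leaves first; the last level holds the single root."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])         # an unpaired node is promoted unchanged
        levels.append(nxt)
    return levels

def inclusion_proof(levels, index):
    """Sibling hashes from leaf to root, each flagged if it sits on the left."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):        # promoted nodes have no sibling here
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof

def verify_inclusion(leaf, proof, anchored_root):
    """Recompute the root from one leaf and its proof; compare to the anchor."""
    acc = leaf
    for sibling, sibling_is_left in proof:
        acc = node_hash(sibling, acc) if sibling_is_left else node_hash(acc, sibling)
    return acc == anchored_root

def demo():
    # Constructed private records held on the permissioned side.
    records = [
        b"donor=A;amount=50;purpose=school",
        b"donor=B;amount=20;purpose=clinic",
        b"donor=C;amount=75;purpose=school",
        b"payroll;employee=17;amount=3100",
        b"donor=D;amount=10;purpose=clinic",
    ]
    salts = [secrets.token_bytes(16) for _ in records]
    levels = build_levels([leaf_hash(r, s) for r, s in zip(records, salts)])
    anchored_root = levels[-1][0]       # the only value published publicly

    results = {}
    for i in (2, 4):                    # records chosen for public disclosure
        proof = inclusion_proof(levels, i)
        results[i] = verify_inclusion(leaf_hash(records[i], salts[i]), proof, anchored_root)
    altered = leaf_hash(b"donor=C;amount=7500;purpose=school", salts[2])
    results["altered"] = verify_inclusion(altered, inclusion_proof(levels, 2), anchored_root)
    return len(anchored_root), results

if __name__ == "__main__":
    print(demo())
```

Only the 32-byte root leaves the private side; a disclosed record is checked with its salt and proof, and the undisclosed records (the payroll entry here) stay hidden.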
Use cases for privacy protection
After Satoshi Nakamoto spurred the creation of blockchain technology through Bitcoin (the most well-known blockchain application), cryptocurrencies rose in popularity and prevalence. Cryptocurrencies are digital assets that can be used as an alternative form of payment to typical fiat. In our current financial systems, however, there exist many privacy concerns and threats. A large hurdle in typical data-storage systems is centralization. Currently, when individuals deposit money, a third-party intermediary is necessary. When sending money to another user, individuals must trust that a third party will complete this task. However, blockchain decreases the need for this trust in a central authority; rather, cryptographic functions allow individuals to send money directly to other users. Because of Bitcoin's widespread recognition and sense of anonymity, criminals have used this to their advantage by purchasing illegal items using Bitcoin. Through the use of cryptocurrencies and their pseudonymous keys that signify transactions, illegal purchases are difficult to trace and pin to a single individual. Due to the known potential and security that lie in blockchains, many banks are taking steps to adopt business models that embrace and utilize the technology.
Health care records
In recent years, more than 100 million health care records have been breached. However, attempted solutions to this prevailing issue of data breaches often result in the inaccessibility of health records. A large part of this struggle is due to the fact that health providers regularly send data to other providers regarding a specific patient. Furthermore, this passing of data between providers often results in mishandling data, losing records, or passing on inaccurate and old data. Additionally, in some cases, only one copy of an updated health record exists; this can result in the loss of important information. On top of these concerns, health records often contain highly personal information, including patient names, social security numbers, and home addresses. Overall, it is argued by some that the current system of transferring health information compromises patient privacy in order to make records easy to transfer.
As blockchain technology has expanded and developed in recent years, many have pressed to shift health record storage onto the blockchain. Rather than having both physical and electronic copies of records, blockchains could allow the shift to solely electronic health records, or EHRs. By placing medical records on the blockchain, health information would be in the control of the patient rather than a third party, through the patient having a private and public key. Using this technology, patients could then control who has access to their health records, making transferring information less cumbersome. Additionally, because blockchain ledgers are immutable, health information could not be deleted or tampered with. Blockchain transactions, or updates to said health record, would be accompanied by a timestamp, giving those with access updated information and a clear sense of when particular things occurred in a patient's health history.
Another popular use case that protects the privacy of individuals is notarization of legal documents. Currently, documents must be verified through a third party, or notary. This poses roadblocks, as notarization fees can be high. Additionally, transferring documents takes time and can lead to lost or mishandled information. As with healthcare records, many are pressing for the adoption of blockchain technology for the storage of legal documents. This way, documents cannot be tampered with and can be easily accessed by those who are granted permission to such documents. As a result, individual information is protected from theft and from mishandling of private information. Another potential adoption of blockchain technology is the execution of legal contracts using smart contracts. Smart contracts are a popular application of the blockchain network in which nodes automatically execute the terms of a contract. By using smart contracts, people will no longer have to rely on a third party to manage contracts, allowing for an increase in privacy regarding personal information.
Legality of blockchain and privacy
With the recent adoption of the General Data Protection Regulation in the European Union, questions have arisen regarding blockchain's compliance with the act. In short, GDPR is a piece of data privacy legislation that was enacted to protect EU citizens from data breaches. This piece of legislation applies both to those who process data in the EU and to those who process data outside the EU for people in the EU. However, personal data (as defined by the GDPR) is "any information relating to an identified or identifiable natural person". Because identities on a blockchain are associated with an individual's public and private key, it is in question whether or not this falls under the category of personal data, since public and private keys enable complete pseudonymity and are not necessarily connected to a specific identity. Additionally, a key part of the GDPR lies in a citizen's right to be forgotten, otherwise known as data erasure. This piece of the GDPR allows individuals to request that data associated with them be erased if it is no longer relevant, along with other conditions. Due to the blockchain's immutable nature, there exist potential complications if an individual who made transactions on the blockchain requests that their data be deleted. Additionally, another roadblock lies in the fact that once a block is verified on the blockchain, it is immutable, or impossible to delete.
Because cryptocurrency prices fluctuate, many treat the purchase of cryptocurrencies as an investment. By purchasing these coins at particular prices, buyers hope that they can later sell them at a higher price, making a profit. However, the IRS, or Internal Revenue Service, is currently facing struggles due to the fact that many people do not include revenue made from cryptocurrencies in their income reports. In response to these concerns, the IRS issued a notice announcing that people must apply general tax principles to cryptocurrency and treat the purchase of cryptocurrency as an investment or stock. Furthermore, the IRS has established that, if people fail to report their income from cryptocurrency, they could be subject to civil penalties and fines. In attempts to strictly enforce these rules and avoid potential tax fraud, the IRS has called on Coinbase to report users that have sent or received more than $20,000 worth of cryptocurrency in a single year. However, the nature of blockchain technology makes this enforcement rather difficult. Because blockchains are decentralized, no single, all-powerful entity can keep track of the purchases and activity of a user. Additionally, pseudonymous addresses make it difficult to tie identities to users, ultimately making blockchains a perfect outlet for people to launder money.
Because virtual currencies and the blockchain's protection of identity have proven to be a hub for criminal purchases and activity, the FBI and Justice Department created the Blockchain Alliance. This team, which is made up of law enforcement agencies, aims to identify and enforce legal restrictions on the blockchain to combat such activity through open dialogue on a private-public forum. This allows leaders in law enforcement to work together to fight against these illegal exploitations of the technology. Examples of criminal activity on the blockchain include hacking cryptocurrency wallets and stealing funds. However, since user identities are not tied to public addresses, it is extremely hard to locate and identify particular criminals and robbers.
Fair information practices
Importantly, blockchain has been acknowledged as a way to satisfy Fair Information Practices, which are a set of principles relating to privacy practices and concerns for users in modern technology. Specifically, blockchain transactions allow users to control their data through private and public keys, allowing them to own it themselves completely. This way, third-party intermediaries are not able to misuse and obtain data in unsuspecting ways. Additionally, if personal data is stored on the blockchain, owners of such data are able to control when and how a third party can access said data. In blockchains, ledgers automatically include an audit trail. This ensures that transactions are accurate.
Concerns regarding blockchain privacy
Although many push for the adoption of blockchain technology because it allows users to control their own data and get rid of third parties, some believe that certain characteristics of this technology infringe on user privacy. Because blockchains are decentralized and allow any node to access transactions, events and actions of users are completely transparent. Additionally, skeptics worry that malicious users can trace public keys and addresses (which represent senders and receivers, although made up of random numbers and letters) back to specific users. If this were the case, then a user's transaction history would be completely viewable and accessible to anyone, resulting in what some consider to be a lack of privacy.
Another concern lies in the fact that, due to blockchain's decentralized nature, a central authority is not surveilling for malicious users and attacks. This creates a concern that users might be able to hack the system anonymously and escape unscathed. Because public blockchains are not controlled by an all-powerful third party, a false transaction enacted by a hacker that has a user's private key cannot be stopped. Additionally, because blockchain ledgers are shared and immutable, it is not possible to simply undo or reverse a malicious transaction.
As previously stated, private keys essentially provide a way to prove ownership and control of cryptocurrency. If someone simply has access to another user's private key, they are able to access and spend these funds. Because private keys are crucial to accessing and protecting assets on the blockchain, users must store the private key safely. Many have run into problems with this, as storing it on a computer, flash drive, or phone can pose security risks if the device is stolen or hacked. Additionally, if a device that contains a user's private key is misplaced or lost, the user no longer has access to their cryptocurrency. This creates issues of storage, as a key kept in a physical place (such as on a piece of paper under lock) can be stolen, and a key kept online can be hacked or lost.
Cases of privacy failure
In 2014, MtGox, located in Tokyo, Japan, was the world's largest Bitcoin exchange at the time. However, the exchange suffered the largest blockchain hack of all time. During 2014, MtGox held an enormous portion of the Bitcoin market, accounting for more than half of the cryptocurrency at the time. Throughout the month of February, hackers infiltrated the exchange, stealing what amounted to 450 million dollars in Bitcoin. Many in the blockchain community were shocked at the time, as blockchain technology is often associated with security and this was the first major hack to occur in the space. Although analysts were able to track the public address of the robbers by looking at the public record of transactions, the person (or people) who committed the heist were not identified. This is a direct result of the pseudonymity of blockchain transactions.
While blockchain technology is anticipated to solve privacy issues such as data breaching, tampering, and other threats, it is not immune to malicious attacks. In 2016, the DAO opened up a funding window for a particular project. Within this period of time, the system was hacked, resulting in the loss of what was (at the time) 3.6 million from the Ether fund. However, due to the ever-changing price of cryptocurrencies, the amount stolen has been estimated at a whopping 64-100 million dollars.
Coinbase, the world's largest cryptocurrency exchange that allows users to store, buy, and sell cryptocurrency, has faced a multitude of hacks since its founding in 2012. Users have reported that, because its log-in process verifies logins through personal phone numbers and email addresses, hackers have targeted the numbers and emails of well-known individuals and CEOs in the blockchain space. Hackers then used the emails of these individuals to change their verification number, consequently stealing thousands of dollars' worth of cryptocurrency from Coinbase user wallets.