Blockchain Versus the GDPR
The EU’s General Data Protection Regulation (GDPR) takes effect on May 25, 2018. It will require all businesses that process EU citizens’ personal data to take many measures to protect those citizens’ privacy. The GDPR also provides EU citizens with a right to erasure (also known as the “right to be forgotten”): the right to require that businesses holding their data irrevocably erase it upon request. This right is not absolute and has many exceptions (archiving in the public interest, public health purposes, etc.). But this may end up putting the GDPR on a collision course with blockchain technologies in unexpected ways.
Once data is written to a blockchain, it can be essentially impossible to erase it. This is actually considered a desirable feature of blockchains, but it also may make it impractical—perhaps even impossible—to delete personal data of an EU citizen from a blockchain. And this property of a blockchain is something that simply cannot be altered by legislation.
In the case of the blockchain that the Bitcoin cryptocurrency uses, for example, adding a block to the chain requires performing a significant volume of cryptographic computations. Once a result is accepted as being part of the Bitcoin blockchain, replacing it requires a prohibitive amount of computing power.
Deleting or editing a block that is N blocks back from the end of the Bitcoin blockchain requires an industrious Bitcoin miner to do more work than it took to add all N of those blocks to the blockchain, and this work must be completed before a miner adds the next block. Even for blocks that are close to the end of the chain, this is extremely difficult; for blocks that have been on the blockchain for a significant length of time, it is essentially impossible.
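The following sketch is an added example, not part of the original article. It models the property described above with a deliberately simplified chain: one SHA-256 hash per block, a tiny difficulty target, no network and no race against other miners. The function names, the 12-bit difficulty and the sample records are assumptions chosen for illustration.

```python
import hashlib

GENESIS = "0" * 64
DIFFICULTY_BITS = 12  # assumption: tiny target so the demo runs quickly
# Constructed sample records (pseudonymous key labels, not real transactions)
SAMPLE_RECORDS = [f"key_{a} pays key_{b} {n}" for a, b, n in
                  [("A", "B", 5), ("B", "C", 2), ("C", "D", 1),
                   ("D", "A", 3), ("A", "C", 4), ("B", "D", 6)]]

def block_hash(prev_hash, data, nonce):
    return hashlib.sha256(f"{prev_hash}|{data}|{nonce}".encode()).hexdigest()

def meets_target(h):
    return int(h, 16) >> (256 - DIFFICULTY_BITS) == 0

def mine(prev_hash, data):
    """Search nonces until the hash meets the target; return (block, attempts)."""
    nonce = 0
    while True:
        h = block_hash(prev_hash, data, nonce)
        if meets_target(h):
            return {"prev": prev_hash, "data": data, "nonce": nonce, "hash": h}, nonce + 1
        nonce += 1

def build_chain(records):
    chain, prev, work = [], GENESIS, 0
    for record in records:
        block, attempts = mine(prev, record)
        chain.append(block)
        prev, work = block["hash"], work + attempts
    return chain, work

def first_invalid(chain):
    """Return the index of the first block that fails verification, or None."""
    prev = GENESIS
    for i, b in enumerate(chain):
        h = block_hash(b["prev"], b["data"], b["nonce"])
        if b["prev"] != prev or h != b["hash"] or not meets_target(h):
            return i
        prev = b["hash"]
    return None

def redact(chain, index, replacement):
    """Replace block `index`, then re-mine it and every later block."""
    new_chain, work = [dict(b) for b in chain[:index]], 0
    prev = new_chain[-1]["hash"] if new_chain else GENESIS
    for i in range(index, len(chain)):
        data = replacement if i == index else chain[i]["data"]
        block, attempts = mine(prev, data)
        new_chain.append(block)
        prev, work = block["hash"], work + attempts
    return new_chain, work
```

Editing a record in place makes verification fail at that block, and `redact` only produces a valid chain by redoing the proof-of-work for the edited block and every block after it, which is the cost the paragraph above describes.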
But the information on the Bitcoin blockchain is just information about transfers of Bitcoins from one user to another user, and these users are essentially just identified by a particular public key. Can information that anonymous really be a threat to someone’s privacy?
It turns out to be very hard to make data of any kind truly anonymous. Instead, the best that we can do is make it pseudonymous. If we know nothing at all about a person’s identity, he or she has perfect anonymity but absolutely no accountability. If we know everything about a person’s identity, then we have perfect accountability but absolutely no anonymity. Pseudonymity is the range of possibilities between these two cases (including both of the extremes), so it may be useful to think of it as implementing a trade-off between anonymity and accountability. Most personal information falls between the two extremes, even if the data is strongly protected.
For example, the very fact that a person is a citizen of France reveals some information about him because only about nine percent of EU citizens are French. Or the fact that a person has an account at a particular bank reveals some information about him: of the roughly 750 million EU citizens, only a small fraction probably have an account at any particular bank.
Perfect anonymity is very uncommon, perhaps even impossible. Most cases of what we think of as anonymity are more appropriately considered to be a form of pseudonymity, and many forms of anonymization of personal information are more appropriately considered to be forms of pseudonymization.
Research suggests even anonymized data is enough to uniquely identify many people. A good example of this can be found in “Unique in the Shopping Mall: On the Reidentifiability of Credit Card Metadata.” This paper describes how researchers looked at three months of credit card records for 1.1 million people and found that they could uniquely identify 90 percent of individuals from just the date and location of only four of their credit-card transactions. Women and more affluent customers were even easier to identify because their purchases had even more structure than average.
Even anonymous credit card transactions are enough to uniquely identify many people, so it is not hard to believe that anonymous Bitcoin transactions are also enough to uniquely identify many people. And because of this, it is not hard to imagine a situation in which EU regulators decide that the Bitcoin blockchain is a violation of the GDPR. But it is also hard to imagine that they will be able to do anything about it.
This article originally appeared in the August 2017 issue of ISSA Journal.
About the Author
Luther Martin, HPE Distinguished Technologist, is a frequent contributor to articles and blogs. Recent articles include “Relax! Good encryption practices won’t affect app performance” in TechBeacon Magazine, “The Security of Cryptography and the Wisdom of Crowds” in the ISSA Journal, and “Bring Your Own Things” in Connect Converge Magazine.