Blockchains and the evolution of regulations

Riccardo Biosas, BrikkApp
Nov 1, 2019

As a technology that aims to reshape the structure of financial interactions across many legacy industries, blockchain is naturally poised to both impact and be impacted by existing regulatory frameworks.

Unlike earlier technological innovations, however, its relationship with regulation is more nuanced. Blockchain technology is at odds with some specific regulatory regimes, yet at the same time it is a potential tool for regulators and the companies they supervise to track the compliance process in a distributed, tamper-evident ledger of records. The so-called reg-tech (regulatory technology) market has been growing steadily in recent years, as the gap widens between the increasing complexity of transnational regulation, the fines attached to it and the inefficiency of current compliance tooling. Regulatory compliance is a large financial burden for most companies, and cutting corners on it exposes them to fines from regulators. Blockchains can not only provide immutable, auditable records, but also support a more decentralised corporate governance process that makes it harder for those in the corporate upper echelons to commit fraud undetected.

In this article we review the current blockchain landscape, its place within the existing legislative system, and the legal challenges the blockchain ecosystem will have to overcome.

In order to be adopted in institutional settings, blockchains face the dilemma of having to comply with two apparently contradictory sets of regulations.

The regulatory paradox

On the one hand, KYC (know your customer) and AML (anti-money laundering) rules require regulated entities, such as financial institutions, to establish their customers' identities, which entails collecting and retaining large amounts of personal data for identification purposes. On the other hand, more recent regulatory frameworks such as GDPR require the same systems to make personal data available to the data subject on request (Article 15) and, more importantly, to rectify it (Article 16) and erase it (Article 17) when the data subject demands it.

The last requirement falls under Article 17 of GDPR and is commonly referred to as the "right to be forgotten". The right is not absolute: Article 17(3) carves out exceptions, including data that must be retained to comply with a legal obligation, which is the usual basis for keeping KYC records for the statutory retention period. Where it does apply, though, complying with it is proving especially tricky for blockchains, whose reputation and one of whose main strengths lie in tamper-resistant immutability, whereas a traditional CRUD database can simply delete the row. However, simply pulling the plug on blockchain adoption and switching back to NoSQL and relational databases would betray the principles that were meant to inspire GDPR. In the era of big tech, where data is often branded "the new oil", users' personal information sits at the epicenter of both tech corporations' predatory data-mining practices and the cyber-criminals who are after that same data. Especially in the last decade, cyber-crime organizations have become increasingly sophisticated, and data theft and data breaches have grown more frequent. Some readers will remember the many attacks waged against healthcare and financial systems in recent years, which exposed vast amounts of personal data to malicious third parties, from the 2017 ransomware outbreak that disrupted the UK NHS to the Equifax breach, in which the personal data of more than one hundred million people held by one of the largest consumer credit reporting agencies was compromised.

GDPR and the rise of privacy-aware blockchain solutions

GDPR is the European response, intended to restore data sovereignty and safeguard users' privacy. Some legal experts have suggested that GDPR might be fundamentally incompatible with most blockchain-related innovation, and with AI and big-data technologies as well. Nevertheless, the ethos behind privacy-aware regulation is sound: there is currently a technological and legislative gap in data protection, and GDPR is an effort in the right direction. From a technical perspective, blockchain can itself be regarded as a data-protection tool, but it still needs improvement on the privacy side, and GDPR has helped highlight some of its current design flaws. In light of this, going back to CRUD databases would expose end users to the same attack surface that has led to the numerous catastrophic breaches of recent years, in which a server-side compromise of the database is usually the vector.

We mentioned the Equifax breach and the attack on the UK NHS above as case studies. A growing number of governments and private entities are exploring blockchain-based solutions to make their financial sectors more resilient to data breaches. Some of these solutions combine a blockchain, off-chain layers and cryptographic techniques such as secure multiparty computation, both to overcome the current scalability shortcomings of blockchain systems and to still make meaningful use of personal data without violating the privacy of its users.

In Estonia, a blockchain-based system has been deployed in the healthcare sector to keep time-stamped, tamper-evident records of patients' data, and further solutions are being explored in the digital identity sector.

Deploying a blockchain solution for the management of healthcare and financial records can improve data availability and resilience against a broad attack surface, from ransomware to DDoS attacks. Since each data provider becomes a node on the network and the ledger is replicated across nodes, a network or hardware failure at one node does not entail data loss or even downtime, thanks to the fault tolerance of a decentralized architecture. For the same reason, a DDoS attack against a single node would not affect the overall availability and integrity of the data. Two caveats apply: an attack that targets enough nodes at once is still effective, and replication does nothing for confidentiality, since a compromised node can read whatever it holds. And as second-layer solutions mature, managing the data on a node could be reduced to securing the cryptographic material needed to access the actual patient records on the network, without forcing users to give up control of their data or over-disclose personal information to third parties.

Blockchains: a leap forward in security and a step back in privacy?

The regulatory and privacy conundrum has made the divide between public and private blockchains even wider. Currently, private and consortium blockchains are ahead of the game, as they’ve been designed to be as institutionally-friendly and regulatory-compliant as possible at the expense of a fully decentralized approach.

In particular, the Hyperledger projects, and Hyperledger Fabric specifically, have been making relevant progress on GDPR compliance and privacy. Fabric's architecture implements granular control of data accessibility both at the chaincode level and at the network level (through channels). In fact, until recently, the only way to enforce confidentiality was to create a new channel in which only the authorized transacting parties would have access to some specific data. As a network grows, however, the overhead associated with creating a new channel (managing new policies, reconfiguring the membership service providers and possibly the chaincodes) makes such an approach rather inefficient. As a solution to this problem, private data collections were introduced.

Private data collections in Hyperledger Fabric

A private data collection is a set of data whose hash is recorded on the channel ledger, while the data itself is stored in a private state database (SideDB) on the peers of the authorized organizations only, where it is distributed through Fabric's peer-to-peer gossip protocol rather than through the ordering service. The hash on the channel ledger is visible to every peer on the channel and serves as evidence of the transaction; it is what endorsement, ordering and validation operate on. This approach lets you distinguish granularly between sensitive data and data that can be shared channel-wide, without giving up a peer-to-peer and partially decentralized architecture or overly increasing the network overhead. Two practical caveats: a collection's blockToLive setting lets peers purge the private values after a given number of blocks (the hashes stay on the ledger), which is the mechanism to reach for when retention must end; and because the hash is committed permanently, a hash of a predictable value such as a date of birth or a postcode can be recovered by enumeration, so the Fabric documentation recommends adding a random salt to private values before they are hashed.
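As an added illustration (not Fabric's code and not BrikkApp's): a small Python model of the private data collection flow described above. The collection definition uses the field names of Fabric's collections_config.json, but the collection name, the MSP IDs and the investor record are constructed for this example, and the policy parser, the one-transaction-per-block height and the purge rule are deliberate simplifications of what Fabric does. The point it demonstrates is the caveat in the paragraph above: a non-member peer holds only the hash, yet an unsalted hash of a date of birth is recovered by enumeration in milliseconds, while the salted hash is not, and purging after blockToLive removes the value but never the hash.

```python
import hashlib
import json
import secrets

# Collection definition in the format of Fabric's collections_config.json.
# The collection name and MSP IDs are constructed for this example.
COLLECTION_CONFIG = json.loads("""
[{
  "name": "investorKycPrivate",
  "policy": "OR('Org1MSP.member', 'Org2MSP.member')",
  "requiredPeerCount": 1,
  "maxPeerCount": 2,
  "blockToLive": 100,
  "memberOnlyRead": true,
  "memberOnlyWrite": true
}]
""")[0]

ALL_ORGS = ("Org1MSP", "Org2MSP", "Org3MSP")   # Org3 is on the channel but not in the collection


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def members_of(policy: str) -> set:
    """Toy parser for an OR(...) member policy. Real Fabric evaluates full signature policies."""
    return {token.split(".")[0].strip(" '") for token in policy[len("OR("):-1].split(",")}


class ToyChannel:
    """Simplified model: every peer keeps the hash; only collection members keep the value."""

    def __init__(self, collection):
        self.collection = collection
        self.members = members_of(collection["policy"])
        self.ledger = {}                                   # key -> sha256 of value, on every peer
        self.side_db = {org: {} for org in ALL_ORGS}       # org -> key -> (value, block height)
        self.height = 0

    def put_private_data(self, key: str, value: bytes):
        self.height += 1                                    # one transaction per block, for simplicity
        self.ledger[key] = sha256_hex(value)                # goes through ordering, committed everywhere
        for org in self.members:                            # value is gossiped only to authorised peers
            self.side_db[org][key] = (value, self.height)

    def get_private_data(self, org: str, key: str):
        entry = self.side_db[org].get(key)
        return entry[0] if entry else None                  # non-members (and purged keys) see nothing

    def advance_blocks(self, n: int):
        """Purge private values older than blockToLive blocks; ledger hashes are never removed."""
        self.height += n
        for org in self.members:
            for key, (_, written) in list(self.side_db[org].items()):
                if self.height - written > self.collection["blockToLive"]:
                    del self.side_db[org][key]


def dob_candidates():
    """Every plausible date of birth: about 44k strings, a few milliseconds of hashing."""
    for y in range(1900, 2020):
        for m in range(1, 13):
            for d in range(1, 32):
                yield f"{y}-{m:02d}-{d:02d}".encode()


def dictionary_attack(target_hash: str):
    """Recover a value from its on-ledger hash by enumerating the candidate space."""
    return next((c for c in dob_candidates() if sha256_hex(c) == target_hash), None)


def demo():
    ch = ToyChannel(COLLECTION_CONFIG)
    dob = b"1984-03-07"                                     # constructed sample record
    ch.put_private_data("investor42/dob", dob)
    org1_value = ch.get_private_data("Org1MSP", "investor42/dob")
    org3_value = ch.get_private_data("Org3MSP", "investor42/dob")

    # Naive: the hash on the channel ledger is enough for Org3 to recover the value.
    recovered = dictionary_attack(ch.ledger["investor42/dob"])

    # Salted: hash a random 16-byte salt plus the value; the salt travels with the private value.
    salt = secrets.token_bytes(16)
    ch.put_private_data("investor42/dob_salted", salt + dob)
    recovered_salted = dictionary_attack(ch.ledger["investor42/dob_salted"])

    ch.advance_blocks(COLLECTION_CONFIG["blockToLive"] + 1)  # past blockToLive: values are purged
    return {
        "org1_value": org1_value,
        "org3_value": org3_value,
        "recovered": recovered,
        "recovered_salted": recovered_salted,
        "org1_value_after_purge": ch.get_private_data("Org1MSP", "investor42/dob"),
        "hash_still_on_ledger": "investor42/dob" in ch.ledger,
    }
```

The salted variant protects the value, but the hash of the salted value is still on the ledger forever; whether that residual hash counts as personal data is exactly the open question discussed in the public-blockchain section below.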

Public blockchains and regulatory compliance

As for public blockchains, it's reasonable to assume that most projects in their current state are not GDPR-compliant. However, the extent of the non-compliance is still unclear, as there are many grey areas that will need to be clarified by case law.

One of the most contentious points is whether hashed data still qualifies as personal data under GDPR. Blockchains rely on asymmetric (public-key) cryptography: a user holds a private key that signs transactions, and anyone can verify those signatures with the corresponding public key, which is shared freely. On blockchains such as Bitcoin and Ethereum, a user's address, their identity on the ledger, is derived from a hash of their public key. Networks that follow this approach are called pseudonymous: their transaction history is fully transparent, every party is linked to a public key, and that key can eventually be tied to a real person, for example through the IP address from which transactions are broadcast or through the KYC records of an exchange the address has transacted with.

According to GDPR, data that can make a person identifiable through means that are reasonably likely to be used still counts as personal data. As blockchain analytics tools become more efficient and widely used, this could eventually expose many blockchain platforms to legal liability.

At the other end of the spectrum are public blockchains that follow a privacy-by-design approach. Monero, for instance, uses ring signatures: each transaction input is signed on behalf of a set of possible outputs (the real one plus decoys drawn from the chain), so a verifier can check that one member of the set authorized the spend but cannot tell which one, and a transaction cannot be traced back to a specific public key. This approach is likely to be GDPR-compliant insofar as public keys no longer make a subject identifiable on the network, but it makes meeting KYC and AML requirements extremely challenging.

So are public blockchains bound to fall short of overcoming the regulatory paradox?

Zero-knowledge proofs

Zero-knowledge proofs have attracted growing interest because they promise to enhance on-chain privacy in a regulatory-compliant fashion. A zero-knowledge proof is an advanced, and still mostly experimental, cryptographic technique whereby one party (the prover) convinces another (the verifier) that a statement is true without revealing anything beyond the fact that it is true. They could be used to prove mathematically that a party satisfies the requirements mandated by KYC and AML regulations (for example, that their age or residency meets a threshold) without disclosing any personal data that would expose the transaction to GDPR liabilities.

A working implementation of a zero-knowledge proof-based architecture is running in production on the Zcash blockchain, whose shielded transactions use zk-SNARKs. As more proofs of concept of this cryptographic technique move from academia to real-world use cases, we can expect wider adoption across the public blockchain ecosystem.
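As an added example (not Monero's or Zcash's code, and not code from this article): a Python sketch over secp256k1 of the two primitives discussed in this section and in the Monero paragraph above. The first is a Schnorr proof of knowledge of a private key, the simplest zero-knowledge proof, made non-interactive with the Fiat-Shamir transform; it is far simpler than the zk-SNARK circuits Zcash uses, but it shows what a verifier checks and what it never learns. The second is an AOS-style ring signature of the kind Monero's ring scheme is built on: a signature that verifies for a whole set of public keys without revealing which member produced it. The curve arithmetic is written out in plain Python and is not constant-time; the key pairs and messages are constructed for the example.

```python
import hashlib
import secrets

# secp256k1 parameters, the curve Bitcoin and Ethereum use for transaction signatures.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine point addition; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant-time: demo only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def _enc(point):
    if point is None:                          # infinity; never reached with honest inputs
        return b"\x00" * 64
    return point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")


def hash_to_scalar(*parts):
    """Fiat-Shamir challenge: SHA-256 over message bytes and encoded points, reduced mod N."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part if isinstance(part, bytes) else _enc(part))
    return int.from_bytes(h.digest(), "big") % N


def keygen():
    priv = secrets.randbelow(N - 1) + 1
    return priv, ec_mul(priv, G)


# --- Schnorr proof of knowledge of the private key behind `pub` ---
def schnorr_prove(priv, pub, statement):
    k = secrets.randbelow(N - 1) + 1           # fresh nonce; reusing it would leak priv
    R = ec_mul(k, G)
    c = hash_to_scalar(statement, pub, R)
    return R, (k + c * priv) % N


def schnorr_verify(pub, statement, proof):
    R, s = proof
    c = hash_to_scalar(statement, pub, R)
    # s*G == R + c*pub holds iff the prover knew priv; (R, s) reveal nothing else about it.
    return ec_mul(s, G) == ec_add(R, ec_mul(c, pub))


# --- AOS ring signature: signed by one unidentified member of `ring` ---
def ring_sign(message, ring, priv, j):
    """`j` is the index of the real key; the other ring members are decoys."""
    n = len(ring)
    c = [0] * n
    s = [secrets.randbelow(N) for _ in range(n)]
    alpha = secrets.randbelow(N - 1) + 1
    c[(j + 1) % n] = hash_to_scalar(message, ec_mul(alpha, G))
    for step in range(1, n):                   # walk the ring from j+1 back round to j
        i = (j + step) % n
        L = ec_add(ec_mul(s[i], G), ec_mul(c[i], ring[i]))
        c[(i + 1) % n] = hash_to_scalar(message, L)
    s[j] = (alpha - c[j] * priv) % N           # only the real key can close the ring
    return c[0], s


def ring_verify(message, ring, signature):
    c0, s = signature
    c = c0
    for i in range(len(ring)):
        L = ec_add(ec_mul(s[i], G), ec_mul(c, ring[i]))
        c = hash_to_scalar(message, L)
    return c == c0                             # the ring closes, but not at an identifiable index
```

The ring verifier walks every member identically, so nothing in the signature singles out index j; Monero adds a key image per spent output so that the same output cannot be spent twice while the signer stays hidden. Note also that what a KYC use case needs is a proof about an attribute (an age threshold, membership in a verified set), which calls for a range or membership proof or a SNARK circuit; the Schnorr proof only shows the shape those proofs share: commit, challenge, respond, verify.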

In this article we placed the emphasis on the regulatory frameworks concerning data protection in the digital world. As BrikkApp is building a Hyperledger-powered real estate investment marketplace, the next chapter of the "Blockchain and Regulations" series will focus on the specific regulatory challenges at the intersection of blockchain, the real estate market and online investments, and on how we're addressing them. Lastly, we'll delve into how regulations are evolving to keep up with the innovative fundraising, asset tokenization and crowdfunding enabled by blockchain technology. We're also starting another article series on consensus protocols in the blockchain ecosystem, so follow the BrikkApp Medium account to stay up to date!

Principal Security Engineer @Procore | Founder @AgorApp | prev. Protocol Engineer@LivepeerOrg & Fullstack/Lead Smart Contract Dev @Opium_Network