Provenance Does NOT Equal Blockchain, or Audit Trail, or Authentication
A Brief Note on Misconceptions
Provenance, simply put, captures the origin and life journey — including the ownership history — of a physical or digital asset, be it a diamond, a medical implant, a commodity, user data, or anything of value.
Although the term provenance is often associated with the art world, recording and sharing provenance data can provide significant value across sectors and industries. In some cases — e.g. supply chains — entire business models depend on it.
In recent conversations, I’ve found that many people have the misconception that using a blockchain automatically means that they are in possession of a provenance capability. However, that is far from the truth. People also confuse the term provenance with audit trail and authentication.
No, no, no!
Blockchain, a Safe Home for Provenance
When you acquire an Internet domain, you essentially purchase the name or home for your site, but you still need to build the website itself, right?
In a similar vein, you can set up a distributed ledger network, but does that mean that you have a provenance solution in your hands? Absolutely not.
A blockchain or distributed ledger — whether permissioned or permissionless — is a safe home that makes provenance information transparent and trustworthy. However, you need capabilities to capture and record, as well as query (the right) provenance data.
When it comes to provenance, you need to be able to:
- Define assets. The W3C’s provenance ontology (PROV-O) standard refers to an asset as an entity — physical, digital, conceptual, or other kind of thing — that has some fixed aspects.
- Describe the individuals and organizations (aka the agents in PROV-O speak) interacting with, or bearing some form of responsibility over the existence of those assets or entities.
- Capture the processes or activities that generate or use those assets.
In other words, you want to have the whole picture, and trust that it’s true. Who created what and why, who updated what and why, when and where changes were made, and what influenced those changes, provide altogether a critical foundation for assessing authenticity, trustworthiness, and traceability — simply put, integrity — of an asset.
In short, provenance is not intrinsic to blockchains or distributed ledgers, however, it can be implemented using them. A blockchain or distributed ledger records provenance information immutably. The immutable and decentralized nature of distributed ledger technology (incl. blockchain) enhances and strengthens provenance by making it more concrete and trustworthy.
Provenance vs. Audit Trail
Although provenance and audit trail are both critical concepts when it comes to data integrity and reliability, they are not the same thing.
While a blockchain or distributed ledger can be used as an audit trail, provenance sits above a blockchain or distributed ledger.
An audit trail mostly focuses on activities, and primarily benefits an IT, privacy, or security office, as it helps with regulations and compliance. Provenance provides value to all parties in a network, including the creators and owners of an asset, and anyone involved in using, influencing, and moving that asset.
According to NIST, an audit trail is “A chronological record that reconstructs and examines the sequence of activities surrounding or leading to a specific operation, procedure, or event in a security-relevant transaction from inception to result”.
NIST defines provenance as “The chronology of the origin, development, ownership, location, and changes to a system or system component and associated data. It may also include the personnel and processes used to interact with or make modifications to the system, component, or associated data”.
However, I actually prefer the W3C Provenance Working Group’s definition, which concisely and eloquently describes provenance as “Information about entities, activities and people involved in producing a piece of data or thing, which can be used to form assessments about its quality, reliability or trustworthiness”.
Provenance vs. Authentication
Provenance is not authentication either. Provenance is fundamental to establishing the authenticity of an asset. It can be used as input to the process of authentication. An asset or object that is authenticated by a certain party is in itself a provenance activity that must be recorded.
A provenance activity — as defined by PROV-O — is something that occurs over a period of time and acts upon or with assets (entities in PROV-O speak). This may include consuming, processing, transforming, modifying, relocating, using, or generating assets. Simply put, a provenance activity is any process that generates or uses an asset.
Provenance ≠ Blockchain/Distributed Ledger
Provenance ≠ Audit Trail
Provenance ≠ Authentication