iXledger Platform: Data Privacy
We address several aspects of data privacy and update you on our weekly activities…
Written by our dev team.
We have been working on providing data privacy, but the privacy issue is multi-fold. Let’s walk you through some cases.
Firstly, as the data on the blockchain is publicly viewable, sensitive information needs to be encrypted. For instance, an insurer’s quote should only be viewable by the intended customer.
Secondly, permission for access needs to be flexible. For instance, certain insurance quotes may require the customer to upload an evidence file, which is viewable by multiple permitted insurers.
Thirdly, things become more complicated when the General Data Protection Regulation (GDPR) is taken into consideration. GDPR allows a customer to ask for their personal data to be removed. This contradicts the blockchain’s immutable nature.
Note that data privacy also refers to another issue: transaction anonymity. For example, Zcash allows users to conceal transaction details (e.g. amount and involved parties). This is based on zero-knowledge proofs, which have been added to the Ethereum Metropolis upgrade. In our case, it is certain fields in the contracts, rather than the transaction details, that need to be concealed; in addition to being kept secret, these fields also need to be shared in a secure way.
Among the above-mentioned issues, GDPR compliance is the most interesting challenge. For data removal, for instance, there are many interesting suggestions. The so-called “redactable blockchain”, proposed by Accenture, is very curious, yet highly controversial by its nature. Read here.
Click here to read the academic research and experiments on this idea. However, we don’t think it’s a correct solution for the data privacy issue.
Another proposal is from the European Commission Joint Research Centre. This suggests storing data access permissions on chain, and actual data off-chain. Our idea is very close to this approach.
Our solution can be divided into two logical layers.
Data encryption and permissions are handled by the control layer; the GDPR compliance issue is handled by the storage layer. GDPR in-scope data (i.e. data the user can ask to have deleted) is stored off-chain on a decentralised file system. Its access permissions, however, are still on-chain (similar to the above-mentioned IEEE paper’s proposal). Other, GDPR-out-of-scope data will still be on the blockchain.
Before passing data to the storage layer, the control layer makes sure private data is encrypted. The encryption process is similar to the TLS protocol. To encrypt a piece of data, a random symmetric key is generated. The data is then encrypted with this random key (using AES-256). Each permitted party has an asymmetric key pair (e.g. RSA). Before the symmetric key is distributed to a party, it is encrypted with that party’s public key. Thus, the symmetric key can only be decrypted with the corresponding private key. No private information is exchanged in this process. Also, as the symmetric keys are randomly generated, having access to one piece of data does not automatically grant access to the others.
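The scheme described above, written out as an added example (not iXledger's code): each item gets its own random AES-256 key, and that key is wrapped separately for every permitted party. The GCM mode, RSA-OAEP padding, 2048-bit key size and the party names are assumptions, since the post only specifies AES-256 and an asymmetric key pair such as RSA.

```javascript
// Added example (not iXledger code): per-item symmetric key, wrapped per permitted party.
// Assumptions not on the page: AES-256-GCM, RSA-OAEP with SHA-256, 2048-bit RSA keys.
const nodeCrypto = require("node:crypto");
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Encrypt the data once with a fresh random key, then wrap that key for each party.
function encryptFor(plaintext, recipients) {
  const key = nodeCrypto.randomBytes(32); // random AES-256 key, unique per item
  const iv = nodeCrypto.randomBytes(12);  // 96-bit GCM nonce
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const wrappedKeys = {};
  for (const [party, publicKey] of Object.entries(recipients)) {
    wrappedKeys[party] = nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, key);
  }
  return { iv, ciphertext, tag: cipher.getAuthTag(), wrappedKeys };
}

// Unwrap the symmetric key with the party's private key, then decrypt and authenticate.
function decryptAs(envelope, party, privateKey) {
  const wrapped = envelope.wrappedKeys[party];
  if (!wrapped) throw new Error(`no key share for ${party}`);
  const key = nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, wrapped);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, envelope.iv);
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
}

// Constructed demo: hypothetical parties and sample plaintexts.
function demo() {
  const mk = () => nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const customer = mk(), insurerA = mk(), insurerB = mk();
  const quote = encryptFor(Buffer.from("quote: 1200 GBP"), { customer: customer.publicKey });
  const evidence = encryptFor(Buffer.from("evidence file bytes"),
    { customer: customer.publicKey, insurerA: insurerA.publicKey });
  const tryRead = (env, party, kp) => {
    try { return decryptAs(env, party, kp.privateKey).toString(); } catch { return null; }
  };
  // insurerB copies insurerA's key share but only holds its own private key.
  const moved = { ...evidence, wrappedKeys: { insurerB: evidence.wrappedKeys.insurerA } };
  return {
    customerQuote: tryRead(quote, "customer", customer),
    insurerAEvidence: tryRead(evidence, "insurerA", insurerA),
    insurerAQuote: tryRead(quote, "insurerA", insurerA),       // no share: null
    insurerBEvidence: tryRead(evidence, "insurerB", insurerB), // no share: null
    copiedShare: tryRead(moved, "insurerB", insurerB),         // unwrap fails: null
  };
}
console.log(demo());
```

Granting another party access later means wrapping the same symmetric key with that party's public key; the ciphertext itself is not re-encrypted.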
We are pleased to be proceeding as planned; we have completed the following functionalities set in Sprint 6.
- Submissions & Request For Information (RFI) — RFI is a formal way of requesting and returning additional information.
- Submissions: Messaging and RFI — Exchange of instant messages between market participants.
- Submissions — When insurers receive submissions, they can provide quotes against them.
Sprint 7 (4 December, 2017)
The dev team will be working to implement the following functionalities on the iXledger platform:
- Submissions Contract template
- Digital signing
- Market Reform Contract (MRC) — Both brokers and insurers can associate documents with submissions.
Click here to view our remaining sprints and general FAQs.
On Tuesday 28 November 2017, we attended the following two events:
- Decentralised vs Centralised Blockchain in insurance event, organised by Martin J, and the Founder of Distlytics, Gary Nuttall. In an event with 30+ attendees, Co-founder of Etherisc, Stephan Karpischek, and Gary Nuttall were the two speakers. One topic was decentralisation of insurance (which serves Etherisc’s concept). Gary Nuttall also shared his thoughts about blockchain and the applicable usage areas in insurance. Click here to read the event overview.
- TXF Private Insurance 2017, a conference based on Political Risk & Trade Credit Insurance. Ingemar Svensson, CEO, was part of the InsurTech and Innovation panel alongside Christophe Spoerry, Co-founder of Euler Hermes Digital Agency.
What are your thoughts on data privacy and GDPR?