Welcome to Hard Fork Basics, a collection of tips, tricks, guides, and advice to keep you up to date in the cryptocurrency and blockchain world.
This article will explain what you need to know about privacy poisoning. To understand why it’s as scary as it sounds, we’ll need to start with some background.
It starts with GDPR
Unless you’ve had your head under a rock this year, you’ve probably heard about the EU’s General Data Protection Regulations – or GDPR as most call it.
GDPR states that users should have the right to control their data, and that companies that process this data should be held accountable if this is prevented in some way.
However, this creates a paradox as public blockchains are supposed to be immutable. The unchangeable nature of data stored “on chain” and the right to control our own data under GDPR simply appear to be irreconcilable.
In the eyes of the law, it’s perfectly fine for a blockchain to store encrypted personally identifiable data, so long as the owner can control, amend, and delete it as they see fit. Sadly, as most public blockchains rely on a decentralized and immutable history of records most of them won’t be compliant with GDPR and they risk being “privacy poisoned.”
So, what is it?
Privacy poisoning sounds kind of scary, and it is, but the concept is simple.
Privacy poisoning is when personal data is added to a public blockchain that makes the blockchain in question contravene privacy laws, such as GDPR.
If personal information on a blockchain cannot be altered, is no longer needed, or is no longer accurate, then that blockchain is breaking the law. If the blockchain in question reveals the identity of individuals, it is also breaking the law.
The most obvious problem is that permissionless blockchains – like Bitcoin’s or Ethereum’s – are immutable. One of the key regulations of GDPR is the right to be forgotten; the right to have your data deleted. You can see how that could lead to a problem for a blockchain.
If someone were to add personal data – such as addresses, names, dates of birth, credit card numbers, and so on – to an open, immutable permissionless blockchain it could be considered “privacy poisoned.”
That said, the distinction should be made between permissioned (private) and permissionless blockchains. Recent research from academics in the UK has found that private blockchains would be compliant with GDPR as they offer much greater control and privatization of the data they store.
Who should be held accountable?
But how can a decentralized system be held accountable? Who should be sanctioned if a blockchain is privacy poisoned? Well, that’s a very difficult question to answer, and that’s the really scary part.
It seems that the EU didn’t fully account for how blockchains work when drawing up its GDPR. There’s a distinct lack of clarity over how GDPR should apply to blockchain, and that opens the system to potential abuse.
If we consider blockchains as data processors or controllers, it is their responsibility to be compliant, but no one owns public blockchains. As the name suggests they are, for the most part, run by the public. They are also not companies made up of people that can be held accountable, but a series of nodes spread across the entire globe.
If governments and regulators do find a way to hold blockchains accountable, they could use the very characteristics that make a blockchain what it is, against them. That said, regulators will have a very hard time deciding who to fine when a blockchain has been “privacy poisoned.”
So far, there haven’t been any documented cases of blockchains being privacy poisoned, but that doesn’t mean it hasn’t happened.
Whatever action European governments and regulators take against a blockchain that contravenes GDPR laws will undoubtedly set a precedent. That is assuming governments can find someone or something to take action against.
Published November 12, 2018 — 16:21 UTC