Blockchain and privacy

Maybe you have noticed it: privacy is an issue. That is a bit strange, since there are only 6 days left until the new EU General Data Protection Regulation (GDPR) becomes fully enforceable throughout the European Union.

So before the end of May 2018, all organizations that process data of EU citizens must comply with this General Data Protection Regulation. Determining how to design and improve your systems to meet the GDPR is not straightforward. Since real objective information on digital trends is always hard to find, a common perception is that blockchain technology is an easy solution for solving privacy challenges.

So does blockchain technology give you a privacy-by-design head start?

Short answer: NO! With a clear WARNING, since blockchain technology by default does not fulfil privacy-by-default principles.

So now the long answer. A blockchain can be regarded as a distributed ledger, shared by untrusted participants, with strong guarantees about accuracy and consistency. A blockchain has ledger entries that are complex, since complicated encryption technology is used. But the concept is simple: the ledger is a set of ordered entries to which new entries can be added, but old entries cannot be deleted or modified.

Blockchains are decentralised by design. There’s no central administration that decides who has access, and what rules must be followed. There is no single point of control, and no single point of failure. All participants in the blockchain can have a copy of the entire ledger. These copies are updated when blocks are added.

By default a blockchain doesn’t have a concept of a user, so by default there is no concept of user privacy concerned with personal data. On top of a blockchain technology, blockchain-enabled applications can be created, e.g. digital currencies such as Bitcoin, Ethereum coins or Monero.

The privacy ambiguity for blockchain is mainly caused by the way coins like Bitcoin have implemented, and deal (or do not deal) with, the concept of a ‘user’.

In order to use coins it seems logical that you know which coins are yours, but that your friends cannot see your coins. The same goes for transactions: you do not want the whole world to see your digital currency transactions. For Bitcoin, a (generated) “user address” is public, but it does not identify a user by default. But since a lot of technology can be used to track users, e.g. IP addresses, do not make the mistake of thinking that your Bitcoin transactions are private by default for eternity. So the main privacy problems for blockchain-enabled technologies have to be solved by application developers, that is, the people who develop Bitcoin applications, wallets, etc.

Encryption, hashing and tokenisation technologies are all used within blockchain-enabled software. But these techniques do not provide anonymisation, only pseudonymisation. Encrypted data can often still be traced back to a person if sufficient effort is invested by experts or by persons who hold the decryption key. Also be aware of hashing: under the GDPR, hashing is considered a technique for pseudonymisation, not anonymisation. So hashing a name or number does not render it anonymous.
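The point about hashing above, worked through as an added example that is not part of the original post: hashed identifiers stay linkable, a small input space can be re-hashed until a match is found, and a keyed hash only moves the ability to re-identify to whoever holds the key. The 6-digit customer number format, the sample ledger entries and the key are all constructed assumptions.

```python
import hashlib
import hmac

def sha256_token(value: str) -> str:
    """Unkeyed hash, as often used to 'anonymise' a field before it is stored."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def hmac_token(value: str, key: bytes) -> str:
    """Keyed hash: cannot be recomputed without the key, but the key holder can."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()

def customer_numbers():
    """Assumed identifier format: 6 digits, so only 1,000,000 possible values."""
    return (f"{n:06d}" for n in range(1_000_000))

def reidentify(token, candidates, tokenise):
    """Return the candidate whose token matches, or None if none does."""
    for candidate in candidates:
        if tokenise(candidate) == token:
            return candidate
    return None

def linkable_entries(ledger):
    """Group entry ids by token: equal tokens mean the same data subject."""
    groups = {}
    for row in ledger:
        groups.setdefault(row["subject"], []).append(row["entry"])
    return [ids for ids in groups.values() if len(ids) > 1]

# Constructed sample entries; on a real ledger these could never be deleted.
LEDGER = [
    {"entry": 1, "subject": sha256_token("041337")},
    {"entry": 2, "subject": sha256_token("250001")},
    {"entry": 3, "subject": sha256_token("041337")},
]
KEY = b"constructed-demo-key"  # constructed key, for the keyed variant only

if __name__ == "__main__":
    # 1. Entries stay linkable: the same person always gets the same token.
    print("linked entries:", linkable_entries(LEDGER))
    # 2. A small input space can simply be enumerated and re-hashed.
    print("recovered:", reidentify(LEDGER[0]["subject"], customer_numbers(), sha256_token))
    # 3. A keyed hash stops outsiders, not whoever holds the key.
    keyed = hmac_token("041337", KEY)
    print("without key:", reidentify(keyed, customer_numbers(), sha256_token))
    print("with key:", reidentify(keyed, customer_numbers(), lambda v: hmac_token(v, KEY)))
```

In every case the stored token can still be tied back to a person, which is why it counts as pseudonymised rather than anonymous data.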

In general, Bitcoin payments are considered easily traceable to the sender’s address. A digital coin that is designed with more privacy for users in mind is Monero. However, Monero is still not perfect. But if you really care about your privacy when using a digital coin, Monero is still a safe choice. The Monero developers are also looking at further improvements to privacy. One such promising improvement is using e.g. the Invisible Internet Project (I2P). I2P claims to protect users from passive network monitoring, so that not only are payments untraceable, but people snooping on the network traffic cannot tell whether you are using Monero, Bitcoin or any other kind of transaction or coin.

So: blockchain and many blockchain applications (e.g. digital coins) are not private by default. Be aware of this, especially when blockchain-enabled applications make claims about privacy by default.

This blog post will be added (after a rewrite) as an extension to the ‘Open Reference Architecture for Security and Privacy’. We are working on a renewed version. Please join us!