In a constantly and rapidly changing world, I wonder if a large part of the blockchain’s appeal isn’t its durability, its steadfastness, its immutability. And this characteristic – that it can’t be changed – is definitely one the very many advantages of the blockchain, and the future services running on it. Cut out the corruption, inefficiencies, fraud and plain old human error in transactions in one fell swoop.
But, what happens when the irresistible appeal of the blockchain, and we’ve hardly even begun to scratch the surface of what it will enable, comes up against the immovable object that is the General Data Protection Regulation (GDPR)? I’ve had a bone or two to pick with the GDPR before, both in terms of the likely burden it places on small and medium businesses , and also the impracticability of the right to request your personal identification be erased and the knock on effects this can have of actually running a business.
Now, I’m wondering what impact this right to be forgotten will have on the potential of the blockchain, given that it seems to be entirely at odds with how the blockchain operates, and hence the value and disruption it, as a decentralised ledger, can deliver.
A quick recap. The, as yet mostly untested, GDPR gives individuals the right to request an organisation delete their personal identification information in certain circumstances. These include that the data is no longer needed for the reason it was originally collected; when the individual withdraws their consent that their data be stored or objects to its being processed; if the data is being stored in breach of the GDPR; to comply with a legal obligation; or if the personal data belongs to a child.
As yet, it’s unclear what erase means, especially within a digital context. Does it mean erase entirely or just make it inaccessible? In my previous article I discussed some of the knock-on effects this can have in the pre-blockchain world, but now let’s consider what this means for a world built on the blockchain.
Unlike central registries controlled by a single authority, say a bank, public blockchain ledgers are spread out over a number of anonymous computers, connected on a peer-to-peer basis. The people involved don’t have to know, or even trust, each other. Transactions are announced to the group and recorded by everyone. At set intervals a section of the ledger, called a block, is locked irreversibly using cryptography and a piece of information from the previous block, and added to the chain. Working on the principle that the majority is honest, if any copy of the block on the network doesn’t match that of the others it is replaced with information the majority agree on. In other words, the longest chain is the true one.
Although best known for powering crypto-currencies, blockchain can also be used for many other things. For instance, Malta is looking at a blockchain-based land and health registry. And Estonians can log into their blockchain healthcare registry and see exactly who has accessed their details. The savings alone that blockchain offers are staggering. Goldman Sachs estimates that the securities industry could save $11 to $12 billion in fees by using blockchain to remove errors in the clearing and settlement of cash securities.
So, what happens then, in the case of Estonia say, when a citizen requests their personal identification information be erased in compliance with the GDPR. Leaving aside the havoc this will play with their ability to access healthcare, how does this play out? Do all the nodes on the blockchain have to agree to roll back their chain and amend the block? In principle this could happen, but it would be a lengthy process, and will put the chain out of action for the duration. And what about subsequent blocks that contain information based on the data in the amended block? Or a computer that was part of the original chain, but has since exited, for whatever reason. It would be impossible to track them down to see if the data is still lurking somewhere on their hard drive. And what happens if the network of blockchain nodes simply refuses? There is nothing really in it for them, after all, and it goes against the spirit of blockchain, which is a fiercely protected thing. Plus, who will the EU or national GDPR enforcers punish? Who are the data controllers and processors now?
Of course, private, permissioned, blockchains are a slightly different matter as it can be easier to gain consensus from the nodes for a deletion. But again, this starts impacting the value of blockchain and its immutability and decentralised nature, as well as raising issues around governance: as accountants, we know that you don’t correct an incorrect debit by deleting it, but rather with a credit.
Alternatively, and maintaining a level of governance, are solutions such as the one Accenture has prototyped that allows blocks to be edited, re-written or removed without breaking the chain. Plus, the edit leaves a “scar” so it is clear that the block has been changed. Accenture argues that the ability to modify the blockchain is required to make it commercially viable. Their prototype, they further argue, doesn’t downgrade blockchain to a regular database though, as organisation still get the benefits of data resiliency, integrity and security supplied by the built-in cryptography. Purists would definitely not agree, and I would have to say that they have a point.
Nevertheless, this is a stark illustration of how regulation and security very often lag innovation, and, if we are not careful, can bog it down or stop it in its tracks altogether. With GDPR still in its infancy, and the plan being to finetune the regulation during the first court cases, I wouldn’t want to be one of the vanguard guinea pig organisations that this gets tested on.
As published in Accountingweb – 28th November 2018