The Limits of Blockchain Privacy and the GDPR

Monday October 22nd, 2018 by Jesse Van Mouwerik

There are many reasons people are excited about the possibilities of blockchain technology, from decentralized networks to the removal of middlemen, but the most popular reason is the appeal of privacy. The myth that blockchain is immune to privacy breaches, however, is quickly unraveling. What a public blockchain actually offers is pseudonymity (addresses derived from public keys stand in for names), not anonymity, and those who feel protected solely because they are building on today's most disruptive form of tech may have to do more to protect their users' identities than they think.

Tampering with a well-run public blockchain is far more difficult than breaching a centralized party, but users' privacy can still be compromised in other ways. Web trackers and cookies are excellent examples of the problem. These small pieces of code embedded in websites report the habits of users on a given page or platform to third parties. On the everyday internet, once data such as an email address can be linked to a particular purchase history, a person's identity can be compromised.

While trickier to unpack, blockchain activity can be uncovered in a similar way. A site visit can reveal an individual's identity when what a tracker observes on the page (for example, the payment address and amount shown at checkout) is matched against the public ledger that the blockchain network relies on to settle transactions. The public ledger designed to guarantee the integrity of transactions thus becomes a means of compromising personal data. A regulator or a law enforcement agency can run the same kind of analysis on a blockchain network to identify activity it considers to be in violation of the law. In many cases, they already have.

Without the private key it may be impossible to spend someone's funds, but the public ledger and its full transaction history are open to everyone, and advanced number crunching of that history can find correlations that frequently link certain behaviors to a particular individual, or at the very least vastly narrow a search to a point that's too close for comfort. This works in the same way that a few "likes" on Facebook can be run through data analysis tools to make predictions about one's purchasing habits, political opinions, and personal psychology. Quantum random number generators (QRNGs) are sometimes mentioned as a remedy, but they improve the randomness of key generation rather than hiding the transaction graph, so they do nothing for these immediate concerns.

Online purchases can also be linked back to a particular cryptocurrency account at the moment a user converts cryptocurrency into a real currency, because exchanges verify the identities of their customers and so tie a real name to the deposit and withdrawal addresses they handle. That conversion, combined with web trackers, is why exchanges are such a weak point for user privacy: by monitoring online activity, various third parties can find correlations between an individual's private information and purchases made using cryptocurrency.
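The linkage described in the three paragraphs above (tracker observation, transaction-graph correlation, and exchange conversion) can be shown end to end with a small address-clustering script. The following is an added example, not TechGDPR's code and not data from any real chain: the ledger, tracker log and exchange record are constructed sample data, and the function names are the example's own. It applies the common-input-ownership heuristic (all inputs of one transaction are assumed to be signed by the same key holder), then attaches two kinds of real-world label to the resulting clusters: a tracker's cookie ID matched to the payment address and amount it saw on a checkout page, and an exchange's KYC record for a deposit address. Either leak alone is enough to label the entire cluster.

```python
from collections import defaultdict


# Constructed sample ledger (not real chain data). Each tx lists the input
# addresses that signed it and its (address, amount in satoshi) outputs.
LEDGER = [
    {"inputs": ["A1", "A2"], "outputs": [("M1", 5_000_000), ("A3", 12_000_000)]},
    {"inputs": ["A3", "A2"], "outputs": [("M2", 2_000_000), ("A4", 9_000_000)]},
    {"inputs": ["A4", "A1"], "outputs": [("X1", 30_000_000)]},   # deposit to an exchange
    {"inputs": ["B1", "B2"], "outputs": [("M1", 7_000_000), ("B3", 1_000_000)]},  # another shopper
    {"inputs": ["X1", "X2"], "outputs": [("X3", 100_000_000)]},  # exchange sweeps its deposits
]

# Constructed tracker log: a third-party script on merchant M1's checkout
# page records its own cookie ID plus the payment address and amount shown.
TRACKER_LOG = [
    {"cookie": "cid-7f3a", "pay_to": "M1", "amount": 5_000_000},
    {"cookie": "cid-9c21", "pay_to": "M1", "amount": 7_000_000},
]

# Constructed exchange KYC record: deposit address -> verified customer.
EXCHANGE_KYC = {"X1": "customer:alice@example.com"}


class UnionFind:
    """Minimal disjoint-set structure used to merge addresses into clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_common_input(ledger):
    """Common-input-ownership heuristic: every input of one transaction was
    signed by the same key holder, so all of them belong to one entity.
    Returns address -> frozenset of all addresses in its cluster.
    Caveat: CoinJoin-style transactions deliberately break this assumption."""
    uf = UnionFind()
    for tx in ledger:
        for addr in tx["inputs"]:
            uf.union(tx["inputs"][0], addr)  # union with itself registers single inputs too
    members = defaultdict(set)
    for addr in list(uf.parent):
        members[uf.find(addr)].add(addr)
    return {addr: frozenset(group) for group in members.values() for addr in group}


def payers_for_tracker_event(ledger, event):
    """Match what the tracker saw (payment address + amount) to the on-chain
    transaction that paid it and return the addresses that signed that tx."""
    payers = set()
    for tx in ledger:
        if (event["pay_to"], event["amount"]) in tx["outputs"]:
            payers.update(tx["inputs"])
    return payers


def link_identities(ledger, tracker_log, exchange_kyc):
    """Attach every real-world label (tracker cookie, KYC identity) to the
    whole cluster it touches. A single leak labels every address in the cluster."""
    clusters = cluster_by_common_input(ledger)
    labels = defaultdict(set)
    for event in tracker_log:
        for addr in payers_for_tracker_event(ledger, event):
            labels[clusters[addr]].add("cookie:" + event["cookie"])
    for deposit_addr, identity in exchange_kyc.items():
        for tx in ledger:
            if any(out_addr == deposit_addr for out_addr, _ in tx["outputs"]):
                for addr in tx["inputs"]:
                    labels[clusters[addr]].add(identity)
    return dict(labels)


def addresses_linked_to(label, links):
    """All addresses that the analysis ties to one label (cookie or customer)."""
    return set().union(*(cluster for cluster, ls in links.items() if label in ls))


if __name__ == "__main__":
    for cluster, ls in link_identities(LEDGER, TRACKER_LOG, EXCHANGE_KYC).items():
        print(sorted(cluster), "->", sorted(ls))
```

Run it and the first cluster prints with both a cookie ID and a customer identity attached, although only one of its four addresses ever paid the exchange and only two ever paid the tracked merchant. The heuristic is deliberately the simplest one: it is defeated by CoinJoin-style transactions, which is exactly why those count as a privacy measure, and real chain-analysis tooling layers change-address, timing and amount heuristics on top of it.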


These issues are not limited to cryptocurrencies, since every blockchain network relies on public and private key pairs to function. The key pair is a major component of blockchain security, but it protects control of an account, not the visibility of what that account does: every transaction it signs is recorded in the open. As regulators become more aware of such weaknesses, means of policing networks may follow. Under the GDPR, any exposure of users' personal data is a potential liability for the company processing it.

While each blockchain project, crypto-coin, or other decentralized platform has its own unique needs and weak spots, there are many measures that can be taken immediately to minimize these kinds of risks. Tempting as it may be to suggest a list of plugins, procedures, or protocols, the truth of the matter is that there is no one-size-fits-all solution. In many cases, the best practice is to consult professionals who understand both blockchain technology and the legal mandates of the GDPR well enough to improve your company's security for users and to demonstrate the process to regulators.

If companies undertaking blockchain projects want to remain competitive and secure, they must begin by recognizing the limits of the privacy that blockchain provides and seek proactive ways to respond. The best combination of solutions will be different for every company, but the first step is recognizing that there is no such thing as an unbreakable chain.

Jesse Van Mouwerik is TechGDPR’s Client Relations Manager and Content Designer.
