TechGDPR

The Limits of Blockchain Privacy and the GDPR

Monday October 22nd, 2018 by Jesse Van Mouwerik

There are many reasons why people are excited about the possibilities of blockchain technology—from decentralized networks to the removal of middlemen—but the most popular reason is the appeal of privacy. The myth that blockchain is immune to privacy breaches, however, is quickly unraveling. Those who feel protected solely because they’re putting today’s most disruptive form of tech to use on a new idea may have to do more to guarantee their users’ anonymity than they think.

Breaching blockchain networks is far more difficult than breaching more centralized parties, but users’ privacy can still be compromised in other ways. Web trackers and cookies are excellent examples to demonstrate this problem. These little bits of code live on websites to inform third parties about the habits of users on a given page or platform. On the everyday internet, when data such as an email address can be linked to a particular purchase history, a person’s identity can be compromised.

While trickier to unpack, blockchain activity can be uncovered in a similar way. Site visits can reveal an individual’s identity when they are matched with the public ledgers that blockchain networks rely on to make transactions. The public ledgers designed to enforce the security of transactions can then be used as a means of compromising personal data. A regulator or a law enforcement agency can then run a test on a blockchain network to identify activity it deems to be in violation of the law. In many cases, they already have.

It may be impossible to access someone’s personal data without a public and private ledger, yet advanced number crunching of public ledgers and transaction histories can find correlations that frequently link certain behaviors to a particular individual, or at the very least, vastly narrow a search to a point that’s too close for comfort. This occurs in the same way that a few “likes” on Facebook can be run through data analysis tools to make predictions about one’s purchasing habits, political opinions, and personal psychology. The use of quantum random number generators (QRNGs) is one way of addressing such problems, but the technology is still a long way from solving immediate concerns.

It is also possible to link online purchases back to certain cryptocurrency accounts when a user converts such cryptocurrency into a real currency. That conversion, combined with web trackers, is part of why many Bitcoin exchanges are insecure. By monitoring online activity, various third parties can find correlations between an individual’s private information and purchases made using cryptocurrency.

These issues are not limited to cryptocurrencies alone, as all blockchain networks rely on a public and private key to function. The public-private key combo is a major component in blockchain security, but there are still ways to circumvent it. As regulators become more aware of such faults, means for policing networks may emerge. As it concerns the GDPR, any vulnerability to users’ personal data is a potential vulnerability for a company.

While each blockchain project, crypto-coin, or other decentralized platform has its own unique needs and weak spots, there are many measures that can be taken immediately to ensure that these kinds of risks are minimized. Tempting as it may be to suggest a list of plugins, procedures, or protocols, the truth of the matter is that there is no one-size-fits-all solution. In many cases, the best practice is to consult professionals who understand both blockchain technology and the legal mandates of the GDPR well enough both to improve your company’s security for users and to demonstrate the process to regulators.

If companies undertaking blockchain projects want to remain competitive and secure, they must begin recognizing the limits to privacy that blockchain provides and seek proactive ways to respond. The best combination of solutions will be different for every company, but the first step is recognizing that there’s no such thing as an unbreakable chain.

Jesse Van Mouwerik is TechGDPR’s Client Relations Manager and Content Designer.
