The Limits of Blockchain Privacy and the GDPR

There are many reasons why people are excited about the possibilities of blockchain technology—from decentralized networks to the removal of middlemen—but the most popular reason is the appeal of privacy. The myth that blockchain is immune to privacy breaches, however, is quickly unraveling. Those who feel protected solely because they’re putting today’s most disruptive form of tech to use on a new idea may have to do more to guarantee their users’ anonymity than they think

Breaching blockchain networks is far more difficult than breaching more centralized parties, but users’ privacy can still be compromised in other ways. Web trackers and cookies are excellent examples to demonstrate this problem. These little bits of code live on websites to inform third parties about the habits of users on a given page or platform. On the everyday internet, when data such as an email address can be linked to a particular purchase history, a person’s identity can be compromised.

While trickier to unpack, blockchain activity can be uncovered in a similar way. Site visits can reveal an individual’s identity when they are matched with the public ledgers which blockchain networks rely on to make transactions. The public ledgers designed to enforce the security of transactions can then be used as a means of compromising personal data. A regulator or a law enforcement agency can then run a test on a blockchain network to identify activity it sees to be in violation of the law. In many cases, they already have.

It may be impossible to access someone’s personal data without a public and private ledger, yet advanced number crunching of public ledgers and transaction histories can find correlations that frequently link certain behaviors to a particular individual, or at the very least, vastly narrow a search to a point that’s too close for comfort. This occurs in the same way that a few “likes” on Facebook can be run through data analysis tools to make predictions about one’s purchasing habits, political opinions, and personal psychology. The use of QRNGs is one way of addressing such problems, but the technology is still a long way from solving immediate concerns.

It is also possible to link online purchases back to certain cryptocurrency accounts when a user converts such cryptocurrency into a real currency. That conversion, combined with web trackers, has contributed to why many Bitcoin exchanges are insecure. By monitoring online activity, various third parties can find correlations between an individual’s private information and purchases made using cryptocurrency.

abstract illustration of blockchain TechGDPR

These issues are not limited to cryptocurrencies alone, as all blockchain networks rely on a public and private key to function. The public-private key combo is a major component in blockchain security, but there are still ways to circumvent it. As regulators become more aware of such faults, there may become means for policing networks. As it concerns the GDPR, any vulnerability to users’ personal data is a potential vulnerability for a company.

While each blockchain project, crypto-coin, or other decentralized platform has its own unique needs and weak spots, there are many measures that can be taken immediately to ensure that these kinds of risks are minimized. Tempting as it may be to suggest a list of plugins, procedures, or protocols, the truth of the matter is that there is no one-size-fits-all solution. In many cases, the best practice is to consult professionals who can understand both blockchain technology and the legal mandates of the GDPR in a complex enough way to both improve your company’s security for users, as well as demonstrate the process to regulators.

If companies undertaking blockchain projects want to remain competitive and secure, they must begin recognizing the limits to privacy that blockchain provides and seek proactive ways to respond. The best combination of solutions will be different for every company, but the first step is recognizing that there’s no such thing as an unbreakable chain.

Jesse Van Mouwerik is TechGDPR’s Client Relations Manager and Content Designer.

Follow TechGDPR on Twitter.

Do you need support on data protection, privacy or GDPR? TechGDPR can help.

Request your free consultation


Show more +