Blockchain Needs To Remember The Right To Forget

Blockchain, Opinion | February 26, 2019 By:

In May of 2018, near the peak of blockchain mania, the European Union (EU) rolled out the General Data Protection Regulation (GDPR) in an attempt to prevent the gross exploitation of data that had become commonplace by internet giants like Facebook, Google and Amazon.

The GDPR protects individuals by laying down strict rules for data use and management by companies, including the “right to be forgotten” and requiring data to stay within the borders of its native country.

The “right to be forgotten” forces companies to delete user data after an individual leaves the network and keeping data within the borders of a single country helps secure data and ensure companies are not conducting shady schemes outside legal jurisdiction.

Violating these laws can lead to fines of up to 4 percent of a company’s global annual revenue, which can be hundreds of millions of dollars for large corporations.

The GDPR helps combat an incredibly pressing issue in our digital world. Companies have profited off user data without curtail for far too long. Facebook has, at some point, conspired with nearly every tech company you can think of to circumvent its own privacy policies.

But the GDPR comes with a catch. The legislation is in direct conflict with another effort to empower users to take back control of their data: blockchain.

Blockchain’s promise of data protection is well storied at this point. The short and sweet version is that blockchain uses transparency and immutability to provide trust, security and user-control. Self-executing smart contracts can keep sensitive data outside the grasps on any greedy intermediary and the decentralized nature of the networks help protect against hacks and abuse.

However, concepts like immutability and widespread decentralization are at odds with the two aforementioned GDPR rules: “the right to be forgotten” and bordered data management.

Debate has raged online between GDPR stalwarts and blockchain enthusiasts. GDPR critics claim the legislation has kneecapped blockchain, stifling the tech’s potential, while GDPR proponents have called on blockchain networks to bend over backwards and adjust.

With the rampant abuse of user data in the last decade or so, the EU seems unlikely to back down and amend their legislation any time soon, but how can blockchain technology move forward and comply without destroying the systems that make it so useful in the first place?

Let’s take a look at several possible solutions…

  • Off-chain storage – This tactic keeps sensitive user data off the blockchain, allowing a continuous blockchain record and the ability for data to be deleted. Unfortunately, off-chain systems largely defeat the purpose of blockchain by storing data via traditional methods, meaning data is more vulnerable to hacks, edits and other trickery.
  • Deletion of Encryption Keys – Deleting encrypted keys keeps sensitive data on the blockchain but throws away the ability to access the information. This method essentially deletes the data by rendering it inaccessible, but does not technically erase it. The GDPR explicitly calls for the deletion of data, and while the deletion is not clearly defined in the legislation, making something inaccessible and destroying it all together are not the same thing.
  • Anonymization – While there are a couple different ways to go about anonymizing data, most solutions involve the some version of our already defunct off-chain storage method. On-chain pointers connect mainchain information to sensitive  off-chain information. Once the off-chain data is destroyed, the link is broken and the on-chain information is anonymous. However, this method still leaves data on the mainchain, and while tough, identifying information could still be obtained from the blockchain.
  • Centralized Back-End Systems – Another proposition is to completely overhaul the concept of blockchain and create centralized back end systems, that allow data to be anonymized without interrupting any chains. While this would allow GDPR and blockchain to peacefully coexists, you have basically gutted the fundamentals of blockchain by doing so. Centralized back-ends give data control back to companies and require users to once again trust companies with their information behind closed doors. That worked great the first time?

A better solution? Public-private deletable blockchain infrastructure.

Public-private deletable blockchain infrastructure could remedy blockchain and GDPRs incompatibility by preserving blockchain functionality while protecting user data in accordance with the GDPR.

Software giant SAP’s Chief Technology Officer, Dr. Juergen Mueller, has been advising Lition, a German tech startup, in the development of their blockchain platform with true deletability through the use of private side chains that stem from the mainchain.

Lition’s network tracks metadata in the mainchain to ensure network functionality. This is where things like consensus are maintained, token balances are tracked, and transparency is provided. Smart contracts are executed on the main network, but invoke private permissioned sidechains where sensitive data is kept. These side chains can be deleted, destroying the information contained with in them, while preserving the block hashes to maintain network integrity.

The public private infrastructure is the first protocol that both allows true deletion of data and abides by the fundamentals of blockchain.

The GDPR and blockchain initiatives were both attempts to reclaim our information and put an end to the rampant abuse of data Silicon valley’s top dogs have orchestrated for too long. Although they emerged from different ends of the ideological spectrum, permanent deletion versus untamperable transparency, the end goal was mostly the same.

Through the use of public-private deletable platforms, we will be able to diversify our tool set for the fight to take back our digital identities. The GDPR doesn’t cripple blockchain, rather, it challenges it to innovate and incorporate all the best strategies to ensure our data is secure and protected.