In GDPR vs Blockchains - The Conflict and GDPR vs Blockchains - Convergence we focused exclusively on the challenges of GDPR compliance. However, the reality is that even
if we satisfied the GDPR lawmakers we are still far from a happy ending.
Privacy, Anonymity and Oversight
The highest degree of privacy is complete anonymity, which unfortunately raises other complications. In a decentralized platform
anyone can transact, whether or not one is law abiding. The argument from a law enforcement perspective
is that whereas we have a right to privacy, we do not have a right to anonymity when it comes to enforcement.
Law enforcement agencies require data access for various reasons, including taxation and national security. So on one hand we have
laws requiring privacy, but on the other we can have enforcement agencies requiring privileged access to the same data. Whereas from
a legal perspective making such a distinction is fairly straight forward, implementing something that satisfies both needs, is considered
to be very difficult.
The conflict between privacy and oversight is nothing new and is certainly not unique to blockchains. One of the most popular such
conflicts arose between the FBI
and Apple in relation to the 2015 San Bernardino terrorist attack. One of the terrorists used an iPhone for his communications
and the FBI wanted Apple to develop a backdoor for breaking its security. Apple refused to comply claiming that such a backdoor could
be used against any iPhone, undermining the privacy of all users.
This is a good example of the fundamental conflict that arises when providing a backdoor or some sort of privileged access. This
conflict is true both for centralized applications like iOS as well as for decentralized blockchains.
In the blockchain space,
news that the US wanted a crack-down on privacy coins has been circulating for some time. Furthermore, last January some
to delist privacy coins like Zcash and Monero, without providing an explanation. Yet, the most logical explanation seems
to be that these centralized exchanges were fearing that some sort of enforcement was forthcoming.
When looking at such news, one might think that this only concerns single purpose blockchains providing private coins. This is not
the case. First of all, privacy coins are very similar to private fungible tokens running on DLT platforms. Thus, enforcement in
this space is relevant to them too.
Secondly tokens are an important building block in various applications, not related to decentralized finance DeFi. A common
example is the one using a private token to represent a vote in an election. The technologies used for building DeFi private
tokens are the same used in non-DeFi applications. Thus, a broad crackdown on blockchains providing privacy is potentially
debilitating to a much broader set of applications.
Even though this discussion largely concerned US enforcement, this is still very relevant to European business entities. Any business
with global ambitions, that is implementing a GDPR compliant DLT application, cannot ignore the impact of such enforcement. Furthermore,
a similar crack-down could also happen within the EU. So again, we end-up with a lot of uncertainty. This time, around whether we are
providing too much privacy.
Most blockchain privacy solutions today are built on top of elliptic curve cryptography, a technology that is not quantum resistant.
Thus, we are working with technologies whilst knowing that on the horizon there exists a technology that could break their fundamental
This threat is real, so much so that NIST is currently leading the research for
post-quantum cryptography standards.
If we look closely at privacy solution implementations, we see that some rely on storing encrypted data on-chain. This data should
only be readable by the intended transaction recipient. The permanent storage provided by blockchains, means that such data is
permanently available for its privacy to be attacked.
This can be an issue with GDPR article 5 that requires that data must be secured from "unauthorised or unlawful processing". Thus, as
quantum computers advance in their computational power and their potential of breaking today's encryption becomes clearer, the
responsibility for complying with this article will grow accordingly.
In ICT, cryptographers have always been regarded to be the champions of applied privacy. The blockchain community harbours a movement
of the most extreme privacy supporters. It is hard to see a conflict of intents between them and GDPR lawmakers.
The privacy limitations in today's blockchains can be attributed to a number of factors. One of these is the success registered in
applying deanonymization techniques.
Another is the need for decentralized blockchains to mature further. DLT platforms, could certainly provide better built-in privacy
support. Also maturing are the privacy preserving technologies themselves. Research around Zero Knowledge proofs and other technologies
gained significant momentum in the last few years. This push confirms the community's commitment towards privacy.
However, in the long term, the biggest challenge seems to be reconciling privacy and oversight. Today we have a situation where the
technical community/industry is expected to provide solutions for conflicting needs. Privacy coins like Monero and Zcash are testing the
waters for the rest of the industry. The ongoing crack-down might define what kind of privacy blockchains can provide.
Revising GDPR to clarify the uncertainty of how it applies to a decentralized world would be beneficial to everyone. The outcome might
be that decentralized entities require more individual responsibility. Ideally this would give the industry a clearer path of how it can
innovate with minimal regulatory risks. The public would also benefit from having a clearer understanding of how far the law can go.
Decentralization can be a tool for much more effective direct democracy. It can bring about more
transparency in institutions bogged by bureaucracy. There might be the need for us to change our ways, where "us" includes everyone,
including those setting the rules.