When Blockchain Meets the Right to be Forgotten: Technology Versus Law

Posted 2nd May 2018 by Jane Williams
Over the past few years, blockchain and cryptocurrencies have grown in popularity and gained wide notoriety, not only in scientific and IT journals but also in the media. Although many kinds of cryptocurrencies are in circulation nowadays, the most popular is Bitcoin.
The Bitcoin hype
Since Bitcoin began attracting the attention of the financial, security and IT communities, several other blockchain implementations have appeared. One of these is Ethereum, a programmable blockchain [6]. Rather than the pre-defined operations of Bitcoin, Ethereum allows users to create their own operations, serving as a platform for many different blockchain-based applications: cryptocurrency, smart contracts, decentralised file storage, among others. This is possible because the Ethereum Virtual Machine (EVM) is Turing complete. The EVM lets developers create their own applications, giving them the freedom to design their own implementations for specific services. The token required to make transactions within the network and to pay the nodes for processing services is called “ether”.
Although Ethereum’s blockchain is similar to Bitcoin’s, there are some differences. Unlike Bitcoin, Ethereum’s blocks contain a copy of the transaction list and the latest state. The blockchain replication process is also different: although both Ethereum and Bitcoin use Proof-of-Work to select the next block to append to the chain, Bitcoin’s puzzle is bound by CPU consumption and Ethereum’s by memory. As an alternative to Bitcoin and Ethereum, the Linux Foundation has proposed a new blockchain project called Hyperledger, a framework for developing new services and applications on a permissioned ledger. Even though Hyperledger can be used for a wide spectrum of applications, one of the most popular is smart contract development. The Hyperledger project consists of five blockchain frameworks:
- Fabric
- Iroha
- Sawtooth
- Burrow
- Indy
The most popular implementation is Fabric, a modular blockchain framework whose components can be swapped in a plug-and-play fashion. Moreover, its replication process between nodes is cost-efficient and can process about 3,500 tps [1], thanks to a consensus algorithm based on Practical Byzantine Fault Tolerance (PBFT). This makes Hyperledger Fabric one of the best options for customising a blockchain implementation. With this business-oriented blockchain network, the use of these technologies is shifting from financial transactions to business process management. Any business-oriented solution involves managing confidential and/or private information, and with the arrival of the new European General Data Protection Regulation (GDPR), the openness and immutability of blockchain pose a problem from the regulation’s point of view.
Personal data in the blockchain and the right to be forgotten
Blockchain and the European General Data Protection Regulation, which comes into force this month, are currently two key topics that always raise the same question: how does the regulation apply to the technology? More precisely, GDPR and blockchain are often mentioned together because of a potential clash between distributed ledgers and some of the principles or rights conferred by the regulation. The most popular and debated of these, presented as the biggest challenge for blockchain implementations within the regulation’s scope, is probably the right to be forgotten.
Indeed, the blockchain’s immutability ensures that nothing can be deleted from the ledger. Before any such analysis, the first question to ask is how a blockchain would trigger the application of the GDPR and all the ensuing consequences and requirements. The GDPR’s broad scope covers the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. It also covers the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities relate to the offering of goods or services or to the monitoring of their behaviour taking place in the EU. Considering the territorial scope, blockchain obviously admits no borders: the ledger’s participants can be located anywhere in the world, including the EU. On the other hand, the material scope is much broader than one might expect, insofar as “data processing” and “personal data” have wide meanings.
Indeed, data processing means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”, while personal data covers “any information relating to an identified or identifiable natural person” 1.
To summarise the process: in a blockchain system, transactions are initiated with a private/public key pair, and the public key, being visible on the public ledger, can lead to the identification of the participant if it is used several times. Thus a public key can be considered personal data, by analogy with a decision of the European Court of Justice that reached the same conclusion about IP addresses.
Personal data could also be included in a transaction as a hash, and thus be considered pseudonymised data, which triggers the GDPR’s application too. In theory, the blockchain ecosystem should therefore be within the scope of the GDPR, which raises the question of “who” has to be compliant. The regulation defines four different roles: the data controllers and the data processors, who are responsible for compliance and have to demonstrate it; the data subjects concerned by the processing; and the third parties, authorised to process personal data under the authority of the controller or processor. Therefore, to comply with the GDPR, data controllers and processors must be clearly identified, and here lies the challenge.
Blockchain VS GDPR
In a public blockchain, based on a decentralised architecture where anyone in the peer-to-peer network can add transactions without any control or authorisation from a central authority, everyone could be considered a controller because of their actions and, at the same time, a processor because of the copy held on their computer. The situation seems easier with private schemes, which clearly identify an administrator. The blockchain is a new structure and architecture, not anticipated by the classic scheme considered in the GDPR. In the ‘fiat’ world there is always an identified data controller, also considered a ‘central authority’, but in a public blockchain scheme the absence of a central authority is fundamental.
In a nutshell, the blockchain technology as a protocol cannot properly be qualified as a data controller or processor. The responsibility is “transferred” to the people orbiting around the blockchain, considered as “third services”. Any actor (developer, miner, or simple reader), considered a network third party, will be in charge of compliance with data protection laws. In particular, this can concern all the exchanges offering wallets (which must also comply with the recent KYC regulations) and all the project managers creating or using blockchain as a service for different use cases.
To conclude, each blockchain or project involving that technology must be precisely analysed to identify the obligations imposed, such as respecting data subjects’ rights. In the present case, if the blockchain’s third services are bound by the regulation, the feasibility of implementing each right in the protocol must be analysed, with a special focus on the right to be forgotten.
The GDPR’s main goal is to give data subjects back power over their own data, but this poses a huge challenge for blockchain projects and implementations. The principle of the right to be forgotten, also known as the right to erasure, is not new. It really entered the European Union sphere in 2014, with a judgment of the European Court of Justice 3. In this case, involving Google Spain, the judges ruled that European Union citizens could ask a search engine operator to remove content indexed in its search results, except where the content had a specific significance for the public interest. On that day, the European Court of Justice created the ‘right to be de-indexed’. With that impulse, the European legislator decided to follow the same path and formalised a fundamental data subject right in April 2016, when the GDPR was adopted: the right to be forgotten was definitively born, set out in Article 17.
Recognised for the first time as a definitive lapse of digital memory, the right means that the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, “taking account of available technology and the cost of implementation”. It further implies that the data controller must notify other controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
As with most rights, the right to be forgotten is not absolute, and several exceptions are listed in Article 17(3) of the GDPR: exercising the right of freedom of expression and information, compliance with a legal obligation, reasons of public interest in the area of public health, archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, and the establishment, exercise or defence of legal claims. Still, if a request is justified, the party responsible for the blockchain system may have to remove the data, but that obligation is technically hard to handle in such a distributed architecture.
From a legal point of view, the key feature of the blockchain technology seems to conflict with the right to be forgotten and requires a clear position from the Article 29 Working Party (G29), or from the national data protection authorities, with a common stance on blockchain implementations facing the regulation. In the meantime, however, this does not mean that blockchain projects cannot be compliant with the regulation.
Technical Approach
The blockchain is a distributed database whose records are organised as a chain of blocks. The management, updates and operations of the database are performed by a peer-to-peer network. One of the main characteristics of a blockchain is its resistance to malicious modification. This security level is achieved by using block timestamps and hash pointers that link each block of the chain to the previous one.
The blockchain is designed so that any modification to a block compels the regeneration of all following blocks in the chain, an exhaustive process that is extremely difficult to achieve. State replication and updates to the blockchain are based on a consensus algorithm, which ensures that any update to the main chain is performed by an ‘honest node’. How the honest node that will have the right to add a new block is selected depends on the kind of blockchain implementation. The most popular consensus technique in blockchain is Proof-of-Work, which corresponds to solving a cryptographic puzzle [4]. Other consensus schemes are based on agreement between the network peers in a democratic scheme [2] or according to their assets [3].
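The hash-pointer and proof-of-work mechanism described above, as an added example that is not part of the original post and is not Bitcoin’s or Ethereum’s code. It builds a small chain where every block stores the previous block’s hash and a nonce solving a toy puzzle (a fixed number of leading zero bits, a constructed difficulty chosen so the demo runs in milliseconds), then edits a middle block and shows that re-mining that block alone leaves the next block’s pointer dangling, so every later block would have to be regenerated too. Record contents and the base timestamp are constructed sample values.

```python
"""Hash-pointer chain with a toy proof-of-work puzzle (added example, constructed)."""
import hashlib
import json
import time

DIFFICULTY_BITS = 12  # leading zero bits the hash must have; toy value, mines in milliseconds


def block_hash(block):
    # Hash every field except the stored hash itself, using a canonical encoding.
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def meets_target(digest_hex, bits=DIFFICULTY_BITS):
    # Proof-of-work check: the 256-bit digest must start with `bits` zero bits.
    return int(digest_hex, 16) >> (256 - bits) == 0


def mine(block, bits=DIFFICULTY_BITS):
    # Brute-force a nonce until the block's hash meets the target; this is the "puzzle".
    block["nonce"] = 0
    while True:
        digest = block_hash(block)
        if meets_target(digest, bits):
            block["hash"] = digest
            return block
        block["nonce"] += 1


def new_block(prev, data, timestamp=None):
    block = {
        "index": prev["index"] + 1 if prev else 0,
        "prev_hash": prev["hash"] if prev else "0" * 64,  # genesis block points at zeros
        "timestamp": int(time.time()) if timestamp is None else timestamp,
        "data": data,
    }
    return mine(block)


def build_chain(records, base_timestamp=1525219200):
    # base_timestamp is a constructed fixed value so the demo is deterministic.
    chain = []
    for i, data in enumerate(records):
        chain.append(new_block(chain[-1] if chain else None, data, base_timestamp + i))
    return chain


def verify_chain(chain):
    """Return the index of the first invalid block, or -1 if the chain is intact."""
    for i, block in enumerate(chain):
        expected_prev = chain[i - 1]["hash"] if i else "0" * 64
        if (block["prev_hash"] != expected_prev
                or block["hash"] != block_hash(block)
                or not meets_target(block["hash"])):
            return i
    return -1


def tamper_demo():
    """Edit a middle block, then show that re-mining it alone is not enough."""
    chain = build_chain(["alice->bob 5", "bob->carol 2", "carol->dave 1"])  # constructed records
    intact = verify_chain(chain)            # -1: the untouched chain verifies
    chain[1]["data"] = "bob->carol 200"     # tamper with block 1
    broken_at = verify_chain(chain)         # 1: block 1's stored hash no longer matches its content
    mine(chain[1])                          # re-mine block 1 only
    still_broken_at = verify_chain(chain)   # 2: block 2 still points at the old hash of block 1
    return intact, broken_at, still_broken_at


if __name__ == "__main__":
    print(tamper_demo())  # (-1, 1, 2)
```

The detection side is `verify_chain`: a node that re-validates every pointer and every puzzle solution rejects the edited history, which is why a rewrite only succeeds if the attacker can redo the work for every block after the edit faster than the honest network extends the chain.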
The main principle of blockchain is to create a new database model that is maintained by a network of nodes instead of a central server. Each node has a local version of the chain, and the process to update it is defined by a consensus protocol that ensures that nobody can change or delete a value previously recorded. This principle makes blockchain technology suitable for recording data for accountability, financial transaction settlement, system logs, and any other application where history must be immutable.
Nevertheless, databases are used in a wide range of applications: banking, telecommunications, healthcare, government, NGOs, among others. Hence, the new challenge for blockchain technology is the management of private information in a decentralised, open database specifically designed to keep its records immutable and to allow everybody to read them. From a privacy-preserving point of view, the data on a blockchain can be protected with cryptographic protocols: with these mathematical functions we can hide information from anybody who is not allowed to access the data.
Applications
One of the most popular privacy-preserving blockchain implementations is Zcash. Its model provides private transactions by using a homomorphic encryption scheme and a novel consensus algorithm based on zero-knowledge SNARKs [5]. Although Zcash has proposed a secure scheme to protect the data stored in the blockchain, this is not enough to comply with the GDPR. The new European regulation treats any private information protected under a scheme that allows the private data to be retrieved in some way as pseudonymised data. In this case, the system must give the user the option to be forgotten from the platform. This is a big challenge for any blockchain-based service, considering that the main principle of the design is to deny the removal of previously stored records.
So far, we have seen the right to be forgotten addressed in projects like MyHealthMyData (MHMD), which avoid recording private data on the blockchain. In the case of MHMD, the platform allows data access to hospitals, research centres, pharmaceutical companies and others within a network of healthcare institutions. The blockchain platform is being used as a decentralised system for controlling, monitoring and enforcing the GDPR guidelines during the data-sharing lifecycle. Under this model, MHMD records information about the data treatment on the blockchain, keeping the private data itself on a central server at the data controller’s facilities. Finally, business logic and traceability are achieved by recording metadata that can be mapped to the private data by a special mapping function, also hosted outside the blockchain. Hence, the right to be forgotten is enforced by removing, in the mapping function, the link between the blockchain and the private data.
Another alternative that complies with the GDPR and the right to be forgotten is the approach proposed by BC Diploma. They presented a solution that eliminates the way back that any cryptographic algorithm has: the secret key. By destroying the secret key, we make it extremely difficult to decrypt the ciphertext. However, we cannot state that the level of effort needed to recover the private data is so high that the data can be considered anonymised after the secret key’s destruction. The impossibility of affirming that “destroying the secret key makes it impossible to recover the encrypted data” can be argued in different ways; one of the strongest arguments against that statement is that the major encryption schemes are not resilient against attacks using quantum computing.
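The two erasure strategies just described (the MHMD-style off-chain mapping and the BC Diploma-style key destruction), as one added example that is not part of the original post and is not code from either project. The ledger is a minimal append-only hash chain standing in for a real blockchain, and the cipher is a toy SHA-256 counter-mode stream standing in for a real authenticated cipher such as AES-GCM; both are assumptions made for the demo, and the patient and diploma records are constructed sample data. Strategy A puts only a record id and a hash on the chain and honours erasure by deleting the off-chain mapping; strategy B puts ciphertext on the chain and honours erasure by deleting the per-record key. In both cases the chain is never edited and still verifies afterwards, and in strategy B the ciphertext remains on the chain, which is exactly why the text above says such data is pseudonymised rather than anonymised.

```python
"""Two ways to honour an erasure request without editing the ledger (added example, constructed)."""
import hashlib
import os


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class Ledger:
    """Append-only hash chain standing in for a blockchain: entries are never removed or edited."""

    def __init__(self):
        self.entries = []

    def append(self, payload):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"prev": prev, "payload": payload,
                             "hash": sha256_hex(prev.encode() + payload)})
        return len(self.entries) - 1

    def verify(self):
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev"] != prev or entry["hash"] != sha256_hex(prev.encode() + entry["payload"]):
                return False
            prev = entry["hash"]
        return True


class OffChainStore:
    """Strategy A (MHMD-style): the chain holds an id and a hash; the data lives off-chain."""

    def __init__(self, ledger):
        self.ledger = ledger
        self.mapping = {}  # record id -> personal data: the deletable link

    def record(self, record_id, personal_data):
        self.mapping[record_id] = personal_data
        # Only a commitment reaches the chain; the hash alone does not reveal the data.
        return self.ledger.append(f"{record_id}:{sha256_hex(personal_data)}".encode())

    def lookup(self, record_id):
        return self.mapping.get(record_id)

    def forget(self, record_id):
        # Erasure = cutting the link; the on-chain entry stays but resolves to nothing.
        self.mapping.pop(record_id, None)


def keystream_xor(key, nonce, data):
    """Toy stream cipher (SHA-256 in counter mode); the same call encrypts and decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class KeyShredStore:
    """Strategy B (BC Diploma-style): ciphertext on-chain, a per-record key kept off-chain."""

    def __init__(self, ledger):
        self.ledger = ledger
        self.keys = {}  # entry index -> (key, nonce)

    def record(self, personal_data):
        key, nonce = os.urandom(32), os.urandom(16)
        index = self.ledger.append(keystream_xor(key, nonce, personal_data))
        self.keys[index] = (key, nonce)
        return index

    def read(self, index):
        if index not in self.keys:
            return None  # key destroyed: the ciphertext is still on-chain but unreadable
        key, nonce = self.keys[index]
        return keystream_xor(key, nonce, self.ledger.entries[index]["payload"])

    def forget(self, index):
        self.keys.pop(index, None)  # "crypto-shredding": destroy the key, not the record


def demo():
    ledger = Ledger()
    off_chain = OffChainStore(ledger)
    shredder = KeyShredStore(ledger)
    patient = b"Alice Example, born 1980, diagnosis X"  # constructed sample data
    diploma = b"Bob Example, BSc 2016, grade A"          # constructed sample data
    off_chain.record("patient-42", patient)
    idx = shredder.record(diploma)
    before = (off_chain.lookup("patient-42"), shredder.read(idx))
    off_chain.forget("patient-42")
    shredder.forget(idx)
    after = (off_chain.lookup("patient-42"), shredder.read(idx))
    return {
        "before": before,
        "after": after,
        "chain_intact": ledger.verify(),        # the ledger was never edited
        "entries": len(ledger.entries),         # nothing was removed from it
        "ciphertext_still_on_chain": ledger.entries[idx]["payload"] != diploma,
    }


if __name__ == "__main__":
    print(demo())
```

Reading the result: after `forget`, both stores return `None`, `chain_intact` stays true and the entry count is unchanged. The difference between the strategies is what remains readable to the world: in strategy A only a hash and an id, in strategy B the full ciphertext, whose secrecy depends on the cipher staying unbroken for as long as the chain exists.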
Mirko Koscina is a PhD student in information security at École Normale Supérieure (ENS) and Research Project Manager at Almerys. Aurélie Bayle is a PhD student in private law at the University of Montpellier and Data Protection Officer at Almerys.