No doubt about it—online privacy took a beating in 2018. What was once questionable—the idea that our personal data can remain secure with sufficient safeguards—now seems merely quaint. Months after the Cambridge Analytica scandal revealed Facebook’s slippery use of its users’ information, the company experienced a massive breach that compromised millions of accounts. Marketing firm Exactis placed 340 million people’s data on a public server. The litany of attacks on companies that included Macy’s, Under Armour, Ticketfly—and let’s not forget the entire city of Atlanta and the culmination of a five-year campaign by Iranian hackers that affected over 300 universities—approached dog-bites-man territory. Has it really been nearly a year since a hack of India’s biometric identification database allowed one to purchase the personal data of nearly any of the country’s billion-plus citizens, via WhatsApp, for less than ten bucks a pop?
All this porousness has naturally led forward-thinkers to wonder if blockchain-based solutions are the answer to our data woes. Companies like Civic are offering ambitious decentralized solutions for protecting sensitive personal information. Microsoft and Mastercard are said to be collaborating on a decentralized identity system—a welcome development, given the leak of credit card information belonging to Kmart shoppers and Delta flyers, linked to glitches in software the companies use. Original e-cash pioneer David Chaum, whose early work was inspired by a belief in the importance of private transactions, reemerged this year with a technology he claims solves some of the scalability and security issues endemic to that space. But most companies are taking a cautious approach to using blockchain to safeguard data. As the year came to a close, the security firm Netwrix estimated that blockchain solutions for IT management would rise in 2019, but not become widely adopted.
There are many reasons this caution is prudent. In 2018, computer scientists in Qatar revealed how they were able to trace the identity of people conducting bitcoin transactions over the anonymous Tor network. Though not the first study to reveal bitcoin’s traceability problem, the Qatari project revealed that even Tor offered no ultimate guarantee of privacy. This year saw the rise of a cottage industry, led by companies like Chainalaysis and Elliptic, devoted to making bitcoin transactions less private. Detective work by Chainalaysis played a crucial role in a precedent-setting case in the Netherlands, helping police identify the major players in a bitcoin money-laundering scheme. Stateside, the Department of Homeland Security ended the year by soliciting proposals from the startup community that will help authorities conduct forensic analysis of blockchain-based transactions.
Besides the obvious conflict between those who see blockchain as a privacy haven and those who want to erode these protections, the public’s growing demand for more control over personal data is leading to a potentially serious conflict for blockchain advocates. In April, the European Union implemented the General Data Protection Regulation (GDPR), guaranteeing E.U. residents certain powers in protecting personal data collected by corporations. Among these is “the right to be forgotten”—people must have the options to remove data connected to their activities. But blockchains, immutable by design, operate on the principle that there is no “forgetting.” The stage is set for “privacy poisoning,” blockchain-speak for what happens when information stored permanently on a distributed ledger conflicts with regulations that guarantee the right to make it disappear. No documented cases of this so-called poisoning have yet occurred, but a recent study by Gartner predicts that by 2022, 75% of public blockchains will suffer poisoning. In 2019, the search for an antidote will likely gain urgency.
Moving forward, to assess how blockchain can improve our lives in ways that balance privacy protections with other concerns, we can start by deciding how much we are willing to accept the uncertainty that still exists. Consider, for instance, one of the most dynamic spaces within the industry for blockchain products, the various proposals to use blockchain technology to manage medical records. To be sure, we want these records to remain private and secure–but the benefits are tangible enough to think of blockchain as a useful alternative. Quick access to medical records by first responders could be improved, especially when patients cannot communicate. In July, Walmart filed a patent for a system that would include a wearable device, which would contain medical information, and a biometric scanner that would decrypt a patient’s private key. Blockchain technology could conceivably approve electronic health record (EHR) systems, which are often essentially siloed by residing on the computer system of a patient’s doctor or healthcare provider. A system of public and private keys would make it easy for new providers to access this information, especially useful given how often our current system forces us to change insurers and providers. This is why healthcare records management companies like MTBC are beginning to integrate blockchain into their EHR software. Blockchain could also, in theory, give us all more control over how our health data is monetized, possibly allowing us to receive compensation for what we now provide for free, the rationale behind startups like CoverUs.
If blockchain can help us maintain and update our health data securely, could it provide a way to maintain our identity in a broader sense? The concept of “self-sovereign identity,” which has been around since the early days of public-key cryptography, is receiving renewed interest as blockchain technology has matured. The basic idea is that the ways we construct an “official” identity, which we we currently outsource to various centralized parties (think of your DMV-issued drivers licence), could exist in a decentralized form on a blockchain. An open-source platform launched last year by the nonprofit Sovrin Foundation, the first of its kind, uses recent developments in blockchain technology that allow public keys to be stored on public ledgers, along with documents containing information related to the key-holder. If an entity, such as a mortgage lender that wants to know aspects of your credit history, needs to verify some aspect of your identity, you’ll provide information without totally relinquishing it. If these systems gain traction, in the future you’ll have more control over the kind of personal information that companies like Equifax and Exactis have done such a poor job of safeguarding.