Aleph Zero Blog

Privacy and Blockchain: How to Make it Work?

Oct 22, 2021

Private blockchains have been a subject of debate for a long time now. Ensuring compliance by design, as well as solving a variety of practical and regulatory challenges, is the way to go. Here’s how to make it work while ensuring longevity.

The Current State of Public Blockchains

The digital era has revolutionized the ways in which information and value are transferred, shared, and stored. This has led to inescapable tensions over how to balance transparency and privacy in an increasingly interconnected world. And as an essential component of Web3’s core architecture, blockchain technology is facing increasing scrutiny from a privacy policy perspective, given the technology’s decentralized, immutable nature and simultaneous claims to being both privacy- and transparency-enhancing.

What many people fail to understand, however, is that public blockchains can be structured in a way that preserves users’ self-sovereignty and user context – which is everything when it comes to the transparency vs. privacy debate. As a result, there is a credible case to be made that recognizing and complying with users’ privacy rights on public blockchains is both possible and beneficial – particularly when it comes to enterprise blockchain adoption.

The Transparency vs. Privacy Debate

First off, it’s clear that the transparency vs. privacy debate surrounding the blockchain sector is not unique to this industry, but rather part of a broader debate that involves a vast spectrum of societal interactions. Therefore, before we dive into blockchain technology’s unique challenges within this space, it’s necessary to quickly provide some clarity on the perennial tension between transparency vs. privacy, writ large. 

It’s clear that public/private institutions and individuals can reap multiple benefits from increased information-sharing, transparency, and open data from both an efficiency and accountability standpoint. Entire new markets have been made possible through the seamless sharing of information across previously siloed businesses and databases, and the speed at which businesses and public sector agencies can detect and respond to real-world events in real time is increasingly crucial to their success. At the same time, these developments have also galvanized an important policy movement that seeks to protect consumer privacy within an ever-increasing array of digital environments. This movement involves both broad, regional consumer privacy protections like Europe’s General Data Protection Regulation (GDPR) framework and industry-specific regulations like the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA). These large-scale, simultaneous shifts towards enhanced transparency and privacy are often in opposition to one another, but the fact is both goals are equally important and here to stay.

As a result, the private sector needs to offer more secure and customizable ways for end-users to determine how their own data will be used, and the public sector needs to develop policy frameworks that allow for more flexibility and protect individuals without infantilizing them or creating a nanny state. In other words, in practice, the transparency vs. privacy debate largely comes down to an issue of privacy vs. protection, where “privacy” is defined as one’s ability to control what kind of information is collected about them, and “protection” refers to how this collected data is stored and secured. When organizations and individuals alike have more self-sovereignty in terms of determining how their data is used, it will be possible to establish conditions defined by modular, customizable levels of data accessibility as opposed to full data transparency.

Blockchain Technology’s Privacy “Paradox”

Blockchain technology is increasingly revolutionizing the way people transfer information and value – both in terms of creating/exchanging cryptocurrencies and in regard to sector-specific applications in the world of financial services, supply chain management, healthcare, and more. As a result, the amount of personal information stored in these networks is growing at a meteoric pace, which has potential implications when it comes to consumer protection, business efficacy, and in some cases even national security. Given this context, it’s completely understandable why regulators are scrutinizing blockchain more closely, and the onus is on blockchain proponents to show how information stored within their systems can be simultaneously secure and shareable. 

In order to accurately diagnose the challenges and opportunities within the realm of blockchain privacy initiatives, it’s important to make a distinction between private and public blockchains. The main difference between public and private blockchains is the fact that private blockchains control who is allowed to participate in the network, participate in its consensus protocol, and maintain the network’s shared ledger. In other words, not everyone can validate/execute transactions or validate/authenticate the blockchain changes, and a private blockchain’s owner or operator has the right to override, edit, or delete entries on the blockchain’s ledger. As a result, private blockchains are not truly decentralized given that they essentially operate as a closed, secure database based on key cryptography concepts. One can even state that entirely private blockchains are nothing more than standard databases—just with a different underlying technology. 

By contrast, anyone is free to join and participate in the core activities of a public blockchain network. This makes public blockchains more decentralized and therefore censorship-resistant by nature. Given the regulatory scrutiny the blockchain industry faces, the potential benefits of public blockchains can be seen as a double-edged sword, and public blockchains have been broadly criticized for their openness and data immutability. However, the bottom line is blockchain technology can be either privacy-preserving or unremittingly transparent depending on a network’s specific design and application, but many existing policies treat the industry as a monolith instead of taking a more contextual approach to regulation. Private blockchains are little more than glorified databases that lack many of the fundamental benefits blockchain technology offers, and a big part of the industry’s current regulatory issues comes down to a misunderstanding of the way information is stored on private vs. public blockchains.

The Important Privacy Implications of Public Key Cryptography

Blockchain technology is enabled through public-key cryptography (PKC), which is a way to validate the authenticity of a digital message or transaction using asymmetric encryption. PKC users identify one another via public keys, which essentially function as a mailing address in the sense that they are publicly visible, alterable, and pseudonymous. From there, PKC users involved in any given on-chain transaction need to validate their identity via a secret private key in order to verify and execute that transaction. In other words, a private key unlocks the proverbial mailing address provided by the public key, thereby providing its owner exclusive access to any materials stored inside. Public key cryptography facilitates accountability for blockchain users while protecting individual data.

PKC’s combination of public and private keys enables a form of “trapdoor function,” i.e. a one-way mathematical function that is easy to compute in one direction but nearly impossible to reverse engineer from the other side. While it is theoretically possible to crack a PKC-encrypted message, it would likely take a supercomputer thousands of years to reverse engineer these functions. While some people worry about the risks of quantum computers undermining PKC-based security protocols, practical applications of quantum computing remain on the far horizon. And as quantum computing nears market-readiness, the entire digital ecosystem, not just the blockchain industry, will need to grapple with the potential consequences.

At present, the important thing to keep in mind is that PKC is the key to recording and protecting private data stored on blockchain ledgers, as well as making this data secure yet flexibly shareable. However, since the owners/operators of a private blockchain have the necessary administrative credentials to alter records and transactions on their network even when PKC is deployed, this form of encryption is ultimately meaningless unless applied within a public blockchain in which control over base-layer on-chain transactions is not centralized. In addition to underpinning many core functions of blockchain technology, PKC’s one-way encryption also directly enables one of the most important blockchain use cases – decentralized identifiers.

PKC Enables Decentralized Identity Services

While the concept of decentralized identities (DIDs) has existed in the abstract for decades, it wasn’t until the advent of PKC-enabled blockchains that this theoretical concept could be translated into working applications. In general, every DID system must be:

  • Decentralized: As implied by its name, a DID must be fully owned by the person who creates it and be permanent and non-reusable. This means a DID holder is in control of the relationships they form and the information they share, and therefore relies on a peer-to-peer network rather than a traditional client-server network architecture.
  • Privacy-Enhancing: DID owners control how their information is shared and used, and therefore every request to use a DID owner’s personal information requires explicit consent from the owner. As a result, a DID can’t be decommissioned or destroyed by anyone except the owner.
  • Portable: A DID must be interoperable and device- and network-agnostic in order to achieve true user self-sovereignty.

Given the above qualities, individuals and businesses using a DID can therefore perform their activities in an unidentified manner by having their identities discreetly and securely authenticated at any essential touchpoints. This means users can perform transactions in a manner in which their identities and transaction inputs/outputs are kept private, but can be shared in a way that is provably immutable and verifiable. In other words, DIDs enable online data to be recognizable without being identifiable.
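The authentication at a touchpoint described above can be shown as a challenge-response exchange between a holder and a relying party. This is an added example, not code from the original article: the `did:example:` identifier format, the touchpoint names and all function names are assumptions chosen for illustration, and Ed25519 stands in for whatever signature scheme a given chain uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// NewHolder creates the holder's key pair; the private key never leaves the holder.
func NewHolder() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Identifier derives a pseudonymous identifier from the public key alone.
// The "did:example:" prefix and the truncated SHA-256 are assumptions.
func Identifier(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return "did:example:" + hex.EncodeToString(sum[:16])
}

// NewChallenge is the relying party's fresh random nonce for one authentication.
func NewChallenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return nonce
}

// signedBytes binds a signature to one touchpoint and one nonce.
func signedBytes(touchpoint string, nonce []byte) []byte {
	return append([]byte(touchpoint+"\x00"), nonce...)
}

// Respond is run by the holder: sign the challenge for this touchpoint.
func Respond(priv ed25519.PrivateKey, touchpoint string, nonce []byte) []byte {
	return ed25519.Sign(priv, signedBytes(touchpoint, nonce))
}

// Verify is run by the relying party and needs only public data.
func Verify(id string, pub ed25519.PublicKey, touchpoint string, nonce, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || Identifier(pub) != id {
		return false // malformed key, or key does not belong to this identifier
	}
	return ed25519.Verify(pub, signedBytes(touchpoint, nonce), sig)
}

func main() {
	pub, priv := NewHolder()
	id, nonce := Identifier(pub), NewChallenge()
	sig := Respond(priv, "checkout.shop.example", nonce) // constructed touchpoint name
	fmt.Println(id, "accepted:", Verify(id, pub, "checkout.shop.example", nonce, sig))
	fmt.Println("replayed:", Verify(id, pub, "checkout.shop.example", NewChallenge(), sig))
}
```

The relying party learns that the same key holder is back, not who the holder is, and a captured response is useless against a new nonce or a different touchpoint.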

The evolution of DID services has led to an overall weakening of institutional gatekeepers, and while service providers are free to set their own user terms, meaningful privacy vs. transparency decisions will increasingly be made at the user level rather than by third-party platforms and data authenticators. These DIDs play a central role in what is arguably blockchain’s most promising solution to the wide range of regulatory pressures – private smart contracts. 

The Remedy? Public Blockchains with Private Smart Contracts

Blockchain technology offers multiple compelling advantages for a wide range of enterprises, but most businesses are deeply risk-averse when it comes to blockchain adoption. This sentiment is understandable given the wide-ranging ramifications of their decisions, and fully decentralized decision-making was never a practical approach for most organizations. However, by ensuring the authenticity of on-chain data through public blockchains and relegating more granular data exchange and access permissions to private smart contracts, enterprise blockchain users can get the best of both worlds. This is because public blockchains can be structured in a way in which applications and the underlying data they pull from are stored in separate layers. This feature enables businesses to automate a wide range of processes via smart contracts while retaining the immutability of their data, which is a central benefit of blockchain adoption.

The potential for smart contracts to reduce overhead and costs and speed up operational processes is well documented. However, smart contracts can also confer a variety of privacy-enhancing benefits since they can be tailored to whatever purpose a user desires without altering the underlying encrypted data. A core benefit of blockchain for most organizations is the reliability of the data stored on a network, and unless you can ensure the validity and immutability of this data you may as well use a centralized database. In other words, organizations can not only control which external entities can use their data and for what purpose; they can also use features such as weighted keys or even security-focused smart contracts to dictate who within their own organization has access to key information and processes, and how many/which users are authorized to make changes to specific types of business decisions.
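An added example of the weighted-key idea mentioned above, not code from the original article or from any particular chain: each organisational key carries a weight, and a change is authorized only when valid signatures from distinct keys reach a threshold. The role names, weights, threshold and change string are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer is one organisational key with the weight its approval carries.
type Signer struct {
	Name   string
	Pub    ed25519.PublicKey
	Weight int
}

// Approval is a signature over the proposed change by the signer at Index.
type Approval struct {
	Index int
	Sig   []byte
}

// NewSigner generates a key pair for a (constructed) role.
func NewSigner(name string, weight int) (Signer, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Signer{Name: name, Pub: pub, Weight: weight}, priv
}

// Approve signs the exact bytes of the proposed change.
func Approve(index int, priv ed25519.PrivateKey, change []byte) Approval {
	return Approval{Index: index, Sig: ed25519.Sign(priv, change)}
}

// Authorized sums the weights of distinct signers with valid signatures
// over this change and compares the total with the threshold.
func Authorized(signers []Signer, threshold int, change []byte, approvals []Approval) bool {
	counted := make(map[int]bool)
	total := 0
	for _, a := range approvals {
		if a.Index < 0 || a.Index >= len(signers) || counted[a.Index] {
			continue // unknown signer, or this key was already counted
		}
		if !ed25519.Verify(signers[a.Index].Pub, change, a.Sig) {
			continue // signature does not cover this change
		}
		counted[a.Index] = true
		total += signers[a.Index].Weight
	}
	return threshold > 0 && total >= threshold
}

func main() {
	cfo, cfoKey := NewSigner("cfo", 2)
	ops, opsKey := NewSigner("ops", 1)
	audit, _ := NewSigner("audit", 1)
	signers := []Signer{cfo, ops, audit}
	change := []byte("set-payout-limit:50000") // constructed change request
	both := []Approval{Approve(0, cfoKey, change), Approve(1, opsKey, change)}
	twice := []Approval{Approve(0, cfoKey, change), Approve(0, cfoKey, change)}
	fmt.Println("cfo+ops:", Authorized(signers, 3, change, both))
	fmt.Println("cfo twice:", Authorized(signers, 3, change, twice))
}
```

Counting each key at most once is the check that matters: without it, one holder could reach the threshold by submitting the same approval repeatedly.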

Additionally, public blockchains that rely on smart contracts to execute business decision-level operations have significant, positive privacy-enhancing benefits when applied to systems that can be compromised by a single point of failure, such as back-end IoT and healthcare data management systems. And although privacy policy frameworks like GDPR have stipulations on the extent to which consumer data can be utilized in fully automated processes, the fact that this data can be effectively anonymized even while shared via PKC means there are practical solutions to this issue. As a result, smart contracts give businesses and other organizations more granular and flexible control over access permissions, which can in turn be used to benefit their end-users in a provably responsible and discreet manner.

Decentralized Networks and End-User Privacy Compliance 

Over the past few years, some regulators have expressed greater comfort with blockchain technology and other DLT-enabled products. But even though decentralized identifiers and user-friendly smart contract configurations address many potential regulatory concerns, there are still several privacy challenges that the blockchain industry as a whole must contend with – both in terms of overarching privacy frameworks and industry-specific regulations in sensitive industries like healthcare and financial services. And while these laws are multifaceted and in some cases only tangentially applicable to this emerging industry, there are several considerations featured in multiple policy frameworks that are worth highlighting. These challenges are generally aligned with key features of blockchain technology that are generally seen as potential benefits:

  • Data immutability: Many privacy laws require businesses to give consumers the right to access, delete, and opt out of data processing at any time, as well as the right to correct incorrect personal data, which may conflict with blockchain’s immutable nature. And even though the future of the “right to be forgotten” movement is uncertain, the ability for users to request their personal information be deleted from organizations’ CRM systems and other databases is increasingly becoming a requirement for many privacy laws. Additionally, it can be argued that blockchains can only ensure the verifiable transmission and storage of data but are not capable of guaranteeing the “legitimacy” of the content stored in the block beyond the block’s metadata.
  • Decentralization: Blockchain’s distributed nature makes it essentially impossible to identify a specific liable party for the personal data processed within the ledger. This is a particularly thorny challenge for public blockchains given their fully distributed nature, and it’s difficult to envision a world in which regulations unambiguously permit fully decentralized organizations to operate freely without the ability to hold a single individual or legal entity responsible for what happens on the network. 
  • Information access: In many cases, anyone can anonymously access the information stored on a public ledger, without any limits to how often they do so, or records of when, where, and by whom this information was accessed. Although this is a serious issue when it comes to end user privacy and protecting businesses’ sensitive data and operational advantages, from a blockchain technology standpoint there are a variety of potential solutions that can effectively address this issue.
  • Automation: Although not all policy frameworks have specific stipulations on the extent to which user data can be utilized in automated processes, Article 22 of the GDPR states that “the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” This policy presents a potential issue for smart contract deployments, although the anonymization of user data may present a workable solution to this obstacle.

The above is just an overview of the key privacy-focused challenges the blockchain industry faces, and any deeper exploration should entail a more context-laden discussion involving the specific policy framework and blockchain application at hand. Regulations are also evolving over time and data could be stored locally, i.e. not on any blockchain, in some cases to ensure compliance until a better solution is ready. However, blockchain proponents should be aware that some privacy-related laws are more easily addressed than others, and that no single project checks off all the regulatory boxes right out of the gate. This is in large part due to the fact that these laws were largely drafted prior to the popularization of blockchain technology and cryptocurrencies, and that the legal ambiguities many projects are faced with are generally not deliberate on anyone’s part. Public sector policy generally has a hard time keeping up with the market, given the frenetic pace of private sector innovation, but these regulatory frameworks are constantly evolving and indisputably consequential.

Ultimately, Blockchain Enables Transparently Immutable Data, with User-Controlled Privacy Options

Given the permissionless, decentralized, and immutable nature of public blockchains, these projects continue to face a variety of practical and regulatory challenges. However, many of these issues come down to what types of data are being stored on a blockchain and how this data is being protected, and simply saying that an application using blockchain isn’t legally compliant is a complete misnomer. Web 3.0 will inherently be more transparent than Web 2.0, but user context is everything when it comes to issues involving transparency and privacy. Even if the internet of the future emphasizes more transparency, there should and will be uncompromising privacy options for specific communications, transactions, and records of organizations and individuals who choose to fully exercise their right to privacy.
