Is blockchain compatible with privacy?

Blockchain was designed to reliably store data forever. Unfortunately, such design conflicts with modern privacy legislation trends.

Coming up on the tenth anniversary of Satoshi Nakamoto’s paper, do we really need yet another take on Bitcoin? Well, I think so. Today, I am going to focus on an aspect of this technology that needs more discussion — privacy.

The bedrock of blockchain — that every transaction is added into the history and written in “blocks” — has already backfired on more than one cybercriminal. The tremendous success of investigators in tracking down the perpetrators is a direct result of the history of their transactions being forever (as much as this adjective can be applied to the matter) inscribed in the chain of blocks. That, by the way, raises an important question: Why aren’t financial regulators embracing the cryptocurrencies already?

Of course, clarity is not always what we want. Consider privacy. This basic human right has been enshrined in the laws of many countries. In Europe, for example, the General Data Protection Regulation (GDPR) states that every person has a right to recall their consent at any time and permanently retrieve or delete any personal information they had previously agreed to share. How does that square with blockchain’s permanent record?

Here’s an example: Recently, I heard about a blockchain startup called MedRec. It enables medical practitioners to access patient data from different local storage systems. Of course, patient consent is required — but what happens if they change their minds?

To be fair, the demonstrated proof of concept didn’t keep the patient data on the blockchain itself — instead, the blocks contained information about the patient–provider relationship. But citizens of the EU are supposed to be able to revoke permission to use even that information — and, unless it’s stored on a privately held blockchain, they can’t. It’s worth noting that if the healthcare industry embraces the idea, then medical records will be kept in the public blockchain, because interoperability is a key issue for adoption.

Another example comes from the education sector. The University of Nicosia was the first educational institution to accept bitcoins as payment for their online courses. They went even further — they put the certificates of completion into the blockchain as well.

The intention is clear — that way, everyone who has specific info (namely, the hash) provided by owner of the certificate could check that they had indeed successfully completed the course. By design, this ledger contains only the hash, which is hard to reverse if you’re not an intended recipient, which means it has roughly the same level of pseudonimity as the bitcoin itself. As I stressed above, that has already proven to be useful in tracking down criminals.

Of course, the information that someone completed online courses may not be considered personal. I’m not going to argue that point here, only note that definitions of private and nonprivate information may evolve with time, but whatever’s on the blockchain is going to stay there.

Some startups go even further, pitching extra services for HR. They focus mainly on the idea of providing hiring managers with candidate information verified by a distributed ledger. This information, including entirely personal tidbits such as a person’s experience, previous jobs, and accomplishments, will be impossible to clear if people choose to retract their consent. Luckily, it seems that such startups have dropped off the radar. However, I would not be surprised if similar ideas resurfaced somewhere, somehow.

To conclude, I’d like to recall how we got here. Our understanding of which information is personal and which is not, has evolved along with the IT industry itself. Today we have a legal definition of “personally identifiable information,” which is a good start. But I believe that when applying blockchain to solving business problems, we should never forget about privacy as a basic human right.

If my data is on lots of different computers, how can it still be private? And if neither I, nor anyone else in particular, has direct control over all of those computers, what do I need to do to remove this data? Blockchain is great for lots of things, but not for everything. In the end, unremovable personal data is the opposite of privacy.