Blockchain and your right to be forgotten

The promise of blockchain could be undone by recent advances in the protection of personal identification information.

Kevin Phillips
By Kevin Phillips, Founder and CEO of IDU Holdings.
Johannesburg, 30 Nov 2018
Kevin Phillips is founder and CEO of IDU Holdings.
Kevin Phillips is founder and CEO of IDU Holdings.

It's inevitable that in times of rapid innovation and change that the world starts getting out of sync with itself. Things like laws, regulations, infrastructure and mindsets always need a bit of time to catch up with the vanguard.

This is nothing new: when motorised cars first hit the streets, they had to be preceded by a servant waving a red flag to warn other road users about the car's imminent arrival.

So yes, the first cars only moved at walking pace, despite their clear advantage in the speed department. Even without being slowed down by the flag waver, motor car drivers had to wait for tarred roads to replace streets churned up by horses' hooves, plus the addition of new road signs, traffic lights and appropriate rules of the road, to really start thriving.

We see this happening again today with, for instance, the London taxi industry's attempts to regulate Uber in order to "level the playing field", instead of rethinking the way it has been operating for the last 150 years.

We are, in my view, reaching a similar tipping point, where the promise of blockchain could be undone, or severely delayed, by recent advances in the protection of personal identification information.

On the one hand, you've got blockchain, and its promise of a better, disintermediated database infrastructure that could power everything from smart contracts, to healthcare records to voting, to, I'm sure, a myriad of other capabilities that we haven't even thought of yet.

Key to the public blockchain's utility is its disintermediation ability: it doesn't need a central controlling authority to work. And, second, its immutability: it cannot be changed.

These two features mean it can drive quicker, cheaper and more trusted transactions between people who don't have to know, like or trust each other. Think about the value of corruption-proof contracts for one thing: misspending and misappropriating funds would be a thing of the past.

But, what happens when the irresistible appeal of the blockchain comes up against the immovable object of your right to be forgotten?

This right is explicit in the European Union's General Data Protection Regulation (GDPR), which any South African company dealing with customers in the European Union has to comply with, and is implied by the local Protection of Personal Information Act (POPIA), which says people can request their personal information and records be corrected or deleted.

I've had a bone to pick with POPIA and GDPR before, wondering if they are going to hamstring data-driven innovation. Now I'm wondering what POPIA and GDPR mean for blockchain. The right to be forgotten means that, in certain circumstances, individuals can ask companies to amend or delete their personal identification data. As yet, it's unclear what erase means, especially within a digital context. Does it mean erase entirely or just make it inaccessible?

The thing is, resistance to change is built into the public blockchain, and indeed, is one of its very appealing features. So how does a request to have personal identification information deleted or changed play out? Do all the nodes on the blockchain have to agree to amend the block, roll back their chain, and then adjust all the subsequent blocks?

Blockchain can drive quicker, cheaper and more trusted transactions between people who don't have to know, like or trust each other.

In principle, this could happen, but it would be a lengthy process and will put the chain out of action for the duration. And what about subsequent blocks that contain information based on the data in the first block that has now been amended? Or a computer that was part of the original chain, but has since exited, for whatever reason?

It would be impossible to track them down to see if the data is still lurking somewhere on their hard drive. And what happens if the network of blockchain nodes simply refuses? There is nothing in it for them, after all, and it goes against the spirit of the blockchain, which is a fiercely protected thing.

Then, who will the POPIA or GDPR regulators fine if there is a breach? Who are the data controllers and processors now?

Of course, private, permissioned blockchains are a slightly different matter as it can be easier to gain consensus from the nodes for deletion. But again, this starts impacting the value of blockchain and its immutability and decentralised nature, as well as raising issues around governance and audit trails.

This is a stark illustration of how regulation and security very often lag innovation, and, if we are not careful, can bog it down or stop it in its tracks altogether.

There is no question we need to protect personal identification information, but at what expense? For how long should we be slowing down traffic instead of focusing on getting the rest of our world up to speed?