Blockchain: Privacy, Security and Identity
Last August, we published a post regarding the hype around blockchain and identity. Since then, the excitement has transitioned into near-hysteria, fuelling the incredible growth of cryptocurrency. While the hype is fun, what we’re more interested is real-world effects; how can blockchain improve consumer privacy, security and access to financial services?
An interesting paper by the IMF, Fintech and Financial Services: Initial Considerations, examines fintech with a specific focus on distributed ledger technology (DLT or blockchain) and its impact on cross-border payments. The paper explores how fintech and financial services plan to meet consumer needs such as trust, security and privacy, and describes how governments will ensure that the proper safeguards and oversight are implemented.
In other words, it’s not just about the technology. There are many factors that are going to influence how this all plays out; just because a technology can enable something doesn’t mean it will. All the hype surrounding blockchain tends to focus on the technology, rather than the social, economic and legal implications that will, in the end, determine adoption.
Privacy and Data Collection
Whose data is it anyways? The digital revolution has created a data-driven culture. Our Personally Identifiable Information (PII) is being used more and more as our digital footprint multiplies with every profile created online, every financial request made through an app, and every social media update.
Perhaps the most important information is personal financial data; people have a deep emotional relationship with their personal finances. Trust is vital, which points to the success of banks, as they are one institution that has a history of keeping information confidential and secure.
This desire to keep financial dealings private — anonymous transactions — is one of the initial driving forces behind cryptocurrencies. While in democracies there are certain rights to privacy — in the vein of “I can do what I want with my money” — it has also created another channel for money laundering, drug dealing, and corruption.
Some cryptocurrencies are promising full transaction anonymity through so-called zero-proof technology. According to Emin Gün Sirer, a computer scientist at Cornell University, zero-proof technology is “a way to prove something to someone without revealing any of the information that goes into that proof.”
Joseph Mari, Senior Manager of Major Investigations in the Anti-Money Laundering Financial Intelligence Unit at the Bank of Montreal, states zero-proof “essentially eliminates one of blockchain technology’s most celebrated features when it comes to AML—the ability to trace transactions” and we need to “visualize what it would take to effectively monitor existing banking products on a blockchain that utilizes zero-proof technology.”
Businesses have a right to combat fraud and limit their risk. They also have valid reasons to collect and analyze profiles to create better services, deliver a better user experience and grow their business.
The trade-offs between the individual rights to privacy and the organizational rights to collect data is one of the most important decisions of our era. Regulators are responsible for establishing and enforcing rules and regulations to protect consumers and businesses from financial crime, fraud, and nefarious activities. How do we balance individual privacy rights with the regulators rights to monitor (and control) money use?
Consider the new European GDPR laws that are coming into effect this year as an opening point to the new opportunities and privacy restrictions that are being introduced by technology.
Considerations for two of blockchain’s most powerful capabilities, transparency and immutability, will need to be accounted for. As the IMF notes, “existing legal frameworks protect data from disclosure as well as ensure access to necessary financial information by imposing obligations on intermediaries holding the data. This approach is difficult to take when the data is held within an open network, lacking a ‘data controller.’ Moreover, ledger immutability that is characteristic of some DLTs may be at odds with a person’s right to rectify or erase personal data.”
Another major blockchain consideration is security for users, businesses and society in general. People want digital transactions to be quick, seamless and stress-free.
Blockchain promises to quickly and accurately check an individual’s credentials, enabling a better transaction model. It’s important here, to remember the data handling axiom, “garbage in, garbage out.” In other words, the quality of data output depends on having quality data input. In regards to blockchain, who inputs that data? Who vouches for, or guarantees the data quality? Who can overwrite the inevitable mistakes and ensures the data quality?
As the IMF states, “concerns over privacy and the security of personal information maintained on the ledger, unless participation in the relevant network is limited to trusted counterparties, or technologies are used to limit the available information on the ledger (e.g., restrictive disclosure).”
Security then, is a matter of trusted handlers, much like it is today. While the technology is different, a trusted institution is at the core of effective identity. While it is possible that a new type of institution will spring forth to manage identities, we’ve trusted governments to handle basic identification procedures for hundreds of years; are we comfortable with outsourcing this fundamental process to another entity? Will institutions of trust collaborate with blockchain technology to deliver services with security at the forefront of all transactions?
In any case, however the data quality is maintained, the need for regulatory compliance is essential. Allowing criminals, terrorists and tax-evaders to use blockchain to hide transactions and escape legal responsibility is a non-starter. At the minimum, to comply with AML/KYC laws, cryptocurrency account ownership will require identity verification. The regulation of blockchain transaction monitoring is a crucial question going forward.
How we balance privacy and security on the blockchain will be one of RegTech’s most interesting questions as we deploy the technology deeper and deeper into society. We must be careful to not stifle innovation as we respect individual rights and ensure security is upheld.