Open Data Institute highlights privacy risks in use of blockchains

Out-Law News | 14 Jul 2016 | 4:33 pm | 2 min. read

Public blockchains are "probably unsuitable" for storing personal data, the Open Data Institute (ODI) in the UK has said.

In a report on applying blockchain technology in global data infrastructure, the ODI warned that storing personal data on the distributed ledgers within blockchain technology could pose "significant new privacy issues".

"The irreversibility and transparency of public blockchains mean they are probably unsuitable for personal data," the ODI said. "We need to be careful when designing blockchain systems not to infringe on people’s privacy, and to account for a world in which we have doxing, identity theft and the right to be forgotten."

"Some of the proposed uses for blockchain – such as to record auditable benefits payments – threaten to expose this kind of information about a much wider range of people, the benefits they receive and with whom they spend them," it said.

A government-backed trial started last month to record benefits payments and track recipients' spending, according to a report by the Financial Times. The trial involves the "anonymous capture of data", the Department for Work and Pensions has said, according to a report by The Register.

The ODI said, though, that "blockchains do not have to expose personal data directly to reveal private information about people".

It said: "A blockchain recording visits to health practitioners (including midwives, mental health teams and AIDS clinics) does not need to include the entirety of someone’s health records to reveal information about them. Much like phone records … or browsing histories, this metadata may be sufficient to reveal personal details."

The ODI said that blockchains can be designed to "limit the level of disclosure", such as by using a "permissioned distributed ledger" approach, under which "trusted nodes" control what data is publicly viewable and what data should not be shared.

"The security of all the nodes in such a trusted network needs to be guaranteed as every node will have a copy of all the relevant data, and the network needs to be protected against spoofing, but, in general, if you have a trusted network many privacy issues are no more problematic than they are in centralised systems," the ODI said.

The Institute said that blockchains can also be used "purely to provide a timestamp for information held elsewhere". However, it said this means blockchain users have to address "the burden of robust, distributed data storage" using other data storage technologies.

Data in blockchains can also be encrypted, but this raises a number of complications, the ODI said.

"The main problem with this approach is that if the decryption key for encrypted data is ever made public, the encrypted content is readable by anyone with that key; there is no way of encrypting the data with a different key once it is embedded within a blockchain," the ODI said. "Conversely, if the key is ever lost, the data cannot be read. And there is the problem of sharing the key for the data amongst all those who legitimately need to be able to read it."

The ODI said that blockchain should only be used "when it is the right tool for the job at hand".

"Success in data infrastructure design will come from convening sectors (such as finance, agriculture, or healthcare), identifying common challenges and then determining which technology approaches – whether blockchains or not – are the most appropriate in helping to address them," it said.