Digital identity, the blockchain and the GDPR: A round peg in a square hole?

Can an immutable record and GDPR data subject rights co-exist? Why blockchain might not be able to deliver on data privacy requirements.

3 blockchain
Getty Images

Sometimes in the tech industry you have to work with opposing needs or even contradictions. Often, we find ourselves in a situation of balancing human nature versus security or legal versus technology. An example of the former is in the area of password policies where you would naturally expect a strong password requires a complex policy. The reality is more complicated. People write complex passwords down, which makes them vulnerable.

This contradiction in terms is where we find ourselves with the blockchain and data privacy. The blockchain creates an irreversible (sometimes public) record of something that seems, on the surface, at least, to contravene the expectations of privacy law.

In the world of digital identity, the idea of self-sovereign identity (SSI) is being floated. SSI, in a nutshell, is a way to use blockchain technology to decentralize digital identity. At the same time, new and improved data privacy legislation is being enacted, including the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

These regulations have set a high bar for data privacy, and the heady heights of this bar are reached through user choice and control. The question that is being asked is, “Can you accommodate the nuances of data privacy and user control when you create an immutable ledger of identity and data using a blockchain?”

Identity on a blockchain

Before answering the question above, we need to think about what “identity on a blockchain” actually means. Currently, the industry discussion around blockchains and identity is to promote the idea of SSI, but there are other ways of using blockchain to register a digital identity or attribute status (for example).

SSI is based on the idea of using a decentralized network that manages a “root of trust” based on a consensus algorithm. Sovrin is making headway in the SSI field and has built up a “decentralized, global public utility, for self-sovereign identity” based on the backbone of a trust framework, overseen by a board of trustees. Other blockchain identity systems use the blockchain in a more layered approach to registering information about an identity.

An “identity” that is registered to the blockchain is done so using a cryptographic mechanism that uses a hash, a.k.a. a one-way transformation. The ledger creates an immutable record. The public nature of many blockchains used in identity, along with this immutability and hashing, are creating much discussion around privacy. How can you achieve certain data subject rights expected in regulations like the GDPR?

The GDPR data rights and blockchain registered identity data

The GDPR sets out a framework for privacy based on the ethos of having to consent to the processing of your personal data. It also sets out guidelines on maintaining confidentiality and integrity of personal data--i.e., data that can be linked to an individual. The GDPR is an EU diktat, but other countries, including the U.S., are starting to formulate similar legislation. Within the GDPR framework sits eight data subject rights - the right to:

  1. Be informed about your data 
  2. Access your data  
  3. Rectify your data 
  4. Erase your data (data deletion) 
  5. Request the restriction of data processing 
  6. Port data elsewhere 
  7. Object to use of data
  8. Prevent automated decision-making including profiling

Let’s look at some of these data rights and requirements in terms of identity data registered to a blockchain.

Personal data: The basics of privacy

When SSI uses the blockchain, it stores a hash of a user's attribute. In the case of certain SSI frameworks or layered blockchain systems, the manner in which personal data is registered is such that it is pseudonymized. Either zero-knowledge proofs or another mathematical treatment of these data can be performed, such that data presentation can be minimized.

Sovrin, for example, uses a concept of decentralized identifiers (DIDs), which help prevent correlation between the user and the data. Other methods such as BitCardIDs use a mathematical proof to perform data obfuscation or minimization--e.g., present an age over rather than a date of birth. This establishes a degree of privacy by design and default into the backbone of any identity system based on the framework.

Consent

This is an ethos as much as a function in an identity system and needs to be designed in from the outset. Consent is something used to create a relationship. However, the immutable nature of the blockchain is a positive force in terms of consent receipts. It can be used to create a record of taken consents and revoked consents, over time.

Making changes in an immutable record – rectification

The right to rectification of data that is found to be incorrect, could be challenging if personal data is recorded on a blockchain. It is true that the blocks are immutable. However, they are time-stamped and new blocks can be added to update previous entries. The issue left is the access to the incorrect block. This is where the design needs to be carefully considered and private, permissioned blockchains, may be the best option.

Making changes in an immutable record – erasure

The right to erasure (to allow data to be forgotten) is another sticking point on the chain. How can you possibly square the round peg of immutability with the square hole of erasure? This, on the face of it, is a tricky conundrum. You can’t, as such, erase the immutable record of a blockchain without breaking the chain altogether - each block is dependent on the previous. You can’t even use a permissioned private ledger and remove access, as this is not strictly erasing the data.

The only way to possibly comply with this requirement is to decouple the data from the registration on the chain. An option is to register a status or a reference, such as “KYC checked,” or a minimized/pseudonymized data set, rather than full personally identifiable information (PII). This is not always feasible SSI platforms.

The use of the blockchain for identity records has some advantages over traditional database storage. It offers a potential for anonymity and data minimization - especially when coupling identity with financial transactions. It also offers transparent but confidential transactions. Security may also be improved as single points of failure are reduced.

Like many technology layers, the blockchain has both benefits and failings. In the end, as with other technologies like encryption, it is in the implementation and the associated platform controls that these issues can be resolved. You need to choose your options carefully, from fully public, SSI frameworks like Sovrin to private permissioned ledgers. The choice needs to be done with data privacy and regulations like the GDPR in mind.

Copyright © 2018 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)