How to Overcome Challenges of Blockchain Privacy Regulations
Latest posts by Aran Davies (see all)
- How to Build Hyperautomation Tools? - 5 Aug, 2022
- How Many People Does It Take to Form An iOS App Development Team? - 1 Aug, 2022
- How Many People Does It Take to form An Android Development Team? - 29 Jul, 2022
Want to know the challenges of blockchain privacy regulations and how blockchain technology overcomes them? This is a relatively unexplored market that has loads of room for growth.
In this article, we will discuss blockchain privacy regulations and the associated challenges in detail.
The relevant blockchain privacy regulations
Before we delve into how does blockchain protect privacy, let’s understand the relevant privacy regulations first. This will help us to understand what kind of challenges these privacy regulations pose to the blockchain technology.
We will briefly review two privacy regulations from the perspective of consumer rights. These regulations are as follows:
1. “California Consumer Privacy Act”
“California Consumer Privacy Act” provides several important rights to consumers, e.g.:
- Consumers have the right to know all data that a business collects about them, moreover, they can disallow businesses from selling their information.
- They can take legal actions against a data controller business that fails to secure their information.
- Consumers have the right to ask businesses to delete their data.
- They can now know what kind of data a business collected about them, from where, and for what purpose. Consumers can also ask about the entities with whom the company shared their data.
This is not an exhaustive list, and you can gain more insights here.
2. “General Data Protection Regulation” (GDPR)
The EU “General Data Protection Regulation” (GDPR) provides for a wide range of consumer rights, e.g.:
- Businesses need to obtain the consent of users before processing their data.
- Users have the right to correct information about them, moreover, they can ask the organization to delete this data.
- Organizations collecting data subjects need to anonymize it, in order to protect data privacy.
- In the case of data breaches, organizations need to notify users.
- Organizations need to secure cross-border transfer of data.
GDPR introduces a number of data rights for users like right of data portability, right to object, etc. It also ensures a procedure of handling data subject requests, in addition to notifying concerned stakeholders that assist in fulfilling such requests.
If you want more insights into GDPR, then you can read “What is the General Data Protection Regulation? Understanding & complying with GDPR requirements”.
Can a public blockchain network comply with these privacy regulations?
I will now explain why a public blockchain is bad for privacy. The limitations of a public blockchain with respect to the above-mentioned privacy regulatory compliance are as follows:
- Public blockchains like Bitcoin allow anyone to join. Businesses using such a blockchain to store users’ data will make it open for everyone to see, which doesn’t comply with privacy regulations. Only the parties with explicit authorization should see users’ data.
- Immutability of records in these blockchain networks is another impediment. Privacy regulations like GDPR allow users to modify or even delete their data, however, Ethereum or Bitcoin wouldn’t allow that.
You can read about these challenges in “Assess blockchain for GDPR compliance”.
How does blockchain protect privacy?
Let us now understand how organizations can overcome these blockchain privacy challenges, thereby complying with stringent privacy regulations. They will most likely need a combination of solutions, which are as follows:
1. Use an enterprise blockchain to implement a permissioned network
While public blockchains are permission-less, i.e., anyone can join them, enterprise blockchains allow only trusted parties to join. This is a key difference between an enterprise blockchain and a public blockchain, as I had earlier explained in “Public vs private (permissioned) blockchain comparison”.
Let’s review the following examples of enterprise blockchains in the context of permissioned access:
Hyperledger Fabric, or Fabric as it is commonly called, is a popular enterprise blockchain framework from Hyperledger Consortium. Fabric is a permissioned blockchain framework, where all participants must have known identity.
Organizations implementing Fabric use a “Membership Service Provider” (MSP). This component of Fabric works as follows:
- It offers a membership operation architecture.
- An MSP takes care of issuing user certificates, validating them, and user authentication. There are cryptographic mechanisms for these, and MSP handles them in the background.
- Setting up an MSP involves defining identity, setting rules governing this identity, and configuring business rules for user authentication. Read more about this in “Membership Service Providers (MSP)”.
- An MSP is also called “Certificate Authority” (CA) in Fabric parlance, and Fabric provides tools for MSP certificate generation. Cryptogen is one such tool, offered by Fabric.
You can read “Hyperledger Fabric in practice. Main components and running them locally” for more insights.
Corda is another popular enterprise blockchain framework, and this is from R3. This is also a permissioned or a private blockchain framework, where there is a well-developed security model around identity management.
A user needs to get an identity signed by a root authority, to join a Corda blockchain network. The security model handles authentication, authorization, and entitlements. The process of granting permissions and authenticating users uses TLS and certificates.
2. Use data-privacy solutions offered by enterprise blockchains
Enterprise blockchain frameworks have data-privacy solutions to guard sensitive data from prying eyes. You could use them to ensure the privacy of users’ data. Let’s review how you can do this using Fabric and Corda.
Hire expert developers for your next project
1,200 top developers
us since 2016
Channels in Fabric
Fabric offers a “channel” architecture, which can ensure privacy for sensitive data. A channel in Fabric can be thought of as one blockchain network, which uses a physical blockchain network as its foundation.
Channels have their own access policies and mechanisms. These policies and mechanisms control access to assets within that channel, e.g., chaincodes, i.e., smart contracts in Fabric parlance. They control access to the transaction history and the state of the ledger too.
Channels use data-partitioning capabilities of Fabric, and only the subgroup of users with access to a channel can view the information in it. You can read more about Fabric channels in “Private and confidential transactions with Hyperledger Fabric”.
Private transactions in Fabric
Fabric offers another solution to maintain the privacy of transactions, and this is called “Private transactions”. This solution maintain records of the sensitive data on a separate database, and only the cryptographic hash of the data is stored on the blockchain.
Privacy techniques in Corda
Corda offers the following privacy techniques to data processors:
- It allows for partial data visibility, by not broadcasting the transactions globally.
- Transaction tear-offs, which works as follows:
- Blockchain uses a concept called “Merkle Tree”, and this is a data structure.
- In this data structure, the lowest-level node is called a “leaf node”, and a branch node is above it.
- The branch node contains the cryptographic hash of the leaf nodes under it.
- The data element at the top is the cryptographic hash of the entire tree, and this is called the “root hash”.
- Corda structures transactions as leaves in a Merkle tree, and only a user with the root hash can see all transactions in the tree.
3. Use “Zero-Knowledge Proof” technique to store only the proof of the users’ data on the blockchain
So far, we have addressed the access control aspect of the privacy regulations, moreover, we have also addressed the aspect of guarding sensitive data from prying eyes. We now need to address the requirements of modifying and deleting users’ data.
The immutability of blockchain poses a challenge here, therefore, we need to tackle this differently. I recommend that you have a permissioned network, and use the above-mentioned privacy solutions to guard data.
Additionally, I suggest that you store only the proof of users’ data on the blockchain, and not the data itself. You need to use the concept of “Zero-Knowledge Proof” (ZKP) for this, and you can read about it in “The future of blockchain privacy: zero-knowledge proofs in decentralised exchanges”.
This approach requires you to store the actual user data on a different database. Such distributed database allows modification and deletion of users’ data, therefore, data controllers can meet this key condition of the privacy regulations.
However, you still need to prove that the users’ data was genuine, your organization collected it accurately, and no one tampered with it. For this, you need to store proof of the authenticity of the users’ data on the blockchain.
Zero-Knowledge proofs enable you to do this. With this technique, the information in question may be stored elsewhere, however, you only store the proof of its authenticity.
Another name of this technique is “Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge” (zk-SNARKs), and you can read about it in “Blockchain zero-knowledge proof in a nutshell”.
Fabric will include ZKP in an upcoming release. An IBM development team working on Fabric is developing a Fabric-specific ZKP, called “Zero Knowledge Asset Transfer” (ZK-AT). You can read about this project in “Privacy and confidentiality with Hyperledger Fabric”.
Wondering how to resolve blockchain privacy challenges?
While enterprise blockchain frameworks with their permissioned networks, privacy solutions, and innovations like ZKP can help to overcome the blockchain privacy challenges, implementing such solutions is complex. Blockchain is a niche technology, moreover, Fabric channels and ZKP involve even more advanced blockchain skills.
Planning a project like this involves careful analysis. You can read our guide “What to plan for when undertaking blockchain software development?” to gain more insights.
You should also take help from a reputed software development company, and our guide “How to find the best software development company?” can help you find one.
If you are still looking for a partner software development company for blockchain develoopment, take a look at blockchain developers community at DevTeam.Space. Write to us your initial requirements for a blockchain project via this form and one of our technical managers will get back to you for further discussion.
Frequently Asked Questions
Private blockchain networks have no problem adhering to data privacy regulations and data protection laws. However, since the data on a public blockchain is held by many different nodes, it is impossible to assure that this data can be kept private without encryption.
Encryption allows personal data to be kept private on a blockchain. The use of pass keys allows only the users with permission to access the data.
The biggest challenge of adopting blockchain technology is the relative niche skill that it entails. Blockchain programmers need to be excellent coders, understand blockchain systems, and have a good background in security methods such as encryption. If you need to hire great blockchain developers then contact DevTeam.Space today.