Government, Governance, Data, and You
Where is your data, exactly? Do you know how it has been folded, sorted, sold, and abused since you signed up for that useful free internet tool? How much of your private life has slipped into the public domain through innocent games and chat online? They say that McDonalds may not have the best burgers in the world, but their real estate portfolio is second to none. The business of the company you subscribe to is not based on providing you with a free service, but on selling your details directly or indirectly to a hungry market. If the product is free, then you are the product.
Scandals over data breaches, misuse of our personal information, and increasingly complex regulation have brought the topic into sharp focus for individuals, corporations, regulators, and governments. The safe management of data concerns everyone, and as blockchain technology gains traction there are opportunities and threats to address on all sides. The opportunities lie broadly in the arena of authentication without knowledge, transparency for multiple unrelated parties, and process efficiency. It offers individuals a way to decentralize their data and to take ownership of their personal information and is also a useful tool for security by design in centralized organizations. The corresponding threats appear in the shifting sands of regulation and a need for developers themselves to be extremely diligent in deploying accurate code and building up intellectual property. Blockchain (as distinct from cryptocurrencies and tokens, whose regulatory environment was discussed in Chapter 3) requires careful consideration in the context of regulation. There are significant challenges for developers and innovators who must navigate the minefield of differing privacy laws across multiple states and simultaneously manage the protection of their own commercial interests and intellectual property.
This chapter addresses the journey toward owning our data, the implementation of blockchain in areas of government, and legal considerations for any organization adopting distributed ledger technology.
Value Your Data
We have become accustomed to having information about our personal lives stored digitally and often publicly. Zip code finders, telephone directories, and electoral rolls were among the first public repositories of data on the internet. These held much the same information that we once could have retrieved on microfiche and paper from our local libraries but made it available to a vast new audience whose motives for its use may not have been straightforward. As privacy awareness grew, these lists were hidden from public view. Social media gathered pace in the early 2000s and we began to share our data voluntarily, posting everything from baby scans to holiday plans for our friends and family to see. The rise of online services and connected devices through the IoT has triggered a third wave of unconscious data sharing. As Avast security ambassador and former world chess champion Garry Kasparov says, “The Soviets had spy devices: now we just pay Amazon to deliver our data.”
Privacy Versus Surveillance
We are living in a world where our personal privacy is traded off against the utility we derive from services. We are advised to make conscious decisions on data sharing, but sometimes the choice of whether or not to share data is academic if we want to access essential services. To complicate matters, every individual has a different level of tolerance across four different elements of privacy as defined by Alan Westin in his 1967 book Privacy and Freedom: solitude, anonymity, reserve, and intimacy. These behaviors are easy to see on social media, where some users share every detail of their lives, uncaring or unknowing of the risks they run in doing so. Others are more reserved, sharing cautiously, and still more crave absolute anonymity, hiding behind pseudonyms and choosing their platforms according to the level of detail that is required to participate. There is also a historical and well-documented conflict between privacy and surveillance. The fallout from Edward Snowden’s 2013 whistleblowing over NSA surveillance programs and the PRISM and Upstream initiatives were far-reaching, damaging trans-Atlantic relations over privacy and throwing the activity of the security services into the spotlight. On the other hand, the United Kingdom’s GCHQ reportedly blocked around 2,000 malicious domains a week in 20181 and its surveillance of internet activity has helped to reduce terrorist threats and the activities of offender communities. We cannot have it both ways. As a society, we have a duty to protect the vulnerable, at the cost of absolute privacy.
Why has this become such a complex issue? In 1999 David Brin addressed the growing problem and proposed a solution in his book The Transparent Society,2 which resonates with the subsequent development of distributed ledgers. He explains that prior to our collective submersion in all things digital, transactions relied upon personal trust and community transparency. You knew who the reliable characters were in your village, town, or market sector and adjusted your personal privacy settings accordingly. Equally, bad actors were controlled by the knowledge that dishonesty had a cost in terms of reputation and privilege in a small community. As the scope of transactions widened to include unknown participants in regional and national communities and across borders, secrecy in the form of encryption replaced the natural order of trust. However, our blind reliance on encryption being used effectively by a centralized data collector is dangerous. It is becoming increasingly easy to crack the layers of security around our data thanks to inventive hacking, social engineering, and phishing, and there are too many instances where human error or downright carelessness has resulted in data being collected and stored without appropriate encryption being applied—or, more worryingly, any encryption at all. Data theft is a growing problem as the information held on us becomes more valuable than the costs of stealing it, despite considerable efforts on the part of lawmakers to curb the wilder excesses of unnecessary data capture and commercialization of our personal information. As the volume of stored data grows, we must look to other solutions for protection. What Bitcoin, blockchain, and discussions of security and regulation have brought to the fore is a reimagining of transparency and trust online.
Digital Identity
According to many observers, the holy grail of technology is digital identity. The ID2020 Alliance further states that this should adhere to the core principles of portability, persistence, privacy, and user control. Work toward developing a reliable digital identity has been going on since long before the advent of blockchain, but the distributed ledger has added a decentralized authentication layer to the mix. The Estonian government was the first to use cryptography and distributed records to protect the details of all their citizens. In 2003 cryptographers Ahto Buldas and Märt Saarepera developed a formal security proof for digital identity3 and along with Mike Gault and Joichi Ito formed the Guardtime company when work on the e-Estonia program began in earnest around 2007. The goal of the researchers was to remove the need for a trusted third party in the management of identity, and they fell upon the same system of cryptographic verification via digital signature, hashing, and timestamping that also featured in Satoshi Nakamoto’s Bitcoin whitepaper. The similarity of approach and the apparently coincidental timing of Buldas, Saarepera, and Gault’s work has led to speculation that this group of developers could be candidates for the real identities behind the pseudonymous Satoshi, but they have not invited attention and Gault has denied any involvement when questioned. Guardtime has grown to be a multinational leader in blockchain innovation and was also involved in the Insurwave development discussed in Chapter 4. From digital identity, the Estonian government and Guardtime have moved on to the digital management of health care, residency, taxes, voting, and governance, incorporating blockchain technology where appropriate.
The United Nations is not far behind Estonia in its work toward the identity aspect of its Sustainable Development goals, to “provide legal identity to all, including birth registration, by 2030.” They formed the ID2020 Alliance4 in partnership with some of the largest digital providers on the planet including Microsoft, Accenture,5 Cisco, and others. ID2020 aims to provide digital identities for some of the 1.1 billion unregistered people in the world using biometrics and blockchain, and is an extension of the existing biometric identity management system developed by Accenture and used by the UN High Commissioner for Refugees. In 2018, pilot projects were run in Thailand in collaboration with the International Rescue Committee (IRC) for refugees accessing health care and building records of their education and professional skills, and in Indonesia with the National Team for the Acceleration of Poverty Reduction to improve access to energy subsidies for economically disadvantaged individuals. In a separate initiative the World Food Programme6 implemented a private blockchain to overcome two administrative headaches in an existing food aid distribution system in a Jordanian refugee camp. Their goal was to protect the full identity of refugees by making this data a step removed from day-to-day authentication processes, and to streamline the complex administration of the retailer accounts and refugee aid allowances. They succeeded in protecting the details of 100,000 refugees by enabling iris scans as their means of identity and holding only that metadata on chain. As a bonus, the proof of concept implementation saved $40,000 a month in bank transaction fees, administration costs and the prevention of fraud.
Of course, identity is a concern for enterprise as well as government: in financial services, the need to Know Your Customer (KYC) is moving toward authentication from immutable, trusted records. In July 2019, a number of banks in the United Arab Emirates formed a blockchain KYC consortium for corporate identities7 and in France in 2018 a pilot project run by 26 firms and five banks8 demonstrated that repetitive, duplicative KYC processes could be streamlined through access to a common blockchain for authentication. If this nut can be cracked, KYC is the use case that will drive the adoption of digital identity in our comfortable first world.
Protecting Ourselves
Beyond identity verification, blockchain is a tool that can be and is being used to record, verify, and keep safe many other aspects of personal data. We can construct an audit trail of the essentials in our daily lives through the simple mechanism of timestamping, rendering the details we choose to record both verifiable and unquestionable when it matters. Just because we can, however, doesn’t always mean that we should. We have gotten ourselves into enough trouble recording our lives on social media, so what benefit is there to having some of that information available for all time?
The answer, of course, is that if a problem arises which appears unsurmountable, it’s worth looking at blockchain as part of a range of available emerging technologies to see where the right solution lies. Several entrepreneurs are working on solving very specific problems around the verification of personal data.
Anne Ahola Ward watched the surge in blockchain projects which focused on tools for the blockchain itself, solutions where there were no real problems, and lofty ideas that failed to deliver the nuanced detail promised in long white papers. Very little that she saw emerging was designed to help people or had been made easily accessible for mainstream users. The lightbulb moment for Ward, in the aftermath of family tragedy, was realizing that there is a point where it actually makes sense for your assets to be digital and owned: upon death.
Most people of Anne’s and my generation have dealt with the estates of family members. There are challenges on all sides. Disputes arise over the most trivial of assets and the will of the deceased may be out of date by decades. Where there are active social media accounts there is no consistency of approach. On some platforms including Facebook, the option exists to memorialize a loved one’s profile, but others hang in the ether, subject to the vagaries of changing terms and conditions, or may be lost permanently when a service shuts down. One of the most simple but overwhelming losses is the wealth of oral history which passes down the generations. Ward’s vision is to use blockchain to protect a timestamped legacy, and the Veritoken Legacy Locket, launched in June 2019, starts with the upload of pictures, quotes, and memories, and is designed to record personal data choices and preferences. The new role of technical executor is a response to the new needs of those who remain. In the long term, keeping a legal will up to date may fall to the blockchain rather than to will attorneys. “We’re not going to live forever,” says Ward, “but our information can, so we should have power over that.”
Another initiative focusing on a specific life challenge is the Loly dating app. Speaking to founder Adryenn Ashley, this app written by women, for women, addresses a number of problems that have not been solved by other platforms and for which blockchain offers a solution. It introduces trusted user identities supported by a mechanism for building reputation through community verification and reports of good dating behavior. It meets the need for clear recorded consent or refusal during dates that can be authenticated after the fact. Ashley also reports that the roadmap includes a safe word for activating emergency calling and recording functions.
The blockchain layer in these applications is not obvious to users, which is important for adoption of such tools on their merits, not for their technology. We may be moving to a world where we can own our data and manage our privacy and our identity, but the experience must be seamless and the technology usable by all.
Governing and Governance
Government and blockchain has been described as a match made in heaven. The gradual digitization of our public services has steadily transformed our lives and, despite the challenges of deploying complex software at scale, the process has been relatively painless for most people. Blockchain has emerged as one of several useful tools in the work to streamline public services, manage registries, and protect identity. In Estonia, the use of cryptography in digital identity predates Satoshi by several years, and the introduction of distributed ledgers has been a natural evolution. In Wyoming, legislators were quick to recognize the potential of the technology and the need for good practice around it. They have started to build blockchain solutions into several areas of government and business and also drafted and passed a series of bills that have been adopted by other states. In the United Arab Emirates, Dubai has incorporated blockchain into its long-term Smart Dubai project, aiming for a paperless administration. Let’s look in more detail at the work underway in regulating for blockchain, managing registries, managing cities and citizens, and securing the democratic process.
Wyoming: the Blockchain State
The State of Wyoming is a trailblazer in blockchain regulation. Concerted efforts by the Wyoming Blockchain Coalition, including legislator Tyler Lindholm and Wall Street veteran Caitlin Long, enabled Wyoming to become the first U.S. state to provide a comprehensive legal framework for blockchain technology to flourish and benefit both individuals and companies. Several states have since adopted the same legislation. Within this suite of bills, enacted in 2018, Wyoming introduced a legal framework for digital assets. It ensures that the state recognizes direct property rights for owners of assets of all types,9 classifying them within existing laws and frameworks as intangible personal property (whether money, securities, or other assets). Land, property, shares, and securities all have their registries, and with the rise of digital assets it is logical to expect these to also benefit from formal registry structures.
Land on the Blockchain
The traditional management of asset registries has been fundamentally unchanged for generations. Where once the register was written in ink and copperplate, it has moved to computerized databases and through different software platforms, coding languages, physical storage media, and prime entry sources. Registries are on one hand a ledger of transactions, and on the other hand a specialized archive with the same authentication and verification challenges as the National Archives detailed in the case study in Chapter 4. Transfers of ownership from one party to another, or from one party to multiple owners, must be reflected accurately.
Why is blockchain relevant to these long-standing systems? Until recently, improving efficiency and reducing both costs and the opportunity for human error in the management of the archive and the ledger could have be achieved with internal robotic process automation (RPA). The registries are generally held by a single party, so decentralization may not appear to be an immediate advantage. However, the process of monitoring, updating, and validating registries is increasingly decentralized. Changes of ownership, background checks, and interrogation of the register are more likely to be processed by third parties. As a public record, there are multiple parties involved in updating the details held on the register and any individual referring to the records must have confidence in the accuracy of the inputs. Blockchain not only provides a route to achieving greater efficiency at lower cost, but also improves the update process for transactions originating with third parties such as lawyers and makes the information more accessible and trustworthy. Land registries across the world rushed to test the concept of blockchain as soon as the potential benefits became apparent. There have been land registry pilots and proofs of concept running on every continent in countries including (but not limited to) the Republic of Georgia, Sweden, the United Kingdom, New South Wales in Australia, the state of Wyoming, Honduras, Ghana, Haryana in India (as part of a United Nations initiative), and Dubai. A handful among these have made the leap to live deployment, although others are still testing their platforms or have stalled altogether.
The economic incentives for the development of efficient and accurate land registries are clear: “Land rights are essential to promote economic growth, address economic inequalities, alleviate conflict management, and support local governance processes,” say Benbunan-Fich and Castellanos in their 2018 paper10 presented to the Thirty Ninth International Conference on Information Systems. Their contrasting case studies of the projects in Honduras and the Republic of Georgia demonstrate one of the real challenges of blockchain implementation. The technology is complex, and while the use case may be ideal and the solution theoretically viable, the information systems readiness in a public organization can be the difference between success and failure. Honduras was an early adopter, starting its digitalization pilot in 2015 in partnership with Factom, an experienced blockchain developer headquartered in Austin, Texas. Despite this promising start the project stalled within a year, unable to move at private sector pace and coinciding with the start of a politically charged election season.
At the opposite extreme, Georgia, independent since 1991, had already put firm processes in place for the management of their registries and embraced the world of blockchain through benefits for bitcoin miners and partnerships with BitFury. When it came to digitization, their National Agency of Public Registry (NAPR) was “information systems ready”. The Republic of Georgia’s blockchain registry was the first in the world to be deployed live and at scale. Mariam Turashvili, head of project management at the NAPR, confirmed to me that as at July 2019 they had “more than 2 million extracts from the public registry (hashes of ownership certificates) stored on blockchain” and were actively working on the smart contracts for processing transfers of ownership and other transactions, and the legislative amendments required to implement them.
Sweden’s Lantmäteriet was one of the first public authorities in the world to move its land registry from paper to digital records, as far back as the 1970s, but technology has moved on since this time. The authority realized that the delay between any change of status or ownership and the entry on the register was compromising the transparency and trust placed in it. The delays were directly due to a heavy (and costly) manual system of signed documents, and the lack of transparency resulted from firewalls and security systems designed to protect the data but simultaneously blocking access to anyone without high level permission to write to the database. The advent of blockchain appeared to offer a solution to both challenges, and a two-year proof of concept exercise was completed in March 2018. This is not the only example of emerging technology being use in problem solving at Lantmäteriet. Natural language processing, handwritten text analysis, and artificial intelligence have been developed to improve their response to citizen requests for existing records. Blockchain is just one of many tools being used by a historically forward-thinking authority to improve its services.
Some of the most interesting early stage development is emerging in Africa. Bitland in Ghana, a Swiss partnership in Rwanda, and Land LayBy in Kenya are responding to endemic problems of fake title deeds and lack of consistent documentation. Although these are a long way from delivering a live and adopted system, they demonstrate a local response to the problem that is likely to be far more suitable and sustainable than anything imposed from outside Africa.
Although registries have been held out as one of the most obvious applications for blockchain technology, their development at scale is a slow process. The public sector is naturally cautious about the deployment of any IT system because people do not have a choice whether to use it, while the private sector races ahead, secure in the knowledge that competition in the market weeds out the weaker propositions. Land registries may have suffered from a period of hype, but the steady progress of landmark projects is likely to deliver real benefits worldwide in the next few years.
Smart Cities, Smart Lives
Land registries may be moving online, but what about our homes? This logical step in public administration also offers benefits to the real estate industry. The commercial incentive to reduce costs and improve efficiency has driven development in the private sector. California-based real estate platform Propy executed the first proof of concept property purchase on the Ethereum blockchain in October 2017, an apartment in Kiev, Ukraine, and has moved quickly to commercialize its offering. The first transaction recorded in California took place in July 2018,11 and in Europe a few months later.12 By the middle of 2019, Propy had over 60,000 properties listed and had managed sales in Bitcoin, Ether, and fiat currency in the United States, Europe, and Asia. The smart contract governing each transaction is triggered by an independent notary verifying the seller’s signature, a much simpler interaction than the traditional exchange of documents. Propy is also trialing a deed registry and a title registry to manage the sale process from end to end. This weaves into the public registry by adding the hash information to the publicly held deed at the relevant Recording Office. The building blocks are in place for public and private sector collaboration.
Transactions don’t stop with land and property. In 1999 the city of Dubai launched its ICT strategy with the aim of making the lives of its citizens happy and their interactions with government and regulators seamless. In 2016, a new element was added to the strategy: blockchain.13 Sustaining a consistent long-term vision at state level and executing it over more than two decades is rare in the west, and the rapid progress of Smart Dubai demonstrates the value of planning outside party politics. The Dubai government took the view that “Blockchain will do for transactions what the internet did for information” and set to identifying the transactions that could be made frictionless in their citizen journeys. Their practical approach was not to use blockchain regardless, but to solve specific pain points with the appropriate technology. The strategy addresses three pillars: government efficiency, industry creation, and international leadership. Speaking at the Business Blockchain Summit during London Tech Week 2019, Dr Sohail Munir, adviser on emerging technologies and digital transformation to the Smart Dubai Government, explained that the goal is for the city to become paperless by December 12, 2021(there is a celebration already planned). The city envisages the elimination of 9.57 million pieces of paper, and cost savings annually of AED 1.15 billion (approximately $0.3 billion). This is an ambitious plan impacting multiple areas of a citizen’s daily life, and it is on track to be delivered. At the time of writing, payment reconciliations and the city’s property registry are already deployed, with proof of concept systems in place for aspects of licensing, wills, vehicle management, and education.
The government machine in most countries has a need for increased accountability and transparency, which could be delivered by appropriate application of blockchain. The long-term project for the digitization of Dubai’s government and administration is one example. In the United Kingdom, blockchain as a tool for process improvement is being reviewed by the Department of Work and Pensions, the Intellectual Property Office, and the G-Cloud procurement system among others. The Canadian government published their Policy on Service and Digital in August 201914 with a specific commitment to “innovate and experiment with new technologies and solutions, like Artificial Intelligence and Blockchain.” Advances in blockchain technology rely upon support at the highest levels, and government interest in developing the use of distributed ledger technology can only speed up adoption.
Trust in Elections
Blockchain technology is an essential tool in the development of internet voting and the elimination of electoral fraud. As our lives move inexorably online, maintaining an engaged electorate becomes essential to democracy. If voting is too burdensome, relying on paper and ancient machines, then citizens will be disenfranchised. However, electronic voting is fraught with risk and is far more complex than might be evident to the voter.
Professor Steve Schneider, director of the University of Surrey’s cybersecurity center, explained to me that while tallying votes transparently is reasonably simple, transparency of individual votes is a different matter. A robust and verifiable voting system needs to deal with the eligibility and the anonymity of voters, maintain secrecy in the ballot, and demonstrate integrity. It is a considerable challenge in terms both of cryptography and cybersecurity. Writing for the New Statesman in May 2019,15 Schneider outlined potential threats to both the electorate and electoral bodies including spoof voting sites, malware on devices used to cast a vote, and system penetration or internal bad actors, particularly as an electronic system is likely to be managed by a single central administration.
Academics have been working on electronic voting systems since before the advent of blockchain, developing ways for individuals to verify independently that their vote has indeed been counted as intended, and for the public to check that the votes have been tallied correctly. Pilots such as the Verifiable Classroom Voting (VCV) system16 developed by Professor Feng Hao of Warwick University, and Schneider’s own past work, originally relied on posting results to a bulletin board, but as Schneider told me, blockchain delivered the technology to make this public record immutable and fully distributed. There are caveats. The blockchain needs to be permissioned rather than public, as electoral authorities have to run the election according to the laws of the country involved. There is a need for a two-stage consensus to ensure that voters get an immediate confirmation that their vote has been cast and recorded correctly: waiting for a Proof of Work consensus on a public blockchain would simply take too long to be practical. Trials of the Surrey team’s Verify My Vote (VMV) system17 took place in summer 2019, and while this work is a giant step toward a transparent and verifiable electronic voting system, it is likely to be some years before this is mature enough for a political or statutory election. Schneider suggests, though, that we are getting closer to using it for less high consequence elections where the voter list is under tighter control (e.g., organizational elections, union elections etc.) and the risk/benefit calculation is different.
There are elements of internet voting systems in place already around the world. Digital identities are used in Estonia to ensure that all those eligible to vote can do so while maintaining anonymity in relation to the votes cast. In turn the votes themselves can be recorded in an immutable form. Estonia’s electoral commission monitors the centralized system closely for tampering, but there is no independent verifiability in place as yet. A voting system which mimics Estonia’s approach was implemented internally by a Danish political party in 2014, and there is a project in progress through the Bitcoin Foundation to develop a blockchain-based voting system.18
In West Virginia, the Secretary of State’s office identified that for active service personnel the existing postal and electronic ballot systems were not accessible.19 The state ran a pilot program enabling 150 overseas voters to participate in the November 2018 midterm election using the Voatz mobile blockchain application.20 The city of Denver also tested Voatz in its May 2019 municipal election for 4,000 eligible active-duty military and overseas voters. In both cases election officials reported an increased turnout in the small sample. It is important to note that Voatz is a private company, not a government or academic-led initiative. The system is likely to be tallying votes rather than offering individual verifiability, but there has been criticism of a lack of independent scrutiny. Such reticence is unusual in the blockchain world, where the spirit of collaboration and open source development generally reflects the transparency of the technology. It does however demonstrate one of the challenges facing businesses working to advance applications of blockchain technology: protection of intellectual property.
Challenges for Blockchain Development
This book is intended for business decision makers who want to understand the landscape of blockchain and cryptocurrency, not for the developers who are likely to be following this fast-moving world of software through online communities and collaborative projects. However, executives must be aware of the underlying implications for system design and security in any new development in order to ask the right questions of their technical delivery team.
Automation of processes can be fraught with problems. One only has to look at the delays and complaints surrounding the launch of any public service software platform to realize the complexity and the iterative nature of automation. Changes to centralized systems of record can be managed by the data owners, but what about decentralized systems of ledger? When a process is automated and immutable, the smart contract that executes each transaction must be watertight from the outset. In Chapter 2 we addressed the problems that can arise through errors in deploying smart contracts. Code that controls transactions on the blockchain must be subject to much more rigorous testing and auditing than centralized software. Day-to-day considerations including the management of intellectual property and the protection of data must also be taken into account when solving wicked business problems and delivering smart user tools.
Branding and Intellectual Property
Who owns your website? The tangle of intellectual property, copyright, and open source materials that make up the average internet site is extraordinary. Taking a simple WordPress site, the code beneath WordPress is open source, with a large community of contributors and an open source license whose requirements must be considered when using or adapting the software. The icons and design of WordPress assets, such as the brand logo, belong to that company and there is likely to be a trademark registration in one or more countries. Your own logo may be similarly protected. The theme, which lies on top of the site and gives it its look and feel, could be an open source skin, or may have been designed by a third party who licenses its use to you, although they have no rights over your brand colors and logo. The words that you write for each page are likely to be your copyright. The images that you put on the page may be available on a creative commons license, or a paid license from an agency, or taken by you. If the picture is of an artwork, the copyright lies with the artist, not the photographer. So, who owns your website again? Where does the intellectual capital lie?
Professor Tonya Evans, Associate Dean of Academic Affairs and Director of Blockchain Law Online Certificate Program at UNH School of Law, says that intellectual capital is the most important asset of a business, but likely the least understood. Enterprises must take account of copyright in words, images or code, patents and trademarks, and trade secrets, and balance the business value with the wider needs of the market and consumers. The Cryptokitties team, in developing the Nifty license described in Chapter 5, retained their clear ownership of the cartoon style of their cats, while granting the use of each unique kitty design to the relevant token holder. This maximizes the intellectual capital for the creators, who need something to show for their work, and takes a sensible approach to the habits of online appropriation of images.
Open source collaboration in the development of blockchain is a major feature of the rapid innovation we have seen in the sector. Evans reminds us that there are always restrictions around an open source license. When code is adapted from open sources, there could be some intellectual capital to claim on those adaptations. However, as criticism of Voatz (aforementioned) has shown, holding your cards too close to your chest can backfire in public perception. Retaining trade secrets must add value to the business. If secrecy detracts from the perception of the enterprise, it could be more damaging.
The other side of the coin is the value of blockchain to your brand. It is unsurprising that many businesses have sprung up with “blockchain” in their names, as this appears to differentiate them from the competition. It is equally unfortunate that a good proportion have not lived up to the hype. Now that the market is settling and hollow projects are falling away, it is time to leverage the good things about blockchain. Speaking at SXSW in Austin in March 2019, Shontavia Johnson, Associate Vice President for Academic Partnerships and Innovation at Clemson University, considered the features of blockchain that can be used to build a brand: customer trust, efficiency, and the ability to use apps to bring communities and influencers together around your brand. Leveraging a buzzword may give short-term gains but aligning your brand with the values and principles around the appropriate use of blockchain and backing it with action has long term value. Removing the jargon and demonstrating transparency, authenticity, credibility, community, and efficiency is a worthwhile business strategy.
Data Protection
Data protection legislation is a modern extension of the privacy laws that have evolved very differently across multiple jurisdictions in the last 150 years. In the United States, privacy laws developed through the natural evolution of common law, against the background of the right to free speech and freedom of the press, as enshrined in the Constitution and the First Amendment. While the common law tort of Invasion of Privacy grants the individual “full protection in person and in property,” it has been applied through history on a case-by-case basis, and as both society and technology have developed the legislation has been trying to keep up with new contexts of privacy. In 1890, the target was the emerging technology of photography, which had resulted in some instances of overaggressive journalism. “The Right to Privacy” by Warren and Brandeis, published in the Harvard Law Review,21 remains an influential text and the concerns raised are recognizable in our modern society. Modern tort law, evolving since Warren and Brandeis, protects from “intrusion of solitude, public disclosure of public facts, false light, and appropriation.” Federal law places limits on government intrusion, while individual states have added other protection piecemeal. This complexity of legislation has resulted in a patchwork of laws and regulations that can sometimes overlap or contradict one another. In the digital arena, for example, the California Consumer Privacy Act 2018 (CCPA) and the Biometric Information Privacy Act 2008 in Illinois are independent and unrelated pieces of legislation addressing very specific elements of privacy. Developers have a challenge to ensure that the data their systems are designed to capture and retain will pass muster under a variety of different laws.
The situation is further complicated by the cross-border adoption of software. Blockchain inspires a vision of a connected, decentralized world, but this requires conforming operations in different jurisdictions. Four letters strike fear into the heart of all tech firms: GDPR. The General Data Protection Regulations, which took effect across Europe in 2018, are onerous and have specific implications for immutable records in distributed ledgers.
How did European legislation develop in this way? In Europe, something is private unless declared otherwise, while in the U.S. privacy is an inalienable right, but invasion of such privacy is defined sector by sector and case by case. The difference can be traced to one major historical event and its legacy: The Second World War. After the war, the Council of Europe was formed, and in 1949 work began to develop the European Convention on Human Rights (ECHR), a very strong declaration in favor of democracy, freedom, and the rights of the individual. In 2009, the European Charter of Fundamental Rights combined the ECHR and individual pieces of legislation from different states into one Charter, which is legally binding on all states in the European Union. The right to personal privacy is explicit. This blanket protection is the starting point for regulation in Europe, with subsequent case law allowing limited access to personal data. The General Data Protection Regulations emerged from this background, restricting the actual collection of personal data unless this is done for a specific reason or, failing that, is collected with “informed consent,” which is a complex minefield.
Case Study: SDQ
Professor Mike Smith is based in Europe and the Strengths and Difficulties Questionnaire (SDQ) he operates is being used worldwide. Mental health assessment, particularly with children, is a very sensitive area, and Smith’s experience offers insights into the care developers should be taking over data capture and retention. He explains that he has always avoided collecting any demographic data. For completeness it is important to capture age and gender, which are relevant in the assessment, but these will not result in personal identification in a data set of multiple records. However, the precise date of birth of a subject is not collected because this could very easily be traced to one individual given other contextual information about the sample.
Although SDQ is unwilling to collect personal details, these are essential in a medical setting because clinicians cannot risk attaching data to the wrong patient. The solution to this problem requires blockchain and is permissible under GDPR because it is an example of security by design. It is a powerful mechanism for data protection.
Data is concealed by strong encryption and tokenization, rendering the stored information unintelligible in a manner that would take years for a bad actor to reconstruct. The unique ID of this data can be bound to patient information at the clinical side, local to the medical professional, and the stored information for that ID can only be decrypted by the keyholder. Each transmission of data is timestamped, providing an access audit trail for the unique ID but without knowledge of the contents. This protects SDQ by keeping track of the opaque “blobs” of data, proving that the information is still stored and has not been lost or maliciously deleted. Although this structure prevents a bad actor with partial information from accessing the stored data, there are considerations around custodianship of private keys: if a key is lost then valuable data is lost with it and cannot be retrieved. Solving this challenge once again falls to developers, to ensure that the security of data is not compromised by measures to protect decryption tools.
Looking to the Future
While enterprises can move quickly to meet challenges, and game developers follow their imaginations to break barriers, the path of innovation for government and governance is necessarily slower. The management of our personal data, our lives, and of nation states is not a straightforward task but the public sector is rising to the challenge and adopting new technologies more rapidly than we have seen in the past. Blockchain technology can enable some fundamental changes to the way we live, and it is refreshing to see so much innovation emerging from a traditionally slow sector. While many of the applications are not yet deployed at scale, the fact that they are live and being trialed and scrutinized bodes well for future adoption.
In our final chapter, let’s turn to some of the as yet unrealized opportunities around blockchain, and the threats that lie ahead.