Blockchain’s role as a privacy enhancing technology

Many of us hear the word “blockchain,” mentally file it under “something to do with Bitcoin,” and then swiftly move on. But there is more to this new technology than the cryptocurrencies, like Bitcoin, that use it. And lawmakers need to start thinking now about its long-term implications.

Top of mind is blockchain’s potential to enable greater data privacy and data security, says Florian Martin-Bariteau, who runs the University of Ottawa’s Blockchain Legal Lab, a research team investigating the practical uses of the technology — and the legal issues those uses raise. He’s also on a panel at the forthcoming CBA Access to Information and Privacy Law Symposium in Ottawa (Oct. 19 and 20) that will compare uses of blockchain in other industries.

“The blockchain technology is actually a protocol for information or asset exchange, and an infrastructure for data storage and management,” he says. “It is literally a chain of blocks of information which are interlinked in a secure way.”

Many of us hear the word blockchain, mentally file it under something to do with Bitcoin, and then swiftly move on.

It’s an idea that goes as far back as 1991, when it was conceived as a kind of secure spreadsheet — a way to timestamp documents in a ledger that could not be edited or tampered with. He describes it as a digital notary system. The technology has since developed to become, as Martin-Bariteau puts it, “a secure, immutable database shared by all parties in a distributed network.”

Its utility where privacy is an issue is plain to see. Versions of the technology — data management systems, decentralized and unified authentication systems — are currently under development at several startup companies, from those still at the drawing board, to those ready to begin marketing their systems. Investors are interested, and expectations are for significant growth in this market.

But part of the attraction of blockchain — the notion that data can’t be edited, altered or erased — is also part of the challenge it creates. For example, in the European Union and elsewhere, GDPR compliance includes the right to erasure.

This has enormous implications for any system that requires registered users as part of its design. For example, one possible new implementation currently under review is to use blockchain as a tool for government services. The idea is to create a decentralized authentication system that would allow citizens a secure, simplified access to those services.

Martin-Bariteau is clear about the risks involved. “You need to be very careful about the information you register on an immutable ledger,” he notes. “You want to avoid including any personal information, so you need to design your implementation, or advise your clients to design it, in a way that it can use personal information without storing it.”

This is, he says, technically feasible, but must be worked out at the very beginning of any project: “With blockchain, ‘privacy by design’ or ‘privacy by default’ take on a new meaning that you must fully understand. If you fail to address this, you will not be able to go back later and fix it. You will have to restart and rebuild from scratch.”

His advice? “Study and learn about blockchain like you would any other technology before using it. And for regulators and legislators, before regulating it.”

Martin-Bariteau has been awarded a grant through the Canadian Bar Association’s Law for the Future Fund for a project that will focus on developing a legal framework for smart contracts under Canadian law