{"id":8286,"date":"2018-06-28T12:54:57","date_gmt":"2018-06-28T12:54:57","guid":{"rendered":"https:\/\/davidgerard.co.uk\/blockchain\/?p=8286"},"modified":"2022-06-30T16:16:10","modified_gmt":"2022-06-30T16:16:10","slug":"ibm-the-gdpr-and-blockchain-whatever-that-word-specifically-means","status":"publish","type":"post","link":"https:\/\/davidgerard.co.uk\/blockchain\/2018\/06\/28\/ibm-the-gdpr-and-blockchain-whatever-that-word-specifically-means\/","title":{"rendered":"IBM, the GDPR and &#8220;blockchain&#8221; \u2014 whatever that word specifically means"},"content":{"rendered":"<p>Gyula Pal from IBM Blockchain argues that <a href=\"https:\/\/www.ibm.com\/blogs\/blockchain\/2018\/06\/the-gdpr-blockchain-blind-spot-regulating-data-and-everything-else\/\">the EU&#8217;s General Data Protection Regulation is short-sighted<\/a> in not carving out an exception for blockchains \u2014 and that this is a symptom of government&#8217;s <i>fundamental<\/i> incompetence with new technologies, as they can only look backwards:<\/p>\n<blockquote><p>Without regulators learning the technology behind blockchain, GDPR will only be a victim of its own intent. 
Once this is changed, not only will blockchains not be blocked by GDPR but effective food safety, carbon cap and trade, and a transparent jewellery supply chain, will be regulations that can be effectively enforced, collectively marking the beginning of the era of proactive regulations.<\/p><\/blockquote>\n<p>Of course, all of these use cases are prospective IBM marketing pitches \u2014 and none of them somehow require the database to be a permissioned blockchain, rather than a database with some other architecture.<\/p>\n<p>(I&#8217;m pretty sure that if the authors of the GDPR did understand blockchains, they&#8217;d be delighted to have drafted the antidote.)<\/p>\n<p>But what\u00a0<em>specifically is<\/em> Pal asking for?<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/davidgerard.co.uk\/blockchain\/2018\/06\/28\/ibm-the-gdpr-and-blockchain-whatever-that-word-specifically-means\/ibm-blockchain-window\/\" rel=\"attachment wp-att-8348\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-8348\" src=\"https:\/\/davidgerard.co.uk\/blockchain\/wp-content\/uploads\/2018\/06\/ibm-blockchain-window.jpg\" alt=\"\" width=\"550\" height=\"275\" srcset=\"https:\/\/davidgerard.co.uk\/blockchain\/wp-content\/uploads\/2018\/06\/ibm-blockchain-window.jpg 704w, https:\/\/davidgerard.co.uk\/blockchain\/wp-content\/uploads\/2018\/06\/ibm-blockchain-window-300x150.jpg 300w\" sizes=\"auto, (max-width: 550px) 100vw, 550px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<h3>What is a &#8220;blockchain&#8221;? It&#8217;s whatever I&#8217;m selling<\/h3>\n<p>&#8220;Blockchain&#8221; is a buzzword \u2014 it has no specific, agreed-upon meaning. 
There&#8217;s a spectrum from Bitcoin-style cryptocurrencies to literally just the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Merkle_tree\">Merkle tree,<\/a> as in <a href=\"https:\/\/davidgerard.co.uk\/blockchain\/2017\/09\/06\/estonias-smartcard-security-problem-is-probably-not-blockchain-related-but-what-is-estonias-blockchain\/\">Estonia&#8217;s KSI Blockchain<\/a> \u2014 which was only renamed &#8220;Blockchain&#8221; for marketing purposes.<\/p>\n<p>You get bad legislative attempts to define &#8220;blockchain&#8221; or &#8220;distributed ledger technology&#8221; \u2014 and the EU <a href=\"https:\/\/davidgerard.co.uk\/blockchain\/2018\/02\/16\/a-bad-eu-motion-coming-up-for-vote-2017-2772rsp-distributed-ledger-technologies-and-blockchains-building-trust-with-disintermediation\/?ho1\">has one in the works<\/a> \u2014 but I&#8217;ve yet to see a legal definition of &#8220;blockchain&#8221; that would include the things sold as &#8220;permissioned blockchain,&#8221; but wouldn&#8217;t also include any <a href=\"https:\/\/davidgerard.co.uk\/blockchain\/2018\/02\/10\/do-you-need-a-blockchain-probably-less-than-wust-and-gervais-think-you-do\/\">Git repository.<\/a><\/p>\n<p>This is because the <em>actual<\/em> meaning of &#8220;blockchain&#8221; isn&#8217;t a specific technology \u2014 it&#8217;s the hype around a particular set of unrealistic promises:<\/p>\n<ul>\n<li>totally decentralised, with no central controller!<\/li>\n<li>immune to bad actors!<\/li>\n<li>the blockchain is immutable and incorruptible!<\/li>\n<li>money and data can flow instantly and internationally for near-free!<\/li>\n<li>secured by math \u2014 unbreakable!<\/li>\n<\/ul>\n<p>The promises were originally made for Bitcoin\u00a0\u2014 which had failed most of them by 2014 \u2014 and then lifted wholesale to try to market very un-magical and mundane Merkle trees to business. 
The product is the hype itself.<\/p>\n<p>IBM&#8217;s &#8220;blockchain&#8221; products are distributed databases with centrally-administered access, whose architecture is that the nodes send each other their <a href=\"https:\/\/en.wikipedia.org\/wiki\/Write-ahead_logging\">write-ahead logs<\/a> in a format that uses a Merkle tree.<\/p>\n<p>That is \u2014 Pal is arguing for special treatment for distributed databases, as long as they use a <i>particular data structure<\/i> to communicate between nodes.<\/p>\n<p>I think this is unlikely to fly with the EU.<\/p>\n<h3>Special pleading, on the blockchain<\/h3>\n<p>Pal&#8217;s post is generic business special pleading. But I&#8217;d have expected IBM to be better at it than this.<\/p>\n<p>(I suspect the post is at least partly intended for internal consumption. IBM&#8217;s <a href=\"https:\/\/www.theregister.co.uk\/2018\/01\/02\/hyperledger_at_three\/\">having a hard time<\/a> coming up with real-world production uses for Hyperledger, despite a couple of years&#8217; vendor-subsidised pilot programmes intended for <a href=\"https:\/\/www-03.ibm.com\/press\/us\/en\/presskit\/50610.wss\">press releases<\/a> \u2014 per <a href=\"https:\/\/davidgerard.co.uk\/blockchain\/table-of-contents\/\">chapter 11<\/a> of <a href=\"https:\/\/davidgerard.co.uk\/blockchain\/book\/\">the book,<\/a> IBM is responsible for quite a lot of business blockchain press articles.)<\/p>\n<p>There were a fair few <a href=\"https:\/\/www.weforum.org\/agenda\/2018\/05\/will-gdpr-block-blockchain\/\">pleas<\/a> for special treatment for blockchains in the last few months before the GDPR kicked in \u2014 arguing that this business innovation was so very important, and had such huge potential, that the EU should definitely consider workarounds for them personally.<\/p>\n<p>But there&#8217;s no way the legislators were going to give a hoot at that late stage.<\/p>\n<p>I can understand businesses not quite getting around to starting the hard work until the 
last moment \u2014\u00a0 but how did blockchain people miss an existential threat like this for two years? Did they think the EU wasn&#8217;t serious?<\/p>\n<h3>Cambridge Analytica, on the blockchain<\/h3>\n<p>The GDPR is antimatter to a lot of blockchain use cases \u2014 specifically, the ones that first assume a <a href=\"https:\/\/davidgerard.co.uk\/blockchain\/2018\/03\/22\/blockchain-identity-cambridge-analytica-but-on-the-blockchain\/\">complete surveillance panopticon.<\/a><\/p>\n<p>IBM has a few of these. Their pitch is <a href=\"https:\/\/www.ibm.com\/blogs\/blockchain\/2018\/06\/self-sovereign-identity-unraveling-the-terminology\/\">&#8220;self-sovereign identity.&#8221;<\/a> IBM <i>really, really<\/i> want to sell this to you. And Pal thinks the GDPR makes this impossible.<\/p>\n<p>But \u2014 what does a blockchain get you that you don&#8217;t get with a perfectly ordinary database, like IBM has sold for <a href=\"https:\/\/www.census.gov\/history\/www\/faqs\/innovations_faqs\/what_is_the_connection_between_the_census_bureau_and_ibm.html\">all<\/a> <a href=\"https:\/\/en.wikipedia.org\/wiki\/IBM_and_the_Holocaust\">manner<\/a> of administration of people&#8217;s personal data for a century or more?<\/p>\n<p>Any data aggregation containing <a href=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-the-general-data-protection-regulation-gdpr\/key-definitions\/what-is-personal-data\/\">personal data<\/a> \u2014 an even wider category than <a href=\"https:\/\/en.wikipedia.org\/wiki\/Personally_identifiable_information\">Personally Identifiable Information<\/a> (PII) \u2014 <em>must be redactable.<br \/>\n<\/em><\/p>\n<p>A permissioned blockchain offers no new integrity guarantees over just putting a plain data dump in a tamper-evident Merkle tree. Whoever controls the permissions, controls the database \u2014 and has GDPR responsibility. 
You&#8217;re just making it ridiculously harder to perform legally-obliged redaction.<\/p>\n<p>No business wants the phrase &#8220;Cambridge Analytica, but on the blockchain&#8221; next to their name.<\/p>\n<p>Personal data in a proof-of-work blockchain \u2014 that&#8217;d be flat-out insane. If you knowingly and deliberately put personal data into a blockchain that you literally don&#8217;t control, your next question will be whether <a href=\"https:\/\/gdpr-info.eu\/art-83-gdpr\/\">20m EUR or 4% of your global turnover<\/a> is greater than <a href=\"https:\/\/www.crypto51.app\/\">the cost of running a 51% attack.<\/a><\/p>\n<p>Of course, some people \u2014 such as the UN&#8217;s <a href=\"https:\/\/davidgerard.co.uk\/blockchain\/2017\/11\/26\/the-world-food-programmes-much-publicised-blockchain-has-one-participant-i-e-its-a-database\/\">World Food Programme!<\/a> \u2014 still think doing that is a great idea.<\/p>\n<h3>What to do: don&#8217;t be silly<\/h3>\n<p>Dealing with the GDPR is not onerous \u2014 unless your business model is to abuse people&#8217;s personal information &#8230; or you were silly enough to put personal data into an append-only ledger.<\/p>\n<p>There&#8217;s no GDPR police looking to catch you out. Certainly for the next few years \u2014 until everyone gets a handle on best practices \u2014 you&#8217;ll get points for sincere effort.<\/p>\n<p>But, just to restate the obvious \u2014 DON&#8217;T PUT PERSONAL DATA INTO AN APPEND-ONLY LEDGER.<\/p>\n<p>You wouldn&#8217;t check personal data into a Git repository and expect redaction to be easy \u2014 have you ever had to remove a binary blob from a Git repo? 
Tedious, wasn&#8217;t it?\u00a0\u2014 so don&#8217;t even think of doing it with a blockchain.<\/p>\n<p>Anyone trying to sell you a blockchain for personal data is a charlatan, and thoroughly deserves to have their business model broken.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The problem with special rules for &#8220;blockchains&#8221; is that there&#8217;s no definition of &#8220;blockchain&#8221; other than &#8220;whatever I&#8217;m trying to sell you right now.&#8221;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[74,491,758,316],"class_list":["post-8286","post","type-post","status-publish","format-standard","hentry","category-uncategorised","tag-blockchain","tag-gdpr","tag-gyula-pal","tag-ibm"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/posts\/8286","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/types\/po
st"}],"author":[{"embeddable":true,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/comments?post=8286"}],"version-history":[{"count":89,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/posts\/8286\/revisions"}],"predecessor-version":[{"id":8508,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/posts\/8286\/revisions\/8508"}],"wp:attachment":[{"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/media?parent=8286"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/categories?post=8286"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/tags?post=8286"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}