Blockchain Technology — A Review

What is a Blockchain?

A blockchain, as its name suggests, is a virtual chain made of blocks, where each block contains information. Alternatively, it can be described as a digital ledger, where each block of data represents a distinct transaction on the ledger, with the transactions occurring across a decentralized peer-to-peer network. This peer-to-peer network consists of computers (each called a “node”) connected together, which allows the participants in the blockchain to transfer information across the internet without the need to involve any centralised third party. Each block in a blockchain comprises (i) the transaction data, (ii) a timestamp recording the creation of the block, and (iii) a cryptographic hash which is unique to each block, akin to a “fingerprint”. When a node initiates a transaction, it sends a message to the other nodes in the network. Each transaction is verified by the nodes, without relying on any external party for authentication, before it is added to the blockchain. This verification process is as follows. Each node in the network has its own set of public and private cryptographic keys. Whenever a transaction is initiated by a node, it generates a digital signature with its private key. The digital signature is proof of the authenticity of the data present in the block. Once the transaction has been examined by every node, there is an electronic vote amongst them to decide the validity of the transaction. If a majority of the nodes hold the transaction to be valid, then it is written into a block and the newly created block forms a part of the chain.

Decentralisation makes the Blockchain Stronger

A blockchain establishes a decentralized network that allows the participants in the blockchain to transfer information across the internet without the involvement of any centralised authority. The information that is transferred is not stored by the blockchain in any fixed location but is replicated multiple times across a network of nodes. When nodes communicate with each other, they become “peers” and form a peer-to-peer network. Thus, instead of having one central server, there exist several distributed and decentralized peers. Whenever any new block is added to the blockchain, this information is spread across all the nodes in the network, which in turn simultaneously update their own blockchains. By spreading information across a network, rather than storing it in one central database, a blockchain becomes more difficult to tamper with.

Origins of Blockchain

Blockchain came into vogue in 2008 as the underlying technology for Bitcoin, which has been hailed as the world’s first decentralized cryptocurrency. In the words of its creator (who used the pseudonym ‘Satoshi Nakamoto’), Bitcoin was created since there was a need for “an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party” [1].

Types of Blockchains — Public and Private

A public blockchain is one in which anyone can join the blockchain network and participate within the blockchain. Public blockchains are decentralised, in the sense that no one has control over the network. Bitcoin and Ethereum are examples of public blockchains.

Smart Contracts

Smart contracts are more than mere agreements. They are a set of protocols embedded in computer code and stored in a blockchain which provide for the negotiation, finalisation and enforcement (or implementation) of such contracts. Once committed, parties would be bound by the protocols wired into such contracts by the programmers. Thus, parties in different countries could enter into such agreements without worrying about bias or prejudice. There would be greater transparency and accountability. More importantly, transaction costs would be lower since there would be no middle-men involved.

Storing Land Records on a Blockchain

It is possible to store details of ownership of land and the underlying transactions on a blockchain. Since all underlying transactions would have been verified by users, the chances of fraud or forgery become minimal, if not non-existent. The verified block becomes an immutable record accessible to the public for viewing. These blockchains would ideally be over a private network, with only a few government entities, like the registrar’s office, having the power to add information to the blockchain. The scope of such entities can be regulated by the guidelines embedded in the blockchain.

Degree Certificates

Circulation of fake degree certificates is endemic in India. This is partly because verification of a degree certificate is difficult and many fake certificate holders get away with their crimes. Blockchain technology offers a solution to this problem by shifting the entire process of issuance and verification of the certificates onto the blockchain. Digital certificates issued on a blockchain can be verified through an app. The app will be accessible by the issuing university and each of the graduating students and will allow verification by third parties. Moreover, the records cannot be tampered with, since blockchain technology does not allow for any modifications to be made to the information already stored in the chain.

Fighting Drug Counterfeiting

Counterfeiting of drugs is rampant in the pharmaceutical industry. There is a lack of transparency in the supply chain through which manufactured drugs reach consumers, due to which the authenticity of the drugs cannot be easily verified. Without transparency in the supply chain, it is nearly impossible to trace the source of any fraud, identify the perpetrators involved, or verify the authenticity of the drugs. Fake drugs may contain highly toxic substances which could be fatal to human life, hence there is a need for an efficient drug tracking system. The main feature of blockchain technology that can be utilized in drug traceability is its security, as each block added to a blockchain is immutable as well as timestamped. Pharmaceutical companies that manufacture drugs can register their drugs on to a blockchain before such drugs are shipped, to ensure their traceability. Every package shipped by such a manufacturer will have a unique ID that will be inserted in the block. Each block in the chain will be linked to the next one and as the drug moves along the supply chain among different entities, it can be traced easily at any given stage. End users can scan the unique ID stamped on the wrappers to verify the genuineness of the drugs they have purchased.

Security Threats to Blockchain Users

Since every node in a blockchain stores details of all transactions, which can be scrutinised by anyone in the network, malicious users may access and trace public keys and addresses to specific persons. If and when an individual user of a blockchain is traced, every transaction undertaken by such an individual through blockchain may be permanently exposed.

Blockchain Technology and Data Privacy Law — A Clash of Ideologies

The immutability of data and transparency are two important pillars on which blockchain technology rests. The immutability of data implies that data cannot be erased and transparency requires data to be exposed to public view. These two requirements conflict with data privacy laws across jurisdictions.

Penalties for Breach of Data Privacy Law by a Blockchain Operator

What happens if a data fiduciary who operates a blockchain breaches any of the provisions mentioned above?

Technological Solutions for Data Privacy Compliance by Blockchains

It is obvious that even under existing Indian data privacy law (that is, the IT Rules), blockchains tread on the privacy rights of Data Principals. Rights to erasure and to restrict or prevent continuing disclosure cannot co-exist with the immutability or permanence of data that blockchain technology trumpets. This issue will become even more acute in India once the PDP Bill comes into effect. The EU has been grappling with this conflict for some years now, which came into sharp focus after the General Data Protection Regulation (“GDPR”) came into effect. Various technical solutions have been offered to this paradox, such as “forking” or using hashes. “Forking” attempts to rewrite the data held on a blockchain by getting most nodes on the network to agree to create a new version of the blockchain which includes the changes that the Data Principal wants to reflect and to then continue using that version rather than the original. Another solution which has gained prominence is that of hashing the personal data, where only “hashes” of personal data would be inserted into the blockchain, rather than the data itself. Hashes are mathematical derivations of data which cannot be reverse engineered to expose the data which is being represented. In a blockchain, hashes are used to verify the underlying data by repeating the hashing algorithm on that data and comparing the result with the stored hash. With a blockchain of hashes, rather than the underlying data, it might be possible to delete the data without having to alter the blockchain [2]. At the end of the day, it is accepted by all and sundry that it would be very difficult, for technical reasons, to remove personal data contained in a blockchain.
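The hash-only approach described above, combined with the block structure from the opening section (data, timestamp, hash), as an added example that is not part of the original article. It goes slightly beyond the text by keying each hash with a random per-record salt kept off-chain, an assumption made here because personal data is often guessable and a bare hash of it could be matched by trial; all names and sample records are constructed.

```python
import hashlib, hmac, json, secrets

def commit(personal_data: str, salt: bytes) -> str:
    """Salted commitment: HMAC-SHA256 keyed with a per-record random salt."""
    return hmac.new(salt, personal_data.encode(), hashlib.sha256).hexdigest()

def block_hash(block: dict) -> str:
    """Fingerprint of a block: covers its fields and the previous block's hash."""
    body = {k: block[k] for k in ("index", "timestamp", "commitment", "prev_hash")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_block(chain: list, commitment: str, timestamp: int) -> None:
    prev = chain[-1]["hash"] if chain else "0" * 64
    block = {"index": len(chain), "timestamp": timestamp,
             "commitment": commitment, "prev_hash": prev}
    block["hash"] = block_hash(block)
    chain.append(block)

def chain_is_valid(chain: list) -> bool:
    """Recompute every fingerprint and check each link to the previous block."""
    prev = "0" * 64
    for block in chain:
        if block["prev_hash"] != prev or block["hash"] != block_hash(block):
            return False
        prev = block["hash"]
    return True

def verify_record(chain: list, off_chain: dict, index: int) -> bool:
    """Re-hash the off-chain record and compare with the on-chain commitment."""
    rec = off_chain.get(index)
    if rec is None:
        return False  # erased: nothing left to check the commitment against
    expected = commit(rec["data"], rec["salt"])
    return hmac.compare_digest(expected, chain[index]["commitment"])

def demo():
    chain, off_chain = [], {}
    people = ["name=A. Sample;id=0001", "name=B. Sample;id=0002"]  # constructed
    for i, data in enumerate(people):
        salt = secrets.token_bytes(32)
        off_chain[i] = {"data": data, "salt": salt}  # personal data stays off-chain
        append_block(chain, commit(data, salt), timestamp=1_700_000_000 + i)
    before = (chain_is_valid(chain), verify_record(chain, off_chain, 0))
    del off_chain[0]  # erasure request: remove data and salt, chain untouched
    after = (chain_is_valid(chain), verify_record(chain, off_chain, 0),
             verify_record(chain, off_chain, 1))
    chain[1]["commitment"] = commit("name=forged", b"x" * 32)  # on-chain tampering
    return before, after, chain_is_valid(chain)
```

Deleting the off-chain record leaves the chain valid while the remaining digest can no longer be checked against anything; changing a block after the fact breaks validation.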

Possible Legal Innovations for Data Privacy Compliance by Blockchains

Consent from the Data Principal

If we assume, for argument’s sake, that personal data contained in a blockchain cannot be erased, where does that leave those who either initiated the blockchain or are participants in the blockchain? One of the fundamental principles of data privacy law is that the Data Principal’s consent is required for the processing of his/her personal data. It could be argued that by participating in a blockchain, a Data Principal is deemed to have given his/her consent for the permanent storage of his/her personal data in the blockchain and for the accessing of such data by all users of such blockchain, and has permanently waived his/her right to seek erasure of such personal data. This argument might hold water under the IT Rules, but the PDP Bill requires express consent for such a waiver, especially if the data involves sensitive personal data. Therefore, before any user is given access to a blockchain, such user must be informed in clear and explicit terms that (i) it would be impossible to remove or erase his or her personal data from the blockchain, and (ii) immutability of data and transparency are vital for the smooth functioning of the blockchain, and express consent must be obtained from such participant for permanent storage of his/her personal data in the blockchain.

Withdrawal of Consent by the Data Principal

The arguments stated above for the harmonious co-existence of blockchain technology and data privacy rights come unstuck in the face of the Data Principal’s right to withdraw consent for the processing of his/her personal data. As mentioned above, Section 20 of the PDP Bill provides that a Data Principal shall have the right to restrict or prevent the continuing disclosure of his/her personal data by a data fiduciary where such disclosure was made with the consent of the Data Principal and such consent has been withdrawn. The IT Rules give Data Principals an unequivocal right to withdraw consent with respect to any information provided, including sensitive personal data. Sections 7 and 11 of the PDP Bill also make it clear that a Data Principal has the right to withdraw his/her consent for the processing of his/her personal data. Prior to the processing of personal data on the basis of consent, the PDP Bill requires that the Data Principal be informed of his/her right to withdraw consent and of the procedure for communicating such withdrawal.

Irrevocable Consent by the Data Principal

Having regard to the near impossibility of erasing data from a blockchain, would it be possible to obtain ‘irrevocable’ consent from the Data Principal before s/he is given access to the blockchain? Would such irrevocable consent be valid under law, given that the IT Rules and the PDP Bill place so much emphasis on the right to withdraw consent?

Best Efforts Erasure or Restriction of further Disclosure

Another line of thought for resolution of this conflict is that, once consent is withdrawn, the data fiduciary who operates the blockchain only has to make the best efforts for the erasure of personal data or for the restriction or prevention of the continuing disclosure of his/her personal data. If any personal data remains un-erased or if disclosure continues unrestricted despite such best efforts, the data fiduciary shall not be liable for the penalties mentioned above, especially since the Data Principal was informed of the difficulty in erasing personal data from the blockchain.

Conclusion

Blockchain is the technology of the future and is here to stay, notwithstanding legislative impediments. Law is usually slow in keeping up with technological advancements. In our considered opinion, the PDP Bill ought to be amended (before it comes into force) to provide that data fiduciaries who operate a blockchain can obtain prior, ‘irrevocable’ consent from Data Principals for the processing of their personal data after providing Data Principals with sufficient information regarding the salient features of blockchain technology and the importance of immutability of data in the blockchain. The provisions of the PDP Bill dealing with the Data Principal’s right to withdraw consent should be disapplied in cases where the personal data is stored in a blockchain.
