Head in the Sand 2: ignoring the incompatibility between GDPR’s right to be forgotten and blockchain’s immutability. And the fact that most blockchains are vulnerable to ‘poisoning’.
While an enormous amount of diligence was undertaken in the preparation of the EU’s GDPR arrangements, people are already questioning its inflexibility and its inability to keep up with the changing technology landscape. In particular, GDPR’s right to be forgotten is in conflict with blockchain’s immutability and there have been calls for special provisions to be made to resolve this.
Increasingly, artificial intelligence is being adopted by both sides in the battle to spot and either exploit or patch vulnerabilities, but what if the vulnerability is a fundamental characteristic of the technology, as immutability is to blockchain? Previously I’ve mentioned that public blockchain is thought not to be GDPR compliant. We know what the destination fields of blockchain transactions are meant for, but people don’t always use them that way: large files have already been put onto the Bitcoin blockchain – such as Satoshi Nakamoto’s entire whitepaper (see the picture).
The problem arises when someone puts sensitive information onto the blockchain which later needs to be removed, and it cannot be, because the chain is immutable. Consider the following scenarios:
- Malicious scenario: a bad actor adds encrypted PII or child pornography to the chain, waits until it is part of the chain, and then makes the encryption key public. Anyone holding the child pornography then has to delete it immediately. Likewise the PII (it could be credit card details): if it is not removed, the blockchain is non-compliant with GDPR.
- Idiot scenario: an idiot accidentally enters his own or another person’s PII onto the chain (possibly encrypted). A while later his encryption key is stolen, or he simply asks for the PII to be removed. Again, you have the same GDPR issue.
This is called blockchain poisoning. According to the analyst firm Gartner’s Prediction for the Future of Privacy 2019: “By 2022, 75% of public blockchains will suffer ‘privacy poisoning’ — inserted personal data that renders the blockchain noncompliant with privacy laws.”
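To make the immutability point concrete, here is an added example (my own toy code, not taken from any real blockchain implementation): a minimal hash-linked chain in which deleting a record from a block that already has blocks built on top of it invalidates everything that follows, whereas the same deletion in the newest block goes unnoticed. That is exactly why both scenarios above hinge on the data already being part of the chain. Record strings and the `note:PII-PLACEHOLDER` value are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass, field

GENESIS_PREV = "0" * 64


@dataclass
class Block:
    index: int
    prev_hash: str
    records: list  # transaction payloads; in practice any bytes can end up here
    hash: str = field(init=False)

    def __post_init__(self) -> None:
        self.hash = self.compute_hash()

    def compute_hash(self) -> str:
        # The hash covers the link to the predecessor, so it pins the whole history
        body = json.dumps([self.index, self.prev_hash, self.records]).encode()
        return hashlib.sha256(body).hexdigest()


def build_chain(batches: list) -> list:
    """Build a toy hash-linked chain, one block per batch of record strings."""
    chain, prev = [], GENESIS_PREV
    for i, batch in enumerate(batches):
        chain.append(Block(i, prev, list(batch)))
        prev = chain[-1].hash
    return chain


def validate(chain: list) -> bool:
    """True only if every block hashes correctly and links to its predecessor."""
    for i, blk in enumerate(chain):
        expected_prev = chain[i - 1].hash if i else GENESIS_PREV
        if blk.hash != blk.compute_hash() or blk.prev_hash != expected_prev:
            return False
    return True


def redact_record(chain: list, block_index: int, record: str) -> bool:
    """Delete a record in place (a 'right to be forgotten' request); return chain validity."""
    blk = chain[block_index]
    blk.records = [r for r in blk.records if r != record]
    blk.hash = blk.compute_hash()  # re-hash the edited block ...
    return validate(chain)          # ... but later blocks still reference the old hash
```

Calling `redact_record` on the middle block of a three-block chain returns False (every later block now points at a hash that no longer exists), while the same call on a two-block chain's newest block returns True; on a real network the committed block is also replicated and, on proof-of-work chains, mined, so even the tip is not quietly editable.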