Another day, another apparent attempt to exploit people's greed and ignorance with an initial coin offering (ICO).

This time it's the turn of - wait for it - the “GDPR Cash token”, which promises access to “a community of GDPR experts” who can help businesses find their way around all 11 chapters and 99 articles of the EU's General Data Protection Regulation, due to come into force on May 25.

It seems pretty easy to become one of these “experts” - the white paper makes no mention of any prior qualifications, simply saying:

Experts can register on our platform at no charge and will be listed on our websites. They will receive bonus tokens upon registering.

Here's a screenshot from their website:

(By the way, “GDPR tokens are not securities”! “GDPR tokens are non-refundable and are not intended for speculative investment”, you got that, SEC?)

It's not clear whether the GDPR Cash token will actually itself be compliant with the GDPR - the white paper does not detail how it will make sure it is obeying the new rules.

But what is clear is that there are some big questions around how blockchains, the “immutable” distributed ledgers underpinning decentralised currencies like bitcoin, and GDPR, which aims to protect EU citizens' data and codifies the right they already have to be forgotten, can co-exist.

As Michèle Finck, Oxford EU law lecturer and senior researcher at the Max Planck Institute, told us:

The GDPR was created for a world in which we have centralised data silos that collect, store and process data. Blockchains essentially decentralise all of those processes. So you certainly can’t deny there’s a tension between GDPR and blockchain, because they represent different visions of what the database is. As a result, it’s very hard to figure out what a GDPR-compliant blockchain would be.   

One of blockchain's key selling points is that once data - either transaction data or otherwise - are stored and confirmed across its distributed network of nodes, they are then locked into the ledger for time immemorial.

The process works as follows: groups of data are bundled up into blocks that are then processed and chronologically chained on top of each other through a hashing process that makes it almost impossible to change any of the data without altering all other blocks - hence the famous “tamper-proof” distributed ledger that, we are told, ensures its reliability.

But GDPR is designed to give people the right to request their data back, which would not be compatible with a public blockchain as described above.
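
The chaining described above, and what an erasure request does to it, as a minimal added example (not from the article or from any real blockchain's code). The block layout, function names and sample records are constructed for illustration; proof-of-work and network consensus are left out.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used for the first block


def block_hash(prev_hash, records):
    """Hash a block's records together with the hash of the block before it."""
    payload = json.dumps({"prev": prev_hash, "records": records}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(batches):
    """Bundle each batch of records into a block chained to its predecessor."""
    chain, prev = [], GENESIS
    for records in batches:
        h = block_hash(prev, records)
        chain.append({"prev": prev, "records": list(records), "hash": h})
        prev = h
    return chain


def broken_blocks(chain):
    """Return indexes of blocks whose stored hash or back-link no longer verifies."""
    bad, prev = [], GENESIS
    for i, block in enumerate(chain):
        recomputed = block_hash(block["prev"], block["records"])
        if block["prev"] != prev or recomputed != block["hash"]:
            bad.append(i)
        prev = block["hash"]
    return bad


def erase(chain, index, record, rehash=False):
    """Remove one record, as an erasure request would require.

    With rehash=True the edited block's hash is recomputed, which only moves
    the break forward to the next block's back-link.
    """
    chain[index]["records"].remove(record)
    if rehash:
        chain[index]["hash"] = block_hash(chain[index]["prev"], chain[index]["records"])
    return broken_blocks(chain)


# Constructed sample data: three blocks, the middle one holding a personal record.
SAMPLE = [["alice pays bob 5"], ["carol: home address 1 Example St"], ["bob pays dave 2"]]
```

Deleting the record makes block 1 fail verification; recomputing its hash shifts the failure to block 2, and so on down the chain, which is why every later block on every node would have to be rewritten to honour the request.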

The apparent conflict between open blockchains and the new data privacy laws inspired Jerry Brito, director of DC-based bitcoin advocacy group Coin Center, to write a Medium post last week in which he argued GDPR was “incompatible with open blockchain networks” and that Europe was “closing itself off from the future of the Internet to its detriment” in bringing in the new regulation.

Brito's comments were followed up by a report in The Verge (that Brito himself tweeted a link to) that said he was seeking an exemption from GDPR for blockchains, which caused a bit of a stir online.

Although Brito told us that report was a misrepresentation of what he believed, he stuck by what he had said in the report, which included the following:

We’re optimistic that our European friends will come to see that their legitimate privacy concerns are best addressed not through law, but through decentralising technology itself.

Who needs the law when you have disintermediated trust to keep data secure and safe?

He continues:

Open blockchain networks, cryptocurrency, and general encryption are the backbone of a new more secure and private Internet on which individuals have more control over their data, and firms are less incentivized to track and spy on their users.

That does sound lovely. But how are we meant to control data when it is forever stored on an amazing technicolour dreamledger?

Sure, with a transaction, you can reverse a transaction by sending one back in the opposite direction. But what happens if some revenge porn gets onto the ledger? How would you go about reversing that? (The bitcoin blockchain already contains links to illegal pornography, according to a report published earlier this year.)

Crypto security firms like Chainalysis and Elliptic have also shown that, because open blockchain networks like bitcoin's and Ethereum's are merely pseudonymous - as opposed to anonymous - these networks are not so private after all. Cryptocurrency addresses can be linked back to real-world identities by tracking transactions and online activity.

Here's Finck:

What people in the blockchain camp are mostly arguing is that blockchains can be good for privacy and data protection. I think that is right in theory, but it isn’t right in practice right now. If you look at the public blockchains, they’re really not good for privacy at all. 

So what about companies that run private, so-called “permissioned”, centralised blockchains, like Ripple, or the ones being built by banks?

As we've pointed out here before, there's really not much difference between those private blockchains and any other centralised database systems, so there's no reason they shouldn't be compatible with GDPR.

What's important, therefore, is that running a blockchain doesn't suddenly become a golden ticket for a company to get past data privacy laws just because it's difficult to apply a legal framework to it.

Distributed ledgers sound great. But we'll stick to the rule of law - flawed as it may be - to protect our data privacy for now, thanks.

Related links:
When capitalism wants to data mine you - FT Alphaville
Taking the block out of blockchain... - FT Alphaville
EU warns member states over data protection reforms - FT
What the EU’s tough new privacy rules mean for Big Tech - FT
Why blockchain is a belief system - FT Alphaville

Copyright The Financial Times Limited 2024. All rights reserved.