The International Organization for Standardization recently published Technical Report number 23244:2020 on ‘Blockchain and distributed ledger technologies – Privacy and personally identifiable information protection considerations.’
Its approach is broadly in line with the recommendations of the EU Blockchain Observatory and the “CNIL”. After reminding readers of the increasing numbers of privacy requirements globally, it lists some of the privacy risks associated with distributed ledger technologies and suggests solutions to mitigate those risks. Several of these privacy solutions form part of the survey being conducted by the Blockchain Chamber of Commerce. The survey remains open, and participants are invited to contribute.
ISO 23244 mentions that off-chain and on-chain data storage should be considered when examining privacy solutions. Where data stored on-chain needs to be amended or deleted, potential solutions include creating a ‘hard-fork’ in the chain or the cessation of that chain. Off-chain storage solutions include using ‘hashes’ which allow the proof of the existence of the data to be stored online.
Some more specific privacy solutions include:
- Pedersen commitments are a form of cryptography which enable a certain set of data to remain private, while ‘committing’ to that data by publishing a hash of that data.
- Zero knowledge proofs are cryptographic protocols which prove the existence or truth of a certain set of data, without revealing the underlying data.
- Ring signatures create a signature among a group of potential signatories, which does not reveal which of those potential signatories is using the ring-signature at a given time or for a given transaction.
- Stealth addresses allow a sender to generate a one-time use payment address.
- Layering of cryptographic measures allows the entirety of a transaction to remain private. There are generally three points in a transaction where data can be revealed: the sender’s identity, the recipient’s identity and the transaction details. Different privacy solutions cater to one or all of these three areas. Layering or combining different solutions can achieve privacy at each of these areas, as illustrated in the table below:
Privacy impact assessments
ISO 23244:2020 mentions some of the privacy threats and vulnerabilities that organizations should consider and mitigate against when carrying out their Privacy Impact Assessments. Risks discussed include: poor password management, poor coding practices, poor security (physical and cyber), uncontrolled access to data, attacker writing sensitive data into the ledger, and exploitation of obsolete hardware, middleware and software.
ISO 23244:2020 suggests that privacy policies might wish to state how the blockchain and DLT system can:
- Constrain any access to PII to those people who ‘need to know’ and for ‘explicitly stated purposes’ only;
- Collect, store and notarize the consent and notice of the individuals whose data is being processed;
- Ensure transparency, for example by notifying individuals regarding the processing or access by third parties;
- Ensure data minimization by deleting it once the purposes of the processing have been completed;
- Ensure the data remains accurate and up to date; and
- Enable individuals to view and ask for their data to be amended or deleted.
This Technical Report should be helpful for the blockchain and cryptography industries generally by increasing awareness among developers about the technologies available to them to develop a privacy-compliant system. This in turn will help promote confidence in the wider non-blockchain/crypto community about the security and privacy of data and will assist in its wider acceptance in general commerce.
By Ash Costello
“Ash Costello is a Privacy and Financial Services Lawyer, Author & Speaker, with a particular focus on the privacy requirements and challenges of blockchain, digital identities, payments systems and cryptocurrencies. She previously acted as Global Head of Legal for a multinational financial services organization, and spent years working in private practice in London’s financial services law firms.”