on blockchains and privacy
The relationship between blockchains and privacy is an interesting one. Traditionally, a lot of people have thought of blockchains as facilitating an underworld of clandestine activities. In this way, the bitcoin blockchain formed the engine facilitating internet users across the world to transact in anonymity and buy all the drugs their hearts so desired - the unearthing of such activity led to the fall of the infamous Silk Road. And so, on one narrow view, the narrative goes that blockchains are this mysterious engine credited with powering the first truly anonymous payment system.
But therein lies an irony. While enabling (somewhat) anonymous payments to purchase substances that make the mind go brrr, these engines of mystery are simultaneously the building blocks for the most transparent public accounting systems the world has yet to see. And yes, I just used two conjunctions in a row to start a sentence. We are not in law school anymore, Alice. Actually that was three. And anyways, there is no rule providing for such a prohibition in the first place. Bite me.
Ok. So building on this idea of super anonymous but actually super public blockchains. In the case of the bitcoin blockchain, it enables users to transact in bitcoin by recording the details of every transaction on this public account (often called a ledger). This would be similar to if every time you made a purchase with your credit card, the details of the transaction were published for all to see and comb through in an online database.
Bbbbbbut what about anonymity? The user's name is not recorded on the blockchain, but rather a username of sorts: their public key. This public key is a jumbled-up string of letters and numbers unique to that person. And so, as long as the user does not reveal their ties to their public key, their transactions online are anonymous. If I happen to learn your public key, however, (such as if you sent it to me so I could send you some coin) I can then see your entire history of transactions tied to that particular key.
Therein lies a sort of blockchain paradox; anonymity insofar as you desire and succeed in protecting your public key, but total transparency in the event that you fail. And even if you've succeeded in protecting your public key, someone else might not be so diligent. For example, the popular exchange Celsius released a massive document revealing the public keys of over half a million of its customers, in one of the largest data privacy breaches the crypto space has seen.
So, the big privacy question becomes: beyond transaction data, what happens when people start regularly storing their personal data on blockchains (ignoring the fact that one's public key itself may be personal data)? Be it medical or financial records, or your metaverse persona, certain safeguards must be put in place for this. If the information stored on blockchains is immutable (i.e. permanent), how do you exercise your various statutory rights, such as the GDPR's right to be forgotten? In the event that Nintendo revives their Mii-verse, does a legislative right to data portability allow you to transfer your life from Zucc's Metaverse over to Nintendo's platform? Many avenues of analysis and critique arise from these issues that we will explore later; for example, the right to data portability may allow (and mandate) such an option in theory, but whether this is possible in practice is another matter altogether.
Most legislative initiatives have been designed and implemented with centralized models of data storage and management in mind. These models think in terms of big tech companies storing treasure troves of personal data on their millions of users, and then users must exercise their rights against said companies. But to the extent that users can be said to have gained any appreciable new control over their personal data post GDPR and other similar initiatives, such models of regulation have failed. Notions of returning control of personal data to individuals underpin many of the regulatory initiatives concerned with data privacy, but at present these amount to little more than fancy rhetoric.
Two questions arise at this juncture. First, will decentralized models of data storage and management (where users control and allow big tech companies access to their personal data, as opposed to big tech companies controlling and allowing users access to their personal data) prevail in light of the failures of centralized models? In other words, could blockchains succeed in returning control over personal data to individuals where regulation has failed? And second, how will data privacy regulation mold to protect this paradigm shift?