GDPR Lock Cybersecurity

 

This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.

 

2018 has been a disaster for personal privacy. More than a decade after social media became the de facto digital activity for billions of people, we are beginning to see the consequences of that behavior.

Although Web platforms frequently promote themselves as “communities,” they are actually profit-hungry corporate platforms that feed on user data to satiate their continual need for higher profits.

For instance, Google and Facebook, two of the world's most prolific Web platforms, generated more than $150 billion in revenue last year, even though neither platform is particularly well known for selling an actual product. In this case, the popular adage “If you're not paying for it, you're the product” feels particularly apt.

Indeed, for years, online platforms harvested their users' data and sold it to advertisers who processed that information and returned it to their users in the form of targeted advertisements. This approach has been incredibly lucrative, and it helped foster the Internet's prodigious growth. Users had the illusion of navigating an incredibly compelling and inexplicably free ecosystem while companies profited from their activity.

Unsurprisingly, mounting privacy concerns were validated in March when Facebook's Cambridge Analytica scandal was fully uncovered and reported around the world. The debacle played out over several years as Facebook users unknowingly agreed to have their data and their friends' data culled for advertising purposes. Eventually, that information was weaponized by the Russian government to subvert the 2016 U.S. presidential election.

Politics aside, this revenue dynamic has contributed to diminished civil discourse, the virality of fake news, and the hyper division facilitated by the exploitation of our worst biases and prejudices. In short, the emergence of the big data movement hasn't truly benefited many people, although corporations have profited immensely from its propensity.

In general, people were rightfully aghast when they recognized the extent of the data ecosystem that they operate within. After years of unbridled growth and expansion, Facebook announced slowing user growth. Investors punished the company in a broad sell-off that plunged their stock more than 20% in a single day. The drop was so precipitous that The Wall Street Journal described it as “the biggest-ever one-day loss in market value for a U.S.-listed company.” Of course, a falling stock price isn't the only change impacting the era of big data.

Governments Step In

The general malaise regarding user data was so intense that governments were inclined to take action.

In the U.S., Facebook CEO Mark Zuckerberg was hauled before Congress for two days of grueling testimony about his platform's data policies and general role in the digital culture. Since then, he's been on a perpetual world tour testifying before other governments about the burden of his platform's prowess.

Meanwhile, in May, the European Union's General Data Protection Act (GDPR) officially went into effect. This milestone legislation is intended to protect consumer data by giving them more control over how it's used. As the barrage of emails alerting users to changing privacy policies indicates, GDPR is sweeping legislation that returns data control to its users.

For example, GDPR gives users more ownership over the methods used to collect their data, provides consumers with more opportunities to opt-in to personal data collection, and places an onus on companies to justify what they do with their users' data.

Perhaps the law's most critical feature resides in Article 17, which affords consumers the right to be forgotten. Under this arrangement, consumers can request that their information is deleted, and companies are legally compelled to acquiesce.

This is great news for consumers who have been powerless to control their online information for most of the modern digital age. As Enza Iannopollo, a security and risk consultant at Forrester Research Inc., told The Wall Street Journal, “GDPR is an opportunity to better engage with customers ….This is something that helps both sides because when financial services are clear with customers, customers are more willing to do what a company is asking them to do.”

Iannopollo's sentiment highlights the public relations opportunities afforded by GDPR, but the logistics are immensely challenging.

The Limits of GDPR

GDPR's requirements open up a quagmire of new problems for companies and consumers.

It's possible that bad actors can take advantage of the changing norms to defraud consumers. For instance, a cybercriminal could request a user's information be deleted without the actual user's knowledge. It's possible to imagine a cybercriminal changing a customer's address before shipping expensive items and subsequently discarding this information under the guise of GDPR. This could cover the tracks of a criminal without actually protecting the customer in a practical or realistic way.

Moreover, it can be extremely difficult for consumers to verify that companies are GDPR compliant, especially regarding the established right to be forgotten.

The Blockchain As a Solution and a Hindrance

To remedy these challenges, many commentators are positing blockchain technology as a ready solution for establishing GDPR compliance. Indeed, despite its relative novelty, the blockchain offers several compelling contributions to this debate.

Initially conceived as the accounting mechanism for Bitcoin, the blockchain is uniquely adept at creating perfect records that are readily viewable by a broad audience.

Furthermore, a tokenized ecosystem could allow companies to interact with the customers without collecting data from them. Under this model, users can participate in a platform in a verified manner, while withholding their personal information in lieu of a proxy token that affirms their identity, financial information, or other credentials.

Many blockchain-based platforms addressing everything from the sharing economy to the digital ownership rights are pursuing this approach. Most notably, the spirit of accountability and transparency posited by the blockchain feels uniquely appropriate for this moment.

At the same time, the blockchain's permanence makes it a bit of an enigma for the GDPR era. Anne Toth, head of data policy for the World Economic Forum, wonders the same thing. “Blockchain is not designed to be GDPR-compatible. Or rather, GDPR is not blockchain-compatible the way it is written today,” she writes.

If the blockchain can't delete data, its strengths become liabilities for companies striving to comply with the new law. With billions of dollars in investment capital and many industry experts describing the blockchain as the Internet 3.0, this particular feature could be extremely problematic.

A Modified Blockchain Approach

While the blockchain is a compelling storage architecture, some adaptations can be made that improve functionality and help companies achieve GDPR compliance.

First, companies can store their users' data off-chain while producing a link to that data in the form of a hash. In this way, user data can be deleted without disrupting the blockchain. The blockchain is not a one-size-fits-all approach to data management, but it is uniquely adept at storing hashes that are produced when a file is analyzed through an algorithm. The hash cannot be traced back to the original file, but if any changes are made to the data, it updates the algorithm as well. It's a smart approach that combines the prowess of blockchain architecture with the practical demands placed on businesses. The modified approach uses the blockchain's permanence to create comprehensive records of when, who, and how personal information was shared.

This process can be facilitated by the blockchain's smart contracts, which make the entire process quick and automatic. In this format, user information can be designated to be stored only on users' devices or other approved locations rather on than a company's existing infrastructure. This decentralizes the data without neglecting GDPR responsibilities.

Conclusion

It's clear that the onset of GDPR regulations and a quickly changing consumer sentiment about the sensitivity and value of their personal data will reorient a company's interactions with their customers and their information. There will be some pain points in this transition, as Facebook investors recently demonstrated, but it doesn't have to be a unilateral downturn for the tech industry.

The right technology can help, and the blockchain movement will play a critical role in many company's tech development. However, it would be foolish to presume that the blockchain is a wholesale solution for GDPR. By modifying blockchain implementation, it's possible to retain its benefits while mitigating its detractions.

We've entered a new era of data management, and it seems likely that the companies that adopt the most compelling solutions will be the first to reap the benefits of the change.

 

Michael Smolenski is the CEO and founder of Lightstreams. An ex-Goldman Sachs Software Engineer and the founder of several startups, he has won a number of blockchain awards for innovative solutions in micro-insurance and real estate.