Townsend Security Data Privacy Blog

The ongoing crisis in cryptocurrencies is casting a negative shadow on the underlying blockchain and similar Web3 technologies. I’ve never been a fan of cryptocurrencies and NFTs, and I don’t have any investments there. But I do have some technical experience with blockchain and similar Web3 technologies like the InterPlanetary File System (IPFS). I thought I would share some thoughts on Web3 technologies and their potential. A bit scattered, but here goes:

A nerd’s view

My background is in encryption technologies and data privacy. When I started learning about blockchain a few years ago I developed a sense of wonder at the technological beauty of the invention. Blockchain uses cryptography, a distributed architecture, a creative internet communications technology, an automated consensus method, and an application model (smart contracts) to create a truly different way of storing and sharing information. No really new cryptographic inventions in all of this, but blockchains are an amazing way to use cryptography in a new distributed fashion. Pretty cool stuff.

Cryptocurrencies and blockchain

Bitcoin is a cryptocurrency that is built on blockchain technologies. Almost all cryptocurrencies are built on some variation of the blockchain architecture and technology. Digital currencies were one of the first uses of blockchain, but by no means the only use. I know of efforts to use blockchain technologies in the areas of real estate, supply chain management, banking, and insurance. Blockchain is great when you need solid provenance and a resilient distributed system. But, of course, money and financial instruments have a lot of emotional appeal, and so we have been inundated with news and information on cryptocurrencies. That’s unfortunate, in my opinion.

Cryptocurrency noise and distraction

A number of cryptocurrency advocates focus on the supposed benefits of eliminating centralized finance intermediaries, like banks, that control the exchange of money. The complaints often include excessive costs of these intermediaries, limitation of some level of freedom imposed by them, and a variety of other implied nefarious activities by large banks. About cryptocurrencies we often hear something like “Look, it's built on cryptography. It’s trustless and can’t be corrupted!” Or something along those lines. As we now know cryptocurrencies are not immune to corrupt operators and practices, and when you lose money you really miss those intermediaries! It turns out that intermediaries bring with them a level of governance, regulatory control, and insurance against loss. Nice to have when things go off the rails!

Web3 applications and value

Can new Web3 technologies provide any lasting value? We can admire the technology behind Web3 technologies, but at the end of the day I believe that applications built on Web3 need to prove that they can provide better value to individuals and businesses. I think new Web3 applications need to:

• Provide a great user experience. No one wants to fuss with complicated technologies, it has to be intuitive and easy to use.
• Perform well. No one wants to wait for an hour for their data and messages to get delivered.
• Work seamlessly on our PCs and our mobile devices. 
• Be resilient in the face of hardware and network failures. Can we stop losing files now?
• Provide better security. Is there a way to avoid losses from phishing emails and poisonous websites?
• Insulate us from unwanted advertising and snooping. Do we really need to see 5,000 ads every day?

Successful Web3 applications must have a WOW factor. They have to be a lot better than what we have now. I am convinced that Web3 technologies can deliver on these goals. But it is not guaranteed this will happen.

Application challenges with blockchains

My experience with blockchain application development tells me that blockchain technology will be great for some applications, but will be difficult for general user and business applications. While blockchain technologies (Ethereum, hyperledger, etc.) seem stable, they have real challenges for application developers. Here are some issues that can impact application development:

• Blockchains can perform well with a small number of transactions, but may have difficulty with performance as usage scales up.
• Blockchains are good for small transactions, but do not handle larger amounts of data well.
• Smart contracts (blockchain applications) can be harder to code and test, and there are a limited number of experienced developers.
• By their nature smart contracts cannot be easily modified. This is good when it comes to resisting hackers, but bad when it comes to pushing code and security fixes.

But there is hope! Blockchain is not the only Web3 technology.

InterPlanetary File System 

The InterPlanetary File System, or IPFS, is a Web3 technology that may provide a much better platform for many new Web3 applications. Despite its clunky name, it embodies many of the cryptographic functions that you find in blockchain technology, but without some of the drawbacks such as smart contracts. It is an open source project maintained by Protocol Labs and freely available to use. Developing applications on IPFS avoids some of the problems associated with blockchain. While there are drawbacks in the areas of security, it holds some real hope as a new application platform. 

Today you will find that a lot of NFTs are using IPFS for storage. But I think a lot of these early types of applications will fade in importance as serious applications are developed using this technology. While IPFS has been out in the wild for a few years, and seems stable, we will continue to see the platform enhanced. I think IPFS holds promise. You can find more about it here:

https://ipfs.io

Patrick

As blockchain technologies make their way towards general acceptance in private and public sector IT systems, the critical issues of governance, risk management and compliance come into play - and blockchain teams are maturing to address these areas. One important gap to fill involves the proper protection of sensitive data in a blockchain deployment. It seems odd to discuss data protection in the context of blockchain. Isn’t blockchain based on cryptography? Yes, it is, but there remains a gap in the area of data protection. Let’s delve into this in more detail.

Blockchain’s innovative way of linking transactions and guaranteeing their immutability in a distributed ledger is based on well known and respected cryptographic algorithms and processes. The ability to extend this level of assurance across a large number of widely distributed nodes is clearly an amazing extension of modern computing. While there have been security lapses in public blockchain implementations, these have generally been related to improperly securing credentials and mistakes in implementing chaincode. Blockchain methodologies are standing up well to external attacks.

One important aspect of blockchain is its transparency. That is, everyone has perfect visibility into the transactions on a ledger and their current validity. This transparency is a core feature of blockchain - and that leads to a problem:

Some data that we want to put on the blockchain is sensitive, and we may not want to expose it to others.

There are lots of reasons why we might not want some information on the blockchain ledger to be transparent:

• An organization’s reputation suffers when they lose or expose sensitive information. This is true for both public and private organizations and a significant loss of reputation is difficult to mitigate.
• Even little bits of data in blockchain transactions needs to be protected. When sensitive data in a blockchain ledger are aggregated, it can indicate the direction of a business’s activity and leak important information about strategic developments to it competitors.
• Compliance regulations prevent storing sensitive personal information in the clear. The PCI Data Security Standard mandates that credit card (Primary Account Numbers) be encrypted. The New York Department of Financial Services (23 NYCRR 500) requires the encryption of certain sensitive information. The EU General Data Protection Regulation (GDPR) mandates the protection of sensitive information of “Data Subjects”. here are other regulations that require or recommend protection of sensitive data.
• Digital assets that represent intellectual property need to be protected from cybercriminals and state actors. The loss of key intellectual property can be devastating to a startup or mature enterprise.

Therefore, it is critical for organizations to design proper data privacy into blockchain projects from the very beginning. It is painful and potentially impossible to fix data privacy gaffs after the fact.

Some blockchain advocates suggest that the solution to this conundrum is to not place sensitive information on the blockchain at all. But this is an impossible goal. Data on a blockchain may not specifically identify an individual, but may contain enough information that it can be combined with previously leaked information to form a full picture of an individual. Remember that hackers are really good at data aggregation. Losing a little sensitive information can lead to an embarrassing loss of a lot of information.

Other blockchain advocates suggest that the answer to this problem is to store sensitive data off of the blockchain altogether. But does this really solve any problem? This approach loses the many advantages of blockchain technology, and doesn’t do anything to solve the data protection puzzle. “Out of sight, out of mind” is not a solution to any problem.

Some blockchain implementations attempt to achieve privacy through “add on” features. Hyperledger channels and collections are two examples of this. These facilities use access controls to attempt to achieve this. As good as these facilities are, access controls will not address the data protection requirements of compliance regulations, nor provide other protections that encryption provides.

For all of the reasons we encrypt sensitive data in traditional databases, we need to encrypt sensitive data on a blockchain. This doesn’t mean that we have to encrypt everything that we put on the blockchain ledger, but it means we have to have the same intelligence in regard to sensitive data on blockchains that we have in the most secure systems today.

Fortunately, we can accomplish data protection on blockchains and maintain their usefulness. In fact, not only CAN we accomplish this, we MUST accomplish this in order to preserve the usefulness of blockchain technology.

If we are going to encrypt data that we put on a blockchain, we have to address a few requirements that are specific to blockchains:

• We have to use industry standard encryption algorithms, such as AES, to meet compliance regulations.
• We have to manage encryption keys using industry standards and best practices. This means storing encryption keys away from the blockchain ledger and doing so in a provably standard and secure way.
• We have to make encryption keys available to the users and smart contracts that need them. This is a challenge in a distributed blockchain environment.
• We must authenticate user’s authority to use encryption keys.
• We must have a mechanism for restricting access to encryption keys, and for granting and revoking access to those keys.
• We know how to accomplish these tasks in a traditional, centralized IT system. Years of work have produced standardized approaches to encryption. But blockchain presents real challenges to meeting these challenges.

Fortunately, innovation in the area of protecting data on a blockchain ledger is advancing.

At BlockNKey we built a key orchestration system architected from the ground up for distributed ledger technology. NIST compliant encryption and key management, a key vault, and key access control are built into each registered blockchain node. Cryptographic keys grant permission to whomever is permitted access to the data, how it’s accessed and when it’s accessible. This enables multi-party access to the appropriate data in real time through verified and validated access points. BlockNKey is compatible with public and private blockchains while enabling proper data security with easy to use REST APIs. It will even help you if you are storing sensitive data “off chain”.

Townsend Security has partnered with BlockNKey to bring an encryption and key management solution to blockchain users. More information here.