How secure is blockchain?
Blockchain can be robust, secure, and trusted – as long as the technology is executed properly.
Blockchain technology is transforming the way we do business by allowing consumers to cut out the middleman in numerous vital services, reducing costs and boosting efficiency. In this way it has the potential to reduce poverty throughout the developing world.
But is it secure? More specifically, can blockchain-based technologies simultaneously offer trust and privacy to ensure private and tamper-free records?
This issue should concern those development institutions, businesses and governments exploring blockchain for more efficient delivery of aid, money remittances, smart contracts, health services and more. Likewise, social entrepreneurs must ask the same question as they pursue the potential for cheaper international payments, clearer property rights and broader access to finance.
Blockchain is perhaps best understood as a decentralized ledger that can diminish costs by removing intermediaries such as banks and effectively decentralizing trust. The technology appends entries to the ledger which are validated by the wider user-community rather than by a central authority.
Each block represents a transactional record and the chain links them. The distributed computer network confirms the record and lists the blocks of transactions sequentially – hence the blockchain.
Importantly, nothing of value is on the blockchain, just as with printed money or a bank’s database, and the controversial cryptocurrency Bitcoin is simply an application of blockchain.
So, is the block really immutable? The answer is no.
Perfect immutability does not exist; blockchain, like any other network, is technically prone to modification. But because the computers, or nodes, on a blockchain network are distributed, the mathematical puzzle and computing power required to make changes makes modification nearly impossible. To alter a chain, one would need to take control of more than 51% of computers in the same distributed ledger and alter all of the transactional records within a very short space of time – within 10 minutes for Bitcoin. To date, this has never happened.
What about security and privacy?
Although it may be difficult to achieve simultaneous security and privacy in a conventional information system, blockchain can do so by enabling confidentiality through “public key infrastructure” that protects against malicious attempts to alter data, and by maintaining the size of a ledger. The larger and more distributed the network, the more secure it is believed to be.
Other perceived concerns about blockchain include limited scalability, insufficient data privacy and a lack of harmonized industry standards.
For example, even with privacy-enhancing technologies such as encryption and identity management, blockchain transactions can be seen throughout network nodes. These produce metadata and statistical analysis can reveal information even from encrypted data, allowing for pattern recognition.
Data privacy is a particularly thorny issue in the EU, where the General Data Protection Regulation (GDPR) which takes effect in May imposes stricter conditions for consent and data retention, requiring businesses to protect the personal data and privacy of citizens for transactions in the EU. It also disallows personal data from leaving the EU, giving citizens “full and ultimate control over all their data”.
This is a problem for both public blockchains, which do not control who hosts a node, and private blockchains (also called permissioned blockchains) as data cannot be deleted here. The new regulation also recognizes the “right to be forgotten”, which conflicts with the “immutability of transactions” on blockchain.
Vitalik Buterin, co-founder of Ethereum, another blockchain system like Bitcoin and Hyperledger, has noted that there is indeed a “scalability trilemma” in which only two of three properties—decentralization, security, or scalability—can be attained.
In distributed ledger protocols, every node stores and processes all transactions and maintains a copy of the entire “state” of account balances, contracts, storage, and so on. Running a full node allows users to have privacy and security but it is cumbersome as the number of transactions is constantly increasing, making scalability difficult.
If developers increase the size of a block in order to accommodate more transactions, the volume of data that needs to be stored also grows. Thus, as each node reaches capacity, only a few large companies will have the resources to run them, putting decentralization and scalability at odds. Developers are looking for ways around the trilemma.
It is worth noting that private blockchains do not face such scalability problems and can handle significantly more transactions per second.
To get around data privacy issues, a blockchain operator may store personal data and the reference to this data off-chain with a “hash” of the information – a one-way transformation of data to an unreadable piece of information.
Storing data off-chain means that personal data needs to be held by the individuals themselves or in a more traditional database. Know-your-customer documents, such as a scanned driver’s licence or passport, can be stored off-chain using traditional technology, such as a standalone database and application systems.
But storing data off-chain reduces transparency and immutability and increases the risk of lost or stolen personal information as it is spread across other networks.
An emerging solution is “self-sovereign identity”, a digital concept allowing an individual to control personal information and have better control over with whom they share it. As blockchains become components of businesses, institutions and systems, it will be important to interpret laws and application designs to maximize synergy and balance regulation, innovation, competition and data privacy.
Notably, the privacy of blockchain depends on users. If encrypted, and keys are held securely, it is not an issue. In many ways, blockchains are more secure than a centralized system.
Blockchain's potential is clear
Two major Australian banks have successfully used blockchain for bank guarantees relating to commercial property leasing of a shopping center operator. The digitized guarantee created a single information source with lower fraud potential and greater efficiency.
Blockchain’s “irreversible” and encrypted data blocks can also help to fight cybercrime, as a hacker’s attempts to change data will be flagged immediately. As applications of blockchain for cybersecurity emerge, companies and governments are signing up.
US defense contractor Lockheed Martin announced last year that it is integrating blockchain into systems engineering, supply-chain risk management and software development.
Meanwhile, several Indian states are exploring blockchain-based systems to improve information efficiency and enhance cybersecurity. In 2017, Andhra Pradesh signed up Swiss cybersecurity company WISeKey International to ensure citizens’ information stored in databases remains secure with blockchain.
Recently, Irish company AID:Tech became the first organization in the world to deliver international aid to refugees transparently using blockchain.
In short, blockchain technology can be robust, secure, trustworthy, and private. Ultimately, security is ensured by solid architecture, secure design practices and effective workflow policies.
So, do the potential benefits of blockchain outweigh the risks? In short, yes, as long as it has been executed properly.
Any system has vulnerabilities. In today’s technology-driven financial sector, supervisory and regulatory frameworks need to enable innovation while ensuring stability, consumer protection and competition. This means that new digital products and services must be designed and developed with regulatory, cybersecurity and data-privacy compliance integrated from the outset.
This blog was first published by the World Economic Forum and relates to the 2018 ADB Annual Meeting seminar New Technologies in Finance: Opportunities and Challenges for Asia. Follow the 2018 ADB Annual Meeting on Twitter @ADB_HQ using the hashtag #ADBManila.