Autonomous Blockchain Privacy Concerns

Updated: Jul 12, 2020

Blockchain enterprises globally are beginning to introduce networks that are envisioned to act as the foundation and gateway for next-generation businesses. In their intended role, these networks will serve as the infrastructure for entrepreneurs to provide innovative decentralized applications to potential consumers. What is arguably the most interesting aspect of these networks is that when they become large enough, the operators of them hope to cease having control and allow the networks to scale and operate themselves. The goal is to have networks that provide platforms for businesses that can autonomously scale without oversight or intervention (“Autonomous Commercial Blockchains”).

This dynamic is interesting because it creates an unforeseen gap in Canada’s current federal privacy laws, specifically, how privacy regulations will regulate autonomous commercial blockchains where personal information is collected, used and disclosed for commercial reasons. Under the Personal Information Protection and Electronic Documents Act (PIPEDA), federal legislation governing how organizations collect, use and disclose personal information for commercial purposes, recourse for data breaches and other data privacy violations are affected by going after “organizations” that are accountable for breaching privacy rights. However, these autonomous networks may not be considered “organizations” under current privacy law definitions. This creates the possibility of individuals’ privacy rights being breached without an accountable entity.

What is An Autonomous Commercial Blockchain?

A blockchain is a network based on distributed ledger technology that provides for information and data to be collected, used and disclosed by a community in an anonymous and immutable manner. With recent inroads in blockchain innovations, different blockchain development enterprises have begun implementing capabilities for blockchains to incorporate governance rules and policies into the protocol. In doing so, these rules and policies are imposed on the participants of the network and are enforced on an automated basis without the need for external intervention. The purpose of incorporating self-governance into the protocol is for the facilitation of the network to autonomously scale and develop. This has allowed for the creation of increasingly sophisticated Decentralized Applications (DApps) and Decentralized Autonomous Organization (DAOs).

DApps and DAOs are the desired output resulting from the combination of automated governance and operations. These applications and organizations generally operate autonomously for commercial purposes. DApps are applications that are based on blockchain technology that operate using the resources of its network participants that in theory do not require a centralized intermediary. Some examples of existing DApps include decentralized cloud storage host Storj, MakerDAOand social media platform Karma. In the case of Storj, its protocol allows network participants to both use the decentralized cloud storage application, or receive remuneration to help develop it, without having to deal with any intermediaries, oversight or human intervention.

Decentralized Autonomous Organizations are a “set of smart contracts that encode the bylaws of the entire organization” that does not require any human involvement. People generally think of DAOs as general partnerships because of the high-profile scandal involving “The DAO”. However, that decentralized organization required extensive human intervention (was not autonomous) and was structured as a decentralized general partnership which is why it has been generally considered to be a partnership. In each example of DApps and DAOs, the creators of these networks have attempted to structure their organizations’ relationships to the networks as one of the contributors and not as owners of them.

There are different approaches to commercializing these kinds of networks. Typically, organizations that create Autonomous Commercial Blockchains do so to produce value measured in two different ways: (i) increasing the value of the currency/tokens provided to participants for validating transactions; and (ii) their ability to charge consulting fees to participants or enterprises who hope to exploit the financial opportunity that the network may bring. The organization that creates the network will generally retain a large reserve of currency/tokens so that they can participate in any price appreciation. In either case, the more useful the network is to participants, the more value the organization may be able to realize.

Where Do Canada’s Privacy Laws Fall Short?

When information is provided to an organization, like Facebook or Google, it is stored and processed on their servers and made accessible through their platforms to other users or business partners depending on the consents received when collecting the information. In the event of a data breach, or if they are found to misuse the information collected, PIPEDA would hold the organization accountable to the individuals whose privacy rights they breached. If their business partners were found to misuse the information, then they too may be liable for the privacy violations. For this reason, privacy laws put the onus on organizations engaged in commercial activities to (1) obtain consent from users when collecting information and (2) to protect the information collected and prevent it from being used in ways that the organization lacks consent for.

Based on the current definitions, Autonomous Commercial Blockchains may not be captured by Canadian privacy legislation. For example, under PIPEDA an “organization” includes “an association, a partnership, a person and a trade union.” Autonomous Commercial Blockchains typically do not operate under a corporation (a person) and the participants who assist in its growth act independently of one another, potentially ruling out the other examples. This may result in a situation where information is collected, used and disclosed for commercial purposes on an Autonomous Commercial Blockchain without an accountable “organization.”

In the absence of an accountable organization to be reprimanded for privacy violations, the privacy rights of individuals who provide personal information for a commercial purpose are not enforceable and thus lack the necessary protections. Under the decentralized model of a blockchain network, there is no central authority or corporation that collects, retains and distributes the information inputted into it. This divergence from most conventional business structures makes it clear that the current privacy regulatory structure may be incompatible with emerging blockchain technologies.

If privacy laws do not adapt to encompass activities on theses blockchains, then consumer rights may be harmed and regulatory reactions to future data violations may be disproportionate to the harms caused. When a blockchain network is used as a tool by an organization, any potential data breach would leave the organization utilizing it accountable. However, when the network is self-managing, and participants utilizing it for commercial purposes are not associated or partners, there is a legislative grey area of who should be responsible for an attack, data breach or the exposure of personal information on the network that results in privacy violations.

Potential Solutions to Fill the Gap

Changes to PIPEDA that could “catch” Autonomous Commercial Blockchains include:

1. Creating a definition for Autonomous Commercial Blockchains in the legislation like what the OPC is considering for Artificial Intelligence;

2. Consider Autonomous Commercial Blockchains as an extension of organizations that hold a signification portion (10%) of the tokens or voting rights in the networks;

3. Holding the DApp or End-Commercial Providers responsible for privacy breaches to the network; or

4. Requiring registration of Autonomous Commercial Blockchains that designate organizations accountable in the event of security breaches of the networks or privacy violations (like FINTRAC registration for Money Services Businesses that engage in “Dealing in Virtual Currency”).

What if the Network Only Shares “Public Keys”?

Many blockchain enterprises argue that due to the anonymous nature and intended anonymous use of the technology, privacy laws should not apply for networks that only transact using public keys. When transacting over a blockchain, users will share their public key with other users to provide where funds or token should be directed on the network. Participants of a blockchain will also possess a corresponding private, key which provides them with access to any assets sent to the public key address.

When participants on a blockchain network engage in transactions using a public key, information like an IP address may be linked to the transactions. Under PIPEDA, personal information includes “any factual or subjective information, recorded or not, about an identifiable individual.” It is also “information that on its own or combined with other pieces of data, can identify a person as an individual”. Public keys may therefore be considered personal information because if it can be traced for a transaction to a specific IP address or other identifiers, it can be identifiable of the person. For this reason, even if an Autonomous Commercial Blockchain only allows for transacting use public keys in the hopes of avoiding privacy regulations, it may still be considered to be sharing personal information and governed under privacy laws.

Final Thoughts

Autonomous Commercial Blockchains in their proposed form may currently be situated within a blind spot of Canada’s privacy legislation that should be addressed. In the absence of legislative changes, Canadians that share their information with these networks may find themselves lacking necessary protections and recourse in the event data breaches. If an Autonomous Commercial Blockchain that collects information from Canadians were to experience a privacy breach before legislative changes address them, the resulting legislative response will likely be overbroad and burdensome to the remaining networks. Therefore, it may be prudent to begin exploring ways for privacy laws to properly capture these new networks.

*Cover photo credit to Su San Lee