Common Blockchain Misconceptions - Part 2 of 3
THOUGHTS OF THE WEEK
Standard Kepler CEO David Tang recently authored a few articles on the subject of blockchain and cryptocurrency misconceptions. Last week in part 1 we had a look at the first 4 of a total of 8, and this week we will continue by taking a slightly deeper look at misconceptions 5 and 6.
5. “Use of blockchain increases system security”: I don’t know the origin of this misconception, but we often hear our clients saying that they want to improve their system’s security by “putting everything” on a Blockchain. They fail to realize that blockchain does not equate absolute security. In fact, only some blockchains are secure, a lot of blockchains are not.
Before we discuss whether using blockchain improves system security, we need to know how blockchain secures itself and its limitations in doing so. Blockchain secures your data in two ways: Firstly, it maintains data integrity by making sure that the data recorded on it can neither be altered nor removed. Secondly, it secures the ownership of your account with public/private key cryptography. This means that your account is secure as long as your private key isn’t exposed (normal password protection is significantly easier to crack compared to public/private key cryptography).
In the case of smart contracts, the above characteristics of blockchain makes it possible to achieve security on a new level: a program deployed on blockchain cannot be altered or removed, meaning that hackers cannot change your program code or make it misbehave. But there are also limitations. For example, if the deployed code has bugs then blockchain won’t allow you to fix these bugs as the program code cannot be changed once launched. Also, the public/private key encryption adds an element of user unfriendliness to your system, since users cannot choose their private key and the keys can be long and hard to memorise. Back to the question, can blockchain helps improving your system security? The answer is that it depends.
If you just want to secure the data integrity: Yes, blockchain can help. Putting your data on a public blockchain can make your data largely immutable.
If you want to make your program secure: Usually no, sometimes yes. Yes if your program is coded flawlessly; No if your program is not flawless, and most programs are far from perfect and do contain bugs.
If you want to hide your data from hackers: No, there are better ways to hide your data securely. Putting the data on a blockchain without lowering the data usability is impossible.
If you want to give your users the ability to store their encrypted data securely, and make sure that only they can decrypt their own data: Yes, you can do this with blockchain, but make sure you really need this level of security and that you are willing to make the relevant sacrifices in usability to users.
6. “Use of blockchain protects user privacy”: Well, using Bitcoin can protect your privacy, and so can many other cryptocurrencies. But here lies a very common misconception that start-ups, VCs and a lot of laymen (non-laymen as well) have been reiterating. Blockchain protects privacy because it can verify a transaction without needing your personal information. However, it does not protect your privacy by preventing other parties from misusing your information without your permission. Consider the following example from a project:
“A user installs an application that uses our platform for preserving her privacy. As the user signs up for the first time, a new shared (user, service) identity is generated and sent, along with the associated permissions, to the blockchain in a Taccess transaction. Data collected on the phone (e.g., sensor data such as location) is encrypted using a shared encryption key and sent to the blockchain in a Tdata transaction, which subsequently routes it to an off-blockchain key-value store, while retaining only a pointer to the data on the public ledger (the pointer is the SHA-256 hash of the data). Both the service and the user can now query the data using a Tdata transaction with the pointer (key) associated to it. The blockchain then verifies that the digital signature belongs to either the user or the service. For the service, its permissions to access the data are checked as well. Finally, the user can change the permissions granted to a service at any time by issuing a Taccess transaction with a new set of permissions, including revoking access to previously stored data. Developing a web-based (or mobile) dashboard that allows an overview of one’s data and the ability to change permissions is fairly trivial and is similar to developing centralized-wallets, such as Coinbase for Bitcoin.”
What projects such as this one suggest is that all user data is uploaded and stored on a blockchain platform, and that services (apps) can only access this data with user permission. Most importantly, you can revoke the permission at any time. Does this not sound like Facebook login? Apps can only access your data with your consent, and you can revoke this permission at any time. So, can these apps “steal” your data? Yes! And all they have to do is to create a copy.
This most obvious point of failure of the above proposal. The data you generate in the app can only be uploaded to blockchain by the app itself, so the app can steal it in the middle of the upload, or it can even outright prevent the data from being uploaded. The only way to make it work is through something like TouchID: your fingerprint is collected by your iPhone, and the app cannot touch the data, it can only ask iPhone to check whether your fingerprint is correct. The data from the point of being collected, to being processed and stored is in a closed loop. This is how Apple protects your privacy from everyone except themselves.
In short, cryptocurrencies can protect privacy because they don’t need your private information to verify transactions, nor do they require authorities that own your personal information to verify transactions. Blockchain can encrypt your data and store it securely and prevent anyone from using it, but it cannot protect your data from being misused.