Lately, I have been seeing articles everywhere with titles among the lines of “Why You Don’t Need a Blockchain” and “Blockchain, A Solution Looking For A Problem To Solve”. While these articles often make some good points, their authors tend to take it to the extreme by arguing that blockchains are completely useless.
It is true that many ‘blockchain-solutions’ do not need a blockchain at all — normal databases often suffice, and they are far more efficient than a blockchain ever will be. And sure, some companies have started using blockchain with the sole purpose of jumping on the blockchain hype-train. However that does not mean that there are no genuine use-cases for the technology — and Uber’s recent $148 million settlement shows why.
Today, Uber reached a $148 million settlement to resolve a data breach in 2016. The data breach was revealed in November last year, and affected 50 million customers, around 7 million drivers and included another 600.000 driver license numbers for U.S. drivers.
What’s shocking about this data breach is that Uber did not report it at all. Instead, the company paid hackers $100.000 in bribes in order to get rid of the evidence and keep the data breach a secret.
You might think that a technology company with a valuation of $82 Billion is able to keep its user data secure. However, reality shows otherwise. In fact, big companies acts as ‘honeypots’ for hackers as they know that large amounts of data is stored in the same place.
Now, the amount of data stored by companies is ever-growing. At the same time, IT systems are becoming increasingly complex, resulting in a larger attack surface. Humans make mistakes in designing IT systems, which in turn means an increase in data and an increase in IT systems results in an increase of data breaches and, indeed, big fines.
For their respective data breaches, Yahoo paid about $35 million in fines and $80 million in settlements, while healthcare giant Anthem paid $115 million and Equifax will likely be paying over $200 million.
While pretty despicable, it’s not that surprising that Uber tried to make sure the data breach never came to light. Fines for data breaches are extremely expensive.
What’s more, these fines mentioned above have all been levied in the United States. However, under the new European General Data Protection Regulation, the EU can impose fines that go up to 4% of global revenues as well.
But it’s not just the fines themselves. The security requirements and processes imposed by data privacy regulations are becoming increasingly strict and expensive to follow. Moreover, data subject are becoming increasingly aware of their data rights, and exercise them more often. Having worked on these matters in a big law firm’s data-tech department, I can tell you from my own experience that the costs of ‘data-subject requests’ (e.g. the Right to be Forgotten) rack up quickly.
The world is comprised of data.
Of course, companies are starting to realize all of this and settlements like the one by Uber today throw oil on the fire. Sooner than later, companies will no longer want to own large amounts of personal information. The risk of hacks is just too high, and the fines are costly. They will be looking for alternatives.
Personal data is becoming a liability for companies
For companies, a blockchain eliminates the liability that the storage of personal information brings with it.
Data stored on a blockchain is stored in a large amount of different locations. As such, there is no single point of failure that acts as a honeypot that attracts hackers. Moreover, data on the blockchain is often encrypted and/or anonymous. Combined, these characteristics ensures that your personal data is do not leak to the public.
Now you might be thinking: Wasn’t everything in the blockchain public?
If so, you would be right. Everyone can see the information about your transactions or sometimes, other ‘hashed’ data. However, there is no way for anyone to know which data belongs to who. Transactions go from one user wallet’s ‘public-key-address’ to the next. Without any additional information from the real-world, it is practically impossible to know which public-key belongs to which person.
A data breach is impossible in such a system, as the only information about which public-key-address belongs to which person is kept by each user him or herself.
A company cannot be fined for a data-breach, if the company doesn’t have any personal information in the first place.
Moreover, the usage of a blockchain frees the company from the procedural and security requirements imposed by privacy regulations.
One company I work with, a Dutch blockchain startup called VMC, is, for example, building a blockchain-based solution for the mobility industry. It frees Mobility as a Service providers from their data worries. Indeed, even companies like Uber could use VMC’s blockchain for payments. VMC doesn’t need your personal information for you to use its blockchain. More importantly however, the companies that use VMC’s blockchain for payments don’t need your personal information either. They just need to know that you can pay — and the blockchain takes care of this.
Besides, ask yourself the following: Do we really want companies like Uber having your payment details piled in one central database? Do we want our mobility providers to process and store our every move? If your answer is no, does a blockchain not have real value?
We all know that data is the new oil. However, as shown by Uber’s settlement, personal data is increasingly becoming a liability, rather than an asset. As fines for data breaches are more common and more expensive, companies will be looking for ways to make data anonymous and ways to ensure they do not own the data themselves. After all, they don’t want to be extorted by hackers. They definitely don’t want to be caught by the increasing requirements and fines imposed by global data privacy regulations. But how can you make sure personal data is made anonymous and not stored on your own server, while also ensuring your payment systems work?
A blockchain might just be useful in some cases after all…
Thijs Maas is a Dutch LLM student with a healthy obsession for the legal challenges that arise in relation to the wave of innovation brought by distributed ledger technologies. He started www.lawandblockchain.eu and helps blockchain startups navigate legal issues around ICOs and STOs.
[1] Article 83 of the General Data Protection Regulation provides details of the administrative fines. There are two tiers of fines. The first is up to €10 million or 2% of annual global turnover of the previous year, whichever is higher. The second is up to €20 million or 4% of annual turnover of the previous year, whichever is higher.