Eurochain

This week, I wanted to share with you excerpts from the testimony I provided to the European Parliament on their new proposed legislative and regulatory efforts around blockchain. A great deal of my work over the past 5 years has landed at the intersection of technology innovation, government policy, and commercial reality, and you might be interested to see what some of that looks like on a practical level.

The European initiatives, led in part by MEP Eva Kaili and by the excellent team at the Digital Single Market Directorate of the European Commission, are painting a new future of possibility and opportunity (in contrast to the more restrictive stances of some other regulatory regimes). Eva will be speaking at Oxford Said Business School 22 May at our upcoming financial innovation forum ("Financial Innovation @ the Inflection Point") [UPDATED] and you can register here: https://www.sbs.ox.ac.uk/school/events-0/oxford-fintech-and-blockchain-strategy-symposium

Of recent note: 10 April 2018, the European Blockchain Partnership Declaration was signed by 22 countries.

* * * * *

Introduction

The European Union has been a world leader in adopting new legislation and new regulations in support of digital rights and in fostering fintech innovation. The General Data Protection Regulation (GDPR), Payment Services Directive (PSD2), and Regulation (EU) N°910/2014 (eIDAS), have offered better services and lower costs for consumers while protecting their personal information. The European Union has an opportunity to extend its leadership in areas like Fintech and Blockchain with the new proposed Blockchain Resolution. 

…

Let me acknowledge up front that technology is not automatically good – or bad – and we have read a good number of headlines in recent years about the negative effects of social media platforms on the foundations of democracy. Similarly, with blockchain, there are a tremendous number of opportunities that it provides, but it’s not without risk and we have intelligent ways to address that risk.

You may have concerns or question about things like:

• If we using blockchain for voting, can’t we track people?
• Could someone grab health data off of a blockchain?
• Is GDPR guaranteed in a permissionless blockchain?

The good news is that there are solutions to each of these challenges, which I will talk about later in my remarks.

…

Digital Identity

OK so let’s talk about an interesting application of blockchain with respect to Digital identity. 

Today, those same regulations around anti-money laundering and Know Your Customer, known as AML and KYC, keep our money supply and our citizens safer. However, they’ve added huge cost burden to banks.  It’s as much as 20% of all costs to run a bank according to Bain & Company.

Part of the issue is due to data privacy regulation. Each time you open up a new account at a bank, they have to duplicate the same effort another bank has already gone through to identify you as you, give you products that are appropriate for you, and make sure you aren’t a criminal. The banks aren’t allowed to share this due diligence with each other so it makes for a slow and expensive process to open a new account.

So there has been a movement to creating multi-bank service bureaus, identity bureaus, using blockchain. This can help reduce cost, but the way many people are currently going about it, it increases risk around privacy. When you create a pool of information, instead of having it spread out in many pieces, it’s that much easier for an attacker to get to it, as India discovered when the entire 1.2 billion citizen biometric database of Aadhaar was accessed recently.

Also, identity isn’t just what you need to bank. When you go to a bank they need to know some very simple things about you like are you a criminal or not. To get there, you have to provide them all sorts of personal information, when all we need is a couple of yes/no answers from a source we trust, that says you’re not a bad person and you’re allowed to open an account. 

Sharing all of our personal information with everyone it’s not how we live our lives. We have different personae for different situations. We bring one persona to work, we have a different one with our doctor, we have yet another when we are shopping online. The concept of self-sovereign digital identity means you could protect your personal information by creating different versions of yourself for different purposes, but all are linked back to you in a privacy-preserving fashion. 

The clothing store doesn’t need to know who you are or how much money you have in order to sell you a scarf; they just need to know you have enough money to pay for the scarf. This is called a zero-knowledge proof, the yes/no question “Does this guy in front of me have enough money to pay for this scarf in this bank account he’s giving me?” The same idea could be extended to other areas of our lives to improve personal privacy.

What we need is self-sovereign digital identity, a way of creating valid identities for ourselves that is trusted, distributed, and carefully governed to protect the privacy of citizens while giving them better access to their personal data. 

Our current identity systems have many flaws, that we right now are beginning to repeat on blockchain. More than 10% of Syrian passports in the EU are fraudulent. Even legitimate Syrian passports have assumed market value – desperate people fleeing crisis arrive in places like Germany with no money, and sometimes sell their passports because Syrian passports are prioritized for resettlement assistance.

Basic biometrics like fingerprint or facial recognition do not solve the problem. The iPhone 7 fingerprint scanner was spoofed within 24 hours of being launched, and iPhone X facial recognition was spoofed within 48 hours of its launch. We need better biometrics.

Behavioral biometrics can help us have more secure identities. This new technology, that my company Distilled Analytics is commercializing out of research from top tier universities, lets us, with a user’s permission, determine who someone is from passively acquired information about their actions rather than relying on a physical token like a passport.

So we need self-sovereign digital identity, and we need to secure it with behavioral biometrics.

This new vision of how blockchain and other technology can help with areas like digital identity and personal information requires the deployment of new technology that we have been developing.

New Principles for Managing Data

When my frequent collaborator, MIT Professor and Oxford SBS Visiting Professor Alex Pentland gave the keynote speech in Estonia last year during the handover of the EU Presidency, he outlined some principles to address concerns regarding data privacy and data access:

·     Share answers not data

·     Send questions to the data, instead of pooling data

Leave data encrypted both at rest, when it’s not being used, and when it moves around, in flight. Technology can let you get useful answers out of encrypted data. More on this in our book Trust::Data. 

Addressing Risks

Going back to the issues I described in the beginning around voting privacy, and health privacy, and GDPR -

·     With encryption and the right kind of data setup, we can record votes on the blockchain, know that they are valid votes, without revealing the identity of the voter

·     If the data is encrypted as I suggest, even an open, permissionless blockchain can protect the privacy of health records. You would need the correct cryptographic key to unlock the data.

·     And a well-constructed blockchain that puts appropriate systems of data governance around the data could enable you to create an identity bureau on a blockchain that is also GDPR compliant

There are always new challenges emerging. The system I described just now requires good cryptography, which we have today. However, quantum computing, for example, will be so fast and powerful, that it could make all of that encryption useless. We need to prepare for a post-quantum future with post-quantum cryptography. 

What are some actionable ideas?

·     Just as EU member states have been pioneering in the education of young children to be able to determine the difference between fake news and real news, all European citizens need to be educated about their personal data from a young age – what their rights are, what their risks are, and what the opportunities are that they can benefit from by using their data intelligently.

·     We need research funding to advance the frontiers of knowledge in these areas and to provide neutral forums in which to evaluate success, failure, and risk

·     We need commercialization activity to advance new enterprises, the small businesses that create 4 out of 5 new jobs. The European Central Bank ECB and the European Monetary Authority EMA can play critical roles here.

·     We need sandboxes in which startups can experiment safely with new technologies without having to undergo laborious regulatory process just to get to an answer of “do I have a viable idea or not?” It’s also important to clarify between ideas that require licensing, and blockchain applications that do not require licensing.

Usage fees, license fees, or other variations on industry-focused, proportionate taxation can help fund these areas directly out of the people who benefit from them. Small companies pay less, while they are growing; big companies pay more.

The good news is that the mechanisms to fund and deploy these ideas already exist in large part within the European Commission and other areas of the EU government. The Parliament can offer strategic guidance to bodies like the European Commission into directing focus. The free market can help support innovation development if it has clarity on investment vehicles like ICOs to accelerate technology transfer in pioneering new technologies, perhaps in collaboration with European venture capital supported by the European Investment Fund.

I’m David Shrier, and more of my thoughts on these subjects can be found at VisionaryFuture.com. I’m happy to answer any questions you may have.

The opinions reflected herein are my own, and do not necessarily reflect those of the University of Oxford or its faculty.