Personal Data Problem in Blockchain Applications: Storage Risks and Implications

Year 2022, Volume: 5 Issue: 1, 47 - 67, 30.06.2022

Nurcan Diri , Bahattin Yalçınkaya

https://doi.org/10.33721/by.1000702

Abstract

A large amount of personal data is created, used and stored by the rapid development of Information and Communication Technologies (ICT). The personal data being stored requires the end users to be protected from technical and legal aspects. Blockchain technology is seen as an innovative technology that has made significant progress in recent years to protect the privacy and control of personal data. As a decentralized Peer-to-Peer (P2P) distributed digital ledger, Blockchain technology provides a decentralized, verifiable and immutable ledger service that can store all transactions of digital assets. It offers a new approach to sharing data with participants in a network without having to fully trust them. The recently introduced General Data Protection Regulation (GDPR) and Personal Data Protection Law (KVKK) bring major changes in how personal data is handled. GDPR and KVKK have brought new protection obligations for data controllers and processors with the use of personal data. In order to ensure unity within the scope of GDPR and KVKK data protection legislation, it brings new applications such as easier access to Personally Identifiable Information (PII), giving the right to delete and rectify and transport. In a society dominated by centralized structures within the scope of GDPR and KVKK, personal data processing activities are mostly carried out by central structures and there are a number of procedures and principles that must be followed. However, there are some inconsistencies in the implementation of the KVKK and GDPR provisions, which are prepared for the central legal or natural persons to carry out applications such as data storage, processing and deletion in the storage of personally-identified data in the researches revealed on the blockchain platform. In this study, the basic features of the blockchain are elaborated, blockchain technology supported solutions for the use of personal data are explained, and the problems and difficulties related to the subject are discussed. When the literature is examined, it has been seen that recommendations are given for not storing personal data in the blockchain network today. It has been shown in academic and applied research that the primary rights of personal data within the scope of KVKK and GDPR are not suitable for the characteristic structure of blockchain technology. Also, it is thought by academic circles that developments and updates in blockchain technology will contradict the technology itself and annihilate the characteristic feature of the blockchain, and therefore it is recommended to make minor changes that not affect the main structure (deleting the private key, off-chain storage, deleting the hash value, etc.).

Keywords

Blockchain, Personal Data, Privacy

Blokzincir Uygulamalarında Kişisel Veri Problemi: Depolama Riskleri ve Öneriler

Abstract

Bilgi ve İletişim Teknolojilerinin (BİT) hızla gelişmesiyle birlikte, çok miktarda kişisel veri oluşmakta, kullanılmakta ve depolanmaktadır. Depolanmakta olan kişisel veriler, son kullanıcıların teknik ve hukuki yönlerden korunmalarını gerektirmektedir. Blokzincir teknolojisi kişisel verilerin gizliliğini korumak ve kontrolünü sağlamak için son yıllarda önemli gelişmeler kaydeden yenilikçi teknoloji olarak görülmektedir. Merkezi olmayan ve Eşler Arası (Peer-to-Peer-P2P) bir dağıtık dijital defter olan blokzincir teknolojisi, dijital varlıkların tüm işlemlerini depolayabilen, merkezi olmayan, doğrulanabilir ve değiştirilemez bir defter hizmeti sunar. Bir ağdaki katılımcılarla onlara tam olarak güvenmeye gerek kalmadan veri paylaşma konusunda yeni bir yaklaşım sunmaktadır. Yakın zamanda tanıtılan Genel Veri Koruma Yönetmeliği (GDPR) ve Kişisel Verilerin Korunması Kanunu (KVKK), kişisel verilerin nasıl ele alınacağı konusunda büyük değişiklikler getirmektedir. GDPR ve KVKK, kişisel verilerin kullanmasıyla veri denetleyicileri ve işlemciler için yeni koruma zorunlulukları getirmiştir. GDPR ve KVKK, veri koruma mevzuatı kapsamında birliğinin sağlanması için kişisel olarak tanımlanan verilere (PII) daha kolay erişim, silme, düzeltme ve taşıma hakkı verilmesi gibi yeni uygulamalar getirmektedir. GDPR ve KVKK kapsamında, merkezi yapıların hâkim olduğu bir toplumda kişisel veri işleme faaliyetlerinin çoğunlukla merkezi yapılar tarafından gerçekleştirilmesi ve uyulması gereken bir takım usul ve esasları vardır. Ancak blokzincir platformunda ortaya koyulan araştırmalarda kişisel olarak tanımlanan verilerin saklanmasında; merkezi tüzel veya gerçek kişilerin veri saklama, işleme ve silme, gibi uygulamaları gerçekleştirmesi yönünde hazırlanan KVKK ve GDPR hükümlerinin uygulanmasında bazı uyumsuzluklar bulunmaktadır. Bu çalışmada, blokzincirin temel özellikleri detaylandırılmış, kişisel verilerinin kullanımı için blokzincir teknolojisi destekli çözümler açıklanmış ve konuya dair sorunlar ile zorlukları tartışılmıştır. Literatür incelendiğinde; kişisel verilerin günümüzde blokzincir ağında saklanmamasına yönelik tavsiyeler verildiği görülmüştür. Kişisel verilerin KVKK ve GDPR kapsamındaki birincil haklarının, blokzincir teknolojisinin karakteristik yapısına uygun olmadığı, akademik ve uygulamalı araştırmalarda gösterilmiştir. Blokzincir teknolojisindeki gelişme ve güncellemelerin, teknolojinin kendisi ile çelişeceği ve blokzincirin karakteristik özelliğini yok edeceği akademik çevrelerce düşünülmekte ve bundan dolayı temel yapıyı etkilemeyecek (özel anahtarın silinmesi, zincir dışı depolama, karma değeri silinmesi vb.) küçük çaplı değişikliklerin yapılması önerilmektedir.

Keywords

Blokzincir, Kişisel Veri, Mahremiyet

References

• Althauser, J. (2017). Accenture Secures Patent for its’ Editable Blockchain Technology. https://cointelegraph.com/news/accenture-secures-patent-for-its-editable-blockchain-technology.
• Asghar, M.N., Kanwal, N., Lee, B., Fleury, M., Herbst, M. ve Qiao, Y. (2019). Visual Surveillance within the EU General Data Protection Regulation: A Technology Perspective. https://doi.org/10.1109/ACCESS.2019.2934226.
• Ateniese, G., Magri, B., Venturi, D. ve Andrade, E. (2017). Redactable Blockchain–or–rewriting History in Bitcoin and Friends. https://doi.org/10.1109/EuroSP.2017.37.
• Bernabe, J.B., Canovas, J.L., Herhandez-Ramos, J.L., Moreno, R.T. ve Skarmeta, A. (2019). Privacy-Preserving Solutions for Blockchain: Review and Challenges. https://doi.org/10.1109/ACCESS.2019.2950872.
• Bilgi Platformu (2020). Proof of Stake (Hisse Kanıtı) Nedir? Nasıl Çalışır? https://www.btcturk.com/bilgi-platformu/proof-of-stake-hisse-kaniti-nedir-nasil-calisir/.
• Brown, M. (Ağustos 2020). Blockchain and the GDPR: Can the Conflicts be Resolved? https://compliancecosmos.org/blockchain-and-gdpr-can-conflicts-be-resolved.
• CNIL. (2018). Premiers Éléments d’Analyse de la CNIL: Blockchain. https://www.cnil.fr/sites/default/files/atoms/files/la_blockchain.pdf.
• Danyal, D. (2021, Ocak 24). Blockchain ve Dağıtılmış Defter Teknolojilerinin Temel Avantajları, https://devrimdanyal.medium.com/blockchain-ve-da%C4%9F%C4%B1t%C4%B1lm%C4%B1%C5%9F-defter-teknolojilerinin-temel-avantajlar%C4%B1-6490828bb18a.
• Data Protection Working Party (2014). Opinion 05/2014 on anonymisation techniques. 0829/14/EN WP216. Edited by Article 29 Data Protection Working Party. https://ec.europa.eu/justice/article9/documentation/opinionrecommendation/files/2014/wp216_en.pdf.
• De Hert, P., Papakonstantinou, V., Malgieri, G., Beslay, L. ve Sanchez Martin, J.I. (2018). The Right to Data Portability in the GDPR: Towards User-Centric Interoperability of Digital Services, Computer Law & Security Review, 34(2), 93-203. https://doi.org/10.1016/j.clsr.2017.10.003 .
• De Meijer, C.R.W. (2018, Ocotober 9). Blockchain versus GDPR and Who Should Adjust Most, 01.09.2021 tarihinde https://www.finextra.com/blogposting/16102/blockchain-versus-gdpr-and-who-should-adjust-most
• Desai, S., Shelke, R., Deshmukh, O., Choudhary, H. ve Sambare, S.S. (2020). Blockchain Based Secure Data Storage and Access Control System Using IPFS, Journal of Critical Reviews, 7(19), 1254-1260. https://doi.org/10.1109/ICCUBEA47591.2019.9129015.
• Dwork, C. ve Naor, M. (1993). Pricing via Processing or Combatting Junk Mail. Brickell E.F. (eds), Advances in Cryptology-CRYPTO ’92 Lecture Notes in Computer Science içinde (ss. 139-147), 740, Springer: Berlin. https://doi.org/10.1007/3-540-48071-4_10.
• Eberhardt J. ve Tai S. (2017). On or off the Blockchain? Insights on off-chaining computation and data. https://link.springer.com/chapter/10.1007/978-3-319-67262-5_1.
• Eichler, N., Jongerius, S., McMullen, G., Naegele, O., Liz, S. ve Wagner, K. (2018). Blockchain, data protection, and the GDPR. https://www.crowdfundinsider.com/wpcontent/uploads/2018/06/GDPR_Position_Paper_v1.0.pdf.
• EPRS. (2019). Blockchain and the General Data Protection Regulation. https://www.europarl.europa.eu/RegData/etudes/STUD/2019/634445/EPRS_STU(2019)634445_EN.pdf.
• Esposito, C., Santis, A.D., Tortora, G., Chang, H. ve Choo, K-K. R. (2018). Blockchain: A Panacea for healthcare cloud-based data security and privacy? In IEEE Cloud Comput. 5 (1), pp. 31–37. https://fardapaper.ir/mohavaha/uploads/2019/03/Fardapaper-Blockchain-A-Panacea-for-Healthcare-Cloud-Based-Data-Security-and-Privacy.pdf.
• Faber, B., Michelet, G., Weidmann, N., Mukkamala, R. ve Vatrapu, R. (2019). BPDIMS: A Blockchain-based Personal Data and Identity Management System. https://scholarspace.manoa.hawaii.edu/bitstream/10125/60121/0681.pdf.
• Finck, M. (2018). Blockchains and data protection in the European Union. In European Data Protection Law Review 4 (1), pp. 17–35. https://edpl.lexxion.eu/article/edpl/2018/1/6.
• Fu, D. ve Fang, L. (2016). Blockchain-Based Trusted Computing in Social Network. https://doi.org/10.1109/CompComm.2016.7924656.
• Gräther, W., Kolvenbach, S., Ruland, R., Schütte, J. Torres, C., Wendland, F. (2018). Blockchain for education: Lifelong learning passport. In W. Prinz & P. Hoschka (Ed.): Proceedings of the 1st ERCIM Blockchain Workshop 2018, Reports of the European Society for Socially Embedded Technologies. https://www.dotmagazine.online/issues/blockchain-e-government/blockchain-e-government-citizen-control-of-data/blockchain-for-education.
• Grimes, R.A. (2021). What is personally identifiable information (PII)? How to protect it under GDPR. https://www.csoonline.com/article/3215864/how-to-protect-pii-under-gdpr.html .
• Ibáñez, L.D., O'Hara, K. ve Simperl, E. (2018). On Blockchains and the General Data Protection Regulation. https://eprints.soton.ac.uk/422879/1/BLockchains_GDPR_4.pdf.
• Jensen, G. (2018). Reconciling GDPR rights to erasure and rectification of personal data with Blockchain. https://blogs.oracle.com/cloudsecurity/reconcilinggdpr-rights-to-erasure-and-rectification-of-personaldata-with-blockchain.
• Katuwal, G.J., Pandey, S., Hennessey, M. ve Lamichhane, B. (2018). Applications of Blockchain in healthcare: Current landscape & challenges. http://arxiv.org/pdf/1812.02776v1.
• Kiayias, A., Russell, A., David, B., Oliynykov, R. (2017). Ouroboros: A Provably Secure Proof-of-Stake Blockchain Protocol. Katz J., Shacham H. (eds), Advances in Cryptology - CRYPTO 2017 Lecture Notes in Computer Science, içinde (ss. 357-388), 10401. Springer. https://doi.org/10.1007/978-3-319-63688-7_12.
• KVKK ve Blokzinciri Teknolojisi Raporu (Kasım 2019). https://bctr.org/dokumanlar/KVKK_ve_Blokzincir_Teknolojisi.pdf.
• KVKK (2018, Temmuz 02). Data Protection in Turkey. https://www.kvkk.gov.tr/Icerik/5389/Data-Protection-in-Turkey.
• Lee, D., ve Park, N. (2020). Blockchain Based Privacy Preserving Multimedia Intelligent Video Surveillance Using Secure Merkle Tree, Multimedia Tools and Applications, 1-18. https://doi.org/10.1007/s11042-020-08776-y.
• Li, R., Song, T., Mei, B., Li, H., Cheng, X. ve Sun, L. (2019). Blockchain for Large-Scale Internet of Things Data Storage and Protection, IEEE Transactions on Services Computing, 12(5), 762-771. https://doi.org/10.1109/TSC.2018.2853167.
• Mamoshina, P., Ojomoko, L., Yanovich, Y., Ostrovski, A.,Botezatu, A., Prikhodko, P., Izumchenko, E., Aliper, A., Romantsov, K., Zhebrak, A., Ogu, I. O. ve Zhavoronkov, A. (2018). Converging Blockchain and Next-Generation Artificial Intelligence Technologies to Decentralize and Accelerate Biomedical Research and Healthcare. Oncotarget, 9(5). https://doi.org/10.18632/oncotarget.22345.
• Mingxiao, D., Xiaofeng, M., Zhe, Z., Xiangwei, W. ve Qijun, C.A (2017). Review on Consensus Algorithm of Blockchain. https://doi.org/10.1109/SMC.2017.8123011.
• Miller, A.K. ve LaViola, J. (2014). Anonymous Byzantine Consensus from Moderately-Hard Puzzles: A Model for Bitcoin. http://diyhpl.us/~bryan/papers2/bitcoin/Anonymous%20byzantine%20consensus%20from%20moderately-hard%20puzzles:%20a%20model%20for%20Bitcoin.pdf.
• Nakamoto, S. (2018). Bitcoin: A Peer-to-Peer Electronic Cash System. https://bitcoin.org/bitcoin.pdf.
• Nayak, A. ve Dutta, K. (2017). Blockchain: The Perfect Data Protection Tool. https://doi.org/10.1109/I2C2.2017.8321932.
• Neisse, R., Steri, G. ve Fovino, I.N. (2017). A Blockchain-Based Approach for Data Accountability and Provenance Tracking, ARES '17: Proceedings of the 12th International Conference on Availability, Reliability and Security içinde (ss. 1-10), Association for Computing Machinery: New York. https://doi.org/10.1145/3098954.3098958.
• Ochôa, I., Calbusch, L., Viecelli, K., Paz, J.D., Leithardt, V. ve Zeferino, C. (2019). Privacy in the Internet of Things: A Study to Protect User’s Data in LPR Systems Using Blockchain. https://doi.org/10.1109/PST47121.2019.8949076.
• Omaar, J. (2017). Forever isn't free: The cost of storage on a Blockchain database. https://medium.com/ipdb-blog/forever-isnt-freethe-cost-of-storage-on-a-blockchain-database59003f63e01. Pagallo, U., Bassi, E., Crepaldi, M. ve Durante, M. (2018). Chronicle of a Clash Foretold: Blockchains and the GDPR's Right to Erasure, M. Palmirani (Ed.), Legal Knowledge and Information Systems içinde (ss. 81-90), IOS Press, Amsterdam. https://doi.org/10.3233/978-1-61499-935-5-81.
• Politou, E., Casino, F., Alepis, E. ve Patsakis, C. (2019). Blockchain Mutability: Challenges and Proposed Solutions. http://dx.doi.org/10.1109/TETC.2019.2949510.
• Say, C. (2015). 5 Soruda Blokzinciri, Bankalararası Kart Merkezi: İstanbul.
• Shah, P., Forester, D., Berberich, M. ve Raspé, C. (2019). Blockchain Technology: Data Privacy Issues and Potential Mitigation Strategies. Thomson Reuters The Practical Law, 1-8. https://www.davispolk.com/sites/default/files/blockchain_technology_data_privacy_issues_and_potential_mitigation_strategies_w-021-8235.pdf.
• Shrestha, A.K., Vassileva, J. ve Deters, R. (2020). A Blockchain Platform for User Data Sharing Ensuring User Control and Incentives, Frontiers in Blockchain, 3, 1-22. https://doi.org/10.3389/fbloc.2020.497985.
• Steichen, M., Fiz, B., Norvill, R., Shbair, W. ve State, R. (2018). Blockchain-based, decentralized access control for IPFS. https://www.researchgate.net/publication/327034734_BlockchainBased_Decentralized_Access_Control_for_IPFS.
• Truong, N.B. ve Lee, G.M. (2019). GDPR-Compliant Personal Data Management: A Blockchain-Based Solution, IEEE Transactions on Information Forensics and Security, 15, 1746-1761. http://dx.doi.org/10.1109/TIFS.2019.2948287.
• Urquhart, L., Sailaja, N. ve McAuley, D. (2017). Realising the Right to Data Portability for the Domestic Internet of Things, Personal and Ubiquitous Computing, 22, 317-332. https://link.springer.com/article/10.1007/s00779-017-1069-2.
• Van Humbeeck, A. (2017). The Blockchain-GDPR paradox. https://medium.com/wearetheledger/the-blockchaingdpr-paradox-fc51e663d047.
• Wallace, A. (2018). Protection of Personal Data in Blockchain Technology: An investigation on the Compatibility of the General Data Protection Regulation and the Public Blockchain (Yüksek Lisans Tezi). Stockholm Üniversitesi. http://su.diva-portal.org/smash/get/diva2:1298747/FULLTEXT01.pdf.
• Wang, W., Hoang, D. T., Hu, P., Xiong, Z., Niyato, D., Wang, P., Wen, Y. ve Dong, D. I. (2019). A Survey on Consensus Mechanisms and Mining Strategy Management in Blockchain Networks. IEEE Access,7, 22328-22370. https://arxiv.org/pdf/1805.02707.pdf.
• Wirth, C. ve Kolain, M. (2018) GDPR-compliant Approach for Handling Personal Data. http://dx.doi.org/10.18420/blockchain2018_03.
• Zemler, F. (2019). Concepts for GDPR-Compliant Processing of Personal Data on Blockchain: A Literature Review, Anwendungen und Konzepte der Wirtschaftsinformatik, 9, 96-107. https://www.researchgate.net/publication/338117615_Concepts_for_GDPR-Compliant_Processing_of_Personal_Data_on_Blockchain_A_Literature_Review.
• Zhang, R., Xue, R. ve Liu, L. (2019). Security and Privacy on Blockchain. ACM Computing Surveys, 52(3), 51-85. https://doi.org/10.1145/3316481.
• Zhang, S., Kim, A., Liu, D., Nuckchady, S. C., Huang, L., Masurkar, A., Zhang, J., Karnati, L., Martinez, L., Hardjono, T., Kellis, M. ve Zhang, Z. (2018). Genie: A secure, transparent sharing and services platform for genetic and health data. http://arxiv.org/pdf/1811.01431v1.
• Zheng, Z., Xie, S., Dai H., Chen, X., ve Wang, H. (2017). An Overview of Blockchain Technology: Architecture, Consensus and Future Trends. https://doi.org/10.1109/BigDataCongress.2017.85.
• Zheng, X., Mukkamala, R., Vatrapu, R. ve Ordieres-Mere, J. (2018). Blockchain-Based Personal Health Data Sharing System Using Cloud Storage. https://doi.org/10.1109/HealthCom.2018.8531125.
• Zyskind, G., Nathan, O. ve Pentland, A.S. (2015). Decentralizing Privacy: Using Blockchain to Protect Personal Data. https://doi.org/10.1109/SPW.2015.27.