Are Witnesses Liable For Data Privacy Issues on Steem Blockchain?
GDPR - The Most Stringent Data Privacy Regulation in EU
Next week, from 25 May 2018 to be precise, the General Data Protection Regulation (GDPR) will become enforceable in EU region. This is one of the most strict data privacy regulations in the world. Businesses had to invest to the tune of billions of dollars to ensure their compliance with this new data privacy regulation.
In light of this, the words of Steemit CEO, Ned Scott, in the panel discussion held this week at Consensus 2018 event becomes very important. Steem Witness @ura-soul has raised a serious concern upon the onus of legal liability for the content take down issue. Who should be held responsible for that?
Steem Witnesses Should Face All Legal Issues Related to Steem Blockchain?
Ned Scott has clearly stated that the data can be made inaccessible or obscured by the front-end tools like Steemit, Busy and Dtube. So these apps can comply when the issue of content removal arises. But since blockchain technology cannot DELETE any data, Steem network may not remove any content even if it is legally requested to do so.
Steem blockchain is unmutable but this doesn't apply to its front-end apps. This implies that people and organizations that manage and facilitate Steem blockchain i.e. Steem Witnesses are legally liable for their inability to remove any content when legally mandated to do so.
Do Witnesses take this risk into account while opting-in to run a Witness server? Can they actually be held liable for it?
Blockchains Can NOT Comply With GDPR
GDPR regulations are framed to serve the best interest of consumers and are an attempt to give them total control of their own personal data from the clutches of centralized corporations. But paradoxically, it makes the whole public blockchain technology questionable …and may be obsolete by some opinions as blockchains in the current state can’t comply with these regulations.
Public blockchains are permission-less, publicly distributed ledger. Anyone can access that data and run a full node. But GDPR requires the data to be confined in the boundaries of EU only. So no one outside the EU can run a node.
Only Centralized Businesses Were Considered While Framing GDPR
The distinction between data controller, data processer and the data provider also becomes blurred in the case of public blockchains as anyone can download the full ledger in their own computer, run a full node while transacting over the blockchain. So by virtue of this, a consumer herself is the provider, controller and processor of the data. So I wonder who will sue whom?
The regulation also has a provision of a penalty to the extent of up to 4% of the global revenue of the business in question. In the case of Steem, it will be Witnesses. But their earnings are in Steem tokens, the legal validity and value of which is still doubtful. In case if these tokens can’t be liquefied, can a Court enforce an attachment of tokens by freezing them or auctioning them?
The right to be forgotten or the right to erasure is also not very clearly defined in GDPR. So, irreversible encryption of content on the blockchains can also be deemed as erased.
In fact, all data in blockchain is already in hashed and encrypted form. I don’t know much, but what @ned seemed to be conveying is that only front-end apps like Steemit presents the data in readable form. So if all apps (including blockchain explorers) can take down content at their end, will the data be still accessible by general public? I guess, GDPR encourages data anonymization and pseudonimisation as a solution to safeguard consumers’ privacy.
A Precedent In Support of Steem
There was an interesting case where only data processor Google (like Steemit app) was held liable for displaying the information from a newspaper website where as the data controller newspaper (Steem blockchain in this analogy) was not held responsible. I think if this precedent was applied to Steem network, it will spare Steem Blockchain, (the data storehouse) and only held front-end apps like Steemit (data processor) responsible for taking down content. This according to @ned is possible to do. But this case predates GDPR.
I feel there aren’t much option before blockchain-based businesses for GDPR compliance. But in future, the blockchain design can involve features to make them compatible with GDPR kind of restrictions. This will surely come at the cost of wider innovations in this technology, if such a law is adopted across the world.
Can GDPR Really Protect Consumer Privacy?
May be, such a regulation can safeguard consumers’ privacy better. But blockchains are, by nature, transparent, decentralized and trustless DLTs. To protect anything, first we need to isolate and confine it. But if it is confined, it becomes centralized and prone to hackers or attacks. This ultimately put a risk on consumers’ data. I dunno what, but it’s an interesting paradox to me.
So I’m interested to learn what other Witnesses or techies are thinking about this issue and how a public blockchain will survive GDPR post 25th May, 2018.
Any clue?
@ura-soul has had an update on legal advice and it seemed positive.
https://steemit.com/steem/@ura-soul/gdpr-compliance-for-steem-who-is-responsible-an-update-after-speaking-with-uk-gov
Thank you for pointing me to this link! I wasn't aware of it.
@andybets provided a useful link to a document in the comments from a legal firm analysing GDPR in relation to blockchains.. It doesn't answer the full question for Steem but it does fill in some blanks.
Yeah, I had found that pdf too and had read it partially.
The response you got from the Govt. office is quite reassuring but imho, you should get an expert opinion in writing even though it takes 5 months for it.
I hope too... Steemit stand effectively as per GDPR.
@xyzashu what a great study. I hope steemit will stand as per the General Data Protection Regulation (GDPR).
This is of course an interesting point of view.
The thing is any time we think about blockchains in a legal context we are missing the point.
The point of the blockchain is that we do not require the state or any other law/governance outside of the blockchain.
This is where the efficiency is coming from. If we combine the state + blockchain governance we have non-working, non efficient system.
The steem blockchain does not care about the EU or the US or any law. It cannot comply with any of its laws and if it could it would be useless, because mysql would be better.
It's easier said than done. If we need to revolt against the sovereign laws to bring about this revolutionary changes, how many of us are prepared to go to jail for the sake of it?
Blockchain revolution can only pick up if it can continue to grow complying with the existing system or evolving out ways that can make the tracking by the authorities impossible. If privacy system is designed to be so fool-proof that no witnesses can be identified and tracked down, then it becomes possible to run a witness without giving a shit to any law or regulation.
Right but then what is the value of the block-chain?
To prove its value, we first need it to survive and grow its base. Once it acquires a critical power, strong fool-proof privacy features facilitating complete anonymity and truly censorship-free transactions with wide acceptance as preferred currency of transaction will help it to actually establish and function as a censorless, borderless, permissionless, trustless,decentralized entities. Until then we need to take care of all possible survival tactics.
Great thought about steem and steemit.. @xyzashu I think, decentralized networks across the globe will be able to implement all of the GDPR standards...
If any leak had happend, it would be seriously hard to aim artificer. It's another problem for blockchain projects like steemit. But is it really possible that someone can decrypt data from steem blockchain ?
Yes i think GDPR can protect customer privacy
@xyzashu has set 1.000 SBD bounty on this post!
What is a bounty exactly?
A bounty is money sent to a post to be distributed to the users commenting on it. It provides a way to reward users directly and works in addition to the steem/sbd they receive from the blockchain. It works independently of SteemPower.
You create a bounty by sending any amount of sbd/steem to @steem-bounty together with a post-url in the memo.
How can I earn a bounty Users are then competing for the bounty by writing their answers to the post in comments that will achieve upvotes from the community and especially the bounty creator. The money of the bounty gets distributed to all top level comments of the post at the same time when the post is paid out (7 Days after it was written). How much everyone gets depends on the votes the comments received. The sender of the bounties votes are weighted higher so that she decideds where 80% of the bounty money goes and all other votes determine the rest.@steem-bounty does all of this for you automatically. You can use this service to automatically pay out a challenge, ask a hard question or simply to reward the people that interact with you.
Read more about how it works, even in different languages here.
Congratulations to the following winner(s) of the bounty!
Thank you for your continued support of SteemSilverGold
Congratulations! This post has been upvoted from the communal account, @minnowsupport, by xyzashu from the Minnow Support Project. It's a witness project run by aggroed, ausbitbank, teamsteem, theprophet0, someguy123, neoxian, followbtcnews, and netuoso. The goal is to help Steemit grow by supporting Minnows. Please find us at the Peace, Abundance, and Liberty Network (PALnet) Discord Channel. It's a completely public and open space to all members of the Steemit community who voluntarily choose to be there.
If you would like to delegate to the Minnow Support Project you can do so by clicking on the following links: 50SP, 100SP, 250SP, 500SP, 1000SP, 5000SP.
Be sure to leave at least 50SP undelegated on your account.