Les technologies blockchain se sont imposées comme des outils efficaces pour tracer les flux de marchandises. Elles offrent un paradigme de confiance pour l’ensemble des acteurs des chaînes logistiques et l’on remarque que la nature même des biens échangés a peu d’importance, du moment que l’on trouve un moyen de les dénombrer. Pourquoi alors ne pas utiliser ce paradigme pour l’échange d’objets non tangibles, tels que les données personnelles, dont chaque usage fait aujourd’hui l’objet d’une déclaration de consentement ? Dans cet article, nous nous interrogeons sur la mise en place d’un registre basé sur la blockchain pour permettre à chacun de tracer les autorisations données au quotidien lors de l’utilisation de services numériques.
(Article en anglais)
For several years now, blockchain technologies have established themselves as effective tools for tracking commodity flows. The immutable nature conferred on the data stored in these infrastructures creates a paradigm of trust for the large number of stakeholders engaged in the value chain. The goods traced on these blockchains are diverse, for example foodstuffs, luxury items, medical records, and we note that the property’s nature does not matter as soon as we find a unit to enumerate it.
Therefore, why not apply this paradigm of tracking goods to data? In this article, we outline a basis for reflection on a potential solution for monitoring the treatment of users’ information in a context where personal data is the driving force of the business of today’s largest companies.
By now, we have all perceived the big private companies strategy, particularly the superpowered GAFAM (Google, Amazon, Facebook, Apple and Microsoft), that under the pretext of always better satisfying their customers make sure to collect a lot of personal data to feed their business model.
These companies have repeatedly shown their inability to effectively protect information about their users. Time after time, they have showed their bias to manipulate this data, to resell it or buy it back for their own profit. The abuse of manipulation of users’ personal data has provoked many scandals these last years. In 2018, it turned out that millions of Facebook users’ personal data was collected without consent by Cambridge Analytica (British political consulting firm) 3 years earlier to be used for political advertising during the American elections campaign.
In pursuance of signaling its firm stance on data privacy and protection of its citizens, the European Union (EU) passed in 2018 the General Data Protection Regulation (GDPR). This regulation levy hash fines against those who violate its privacy and security standard. Among its articles, the seventh regarding “consent” has a straight impact on consumers and digital service providers. It establishes that anyone using any online service, must give his consent for the use that will be made of his personal data. The company responsible for processing this data — whatever its size — must be able to demonstrate that it has this consent. This results in a huge number of consents given each day.
We envision a consent registry where the user’s consent to use his personal data is stored in a blockchain infrastructure. The storage of consents “on chain” would be beneficial to both involved parties: the user and the service provider. On one side, the user profits from the traceability of all the consents he gives, as well as the revocation of these consents. On the other side, the service provider benefits from the transparency and unalterable characteristics of blockchain systems to consistently prove their possession of these consents.
Let us illustrate the use of this registry with a daily use case, Bob that connects to his favorite social media web site, let us say Facebook.
A proposal for managing use of personal data with blockchain technologies
With this blockchain solution, Bob is fully aware of the consents he gives. Through this platform, Bob can directly track the consents he gives to the different websites he uses, which are all linked to his identifier. This infrastructure also authorizes Bob to revoke any of his consents to the use of his personal data, ensuring that this revocation is visible to all involved parties participating in the blockchain. The registration of the revocation through the smart contract in the blockchain serves as a legal proof. Thereupon, a website that continues to process a user’s personal data after his revocation will face the appropriate penalties enforced by GPDR regulation.
It must be pointed out that what is entered in the blockchain, in the smart contract, is the type of data (name, birthdate, address, etc.) to which the user gives the consent, and not the user’s information itself (Bob, 16/06/1990, 1 Roseville Avenue, etc.). It is the smart contract identifier, its address in an Ethereum blockchain for example, that allows the user to track his consents.
The interest could be found in the transparency of the communication, as an extension of the cookie’s information banners used by all websites today. This argument could gradually become unavoidable as the number of companies adopting this solution to prove their transparency increases. The trade-off is then: following the flow or risking company image damages. Furthermore, the pressure will come from the users that will demand this transparency from all companies processing their personal data.
We believe that the use of these blockchain consent registries could one day become the standard, such as the use of the protocol https and its padlock icon has become inevitable.
Obviously, the proposal we make here is the very first step of what would be a long running project. The implementation of a blockchain solution comes with quite a lot of questions that one should inevitably answer to. Whoever would be interested in getting deeper into that kind of solution should at least think of a governance scheme: who, on the system, run the nodes? Who’s allowed to read/write on the ledger? Do I need a trust organization to manage the system?
One of the options would be that organizations responsible for the regulation of citizens data protection, such as the CNIL in France, would be the ones in interest to set up these blockchain infrastructures and oversee its governance. The companies willing to participate would simply have to implement the blockchain APIs into their existing information systems.
It would come out some insight on what kind of blockchain to use: private or public, permissioned or not, etc. Then only would come the time for technical questions.