Many Americans would not be able to point out Estonia on a map, yet the tiny country has become a technological powerhouse and is the headquarters for NATO’s Cyber Defense Centre.
Estonia was also the first country to vote online (in 2005), and almost all Estonians can now file taxes online within minutes. Now the Estonian government is turning heavily to blockchain technology to further advance its digital government services and provide citizens with greater control over their personal data. According to former Estonian President Toomas Hendrik Ilves, “Estonia is now a blockchain nation.”
In parts one and two of this blockchain and privacy series, I've discussed how blockchains work and their potential to help “restore” internet privacy. In this third post, I will discuss the practical use cases of blockchain technology for privacy professionals, through the lens of Estonia.
Why are Estonians so keen to allow the government to store their information online?
After the collapse of the Soviet Union, Estonia sought to modernize its economy and build an e-government. In order to incentivize the adoption of e-government services, the Estonian government believed that its citizens first needed to be confident in the government’s ability to keep their data safe.
A 2007 cyberattack on Estonian banks, media outlets and government bodies became the first known cyberattack on an entire country. Although the effects of the attack were limited due to a number of defensive measures, government personnel feared that if a massive data breach were to take place, citizen trust in the government’s information system would be eroded.
Since the attack, the Estonian government has developed an incredible information security system emulated by a number of governments, including the United States. The Estonian government’s reliance on cryptography in order to secure personal data has led it to become one of the first nations to adopt blockchain technology.
Medical records
Estonia’s Electronic Health Record is a blockchain-based interoperable system that integrates medical data from Estonia’s different health care providers in order to create a common record that every patient can access online. Patients can access their own records from anywhere, and, in the event of an emergency, a doctor can access a patient’s universal record with certain cryptographic codes. The government is also able to compile health data for its national statistics in order to track epidemics and health trends.
One of the most pressing issues affecting the electronic health record system in the United States is the inability of patients and doctors to transfer medical records to different health care providers. Following in the footsteps of Estonia, U.S.-based startups and institutions are experimenting with blockchain technology in order to secure medical records. The most prominent project doing this is MedRec, developed by researchers from MIT.
MedRec is a cryptocurrency-backed system that manages medical records using the Ethereum blockchain. By linking access to patients’ medical records across their doctors’ databases, MedRec restores patients’ control over their medical data. Records are validated and added to the blockchain using the computing power of researchers, who are rewarded with aggregate and anonymized health data that can be used for medical research.
Personal identification
Estonian citizens can access their e-health records through the use of their cryptographically secured digital national ID card system. With 98 percent of Estonians having a verified online digital identity, it is much easier for Estonians to interact with blockchain-based services developed by the government and private companies. For instance, since 2012, blockchain has been in use for judicial, legislative, security and commercial code systems, with plans to extend its use to other spheres.
As mentioned in part two, ConsenSys, the U.S.-based company behind uPort and the Zug ID, has ambitious plans to create a blockchain-based self-sovereign identity. In 2016, ConsenSys and Microsoft joined forces to work on a blockchain-based identity system for refugees who lack proper legal identification.
Data protection and integrity
Estonian startup Guardtime has deployed the Keyless Signature Infrastructure blockchain for all levels of Estonian e-government infrastructure. The KSI blockchain can be easily integrated into pre-existing centralized databases, such as the Oracle Database, in order to provide a forensic-quality audit trail for the life cycle of database records. This technology not only helps to prevent unauthorized access, but it also logs any access or changes to a centralized database.
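The audit-trail idea above, as an added example that is not part of the original article and is not Guardtime's KSI implementation: a simplified hash chain over access and change events for one database row, showing that edits, deletions and truncation of the log are detected. The function names, actors, sample row and the externally stored anchor are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed start value for the chain


def digest(obj):
    """SHA-256 over a canonical JSON encoding of obj."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def append(log, actor, action, record):
    """Log one access or change; only a digest of the row enters the log."""
    event = {"seq": len(log), "actor": actor, "action": action,
             "record_id": record["id"], "digest": digest(record)}
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "hash": digest([prev, event])})


def verify(log, anchor=None):
    """Return the index of the first bad entry, or None if the log is intact.
    anchor: head hash kept outside the database (assumed by this sketch);
    without it, truncating the tail of the log goes unnoticed."""
    prev = GENESIS
    for i, entry in enumerate(log):
        event = entry["event"]
        if event["seq"] != i or entry["hash"] != digest([prev, event]):
            return i
        prev = entry["hash"]
    if anchor is not None and prev != anchor:
        return len(log)
    return None


def demo():
    """Constructed sample: three events on one row, then three tamperings."""
    row = {"id": 17, "name": "constructed patient", "blood_type": "A+"}
    log = []
    append(log, "clinic-app", "create", row)
    append(log, "dr-a", "read", row)
    append(log, "dr-a", "update", dict(row, blood_type="O-"))
    anchor = log[-1]["hash"]
    edited = [dict(e, event=dict(e["event"])) for e in log]
    edited[1]["event"]["actor"] = "nobody"          # rewrite who read the row
    return {"intact": verify(log, anchor),
            "edited": verify(edited, anchor),
            "deleted": verify([log[0], log[2]], anchor),
            "truncated": verify(log[:2], anchor),
            "truncated_no_anchor": verify(log[:2])}
```

The last two results show why the head hash has to be kept somewhere the database administrator cannot rewrite: a log cut short still verifies on its own.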
Is the blockchain the panacea for preventing Equifax-esque hacks? Aside from the decentralized credit score projects that are underway, blockchains provide many advantages for those looking to secure personal data on a blockchain.
Due to the lack of any “hackable” entrance or a central point of failure, data stored on a blockchain is likely to be more secure than when stored in centralized databases. The only way to access a private, permissioned blockchain is through the use of an authorized user’s private key or device, eliminating many cyberthreats that exist within our current system.
So will blockchain technology eliminate the need for privacy pros?
Not so fast ...
Data stored on a blockchain can only be safely removed through a fork of the original. While there are proposed solutions, any personal information that was stored on the “old chain” would continue to exist until that blockchain was no longer supported.
The blockchain’s immutable nature makes editing, removing, accessing or modifying personal data stored on a blockchain very difficult, if not impossible. More importantly, the inability to remove personal data puts blockchain technology at odds with many privacy laws and principles.
Current enterprise blockchain solutions are not only significantly more expensive and slower but are also more difficult to maintain and scale than centralized databases. Until such obstacles are overcome, it is unlikely that organizations will store massive amounts of personal data directly on blockchains. Nevertheless, due to the security advantages of blockchain-based technologies, regulators should look to reconcile the technology with data privacy laws.