Why too much privacy can be bad for security
It is an oddly counter-intuitive notion that sharing data with thousands of others on a distributed ledger can make it more secure.
As is becoming increasingly apparent, distributed ledger technology has applications throughout industry that go far beyond Bitcoin. As one example, in January 2019, Qingdao port in China joined the Global Shipping Business Network, which is currently working on a distributed ledger-based system to provide connectivity and information sharing between stakeholders in the shipping sector, an industry notorious for its reliance upon outdated, paper-based systems.
Qingdao port has a particular reason to be sceptical of paper-based systems, having been at the centre of a $3 billion fraud in 2014. That scheme involved a company called Dezheng Resources duplicating warehouse certificates to pledge shipments of metal, based at the port, multiple times as collateral for bank loans. In December 2018 Dezheng was ordered to pay $438 million in fines as a result of the scandal, and its chairman Chen Jihong was jailed for 23 years. Had the financial institutions involved been able to update and review a distributed ledger setting out what finance had been advanced against what collateral, perhaps that fraud might have been avoided.
Advocates of distributed ledger technology claim that it can bring benefits including, in the words of IBM, “greater transparency, enhanced security and reduced costs”. It is the second of these claims that may surprise some, because it is in the nature of a distributed ledger that information is spread widely between participants. Copies of the Bitcoin blockchain, for example, exist all over the world, such that the entire global transaction history is freely available online. How, it might be asked, can that possibly make data more secure?
The answer lies in the fact that security and privacy, while often used interchangeably, are not the same thing. For data to be secure it must not only be shielded from prying eyes, it must also have integrity. In other words, it must be available to the right people, at the right time, while being accurate and consistent, safe from alteration in unexpected or unauthorised ways.
Consider a spreadsheet of important data on a personal computer. It is the only copy of that data in existence and is therefore, in theory, private. However, if a malicious hacker were to access the data and change it, then the only copy of that data in existence would be wrong. Was it private? Yes, although not quite as private as its owner may have hoped. However, its integrity has gone, never to be retrieved. Therefore, it can hardly be said to have been secure.
The distributed ledger’s novel approach to data security is to outsource the maintenance of data integrity to the masses. With 100,000 copies of the ledger spread around the world, if a hacker were to access a computer and change a ledger, 99,999 other ledgers worldwide would instantly detect and repudiate the false information. The hacker would have to hack at least 50,001 ledgers simultaneously to stand a chance of success. The data is much less private (which carries its own set of risks), but in many important ways, it is much more secure.
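The mechanism described above, replicas detecting a tampered copy by majority agreement, can be shown in a few dozen lines. The following is an added illustration written for this page, not code from the article or from any ledger project; the warehouse-certificate entries, lender names and amounts are constructed sample values, and the replica count is a stand-in for the "100,000 copies" in the text. Each replica is a simple hash chain, so an attacker who edits one entry and then rebuilds that replica's own hashes will pass a local integrity check, and only the comparison against the other replicas reveals the change.

```python
import hashlib
import json
from collections import Counter
from copy import deepcopy

# Constructed sample ledger: finance advanced against warehouse certificates.
# Hypothetical values only, not drawn from any real case.
SAMPLE_ENTRIES = [
    {"certificate": "WH-0001", "lender": "Bank A", "amount": 1_000_000},
    {"certificate": "WH-0002", "lender": "Bank B", "amount": 2_500_000},
    {"certificate": "WH-0003", "lender": "Bank C", "amount": 750_000},
]
GENESIS = "0" * 64


def entry_hash(prev_hash, entry):
    """Hash an entry together with its predecessor's hash, forming the chain link."""
    payload = json.dumps(entry, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def build_ledger(entries):
    """Hash-chain the entries: every block commits to the hash of the block before it."""
    ledger, prev = [], GENESIS
    for entry in entries:
        digest = entry_hash(prev, entry)
        ledger.append({"entry": entry, "prev_hash": prev, "hash": digest})
        prev = digest
    return ledger


def verify_chain(ledger):
    """Local integrity check: every hash recomputes and links to its predecessor."""
    prev = GENESIS
    for block in ledger:
        if block["prev_hash"] != prev or entry_hash(prev, block["entry"]) != block["hash"]:
            return False
        prev = block["hash"]
    return True


def tip_hash(ledger):
    """The last block's hash commits to the whole history, so replicas can be compared by tip."""
    return ledger[-1]["hash"] if ledger else GENESIS


def detect_tampered_replicas(replicas):
    """Return the indices of replicas that disagree with the majority tip or fail their
    own chain check. Raises ValueError when no strict majority exists, because then the
    replicas alone cannot say which history is authentic."""
    majority_tip, count = Counter(tip_hash(r) for r in replicas).most_common(1)[0]
    if count * 2 <= len(replicas):
        raise ValueError("no majority: cannot decide which history is authentic")
    return [i for i, r in enumerate(replicas)
            if tip_hash(r) != majority_tip or not verify_chain(r)]


def tampered_ledger():
    """A replica where the attacker inflated one loan and rebuilt the hashes afterwards,
    so verify_chain() alone still passes."""
    entries = deepcopy(SAMPLE_ENTRIES)
    entries[1]["amount"] = 25_000_000
    return build_ledger(entries)


def simulate(num_replicas=7, tampered_index=3):
    """Replicate the canonical ledger, replace one copy with the tampered version,
    and return which replicas the majority comparison flags."""
    replicas = [deepcopy(build_ledger(SAMPLE_ENTRIES)) for _ in range(num_replicas)]
    replicas[tampered_index] = tampered_ledger()
    return detect_tampered_replicas(replicas)


if __name__ == "__main__":
    print("tampered replica passes its own chain check:", verify_chain(tampered_ledger()))
    print("replicas flagged by majority comparison:", simulate())
```

Two points worth noting. With a single copy, `detect_tampered_replicas([tampered_ledger()])` returns an empty list: the lone copy is its own majority, which is exactly the spreadsheet problem from the preceding paragraph. And real networks do not count copies but weigh votes by hashing power or stake under their consensus rules, so the "50,001 ledgers" figure in the text is the simplified majority idea this toy implements, not a literal attack cost.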
The trade-off between privacy and security is neatly encapsulated by the tribulations of Quadriga CX, Canada’s largest cryptocurrency exchange. It held the equivalent of £145 million in Bitcoin and other cryptocurrency reserves in a “cold wallet” (analogous to a savings account at a bank, as opposed to a “hot wallet” current account) accessed by a private key known only to its chief executive, Gerald Cotten. (It should be pointed out that this is an ongoing investigation, in respect of which facts are still emerging. Recent news reports indicate that in fact Quadriga’s holdings at the material time may have been somewhat lower than previously thought.) Tragically, it was announced in January 2019 that Mr. Cotten had died aged 30 from complications related to Crohn’s disease, while on a trip to India to open an orphanage, leaving nobody alive capable of accessing those funds. There is no Bitcoin Central Bank or court of appeal. If the private key to a cryptocurrency account is lost, the cryptoassets in that account are forever unavailable.
As a result, it appears that Quadriga (and its customers) have permanently lost their funds. The company has filed for creditor protection in Canada, but it appears doubtful that it can survive.
A surfeit of privacy brought about by insufficient information-sharing meant that Qingdao port was vulnerable to a multi-billion dollar fraud. Meanwhile, Quadriga’s data was as private as can be. But for want of information available to the right people, at the right time, investors are likely to lose millions. Privacy is not security, and security is not privacy. Distributed ledger technology’s contribution to data security may be counter-intuitive, but in the right circumstances, it is in fact one of its greatest strengths.