Privacy 'poisoning' poses threat to companies using blockchain

A new type of cyberattack that can render blockchain technology unusable may become a major headache for organizations that depend on it.

Known as privacy "poisoning," the attack involves loading private data, such as names, addresses and credit card numbers, or illegal material, such as child pornography, into a blockchain, therefore putting the network in conflict with local laws. The result: The affected chain with all of its contained data cannot be used unless expensive and time-consuming steps are taken.

Blockchain is a digital ledger of transactions run on a network of computers with no centralized governing or regulatory authority. It's run by those who use it. The technology is increasingly being explored by banks and financial services firms, governments and startup businesses for its potential to improve the effectiveness of payment systems while cutting costs.

A factor in the rise of blockchain poisoning is the introduction of strong data privacy laws such as the European Union's General Data Protection Regulation (GDPR) and California's Consumer Privacy Act (CCPA). Both allow consumers to request that personal data held by a company be deleted or erased.

This is a problem for blockchain systems because they are designed to prevent changes to past transactions, and there is no central authority charged with correcting problems. Bart Willemsen, a Gartner Inc. analyst, said the one-two punch of privacy poisoning and privacy laws will hit public blockchains especially hard.

Willemsen estimated that by 2022, three out of four public blockchains will suffer privacy poisoning — inserted personal data that renders the blockchain noncompliant with privacy laws. Businesses wanting to implement the technology must determine if any of the data being used falls under privacy laws, he said.

"Organizations that implement blockchain systems without managing privacy issues by design will run the risk of storing personal data that can't be deleted without compromising chain integrity," a Gartner report said.

Private blockchains are slightly more resistant to privacy poisoning, although it can occur. In those cases, any companies that are still connected to the ledger can force all the participants to join in a "hard fork" to erase the offending data. Or private blockchains can force all them to stop operating, rendering the encrypted data permanently inaccessible.

Kenyon writes for CQ-Roll Call.