[Cross Post from Authors Blog]
There is a lot of misconceptions around in what a blockchain is – especially in the government sectors. A lot of the discussions with various government stakeholders gave me the impression that the following misconceptions are most prevailing and must be addressed by blockchain technologists:
a. Blockchain is like the Internet – you need to build a network infrastructure around the country or in a state – so that everyone can use that infrastructure to do their e-governance and other applications. Case in point is a publication by the Tamil Nadu E-Governance organization – they have claimed that they are building a state-wide blockchain which will enable all stake holders to build applications on – this is a very misleading concept. Blockchain protocols sit on top of the Internet (be in private or public blockchain) – what you need is the software that runs on various nodes (the nodes could be heavy duty – like servers or light weight – like mobile phones, depending on what the role of the node is in the blockchain)
b. Blockchain is secure – this is another dangerous misconception. Blockchain – if the mining, ordering, or consensus nodes are programmed correctly, and has the requisite redundancy – can guarantee information integrity – i.e. the information on which consensus has been reached cannot be changed without getting caught. However, blockchain nodes run programs, and for second and third generation blockchains they also get transactions done on behalf of people – through smart contracts. There have been numerous cases where smart contracts have been found to have security vulnerabilities – which led to huge monetary losses, exfiltration of information etc. So Blockchain does not guarantee security – it is the designers of the blockchain and programmers of smart contracts who must do either secure systems or do post facto remediation when security bugs are discovered – and provision for remediation must be in the design itself.
c. Cryptography guarantees Blockchain data integrity – this is a partial misconception. Not all blockchains use quantum-safe cryptography – which means that it is not forward secure. If post-quantum cryptography is not used in the blockchain primitives – one can in the future lose all integrity and security.
d. Government must design a blockchain on its own and force every government organization to use its implementation of blockchain – this is another dangerous misconception. First, interoperability between distinct blockchain technologies is an active area of research and depending on which existing blockchain you use – there may be ready-made methodology and solutions. So, interoperability cannot be the reason for this. However, a number of government people argued with this justification for government designed and mandated blockchain platform. Second, for every application – depending on the complexity of the business process of governance – one has to benchmark various blockchain solutions to select which works the best – some blockchain are designed only for mining cryptocurrency (Bitcoin and Blockchain-1.0 solutions), -- some are designed to process complex transactions – currency or other wise and requires smart contract programming (Ethereum and other Blockchain 2.0 solutions), -- some are designed for legal contract enforcement and alarming violations of contracts – not necessarily financial contracts (Corda and Blockchain 3.0 solutions) – some blockchains are only used for time stamping documents permanently (the KSI blockchain and Hashgraph of other kinds). Besides the purpose – there are other issues – such as what transaction volume is predicted in the application and whether the chosen blockchain can support that, the consensus mechanism and its robustness and speed, the volume of the blockchain data that can be handled, whether ordinary lightweight nodes can do transactions and verify sanctity of transactions and many other issues. Therefore, any attempt to fix the blockchain and forcing everyone to use it would mean ill-fitted for the purpose, ill-fitted for the semantics of the business process to be automated, ill-fitted for transaction volume or usage requirements and so on. Another issue with government producing its own implementation or basic skeleton implementation. The most important primitives in a blockchain base – is crypto primitives. Government may even select to use crypto that it can break – and then no one will trust any of the applications built on top of base. On the other hand, the most compelling reason for using blockchain based decentralized e-governance solution is to create trust among stake holders – that the signatures cannot be forged to create forged transactions on someone else’s behalf, that the hash are conflict free so there is guarantee of tamper resistance, in case data is encrypted on the chain – that the data is confidential etc. – if that purpose is subverted by insisting that the e-governance project can use only government built blockchain – it will completely defeat the purpose of blockchain based e-governance.
e. One has to have a government vetted closed source blockchain platform to run e-governance solutions: One must understand that open source software such as Linux has been shown to be less ridden with security bugs than proprietary ones such as Windows – reason being that open source community is a worldwide community of conscientious and top programmers --- government cannot have at its disposal that quality of software developers – and hence its implementations will have security bugs – and black hat hackers will make use of that. Also, fixing bugs in open source community happens immediately once reported – as somewhere some programmer in the world would fix and publish patch – whereas unless a long-lived development team of that high expertise is available with the government they should not even try.
f. Blockchain cannot have data-privacy: A lot of the people I found to be mistakenly thinking that all data in a blockchain are public data. That is not true at all. First, one can always choose to put only relevant meta-data that would ensure integrity of the data being protected – while the data fiduciary controls the ownership of data on their own premises. The blockchain is NOT a database – it is Not meant to be burdened by all data generated. Blockchain only ensures data integrity – which can be ensured without putting the data on the blockchain. If the data needs to be shared among parties – even, then channels can be created between the relevant parties (like in Hyperledger) – to ensure privacy. Further cryptography can be used to keep the data confidential from anyone else on the channels.
g. “Right to forget” in the data privacy law (being tabled in the parliament) is incompatible with blockchain usage: Again, the point above addresses this issue to a large extent – also note that since the Data Privacy laws will come soon which will define what information is to be considered private – one can always avoid putting that kind of data on the blockchain and only put the witness certificate of data integrity into the chain.
h. Data localization is not guaranteed if we use off the shelf blockchain – as the data will be replicated worldwide. But for e-governance you will not put data on bitcoin or Ethereum or something of the kind that is replicated worldwide. You will use private blockchain run by nodes whose identity can always be established by their cryptographic identity (digital certificates). So, all e-governance data will reside on blockchain that will entirely reside on nodes within the country. Also, as explained before, blockchain does not have to contain all the data but metadata about data from which data cannot be inferred.
i. Government must regulate blockchain technology:, Lot of government agencies seem to think so but no one seems to know what to regulate. In my view, regulation may be needed in the future once it is clear where and in what manner blockchain technology is being used in the country. It seems too premature to consider regulation as a policy. The policy framework can be updated in the future after letting the technology being used extensively. Surely, the cryptocurrency should be regulated – and probably not be used until it is well understood by the RBI. I will write about dangers of cryptocurrency in countries like India in a different note.
Overall, I think before we put forth a policy that becomes binding on all government departments – we need to seriously create a very large-scale awareness drive with extensive training programs – in the government sector. The industry stake holders playing in this field understands blockchain but many of them know it in silos. So, companies dealing with cryptocurrency blockchains seem to have many of the above misconceptions as well. Companies dealing with supply chain blockchain do not find the restrictions on cryptocurrency very understandable and so on.
Professor, Computer Science and Engineering at Indian Institute of Technology, Kanpur