Is it possible for a blockchain solution to respect the fundamental principles of data protection and privacy? We have previously analysed this issue (see March of the Blocks) and concluded, generally speaking, yes.
But does quantum change this? In our recent article ‘The Collapse of cryptography – considering the quantum threat to blockchain’, Ben Kingsley and Emily Bradley from our Quantum Computing Hub consider whether quantum computers herald the end of data security in the context of blockchain solutions, or whether the reality is in fact more nuanced.
As well as briefly explaining what quantum computing is and the threat it poses to blockchain (put simply, lots of blockchain solutions use public-key cryptography, and many popular public-key cryptographic algorithms are vulnerable to future attack from quantum computers), the article goes on to discuss the legal risks this could create. These include:
- GDPR compliance issues – where personal data is stored on a blockchain it must be kept secure using appropriate technical and organisational measures;
- Sector-specific compliance issues. For example:
  - banks and others in the financial sector must have appropriate systems and controls and adequate risk management systems in place. There are also proposed PRA and FCA rules to improve the operational resilience of firms, and senior managers responsible for data security could face regulatory scrutiny if data was compromised; and
  - operators of essential services (in sectors such as health and energy) and certain digital service providers that fall under the NIS regime are subject to further requirements to manage the risks posed to the security of networks and information systems which they use in their operations.
- Potential issues for directors. Interference with the integrity of data recorded on a blockchain could constitute an infringement of directors’ duties under the Companies Act 2006, as well as a breach of the UK Corporate Governance Code.
Appraising the quantum threat
It is clear that quantum computing has the potential to undermine the integrity of data stored on blockchain solutions, giving rise to a number of negative legal consequences. However, there is some debate about how real, in practice, the threat is. Many commentators appear confident that cryptography will be able to keep pace with developments in quantum computers, which are expected to be in use by governments and companies in the 2030s. Also, certain blockchain systems are considered by some (currently a minority) to be quantum resistant.
That said, where incumbent systems are vulnerable to quantum computers, bad actors could potentially steal encrypted data now and wait until advances in quantum computing make decryption possible. It is therefore important, irrespective of subsequent developments, for organisations to take measures now to mitigate such consequences. For example, for a number of reasons (including the quantum threat), the storing of personal data on a blockchain should be avoided as far as possible (using solutions such as middleware applications that sit on top of the blockchain to achieve this).
Comment
Despite current and future potential threats, we remain optimistic that the GDPR and other legislation relating to data security need not stymie the development of blockchain solutions. The limitations presented by blockchain must, however, be recognised and a pragmatic approach adopted, particularly in light of the threat to data integrity posed by quantum computers.
For more information, please see our article: ‘The Collapse of cryptography – considering the quantum threat to blockchain’