How blockchain could help prevent another Windrush scandal
Experts say UK gov should follow Estonia's example on how to modernise public services
Blockchain promises to revolutionise the way we handle data and, so far, its impact has been pretty remarkable.
It has single-handedly been responsible for the creation of the cryptocurrency phenomenon, and it's also starting to see compelling real-world application within the financial and trading industries, where immutability, accuracy and transparency are fundamental to business.
Yet these principles aren't just necessary to business; they're also essential to public life. Recent events have exposed public sector inadequacies when it comes to dealing with modern threats and demands on data, whether that be the rise of cyber crime, the deployment of emerging technology, or the growing trend to control one's own data.
Attention has naturally turned to technology for an answer. As remarkable as blockchain is, it remains a fairly nebulous term even among IT leaders, and its potential use cases are still being considered within tech. However, some believe that blockchain is potentially a silver bullet for society's data woes.
Preventing another Windrush
The Windrush scandal was perhaps one of the most damning examples of inadequate record-keeping in recent times. Migrants invited to Britain after WWII were threatened with deportation because they were unable to provide enough documentation to prove that they were here legally.
The gross inadequacy of the UK government aside, the case sparked a conversation around the modernisation of public records. One solution that's been proposed is the creation of a public sector blockchain for the storage of citizen IDs: an immutable record that would be accessible to both public authorities and the data subject. Once citizenship details had been entered on the blockchain, no government would be able to delete them.
"Public blockchains enable a self-sovereign identity, a digital identity owned by the individual it identifies," explains Eoin Connolly, a lecturer at the National College of Ireland and advocate for the use of distributed ledgers in the public sphere.
"No corporation can deactivate it and no government can deny its existence, and because this self-sovereign identity is cryptographically secured by the individual's ownership of a private key, there isn't a single centralised honeypot where every private key is stored."
"Instead, the keys are owned and controlled by a billion people, all recoverable in the event of theft or loss, backed up offline in a long sequence of random words and capable of not only storing the proof of our identities but ownership of our digital assets as well."
Digital citizens
Estonia has used blockchain in its public services since as early as 2008
Estonia has become the litmus test for this type of approach. Having issued e-residency ID cards since 2014, the country now uses a blockchain across a host of critical public infrastructures, including in its registries and national security. This has allowed for the creation of a digital identity that not only records data, but can be used by citizens to access healthcare, to set up bank accounts and when travelling.
It's still unclear how a similar system might be applied in the UK, but experts believe that a tailored blockchain that's different to a standard cryptocurrency ledger would be needed when it comes to handling sensitive data.
Cryptocurrencies are built using public (permissionless) blockchains, meaning that anyone can join the network and verify transactions. While that's essential for digital currencies to function, a blockchain operating in the public sphere would need to be far more restrictive.
"While chained blocks and resulting (quasi-)immutability of blockchain records is good for cryptographic security, there needs to be a way to also deal with errors and unpredicted events," says Dr Katrin Tinn, professor in finance at Imperial College Business School.
"When it comes to more sensitive data (such as medical records held by NHS), well-defined ownership and access rights to this data are no less important than making sure that the data is not lost."
The digital isle
Underneath the idyllic veil, the Isle of Man is at the forefront of disruptive technology
This idea has yet to be broadly implemented by Britain's public sector, except for one often forgotten strip of land in the Irish Sea: the Isle of Man.
This crown dependency was the first government in the world to store company data on a blockchain ledger, and in 2014, it was the first government to regulate digital currencies. What's more, over 30% of the island's economy is now reliant on e-business and e-gaming.
Following successful early implementation of blockchain, the Isle of Man is now looking to use the technology to address wider societal problems, including fraud.
"We see excellent examples, such as how lottery winners may be protected by blockchain technology," says Brian Donegan, head of e-Business operations for the Isle of Man government. "A lottery winner may now have winnings protected by the censorship-resistant record of the blockchain which has the potential to prevent criminals from accessing assets. This format works in the same way for traditional bank customers wishing to protect funds from fraudster access."
Data held to ransom
The NHS fell victim to the WannaCry attack that infected 200,000 systems across 150 countries
The accessibility of public data is one thing; securing it is another matter entirely. If the WannaCry ransomware attacks last year proved anything, it was that the public sector, particularly the NHS, was entirely unprepared to deal with modern cyber threats.
Ransomware relies on being able to target an organisation's weak spot: a single point of entry that allows it to spread through a system and encrypt data while remaining undetected by users and security software. Once that task is completed, it then reveals itself to the end user. Donegan believes that if blockchain had been deployed within the NHS, WannaCry could have been entirely averted.
"A hacker exploits a single point of failure in a network in order to gain access; this does not arise with blockchain," he explains. "Whenever a change or transaction occurs in the database, it is known to all of the computers in the network, which verify the transaction or decline it."
"In other words, if there is no single point of failure or a centralized location to attack, the hacker cannot steal information. With blockchain it is impossible for a hacker to steal data without raising an alert as the whole network immediately knows about any activity happening on it."
Blockchain is still seen as a highly disruptive phenomenon in the tech world, and while that's an attractive proposition to a fledgeling startup, convincing public services already struggling to update older IT infrastructure that they need to invest in a technology that has very few real-world use cases is a difficult task. And let's face it, if the NHS is still using almost 9,000 fax machines across 124 Trusts, it's clear the UK government has a lot of work to do before it's ready to embrace the technology.
And that's before we consider the legal ramifications of rolling out blockchain across the public sphere. Prior to the introduction of the EU's GDPR on 25 May, legal experts warned that there were "irreconcilable differences" between the new regulations and the core concepts of blockchain, differences that have yet to be addressed.
Two days prior to the launch of GDPR, Malcolm Dowden, legal director at Womble Bond Dickinson, told IT Pro that the rules around blockchain are murky at best, as, in theory, the act of adding a new node or data subject to a network could be classed as data processing, with that data being replicated across the ledger. While this is largely a problem for open blockchains, there's also a distinct lack of clarity when it comes to using private systems.
In fact, Nigel Houlden, head of technology policy at the Information Commissioner's Office, the body responsible for enforcing data protection laws in the UK, says the technology gives him "nightmares" and that there are likely to be dozens of regulatory roadblocks if attempts are made to create a blockchain-based system.
At this stage it appears to be a matter of if, not when, which is unfortunate given the success of the technology so far. If we're to avoid another scandal like Windrush, an overhaul of the way we handle data is needed, and blockchain is perhaps the best chance we have.
Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.