Who ate all the PII? Not the blockchain, thankfully

Dutch security firm Gemalto has said its blockchain product, slated to pilot later this year, will keep personal data off the blockchain.

According to the Dutch outfit, the forgettably named Trust ID Network is aimed at users and digital service providers that need verifiable Self-Sovereign Digital IDs where "attestations" issued by trusted parties are stored on the blockchain.

Only the "attestations" will be stored on the blockchain, keeping the personally identifiable information (PII) itself under sole control of the users.

The app will sit on R3 open-source blockchain platform from Corda.

Getting personal

A misapprehension about blockchain was that as an immutable distributed ledger it would be the perfect platform for storing PII or that such information should or would be included in each chain.

Another view held that blockchain could be used to create "attestations" on the chain that point to off-chain PII storage. It remains a controversial topic within the blockchain community.

Dan Gisolfi, IBM CTO of Trusted Identity, Blockchain Technologies, said earlier this year: "One of the most common myths surrounding blockchain and identity is that blockchain technology provides an ideal distributed alternative to a centralised database for storing personally identifiable information.

"This misconception about PII storage in the early stages of the blockchain technology adoption lifecycle is so pervasive that it inspired a Twitter thread dedicated to the debate on why putting hashed PII on any immutable ledger is a bad idea. From GDPR compliance, to correlation, to the cost of block read/write transactions, the debate continues."

Gisolfi reckoned he was trying to debunk some myths and help people gain "an understanding for how blockchain can be used as an infrastructure for identity attestations".

TrustedID? IDTrust? What's it called again?

Gemalto said Trust ID Network would provide privacy, security and immutability along with a streamlined integration for service providers and the ability to support mission critical identity services.

Bertrand Knopf, Gemalto executive vice president for banking and payment, claimed in a statement that the app would solve the weaknesses of traditional, siloed identity frameworks that suffer from "clumsy user experiences", rising costs and difficulties in complying with stricter regulations.

As a guideline, recitals in EU's General Data Protection Regulation describe pseudonymisation as an "appropriate safeguard" (156) and emphasised that it should be incentivised (recital 29).

However, the understanding is hashed or "pseudonymized" data is still considered "personal data" because there is always a risk of reidentification, so this sort of solution makes sense from a risk-reduction point of view. ®