Navigating AI Governance in Caribbean Telecom: Privacy Implications
We’re all familiar with how much of our lives are tracked and quantified in the digital age. From the step counter on your phone to the number of likes on your latest selfie, we are constantly leaving behind a trail of data. And while some of it might seem harmless (after all, who doesn’t love a GPS that guides them around traffic?), the reality is that all this data also raises big privacy concerns—especially when it comes to Artificial Intelligence (AI) in the telecom industry.
AI, Telecom, and Privacy: What’s the Connection?
Telecommunications (the networks that carry our calls, messages, and data) is the backbone of our connected world. Think of telecoms as the pipes that carry data like water, and AI as the smart system that analyzes and optimizes how that data flows. It’s a powerful combo, but it comes with a big question: How do we protect our privacy in a world where AI is positioned to process so much of our personal data? You might already be familiar with AI as the brains behind chatbots or the villain in sci-fi movies. But AI is much more than that. It’s about machines that can learn, adapt, and make decisions that usually require human intelligence. From facial recognition to self-driving cars, AI is rapidly transforming how we live, work, and communicate. In the telecom sector, AI can analyze massive amounts of data, optimize network performance, and enhance user experiences. But here’s the thing: as AI collects, processes, and analyzes data, it has the potential to uncover deeply personal insights about us—without us even knowing.
The Data Deluge: What’s Being Collected?
Consider how much data is recorded about you every single day: Your phone’s GPS tracks your movements. Your IP address links you to the Wi-Fi, revealing browsing habits. Your voice assistant is always listening for commands. All of this data flows through networks—and with 5G on the horizon, the amount of data moving through these pipes will only grow. But with all this data being collected, there’s also a big risk. The more devices connected to the network, the more chances there are for data breaches or cyberattacks. Your smart fridge, your security camera, even your car—everything is potentially vulnerable to surveillance or compromise.
The Caribbean’s Privacy Challenge
So, where does the Caribbean stand in all of this? Our legal and regulatory systems for data protection are often fragmented, with each country having its own laws and guidelines. This patchwork approach can make it harder to enforce privacy and security consistently across the region. The EU, on the other hand, is a shining example of regional collaboration. Its General Data Protection Regulation (GDPR) is a robust framework that protects individual privacy while allowing innovation to flourish. The Caribbean could take inspiration from this model—creating a regional approach to AI and data governance that balances the need for privacy with the drive for technological progress.
Privacy Laws: Are They Keeping Up with AI?
Current privacy and data protection laws in the Caribbean often struggle to keep up with the rapid pace of technological change. For example, most laws focus on the collection of personal data—like your name, email, or location. But with the rise of AI, new categories of data are being generated. AI can infer things about us from patterns in our behavior, such as predicting our health, financial status, or even our likelihood to commit a crime. This inferred data can be just as revealing—and sometimes more invasive—than data we willingly share. Take the unverified story of Target and the annoyed father. The story is that the American retailer once used AI to predict when a customer was pregnant based on their shopping habits. They then sent highly personalized coupons to customers at specific stages of pregnancy. While this data was highly effective for Target, it raised privacy concerns when a father received maternity coupons for his teenage daughter—before he even knew she was pregnant. This story highlights two key issues:
There are new types of data (like inferred data) that aren’t always covered by existing privacy laws.
Inferences made by AI—whether accurate or not—can have serious implications for privacy.
A New Approach to Data Classification
So, how do we fix this? One solution is to rethink how we classify and protect data. Right now, privacy laws focus heavily on identifiable information—data that can directly identify an individual, like your name or address. But with AI, data can be generated or inferred about you without your direct input. This includes things like your health status, your interests, or even your predicted behavior. A more comprehensive data governance framework for the Caribbean should take a risk-based approach and focus on four key areas:
Source of Data: Where does the data come from? Is it directly provided by the individual, collected indirectly, or inferred through algorithms?
Sensitivity of Data: How sensitive is the data? Does it pose a risk to the individual, others, or society as a whole if it’s exposed or misused?
Intended Use: How is the data being used? Is it for personal, operational, or critical uses? Data used for healthcare or legal decisions, for example, requires stricter oversight than data used for marketing.
Privacy Rights: Individuals should have control over how their data is used. This includes the right to access, correct, or delete personal data—and challenge inferences made by AI.
A Balanced Approach to Privacy
It’s clear that AI will continue to shape our lives. The challenge is to ensure that while we embrace these technologies, we also protect individuals’ privacy and rights. A balanced data governance framework—one that considers data’s source, sensitivity, and intended use—will help safeguard privacy while allowing for innovation. As the Caribbean continues to develop its approach to AI and data protection, regional cooperation will be key. A unified framework for AI and privacy can ensure that we protect personal data without stifling the technological growth that promises so much for the region.
The JamCovid App Security Incident and its Implications
Background
Just over a week ago, the renowned online technology news site TechCrunch released a shocking article revealing a major security failure that resulted in the possible exposure of the private information of thousands of travellers to Jamaica. Within a week of the first vulnerability being exposed, TechCrunch uncovered not one but two additional security vulnerabilities, which led to the website finally being taken offline.
Based on the initial published report, the JamCovid App and website, which is used (i) to pre-approve travellers to the country, (ii) to facilitate self-reporting of Covid19 symptoms and (iii) to aggregate and publish periodic Covid19 statistics for the Ministry of Health, was built and developed by the Amber Group for the benefit of the Jamaican government.
The type of data collected by the JamCovid App appears to be:
Names
Emails
Phone Number
Addresses
Passport Numbers
Dates of Birth
Nationality
Name of Employers
Job Title/Position
Photographs
Flight information
Airline
Date of arrival
Date of departure
Flight Number
Port of Disembarkment
Cookies and Usage Data
Health Information including temperature readings and symptoms submitted by travellers and self-reporters
Travel Authorization Reference Numbers
Geo-Location Information
And based on the TechCrunch article, also included:
According to the first report published by Zack Whittaker of TechCrunch, a storage server hosted on Amazon Web Services, which stored uploaded documents and information, was set to public.
The Vulnerability in Perspective: A Technical Summary
The “storage server” referenced by TechCrunch is an Amazon Simple Storage Service (Amazon S3) bucket. Amazon S3 is a cloud-based service that provides object storage, built for storing and retrieving any amount of information or data from anywhere over the internet. Amazon S3 storage can be used via a user-friendly web interface or a well-documented Amazon S3 REST API.
Think of the Amazon S3 service as a suitcase that you need to pack before you travel. The suitcase in this case is the “bucket” and each of the items you put in your suitcase will be called an “object”. When using the Amazon S3 service a bucket must first be created with specific permissions before you can start using it to store data in the form of objects. In this case the bucket was set to “public” which means anyone in the world can access data/objects stored in this bucket. This major oversight would be akin to creating a suitcase that has no zippers to secure the items in your suitcase while you travel.
Figure: Web interface showing how easy it is to configure permissions on AWS S3
Figure: Web interface showing warnings when configured as public access
The second reported security vulnerability revealed that private keys and passwords for the JamCOVID app and website were exposed through a file that had been left open and accessible on the website. Again, based on TechCrunch’s report, the third security lapse dealt with quarantine orders being publicly accessible from the JamCOVID website as they were also not protected with a password.
But …. Was There a Breach?
Framing it as a “breach” is weird for me. It’s like if you left your front door open and someone walked in and stole shit, but you say “they broke in” https://t.co/HqEohxwVXV
GDPR defines a “personal data breach” in Article 4(12) as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. On the other hand a security incident may refer to a situation in which the confidentiality, integrity or availability of personal data/ sensitive data/ confidential information may potentially be compromised. While it is clear that there were security vulnerabilities which could have led to unauthorised access, transmission or processing of the data, there was no reported evidence of an actual breach. Until any such report, this would be classified as a security incident.
Based on all accounts, TechCrunch, through its very public incident report, merely brought the government and their contractor’s attention to the security vulnerabilities and possible data exposure. There is currently no indication that the data was downloaded, stored or processed by any unauthorized person. The Ministry of National Security also released a statement stating that they found no evidence that the vulnerabilities were exploited for malicious data extraction:
The government also wishes to advise that the previously announced enhanced investigation and further monitoring have thus far not revealed any evidence that the vulnerabilities identified, were exploited for malicious data extraction or leakage prior to rectification.
— Ministry of National Security – Jamaica (@mnsgovjm) February 23, 2021
The issue is that finding no evidence of a breach does not indicate that a breach did not in fact occur.
The Amazon S3 service allows developers to enable logging on all buckets created, and as such the Amber Group and its developers would be able to see from the logs whether the exposed server was accessed, if logging was enabled.
Having server access logging enabled could indicate how many times and from which IP addresses the data was accessed. Unfortunately, it is unclear whether the Amber Group had logging enabled. If it didn’t, it would be difficult, if not impossible, to conclusively indicate whether a breach did in fact occur and how many times the data may have been accessed, downloaded or otherwise processed by unauthorized persons. The fact remains – the Amazon S3 bucket used to store the JamCovid data was public and could have been accessed by nefarious individuals because it was configured irresponsibly to “public”.
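What such logs would let an investigator answer, as an added example that is not part of the original article or any Amber Group code: the sketch below parses S3 server access log records and tallies successful unauthenticated reads (object downloads and bucket listings) per source IP. The bucket name, keys, IP addresses, account ID and log records are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Leading fields of an S3 server access log record: space-delimited, with the
# timestamp in brackets and the request line in quotes. Later fields are ignored.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'(?:"(?P<request>[^"]*)"|-) (?P<status>\S+) (?P<error>\S+) (?P<bytes_sent>\S+)'
)

# Operations that disclose data: object download and bucket listing.
READ_OPS = {"REST.GET.OBJECT", "REST.GET.BUCKET"}

# CONSTRUCTED sample records (not real data). Requester "-" means the request
# carried no AWS credentials, i.e. it relied on the bucket being public.
SAMPLE_LOG = """\
ownerid-constructed example-travel-uploads [04/Jan/2021:09:15:02 +0000] 203.0.113.7 - REQ0001 REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 1532 - 40 39 "-" "curl/7.68.0" -
ownerid-constructed example-travel-uploads [04/Jan/2021:09:15:09 +0000] 203.0.113.7 - REQ0002 REST.GET.OBJECT uploads/passport-0001.jpg "GET /uploads/passport-0001.jpg HTTP/1.1" 200 - 48213 48213 21 20 "-" "curl/7.68.0" -
ownerid-constructed example-travel-uploads [04/Jan/2021:09:15:11 +0000] 203.0.113.7 - REQ0003 REST.GET.OBJECT uploads/form-0002.pdf "GET /uploads/form-0002.pdf HTTP/1.1" 206 - 1024 90411 9 8 "-" "curl/7.68.0" -
ownerid-constructed example-travel-uploads [04/Jan/2021:10:01:44 +0000] 198.51.100.10 arn:aws:iam::111122223333:user/app-uploader REQ0004 REST.PUT.OBJECT uploads/form-0003.pdf "PUT /uploads/form-0003.pdf HTTP/1.1" 200 - - 77120 35 12 "-" "aws-sdk" -
ownerid-constructed example-travel-uploads [05/Jan/2021:22:40:17 +0000] 192.0.2.44 - REQ0005 REST.GET.OBJECT uploads/passport-0001.jpg "GET /uploads/passport-0001.jpg HTTP/1.1" 200 - 48213 48213 19 18 "-" "python-requests/2.25" -
this line is truncated and cannot be parsed
ownerid-constructed example-travel-uploads [09/Jan/2021:08:00:00 +0000] 192.0.2.44 - REQ0006 REST.GET.OBJECT uploads/passport-0001.jpg "GET /uploads/passport-0001.jpg HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "python-requests/2.25" -
"""


def parse_record(line):
    """Return the leading fields of one record as a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"]) if rec["status"].isdigit() else None
    rec["bytes_sent"] = int(rec["bytes_sent"]) if rec["bytes_sent"].isdigit() else 0
    rec["anonymous"] = rec["requester"] == "-"
    return rec


def summarize_anonymous_reads(lines):
    """Per source IP: objects fetched, listings, bytes sent, first/last access.

    Only successful (200/206) unauthenticated reads are counted. Records that
    cannot be parsed are counted separately so gaps in the evidence are visible.
    """
    per_ip = defaultdict(lambda: {"objects": set(), "listings": 0, "bytes": 0,
                                  "first": None, "last": None})
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            unparsed += 1
            continue
        disclosed = (rec["anonymous"] and rec["operation"] in READ_OPS
                     and rec["status"] in (200, 206))
        if not disclosed:
            continue
        entry = per_ip[rec["ip"]]
        if rec["operation"] == "REST.GET.BUCKET":
            entry["listings"] += 1
        else:
            entry["objects"].add(rec["key"])
        entry["bytes"] += rec["bytes_sent"]
        if entry["first"] is None or rec["time"] < entry["first"]:
            entry["first"] = rec["time"]
        if entry["last"] is None or rec["time"] > entry["last"]:
            entry["last"] = rec["time"]
    return dict(per_ip), unparsed


if __name__ == "__main__":
    summary, unparsed = summarize_anonymous_reads(SAMPLE_LOG.splitlines())
    for ip, s in sorted(summary.items()):
        print(f"{ip}: {len(s['objects'])} object(s), {s['listings']} listing(s), "
              f"{s['bytes']} bytes, {s['first']} to {s['last']}")
    print(f"unparsed records: {unparsed}")
```

An empty result from this kind of tally only means something if logging was enabled for the whole exposure window; without the logs there is nothing to tally.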
What about the Travellers/Data Subjects?
Notwithstanding the absence of evidence of a breach, it is clear that the data subjects’ right to transparency should effectively grant data subjects the right to be notified of any major operational failure that puts their personal information at risk of exploitation. Implicit in this right to transparency is the right of data subjects to mitigate any loss or damage which may result from the failure of the Amber Group and by extension the GoJ to properly and securely handle their data.
While no data breach has been reported or confirmed, it is clear that personal data was being processed and at the very least, the government should have adhered to their own data protection standards set out in the Data Privacy Act of 2020 (inspired by industry standards set out in the GDPR).
Global Implications?
Furthermore, the multiple security vulnerabilities reported by TechCrunch in the span of 8 days may have major implications for Jamaica, our businesses and technology locally and internationally.
The inelegant technical management of the JamCovid App by the Amber Group and the way in which this security incident is handled may have long-term effects on the development of our digital economy. Under the GDPR, international data transfers are regulated such that, where a company in Jamaica seeks to do business with a company within the European Economic Area, any transfer of personal data from the EU to Jamaica will be subject to one of three conditions, the broadest being that Jamaica has met “an adequate level of protection for personal data as determined by the European Commission”. Needless to say, presently Jamaica does not meet that criterion and has not (to the best of my knowledge) been earmarked as one of the countries that ensures an adequate level of protection for personal data. Arguably, two weeks ago we were closer to reaching that mark. With last year’s passing of the Data Protection Act, we were closer to demonstrating adequacy through the implementation of data protection legislation and regulation that meet the GDPR’s standards. In the wake of this ongoing security issue with the JamCovid App, this can be seen as precedent. In a very public way, the Amber Group has now demonstrated that despite a lack of proper cyber security safeguards and a failure to implement proper data protection guidelines and best practices, the rights of data subjects are not being prioritised or recognised.
To meet the GDPR's requirement for adequacy, local businesses and companies will therefore have to continue to build & maintain their own strict self-regulated safeguards that afford data subjects with legal remedies; or fit within very specific situations to fit the criteria for conducting trans-border data transfers with the EU.
The Amber Group
If the content of the TechCrunch articles is to be accepted as true, it is clear that the Amber Group has failed to perform and respond adequately on several fronts:
No evidence of the conducting of a thorough Data Privacy Impact Assessment prior to the deployment of the App or thereafter.
No evidence of the conducting of a thorough IT Security Assessment prior to the deployment of the App or thereafter.
No clarity on the number of affected data subjects and lack of evidence on the proper notification of data subjects.
An outdated privacy policy which showcases the date of drafting as “2018”, two years prior to the development and deployment of the application and website (In case of removal see screenshot in gallery above).
No evidence that a Data Breach Incident Plan was in place.
A reactionary approach to securing information and protecting personal data; as opposed to the proactive approach of engineering a program that incorporates privacy by design.
Conclusion
No system is 100% secure. Investing in all the cyber-security and data privacy resources on earth cannot prevent any application or website from having vulnerabilities. What is important is ensuring that data controllers and data processors work proactively to embed security and privacy into every step of the design, engineering, development, deployment and operation of IT systems, networked infrastructures, and business practices.
Errors and oversights can happen; however, data controllers (and processors) must work actively to create a framework that fundamentally respects the rights of data subjects and effectively manages data privacy and security at all levels. This requires creating a framework that meets legal compliance requirements while meeting the expectations of business clients/customers and simultaneously reducing the risk of security incidents and data breaches.
At all levels, staff and contractors need to be adequately informed of the organisation's security practices and privacy policies, with constant monitoring of activities to control, manage and report any risks and vulnerabilities associated with security and privacy management. Incident reports, such as those provided by TechCrunch, are not attacks, but an opportunity to mitigate risk and build a more robust infrastructure and system. Having a clear plan to respond to unfortunate public events and incidents is core and critical to effective data privacy management.
Below is a brief paper presented on 17th November 2018 at the Jamaica Bar Association’s JambarCLE’s Annual Conference in Montego Bay, Jamaica.
Abstract
The advent of blockchain technology has introduced a new paradigm, which is poised to transform computing, technology and almost all daily activities in a manner comparable only to the introduction of the worldwide web. The basic architecture of blockchain presents endless opportunities for the building, development and growth of several applications, ranging from its most renowned use – Bitcoin and other cryptocurrencies – to the advancement of the internet of things, decentralized autonomous organizations, and smart contracts. Though initially slow and gradual, its adoption and prevalence have exploded in the last three years, bringing with it a familiarity of concept to most but a lack of infrastructural understanding for many.
This paper explores blockchain technology and the opportunities it presents for governments, start-ups, creative industries and other market participants in the Caribbean. Although blockchain is usually met with enmity by economists, governments, legal and regulatory groups, this paper approaches blockchain technology from a positive and cautiously optimistic perspective whilst exploring some legal and regulatory challenges, including security and privacy issues, which are likely to emerge with the adoption of blockchain technologies.
Introduction
Our traditional belief that something is safe and reliable is an institutionally based one. We’ve come to rely on trusted third parties and established systems to facilitate and execute from basic everyday activities to more complex mechanisms, and commercial transactions. Our collective trust comes from a history of perceived security and stability that is inherited and passed down from generation to generation.
However, a trend of disrupting trusted systems with innovative technologies and business models has begun to shift how trust is perceived, shifting from institutionally-based trust to a more distributed and participative trust. In developed economies, industries like the hotel and transportation industry have moved from placing trust and reliance on transport authorities and multinational hoteliers, to utilizing cars and homes of regular civilians through the business model innovation introduced by Uber and AirBnb.
In the wake of the 2008 financial crisis, a person (or group) named Satoshi Nakamoto[1], with the aim of similarly disrupting the financial industry, proposed an electronic payment system based on cryptographic proof. Instead of institutional and third-party trust and reliance on financial institutions, it allowed any two willing parties to transact directly with each other without the need for any trusted third party. Satoshi Nakamoto introduced Bitcoin, a peer-to-peer electronic cash system, where transactions are made via a decentralized virtual currency and recorded in a publicly distributed ledger called Blockchain.
What is Blockchain Technology and How Does It Work?
As mentioned above, Blockchain refers to a publicly distributed ledger technology. A distributed ledger technology refers to any technology that allows recording and sharing data across multiple digital ledgers in a way that allows for transactions and data to be recorded, shared, and synchronized across a distributed network of different network participants. [2] Each ledger within the network contains identical records which are collectively maintained by the network participants (also called nodes).
Figure 1: Distributed Ledger Technology
Blockchain utilizes cryptography through highly complex algorithms to record, share and synchronize the data across the network, gaining consensus[3] and validity of the data from each network participant, before entry onto the ledger. The data is stored in digital blocks connected to each other through a continuous chain, so that all blocks are tied together and the data output of each block forms part of the input into the next block in the chain, influencing the algorithmic output entered onto the ledger. This makes it immutable, as any change by any network participant to a block on his ledger would change the subsequent series of blocks and would not be accepted or validated by the other participants in the network.
Additionally, in the Blockchain, information flows in only one direction, in what is called a one-way function, such that if you have the input data, all blocks will reveal the same output. However, it is virtually impossible to know what information was input based on the output.[4]
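The chaining and rejection behaviour described above, as an added example that is not from the paper or from any real blockchain implementation: each block's hash covers the previous block's hash, so an edit is either detected inside the altered copy or, if every later hash is recomputed, produces a chain tip the other participants do not hold. SHA-256 as the one-way function, the majority-tip comparison standing in for the consensus mechanism, and the ledger entries are all assumptions made for illustration.

```python
import copy
import hashlib
import json
from collections import Counter

GENESIS_PREV = "0" * 64  # placeholder "previous hash" for the first block

# CONSTRUCTED ledger entries for illustration.
ENTRIES = ["A pays B 5", "B pays C 2", "C pays A 1", "A pays D 3"]


def block_hash(index, data, prev_hash):
    """One-way function over the block contents and the previous block's hash."""
    payload = json.dumps({"index": index, "data": data, "prev": prev_hash},
                         sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def build_ledger(entries):
    """Chain the entries: each block's output feeds the next block's input."""
    ledger, prev = [], GENESIS_PREV
    for index, data in enumerate(entries):
        digest = block_hash(index, data, prev)
        ledger.append({"index": index, "data": data, "prev": prev, "hash": digest})
        prev = digest
    return ledger


def first_invalid_block(ledger):
    """Index of the first block whose hash or back-link fails, else None."""
    prev = GENESIS_PREV
    for block in ledger:
        expected = block_hash(block["index"], block["data"], block["prev"])
        if block["prev"] != prev or block["hash"] != expected:
            return block["index"]
        prev = block["hash"]
    return None


def tamper_in_place(ledger, index, new_data):
    """A participant edits one block's data but leaves the stored hashes alone."""
    altered = copy.deepcopy(ledger)
    altered[index]["data"] = new_data
    return altered


def rewrite_from(ledger, index, new_data):
    """A participant edits one block and recomputes every later hash, so the
    altered copy is internally consistent."""
    entries = [block["data"] for block in ledger]
    entries[index] = new_data
    return build_ledger(entries)


def network_accepts(candidate, peer_ledgers):
    """Simplified stand-in for consensus: accept the candidate only if its tip
    hash equals the tip held by a majority of the other participants."""
    tips = Counter(ledger[-1]["hash"] for ledger in peer_ledgers)
    majority_tip, votes = tips.most_common(1)[0]
    return votes > len(peer_ledgers) / 2 and candidate[-1]["hash"] == majority_tip


if __name__ == "__main__":
    honest = build_ledger(ENTRIES)
    peers = [build_ledger(ENTRIES) for _ in range(3)]
    edited = tamper_in_place(honest, 1, "B pays C 200")
    rewritten = rewrite_from(honest, 1, "B pays C 200")
    print("honest copy valid:", first_invalid_block(honest) is None)
    print("in-place edit detected at block:", first_invalid_block(edited))
    print("rewritten copy internally valid:", first_invalid_block(rewritten) is None)
    print("rewritten copy accepted by peers:", network_accepts(rewritten, peers))
```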
It’s important to note that a blockchain may be open/permissionless or permissioned.[5] An open/permissionless blockchain is one where the participants can join or leave the network at will; there is no central owner and identical copies of the ledger are distributed to all network participants.[6] A permissioned blockchain is one in which the participants have been pre-selected by an owner or administrator of the ledger who controls network access and sets the rules of the ledger.[7]
Blockchain and bitcoin terminology can be notoriously confusing[8] and is still in a state of evolution, but for the purpose of this paper, the following terms shall have the following meanings:
Bitcoin refers to the first and largest cryptocurrency.
Bitcoin blockchain specifically refers to the blockchain underlying the bitcoin protocol.
Bitcoin Protocol is used to mean the protocol that runs over the underlying blockchain technology to describe how assets are transferred on the blockchain.
Blockchain does not refer exclusively to the blockchain underlying the bitcoin protocol but to the distributed ledger technology that uses cryptography and mathematical algorithms to create and verify a continuously growing data structure – to which data can only be added and from which existing data cannot be removed – that takes the form of a chain of transaction blocks. Unless otherwise indicated, the word “blockchain” implies an open/permissionless blockchain.
Blockchain, Entrepreneurship, Business & Finance
The introduction of bitcoin and blockchain, though introduced as a digital cash/ cryptocurrency and payment system, offers several opportunities to a range of industries beyond the financial sector. In 2010 Satoshi posted:
“…I wanted to design it to support every possible transaction type I could think of. The problem was, each thing required special support code and data fields whether it was used or not, and only covered one special case at a time. It would have been an explosion of special cases. The solution was script, which generalizes the problem so transacting parties can describe their transaction as a predicate that the node network evaluates. The nodes only need to understand the transaction to the extent of evaluating whether the sender's conditions are met.”[9]
This contemplates the use of Blockchain technology to register, confirm, transfer and record all types and categories of transactions and data. Similar to the way businesses such as Google, Amazon and Facebook were enterprises built on an underlying technology of the internet, Blockchain presents a new opportunity on which innovative businesses can build and develop with increased functionalities and sophistication over time, whether by using the Bitcoin blockchain or other separate blockchains.[10]
Financial Industry
A distinctive feature of blockchain technology is its ability to uphold transactional agreement without the approval of an intermediary. It provides trust, openness, independence, speed, strength, universality and effectiveness; all desirable tenets of a robust and efficient financial system. From re-imagining traditional banking, to reinventing money markets and payment systems, a few financially-based companies have already begun to emerge in the Caribbean’s Blockchain ecosystem, moving beyond recognizing the blockchain opportunity to seizing it, while paving the way for businesses to come.
Mobile Money & Remittance
With little to no intermediary fees, financial transactions on Blockchain technologies are cheaper, and quicker. This facilitates lower transaction costs, financial privacy and increased efficiency while protecting consumers against regulatory measures and capital controls.
Bitt, a Barbadian blockchain startup, is the self-proclaimed ‘fastest growing [Caribbean] platform for moving and holding any form of money or commodity, instantly and securely’.[11] Bitt is a financial technology company that uses blockchain technology to develop software and mobile applications that facilitate the easier transfer of monies between individuals, companies, banks and other financial institutions instantly and securely. At the very least, this most recognized Caribbean blockchain company has already made headway in signing agreements and MOUs with financial institutions in the Caribbean, including an MOU with the Eastern Caribbean Central Bank to launch a pilot that will enable eight Caribbean countries to test the use of cryptocurrencies alongside their national currencies, and a partnership with the Central Bank of Curacao and Sint Maarten to explore the possibility of introducing a digital currency for Curacao and Sint Maarten.[12]
With the lightweight efficiency and cost effectiveness of financial transactions via blockchain, the technology provides an attractive alternative for quick, seamless, low-cost remittances. Remittances have long formed a constant part of the Caribbean’s traditional and financial economies and have even remained stable or increased in several territories despite the 2008 global economic downturn. They continue to be a significant source of income for families and a sustainable source of foreign currency for our economies. As a share of total economic output (measured in gross domestic product, or GDP), remittances were equivalent to eight per cent (8%) of the Caribbean’s GDP.[13]
The London-based bitcoin wallet company with Jamaican development offices, Caricoin Limited, reportedly seeking to introduce the first bitcoin exchange, aims to i) bank the unbanked, ii) accelerate and encourage financial inclusion and iii) reduce the cost of remittance.
ICOs & Financial Markets
With quicker and easier transactions, Blockchain technology has also brought new opportunities for businesses and small companies to raise and access capital. A mechanism called an initial coin offering (ICO) allows individuals or companies to raise capital on new projects for which crypto tokens are issued in exchange for cryptocurrencies such as bitcoin and Ethereum. This is in essence similar to initial public offerings, which allow investors to buy and trade stocks in companies. The major distinction is that generally crypto tokens do not necessarily give the holder a share in ownership or rights to dividends. While the blockchain community is split on whether ICOs are unregulated securities or a new and innovative means of venture-funding, the practice of conducting an ICO to fundraise is increasingly becoming a go-to mechanism for start-ups and innovators.
Over US$ 90 million was raised by companies in ICOs in 2016 and this figure propelled to over US$ 3.5 billion in 2017.[14] As at the writing and publication of this paper, over US$ 20 billion has been raised thus far in 2018. Innovators that utilise blockchain technology can access a new pool of funding to boost their businesses and stimulate growth in an economy ripe for innovation, investment and further development. Billions of dollars have already been raised with the issuance of crypto tokens and additionally billions continue to be traded by crypto-investors on cryptocurrency exchanges daily.
The Jamaica Stock Exchange has recognized the value and trading possibilities in cryptocurrencies and blockchain. A recent article in the Jamaica Gleaner noted that despite the Bank of Jamaica’s caution on virtual currencies, the Jamaica Stock Exchange (JSE) has entered into a memorandum of understanding with Toronto-based fintech company Blockstation to explore offering cryptocurrency trading on the Jamaica Stock Exchange.[15]
Blockchain in the Legal Industry
Smart Contracts
Blockchain technology also allows the development or written programming, through scripted language existing on top of a blockchain, of automatically executed applications that run or perform as programmed without interference, downtime, fraud or censorship.[16] These applications are called smart contracts. These smart contracts are self-executed by nodes within the blockchain network, based on instructions set in the application. Data is input and recorded on the blockchain, which in turn triggers the execution of the terms of the smart contract.
The emergence of smart contracts on the blockchain came with the introduction of the Ethereum platform, a network optimized for the operation of smart contracts. In fact, developers came together to write and program smart contracts that execute a new mechanism called a decentralized autonomous organization (“DAO”) capable of self-executing transactions that have been codified into its technological infrastructure. A DAO is a self-run organization built on smart contracts which removes reliance on documentation, human input and third-party influence, facilitating decentralized control in this autonomous entity. Typically, these DAOs are crowd funded with the issuing of tokens through ICOs.
These autonomous organizations have already undergone major scrutiny with the rise and fall of “The DAO”, a decentralized autonomous organization that was created by Slock.it, a German startup company. The DAO broke records in its growth and funding, before being hacked because of a flaw in The DAO’s software. Consequently, the Ethereum blockchain community decided to roll back the transactions by the hackers, resulting in what the community refers to as a hard fork, a process that results in the Ethereum blockchain being split into two separate blockchains with two separate cryptocurrencies, one that maintains all transactions, including those done by the hackers, and another that removed the offending transactions.
Property Rights
With an open, easily audited and immutable ledger, the blockchain’s trust protocol and the innovation of smart contracts, the real estate industry is a prime candidate for the adoption of blockchain technology.
Envision that whether through an agent or on his own, a prospective buyer logs on to an open shared real estate listing, a blockchain powered MLS database. He conducts his own physical due diligence in visiting and inspecting the property and surveying the land, but the property’s open ledger shows the history of transactions with this property, its restrictive covenants, if any and any other encumbrances on the property. He contacts the seller and both parties are able to conduct a background check using the parties’ digital identities and transaction history. Both sides negotiate and agree on key terms which are recorded via a smart contract on the blockchain.
The UAE, Georgia, Honduras and the UK are among the countries exploring Blockchain technology for property transactions, while Sweden has already undergone trials. “It’s possible to shorten the process a lot but one of the most successful aspects of the trial was security and the verification of contracts,” says Mats Snall, chief digital officer at the Swedish Land Registry.[17]
Similarly, blockchain technology can be leveraged to create and execute wills and trusts. The content of the will or trust is entered onto the blockchain via a smart contract referencing assets and beneficiaries via their digital identities. Amendments can only be added to the smart contract by the creator/writer, because of the immutability of the blockchain. On death or another programmed triggering event, the transfer of assets is automatically executed.
Other
In a document-rich trade such as the legal industry, where a lot of emphasis is placed on open and accessible databases, trust and general adherence to clearly defined terms, smart contracts and blockchain technology can be utilized in several areas of the field. From registering and recording intellectual property, to collateral registries, to automating insurance payments and payouts, blockchain technology has the potential to disrupt the legal industry in a way that enhances efficiencies and eliminates or reduces challenges.
Blockchain in Government
While blockchain technology has begun to disrupt the financial industry and impact the private sector, adoption by government could potentially increase efficiency and transparency; reduce fraud, corruption, operational costs and bureaucracy; and promote technological innovation and economic development. The openness, accessibility and integrity of the technology provide for a range of flexible applications for government.
The UK Government Chief Scientific Adviser noted that:
“Distributed ledger technologies have the potential to help governments to collect taxes, deliver benefits, issue passports, record land registries, assure the supply chain of goods and generally ensure the integrity of government records and services…the technology offers the potential to improve healthcare by improving and authenticating the delivery of services and by sharing records securely according to exact rules. For the consumer of all of these services, the technology offers the potential, according to the circumstances, for individual consumers to control access to personal records and to know who has accessed them.”[18]
The adoption of Blockchain technology by a government would facilitate integration into agencies, local authorities and registries, as well as the implementation of digitized national identification systems and a secured healthcare system that allows secure sharing of information and health recording for patients and healthcare providers.
Major Legal & Regulatory Implications
Jurisdiction
As a decentralized network with distributed nodes throughout the world, blockchains seem to transcend laws and governance. Inherent issues of jurisdiction, governing law and liability arise in certain transactional and contractual relationships on permissionless blockchains, as no point of finality necessarily exists in a transaction, and several parties are involved in the transaction. On one end of the spectrum, transactions may be governed by the jurisdictions of the parties to the transaction, where that information is made publicly available. On the other end, applications, transactions and relationships on the blockchain may be subject to the governing laws of each territory in which a node exists. This could potentially impose an overwhelmingly unreasonable amount of compliance requirements on a blockchain application or organization, which would have to conform with each legal and regulatory system under which the blockchain falls. Permissioned blockchains carry fewer jurisdictional issues, as there is one owner with administrative control of the blockchain who will be subject to a jurisdiction.
A form of governance of open blockchains may require the intervention of an international organization, equipped with a sound understanding of the technology and an open, growth-inclined perspective on the development of blockchain technology.
Data Privacy & Security Implications
Although blockchain’s encryption and distributed ledger system make it nearly impossible to break, the very small and unlikely possibility still exists. Additionally, hackers can utilize other bypass mechanisms, such as exploiting weaknesses in the code of software applications built on the blockchain and manipulating individuals into disclosing their private keys in order to gain access.
While the integrity of Bitcoin’s blockchain has remained resilient against attacks[19], hacks on smart contracts, DAOs and other blockchain applications, such as the attack on The DAO on Ethereum, demonstrate that unrecognized weaknesses or vulnerabilities in overlaid software may have costly and substantial consequences. Like any software, these applications must be subject to constant maintenance, monitoring, development and updates. The possibility of systematic attacks on individual nodes or standard Distributed Denial of Service (DDoS) attacks on participants in the network may also pose a cybersecurity risk. Finally, as with the general security of any digital information, security risks exist at access points where a digital identifier or private key is required by a user to conduct a transaction or access information. Storage and disclosure of these keys by holders of this information therefore also inherently pose a security risk.
With an openly accessible distributed ledger where transactions are visible and users are identified through a public key, users are not entirely anonymous but pseudonymous. Transactions can be monitored and traced on the ledger by the use of individuals’ public keys.[20] As such, where a public key becomes associated with a particular person, information on the blockchain ledger may be categorized as personal data or personally identifiable information. This in turn raises several issues on establishing who is considered the data controller, whether there are data processors, and determining issues of jurisdiction and governing laws over the data.
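To make the pseudonymity point concrete, the following Python example (added here, not part of the original article) takes a small ledger and shows which entries start to relate to an identified person once a public key is attributed. The ledger, key names, persons and the idea that attribution comes from an off-chain record are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    txid: str
    sender: str      # public key acting as a pseudonym
    receiver: str    # public key acting as a pseudonym
    amount: int      # smallest currency unit

# Constructed sample ledger; keys, ids and amounts are illustrative only.
LEDGER = [
    Tx("t1", "pk_A", "pk_B", 5),
    Tx("t2", "pk_B", "pk_C", 2),
    Tx("t3", "pk_A", "pk_C", 2),
    Tx("t4", "pk_D", "pk_A", 7),
    Tx("t5", "pk_C", "pk_D", 1),
]

def personal_data_records(ledger, attributions):
    """Return {person: [txid, ...]} for entries that relate to an identified person.

    attributions maps a public key to a person once the two are linked
    (assumed here to come from an off-chain record such as a KYC file).
    """
    exposed = defaultdict(list)
    for tx in ledger:
        persons = {attributions[k] for k in (tx.sender, tx.receiver) if k in attributions}
        for person in persons:
            exposed[person].append(tx.txid)
    return dict(exposed)

def personal_data_share(ledger, attributions):
    """Fraction of ledger entries that relate to at least one identified person."""
    hit = {t for ids in personal_data_records(ledger, attributions).values() for t in ids}
    return len(hit) / len(ledger)

def exposure_summary(ledger, attributions):
    """Per person: totals sent/received and the counterparties the ledger reveals."""
    out = {}
    for key, person in attributions.items():
        s = out.setdefault(person, {"sent": 0, "received": 0, "counterparties": set()})
        for tx in ledger:
            if tx.sender == key:
                s["sent"] += tx.amount
                s["counterparties"].add(attributions.get(tx.receiver, tx.receiver))
            elif tx.receiver == key:
                s["received"] += tx.amount
                s["counterparties"].add(attributions.get(tx.sender, tx.sender))
    return out
```

With no attribution no entry relates to a person; attributing only two of the four keys in this sample is enough for every entry on the ledger to relate to an identified individual, and none of those entries can later be erased.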
Other
One of the biggest issues currently plaguing the application of blockchain technology is the financial regulation of cryptocurrency. Adoption by governments and financial institutions will require anti-money laundering measures and Know-Your-Customer (KYC) protocols. Because encrypted public keys serve as identifiers, current cryptocurrencies are difficult to harmonize with established financial regulations. Financial applications built on these blockchains will have to establish standardized methods of ID verification and consumer vetting to comply with local and international standards of financial due diligence.
Conclusion
A paradigm shift in the way we live and transact digitally. A shift of power balance from centralized bodies to decentralized applications. The opportunities for both the private and public sector to recreate existing industries and introduce innovative new business models never before envisioned as possible bring open and auspicious possibilities of a new world. In order to maximize these opportunities, stakeholders must first develop a clear vision of how blockchain technology can improve the way we live. Subsequently, consideration must be given to the unique legal and regulatory challenges and other security and privacy issues which may arise with the adoption of this new and disruptive technology. The blockchain opportunity presents a future where conducting business, the delivery of services, the provision of government goods and the general regulation of a populace is more efficient, personal, prompt, safe and secure – all we need to do is seize it.
[3] Id. pp 6. This is done through a process called “proof of work” to establish consensus among the participants in the decentralized network. It is a computational challenge that requires intensive computing power and processing time.
[4] The odds of guessing the output are 1 in 2^256. See the following video for a more in-depth explanation: https://www.binance.vision/blockchain/how-does-blockchain-work.html
[8] Walch, A. The Path of the Blockchain Lexicon (and the Law) (March 24, 2017). 36 Review of Banking & Financial Law 713 (2017) (Available at SSRN: https://ssrn.com/abstract=2940335)
[12] Bishop C. (2018, August 27th) Blockchain Firm Bitt & America’s Oldest Central Bank Explore Digital Currency. Legal Gambling and the Law. Retrieved from: https://www.legalgamblingandthelaw.com/news/blockchain-firm-bitt-americas-oldest-central-bank-explore-digital-currency/
[13] Business Report (2018, January 26th) Record Remittances For Caribbean In 2016. The Jamaica Observer. Retrieved from: http://www.jamaicaobserver.com/business-report/record-remittances-for-caribbean-in-2016_123523?profile=1056
[15] Business Article (2018, August 19th), Jamaica Stock Exchange Exploring Cryptocurrency Trading. The Jamaica Gleaner. Retrieved from: http://jamaica-gleaner.com/article/business/20180819/jamaica-stock-exchange-exploring-cryptocurrency-trading
[16] The Ethereum Platform. Retrieved from: https://www.ethereum.org.
[17] Bill T (2018) Chain Reaction, The Wealth Report 2018 pp. 32 (https://www.knightfrank.com/wealthreport/2018/global-wealth/blockchain-and-real-estate)
[18] U.K. Government Office for Science. “Distributed ledger technology: beyond blockchain”. A report by the UK Government Chief Scientific Adviser. 19 January 2016. Retrieved from: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/492972/gs-16-1-distributed-ledger-technology.pdf
[19] In a permission-less blockchain that requires a proof of work consensus, like the bitcoin blockchain, an attack would require one node or participant on the network to take over 51% of the computing power of the entire network, i.e. all the participating servers, and effectively control the consensus.
[20] Prosecutors were able to trace the bitcoin transactions of Ross Ulbricht from his laptop (See: https://www.wired.com/2015/01/prosecutors-trace-13-4-million-bitcoins-silk-road-ulbrichts-laptop/)