What do AI, blockchain and GDPR mean for cybersecurity?
Beyond the challenges faced when building AI tools for defense, Vanatta adds that AI could create new vulnerabilities, effectively weaponizing data.
“If every decision they are making is based on these data streams, then to attack an artificial intelligence system I no longer need to be an insider threat,” Vanatta says. “All I have to do is poison the data and play that long game.”
For example, she says that if someone sent a box from the same place on the same day, every month to the same government address, it would get flagged, tagged and opened—at first. However, if the package had a deck of cards in it, it would be marked as safe. If this pattern continued for a few years, the algorithms that originally flagged the potential threat would “learn” that packages following that pattern are not dangerous and don’t need to be flagged in the future.
Put on the black market, this knowledge could be bought by someone out to harm that government agency. “Then, death and destruction rains down instead,” she says.
Similar approaches could affect any data-heavy algorithm, such as those used in finance to flag money laundering, making it easier to disguise the transfer of illegal funds.
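The poisoning scenario above, as an added simulation that is not from the article or any real screening system: a screener that lowers a pattern's risk after every cleared inspection learns to stop opening the parcels, while the same learner with a risk floor and a mandatory periodic re-inspection (both guard rails are my assumptions) still opens the final harmful one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    sender: str      # where the parcel was posted
    dest: str        # government mailroom it is addressed to
    day: int         # day of month it was posted
    harmful: bool    # ground truth, visible only if the parcel is opened


def pattern_key(pkg):
    """The feature the screener learns on: same sender, destination and day."""
    return (pkg.sender, pkg.dest, pkg.day)


class AdaptiveScreener:
    """Feedback-trained screener. Each inspection that finds nothing lowers
    the pattern's risk score; floor/audit_every are the added guard rails."""

    def __init__(self, threshold=0.5, decay=0.9, floor=0.0, audit_every=0):
        self.threshold, self.decay, self.floor = threshold, decay, floor
        self.audit_every = audit_every  # 0 disables mandatory re-inspection
        self.risk, self.seen = {}, {}   # per-pattern risk score / event count

    def process(self, pkg) -> bool:
        key = pattern_key(pkg)
        n = self.seen[key] = self.seen.get(key, 0) + 1
        r = self.risk.get(key, 1.0)          # unknown pattern starts at max risk
        audit = self.audit_every and n % self.audit_every == 0
        flagged = r >= self.threshold or bool(audit)
        if flagged:  # only an opened parcel yields feedback
            self.risk[key] = 1.0 if pkg.harmful else max(self.floor, r * self.decay)
        return flagged


def simulate(screener, months=36):
    """Constructed scenario from the article: 35 monthly parcels of playing cards,
    then one harmful parcel with the identical pattern. Returns
    (parcels flagged in total, whether the harmful parcel was opened)."""
    flagged_total, last_opened = 0, False
    for m in range(1, months + 1):
        pkg = Package("Sender A", "Agency mailroom", 1, harmful=(m == months))
        last_opened = screener.process(pkg)
        flagged_total += last_opened
    return flagged_total, last_opened


def compare():
    # Naive learner versus the same learner with a risk floor and audits.
    return simulate(AdaptiveScreener()), simulate(AdaptiveScreener(floor=0.2, audit_every=6))
```

The naive screener stops opening the pattern after seven clean inspections and never sees the harmful parcel; the guarded one keeps re-inspecting on a schedule, so the poisoning buys the sender nothing.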
As cybersecurity experts continue to grapple with the double-edged sword of AI, blockchain is trying to establish itself as the future of data protection. However, there is debate over whether new data privacy laws in Europe and the U.S. will impact its development.
Nikolas Guggenberger, a resident fellow at the Information Society Project at Yale Law School, says blockchain fulfills the potential of privacy by design. The concept requires companies to take privacy into consideration during every stage of a project that processes personal data. Not just for technologists, this idea was codified in the European Union’s General Data Protection Regulation, which came into force in May.
“It’s important to stress that blockchain has great promise for data privacy and data protection,” he says. “It’s baked into the infrastructure.”
Cybersecurity and the law
A joint production of the ABA Journal and the ABA Cybersecurity Legal Task Force
Blockchain and GDPR
At its core, blockchain is most suited for data protection because it creates a decentralized, immutable network. This means that there is no central repository of data to entice a hacker, and once data is “on chain”—data codified on a blockchain—it can’t be altered.
Blockchain has “no single point of failure,” says Philippa Ryan, lecturer at the University of Technology Sydney and 2018 ABA Journal Legal Rebel. This means that the most common types of data loss, either through human error or malicious attack, occur less often.
Like data collection confounding AI’s role in cybersecurity, however, blockchain has its technical hurdles. It is still clunky and slow, which emphasizes the perennial trade-off between security and efficiency. Ryan says that when quantum computing—a type of computing with the potential to outperform today’s supercomputers—becomes viable, speeds won’t be a problem. (Theoretically, the math behind quantum computing is ready; the hardware, on the other hand, is not.) Regardless of computing speed, regulators may slow down blockchain’s adoption and use.
Europe’s GDPR is a regulatory behemoth that includes rights to erasure and portability of personal data. Some see direct conflict between these rights and the fixed nature of data on a blockchain.
In 2012, when the GDPR was first drafted, parliamentarians were considering “old-school data management,” which assumed databases were centralized, says Guggenberger, who was a policy analyst at the European Parliament from 2014 to 2016. “At that time, no one at the European level was talking about blockchain,” he says.
As for a legislative fix to the GDPR, he believes it’s unlikely. “That’s like opening Pandora’s box,” he warns.
On the design side, however, there are two potential solutions, according to Laura Jehl, partner at BakerHostetler in Washington, D.C.
“You have to be proactively thinking about the architecture of your system, what information they collect and store ‘on chain,’ how they store information ‘off chain,’ ” and whether data stored “on chain” is sufficiently anonymized, she says.
Ensuring that protected, personal identifying information as defined by the GDPR is kept off a blockchain network could circumvent erasure and portability requirements, for example. Further, if a company decides to host personal data “on chain,” then they would need a robust anonymization process to obscure a user’s identity.
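One way to build the on-chain/off-chain split Jehl describes, as an added example that is not the article's or any project's code: only a salted SHA-256 commitment goes on chain, the personal data and its salt stay in an erasable off-chain store, and `salt_bytes=0` shows why a bare hash of personal data is not sufficiently anonymized. The commitment scheme and class names are my assumptions.

```python
import hashlib
import secrets


def commitment(data: bytes, salt: bytes) -> str:
    """What goes on chain: a salted SHA-256 digest, never the data itself."""
    return hashlib.sha256(salt + data).hexdigest()


class OnOffChainRegistry:
    """Append-only ledger of commitments plus an erasable off-chain store."""

    def __init__(self, salt_bytes=32):
        self.ledger = []              # on chain: never altered or deleted
        self.off_chain = {}           # record_id -> (salt, personal data)
        self.salt_bytes = salt_bytes  # 0 reproduces the weak unsalted design

    def register(self, personal_data: bytes) -> int:
        salt = secrets.token_bytes(self.salt_bytes)
        self.ledger.append(commitment(personal_data, salt))
        record_id = len(self.ledger) - 1
        self.off_chain[record_id] = (salt, personal_data)
        return record_id

    def verify(self, record_id: int) -> bool:
        """Prove that a held off-chain record is the one anchored on chain."""
        entry = self.off_chain.get(record_id)
        return entry is not None and commitment(entry[1], entry[0]) == self.ledger[record_id]

    def erase(self, record_id: int) -> None:
        """Erasure request: drop the personal data and its salt off chain.
        The ledger entry stays, but nothing recoverable remains behind it."""
        self.off_chain.pop(record_id, None)

    def links_to(self, record_id: int, candidate: bytes) -> bool:
        """Observer with only the ledger and a guessed value: can they confirm
        the entry refers to that person? The salt is not on chain, so they
        can only try an empty salt; this succeeds only for the unsalted design."""
        return commitment(candidate, b"") == self.ledger[record_id]
```

Whether a commitment like this counts as anonymized rather than merely pseudonymized is the open question the article leaves to regulators.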
While less extensive than the GDPR, Jehl adds that California’s new data privacy law has a right to deletion. She says, for similar reasons, this creates “open questions” for anyone doing business in California.
Back in Europe, however, local authorities tasked with enforcing the GDPR have a different view.
“At first glance, it seems that there is a conflict with the GDPR [and blockchain applications], especially with the rights of the data subject,” says Kristin Benedikt, head of department for online companies, tele-media, apps and mercantile directories at the Bayern Office for Data Protection Oversight, which enforces the GDPR. “However, this is not correct.”
She notes that both the rights to erasure and portability apply in narrow circumstances, so some of the concern is overblown. However, there is still need for further guidance.
“With regard to the future, we believe that it is important to have a European opinion and not only a Bavarian [opinion],” she says.
This article was published in the December 2018 ABA Journal magazine with the title "What Lies Ahead."