Chao Wu

DOI: https://doi.org/10.1016/j.techsoc.2024.102457

IF: 6.879

2024-01-01

Technology in Society

Abstract:In recent years, data privacy has attracted increasing public concerns, especially with public scandals from top Internet companies, emerging over inappropriate data collection, lack of transparency in data usage, and manipulation of users' preferences. This has led to responsive efforts from multiple sectors of society to constrain the violation of individuals’ data privacy. Among these efforts, the regulations like GDPR are the most influential, which are believed to be able to change the foundation of the whole data ecosystem. The main concern of current regulation is data transparency, designed to enable individuals to make rational decisions about their data. However, I argue that transparency cannot mitigate a key issue of data privacy, which is the right of receiving benefits from data. This issue is getting severe with the rapid development of the data economy and will become the essential problem of social welfare and fairness in the AI era. I further point out that the key to solving this issue is to migrate the current centralized data utilization paradigm to a new decentralized paradigm. Based on the recent technical advancements, I propose an applicable pathway to implement such a paradigm. And to realize a fair and sustainable data eco-system, joint efforts should be made within this paradigm.

AKM Bahalul Haque,AKM Najmul Islam,Sami Hyrynsalmi,Bilal Naqvi,Kari Smolander

DOI: https://doi.org/10.48550/arXiv.2104.00648

2021-04-01

Cryptography and Security

Abstract:Although blockchain-based digital services promise trust, accountability, and transparency, multiple paradoxes between blockchains and GDPR have been highlighted in the recent literature. Some of the recent literature also proposed possible solutions to these paradoxes. This article aims to conduct a systematic literature review on GDPR compliant blockchains and synthesize the findings. In particular, the goal was to identify 1) the GDPR articles that have been explored in prior literature; 2) the relevant research domains that have been explored, and 3) the research gaps. Our findings synthesized that the blockchains relevant GDPR articles can be categorized into six major groups, namely data deletion and modification (Article 16, 17, and 18), protection by design by default (Article 25), responsibilities of controllers and processors (Article 24, 26, and 28), consent management (Article 7), data processing principles and lawfulness (Article 5,6 and 12), and territorial scope (Article 3). We also found seven research domains where GDPR compliant blockchains have been discussed, which include IoT, financial data, healthcare, personal identity, online data, information governance, and smart city. From our analysis, we have identified a few key research gaps and present a future research direction.

Anton Hasselgren,Paul Kengfai Wan,Margareth Horn,Katina Kralevska,Danilo Gligoroski,Arild Faxvaag

DOI: https://doi.org/10.48550/arXiv.2009.12913

2020-09-28

Abstract:The transparent and decentralized characteristics associated with blockchain can be both appealing and problematic when applied to a healthcare use-case. As health data is highly sensitive, it is also highly regulated to ensure the privacy of patients. At the same time, access to health data and interoperability is in high demand. Regulatory frameworks such as GDPR and HIPAA are, amongst other objectives, meant to contribute to mitigating the risk of privacy violations in health data. Blockchain features can likely improve interoperability and access control to health data, and at the same time, preserve or even increase, the privacy of patients. Blockchain applications should address compliance with the current regulatory framework to increase real-world feasibility. This exploratory work indicates that published proof-of-concepts in the health domain comply with GDRP, to an extent. Blockchain developers need to make design choices to be compliant with GDPR since currently, none available blockchain platform can show compliance out of the box.

Cryptography and Security,Computers and Society,Social and Information Networks

Javed Ahmed,Sule Yildirim,Mariusz Nowostawski,Mohamed Abomhara,Raghavendra Ramachandra,Ogerta Elezaj

DOI: https://doi.org/10.1007/978-3-030-39445-5_10

2020-01-01

Abstract:AbstractOnline Social Networks (OSNs) are very popular and widely adopted by the vast majority of Internet users across the globe. Recent scandals on the abuse of users’ personal information via these platforms have raised serious concerns about the trustworthiness of OSN service providers. The unprecedented collection of personal data by OSN service providers poses one of the greatest threats to users’ privacy and their right to be left alone. The recent approval of the GDPR (General Data Protection Regulation) presents OSN service providers with great compliance challenges. A set of new data protection requirements are imposed on data controllers (OSN service providers) by GDPR that offer greater control to data subjects (OSN users) over their personal data. This position paper investigates the link between GDPR provisions and the use of blockchain technology for solving the consent management problem in online social networks. We also describe challenges and opportunities in designing a GDPR-compliant consent management mechanism for online social networks. Key characteristics of blockchain technology that facilitate regulatory compliance were identified. The legal and technological state of play of the blockchain-GDPR relationship is reviewed and possible ways to reconcile blockchain technology with the GDPR requirements are demonstrated. This paper opens up new research directions on the use of the disruptive innovation of blockchain to achieve regulatory compliance in the application domain of online social networks.

Rahime Belen-Saglam,Enes Altuncu,Yang Lu,Shujun Li

DOI: https://doi.org/10.1016/j.bcra.2023.100129

2022-10-10

Abstract:The blockchain technology has been rapidly growing since Bitcoin was invented in 2008. The most common type of blockchain systems, public (permisionless) blockchain systems have some unique features that lead to a tension with European Union's General Data Protection Regulation (GDPR) and other similar data protection laws. In this paper, we report the results of a systematic literature review (SLR) on 114 research papers discussing and/or addressing such a tension. To be the best of our know, our SLR is the most comprehensive review of this topic, leading a more in-depth and broader analysis of related research work on this important topic. Our results revealed that three main types of issues: (i) difficulties in exercising data subjects' rights such as the `right to be forgotten' (RTBF) due to the immutable nature of public blockchains; (ii) difficulties in identifying roles and responsibilities in the public blockchain data processing ecosystem (particularly on the identification of data controllers and data processors); (iii) ambiguities regarding the application of the relevant law(s) due to the distributed nature of blockchains. Our work also led to a better understanding of solutions for improving the GDPR compliance of public blockchain systems. Our work can help inform not only blockchain researchers and developers, but also policy makers and law markers to consider how to reconcile the tension between public blockchain systems and data protection laws (the GDPR and beyond).

Cryptography and Security

Lipeng Wang,Zhi Guan,Zhong Chen,Mingsheng Hu

DOI: https://doi.org/10.1109/jiot.2023.3285211

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:The general data protection regulation (GDPR) is a European Union (EU) data protection and privacy law. According to the GDPR, the data on a hosting platform must meet semantic consistency and data integrity requirements. Semantic consistency means that the data operation should comply with the GDPR, while data integrity is meant to ensure that the outsourcing data should be intact. The two terms are not interchangeable. For example, if a cloud service provider migrates data to foreign storage nodes without authorization of the data owner, the data integrity requirement of the GDPR is met but the semantic consistency requirement is not. How to ensure data integrity and compliance is the main challenge for a GDPR-compliant data supervision platform. To achieve this aim, we leverage a blockchain-based data management framework to check the data compliance, which can break the black box of the data hosting platform and demonstrate its logic to data owners, allowing for inspection. We propose a new provable data possession (PDP) scheme for the aforementioned framework that can check for semantic consistency and data integrity simultaneously. The verifier does not need to hold any audited data, which can reduce bandwidth usage. The verification result can be regarded as the proof for subsequent data recovery and accountability. Experimental results show higher efficiency of the PDP scheme.

Nguyen Binh Truong,Kai Sun,Gyu Myoung Lee,Yike Guo

DOI: https://doi.org/10.1109/tifs.2019.2948287

IF: 7.231

2020-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The General Data Protection Regulation (GDPR) gives control of personal data back to the owners by appointing higher requirements and obligations on service providers who manage and process personal data. As the verification of GDPR-compliance, handled by a supervisory authority, is irregularly conducted; it is challenging to be certified that a service provider has been continuously adhering to the GDPR. Furthermore, it is beyond the data owner's capability to perceive whether a service provider complies with the GDPR and effectively protects her personal data. This motivates us to envision a design concept for developing a GDPR-compliant personal data management platform leveraging the emerging blockchain and smart contract technologies. The goals of the platform are to provide decentralised mechanisms to both service providers and data owners for processing personal data; meanwhile, empower data provenance and transparency by leveraging advanced features of the blockchain technology. The platform enables data owners to impose data usage consent, ensures only designated parties can process personal data, and logs all data activities in an immutable distributed ledger using smart contract and cryptography techniques. By honestly participating in the platform, a service provider can be endorsed by the blockchain network that it is fully GDPR-compliant; otherwise, any violation is immutably recorded and is easily figured out by associated parties. We then demonstrate the feasibility and efficiency of the proposed design concept by developing a profile management platform implemented on top of the Hyperledger Fabric permissioned blockchain framework, following by valuable analysis and discussion.

computer science, theory & methods,engineering, electrical & electronic

Pinky Bai,Sushil Kumar,Kirshna Kumar,Omprakash Kaiwartya,Jaime Lloret,Mufti Mahmud

DOI: https://doi.org/10.3390/electronics11203311

IF: 2.9

2022-10-15

Electronics

Abstract:Smart healthcare systems provide user-centric medical services to patients based on collected information of patients inducing personal health information (PHI) and personal identifiable information (PII). The information (PII and PHI) flows into the smart healthcare system with or without any regulation and patient concern with the help of new information and communication technologies (ICT). The use of ICT comes with the security and privacy issues of collected PII and PHI data. The Europe Union has published the General Data Protection Regulation (GDPR) to regulate the flow of personal information. Towards this end, this paper proposes a blockchain-based data storage and sharing framework for a smart healthcare system that complies with the "Privacy by Design" rule of the GDPR. The personal information collected from patients is stored on off-chain storage (IPFS), and other information is stored on the blockchain ledger, which is visible to all participants. The smart contracts are designed to share the PII data with another participant based on prior permission of the data owner. The proposed framework also includes the deletion of PII and PHI in the system as per the "Right to be Forgotten" GDPR rule. Security and privacy analyses are performed for the framework to demonstrate the security and privacy of data while sharing and at rest. The comparative performance analysis demonstrates the benefit of the proposed GDPR-compliant data storage and sharing framework using blockchain. It is evident from the reported results that the proposed framework outperforms the state-of-the-art techniques in terms of performance metrics in a smart healthcare system.

engineering, electrical & electronic,computer science, information systems,physics, applied

Shailja Garg,Tamal Mondal,,

DOI: https://doi.org/10.35940/ijmh.g1696.10070324

2024-03-30

International Journal of Management and Humanities

Abstract:The paper explores how blockchain technology can transform data management, especially when it comes to handling privacy and security issues. Blockchain's immutability, transparency, and decentralization make it a potentially useful tool for addressing the expanding problems associated with data security and integrity. However, the slow adoption of blockchain technology is influenced by a complex interplay of developing privacy concerns, legislative uncertainty, and technological subtleties. The current study aims to identify key data privacy, protection, and security challenges associated with blockchain adoption in various domains, assess the adequacy of the current data privacy, protection, and security laws to address these challenges, and propose potential solutions and areas for further research to mitigate data privacy, protection, and security risks in blockchain applications. Additionally, the research has examined the adaptability and dependability of the two main kinds of blockchain—public and private—as well as the variations in their reach and visibility.

Marta Arisi,Paolo Guarda

DOI: https://doi.org/10.15168/2284-4503-673

2020-07-02

Abstract:The blockchain ecosystem meets the GDPR in the healthcare sector, where its impact is widely debated. To debunk the narrative of contrast, a complexity of applications is displayed, and the legal background is outlined, introducing the matter of governance and compliance with GDPR principles, rights and obligations. Although this work cannot dispel the uncertainties in the application of GDPR rules to blockchains, such as the one regarding the right to erasure, and given the issues elected for further study, we focus on the room for compliance arising from the diverse potential of this technology, which can be shaped according to different architectural choices.

Medicine,Law,Business

Quang Cao,Katerina Vgena,Aikaterini-Georgia Mavroeidi,Christos Kalloniatis,Xun Yi,Son Hoang Dau

2024-09-27

Abstract:Centralized social networks have experienced a transformative impact on our digital era communication, connection, and information-sharing information. However, it has also raised significant concerns regarding users' privacy and individual rights. In response to these concerns, this paper proposes a novel Decentralized Social Network employing Blockchain technology and Decentralized Storage Networks completed by Access Control Smart Contracts. The initial phase comprises a comprehensive literature review, delving into decentralized social networks, explaining the review methodology, and presenting the resulting findings. Building upon these findings and an analysis of previous research gaps, we propose a novel architecture for decentralized social networks. In conclusion, the principal results highlight the benefit of our decentralized social network to protect user privacy. Moreover, the users have all rights to their posted information following the General Data Protection Regulation (GDPR).

Cryptography and Security

Liang Zhang,Haibin Kan,Yang Xu,Jinhao Ran

DOI: https://doi.org/10.1007/978-3-030-92708-0_4

2021-01-01

Abstract:Data sharing methodology has recently been an active research area due to the development of information technology. As blockchain gets popular, decentralized storage mode becomes a favorable method for data sharing. Moreover, non-repudiation, confidentiality, revocability and fine-grained access are sometimes indispensable in practice. In light of these requirements, we propose a solution by combining decentralized ciphertext-policy attribute-based encryption (CP-ABE) and Software Guard eXtension (SGX) with blockchain. In our framework, the use of blockchain makes shared data publicly accessible and undeniable. To ensure confidentiality and fine-grained access control, we take advantage of decentralized CP-ABE to encrypt data. SGX is utilized as a key management service for the decentralized CP-ABE, making our data sharing methodology revocable without updating ciphertext. Overall, our methodology achieves privacy protection, revocability and decentralized fine-grained access. In addition, we perform experiments on Ethereum, and the results demonstrate that our approach is feasible.

Yi Li,Jinsong Wang,Hongwei Zhang

DOI: https://doi.org/10.1016/j.jnca.2023.103686

IF: 7.574

2023-08-01

Journal of Network and Computer Applications

Abstract:Blockchain has been widely used in various fields, such as health management, finance, the Internet of Things (IoT), identity management, and supply chains. However, the performance of blockchain, including its throughput and transaction processing latency, has hindered its large-scale practical application, which is known as the scalability issue of blockchain. Many on-chain and off-chain solutions have been proposed to solve this problem, such as directed acyclic graph (DAG) blockchain and Rollup schemes. Despite these schemes’ ability to enhance the scalability of the blockchain, they compromise on other essential properties. The consensus is that the DAG blockchain can never provide deterministic security for transactions, and Rollup is disputed because it makes a trade-off of decentralization for scalability. Sharding technology is a proposed solution for these limitations, promising to tackle the scalability issue while maintaining security and decentralization at the same time. To date, no survey has been done on sharding design models and their key components and corresponding attack surfaces. To fill this gap, in this survey, we first provide a detailed analysis and comparison of both permissioned and permissionless sharding blockchains. Then, we describe the common building blocks chosen by the above sharding schemes as key components. Finally, we investigate how these components may be attacked and suggest corresponding countermeasures. Several open challenges are also given as future research directions. The survey aims to help researchers, engineers, and educators quickly grasp a consolidated body of knowledge about current sharding blockchain development.

computer science, interdisciplinary applications, software engineering, hardware & architecture

Aashaka Shah,Vinay Banakar,Supreeth Shastri,Melissa Wasserman,Vijay Chidambaram

DOI: https://doi.org/10.48550/arXiv.1903.04880

2019-05-16

Abstract:The recently introduced General Data Protection Regulation (GDPR) is forcing several companies to make significant changes to their systems to achieve compliance. Motivated by the finding that more than 30% of GDPR articles are related to storage, we investigate the impact of GDPR compliance on storage systems. We illustrate the challenges of retrofitting existing systems into compliance by modifying Redis to be GDPR-compliant. We show that despite needing to introduce a small set of new features, a strict real-time compliance (eg logging every user request synchronously) lowers Redis' throughput by 20x. Our work reveals how GDPR allows compliance to be a spectrum, and what its implications are for system designers. We discuss the technical challenges that need to be solved before strict compliance can be efficiently achieved.

Distributed, Parallel, and Cluster Computing,Databases

Rodrigo Dutra Garcia,Gowri Ramachandran,Kealan Dunnett,Raja Jurdak,Caetano Ranieri,Bhaskar Krishnamachari,Jo Ueyama

2024-11-25

Abstract:Modern distributed applications in healthcare, supply chain, and the Internet of Things handle a large amount of data in a diverse application setting with multiple stakeholders. Such applications leverage advanced artificial intelligence (AI) and machine learning algorithms to automate business processes. The proliferation of modern AI technologies increases the data demand. However, real-world networks often include private and sensitive information of businesses, users, and other organizations. Emerging data-protection regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) introduce policies around collecting, storing, and managing digital data. While Blockchain technology offers transparency, auditability, and immutability for multi-stakeholder applications, it lacks inherent support for privacy. Typically, privacy support is added to a blockchain-based application by incorporating cryptographic schemes, consent mechanisms, and self-sovereign identity. This article surveys the literature on blockchain-based privacy-preserving systems and identifies the tools for protecting privacy. Besides, consent mechanisms and identity management in the context of blockchain-based systems are also analyzed. The article concludes by highlighting the list of open challenges and further research opportunities.

Cryptography and Security,Emerging Technologies

Shravani Amar

DOI: https://doi.org/10.55041/ijsrem16668

2022-10-28

INTERANTIONAL JOURNAL OF SCIENTIFIC RESEARCH IN ENGINEERING AND MANAGEMENT

Abstract:Abstract—Blockchain’s evolution during the past decade is astonishing: from bitcoin to over 2.000 altcoins, and from decentralised electronic payments to transactions programmable by smart contracts and complex tokens governed bydecentralised organisations. While the new generation of blockchain appli- cations is still evolving, blockchain’s technical characteristics are also advancing. Yet, immutability, a hitherto indisputable property according to which blockchain data cannot be edited nor deleted, remains the cornerstone of blockchain’s security. Nevertheless, blockchain’s immutability is being called into ques- tion lately in the light of the new erasing requirements imposed by the GDPR’s “Right to be Forgotten (RtbF)” provision. As the RtbF obliges blockchain data to be editable in order restricted content redactions, modifications or deletions to be applied when requested, blockchains compliance with the regulation is indeed challenging, if not impracticable. Towards resolving this contradiction, various methods and techniques for mutable blockchains have been proposed in an effort to satisfy regulatory erasing requirements while preserving blockchains’ security. To this end, this work aims to provide a comprehensive review on the state-of-the-art research approaches, technical workarounds and advanced cryptographic techniques that have been put forward to resolve this conflict and to discuss their potentials, constraints and limitations when applied in the wild to either permissioned or permissionless blockchains. Index Terms—Blockchain, immutability, Right to be forgotten, GDPR

Yizhong Liu,Jianwei Liu,Marcos Antonio Vaz Salles,Zongyang Zhang,Tong Li,Bin Hu,Fritz Henglein,Rongxing Lu

DOI: https://doi.org/10.1016/j.cosrev.2022.100513

IF: 8.757

2022-11-01

Computer Science Review

Abstract:Sharding is the prevalent approach to breaking the trilemma of simultaneously achieving decentralization, security, and scalability in traditional blockchain systems, which are implemented as replicated state machines relying on atomic broadcast for consensus on an immutable chain of valid transactions. Sharding is to be understood broadly as techniques for dynamically partitioning nodes in a blockchain system into subsets (shards) that perform storage, communication, and computation tasks without fine-grained synchronization with each other. Despite much recent research on sharding blockchains, much remains to be explored in the design space of these systems. Towards that aim, we conduct a systematic analysis of existing sharding blockchain systems and derive a conceptual decomposition of their architecture into functional components and the underlying assumptions about system models and attackers they are built on. The functional components identified are node selection, epoch randomness, node assignment, intra-shard consensus, cross-shard transaction processing, shard reconfiguration, and motivation mechanism. We describe interfaces, functionality, and properties of each component and show how they compose into a sharding blockchain system. For each component, we systematically review existing approaches, identify potential and open problems, and propose future research directions. We focus on potential security attacks and performance problems, including system throughput and latency concerns such as confirmation delays. We believe our modular architectural decomposition and in-depth analysis of each component, based on a comprehensive literature study, provides a systematic basis for conceptualizing state-of-the-art sharding blockchain systems, proving or improving security and performance properties of components, and developing new sharding blockchain system designs.

computer science, information systems, theory & methods, software engineering

Enrique Fynn,Fernando Pedone

DOI: https://doi.org/10.1109/dsn-w.2018.00051

2018-06-01

Abstract:Blockchain has received much attention in recent years. This immense popularity has raised a number of concerns, scalability of blockchain systems being a common one. In this paper, we seek to understand how Ethereum, a well-established blockchain system, would respond to sharding. Sharding is a prevalent technique to increase the scalability of distributed systems. To understand how sharding would affect Ethereum, we model Ethereum blockchain as a graph and evaluate five methods to partition the graph. We assess methods using three metrics: the balance among shards, the number of transactions that would involve multiple shards, and the amount of data that would be relocated across shards upon repartitioning of the graph.

Lo-Yao Yeh,Chih-Ya Shen,Wei-Chiao Huang,Wan-Hsin Hsu,Hsien-Chu Wu

DOI: https://doi.org/10.1109/jsyst.2021.3139319

IF: 4.802

2022-01-01

IEEE Systems Journal

Abstract:With the rise of blockchain technology, the peer-to-peer (P2P) network system has once again caught people's attention to equipping a blockchain with a big storage capacity. In the traditional P2P file-sharing network systems, such as InterPlanetary File System (IPFS), data stored in the other nodes cannot be revoked by the owner and can only be removed by other nodes themselves. To comply with the criteria of the European Union's General Data Protection Regulation, it is important to ensure that personal data can be completely removed by their owners. To improve the privacy and security of the P2P file-sharing system, we propose a revocable and monitorable P2P file-sharing system over a consortium blockchain to achieve revocation of files in the decentralized environment. By using a trusted execution environment, such as Intel Software Guard Extensions (SGX), the proposed scheme can verify the integrity of the executables of the P2P file-sharing system and generate a file authentication code for each IPFS node to make sure that the system is synchronized correctly. This scheme elaborately integrates the autonomous smart contracts and Intel SGX hardware to obtain the monitorable merit. The experimental results suggest that enhancing the security and privacy take modest computing costs into consideration. To the best of our knowledge, this scheme is the first attempt to achieve the P2P file-sharing system with securely revocable functions.

computer science, information systems,telecommunications,engineering, electrical & electronic,operations research & management science

Paulo Henrique Alves,Isabella Z. Frajhof,Fernando A. Correia,Clarisse de Souza,Helio Lopes

DOI: https://doi.org/10.48550/arXiv.2010.11677

2020-10-22

Computers and Society

Abstract:Data privacy is a trending topic in the internet era. Given such importance, many challenges emerged in order to collect, manage, process, and publish data. In this sense, personal data have got attention, and many regulations emerged, such as GDPR in the European Union and LGPD in Brazil. This regulation model aims to protect users' data from misusage and leakage and allow users to request an explanation from companies when needed. In pandemic situations, such as the COVID-19 and Ebola outbreak, the action related to sharing health data between different organizations is/ was crucial to develop a significant movement to avoid the massive infection and decrease the number of deaths. However, the data subject, i.e., the users, should have the right to request the purpose of data use, anonymization, and data deletion. In this sense, permissioned blockchain technology emerges to empower users to get their rights providing data ownership, transparency, and security through an immutable, unified, and distributed database ruled by smart contracts. The governance model discussed in blockchain applications is usually regarding the first layer governance, i.e., public and permissioned models. However, this discussion is too superficial, and they do not cover compliance with the data regulations. Therefore, in order to organize the relationship between data owners and the stakeholders, i.e., companies and governmental entities, we developed a second layer data governance model for permissioned blockchains based on the Governance Analytical Framework principles applied in pandemic situations preserving the users' privacy and their duties. From the law perspective, we based our model on the UE GDPR in regard to data privacy concerns.