At present, we regard blockchain technology as a tool that has the potential to improve some current solutions, but is not necessary: everything can also be solved well enough without a blockchain, as we are used to doing with traditional solutions that rely on a central authority. We believe that this view of the blockchain will gradually change and that the importance of this technology will grow, also in connection with the growing importance of other so-called innovative technologies and their interconnection (see also section 12 and the question “Where will the blockchain be irreplaceable?”).
By innovative technologies we at EY mean, in addition to BC (blockchain), especially those shown in the following figure (Image 10). A brief description of the connection of blockchain with the other innovative technologies, from the point of view of information security, is given in the following list:
· IoT (Internet of things): Blockchain as a reliable and secure repository of data produced with IoT sensors,
· DA (Data analytics) and AI (Artificial intelligence): Blockchain as a source of reliable (partially validated when writing to blocks) and fixed data (e.g. from IoT) for further processing, interpretation and use in machine learning,
· Cyber (Cyber security): Blockchain as a control mechanism of information security (main topic of this part of the study),
· RPA (Robotic process automation) and AI: Blockchain e.g. as a reliable log of the actions of (intelligent) robots, used to verify that their actions comply with the prescribed rules.
Notes on other selected IB topics
In this section, we focus further on aspects of blockchain technology related to the security of information management in the context of other topics relevant to the informatization of public administration and its compliance with the relevant national and European regulations and rules. The list of analyzed topics is not complete and should be seen as a contribution to further discussion.
Protection of personal data (GDPR Regulation)
The GDPR (General Data Protection Regulation) was approved by the European Union in 2016 and came into force in 2018 in order to protect the personal data of the population. A possible mismatch between blockchain technology and the GDPR is a common objection. In October 2018, the EU Blockchain Observatory and Forum released its report “Blockchain and the GDPR”, which explains the pitfalls of GDPR compliance and outlines possible solutions.
Main rights according to GDPR:
· The right to correct incorrect data,
· The right to erasure (sometimes referred to as the “right to be forgotten”),
· Right of access: members of the public have the right to find out what information is stored about them,
· Rights associated with automated processing.
The report explains that GDPR compliance is not a property of a technology as such, but of the uses of that technology. Just as there is no GDPR-compatible Internet, we cannot speak of the compatibility of blockchain and the GDPR, only of GDPR-compatible use cases and applications. Implementation is, of course, easier for private than for public blockchains. The main areas of potential inconsistency are the following:
· Identification and obligations of data processors,
· Anonymization of personal data,
· Exercise of certain rights of data subjects (for example the right to have data deleted, which is a problem in general when it comes to blockchain; discussions on what can be regarded as deletion are still ongoing).
These issues have not yet been definitively decided by the data protection authorities, the European Council Data Protection Supervisor (EDPS) or by a court. The main recommendations of the above report are:
· Focus on the overall picture first: what is the added value, how is the data used, and whether it is necessary to store it in the blockchain at all,
· Avoid storing personal data in the blockchain. Try obfuscation, encryption and aggregation to anonymize data,
· Store personal data off-chain or use a private blockchain. Consider the issue of personal data carefully when connecting private and public blockchains,
· Keep innovating and be as transparent to users as possible.
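The off-chain recommendation above can be illustrated with a small store in which only a salted commitment reaches the ledger and erasure happens off-chain. This is an added example, not code from the report or from any project it cites; the class name, the in-memory ledger and the constructed records are all assumptions for the demonstration.

```python
import hashlib
import json
import os

class OffChainPersonalDataStore:
    """Personal data stays off-chain; the ledger only holds a salted SHA-256 commitment."""

    def __init__(self):
        self.ledger = []       # constructed stand-in for an append-only, immutable chain
        self.off_chain = {}    # erasable store: record_id -> (salt, personal data)

    @staticmethod
    def _commitment(salt, personal):
        payload = json.dumps(personal, sort_keys=True).encode()
        return hashlib.sha256(salt + payload).hexdigest()

    def commit(self, record_id, personal):
        # A 32-byte random salt stops anyone from confirming guesses (e.g. a known
        # birth number) by hashing candidate values and comparing with the ledger.
        salt = os.urandom(32)
        digest = self._commitment(salt, personal)
        self.ledger.append({"id": record_id, "commitment": digest})
        self.off_chain[record_id] = (salt, personal)
        return digest

    def verify(self, record_id):
        """Recompute the commitment from the off-chain copy; False if erased or tampered."""
        entry = self.off_chain.get(record_id)
        if entry is None:
            return False
        salt, personal = entry
        digest = self._commitment(salt, personal)
        return any(e["id"] == record_id and e["commitment"] == digest for e in self.ledger)

    def erase(self, record_id):
        """Right to erasure: drop the data and its salt; the on-chain hash stays but is unlinkable."""
        self.off_chain.pop(record_id, None)

    def ledger_length(self):
        return len(self.ledger)
```

After `erase`, the ledger entry is still present (the chain is not rewritten), but without the salt and the data it can no longer be tied to the person, which is the argument the report makes for keeping personal data off-chain.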
Selected innovative – breakthrough technologies
Data protection on accounting documents
Part of the digitization of the economy is also the solution of seemingly very simple tasks such as the digitization and, if possible, the complete elimination of paper invoices and accounting documents in general. This effort has been growing in recent years, also in connection with the advent of so-called shared service centers (SSCs), which process large quantities of accounting documents daily. The possibility of converting a paper invoice to an electronic one right at the beginning of its life cycle, and thereby avoiding the parallel storage of a paper “original”, brings huge financial savings.
Requirements for the quality and security of electronically processed and stored invoices are set by Act No. 222/2004 Coll. on value added tax, in particular in Section 71:
· An electronic invoice is an invoice that contains data pursuant to Section 74 and is issued and received in any electronic format; an electronic invoice may be issued only with the consent of the recipient of the goods or services,
· the credibility of the origin of the invoice is the confirmation of the identity of the supplier of the goods or services or the person who issued the invoice on behalf of the supplier,
· integrity of the content of the invoice means preservation of the content of the invoice,
· electronic data interchange means the transfer of data in electronic form from a computer to a computer using an approved electronic interchange link structure standard.
· A taxable person is obliged to ensure the credibility of the origin, the integrity of the content and legibility of the invoice from its issue until the end of the invoice storage period. As a way of securing the authenticity of the origin, the integrity of the content and the legibility of the invoice may be used:
– business process control mechanisms that reliably ensure the assignment of the invoice to a document related to the delivery of goods or services,
– a guaranteed electronic signature according to a special regulation or a law valid in another Member State governing the use of the guaranteed electronic signature,
– electronic exchange of data, where the contract relating to such exchange provides for the use of procedures ensuring the credibility of the origin and the integrity of the data content,
– another method of ensuring the authenticity of the origin and the integrity of the contents of the invoice.
Note: Further details can also be found in EU Regulation 2010/45 “The Invoicing Directive” and its “Explanatory notes”.
The critical requirements are therefore those of § 71(3), namely to ensure:
· credibility of origin,
· integrity of the content,
· the legibility and availability of the invoice during the period stipulated by this Act.
In the light of the above, we can only state here that exactly this data protection can be provided by blockchain technology. Unlike the traditional ways of reducing information security risks, i.e. in particular by layering general and application control mechanisms, in this case an information security solution based on the blockchain's implicit control mechanisms appears not only more effective (almost 100% certainty) but also cheaper.
A role similar to that of the tax authority in verifying that electronically processed and retained invoices comply with the requirements is played by the auditor of financial statements in relation to all accounting documents. In addition to the obvious requirement for the availability (including legibility) of these documents, the auditor verifies the CEA trio:
· existence (i.e. that the data on the documents are true and not fictitious) and their
These three assumptions, which are the subject of the audit, fall under the notion of integrity (in the information security sense). Data integrity can be ensured very successfully by blockchain technology, which can therefore literally revolutionize the approach to auditing.
Note: The conclusions of this section on the applicability of blockchain technology to ensuring the information security of accounting document data, and on the potential fundamental change (simplification) of the audit approach for data stored in this way, apply not only to the commercial sector but also to public administration.
eID and eIDAS
The Slovak Republic has introduced identity cards / electronic residence documents with a chip on the Infineon Technologies SLE78CFX3000P / Atos CardOS 5.0 platform (hereinafter simply eID). These eIDs are used to store and work with the private key belonging to a qualified certificate, using RSA with a key length of 3072 bits. An eID with a valid certificate then allows its holder to create electronic signatures and access state electronic services.
The main disadvantage of RSA is the length of the electronic signature, which is equal to the length of the key, i.e. in this case 384 bytes (characters). Therefore, most blockchain implementations use the newer ECC / ECDSA signature technology (elliptic curve cryptography; elliptic curve digital signature algorithm), mostly on the secp256k1 curve with a key length of 256 bits, generating signatures 65 characters long. From a security point of view, 256-bit ECC keys are considered equivalent to 3072-bit RSA keys. In a blockchain that holds the signature of each record, an almost sixfold difference in length can represent significant capacity savings.
From the above, there are two possibilities for using eID with blockchain:
· the blockchain implements the RSA-3072 signature technology, or
· ECC certificates are used in the eID. Implementation details, e.g. the elliptic curve used, require further discussion with the technology vendor.
Blockchain can be a suitable platform for the distribution and management of qualified certificates – a database maintaining lists of valid and revoked certificates, which also makes it possible to validate new transactions against these lists automatically. However, publishing complete certificates directly on the blockchain can be problematic, in particular because of the personal data stated in the certificate (for example, qualified certificates issued in Slovakia also state the birth number).
It is also important to mention the requirement of Commission Implementing Decision (EU) 2015/1506, which lays down specifications for formats of advanced electronic signatures and advanced electronic seals to be recognized by public sector bodies. A normal implementation of a signed blockchain transaction uses its own proprietary format, which is not on the list of reference formats.
For use at national level, provided that the legislation is aligned with the chosen implementation, the signature on a transaction can be regarded as an advanced electronic signature. Technically speaking, the format in which the signature is stored does not in principle add to security. However, depending on the application used, it may be necessary either to harmonize the blockchain implementation so that the transaction format is one of the XAdES or CAdES formats, or to create appropriate conversion tools for import and / or export.