For the private “permissioned” blockchains that Wall Street is typically exploring—distributed ledger models in which all the validating computers must be pre-authorized to join the network—Ludwin’s “by design” notion refers solely to the fact that the data is distributed among many nodes rather than held solely by one. The advantage is that this structure creates multiple redundancies, or backups, that can keep the network running if one node is compromised. A more radical solution is to embrace open, “permissionless” blockchains like Bitcoin and Ethereum, where there’s no central authority keeping track of who’s using the network. And in that case, the entire security paradigm—the question of what constitutes “security”—changes. It’s not about building a firewall up around a centralized pool of valuable data controlled by a trusted third party; rather the focus is on pushing control over information out to the edges of the network, to the people themselves, and on limiting the amount of identifying information that’s communicated publicly. Importantly, it’s also about making it prohibitively expensive for someone to try to steal valuable information.
It’s perhaps counterintuitive to think that a system in which people don’t reveal their identities could be safe from attackers. But the fact is that the incentive and costs that these software programs impose on actors in the system have proven remarkably secure. Bitcoin’s core ledger has never been successfully attacked. Now, it will undoubtedly be a major challenge to get the institutions that until now have been entrusted with securing our data systems to let go and defer security to some decentralized network in which there is no identifiable authority to sue if something goes wrong. But doing so might just be the most important step they can take to improve data security. It will require them to think about security not as a function of superior encryption and other external protections, but in terms of economics, of making attacks so expensive that they’re not worth the effort.
Let’s compare our current “shared-secret model” for protecting information with the new “device identity model” that Bitcoin’s blockchain could facilitate. Currently, a service provider and a customer agree on a secret password and perhaps certain mnemonics—“Your pet’s name?”—to manage access. But that still leaves all the vital data, potentially worth billions of dollars, sitting in a hackable repository on the company’s servers. With a permissionless blockchain, control over the data stays with the customer, which means that the point of vulnerability lies with their device. So instead of Visa’s servers containing the vital identifying information that’s needed for hundreds of millions of cardholders to access its payments network, the right to access a network is managed solely by you, on your phone, your computer. A hacker could go after each device, try to steal the private key that’s used to initiate transactions on the decentralized network, and, if they’re lucky, get away with a few thousand dollars in bitcoin. But it’s far less lucrative and far more time-consuming than going after the rich target of a central server.
The weak link—there is always one, it is a truism of cybersecurity—would now be the device itself. The onus in a blockchain system is on the customer to protect that device. Admittedly, that opens up new challenges in terms of education around the management of private keys and encryption strategies. Optimizing the cryptocurrency future will require people to take charge of their own security.
But even with this new challenge in terms of device protection, we should see a dramatic reduction in the number of attacks. The crucial point here is that the potential payoff for the hacker is so much smaller for each attack. Rather than accessing millions of accounts at once, he or she has to pick off each device one by one for comparatively tiny amounts. It’s an incentives-weighted concept of security. It is security by design, not by patch.
It seems clear to us that the digital economy would benefit greatly from embracing the distributed trust architecture allowed by blockchains—whether it’s simply the data backups that a distributed system offers, or the more radical idea of an open system that’s protected by a high cost-to-payout ratio. Once we put our heads in that place, liberating new models for managing data emerge, models that restore control to the individuals who produce the data and then give the data itself significantly more protection.
One industry that would no doubt rejoice at such a solution would be the health care industry. Right now, highly sensitive health records are spread across separate siloed databases managed by insurance firms, hospitals, and laboratories, each sitting on their own pools of vulnerable data. These institutions are bound by strict non-disclosure rules laid out in well-intentioned but highly restrictive patient privacy legislation such as the Health Insurance Portability and Accountability Act, which imposes high penalties for failing to protect patient data, and they would love to be free of this liability.
Attacks have been mounting in the industry. A 2016 cyber-attack on insurer Anthem Health exposed 78 million customers’ records. The so-called WannaCry ransom attacks, in which health records of patients in different hospitals around the world were encrypted by hackers who demanded bitcoin payments to unlock them, largely targeted hospitals and other places where the data is a life-or-death consideration.
The biggest losers are patients. This structure creates time-wasting, costly inefficiencies in their care—there are countless horror stories of critically ill patients unable to release vital records from their primary-care physicians to emergency staff so they can take the right measures. And because data isn’t being freely shared, research into potentially lifesaving treatments is held back. Almost everything about how the U.S. health care system manages medical records is broken.
That’s why initiatives like MedRec, an open-source program based on the Ethereum blockchain that was created by MIT Media Lab students Ariel Ekblaw, Asaph Azaria, and Thiago Vieira, are filled with such potential. The idea, one that’s also being pursued in different forms by startups such as Gem of Los Angeles and Blockchain Health of San Francisco, is that the patient has control over who sees their records. Data would still reside with each provider, but patients would use their private cryptographic key—the same device used to authorize bitcoin payments—to release whatever specific aspects of their data are required by providers, to whom they authorize access.
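The “device identity model” described above, and the patient-controlled release of records that MedRec-style projects aim for, can be sketched as an added example (this is illustrative code written for this page, not MedRec’s or any startup’s implementation): the patient’s device signs a grant naming one provider, a record scope and an expiry, and the provider verifies it against the only thing it ever stores, the patient’s public key. Provider names and record labels are constructed, and the expiry is a plain counter rather than a real clock.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
)

// Grant is the record-release authorization a patient signs on their own
// device: which provider may read which records, and until when.
type Grant struct {
	Patient  ed25519.PublicKey `json:"patient"`
	Provider string            `json:"provider"`
	Scope    []string          `json:"scope"`
	Expires  int64             `json:"expires"` // constructed counter, not a real clock
}

// Device holds the private key; only the public half is ever registered
// with a provider, so a dump of the provider's store cannot author grants.
type Device struct{ priv ed25519.PrivateKey }

func NewDevice() (*Device, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv: priv}, pub
}

// Authorize builds and signs a grant; the signature covers the JSON form.
func (d *Device) Authorize(provider string, scope []string, expires int64) (Grant, []byte) {
	g := Grant{Patient: d.priv.Public().(ed25519.PublicKey), Provider: provider, Scope: scope, Expires: expires}
	msg, _ := json.Marshal(g)
	return g, ed25519.Sign(d.priv, msg)
}

// VerifyGrant is the provider-side check against the registered public key:
// right addressee, requested record in scope, not expired, signature valid.
func VerifyGrant(registered ed25519.PublicKey, g Grant, sig []byte, provider, record string, now int64) bool {
	if g.Provider != provider || now >= g.Expires || !registered.Equal(g.Patient) {
		return false
	}
	inScope := false
	for _, s := range g.Scope {
		inScope = inScope || s == record
	}
	msg, _ := json.Marshal(g)
	return inScope && ed25519.Verify(registered, msg, sig)
}
```

A grant that is re-addressed, widened in scope, expired, or signed by a key other than the registered one fails verification, which is the property that moves the point of vulnerability from the provider’s store to the patient’s device.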
Decentralized Economy with Centralized Trust
How do we get to a world of decentralized trust, so that it costs me close to nothing to safely and confidently engage in transactions with others online? Answers to that question lie in reflecting on how we went from the utopian concept of a level-playing-field Internet that led New York Times columnist Thomas Friedman to declare that the “world is flat” to one in which a handful of gargantuan gatekeepers have asserted almost total control.
Let’s start with the pre-Internet offline economy, the one we inherited from the twentieth century, when the centralized trust model was the only one we could imagine. Under that system, which prevails to this day, we charge banks, public utilities, certificate authorities, government agencies, and countless other centralized entities and institutions with the task of recording everyone’s transactions and exchanges of value. We trust them to monitor our activities—our check writing, our electricity consumption, our monthly payments for everything from newspaper delivery to telephone services—and to reliably and honestly update that information in ledgers that they, and only they, control. With that exclusive knowledge, those entities gain unique powers in determining