Blockchain technology has been one of the most promising technologies of the past decade,
with Ethereum and Bitcoin being the two most popular Blockchains today. Neither
provides data protection and privacy by default. The former allows Decentralized Applications (DApps) to be built with zero chance of downtime or censorship, and is the main focus of this dissertation.
The European Union approved a law in 2016, the General Data Protection Regulation
(GDPR), with severe penalties being enforced since May 25th, 2018. It is considered a
massive step toward protecting user data. Not only does it affect companies with offices
in the EU, but also organizations throughout the world that have users from EU territories.
Further, it stipulates key obligations for organizations handling user data, in addition to
introducing new rights for individuals, such as the right to erasure. This represents a major
challenge towards achieving GDPR compliance in DApps, as Blockchains such as Ethereum are immutable by design.
This dissertation’s work attempts to comply with the GDPR and its conflicting right to erasure by developing an Ethereum proof-of-concept DApp, DFiles, which also aims to provide some form of data privacy and protection. It also allows its users to upload encrypted files and to download and decrypt them. It was developed using an Agile methodology in an iterative approach with mainly decentralized technologies, such as the InterPlanetary File System (IPFS) and Ethereum smart contracts, with a centralized component for user authentication, while adhering to Blockchain Software Engineering. Due to the GDPR’s complexity, only some parts were selected, namely the rights to erasure, data portability, access and rectification.
DFiles’ GDPR compliance was then evaluated with a statistical analysis of encrypted
and unencrypted files uploaded by users to the DApp, with elapsed upload times and Ethereum
transaction costs measured for files separated into four categories: small (1KB-1MB),
medium (1MB-20MB), large (20MB-200MB) and extra-large (200MB-2GB). However,
due to hardware limitations, this statistical analysis could only be performed for files up
to 14.2MB. It concluded that transaction costs for unencrypted files are slightly higher,
although this increase is not significant. As for elapsed upload times, it found that the
elapsed upload time for encrypted files was overall significantly higher. Data from files larger than 14.2MB was still recorded, and it showed that the last two elapsed upload times for unencrypted files up to 800MB are less than the last two elapsed upload times for encrypted ones up to 14.2MB.
In conclusion, encrypting files to comply with the General Data Protection Regulation’s right to erasure is a valuable option only for small to medium files up to 14.2MB. From there, without considering hardware encryption limitations, upload times tend to grow exponentially.
Ethereum and the IPFS must advance to allow better privacy techniques. Recently, there
have been major new improvements to Ethereum and its smart contracts; the world of
DApp development is always changing at a fast rate. In the future, Ethereum might evolve
to a newer version that may bring new and enhanced privacy controls, which in turn may allow its complete GDPR compliance.
Figures uploaded by Duarte Teles (author content).