TECHNOLOGY AND THE LAW

- Falk Borgmann

...you take the high road, I’ll take the low road — to the future

No one should be surprised to learn that Germany’s legislature is not always able to keep up with the pace of technological developments. The blockchain has nonetheless managed to make its way into the latest coalition agreement. And the committee for the German Bundestag’s digital agenda went so far as to actively explore the topic in November.

But today, our focus is not on whether antiquated laws or the lack of specific legislation is a huge disadvantage for companies — especially startups — that wish to operate in Germany.

Instead, we’re going to look at a specific example. How does a purely public blockchain implementation of the kind that some very ambitious (and optimistic) vendors have announced hold up when compared with the letter of the law as it currently stands in Germany?

Let’s clear one thing up first, though. The intention here is not to discredit anyone else’s ideas about technologies or markets. My objective is to take an unbiased view of this rather complex state of affairs.

A blockchain is suitable for “authenticating” data. The idea of making it possible to validate documents over a longer period of time using what is known as public anchoring is both a tempting and obvious use of the technology. Even the implementation appears simple at first glance: hash values of the data are calculated, either locally or using a vendor client, and are then written to a system or to one or more blockchains in a subsequent step. Public systems such as Bitcoin or Ethereum are often used to validate local data.

The problems start when vendors with big plans attempt to turn the public blockchain into a compliance zone. Their vision revolves around creating a public trust system that can be used to prove that documents are still in their original, unmodified state. But what works for an unregulated cryptocurrency does not automatically work for other use cases. Unless, of course, the government creates a suitable, future-proof legal framework.

Because why is it even necessary to be able to prove a document is in its original state? The utility, in the end, lies in proving that the document is unmodified — authentic, in other words. But mere technical evidence is not sufficient here. The proof must also be legally recognized so that the means of providing this proof is able to withstand any legal scrutiny in the event of a dispute. In this case, the matter is similar to a paper contract whose precise contents are only of interest when a conflict arises between the signing parties. Only then will these optimistic promises translate into added value.

In other words, certifying documents with a public blockchain is only a feasible use case when there is no doubt that the original document will retain its legal validity. So, what’s the end game here? We need to get to the bottom of one thing.

  • Will an implementation for validating data stand up in a court of law if it is implemented using a totally public blockchain?

Meeting the burden of proof with public blockchains — the question of organization

Before we start looking at the applicable regulations, the following questions arise:

  • How long do we need to be able to validate the data?
  • How important is it for the validation to stand up in a court of law?

Why is that important? Because the decisive question is: who can guarantee a user that, for instance, the Bitcoin blockchain will still exist six or even ten years from now? What will happen to validation data if “Bitcoin 2.0” is released tomorrow and the current network simply dies? What happens if the community decides to throw away parts of the blockchain or to significantly decrease the size of the network, for instance using hard forks, greatly increasing the risk of individual miners taking over? Can’t happen, you say? Of course it can happen. And it does. Ethereum has already been split into multiple chains. Just look up the DAO hacker attack. If the Ethereum community had successfully pushed through their EIP 999 in the spring of 2018, the next split would already be on its way. And with “Constantinople,” we’ll see the next hard fork as soon as early 2019.

Legal standing with public blockchains — procedures and laws

Current regulations such as eIDAS (and the accompanying BSI TR-03145) or the specification for “Maintaining the evidentiary value of cryptographically signed documents” (BSI TR-03125) use a conventional signature-based procedure. Ensuring the authenticity of data at this level of quality by generating a qualified signature is simply not possible right now without a CA (Certificate Authority) — let alone without any such signature whatsoever.

It’s the exact same with the generation of qualified electronic time stamps. Currently, only certification providers accredited by the Bundesnetzagentur (Germany’s Federal Network Agency) are permitted to issue such official certifications. Neither Bitcoin nor Ethereum is on the list. A Trusted Time Stamp has to ensure within 24 hours that the time of an event or a signature is accurate within a maximum deviation of 100 milliseconds, even in the event of time signal failures of up to a maximum of 500 milliseconds. These types of response times are, by design, simply not possible with Bitcoin and Ethereum. Even the optimistic 10-second time-to-block of Ethereum is far removed from these regulations. The gap between the reality of current technologies and what is technically and legally required becomes evident here.

What we also must not forget is that there is no guarantee for the longevity of hashes. SHA-1, for instance, is no longer considered secure. What would happen if, five years from now, the government were to determine that the now frequently used SHA-256 hashes should be classified as no longer secure? What implications would there be for evidence that relies on these types of hashes? A public blockchain makes it impossible to perform the necessary changes to a system. You would be at the mercy of the global community, whose highest law is always and only the code.
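To make the anchoring scheme described earlier and the hash-longevity problem above concrete, here is an added illustration that is not part of the original article or any vendor's product: a constructed append-only ledger stands in for a public chain, a document is anchored by its digest only, and verification fails both when the local copy changes and when the anchor's hash algorithm is dropped from the accepted list. Names such as `PublicLedger`, `anchor_document` and `verify_document` are my own, and the ledger, timestamps and document content are constructed.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Anchor:
    algorithm: str   # hash algorithm fixed at anchoring time, e.g. "sha256"
    digest: str      # hex digest of the document under that algorithm
    timestamp: int   # set by the ledger when the record is appended


class PublicLedger:
    """Constructed stand-in for a public blockchain: append-only, with no
    update or delete. That property makes anchors trustworthy and, equally,
    makes later corrections (such as switching hash algorithm) impossible."""

    def __init__(self):
        self._records = []

    def append(self, algorithm, digest, now):
        self._records.append(Anchor(algorithm, digest, now))
        return len(self._records) - 1   # index plays the role of a tx id

    def get(self, index):
        return self._records[index]


def digest_of(data: bytes, algorithm: str) -> str:
    return hashlib.new(algorithm, data).hexdigest()


def anchor_document(ledger, data, algorithm="sha256", now=0):
    """Write only the digest to the ledger; the document itself stays local.
    Re-anchoring under a newer algorithm is just another call to this
    function: the old record stays, and the new anchor proves existence
    only from its own timestamp onward."""
    return ledger.append(algorithm, digest_of(data, algorithm), now)


def verify_document(ledger, index, data, accepted_algorithms):
    """Return (ok, reason). The check fails if the local copy no longer
    matches the anchored digest, or if the anchor's algorithm has since been
    dropped from the accepted set: the on-chain record cannot be re-hashed,
    so a deprecated algorithm leaves the old anchor without evidentiary value."""
    rec = ledger.get(index)
    if rec.algorithm not in accepted_algorithms:
        return False, f"anchor uses deprecated algorithm {rec.algorithm}"
    if digest_of(data, rec.algorithm) != rec.digest:
        return False, "document does not match anchored digest"
    return True, "ok"
```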

In conclusion

Are current public blockchains an appropriate medium to maintain documents in such a way that they can be validated over a period of several years? The answer is currently a clear no.

There are simply too many questions in these infrastructures that remain unanswered. The government has yet to provide a clear legal framework. We don’t even know if it will be able to pass any legislation at all in this space any time soon. So, vendors out there right now selling business solutions based on public blockchains are overpromising. If you hop on that bandwagon, you do so completely at your own risk.

I’m not claiming that public blockchain infrastructures are fundamentally incapable of providing a solution to the challenges mentioned above. Quite the contrary — I believe that they are a very real option — just not using the infrastructures that exist right now such as Bitcoin and Ethereum.
