Kinks in the blockchain

By Meg McKechnie, Sid Mylavarapu and Shengshi Zhao

19 Jul 2018

Blockchain is still a work in progress, but its advantages must be seen in the light of regulatory concerns and corporate protection.

Imagine this piece of written material is edited on a server, with a number of users all seeing and contributing to the edited version as it is being written. There is no ability to change the previous word. The ongoing changes are each placed in an information block and every participant in the network is updating and agreeing with the changes in the copy as they are being made.

The last user is the de facto record of this written piece – there is no final copy.

This is broadly how blockchain works. Every participant (or "node") is updating the story, which has to be agreed on by everyone along the chain. Blockchain eliminates the need for a single oversight and in doing so, allows a series of transactions to occur at speed.

Blockchain works as a series of blocks, each of which contain digital information such as sender ID, recipient ID, timestamp, a consensus protocol such as proof-of-work and hashed (or registered) value of the previous block. Each block contains a full history of the transactions involved, and subsequent blocks in the chain carry that data forward, with each one containing a hash of the previous block.

The process is known as a distributed ledger system and its applications are multiplying. It allows you to see clearly where information has come from and gone to – an innovation in record-keeping.

The shared ledger technology has been used in the public domain for the virtual currency Bitcoin and other crypto-currencies for some time, but new ventures are being conceived by the hour.

Walmart, the US superstore, is using it to track products back to their roots. Scan a mango and you can eventually follow the chain back to the farm where it was grown. It has been used by British Airways to ensure that operational flight information is synced and that airports, airline crew, ground services and passengers ­are all on the same page. ANZ and Westpac recently put the technology to the test by using blockchain for bank guarantees on their commercial property transactions.

Blockchain proponents believe the process is infallible. The digital signature of each block, which stores transaction information for the network, is used to encrypt the next block. Anyone wanting to create a false record would supposedly have to modify every subsequent block and need everyone using the blockchain to agree on the fraudulent transaction.

Of course, trust has always been a risk judgment between different parties, and it often comes down to proving identity (authentication) and proving permissions (authorisation).

Blockchain proponents talk about the “immutability of ledger entries” – ie. that parties to a blockchain are able to maintain a consistent audit trail containing a complete record of the entire transaction lifecycle, as all details are recorded on the ledger.

Problems down the line

Is this so-called immutability not a risk in itself? If the entries (or identities of users) have been made in error or deliberately falsified, or if there has been collusion by some of the “agreeing parties” along the chain – and later deliberately sequenced along it – the potential for serious problems down the line for businesses, regulatory authorities and consumers rears its head.

Since every organisation’s node is under its own ultimate control and holds the secured key, there is no check in place to stop them (or an unauthorised hacker posing as them) from making changes. Can it be possible, for instance, to tell from the ledger which key made an amendment?

As a chain grows, it becomes computationally more difficult to revise should a mistake or fraud occur. SHA256 is a popular choice of hashing method (ie. a check of the data's integrity) as it is easy to generate but reportedly difficult to reverse engineer. The question remains – if the chain gets exponentially long, how easy is it to modify errors whether either intentional or unintentional?

Do you have to do a reversing entry and then re-enter so the change is transparent?

How big does the chain get? If you need to check a share price from several years ago what sort of computational power would be needed if the chain is many millions of blocks long? Do we need to think of cutting and restarting chains at a certain point to make them more manageable?

The fear is that finding, checking and/or correcting a chain may be impossible to do so when an old data entry is so deeply buried.

Permissions in a permissionless domain

In the public domain where crypto-currencies proliferate, anonymity reigns. It is a permissionless domain.

Of course, in a perfect world, those parties entering into a private permissioned blockchain would be properly identified and all users authenticated.

Private key cryptography supposedly provides a powerful ownership tool. It also spares a person from having to share more personal information than they would need to for a centralised exchange, but might this not leave the key holders exposed to hackers?

Anti-money laundering and counter terrorism financing (AML/CTF) laws demand that know your customer checks are performed on all transactions. Will these checks be performed with the same diligence on blockchain parties as they are on real people now?

Private blockchain solutions can and have been marketed without disclosing the underlying protocols, which increases the chance of collusion, fraud and other risks.

There is currently no specific legislation that relates to blockchain – the Corporations Act does not mention it. The Australian Securities and Investments Commission has issued an information sheet (INFO 219) to help companies evaluate their blockchain ideas in a financial services context and even has a regulatory sandbox which allows companies to test applications.

There’s a security certification standard ISO 27001 which covers the security of data, but this has not been updated to include the blockchain process. Private chains are stored in the cloud – this makes the transactions vulnerable to hacking as well as other storage and power outage-related risks.

Less or more adaptable?

While the mind boggles as to the number and type of blockchain uses, it also boggles when thinking about the repercussions of misuse. We do not know how adaptable the system will be to correction and revision.

The big question for clients is how to manage this problem. How, for instance, would a case of price collusion between certain powerful parties be spotted if entered and later multiplied along the chain?

Blockchain does allow you to see the alterations – as well as who did them and when they were made – but it’s not clear unless you look behind the chain and only then can the audit details be discovered.

This means that falsely inflated prices may not be immediately recognised and could only be changed by an audit trail well after the event, possibly hundreds or thousands of links behind the current chain.

Does this mean that users of blockchain will need an ongoing monitoring or internal audit like process? How do you consistently monitor the back-end of transactions – it would most likely require a sophisticated software program which can regularly check and look behind the trades.

Since February 22 this year, companies and organisations must report eligible data breaches to the Office of the Australian Information Commissioner as well as informing any affected, at-risk individuals. How will blockchain work for this kind of activity? How will outside breaches be detected and dealt with in real time and how easy will it be to re-enter and correct the chain after the event?

Blockchain is still a work in progress, but its advantages must be seen in the light of regulatory concerns and corporate protection. The general fear is that blockchain will repeat and compound an error or fraud or fail to see an infiltrator – all of which not just be difficult to spot but even more difficult to rectify over time.

Get in touch

Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.