Data Protection with Ethereum Blockchain
Autor(a) principal: | |
---|---|
Data de Publicação: | 2018 |
Tipo de documento: | Dissertação |
Idioma: | eng |
Título da fonte: | Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
Texto Completo: | http://hdl.handle.net/10400.22/13944 |
Resumo: | Blockchain technology has been one of the most promising technologies of the past decade, with Ethereum and Bitcoin being the two most popular Blockchains today. Both do not provide data protection and privacy by default. The former allows for Decentralized Applications (DApps) to be built, with zero chance of downtime or censorship and is the main focus of this dissertation. The European Union approved a law in 2016, the General Data Protection Regulation (GDPR), with severe penalties being enforced since May 25th, 2018. It is considered a massive step toward protecting user data. Not only does it affect companies with offices in the EU, but also organizations throughout the world that have users from EU territories. Further, it stipulates key obligations for organizations handling user data, in addition to introducing new rights to individuals, such as the right to erasure. This represents a major challenge towards achieving GDPR compliance in DApps, as Blockchains such as Ethereum, are immutable by design. This dissertation’s work attempts to comply with the GDPR and its conflicting right to erasure, by developing an Ethereum proof-of-concept DApp: DFiles, which also aims to provide some form of data privacy and protection. It also allows its users to upload encrypted files in addition to their download and decryption. It was developed using an Agile methodology in an iterative approach with mainly decentralized technologies, such as the Interplanetary File System (IPFS) and Ethereum smart contracts, with a centralized component for user authentication, while adhering to Blockchain Software Engineering. Due to the GDPR’s complexity, some parts were selected, namely the rights to erasure, data portability, access and rectification. DFiles GDPR compliance was then evaluated with a statistical analysis on user encrypted and unencrypted uploaded files in the DApp, with its elapsed upload times and Ethereum transaction costs measured for files separated into four categories: small (1KB-1MB), medium (1MB-20MB), large (20MB-200MB) and extra-large (200MB-2GB). However, due to hardware limitations, this statistical analysis could only be performed for files up to 14.2MB. It concluded that transaction costs for unencrypted files are slightly higher, although this increase is not significant. As for elapsed upload times, it found that the elapsed upload time in encrypted files was overall significantly higher. Data from files larger than 14.2MB was still recorded which determined that the last two elapsed upload times for unencrypted files up to 800MB, are less than the last two upload elapsed times for encrypted ones up to 14.2MB. In conclusion, encrypting files to comply with the General Data Protection Regulation’s right to erasure is a valuable option only for small to medium files up to 14.2MB. From there, without considering hardware encryption limitations, upload times tend to grow exponentially. Ethereum and the IPFS must advance to allow better privacy techniques. Recently, there have been major new improvements to Ethereum and its smart contracts; the world of DApp development is always changing at a fast rate. In the future, Ethereum might evolve to a newer version which may bring new and enhanced privacy controls which may allow its complete GDPR compliance. |
id |
RCAP_74f5bd3041c0edfc1568e619d6af035a |
---|---|
oai_identifier_str |
oai:recipp.ipp.pt:10400.22/13944 |
network_acronym_str |
RCAP |
network_name_str |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
repository_id_str |
7160 |
spelling |
Data Protection with Ethereum BlockchainEthereum BlockchainGeneral European Data Protection RegulationSmart contractsData privacy and protectionDecentralized applicationsBlockchain software engineeringInterplanetary File SystemSistemas ComputacionaisBlockchain technology has been one of the most promising technologies of the past decade, with Ethereum and Bitcoin being the two most popular Blockchains today. Both do not provide data protection and privacy by default. The former allows for Decentralized Applications (DApps) to be built, with zero chance of downtime or censorship and is the main focus of this dissertation. The European Union approved a law in 2016, the General Data Protection Regulation (GDPR), with severe penalties being enforced since May 25th, 2018. It is considered a massive step toward protecting user data. Not only does it affect companies with offices in the EU, but also organizations throughout the world that have users from EU territories. Further, it stipulates key obligations for organizations handling user data, in addition to introducing new rights to individuals, such as the right to erasure. This represents a major challenge towards achieving GDPR compliance in DApps, as Blockchains such as Ethereum, are immutable by design. This dissertation’s work attempts to comply with the GDPR and its conflicting right to erasure, by developing an Ethereum proof-of-concept DApp: DFiles, which also aims to provide some form of data privacy and protection. It also allows its users to upload encrypted files in addition to their download and decryption. It was developed using an Agile methodology in an iterative approach with mainly decentralized technologies, such as the Interplanetary File System (IPFS) and Ethereum smart contracts, with a centralized component for user authentication, while adhering to Blockchain Software Engineering. Due to the GDPR’s complexity, some parts were selected, namely the rights to erasure, data portability, access and rectification. DFiles GDPR compliance was then evaluated with a statistical analysis on user encrypted and unencrypted uploaded files in the DApp, with its elapsed upload times and Ethereum transaction costs measured for files separated into four categories: small (1KB-1MB), medium (1MB-20MB), large (20MB-200MB) and extra-large (200MB-2GB). However, due to hardware limitations, this statistical analysis could only be performed for files up to 14.2MB. It concluded that transaction costs for unencrypted files are slightly higher, although this increase is not significant. As for elapsed upload times, it found that the elapsed upload time in encrypted files was overall significantly higher. Data from files larger than 14.2MB was still recorded which determined that the last two elapsed upload times for unencrypted files up to 800MB, are less than the last two upload elapsed times for encrypted ones up to 14.2MB. In conclusion, encrypting files to comply with the General Data Protection Regulation’s right to erasure is a valuable option only for small to medium files up to 14.2MB. From there, without considering hardware encryption limitations, upload times tend to grow exponentially. Ethereum and the IPFS must advance to allow better privacy techniques. Recently, there have been major new improvements to Ethereum and its smart contracts; the world of DApp development is always changing at a fast rate. In the future, Ethereum might evolve to a newer version which may bring new and enhanced privacy controls which may allow its complete GDPR compliance.A tecnologia de Blockchain tem sido uma das mais promisoras da última década, com Ethereum e Bitcoin como as duas Blockchains mais conhecidas atualmente, em que ambas têm o problema de não fornecer, por defeito, a proteção de dados e a sua consequente privacidade. O Ethereum, o principal foco desta dissertação, permite desenvolver Aplicações Descentralizadas (DApps) com a impossibilidade de estarem offline ou serem alvos de censura. A União Europeia (EU) aprovou o Regulamento Geral sobre a Proteção de Dados (RGPD) em 2016, com penalizações apenas a serem aplicadas no dia 25 de Maio de 2018. Este regulamento é considerado um passo gigante para proteger a informação e os dados dos utilizadores, visto que este não afeta apenas organizações com escritórios na EU, mas também empresas no mundo todo que tenham clientes em territórios da União Europeia. Além disto, o regulamento estipula novas obrigações para organizações que manuseiam dados dos seus utilizadores, além de introduzir novos direitos para os mesmos, como o direito de apagamento dos dados. Este direito representa um desafio enorme para conseguir cumprir estritamente com o RGPD nas DApps, visto que as Blockchains como o Ethereum são, no seu design, imutáveis. O trabalho desenvolvido nesta dissertação tenta cumprir com o RGPD e o seu direito problemático ao apagamento dos, ao desenvolver uma prova de conceito, uma DApp em Ethereum: DFiles, em que esta visa fornecer alguma maneira de proteger os dados dos seus utilizadores e também a sua privacidade. Além disto, também permite que os seus utilizadores submetam ficheiros encriptados além de os conseguirem desencriptar quando o seu download é efetuado. Foi também desenvolvida com uma metodologia Agile, com uma abordagem por iterações usando na maioria tecnologias descentralizadas, como por exemplo o Interplanetary File System (IPFS) e os contratos inteligentes do Ethereum, contando também com uma componente centralizada para efeitos de autenticação de utilizadores, ao mesmo tempo que adere à Engenharia de Desenvolvimento de Software para Blockchain (BOSE). Devido à complexidade do RGPD, apenas alguns dos seus aspetos foram selecionados para a sua implementação no DFiles como os direitos de apagamento dos dados, portabilidade, acesso e retificação. O cumprimento do RGPD na DFiles DApp foi avaliado com recurso a uma análise estatística nos ficheiros encriptados e não encriptados submetidos pelos seus utilizadores, em que foram medidos o tempo gasto no seu upload e o custo total de transação em Ethereum, em ficheiros de quatro categorias diferentes: pequenos (1KB-1MB), médios (1MB-20MB), grandes (20MB-200MB) e muito grandes (200MB-2GB). No entanto, por limitações de hardware, esta análise estatística apenas foi feita para ficheiros até 14.2MB de tamanho. Pode ser concluído que os custos de transação para ficheiros não encriptados são ligeiramente superiores, apesar deste aumento não ser significativo. Além disto, esta análise também concluiu que o tempo gasto nos ficheiros encriptados é substancialmente maior. Os dados dos ficheiros com tamanho superior a 14.2MB foram também registados. Ao compararmos os últimos dois registos dos ficheiros desencriptados, até 800MB de tamanho, concluímos que o seu tempo gasto é inferior aos útlimos dois registos para ficheiros encriptados até 14.2MB de tamanho. Finalmente, pode-se concluir que encriptar ficheiros para cumprir com o direito ao apagamento de dados do RGPD é uma possível abordagem apenas para ficheiros pequenos e médios até 14.2MB de tamanho. A partir desta fase, e sem considerar limitações de hardware, os tempos gastos para upload de ficheiros encriptados tendem a aumentar exponencialmente. Assim sendo, o Ethereum e o IPFS têm obrigatoriamente que melhorar a sua tecnologia num futuro próximo para permitir novas e melhores técnicas de privacidade dos dados. Recentemente, têm existido melhoramentos significativos no Ethereum e os seus contratos inteligentes que fazem com que o mundo do desenvolvimento de DApps se faça a um ritmo muito elevado. No futuro, o Ethereum poderá evoluir numa nova versão que poderá também trazer novos melhoramentos e controlos de privacidade que poderão permitir o cumprimento na totalidade do RGPD.Azevedo, Isabel de Fátima SilvaRepositório Científico do Instituto Politécnico do PortoTeles, Duarte Paulo Gonçalves Cabral2019-06-11T11:37:12Z20182018-01-01T00:00:00Zinfo:eu-repo/semantics/publishedVersioninfo:eu-repo/semantics/masterThesisapplication/pdfhttp://hdl.handle.net/10400.22/13944TID:202166171enginfo:eu-repo/semantics/openAccessreponame:Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos)instname:Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informaçãoinstacron:RCAAP2023-03-13T12:56:22Zoai:recipp.ipp.pt:10400.22/13944Portal AgregadorONGhttps://www.rcaap.pt/oai/openaireopendoar:71602024-03-19T17:33:48.183633Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) - Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informaçãofalse |
dc.title.none.fl_str_mv |
Data Protection with Ethereum Blockchain |
title |
Data Protection with Ethereum Blockchain |
spellingShingle |
Data Protection with Ethereum Blockchain Teles, Duarte Paulo Gonçalves Cabral Ethereum Blockchain General European Data Protection Regulation Smart contracts Data privacy and protection Decentralized applications Blockchain software engineering Interplanetary File System Sistemas Computacionais |
title_short |
Data Protection with Ethereum Blockchain |
title_full |
Data Protection with Ethereum Blockchain |
title_fullStr |
Data Protection with Ethereum Blockchain |
title_full_unstemmed |
Data Protection with Ethereum Blockchain |
title_sort |
Data Protection with Ethereum Blockchain |
author |
Teles, Duarte Paulo Gonçalves Cabral |
author_facet |
Teles, Duarte Paulo Gonçalves Cabral |
author_role |
author |
dc.contributor.none.fl_str_mv |
Azevedo, Isabel de Fátima Silva Repositório Científico do Instituto Politécnico do Porto |
dc.contributor.author.fl_str_mv |
Teles, Duarte Paulo Gonçalves Cabral |
dc.subject.por.fl_str_mv |
Ethereum Blockchain General European Data Protection Regulation Smart contracts Data privacy and protection Decentralized applications Blockchain software engineering Interplanetary File System Sistemas Computacionais |
topic |
Ethereum Blockchain General European Data Protection Regulation Smart contracts Data privacy and protection Decentralized applications Blockchain software engineering Interplanetary File System Sistemas Computacionais |
description |
Blockchain technology has been one of the most promising technologies of the past decade, with Ethereum and Bitcoin being the two most popular Blockchains today. Both do not provide data protection and privacy by default. The former allows for Decentralized Applications (DApps) to be built, with zero chance of downtime or censorship and is the main focus of this dissertation. The European Union approved a law in 2016, the General Data Protection Regulation (GDPR), with severe penalties being enforced since May 25th, 2018. It is considered a massive step toward protecting user data. Not only does it affect companies with offices in the EU, but also organizations throughout the world that have users from EU territories. Further, it stipulates key obligations for organizations handling user data, in addition to introducing new rights to individuals, such as the right to erasure. This represents a major challenge towards achieving GDPR compliance in DApps, as Blockchains such as Ethereum, are immutable by design. This dissertation’s work attempts to comply with the GDPR and its conflicting right to erasure, by developing an Ethereum proof-of-concept DApp: DFiles, which also aims to provide some form of data privacy and protection. It also allows its users to upload encrypted files in addition to their download and decryption. It was developed using an Agile methodology in an iterative approach with mainly decentralized technologies, such as the Interplanetary File System (IPFS) and Ethereum smart contracts, with a centralized component for user authentication, while adhering to Blockchain Software Engineering. Due to the GDPR’s complexity, some parts were selected, namely the rights to erasure, data portability, access and rectification. DFiles GDPR compliance was then evaluated with a statistical analysis on user encrypted and unencrypted uploaded files in the DApp, with its elapsed upload times and Ethereum transaction costs measured for files separated into four categories: small (1KB-1MB), medium (1MB-20MB), large (20MB-200MB) and extra-large (200MB-2GB). However, due to hardware limitations, this statistical analysis could only be performed for files up to 14.2MB. It concluded that transaction costs for unencrypted files are slightly higher, although this increase is not significant. As for elapsed upload times, it found that the elapsed upload time in encrypted files was overall significantly higher. Data from files larger than 14.2MB was still recorded which determined that the last two elapsed upload times for unencrypted files up to 800MB, are less than the last two upload elapsed times for encrypted ones up to 14.2MB. In conclusion, encrypting files to comply with the General Data Protection Regulation’s right to erasure is a valuable option only for small to medium files up to 14.2MB. From there, without considering hardware encryption limitations, upload times tend to grow exponentially. Ethereum and the IPFS must advance to allow better privacy techniques. Recently, there have been major new improvements to Ethereum and its smart contracts; the world of DApp development is always changing at a fast rate. In the future, Ethereum might evolve to a newer version which may bring new and enhanced privacy controls which may allow its complete GDPR compliance. |
publishDate |
2018 |
dc.date.none.fl_str_mv |
2018 2018-01-01T00:00:00Z 2019-06-11T11:37:12Z |
dc.type.status.fl_str_mv |
info:eu-repo/semantics/publishedVersion |
dc.type.driver.fl_str_mv |
info:eu-repo/semantics/masterThesis |
format |
masterThesis |
status_str |
publishedVersion |
dc.identifier.uri.fl_str_mv |
http://hdl.handle.net/10400.22/13944 TID:202166171 |
url |
http://hdl.handle.net/10400.22/13944 |
identifier_str_mv |
TID:202166171 |
dc.language.iso.fl_str_mv |
eng |
language |
eng |
dc.rights.driver.fl_str_mv |
info:eu-repo/semantics/openAccess |
eu_rights_str_mv |
openAccess |
dc.format.none.fl_str_mv |
application/pdf |
dc.source.none.fl_str_mv |
reponame:Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) instname:Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação instacron:RCAAP |
instname_str |
Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação |
instacron_str |
RCAAP |
institution |
RCAAP |
reponame_str |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
collection |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
repository.name.fl_str_mv |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) - Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação |
repository.mail.fl_str_mv |
|
_version_ |
1799131430309068800 |