Clouds and chains
Opportunities and Challenges for Financial
Services in the cloud (...but mostly challenges)
● These slides contain names of specific
companies. This is for illustrative purposes only
and is not intended to be seen as an
● The contents herein does not reflect the views
or opinions of anyone else but myself.
● I am not a lawyer.
Who in the audience...
● Is a lawyer?
● Data privacy expert?
● Runs their own node and/or a node on behalf of
● Is building some type of cross-border
technology-based infrastructure? (… like a
And just on Sunday
“Some blockchains, as currently designed, are
incompatible with the GDPR. EU regulators will
need to decide whether the technology must be
barred from the region or reconfigure the new
rules to permit an uneasy coexistence.”
- Michele Finck, Oxford University
General Data Protection Regulation
● If a company processes data of EU citizens or
targets them, data protection regulations in the
EU have a big impact on how a company can
operate in Europe
● In the case of GDPR, it doesn't matter if the
entity is a small or big organization, or a
financial company because there is no
distinction based on an industry
− Note: Germany was the 13th largest trading partner
(measured in imports) for South Korea in 2017
Other 'Older' quotes
● Brock Pierce in May 2016: “The solution to
SWIFT's issues is blockchain”
− Verdict: No, SWIFT’s security issues at the time
were not directly solvable because of the usage or
adoption of a blockchain.
● E&Y July 2016 report: “Blockchains may also
cause the ground to shift rapidly beneath
providers of cloud services, especially
infrastructure-as-a-service (IaaS) providers.”
− Verdict: TBD, depends on what a “blockchain”
actually is viewed as in practice.
Everything onto a blockchain?
● Even if it was technically possible to somehow
store and secure all financial information on a
blockchain (which it probably isn’t), each
country has its own specific laws surrounding
● And encryption probably isn't the silver bullet
answer, more on this later.
Pre-GDPR that are on the books
● “Right to be forgotten”: existed in EU and
Argentina and other regions for ~10+ years
● Personally Identifiable Information (PII):
− HIPAA; Financial Privacy Rule / Safeguards Rule;
FISMA; Fair Credit Reporting Act; Regulation S-P;
Data Protection Act of 1998
● BCBS 239: core principles for effective Risk
Data Aggregation and Risk Reporting (RDARR)
− Sidenote: data lakes
What laws are data subject to?
● Subject to the laws of the country in which the
company (subsidiary) is located?
● ... in which it originated?
● … in which the cloud provider is
“In the cloud, data sovereignty can become an issue
because different countries have different laws
governing the collection, use, storage, and
transmission of data within their borders. So data
sovereignty really is the question of which sovereign’s
(i.e., country’s) laws govern your data.
A related issue is that of data custody, which is about
who controls your data. Essentially, who has the right
– or the obligation – to hand it over if the government
“As many details of the GDPR are still subject of
interpretation and companies discussing it will have
a competitive advantage in the EU if they are able
to adapt their technological infrastructure and
business models in accordance with the
requirements under the GDPR.
A forward-looking privacy by design approach
will be key.”
- Jana Moser, attorney and founder of Data Reality
US and the EU
● In 2015, the EU Court of Justice decided that
Safe Harbor isn't valid anymore.
● As a result, Privacy Shield is being negotiated:
to make companies that abide by the framework
agreement are deemed to have an equivalent
data protection level.
● On-going case centered around a Microsoft
data center in Ireland which essentially says
that these privacy model clauses are not valid.
● How to handle and solve for the problem
surrounding sensitive information that cannot
leave the border?
● Even if you encrypt sensitive data, if it is stored
by a third party it still creates potential
− Even with state-of-the-art encryption tools, allowing
third parties to hold the data creates potential future
− Some of this risk can be controlled via strict
certification process and contractual/legal recourse
“But muh encryption!”
● Trade-off: you can try to be your own bank
(e.g., a “sovereign” cryptocurrency user) but in
practice due to convenience, a large portion of
private key holding is outsourced to institutions
such as banks and trusted intermediaries
● Now the third party has time to “crack the lock”
so to speak and/or be subpoenaed
- Also UX tradeoff
● Sovereign clouds for data sovereignty is a
● Microsoft Cloud Germany is a sovereign cloud
operated by a German data trustee.
● Microsoft Azure Government cloud is a cloud
for just the US government.
− “Information Impact Level 5 DoD Authorization”
AWS Secret Region
● The AWS Secret Region can operate workloads
within several U.S. security classification levels.
● “With the launch of this new Secret Region,
AWS becomes the first and only commercial
cloud provider to offer regions to serve
government workloads across the full range of
data classifications, including Unclassified,
Sensitive, Secret, and Top Secret.”
● April 2, 2015: BNY Mellon launched a private
cloud platform called NEXEN:
“Allows programmers to build and store banking
and trading apps. The platform, built largely with
open source code, also includes a catalog for
storing application programming interfaces,
essentially instructions that tell software
components what to do.”
● Private cloud providers for banks: Oracle,
Cisco, IBM, BankOnIt
What do sovereign clouds and
“secret spaces” have to do with the
Anarchic versus archic
● In practice, most blockchain implementations
are effectively cryptographically linked data
structures housed in a cloud
● Anarchic / public blockchains such as Bitcoin
and Ethereum typically use a decentralized
“cloud” comprised of non-KYC'ed
pseudonymous validators (nodes)
● Private / permissioned chains sometimes use a
“cloud” in which all validation is handled by
known, legally accountable parties and all
identities are KYC’ed
Challenges for anarchic chains
● By design anarchic / public blockchains
− Terms of Service; End-User License Agreement;
service-level agreement; consumer protections;
● They lack these contractual hooks because any
such artifact in an anarchic chain leads to some
"controller" who can be shut down
● Regulated institutions handling regulated data
might not use an anarchic chain for a couple
- Because all information is replicated globally
and stored publicly and can be downloaded
by anyone allowing them to potentially learn
some kind of proprietary information
- This type of replication potentially violates
various national and supranational
Challenges for permissioned chains
● In contrast, private/permissioned chains are
specifically built around contractual agreements
and tie-ins with legal infrastructure.
● The challenge is in operation and maintenance:
− SLAs: which cloud provider or 3rd party providers
should the nodes operate out of?
− How to prevent the network from becoming
centralized such that collusion or abuse could
occur? (e.g,. the problems that database have)
− How to handle disputes that span multiple
Other impact of GDPR on a chain
● For a company, this impacts HR and payroll
systems more in the forefront, which typically
gets controlled by some cloud central database
solution with easy deletion.
● For a blockchain platform, this gets tough
because of right to be forgotten rules that force
deletion (unrecoverable pseudoanonymization)
or full anonymization.
● The hard part is breaking the chain of
provenance and revocation.
Not all is roses for a fully chained
● A single cloud provider could host the nodes
across multiple data centers, giving you some
fault tolerance of physical failure.
● But then you're dealing commercially with a
single party, who can 'extort' the network
participants if migration to another cloud(s) is
difficult (monopoly rent seeking).
● There are other more subtle risks to cloud, like
some unknown vulnerability in the client
software that can be exploited across the entire
network because cloud provider uses the same
hypervisor software on all its hardware.
For blockchains: who sues who?
● The fact that data is stored in perpetuity is a
problem under a lot of regulators views of
perpetuity and around "purpose limitation" (you
don't collect for other purposes)
● Also limitation of retention past when the data is
useful. So keeping data forever that is not
required, that will be an issue.
● If you're a conduit of data, if you have no control
of it, you were not liable. But the bright line
between being a conduit and hosting is being
● Data privacy issues are not inherently solved
because of the usage “blockchains”
● In fact, the opposite may be true, especially with
blockchains that use a “gossip” method and
replicate all information to every node globally.
● If you plan to build, maintain, or operate
infrastructure – including a blockchain – be sure
to have a lawyer who specializes in data privacy
to scrutinize your platform.