Censorship and healthcare's redactable blockchain trapdoor

Leaked encryption keys, offensive material, and errors as in the case of a medical record suggests that an editable blockchain is worth reflection.

puppeteer concept 104870858
Credit: Thinkstock

Situations exist where the ability to go back in time and perform an "undo" appear to make sense. In these contexts, we imagine a fair and balanced world operating in harmony — a utopian version of the modern internet of things.

The struggle for freedom of expression

Censorship has been explained actions taken in the best interests of the public. A benevolent public concern for morality. China’s censorship of WeChat for Uber. The decision by India's film censor to cut 94 scenes from a movie about Punjab’s drug problem. Michelangelo’s 1565 “The Last Judgement.” 

Freedom of speech is the right to articulate one’s opinions and ideas without fear of government retaliation or censorship, or societal sanction. The right to be heard. 

Does a network hold trust if all voices are not heard? Are we talking about the ability to edit a transaction or present proof-of-trust, of immutability? The concepts are mutually exclusive.

What is a redactable blockchain?

Giuseppe Ateniese (USA), Bernardo Magri (Italy), Daniele Venturi (Italy) and Ewerton Andrade (Brazil) (referenced as AMVE here onward) are the inventors behind the new framework to rewrite and or compress the content of blocks. Their joint paper, “Redactable Blockchain, or Rewriting History in Bitcoin and Friends,” published Aug. 5, 2016, expands IBM Watson’s earlier chameleon signatures research, published in 2000.

According to AMVE, a blockchain is editable by adding a link to each link of the hash chain. Think of each block-to-block link as a lock (physical lock), in which a key is required to unlock it. In a permissionless blockchain, there is no key, making the series of transactions or blocks immutable. In a permissioned blockchain, this “trapdoor key” can be given to miners, a centralized auditor, or shares of the key could be distributed among several authorities. In this context, these operators will have the ability to repair blocks — e.g. blocks can be deleted, modified or inserted into existing blocks.

The argument supporting an editable blockchain

The authors come from varied academic backgrounds. Giuseppe Ateniese is a professor in and director of the computer science department at Stevens Institute of Technology. Bernardo Magri is a researcher at Sapienza University of Rome. Daniele Venturi is an assistant professor at the University of Trento. Ewerton Andrade is a researcher at the University of São Paulo.

This week I had the good fortune to speak with Bernardo Magri, one of the visionary authors behind the editable blockchain concept. Margi conducts research on both the theoretical and practical aspects of cryptography. He joked, "working with cryptocurrencies is a shot in the dark, as the community's reaction to the work can be completely unpredictable — you never know if they will love your work or hate it." It's fair to say industry loved the work on redactable blockchains.

Margi said there is one thing the public often gets wrong: "The public has trouble understanding the inner workings of blockchain technology. Therefore it's normal that they also have trouble seeing the benefits of this technology over a simple, centralized database system. Adding a redactable feature to a blockchain does not make it centralized at all. The blockchain will continue to operate as usual and depending on how the chameleon hash is shared the trust assumption could remain the same." Redactable blockchains are possible when the trusted entities are limited (a variation of M-of-N multisig).

Do we need a blockchain with a delete button? AMVE identified two industry approaches for the facilitation of the blockchain technology to implement decentralized services and applications: an overlay on top of Bitcoin and the creation of an alternative blockchain.

There are four motivations behind the desirability of redactable blockchains.

  1. Abuse: the ability correct the storage of arbitrary messages e.g. Bitcoin has already been abused with offensive material cemented in its walls for eternity.
  2. Rewritable storage: classic blockchains do not scale and waste precious resources. Rewriting presents new storage options e.g. CD-R.
  3. Inability to expunge: permitting the deletion of records if required e.g. in case they contain errors (medical records), sensitive information when it is necessary by law, or if personal encryption keys are leaked.
  4. Inter-entity interactions: consolidation’s hard to achieve with immutable blockchains e.g. this removes the impossibility of consolidating past transactions without affecting any subsequent blocks. This feature is necessary to combine distinct accounting structures, budgets, or transactions.

Adapting the framework to the types of blockchains

AMVE anticipated the next logical question: How are keys the managed across the three main types of real-world blockchains?

  1. Private blockchain: the ability to write is bestowed upon a central authority. This example is straightforward, with the “trapdoor key” given to the central authority with the power to compute collisions and therefore redact blocks. A single operator has the power to redact.
  2. Consortium blockchain: consensus is predetermined by a finite group of parties. In this example, the “trapdoor key” is shared among consortium parties and redactions can be made through secure multiparty computation (MPC) protocols similar to M-of-N multisigs (where multiple consortium parties just grant the redaction before authorization is approved). A select few have the power to redact.
  3. Public blockchain: decentralized with no central operator and any party can submit transactions to the network e.g. a permissionless blockchain such as Bitcoin. AMVE offers two suggestions for this type of blockchain: (a) distribute the “trapdoor” to all parties using multiparty computation (MPC) protocols, and (b) distribute to a chosen subset of parties. Under the assumption that the top 7 mining pools in Bitcoin already control 70 percent of the total network hashing power. All parties have equal power to redact.

What happens if there are HIPAA violations

There are many HIPAA violations that can occur. Below are 10 of the most common violations:

  1. Lost or stolen devices e.g. unencrypted computer loss
  2. Unauthorized access e.g. database breaches or employees illegally accessing patient files
  3. Employee dishonesty e.g. disclosing health records
  4. Improper disposal e.g. the hard drive in the office printer
  5. Third-party disclosure e.g. business associates or subcontractors which ineffectively protect protected health information (PHI)
  6. Unauthorized discussion of medical conditions e.g. while in a waiting room
  7. Sharing incorrect medical information e.g. you receive a treatment plan in email that is not yours
  8. Emailing or texting patient information e.g. receptionist emails patient information
  9. Posting on social media e.g. picture of a patient disease or treatment, even without name, is posted on social media
  10. Lack of prior authorization information for release e.g. disclosure of any individual's PHI that is not used for treatment, payment, healthcare operations or that falls under the Privacy rule.

Does an editable blockchain offer advantages to healthcare entities that are part of the health delivery system. To address this question lets split this into two separate questions: (1) value of blockchains, and (2) benefits of editable blockchains. Blockchain technology, when applied to healthcare absolutely can improve the trust between doctors and patients. To answer the second part of this question, we asked Bernardo Magri, author and researcher, for his thoughts. For Magri the benefits for blockchains in healthcare settings are quite evident. Magri, then addressed potential benefits. "The chameleon key is only given to the healthcare privacy officer. However, we do not expect a privacy officer to run the entire blockchain or produce transactions about payments or add health records. The privacy officer would be called in when records must be expunged because of HIPAA or another regulation violation." The role of the healthcare privacy officer is expanding. As data, information, and intelligent analytics become a foundational element of every healthcare organization the protection of health information is a critical growth and sustainability strategy.

In practice

The paper elaborates on a proof-of-concept implementation to redact a Bitcoin application using three distinct functions are explained: GenerateKey (create the “trapdoor key”), ChameleonHash (computes hash – from the message and random number), and HashCollision (outputs new random number, for reference later). This scenario was then modeled using a regression test network feature of the Bitcoin core network.

This framework opens the ability to redact and compress the content of blocks in virtually any blockchain based technology. Are editable blockchains merely a form of modern censorship, disguised as flexibility but for the chosen few? Time will tell.

It's evident that industries are very curious about editable blockchains. Editable blockchains have just entered the Innovation Trigger stage of the Hype Cycle.

This article is published as part of the IDG Contributor Network. Want to Join?

To comment on this article and other CIO content, visit us on Facebook, LinkedIn or Twitter.
Download the CIO Nov/Dec 2016 Digital Magazine
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.