By Wendell Cathcart and Sam Hartnett
In the world of blockchains, transparency is typically considered a feature, not a bug. But there are exceptions. Transparency can be a thorny problem for blockchain solutions in heavily regulated and highly competitive industries.
In energy markets there are many times when data must be kept private, yet it remains desirable to retain the kind of auditability and transparency that naturally flow from the attributes of a public blockchain. How, then, do we have it both ways? How can we ensure data privacy when needed while still using a public blockchain? In other words, how can data hide in plain sight?
The blockchain community writ large has been exploring a variety of possible paths forward—from pseudonymity to transaction “mixing” to state channels to zero-knowledge proofs. At EWF we are particularly excited about a development we call private transactions, which work in concert with a secret store.
The privacy problem with public blockchains
In public blockchains like Ethereum or the Energy Web Chain, data and tokens move within the network in transactions that are viewable by anyone. The identity of actors may be pseudonymous via their public keys (their true identities may still be susceptible to uncovering through blockchain analysis), but individual transactions, smart contracts, and the total blockchain state remain essentially in plain view for all to see.
This intrinsic transparency is essential to the success of a decentralized network: because any party can view and verify transactions, users do not need to trust a central authority to ensure that information is correct (hence descriptions of blockchains as being “trustless”). Further, in the context of the energy sector, we expect that public blockchain transparency can facilitate necessary regulatory oversight, streamline data reconciliation processes, and mitigate disputes.
Yet, energy companies, regulators, and consumers alike are accustomed to storing data in private servers. It is neither desirable nor appropriate for sensitive information—energy usage for industrial customers, prices for bilateral contracts, personal identification data—to be made fully public for the world to see.
But at the same time, we’ve seen again and again the privacy risks of storing sensitive data with a private but centralized entity, such as when a 2013 data breach exposed the information of up to 110 million Target Stores customers, or the 2017 Equifax data breach affecting 143 million customers, or a pair of Facebook data breaches this year that together compromised 137 million user accounts.
Plus, in today’s regulatory environment around data use, protection, and privacy—such as the EU’s recently enacted General Data Protection Regulation (GDPR)—new rules defining what constitutes private personal data and where it may be stored pose a possible problem for blockchain solutions, where data is public by default and stored across the globe.
Blockchains introduce privacy concerns; privacy introduces blockchain concerns
Transparency as one of the inherent, defining characteristics of public blockchains seems fundamentally at odds with the business and regulatory realities of energy markets. In other words: blockchain introduces privacy concerns; privacy introduces blockchain concerns.
Is it possible—through thoughtful design and clever engineering—to develop a privacy solution that doesn’t compromise blockchain’s core strengths?
At EWF, we’ve worked closely with our Affiliates to define the data privacy requirements for their businesses and we’ve developed a novel capability to perform private transactions on the public Energy Web blockchain. Though not a silver bullet, such private transactions promise to help overcome one of the perceived barriers to blockchain innovation—and adoption—in the energy sector.
For context, let’s consider Energy Web Origin (EW Origin) and privacy. EW Origin is a customizable, open-source toolkit for renewable energy and carbon markets that simplifies and enhances the way in which customers procure renewable energy certificates (RECs), guarantees of origin (GOs), and other forms of green attribute tracking.
EW Origin’s distinct capabilities and value proposition stem from the programmability and transparency of the public Energy Web Chain, which enable both buyers and sellers of certificates to view granular data, down to the level of a specific generation asset, the RECs associated with its generation, and tokens used to transfer ownership of those RECs. Not everyone may want that data public.
Generally speaking, renewable power generators consider their generation data to be proprietary since it can be used to calculate the profitability of their assets. Similarly, many commercial and industrial customers that want to offset their consumption with RECs consider their consumption data sensitive. Likewise, homeowners who purchase RECs to match their house’s energy use may also consider their real-time consumption sensitive since it could indicate occupancy to strangers.
Given the different stakeholders and priorities within the EW Origin ecosystem, when it comes to privacy solutions, one size does not fit all.
Straddling the divide: forging a privacy solution that doesn’t compromise blockchain’s strengths
Based on the current state of legacy solutions and emerging blockchain technology, we’ve identified several approaches to data privacy. Each comes with inherent tradeoffs, but we believe one in particular offers a promising “sweet spot” that addresses matters of data privacy while still leveraging many of blockchain’s strengths.
–Trusted Intermediary: In legacy systems—such as those used in the REC markets of our EW Origin example—a trusted intermediary ensures data privacy, but often adds administrative overhead and the problems (cybersecurity and other) of a centralized system. In a blockchain era, a trusted intermediary could also be an off-chain data process that receives generation data from renewable assets and issues certificates to buyers, using a known algorithm to disassociate personally-identifiable data from data contained in the certificates themselves. Blockchain’s role could be limited to establishing contractual terms and/or performing financial settlement. An intermediary need not be a person or organization—it’s possible to design an off-chain, open-source software agent to perform this role—but it does reintroduce “black boxes” (and potential cybersecurity vulnerabilities) in the process and in some ways obviates the value of blockchain in the first place.
–Public Transactions: Public transactions represent blockchain “business-as-usual,” where data is handled with complete transparency on a public chain. Entities are nominally “hidden” beyond their pseudonyms (i.e., public keys), but otherwise their transactions and the total blockchain state are visible to all. While beneficial in many contexts (e.g., it is “trustless” and decentralized, and enables multi-party transactions without intermediaries), this approach’s utter lack of data privacy is, we believe, disqualifying.
–Zero-knowledge Transactions: Another “trustless” approach, zero-knowledge transactions, uses complicated mathematical functions to prove the authenticity of data without revealing the data itself. In theory, zero-knowledge technology appears ideal for something like EW Origin. It ensures even greater data privacy than a trusted intermediary, plus the “trustless” decentralization of a blockchain. For EW Origin, it could be used to prove publicly that a certificate trading transaction occurred without revealing to anyone outside of the buyer and seller the conditions of the transaction contract (e.g., price, quantity, resource type). But this technology remains in the research phase, is currently limited to performing narrow financial transactions for “privacy coins,” and would need to gain acceptance from regulators, REC market administrators, etc. It is not yet practical for proving complex data such as the contents of a REC and thus, not currently viable for even routine business processes beyond simple transfers of value.
And there are other approaches—current, evolving, and emerging—as well, although we don’t discuss them here. At EWF, we are pursuing a fourth path—one that borrows the best of each of the aforementioned approaches, while trying to minimize each of their shortcomings.
One way the Energy Web Chain currently addresses the privacy problem is with what we call Private Transactions, which allow encrypted smart contracts and data to reside on the public blockchain with strictly permissioned access for users and validators. The world can “see” that smart contracts and transactions exist, but they cannot read the details. Decrypting the information is reserved only for specified entities, who receive their keys to unlock the data from a separate Secret Store.
Think of it like a set of entities with top secret government clearance to receive confidential intelligence information. Those with the appropriate security clearance can all view, review, discuss, and agree on the sensitive information. That sensitive info, meanwhile, is shielded from the general public’s eyes, even though they all trust that the information has been verified by the approved authorities.
This approach, we believe, does a good job of achieving the best of both worlds. The public blockchain remains the single source of truth, with all of the decentralization, verification and auditability, cybersecurity, and other benefits that come along with it. Meanwhile, parties to a private transaction sacrifice what we believe to be an acceptable amount of privacy by exposing their smart contract and transaction data to a set of trusted validators that they specify.
Private transactions are not appropriate for every scenario, but they are useful in bilateral transactions or other instances where private data can be shared between all of the parties involved in the transaction (e.g., sender, recipient, and private validators).
For example, a renewable generator sensitive to disclosing production data could choose to encrypt a REC transaction representing a particular energy quantity when sending it to a buyer it had an existing relationship with. The known buyer would be granted the decryption key by a separate group of network participants (called the Secret Store), verify the details, and send an acceptance message to a private validator pool of its choosing (e.g., nodes run by a local grid operator, utility, and/or regulator), who re-encrypt the data and store the state on the main blockchain. Importantly, this process would not make any transfer of tokens private; only the data in the original transaction is protected.
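To make the flow above concrete, here is a constructed Python model (added here; it is not EWF's or Parity's code): a Secret Store hands a contract's key only to permitted addresses, while the ledger that everyone can read holds only ciphertext plus the public token transfer. The toy cipher, the party names and the REC fields are invented for the illustration.

```python
import hashlib, hmac, json, os

def _keystream(key, nonce, n):
    # SHA-256 in counter mode: a toy stream cipher for this illustration only.
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, "sha256").digest()  # tag detects tampering

def decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, "sha256").digest()):
        raise ValueError("ciphertext was modified")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class SecretStore:
    """Stands in for the separate group of key-holding nodes (a single object here);
    only addresses on a contract's permission list ever receive its key."""
    def __init__(self):
        self.keys, self.acl = {}, {}
    def register(self, contract, permitted):
        self.keys[contract], self.acl[contract] = os.urandom(32), set(permitted)
    def request_key(self, contract, requester):
        if requester not in self.acl[contract]:
            raise PermissionError(f"{requester} may not read {contract}")
        return self.keys[contract]

def read_state(store, entry, requester):
    """Decrypt a ledger entry as `requester`; None if the Secret Store refuses the key."""
    try:
        return json.loads(decrypt(store.request_key(entry["contract"], requester), entry["state"]))
    except PermissionError:
        return None

def run_flow():
    """Seller encrypts REC data; the buyer checks it; a private validator records the
    accepted transfer and re-encrypts. The token move itself stays public."""
    store = SecretStore()
    store.register("rec-1", ["seller", "buyer", "validator"])       # constructed parties
    rec = {"asset": "wind-farm-A", "mwh": 12.5, "price_eur": 3.10}  # constructed REC data
    ledger = [{"contract": "rec-1",
               "state": encrypt(store.request_key("rec-1", "seller"), json.dumps(rec).encode())}]
    assert read_state(store, ledger[0], "buyer") == rec             # buyer verifies the details
    new_state = dict(read_state(store, ledger[0], "validator"), owner="buyer")
    ledger.append({"contract": "rec-1", "state": encrypt(
        store.request_key("rec-1", "validator"), json.dumps(new_state).encode())})
    ledger.append({"token_transfer": {"from": "seller", "to": "buyer", "amount": 1}})
    return store, ledger
```

An observer still learns that an encrypted entry exists for a given contract and how large its ciphertext is, and sees the token transfer in full; only the contract contents are hidden, which is exactly the trade-off described above.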
Private transactions remain in an experimental phase, but EWF Affiliates are actively pursuing opportunities to leverage the technology. We will continue to improve functionality (including enabling token transfer privacy) through continued testing on Tobalaba in advance of the Energy Web Chain’s genesis block in 2019.
For more information about Private Transactions and how they function as part of the Energy Web Chain, please download our white paper.
Wendell Cathcart is a former EWF Intern and is currently completing a Master of Environmental Management degree at Duke University's Nicholas School of the Environment. Sam Hartnett is the research and collaboration lead at EWF.