Endpoint fraud and biometric privacy issues raised by blockchain

Blockchain technology drives the development of the Bitcoin economy. It is essentially a decentralized, immutable transaction database that is open to everyone, who can view and verify transactions through a distributed set of validators. This technology is designed to ensure that no one can change past transaction records.

From a purely technical perspective, blockchain accomplishes its goals very effectively. So far, blockchain technology has performed well, but this technology has a serious flaw that, unless fully addressed, could result in blockchain applications being costly due to fraud, theft, and legal risks. There are ways to address this fraud problem, but some solutions may cause another problem.

The fraud vulnerability lies at the transaction endpoint. By ‘endpoint’ I mean the boundary of physical space (where people live, and where the blockchain database exists). This endpoint is where users in physical space interact with the blockchain in cyberspace.

Any legitimate, non-fraudulent blockchain transaction depends on the trust between two or more counterparties. The basis of this trust is that the counterparty can absolutely determine the physical space identity of all transaction participants.

In the blockchain solution, a person in the physical space is represented by a public identifier in cyberspace - which helps others find their representative in cyberspace - and a private key used to digitally sign blockchain transactions. In cyberspace, the private key is a digital identity that represents a real person in the physical space.

This model is fine for now, but how do people in the physical space interact with blockchain applications and use their private keys? These people use passwords, or in a more secure way, use multi-factor authentication to log in to a website. This mechanism is insufficient for blockchain transactions because passwords and multi-factor authentication by themselves cannot confirm the identity of the person in the physical space in cyberspace. Party B can also steal Party A’s password or two-factor token and then use Party A’s private key to perform blockchain transactions. Party A can also voluntarily give Party B the password and token for criminal activities.

We can think about this identity problem in another way, such as two friends A and B sitting together drinking coffee and talking. They are both people in the physical space and know each other's identity. Suppose friend A wants to sell a house to friend B by using a blockchain real estate product without the involvement of an intermediary. They only need to use their own password to use the blockchain private. There is no problem in this process. There is no doubt about their identities, they are all real.

Now flip this scenario around, where friend A wants to sell a house to a complete stranger in Eastern Europe. Both parties use the same blockchain real estate product. There is no trust in the process because there are no traditional human intermediaries acting on their behalf (blockchain eliminates the need for intermediaries). The identities of the two parties in the transaction are represented by flesh and blood in physical space. Their blockchain identities in cyberspace are represented by private keys. As long as these respective identities remain disconnected, blockchain fraud will always be possible.

Although I used an individual real estate transaction in this example, the same principle applies to transactions involving groups. At some point, in a group-to-group blockchain transaction, the physical space identity must be consistent with the cyberspace blockchain identity represented by the private key.

The solution to this problem lies in:

In complex and high-value transactions, how can the two parties be absolutely sure that the other party’s physical and cyberspace identities are legally equivalent?

To this end, any comprehensive solution must include a biometric measure to form a bridge at the boundary of physical cyberspace. For complex and high-value transactions, this legal and reliable biometric connector requires a third party to confirm that the biometric measure does belong to the physical space identity. In addition, blockchain applications must include a digital representation of a fingerprint, iris, retinal pattern or photo in a blockchain transaction. This means that the person's biometric information will not only exist permanently in cyberspace, but will also be stored on hundreds or thousands of blockchain nodes and is not controlled by the person in the physical space.

Obviously, this raises a very serious privacy issue. Many people refuse to use biometric authentication because they are worried that their biometric reference data will be obtained by identity thieves.

The hype surrounding blockchain technology will surely ease as people realize that biometric information will eventually find its way across thousands of blockchain servers. Therefore, before adopting any blockchain application in complex transactions, companies should first consider how their employees feel about never having control over their biometric data.