Why IoT Architectures Must Consider Privacy Impacts

There are increasing concerns about data privacy and online security around the world; this is somewhat of a paradox, as users continue to give away personal data (and thus their privacy) in exchange for different services. A recent survey [CIGI-Ipsos 2019] on Internet security and trust found that 78 percent of Internet users in 25 economies were at least somewhat concerned about their privacy online. Internet scams of various types have also been demonstrated to raise internet users’ sensitivity to privacy issues [Chen 2017]. While economic development theory has long grappled with the consequences of cross-border flows of goods, services, ideas, and people, the most significant growth in cross-border flows now comes in the form of data. Some of these flows represent ‘raw’ data while others represent high-value-added data; this can make a difference in the trajectory of national economic development [Weber 2017]. Public awareness about privacy risks on the Internet is increasing; with the evolution of the Internet to the Internet of Things, these privacy risks are likely to become even more significant due to the large amount of data collected and processed by IoT architectures [Baldini 2018]. The Sony pictures hack[1] illustrates that privacy is not just an individual concern; unease over privacy expectations has emerged at the individual, governmental and international levels. Conceptually and methodologically, privacy is often confounded with security. [Spiekerman-Hoff 2012]. Gartner expressed a concern that the biggest inhibitor to IoT growth will be the absence of security by design[Gartner 2018] (which would include some aspects of privacy). While there has been considerable attention placed on some aspects of security, privacy has received less attention from the IoT community.  Privacy was identified this year by Deloitte[2] to be the factor driving regulatory uncertainties over data management. This regulatory uncertainty challenges enterprises’ adoption of new technologies (like blockchain, or IoT). Social expectations for privacy are evolving, particularly in regard to aggregate representations of personal data in cyberspace. IoT devices and architectures are emerging as a major new data source for capturing representations of human activity. Rising cyberspace privacy concerns are moving beyond isolated activities like web browsing or social networks to consideration of the privacy impacts of the aggregate representation of personal data, including foreseeable data generation capabilities of IoT architectures. At a minimum, this creates a public relations problem for the deployment and operation of IoT Architectures.

IoT networks, like many other networks, are not technically constrained within geographical or political boundaries, but these political constructs may imply legal obligations for participants. Many of these legal notions of privacy evolved prior to the availability of the internet. International treaties like the UNDHR [UN 1948] and ICCPR [UN 1976] provide some definitional guidance on privacy rights, and [ALI 1977] identifies US common law privacy torts related to intrusion upon seclusion, appropriation of name or likeness, and publicity given to private life. These legal concepts, however, were all in place before the deployment of the Internet and the emergence of IoT. US legal requirements on privacy also come from a variety of other sources including constitutional limits, legislation, regulation, common law, and contract law; while litigation processes like discovery also implicate privacy. The Federal Trade Commission provides some cross-industry-sector privacy enforcement, but other industry-specific agencies in the health, finance, education, telecommunications, and marketing enforce industry-specific privacy regulations. States have also promulgated their own laws (e.g., on data breach notification and reporting obligations). [Solove 2006] proposed a privacy taxonomy with four main groups of activities that threated privacy (1) information collection (including surveillance and interrogation); (2) information processing (including aggregation, identification, insecurity, secondary use and exclusion); (3) information dissemination (including breach of confidentiality, disclosure, exposure, increased accessibility, blackmail, appropriation, and distortion); and (4) invasions (including intrusions and decisional interference). More recently, the General Data Protection Regulation [EU 2016] (GDPR) applies extraterritorially to protect EU citizens and has also been influential in other national privacy efforts. In particular, GDPR identifies roles in managing data (e.g., Data Protection Officers); rights for data subjects (including breach notification, access to their personal information, data erasure (the right to be forgotten), and data portability); and requires privacy to be incorporated into the design of systems (Privacy by Design). Globally, privacy laws are continuing to evolve towards bringing greater rights to data subjects [Greenleaf 2019]. Legal considerations on privacy generally revolve around the rights and obligations of legal entities; the IoT, however, is generally considered from the perspective of “things” and the data they generate or consume.  The “things” in IoT are not usually considered legal entities, but many recent proposals for IoT architectures have been based on blockchains, and some have argued that blockchains could be implemented as Digital Autonomous Organizations (DAOs) structured to be recognized as independent legal entities (e.g., zero-member LLCs [Bayern 2014] or BBLLCs [Vermont 2018]). Manufacturers of IoT systems often seek the scale of global markets, and so cannot avoid these international trends in privacy regulation. IoT architectures have historically not emphasized privacy features, or considered IoTs operating as independent legal entities. The threats of increased regulation and the opportunities of new legal options will challenge existing IoT deployments and create opportunities for new IoT architectures.

The data we collectively create and copy each year is growing at 40% annually is estimated[3] to be around 44ZB/yr in 2020 (that’s around 6TB/yr for every person on earth), with much of this data expected (in future) to come from IoT devices sensing the world around them. Today, while people may choose to consume their portion of all their data as internet cat videos, many are not mindful of the digital footprints they leave in cyberspace [Camacho 2012].  An entirely new value chain has evolved around firms that support the production of insights from data.  Individual data are worth very little on their own; the real value of data comes from the data being pooled together. [Beauvisage, 2017]. IoT provides a major new source of data for the big data value chain. Beyond intentional internet interactions, IoT sensor networks can also passively collect data on human activities. At the earlier stages of the data value chain, information content is limited, and therefore the scope for value generation is also low; at the same time, the data is more personalized and hence more susceptible to privacy threats.  Some types of data should not be extracted, for instance, if it impinges on fundamental privacy rights. Some data, such as health data, may be usefully extracted under highly regulated circumstances. For many IoT architectures, the privacy threat arising from information processing (e.g., aggregated data) may be more severe than individual data samples. IoT data does not have to be as bandwidth-intensive and focused as video surveillance to threaten privacy. Patterns of private human activity can be discerned from aggregating data from disparate IoT architectures. The ownership and control options for IoT architecture generated data (as relating to human privacy) may be more complex than previous IoT architectures had considered – perhaps rather than centralizing data from IoT sensors in the cloud, IoT data may need to remain distributed, but responding to a limited set of authorized queries. Some actors may also have access across multiple IoT architectures providing a further degree of information aggregation and processing. Even IoT architectures intended for other purposes (e.g. environmental monitoring) may have the data they generate repurposed in ways that violate human privacy.  For IoT architectures to succeed in large scale commercial deployments, they must be prepared to address evolving privacy concerns. This will require IoT architecture to identify which of the data they generate can implicate human privacy concerns.

Humans are interacting with vast amounts of data in new and unusual ways.  Sensor density in consumer products is also increasing. Cyberspace historically was just an environment in which computer communication occurred; now it is already defined more by users’ social interactions rather than technical implementation concerns [Morningstar 2003]. Cyberspace computation today is often an augmentation of the communication channel between real people. People seek richness, complexity, and depth within a virtual world; and at the same time require increasing annotation of real-world entities with virtualized data in augmented reality.  Humans increasingly use cyberspace for social interaction merging cyberspace and social spaces into social computing. The environments, however, are not the same; humans’ expectations and intuitions from the physical world do not always carry over into cyberspace.  For example, real-world experiences are ephemeral; thanks to data storage, however, representations of personal data do not naturally decay; applying this to privacy violations, a transient real-world peeping incident equivalent in cyberspace could result in an ongoing data peeping threat. Legal notions of privacy are typically sensitive to the context (e.g., public spaces vs homes) and actors (e.g., people, organizations, governments). If IoT deployment scale projections are correct, then cyberspace in the near future will be dominated by data flows from IoT architectures. Cyberspace may create notions of new types of entities that may implicate privacy [Kerr 2019], and DAOs are one example of this. Devices are evolving to provide more “human-like” interfaces (e.g. voice assistants (e.g. Alexa, Siri) AI chatbots [Luo 2019]) and autonomous activity (e.g. UAV drones, Level 5 self-driving cars).  The Apple iPhone 11 sensors include[4] faceID, barometer, three-axis gyro, accelerometer, proximity sensor, ambient light sensor, audio, and multiple cameras. The Tesla Model 3 includes[5] rear side and forward cameras, forward-facing radar and 12 ultrasonic sensors. The increasing data intensity in human experience is affecting human behavior and perceptions. While data generically is a very abstract concept, IoT sensor data is very much concerned with creating and aligning various linkages between physical reality and its cyberspace counterpart. Many actors may have an interest in the data about humans created by IoT devices and architectures. Beyond data ownership considerations, recent privacy legal initiatives have created new roles and additional obligations for operators of IoT architectures – e.g. GDPR’s rights to correct data or to be forgotten. The scope, scale, and serendipity of individual human interactions with cyberspace are reaching a qualitative change as IoT architectures become more pervasive.

The human-computer interaction (HCI) with the IoT blockchain is also an important factor affecting whether privacy enhancements are successful. Click through licenses can easily permit users to contract away their privacy rights (unless otherwise limited by regulation). There have been some efforts[6] to provide better exemplars of legal patterns for privacy information; adoption, however, is voluntary unless there is some superseding regulation (e.g., requiring specific notices to “opt-in” for certain types of information disclosures). Given the evolving nature of privacy concepts, HCI approaches may be helpful [Wong 2019] to better define users’ perceptions of the privacy problem space. Trademarks and certification seals may be useful [Wirth 2018], [Bansal 2008] for consumers to identify and trust products and services that provide privacy assertions (e.g., conformance to privacy regulations such as the GDPR). Beyond disclosures, new privacy rights create functions (e.g., for authorized modification or deletion of data) that need to be supported in IoT architectures. The effectiveness of such functions in providing humans with more advanced controls of their personal data will depend in large part on their ease of use. The usability/ operability of such user controls of their data will also be impacted by the visibility and accessibility of the privacy controls. IoT use cases need to evolve to consider these new roles and functions within IoT architectures and how humans can effectively use them to maintain control of their privacy.

Two fundamental technology trends are driving the Internet of Things (IoT). Firstly, the continued miniaturization of devices through Moore’s law, nanotechnology, new materials, etc.,  is providing an increased density of functionality in devices, and a consequent increase in the variety and volume of the data these devices can generate and consume. Secondly, the number and quality of connections are increasing.  Gartner estimated[7] there would be 8.4 billion connected Internet-of-Things (IoT) devices in use worldwide in 2017 and projects an increase to 50 billion by 2020. IoT use cases are one driver for 5G deployments and these deployments are also expected to increase connectivity density towards ubiquity in many areas.  Ericsson estimates[8] there will be 1.5 billion IoT devices with cellular connections by 2022 with cumulative annual growth rates on the order to 20%-30%. This is significantly faster growth than the US GDP growth (estimated[9]in the range 2-3% 2018-2019) or world population growth rates (estimated[10]at 1-2%). Even the job outlook for software developers is only expected[11] to improve by ~21% (2018-2018). The number of IoT devices and their connectivity is evolving the Internet to be primarily an Internet of Things, where the IoT devices, and the data they communicate, forms the dominant usage pattern. This massive IoT investment comprises multiple information infrastructures; forming a cyberspace data environment within which people will interact for an increasing portion of their lives. With massive IoT deployments expected within the next 5 years, to avoid stranded investments, it is important to get the appropriate IoT architecture requirements in place to address common human concerns, particularly around privacy. Existing IoT deployments will also be impacted by privacy as public relations headwinds, evolving regulatory requirements on management of IoT data, changing human attitudes due to the qualitative changes in cyberspace experiences from pervasive IoT environments, and increased user control of IoT data. Retrofitting privacy (or security) into an existing distributed architecture is unlikely to be simple cheap or complete. New IoT architectures must consider privacy impacts.

References

[ALI 1977] American law Institute, “Restatement of the law, Second, Torts”, 1977, § 652

[Baldini 2018] G. Baldini, et al. “Ethical design in the internet of things.” Science and engineering ethics 24.3 (2018): 905-925.

[Bansal 2008] G. Bansal, et.al., “The moderating influence of privacy concern on the efficacy of privacy assurance mechanisms for building trust: A multiple-context investigation.” ICIS 2008 Proceedings (2008)

 [Bayern 2014] S.Bayern, “Of bitcoins, Independently wealth software and the zero member LLC”, Northwestern U.Law Rev. vol 108, pp 257-270, 2014

[Beauvisage 2017] T. Beauvisage (2017). Selling one’s behavioral data: An impossible market? (Research blog). Orange. April 18. Available at: https://recherche.orange.com/en/selling-ones-behavioral-data-an-impossible-market/.

[Camacho 2012] M.Camacho, et. al., “Self and identity: Raising undergraduate students’ awareness on their digital footprints.” Procedia-Social and Behavioral Sciences 46 (2012): 3176-3181.

[Chen 2017] H.Chen, et.al., “Securing online privacy: An empirical test on Internet scam victimization, online privacy concerns, and privacy protection behaviors.” Computers in Human Behavior 70 (2017): 291-302.

[CIGI-Ipsos 2019] CIGI-Ipsos, UNCTAD and Internet Society (2019). 2019 CIGI-Ipsos Global Survey on Internet Security and Trust. Centre for International Governance Innovation, UNCTAD and the Internet Society. Available at: https://www.cigionline.org/internet-survey-2019.

[EU 2016] European Union: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

 [Gartner 2018] R.Contu, et.al.,“Forecast: IoT Security, Worldwide, 2018”, Gartner, Tech. Rep., 2018. 

[Greenleaf 2019] G. Greenleaf, “Global Data Privacy Laws 2019: New Eras for International Standards.” (2019).

[Kerr 2019] Kerr, Ian. “Schrödinger’s Robot: Privacy in Uncertain States.” Theoretical Inquiries in Law 20.1 (2019): 123-154.

[Luo 2019] Luo, Xueming, et al., “Frontiers: Machines vs. Humans: The Impact of Artificial Intelligence Chatbot Disclosure on Customer Purchases.” Marketing Science (2019).

[Morningstar 2003] C.Morningstar, et. al., The Lessons of Lucasfilm’s Habitat. The New Media Reader. Ed. Wardrip-Fruin and N. Montfort: The MIT Press, 2003. 664-667. 

[Solove 2006] Daniel J. Solove “A Taxonomy of Privacy”. U. Pa. L. Rev., 154:477–560, 2006.

[Weber 2017] S. Weber, “Data, development, and growth.” Business and Politics 19.3 (2017): 397-423.

[Spiekerman-Hoff 2012]. S.Spiekermann-Hoff,  “The challenges of privacy by design.” Communications of the ACM (CACM) 55.7 (2012): 34-37.

[UN 1948] United Nations, “Universal Declaration of Human Rights”, 1948

[UN 1976] United Nations, “International Covenant on Civil and Political Rights”, 1976

[Vermont 2018] Vermont S.269 (Act 205) 2018 §4171-74

[Wirth 2018] C. Wirth, et. al., “Privacy by blockchain design: a blockchain-enabled GDPR-compliant approach for handling personal data.” Proc. of 1st ERCIM Blockchain Workshop. European Society for Socially Embedded Technologies (EUSSET), 2018.

[Wong 2019] R. Wong, et.al., “Bringing Design to the Privacy Table: Broadening ‘Design’ in ‘Privacy by Design through the lens of HCI” Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems. ACM, 2019.


[1] https://bit.ly/35AmrTF

[2] https://bit.ly/2RLp156

[3] https://bit.ly/2jMfjOq

[4] https://apple.co/2krqDlT

[5] https://bit.ly/2MefQGO

[6] https://bit.ly/33vyyzt

[7] https://gtnr.it/2Mcqz56

[8] https://bit.ly/2tjDYeY

[9] https://bit.ly/2L6ybDw

[10] https://bit.ly/2Pb5IlC

[11] https://bit.ly/2OgAJii

Why IoT architectures are adopting blockchains

“Things” have been around much longer than the Internet or Blockchain. The term “Internet of Things”, however, seems to have emerged around 1999 [1], [2], and gained more widespread recognition with the 2005 ITU report [3] (which seemed largely concerned with RFID technologies). In 2010, the IoT application domains included transportation and logistics, healthcare, smart environments, personal and social, and robot taxis, smart cities, and virtual reality were considered “futuristic”; while data authentication, data integrity, privacy, and data forgetting were considered open research issues [4]. IoT was added to the 2011 Gartner Hype Cycle, and hit the peak of inflated expectations in 2014, based on embedded sensors, image recognition, and near-field payment technologies. Early standardization efforts on IoT were primarily focused on optimized communication technologies (e.g. [5]). Google Glass was released in 2013 triggering popular interest in Augmented Reality and Virtual Reality, and Amazon released the Echo voice assistant in 2014. Around this time trust management aspects of IoT started to receive more attention [6] as did the intersection between IoT and social networks [7]. IoT Architectures in 2015 were mainly layer-oriented, separating sensing/ perception from communication and (centralized) processing [8], and security threats were also categorized by these layers[9]. By 2016, IoT device deployments we sufficiently large to form an attractive target for malware attacks (e.g., Mirai malware) and  Blockchain started to come into the IoT conversation [10]. Blockchain capabilities like immutability, transparency, auditability, data encryption, and operational resilience have been proposed to solve many architectural shortcomings of early IoT systems [11].

IoT Blockchains

IoT architectures seem to be adopting blockchains to leverage advantages from decentralization, security/ trust models and enablement of new business models providing greater user control of the IoT data [12], [13]. Centralized IoT architectures have enabled users to surrender their data to others in exchange for IoT services; blockchain technologies enable more nuanced controls on data usage and offer possibilities of commercial microtransactions thus enabling new business models.  Existing IoT business models have been analyzed across multiple dimensions (e.g. [14]), but the impact of additional blockchain capabilities was not considered. With blockchains’ roots in cryptocurrencies, they can also be used to facilitate microtransactions and other trading activities in the IoT applications (e.g., smart-grid energy trading & settlement [15]). IoT architectures relying on centralized servers are vulnerable to failures and Denial of service attacks on a single point. IoT architectures are characterized by massive quantities of nodes, with the law of large numbers ensuring that some portion of the nodes is impacted by limited or intermittent connectivity, power or other faults. Blockchains based on redundant peer-peer infrastructure provide some degree of resiliency in the face of failure. Centralized IoT architectures rely on trusting a third party to handle the data, and typically do not support assurances against the life cycle of data integrity (e.g. data tampering, deletion or provenance). Blockchains can provide some assurances regarding data integrity, and blockchain consensus mechanisms can provide assurances of data provenance even amongst untrusting parties, and by distributing data over a peer-peer network provide alternate mechanisms for establishing trust in the IoT ecosystem [16].  Historically, centralized IoT architectures have provided users with only limited knowledge or control over how their data may be used and by whom. Blockchains and smart contracts can provide constraints on operations permitted on the data in the blockchain.  Massive IoT deployments in centralized architectures imply substantial costs for centralized infrastructure support; in contrast, distributed peer-peer blockchain IoT architectures have no centralized servers. An IoT ecosystem has numerous vulnerabilities concerning confidentiality, privacy, and data integrity. With its cryptographic characteristics, blockchain can help in addressing security requirements in IoT [17] ([18] provides a SWOT analysis of blockchain as a mechanism to improve the security of IoTs). [19] proposed a blockchain architecture for IoT for improved privacy by distributing the data and placing it under the control of the user. [20] proposed a design for the tamper-resistant gathering, processing, and exchange of IoT sensor data (car mileage) that was intended to be scalable, efficient, and privacy-preserving. [21] prototyped a blockchain IoT leveraging the immutability properties of blockchains to preserve evidence for use in law enforcement and insurance cases. Whether viewed from the perspective of adding blockchain features to IoT, or including IoT data flows in blockchains, the integration trend of these technologies is expected to continue.

The IoT encompasses a broad range of sensors, systems, and services that tend to be optimized for (or fragmented into) specific applications. [22] provides an overview of the scope of IoT across the perspectives of multiple taxonomies to identify the main dimensions used to characterize IoT systems. Most of the literature focused on the IoT “things”, their communication patterns and to a lesser extent, the data made available by the IoT system; complete treatments of all the potential elements of IoT systems or all the quality dimensions of IoT systems have typically not been provided. Given the breadth of IoT, not every IoT deployment requires a blockchain – IoT applications with multiple independent, interacting entities that do not have a shared trusted authority are more suitable for blockchains [23]. The scale, connectivity and transaction patterns of IoT architectures are not the same as cryptocurrency applications that blockchains were initially deployed in. Blockchains designed for other purposes may not have the inherent characteristics required for IoT [24]. IoT devices are typically resource-constrained (e.g. RFIDs have no computational elements), and blockchains involve computation heavy cryptographic functions; blockchains have, however, been demonstrated in the context resource-limited computing nodes such as the Raspberry Pi [25]. Blockchain also appears to be adopting IoT as a key use case, with increasing numbers of publications focused on the topic [26].  While blockchains and smart contracts can provide interesting features to IoT architectures, they may need optimization for the IoT context, and don’t necessarily address all of the emerging IoT requirements in areas such as privacy. With billions of IoT devices already deployed, existing IoT architectures may need to be adapted to support blockchain capabilities. Developers of new IoT architectures should consider whether to include blockchain capabilities. While new blockchain technologies optimized for IoT are emerging, existing blockchain deployments may also need to consider the impacts of IoT data flows on their infrastructure (e.g., address space consumption, transaction performance, etc.). Smart contracts may provide a path to ease the integration of IoT data on blockchains while enabling new capabilities (e.g. control loops or transactions triggered by IoT sensor data).

If you are looking for a book that provides a detailed overview of the legal implications of blockchain technology and smart contracts, then “Blockchains, Smart Contracts, and the Law” is the perfect choice for you. This book is written clearly and concisely, making it easy to understand even for those who are new to the topic.

References

[1] K. Ashton, “That ‘Internet of Things’ Thing”, RFID Journal, June 2009

[2] N. Gershenfeld, “When things start to think”, Henry Holt & Co, 1999. ISBN 0805058745

[3] ITU “ITU Internet Reports 2005” The Internet of Things”,  2005

[4] L. Atzori, et. al., “The internet of things: A survey.” Computer networks 54.15 (2010): 2787-2805.

[5] I. Ishaq, et. al., “IETF standardization in the field of the internet of things (IoT): a survey.” Journal of Sensor and Actuator Networks 2.2 (2013): 235-287.

[6] Z. Yan, et. al., “A survey on trust management for Internet of Things.” Journal of network and computer applications 42 (2014): 120-134.

[7] A. Ortiz, et. al., “The cluster between internet of things and social networks: Review and research challenges.” IEEE Internet of Things Journal 1.3 (2014): 206-215.

[8] S. Madakam, et. al., “Internet of Things (IoT): A literature review.” Journal of Computer and Communications 3.05 (2015): 164.

[9] E. Leloglu,  “A review of security concerns in Internet of Things.” Journal of Computer and Communications 5.1 (2016): 121-136.

[10] M. Conoscenti, et. al., “Blockchain for the Internet of Things: A systematic literature review.” 2016 IEEE/ACS 13th Int’l Conf. of Computer Systems and Applications (AICCSA). IEEE, 2016.

[11] A. Panarello, et. al., “Blockchain and iot integration: A systematic survey.” Sensors 18.8 (2018): 2575.

[12] M. Ali, et. al. “Applications of blockchains in the Internet of Things: A comprehensive survey.” IEEE Communications Surveys & Tutorials 21.2 (2018): 1676-1717.

[13] R. Thakore,  et al. “Blockchain-based IoT: A Survey.” Procedia Computer Science 155 (2019): 704-709.

[14] D. Hodapp, et. al., “Business Models for Internet of Things Platforms: Empirical Development of a Taxonomy and Archetypes.” AIS: 14th Int’l Conf. on Wirtschaftsinformatik, Feb. 24-27, 2019, Siegen, Germany

[15] M. Andoni, et. al., “Blockchain technology in the energy sector: A systematic review of challenges and opportunities.” Renewable and Sustainable Energy Reviews 100 (2019): 143-174.

[16] B. Yu, et. al. “IoTChain: Establishing trust in the internet of things ecosystem using blockchain.” IEEE Cloud Computing5.4 (2018): 12-23.

[17] M. Khan, et.al., “IoT security: Review, blockchain solutions, and open challenges.” Future Generation Computer Systems 82 (2018): 395-411.

[18] S. Moin, et. al. “Securing IoTs in distributed blockchain: Analysis, requirements and open issues.” Future Generation Computer Systems 100 (2019): 325-343.

[19] M. Ali, et.al., “IoT data privacy via blockchains and IPFS.” Proceedings of the Seventh International Conference on the Internet of Things. ACM, 2017.

[20] M. Chanson, et al. ,”Blockchain for the IoT: privacy-preserving protection of sensor data.” Journal of the Association for Information Systems 20.9 (2019): 10.

[21] D. Billard, et. al., “Digital Forensics and Privacy-by-Design: Example in a Blockchain-Based Dynamic Navigation System.” Annual Privacy Forum. Springer, Cham, 2019.

[22] F. Alkhabbas, et. al., “Characterizing Internet of Things Systems through Taxonomies: A Systematic Mapping Study.” Internet of Things7 (2019): 100084.

[23] N. El Ioini, et.al., “A decision framework for blockchain platforms for IoT and edge computing.” SCITEPRESS, 2018.

[24] R. Han, et.al., “Evaluating blockchains for iot.” 2018 9th IFIP International Conference on New Technologies, Mobility and Security (NTMS). IEEE, 2018.

[25] A. Reyna, et. al., “On blockchain and its integration with IoT. Challenges and opportunities.” Future Generation Computer Systems 88 (2018): 173-190.

[26] A. Firdaus, et al., “The rise of “blockchain”: bibliometric analysis of blockchain study.” Scientometrics 120.3 (2019): 1289-1331.

Healthcare Blockchains & Smart Contracts: Technical and Legal Challenges

Blockchains and related concepts like smart contracts and digital autonomous organizations (DAOs) have emerged from the computer networking and cryptography techniques popularized by cryptocurrencies like bitcoin. With bitcoin having some degree of commercial operational success, a number of folks have been keen to apply these technologies in other fields. One approach to valuation for the impact of technologies is to consider the size of the addressable market. With cryptocurrencies, the potentially addressable market is very large – almost everyone on the planet uses money in some form these days. Many other blockchain applications[1] (e.g. supply chain provenance) address narrower industrial rather than consumer markets. Healthcare blockchain applications may be one area with a large potentially addressable market (who doesn’t have health to worry about?)  depending on the specific use case.

A variety of healthcare applications have been proposed [2] including drug counterfeiting prevention, clinical trial, public healthcare management, longitudinal healthcare records, automated health claims adjudication, online patient access, sharing patients’ medical data, user-oriented medical research, precision medicine, and, smart contracts to improve the credibility of medical research. In some cases, these are moving beyond proposals into implementations based on open-source code bases such as Ethereum or Hyperledger. The designers of healthcare information systems may have a number of different requirements associated with the systems they are designing, and the criteria for applying blockchain are not always clear. Healthcare applications must balance patient care with information privacy, access, completeness, and cost. Rationales proposed for using blockchains in healthcare applications include: access control, non-repudiation, data versioning, logging, data provenance, data auditing, and data integrity, which is quite far from the double-spending problem solved by Nakamoto in his famous whitepaper. The data stored in and the actors operating on a healthcare blockchain also seem quite different from the actors and transactions of cryptocurrency blockchains.

Many of the healthcare application proposals do not address mass markets. Assuring drug provenance, for example, is an important social good given impetus with the DSCSA legislation in the USA. This, however, addresses and industrial market – the pharmaceutical supply chain, and while mass-market consumers benefit from this advancement, they do not directly interact with the blockchain in this use case. Use cases around medical records and adjudication of healthcare claims have a greater potential for impacting mass-market consumers. Work remains, however, to crystalize use cases that are viable – not just from a technological perspective, but also from commercial and legal perspectives as well as from the perspectives of the various actors in health care delivery.  

Technology issues can be seen as risks impeding design and deployment of healthcare blockchains. There is not one blockchain but a variety of implementations with different characteristics (even the original bitcoin has forked). With multiple (and uncertain) use cases and fragmented or customized technology approaches, it is only possible to talk of the technology and legal challenges in general terms. Identified[3] technology challenges to the development of healthcare blockchains include interoperability, security and privacy, scalability, speed, and patient engagement. Interoperability, scalability, and speed are characteristics of the software implementation of healthcare applications on the blockchain. The degree of patient engagement can be significantly impacted by the not just the implementation and trust issues, but also the usability of the system and the overall user experience with the healthcare blockchain. Security, privacy and trust issues reflect concerns about not just the implementation, but the processes for assuring the users can trust the blockchain and its associated software, as well as the organizational and legal context. Because of the use of blockchain technology in the financial industry, and the associated loss risks, the security of blockchains and related smart contracts have received significant attention. Financial losses can often be addressed through other means (e.g. insurance); privacy losses (e.g., disclosed medical records) may be harder to detect and redress.

Legal issues often arise with the introduction of new technologies.  Where the use cases involve sophisticated commercial entities and complement existing industry transactions, the legal issues can often be resolved with private law e.g. contracts between the parties. How existing regulations are applicable would depend on the specific industry and the use case. Where the use case involves mass-market consumers (generally assumed to not be sophisticated parties), public laws and regulations are more likely to be applicable, protective of the consumer, and were written prior to the possibilities of the new technology being envisioned. There are very few public laws explicitly mentioning blockchain, though there has been some incremental progress at the State level in the USA, most of this is targeted as fintech applications of blockchains. In this environment, the legal uncertainty often reduces to assessing how the technology use case would be classified under the existing regulations. DAOs are rather novel as legal entities, but such entities may prove useful to meet the privacy requirements of consumer-oriented healthcare blockchains. While DAOs may fit within some states’ LLC enabling legislation, additional legislative initiatives may be required for DAOs to be deployed more widely.

Smart contracts provide a computational mechanism built on top of a blockchain. These have a number of applications from enforcing legal requirements for transactions to implementing business process workflows. With industrial use cases, sophisticated parties may negotiate the smart contract before implementing it. With consumer use cases, the smart contract would more likely be an adhesion contract that the consumer would not be able to negotiate. Of particular concern with smart contracts is the source of data to trigger smart contract decisions. Oracles for financial data feeds are emerging, but medical data oracles are less widely available. Smart contracts have been proposed for dispute resolution in a manner similar to arbitration, but this has not yet received large scale adoption.

Open source blockchains like ethereum and hyperledger enable easier technology exploration. Building on these with privacy enhancement technologies like zero-knowledge proofs and privacy-preserving computation will help address the technical challenges in privacy that healthcare blockchain use cases bring.  The development of standards[4] to build industry consensus around the terminology and fundamental technical choices to be made will help reduce the fragmentation in the technology. The IEEE 2418.6 healthcare standards project can help, but will take some time to address all the use cases. Specific use case development to define the service requirements from the user point of view would also be very helpful. Automation of existing use cases may be more easily tractable; given increasing concerns for privacy, however, new paradigms to empower people to control their data footprint in cyberspace are emerging. Placing patients in control of their data and having others query for it would be a significant change from existing practices. For industrial markets, existing standards bodies may be well-positioned to develop these use cases. For consumer use cases these may emerge through private enterprise, or through discussion in more public forums (e.g., regulatory hearings, NGO activities etc.).

For a more detailed treatment of this topic refer to my paper presented at the 2019 ITU Kaleidoscope academic conference “ICT for Health: Networks, standards and innovation”.  

If you are looking for a book that provides a detailed overview of the legal implications of blockchain technology and smart contracts, then “Blockchains, Smart Contracts, and the Law” is the perfect choice for you. This book is written clearly and concisely, making it easy to understand even for those who are new to the topic.


[1] See e.g., F.Casino, et. al., “A Systematic literature review of blockchain based applications: Current Status, classification and open issuesTelematics and Informatics, vol. 36, pp 55-81, (2019).

[2] See e.g., S.Agraal, et. al, “Blockchain Technology: applications in Healthcare”, Circulation: Cardiovascular Quality and Outcomes 10.9 (2017)

[3] See, e.g., C. Agbo, et. al., “Blockchain Technology in Healthcare: A Systematic Review”, Healthcare, vol.7, no.56, (2019)

[4] See e.g., the work of ISO TC 307, IEEE, ITU

Blockchain and Smart Contract Trends

Blockchain and Smart contracts have evolved out of the technology underlying and popularized by bitcoin. So how widespread are these concepts? Have they reached the public awareness or are these merely niche technologies? Google Trends provides one perspective based on search queries which shows much greater search interest and therefore awareness of “Bitcoin” than “Blockchain” or “Smart Contracts”. It may also reflect the maturity and scale of bitcoin commercial offerings with multiple cryptocurrency exchanges in operation globally. In contrast, Blockchains and Smart Contracts appear to be at an earlier stage of development and commercialization as well as being targeted towards markets that are less mass market and more niche industrial applications (e.g. tracking supply chain provenance for pharmaceuticals).

The search terms “Bitcoin”, Blockchain” and “Smart Contract” all have a similar global spread, with peak search volumes coming, perhaps surprisingly, from Africa. Peak search volumes were associated with bitcoin price queries as might be expected. The results for “Smart Contract” also indicated related queries associated with mobile phones. This may reflect some different interpretations of the phrase (e.g. advertising for mobile phone subscription contracts) or perhaps an interest in access to bitcoins and blockchain smart contracts through wallets on mobile devices.

The Gartner Hype Cycle for Emerging technologies provides a perspective on perceived technology maturity. Newly emerging technologies are posited to go through stages from being an “innovation trigger” to the “Peak of Inflated Expectations” then through the “Trough of Disillusionment”, and up the “Slope of Enlightenment” to finally reach a “Plateau of Productivity”. The Gartner Hype Cycle 2016 identified “Blockchain as nearing the “Peak of Inflated Expectations”. The Gartner Hype Cycle 2017 identified “Blockchain” as about to cross between the “Peak of Inflated Expectations” and the “Trough of Disillusionment”. The Gartner Hype Cycle 2018 maintained “Blockchain” as about to cross between the “Peak of Inflated Expectations” and the “Trough of Disillusionment”. It also split out “Blockchain for Data Security” as being in the “Innovation Trigger” stage. The Gartner Hype Cycle 2019 does not list Bitcoin, Blockchain or Smart Contracts, but it does call out “Decentralized Autonomous Organizations” (DAOs) as being in the “Innovation Trigger” stage. DAOs may be considered as LegalTech – prototype legal entities associated with blockchain smart contracts. Gartner’s 2019 Hype Cycle for Blockchain Technologies provides a more detailed perspective. While the more generic term “blockchain” is sliding into the trough, smart contracts, decentralized identities, and consensus mechanisms are at the peak; zero-knowledge proofs, privacy-enhanced multiparty computing, and smart contract oracles are on the rise.

Bitcoin has moved into the mass market vocabulary and seems to be providing some operational utility as a financial asset with many searches for bitcoin prices. Blockchain applications beyond cryptocurrency are often not mass-market applications. Blockchain Loyalty Programs would target mass-market consumer awareness but even these have limitations of scale compared to cryptocurrencies. Industrial applications of blockchains, in supply chains, for example, would not reach consumer awareness to trigger searches.

Patents in the Commercialization of Technology Research

Patents grant to an inventor a property right issued by a governmental patent office. In the USA, the intellectual property right granted is “the right to exclude others from making, using, offering for sale, or selling” the invention in the United States or “importing” the invention into the United States. There are three types of patents:(1) utility patents – granted for new and useful processes, machines, etc., (2) design patents – granted for original ornamental designs for manufactured articles, and (3) plant patents- granted for new plant varieties. Most “high tech” inventions – semiconductors, software, would fall under utility patents. Similar patent regimes exist in other advanced economies that grant patent rights within their individual economies. The World Intellectual Property Organization (WIPO), a self-funding agency of the United Nations, helps to provide alignment of patent policies internationally. 

A hand selecting a Patent business concept on a futuristic computer display.

The government agencies granting patents charge fees for their services. Under the Patent Cooperation Treaty (PCT), a single application can be presented to obtain patent rights in multiple jurisdictions, though this will result in fees to the relevant agencies in those jurisdictions. While inventors can file patent applications on their own, it is generally advisable to retain competent patent counsel to file on their behalf in order to maximize the scope of patent coverage and avoid procedural missteps in the filing process.

Rational inventors with limited budgets must balance the costs of obtaining patents with the breadth of patents rights they seek. This balance is obviously affected by the business strategy of the inventor (or, in many cases, the corporate assignee) – e.g., is international exploitation of the patent planned? If so in which markets, and how valuable are those markets expected to be? The role of patents in the business strategy is a broader question – e.g. whether the invention is planned to be practiced directly or licensed to others. For startups and other early-stage innovators, patent rights may be useful assets to help establish corporate valuations.  Entities which do not practice their inventions, but rather only license them are referred to as Non-Practicing Entities (NPEs). There exists a broad range of NPEs from Universities to more specialized and speculative investors acquiring assets through bankruptcy[1].

As with the metes and bounds of real property, patent grants are delimited by the enumerated claims. Generally, existing patents only expire with time (20 years in USA) or through some other legal action to invalidate the patent. Some patent licensing obligations may be created by the assignee participating in Standards setting activities.  Patents are required to be novel; and, often build on existing well-known technologies and other patents to provide additional functionality. Granting of a new patent does not invalidate an existing patent. In some cases, this can result in the creation of a patent thicket[2] where the existence of many overlapping and underlying patents may complicate licensing arrangements and constrain the commercial utilization of new patents. The smartphone, for example, may have hundreds of thousands of applicable patents[3].

Entities intending to commercialize novel technologies should be aware of the existing patent landscape.  A patent landscape provides a snapshot of patenting activity in a particular technology area.  A competitive landscape is one tool for developing business strategy and Patent Landscape Reports can provide that perspective for competing intellectual property. The recent WIPO technology trends report on Artificial Intelligence is perhaps a good example of a patent landscape report on a currently popular area of technology innovation. 

While patent landscaping can help with broad strategic questions, more tactical decisions may require more targeted patent-related legal opinions to minimize legal risks and optimize commercial opportunities. These may include opinions of counsel on patentability, invalidity, infringement or freedom to operate.  Depending on the business need, intellectual property may play greater or lesser roles; in the commercialization of technology research, however, the intellectual property representation of that technology research likely needs to be central to the business strategy. While technology developers are primarily focused on the implementation of their technology, the commercial valuation often lies in the relative strength of the intellectual property position vs competitors. Traditional competitive analysis of market positioning looks at offers available in the marketplace. Evaluating the patent landscape can identify potential new entrants based on their patent portfolios, as well as potential weaknesses in the positions of other known competitors.

If you are interested to get started with patent landscaping, you could use the patent office search tools (e.g., USPTO, WIPO, Google Patents) to extract the list or relevant patents to analyze; and WIPO publishes a manual on open source tools that could be helpful for custom analytics on patents. While this may be a good way to learn the method, it may not always be the best use of your time. Lawyers and other intellectual property specialists can provide commercial-grade reports for a fee. There are some commercial tools (e.g., ip vision, patent insight pro, vantage point) and some free tools that may also be a useful place to start (Lens.org, PIUG, patent inspiration).


[1] Steven A. Wright, Preserving Patent Licensor’s SSO Commitments, Assn. of Insolvency & Restructuring Advisors J., (2012).

[2] Carl Shapiro, “Navigating the Patent Thicket: Cross Licenses, Patent Pools, and Standard Setting,” Innovation Policy and the Economy 1 (2000): 119-150. https://doi.org/10.1086/ipe.1.25056143

[3] Reidenberg, Joel R. and Russell, N. Cameron and Price, Maxim and Mohan, Anand, Patents and Small Participants in the Smartphone Industry (2014). WIPO Working Paper, IP and Competition Division, 2014; Fordham Law Legal Studies Research Paper No. 2674467. Available at SSRN: https://ssrn.com/abstract=2674467

Blockchain Network Topologies

Blockchains are hashed linked data structures replicated over a peer to peer network. In considering blockchain topologies we need to distinguish between the topology of the peer to peer network and the topology of the blockchain data structure.

Peer-Peer networks became prominent with the file-sharing application pioneered by Napster in 1999. File sharing was popular with many consumers sharing music or video files; however, it was much less popular with various copyright holders whose content was being shared without permission, and Napster eventually closed in 2001. File sharing continued with Gnutella, BitTorrent, and, others, though the underlying technology architectures evolved[1]. The node connectivity could be structured or unstructured. The files being shared could be centralized or distributed. Centralized file structures created a point of attack for opponents of file sharing, as did regular structured topologies. Peer – peer applications moved beyond file sharing with communications services like Skype.  

The nodes in peer-peer networks are not all completely meshed – each node is connected to a limited (and different!) set of peers.  Typically, less than 16 peers are sufficient[2] for the content to propagate through the peer-peer network, though specific performance with obviously be impacted by the processing power and bandwidth available to the nodes, and the content sharing protocols of the particular peer-peer network. In this model, nodes are also not required to be permanently connected – as long as some porting of the network remains active, new nodes can be connected, and the content propagates.

Permissionless blockchain systems rely on an unstructured public P2P network for information dissemination between participating peers. Flooding or gossip protocols are then used for the propagation of the required information to all peers so that the blockchain consensus protocols have the information they need. At design time, the node attachment and communication strategies that impact the topology of the network in operation are fixed. While a complete peer-peer network is not easily observable, these network characteristics are known to adversaries and can be targeted for attacks. The users of these permissionless blockchain networks have requirements[3] for their applications that typically include aspects such as performance, low participation cost, topology hiding, Denial of Service (DoS) resistance and anonymity. The tradeoffs between the implementation choices for these requirements are not well understood, and further work in these areas is expected to help improve the maturity of blockchain solutions.


[1] For a summary of file sharing approaches see, Masood, Saleha, et al. “Comparative Analysis of Peer to Peer Networks.” International Journal of Advanced Networking and Applications 9.4 (2018): 3477-3491

[2] For an example study on BitTorrent performance, see, Bharambe, Ashwin R., Cormac Herley, and Venkata N. Padmanabhan. “Analyzing and improving a BitTorrent network’s performance mechanisms.” Proceedings IEEE INFOCOM 2006. 25TH IEEE International Conference on Computer Communications. IEEE, 2006.

[3] Neudecker, Till, and Hannes Hartenstein. “Network layer aspects of permissionless blockchains.” IEEE Communications Surveys & Tutorials 21.1 (2018): 838-857.

Blockchain Maturity

Blockchain technologies are seen by many as a key infrastructure component enabling a wide variety of new applications – from Accounting applications like share registries, Biotech blockchains, Cryptocurrencies and down through the rest of the alphabet. While many claims are made for blockchains, the resilience of an infrastructure based on a peer-peer network operating autonomously of centralized actors is seen as key for what seems to be emerging as an infrastructure software layer for many fintech applications, if not the wider Internet.  While there are multiple blockchain architectures; beyond the peer-peer infrastructure and the blockchain data structure itself, many blockchains support a distributed applications layer of dApps or Smart contracts executing on the underlying blockchain infrastructure. Blockchain appears poised for wider adoption with open-source implementations available, large scale existing deployments in cryptocurrency mining and large commercial entities reportedly exploring and, in some cases, deploying the technology.  But is the technology really mature enough for wide-scale public use?

Adoption of a new technology can be limited by readiness or maturity issues in the operational processes using the new technology, the staff driving those processes, or the development of the blockchain itself.  Process maturity is typically measured with a 5-point scale such as:

  1. Initial               (not under statistical process control)
  2. Repeatable     (the organization has a stable process with repeatable levels of statistical process control and rigorous project management)
  3. Defined           (the process is defined for consistent implementation)
  4. Managed         (the process is comprehensively measured and analyzed)
  5. Optimizing      (the process is continuously improved)   

These five levels have been adapted for use in a number of different industries. The blockchain software components (peer-peer network, blockchain data structure, consensus protocols, etc.) could be evaluated on such a scale. In a similar fashion, the operational context (market, regulation, consumer/ operator use-cases, etc.) could also be evaluated. Blockchains are inherently distributed applications (otherwise a centralized database could be used).  With distributed applications, multiple actors are involved.  Multiple independent human actors add complexity to process evaluations because their individual evaluations of the process maturity may be different, and their understanding of the expected operational use-cases may also differ. While there have been proposals[1] for blockchain maturity models, it is not clear how widely supported they are.  

To err is human, and the open-source blockchain developers have demonstrated their humanity in a number of ways[2]. What matters more is the process for resolving those inevitable bugs. One approach to tracking maturity, particularly for open source projects is the core infrastructure initiative  (CII) from the Linux Foundation.  This provides not just tooling and education, but also a (free) badging program for open source projects to attest to their adherence to industry best practices. CII is not restricted to Linux Foundation projects;  but as might perhaps be expected,  Hyperledger projects do report on CII; unfortunately, Etherium does not; though there are a number of other blockchain projects that do.

If blockchain systems and technologies are to live up to their promise as future infrastructure, then their maturity needs to be demonstrated. Developers and open source communities have tools like CII to demonstrate the maturity of their software. Users of blockchain software should ask their suppliers for evidence of the maturity of their products. Beyond the software, other aspects (e.g., market and regulatory dimensions) may need industry-specific adaptions of the process maturity scale to evaluate the operability of blockchain proposals in their context.


[1] See e.g., Wang, H., Chen, K. & Xu, D. Financ. Innov. (2016) 2: 12. https://doi.org/10.1186/s40854-016-0031-z

[2] See e.g., Wan, Z., Lo, D., Xia, X., & Cai, L. (2017, May). Bug characteristics in blockchain systems: a large-scale empirical study. In 2017 IEEE/ACM 14th International Conference on Mining Software Repositories (MSR) (pp. 413-424). IEEE.

Blockchain Loyalty Programs

“What gets us into trouble is not what we don’t know. It’s what we know for sure that just ain’t so.”
― Mark Twain

Under current taxation regimes, cryptocurrencies are treated as property by the IRS, which implies a host of existing rules and regulations regarding the reporting and taxation of property transactions.  This reporting and tax collection can be manually burdensome and is rarely automated given the current state of the technology. The IRS has recently started increased enforcement actions on cryptocurrency transactions. Blockchain and cryptocurrency enthusiasts have sought to apply some of the underlying technology and concepts in a variety of other ways to avoid these burdens.  One proposed use is in customer loyalty programs.

Customer loyalty programs can provide differentiation and sustain competitive advantages, particularly where the switching costs are low[1].  Customer loyalty programs have a long history with applications in the 1700s and 1800s with tokens and stamps that could be used by the customer for discounts on future purchases with the same supplier. Perhaps the modern stereotype is the frequent flyer mile. Originally acquired and used solely for air travel, these can now be acquired without using air transport and exchanged for a variety of other goods and services.  While typically not fungible beyond the partner ecosystem, customer loyalty tokens (e.g. frequent flyer miles) are sometimes seen as alternative currencies by both the creators and users. The analogy with cryptocurrency schemes as an alternative currency seems obvious.

Most consumers don’t think about taxation of their frequent flyer miles; and, most would typically assume that they are not taxable.  This, unfortunately, ain’t always so. The IRS has issued limited guidance on the taxation of frequent flyer miles with IRS announcement 2002-18 stating they would not pursue a tax enforcement program on frequent flyer miles – and not that these were not taxable. This relief does not apply to travel or other promotional benefits that are converted to cash, to compensation that is paid in the form of travel or other promotional benefits, or in other circumstances where these benefits are used for tax avoidance purposes. And there are a couple of court cases[2] where the value asserted in a frequent flyer miles transaction has exceeded de minimus limits and resulted in the issuance of 1099-MISC income statements with tax impacts. There are many variants in customer loyalty programs and opinions on the practicality of heir taxability[3]. Unexpected tax enforcement against consumers of loyalty program tokens would significantly impact the value of such programs.  No consumer-facing company wants to give its customers promotional tokens that result in tax problems from unexpected liabilities or reporting concerns.

Considering the potential for increased tax enforcement against cryptocurrency transactions, proponents of blockchain-based customer loyalty programs should consider how closely their proposed loyalty programs match the original concept of discounts against future purchases with the same supplier vs fungible alternative currency.

For companies considering a blockchain-based loyalty program there are additional considerations. FINCEN has recently issued guidance involving convertible virtual currencies.   While this guidance seems directed to virtual currency exchanges, it is not clear that businesses exchanging virtual currencies for goods and services are exempt. If applicable, then the business would need to comply with state money transmission regulations. This gives companies considering blockchain-based loyalty programs added incentives for restricting the program to match the original concept of discounts against future purchases with the same supplier vs fungible alternative currency.

Blockchain-based customer loyalty programs are not impossible; however, due diligence needs to be undertaken with the applicable regulations, to ensure the loyalty program is designed appropriately.


[1] A. Nastasiou, M. Vandenbosch, “Competing with loyalty: How to design successful customer loyalty reward programs”, Business Horizons Vol 62, Is 2. March-April 2019 pp 2017-214.

[2] See e.g., Shankar v Commissioner 143 T.C. No 5 (2014), Hirsch v Citibank (S.D.N.Y) Case 1:12-cv-01124-DAB-JLC (2016)

[3] J. A. Mankin, J.J. Jewell, “Frequent Flyer Miles as company scrip: implications on taxation” Business Studies Journal, Vol 7, No. 1, 2015

Blockchain Terminology

Tokens may be used to safeguard sensitive data involving, for example, bank accounts, financial statements, medical records, criminal records, driver’s licenses, loan applications, stock trades, voter registrations, and other types of personally identifiable information (PII)

Initial Coin Offering (ICO) –In an ICO, a quantity of cryptocurrency is sold in the form of “tokens” (“coins”) to speculators or investors, in exchange for legal tender or other cryptocurrencies. The tokens sold are promoted as future functional units of currency if or when the ICO’s funding goal is met and the project launches. In some cases, like Ethereum, the tokens are required to use the system for its purposes.

Stablecoins are cryptocurrencies designed to minimize the volatility of the price of the stablecoin, relative to some “stable” asset or basket of assets.

Backed Stablecoins are redeemable in commodities (such as precious or industrial metals).

Currency backed stable coins are pegged to one or more fiat currencies (e.g. US Dollar, Euro etc.)

Cryptocurrency backed stable coins are issued with cryptocurrencies as collateral, which is conceptually similar to fiat-backed stablecoins; the significant difference between the two designs is that while fiat collateralization typically happens off the blockchain, the cryptocurrency or crypto asset used to back this type of stablecoins is done on the blockchain, using smart contracts in a more decentralized fashion.

Colored coins are a class of methods for associating real world assets (e.g. a deed for a house, stocks, bonds or futures) with blocks on the blockchain network. 

Mining– process of generating a new block on the blockchain – typically includes a PoW assertion.

Mining pool– a collection of miners who have pooled their resources together in order to mine a cryptocurrency

Single mining pool– A mining pool that mines a single cryptocurrency.

Multipool mining– mining poll that mines multiple cryptocurrencies

Orphan blocks– a successfully completed PoW that was not accepted by the consensus protocol – discarded (waste) in bitcoin

Stale blocks– a block that is abandoned because the mining node already received a solution from some of other node.

Uncle blocks– an orphan block; in Etherium, orphan (uncle) blocks can earn ether.

Genesis blocks– the first block on the blockchain.

Just as a Mint creates new currency notes and coins, minting on a blockchain expands the size of the cryptocurrency in circulation and supported by the blockchain.

To Burn a crypto currency asset is to destroy it – reduces the size of the cryptocurrency in circulation and supported by the blockchain.

Fiat currency is an object (like a paper bill or metal coin) that has been established as money, often by a government

Digital Currency is a type of currency designed to be used in the digital form. A cryptocurrency is a digital currency.

On a permission less network, anyone who meets certain technical requirements can access the network or operate a node.

On a permissioned network, an entity controls access to the network and oversees who can operate a node.

Blockchain Governance is the approach to decision making taken by the decentralized nodes on a blockchain.

non-fungible token (NFT) is a special type of cryptographic token which represents something unique; non-fungible tokens are thus not interchangeable. This is in contrast to cryptocurrencies like bitcoin, and many network or utility tokens that are fungible in nature.

cryptocurrency wallet is a device (e.g. usb stick), physical medium, program or a service which stores the public and/or private keys and can be used to track ownership, receive or spend cryptocurrencies. The cryptocurrency itself is not in the wallet. In case of bitcoin and cryptocurrencies derived from it, the cryptocurrency is decentrally stored and maintained in a publicly available ledger called the blockchain. A public key allows for other wallets to make payments to the wallet’s account(address), whereas a private key enables the spending of cryptocurrency from that address.

Computing Terminology

A Distributed System is a system whose components are located on different computers connected by a network – typically the Internet; which communicate and coordinate their actions by passing messages to one another.

Client–Server model is a distributed application structure that partitions tasks or workloads between the providers of a resource or service, called servers, and service requesters, called clients. Clients request communication sessions with servers which respond to incoming requests.

Peer-to-peer (P2P) computing or networking is a distributed application architecture that partitions tasks or workloads between peers. Peers are equally privileged, equipotent participants in the application. They are said to form a peer-to-peer network of nodes.

Network partition refers to network decomposition into relatively independent subnets for their separate optimization as well as network split due to the failure of network devices.

Network topology is the topological structure of a network and may be depicted physically or logically. It is an application of graph theory wherein communicating devices are modeled as nodes and the connections between the devices are modeled as links or lines between the nodes.

Grid Computing is composed of many networked loosely coupled computers acting together to perform large tasks, these computers be more heterogeneous and geographically dispersed.

Cloud Computing is the on-demand availability of computer system resources, especially data storage and computing power, without direct active management by the user. The term is generally used to describe data centers available to many users over the Internet.

Virtual Machine (VM) is an emulation of a computer system. Virtual machines are based on computer architectures and provide functionality of a physical computer. Their implementations may involve specialized hardware, software, or a combination.

computer program is a collection of instructions that performs a specific task when executed by a computer. n.b. Algorithms + Data Structures = Programs (a 1976 book written by Niklaus Wirth pointing out that algorithms and data structures are inherently related).

More precisely, a data structure is a collection of data values, the relationships among them, and the functions or operations that can be applied to the data.

Linked list is a linear collection of data elements, whose order is not given by their physical placement in memory. Instead, each element points to the next. It is a data structure consisting of a collection of nodes which together represent a sequence. In its most basic form, each node contains: data, and a reference (in other words, a link) to the next node in the sequence. This structure allows for efficient insertion or removal of elements from any position in the sequence during iteration. More complex variants add additional links, allowing more efficient insertion or removal of nodes at arbitrary positions.

A database is an organized collection of data, generally stored and accessed electronically from a computer system. Where databases are more complex they are often developed using formal design and modeling techniques. A graph database is a database that uses graph structures for semantic queries with nodes, edges, and properties to represent and store data.

database transactionsymbolizes a unit of work performed within a database management system (or similar system) against a database; and treated in a coherent and reliable way independent of other transactions.

ACID (Atomicity, Consistency, Isolation, Durability) is a set of properties of database transactions intended to guarantee validity even in the event of errors, power failures, etc.

hash function is any function that can be used to map data of arbitrary size onto data of a fixed size. The values returned by a hash function are called hash values, hash codes, digests, or simply hashes. Hash functions are related to (and often confused with) checksums, check digits, fingerprints, lossy compression, randomization functions, error-correcting codes, and ciphers. Although the concepts overlap to some extent, each one has its own uses and requirements and is designed and optimized differently.

The CAP conjecture, also known as Brewer’s theorem states that it is impossible for a distributed data store to simultaneously provide more than two out of the following three guarantees: Consistency: Every read receives the most recent write or an error; Availability: Every request receives a (non-error) response – without the guarantee that it contains the most recent write; Partition tolerance: The system continues to operate despite an arbitrary number of messages being dropped (or delayed) by the network between nodes. In particular, the CAP theorem implies that in the presence of a network partition, one has to choose between consistency and availability. Note that consistency as defined in the CAP theorem is quite different from the consistency guaranteed in ACID database transactions

The primary goal of information security is to control access to information. The value of the information is what must be protected. These values include confidentialityintegrityand availability. Inferred aspects are privacyanonymityand verifiability.

confidentiality is an attribute of information that is not made available or disclosed to unauthorized individuals, entities, or processes.

data integrity means maintaining and assuring the accuracy and completeness of data over its entire lifecycle. This means that data cannot be modified in an unauthorized or undetected manner.

For any information system to serve its purpose, the information must be available when it is needed. Availability requires the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly.

Privacy is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively. The boundaries and content of what is considered private differ among cultures and individuals; but share common themes. When something is private to a person, it usually means that something is inherently special or sensitive to them. The domain of privacy partially overlaps with security (confidentiality), which can include the concepts of appropriate use, as well as protection of information.

Anonymity requires that  person be non-identifiable, unreachable, or untrackable.

Pseudonymity enables the other party to link different messages from the same person and, thereby, to establish a long-term relationship, without necessarily disclosing personally identifying information

Non-repudiation refers to a situation where a statement’s author cannot successfully dispute its authorship or the validity of an associated contract. The term is often seen in a legal setting when the authenticity of a signatureis being challenged.

In contrast with identification, which refers to the act of stating or otherwise indicating a claim purportedly attesting to a person or thing’s identity, authentication is the process of actually confirming that identity. 

Authorization is the function of specifying access rights/privileges to resources, which is related to information security and computer security in general and to access control in particular.

Encryption is the process of encoding a message or information in such a way that only authorized parties can access it and those who are not authorized cannot. Encryption does not itself prevent interference; but denies the intelligible content to a would-be interceptor.

In symmetric-key encryption schemes, the encryption and decryption keys are the same.

In public-key encryption schemes, the encryption key is published for anyone to use and encrypt messages. However, only the receiving party has access to the decryption key that enables messages to be read.

public key infrastructure (PKI), is  centralized architecture in which one or more third parties – known as certificate authorities – certify ownership of key pairs.

web of trust is a decentralized trust modelused in PGP, GnuPG, and other OpenPGP-compatible systems to establish the authenticity of the binding between a public key and its owner.There are many independent webs of trust, and any user (through their identity certificate) can be a part of, and a link between, multiple webs.

In cryptography, a nonce is an arbitrary number that can be used just once in a cryptographic communication. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks.

To achieve overall system reliability in the presence of a number of faulty processes. This often requires processes to agree ( achieve consensus) on some data value that is needed during computation.

Proof-of-Work (PoW) system (or protocol, or function) is a measure to deter denial of service attacks and other service abuses such as spam on a network by requiring some work from the service requester, usually meaning processing time by a computer.

Proof of authority (PoA) is an algorithm used with blockchains that delivers comparatively fast transactions through a consensus mechanism based on identity as a stake. Blockchain transactions and blocks are validated by approved accounts, known as validators.validators are incentivized to uphold the transaction process.

Proof of stake (PoS) is a type of consensus algorithm by which a cryptocurrency blockchain network aims to achieve distributed consensus. In PoS-based cryptocurrencies the creator of the next block is chosen via various combinations of random selection and wealth or age (i.e., the stake).

zero-knowledge proofor zero-knowledge protocol is a method by which one party (the prover) can prove to another party (the verifier) that they know a value x, without conveying any information apart from the fact that they know the value x. The essence of zero-knowledge proofs is that it is trivial to prove that one possesses knowledge of certain information by simply revealing it; the challenge is to prove such possession without revealing the information itself or any additional information.

Byzantine Fault Tolerance (BFT) is the ability of a decentralized system to provide safety guarantees in the presence of faulty, or “Byzantine” members. Byzantine Fault Tolerant (BFT) consensus protocols are designed to function correctly even if some validator nodes — up to one-third of the network — are compromised or fail.

Consensus protocol allows nodes to collectively reach an agreement on whether to accept or reject a transaction.

Merle tree is a type of authenticated data structure that allows for efficient verification of data integrity and updates.

Open source is a term used for software that makes the original source code freely available so that it can be distributed and modified.