ICTworks

One of the most discussed technologies today is distributed ledger technology, a decentralized system for recording transactions with mechanisms for processing, validating and authorizing transactions that are then recorded on an immutable ledger.

Distributed ledger technology exploits a set of well-established principles, including public key cryptography, peer-to-peer (P2P) networking, and consensus algorithms (e.g., proof-of-work (PoW), proof-of-stake (PoS), Federated Byzantine Agreement).

Blockchain is one implementation of distributed ledger technology (DLT), and other new technologies such as Directed Acyclic Graph (DAG) are emerging. IOTA and Hashgraph are examples of DAG-based DLTs.

The FAO publication Blockchain for Agriculture aims to demystify blockchain technology, provide some thoughts on the opportunities and challenges in implementing blockchain-based systems as well as document some case studies on the use of blockchain for agriculture.

Distributed ledger technology hasn’t yet reached maturity therefore it brings in certain implementation risks that are important to comprehend and wherever possible to mitigate before deployment.

A good understanding of the risks would assist in deciding whether DLT or a centralized database would be more appropriate, and further choosing the appropriate DLT for a given scenario as the risks vary with the type of deployment, i.e. permissioned (private) or permissionless (public).

Is software code mature enough to replace the law?

In a distributed ledger technology environment, smart contracts are agreed based on a software code and on the agreed date executed (sometimes mercilessly) as the contract itself is the law. Although this unalterable nature (or immutability) is the core strength of this technology and enhances trust amongst parties, it also needs to be mature enough to replace the law.

There have been instances in the past when some of the well-known DLTs had to be “hard forked” – a phenomenon whereby the governing code has to be replaced with a new one. In 2016, for example, Ethereum had to be hard forked after long debate amongst the community as an unexpected code path allowed users to withdraw funds and an unknown user managed to withdraw USD 50 million. Not all in the community agreed with the decision, which led to different versions of Ethereum, viz. Ethereum and Ethereum Classic.

Such decision-making is not easy or quick to arrive at as it requires agreement amongst the community. Another important area is the application of the law. In instances where there are judicial decisions to reverse a smart contract for legal noncompliance, how would the prior data in the blocks be altered?

In the context of agriculture, where smart contracts are very useful applications of DLTs, absence of a legal entity or a human being to interpret the code in event of a dispute is an important risk to remember. It is very important, therefore, to keep the contract simple.

Standards are underdeveloped and not mature yet

Being at a stage of rapid technological development, there are no mature standards addressing distributed ledger technology yet. At this point, there are various competing proprietary and community-managed DLT platforms and frameworks. The absence of international standards carries risks related to customer lock-in, lack of interoperability, privacy and security.

There are international efforts ongoing in these areas, including ISO Technical Committee 307 on Blockchain and Distributed Ledger Technologies and work in ITU’s standardization sector ITU-T.

Energy requirement can be high

A methodology to build consensus for entering a new data block amongst participating nodes is a core feature of blockchain. There exist several possible ways of reaching consensus, each with its own advantages and disadvantages.

The one that is employed by Bitcoin and Ethereum, the most famous of blockchain implementations, is proof-of-work (PoW). It works on the principle of “hard to create, easy to verify”, which means lot of energy needs to be spent by the node to earn incentive tokens. For a large chain like Bitcoin, estimates suggest data size exceeding 100 gigabytes and electricity requirements more than the entire country of Ireland.

Although this is true for the PoW methodology, other alternatives such as proof-of-stake (PoS), Byzantine fault tolerance algorithm, and delegated proof-of-stake model require less energy. However, they come with their own disadvantages, for example in the case of PoS, users with more stakes will have greater control on decision-making.

Trusting the blockchain developers and managers

A very high level of trust is placed on the developers and managers of the blockchain. It is a new technology where a large number of entities are innovating to create solutions. The focuses, owners and software implementations vary.

Implementations of these technologies are largely dependent on the community of developers backing the project or the owner. A decision to soft fork or hard fork a project, or to change the cryptography algorithm, will be driven by the nodes and participants in the blockchain. These decisions are driven by codes that govern the consensus and the community developing it.

At the same time, it is important to build resilience into the networks so that they can be entrusted with critical data, information and services. Carrying out a risk assessment of the project is important before making a choice.

Increased responsibility on the user

By its very design, blockchain implementation does not have a central authority – at least in the case of public blockchains such as Bitcoin – which puts additional responsibility on the user. There is no entity to go to in the event of individuals losing private keys (or incurring losses as a result of revealing a private key).

Also, there is no feature to restore forgotten passwords and usernames that individuals are used to. Individuals need to exercise great caution, just as on the Internet, before publishing anything. The importance of entering the correct data is very important too as it is very difficult to make corrections later.

Implementing data privacy legislation

Data protection and privacy is a major concern and initiatives to prevent their abuse are being taken by countries and regions (e.g. Association of Southeast Asian Nations (ASEAN), European Union General Data Protection Regulation (EU GDPR).

For example, the EU GDPR has instituted the “right to forget” whereas the design of DLTs is oriented towards “never to forget”. Although there is a possibility of keeping identification unknown in the system, it raises security concerns largely in relation to anti-money laundering (AML) activities and know your customer (KYC) requirements.

Policy and regulatory risks

The policy and regulatory framework around blockchain is in its infancy and therefore entails high risks. The fluctuations in the price of Bitcoin and the reports of hacking of cryptocurrency have resulted in increased regulation by a number of countries and has attracted regulatory interest.

These regulations vary from a complete ban on holding cryptocurrency (e.g. Bangladesh), a ban or regulation on cryptocurrency trading (China, Saudi Arabia) to a ban on holding initial coin offerings (ICOs). A number of blockchain projects, especially those dealing with currency or cross-border transactions, requires KYC/ AML compliance and it is important to understand the national framework before delving into these projects.

At the same time, governments see DLTs as a high potential technology and are investing in the use of its application. A project without the use of cryptocurrency in general will have less regulatory challenges than those with it.

At present, there is no international framework for cooperation amongst policymakers and regulators in this area, which means there is a lack of appropriate consumer protection in the international environment.

Speed of transactions

The speed of transaction is an important element as some of the public blockchains do not have high transaction speeds. On Bitcoin blockchain, a new block emerges on average every ten minutes but is not guaranteed; and this block time is different for every blockchain.

For scalability, it is important to understand the requirement of applications in terms of speed (transactions per second (tps)) before choosing a solution. Theoretically, Visa network can handle about 50,000 tps, which is a lot more than is offered by most mature blockchains today.

Malicious users

In the absence of identification of a third party, the system is prone to risks from malicious users in systems that are pseudonymous, that is with no requirement to disclose identity.

Although DLTs are designed to disincentivize malicious intent, there can be situations where malicious users have greater incentives to game the system and at least cause harm in the short term and may call for a hard fork. These situations are more likely where they gain greater control of the system.

Identity and security

Public blockchains carry out transactions based on the public and private key of the individual and do not keep the mapping of the identity with the key. This raises security constraints for the law enforcers and applications where identity is important.

In contrast, there are privacy concerns in disclosing identity on permissionless blockchains that require data to be public facing and transaction histories to be disclosed. Most DLTs use encryption algorithms that are hard to break by normal non-quantum computers.

Going forward, where quantum computing (relying on cubits rather than bits) gains momentum and enhances computing powers, these encryptions are not secure enough. There have been a large number of successful attacks on DLTs and there are security risks associated with DLTs30 (e.g. blockchain attacks, phishing, malware, cryptojacking, endpoint miners, implementation vulnerabilities, wallet theft, technology attacks, legacy attacks which have been modernized, dictionary attacks, quantum computing-based attacks).

Adapted from the FAO publication Blockchain for Agriculture.