Designing a governance model and policy should be as independent of the chosen technology as possible. This is especially important in a rapidly changing technological landscape, such as the DLT space, where the right choice of technology may change frequently, and there may be several technologies and standards that are in use at the same time. The need for multiple technologies is greater for governance approaches that are aimed at a geographic region, rather than a specific market niche. Whereas a governance model closely associated with a niche market might be able to converge on a small set of technologies, a geographically oriented governance structure will need to cover a broader set of use cases and needs to be more technology agnostic.
As a thought experiment, a good policy and governance model should function well, even when the chosen technology is a shared spreadsheet.
Policies can be difficult to change and so must serve their purposes over extended periods of time. This means that an overly prescriptive policy runs a very high risk of quickly becoming outdated. A policy that is too strongly tied to an industry landscape that has progressed can easily become counterproductive.
The goal of a good policy is to establish principles that will achieve a set of desired outcomes. To come up with a good policy, its creators must take into account the possibility that established rules may have consequences that are opposite of the desired outcomes by limiting options or by slowing down its subjects in achieving the desired goals. Therefore, the principles must be carefully considered and evaluated against positive as well as negative effects.
A good strategy for achieving desired outcomes while avoiding risks can be modeled as a balance of progress versus risk management. If progress is given too much priority, risky decisions may be undertaken and jeopardise the intended goals. On the other hand, if risk management is given too much priority, attempts at progress will be thwarted or subjects may choose other frameworks that are more conducive to achieving the desired goals faster.
For this reason, the right balance for a DLT governance policy should benefit from an approach that leans toward the permissive end of the spectrum. This is especially important because DLT use cases can be tricky to work into models that deliver business value, and falling short of expectations is common.
Innovation is a famously difficult process to navigate as it involves dealing with failure in the face of elevated expectations. If the policy leans too strongly toward restraint before business value has been proven, the policy subjects may become strongly disincentivised from taking on innovative projects and from investing in the space.
As use cases prove their value, and where the risk of compromising events is deemed to be increasing due to a high amount of activity and decreased visibility, it may become prudent to tighten the policy slowly over time. This is consistent with allowing for a more progressive approach when the adoption and exposure are small, and gradually attenuating risk as the stakes become greater.
As DLTs are still nascent, research on their component elements is always ongoing, so breakthroughs may be encountered. The approach to intellectual property is evolving too, with some firms applying for patents or following a Software as a Service (SaaS) model, and some offering their technology to the market with permissive open source licensing conditions and full disclosure of source code.
The open approach has proven to be the most effective at spreading new types of solutions, when faced with limited resources for development and distribution. From a policy perspective, giving policy subjects a choice of approach to creating or using intellectual property is desirable, but needs to be balanced with interoperability across the policy’s jurisdiction. Interoperability can be achieved by requiring data interchange format and encryption standards to be followed, so that ecosystem innovation efforts of participants are not restricted by choices made by others. The benefit of standardising interoperability through data and encryption standards is that both data objects and encryption standards can function across blockchain platforms.
An example of the effects of standardisation is that identities issued on several platforms could all serve to access one service, or vice versa, a single identity from one provider could operate across independently developed and operated services.
With numerous DLT networks forming and with the lack of established standards, interoperability may become a barrier for the smaller networks to merge and form larger and possibly higher-value networks. Although there are efforts to provide technical solutions for interoperability, they all present their own challenges. This also contributes to the hesitation companies and government agencies are going through when deciding where to invest in blockchain and which technology to bet on.
DLT use-cases and networks that do not have a proven incentive model, such as the mining model, may struggle with financially maintaining security of the network. Any established network must therefore have funding plans that ensure its adoption and an incentive model that will take hold once the value flowing out of them begins to be realised.
Privacy and confidentiality
As discussed earlier, privacy and confidentiality are key factors when it comes to blockchain and DLT. Information on the blockchain is immutable by design, hence, it is possible that the use of blockchain may bring challenges with complying with privacy regulations and standards, such as the European GDPR (General Data Protection Regulation), Bahraini PDPL (Personal Data Protection Law), Qatari DPL (Data Protection Law) and expected laws across the GCC. The main concern is that data stored in a replicated and indelible medium is a risk to privacy. This is true, even if the data is encrypted, since guarantees about the security of encryption are time-bound for any given encryption scheme. This means that in order for encryption to remain effective, it must be possible to upgrade the encryption when weaknesses are found, and old copies need to be deleted. This is a concern even before we start considering the “right to erasure” that has gained adoption in Europe as an emerging legally required feature of systems that store personal data.
Even in a private blockchain network that implements Zero Knowledge Proofs, where no information is actually stored on the blockchain, the volume of transactions alone may be confidential information between competitors in the same network. This can be another obstacle for blockchain network formation, especially for industry networks that would naturally include competitors.
These challenges mean that the only viable mechanism today for handling personal data is to store and manage it off-chain in traditional systems with known privacy enabling architectures, such as private cloud and point to point encryption.
Private blockchains lose some of the security aspects inherent to fully trustless public blockchains. In a closed loop of trusted nodes, a security breach of one of the nodes might compromise the whole network. This elevates the importance of infrastructure security and key management and presents a crucial area for standardisation and enforcement across all participants.
Addressing these challenges through policy
As a deduction from the previous sections, a good policy in the DLT space needs to be as technology agnostic as possible and permissive in a way that stimulates innovation, while containing risks and mitigating the challenges that impede blockchain adoption and network formation.
Instead of dictating approaches and solutions, the form of which no one can reliably predict, a policy can provide guidance and stimuli for participants to agree on an approach to move forward to test it. As such, a DLT policy might give priority in network formation to industry governing bodies or can stimulate the formation of such bodies that can drive network formation. Additionally, it can identify the areas that network participants need to openly address.
However, one foundational element that can be directly addressed through a policy and that can have a profound effect on blockchain implementation is identity management. Having a trusted source for issuing digital identities for entities and individuals can play a significant role in driving adoption and facilitating interoperability between blockchain networks, and this is not exclusive to private blockchains.
In other areas, policy can provide the general guiding principles, such as requiring that no data gets stored in the clear on the blockchain, specifying the minimum security standards that networks need to adopt, and addressing the key laws and regulations that the networks need to uphold while providing support and guidance on the laws and regulations that are not yet ready for a fully digital age.