Is the Old World Ready for Radical Permanence? Arweave, Europe, and GDPR Law
Disclaimer: None of the post is legal advice.
Regulatory bodies have always been keen to bring law down on crypto – KYC, for example, is mandatory to enter or exit the space, tracking all transactions in between to link them with a name, face and bank account. When the scope of blockchain evolves, it’s reasonable to expect the law to catch up to cover the edge cases.
Before Arweave, all blockchains were transaction ledgers without capacity to store large amounts of data on-chain. The technology has progressed significantly, and now you can store big chunks of data directly on the chain, permanently: blockchains evolved from ledgers to archives.
In this article, I’ll look at how this evolution impacts the precarious relationship between web3 and regulators.
Does anybody remember GDPR? That promise of controlling the use of personal data which mutated into an annoying extra button on a user interface. One reading of the body of GDPR law could conclude that Arweave, web3, and the blockchain in general is not GDPR-compliant.
What makes Arweave unique compared to other protocols is that it can promise permanent storage of arbitrary data at scale.
Arweave facilitates the creation of an open, decentralized, permanent archive of any kind of record submitted for upload by anybody, for an indefinite amount of time in exchange for an initial fee. Its ultimate goal is to maintain data, considered worthy by someone to the extent that they paid to be stored forever, for future generations to be accessed scientifically, historically, or anthropologically.
If you interpret Arweave through the web2 cloud storage service lens, a regulator might be outraged about its apparent potential for personal data violations. Although, even the EU begs to differ.
Let’s take GDPR’s Article 89 for instance:
- Arweave qualifies for both paragraph 2 and 3’s clauses which apply when: “personal data are processed for scientific or historical research purposes or statistical purposes” and “personal data are processed for archiving purposes in the public interest” respectively.
- Whatever the referenced articles demand, if they “render impossible or seriously impair the achievement of the specific purposes” of Arweave, there will be/could be a exemption.
- Pseudonymisation is achieved by design at the user interaction level with the blockchain.
- Interpreting paragraph 4, Arweave’s core doesn’t serve any other purpose than ensuring a mechanism for permanent storage. Only the layer on top of Arweave could serve “other purposes” like retrieving specific files or metadata, so the dApps interacting with Arweave may not benefit from those exemptions in some instances.
So, what actual rights granted by GDPR is Arweave permitted to circumvent?
- Article 15 Right of access by the data subject;
- Article 16 Right to rectification;
- Article 18 Right to restriction of processing;
- Article 19 Notification obligation regarding rectification or erasure of personal data or restriction of processing;
- Article 20 Right to data portability;
- Article 21 Right to object.
You might notice that a core right – the right to be forgotten – isn’t covered there. Does Arweave need to bow to regulators and delete data? Actually, there’s more to it than that.
The right to be forgotten, or Article 14 – information to be provided where personal data has not been obtained from data subject – does not apply in cases where:
“the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”
There is also Article 9 for special categories of personal data, which does not apply if:
“processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.”
Does this mean that Arweave will use those potential exceptions to overstep the mark? No, actually those are relevant only in rare cases for maintaining the integrity of the entire concept. Imagine that in the future, several national archives will upload their content to Arweave to ensure their citizens that they don’t tamper with the integrity of their records behind closed servers. If Arweave has to delete a single dick pic uploaded by an anon, no matter the reason for the deletion request, the entire use case for those national archives will be lost.
Who are we to judge what’s worth preserving?
While it has never had to be used, Arweave possesses a unique decentralized Content Policy Mechanism that assures a democratic consensus on moderation policies.
Each node could state policies on what is worthy of being stored on its servers. If its rules are too harsh and it rejects too many transactions, this will lead to fewer rewards; if the node’s rules are too permissive, it will end up storing data that the rest of the nodes didn’t want. Now, you can already see here that if a public body, let’s say the EU, wants harsher content policies they only have to become a part of the network and run their own nodes.
Is this mechanism bulletproof? Of course not, but counter-intuitively it’s perfect for the network’s final goal. Usually, our views of what is good or not, or what is essential or not, are linked with biased mindsets. As little as it is, my background in archaeology gives me the means to appreciate the “unwanted” parts of history, which sometimes is preserved without the willingness of late generations. The dicks carved on Pompei’s walls are equally important as exquisite mosaics. An archaeologist will take more information from a gutter than from the walls of a palace.
Medieval “lewd” art on the margins of a religious book…how ethical was this at the moment of its creation? Now is considered a tiny window into the minds of our ancestors, despite the mainstream ethos of the era.
Ok, but what if hate speech or terrorist propaganda will breach the moderation wall? Will they be fit for permanent storage? Unfortunately, those things are part of our history too. We cannot pretend they never happened. If we want our children to dismiss those things, they must first recognize them. In the future, we could identify some content that escaped moderation and let it be a constant reminder of our past shortcomings.
The right to be forgotten vs the right to be remembered
Again – how about the inability to delete stuff? Until now, web permanence was a utopia. Regulators, even if they wanted, couldn’t impose on others the indefinite storage of, for example, financial records because it was unfeasible (so that’s why they limit the period in which a company must store financial or employee documents for 5, 10 or 20 years). They merely manage to keep their own shit, aka laws and stuff, for an extensive period. Gradually, probably national laws, regarding archival duties of specific data sets will change in a form that will incentivize a company or a person to upload that data to the permaweb for researchers of the future.
But data uploaded to Arweave will be visible on the spot. I don’t want to share my employment records with everybody! But who says you have to upload it in clear text? You can encrypt your files and leave them be only to be decrypted for the public at the application level 50 years or 100 into the future (check Sarcophagus for a working Arweave-based implementation of this).
And by the way, for the sake of symmetry, why not have “the right of being remembered” opposed to “the right of being forgotten”. The true, sad reality for almost all of us is that we will disappear into oblivion, “they” will definitely forget us.
An anarchic cypherpunk could even argue that the “the right to be forgotten” is tailored not for me or for you, but for those few in power, who would want to carefully select what the posterity will remember about them.
Why shouldn’t states explicitly recognize a person’s right to fully store his web interactions into permanence? To be an explicit choice, like organ donation. Imagine how meaningful it will be for the anthropologists of the future to have access to an entire digital life. Those guys will be the Otzi of the future.
Look closely at this shard. I’ve touched hands with an individual who lived over 5,000 years ago. Nobody remembers who was the smartest, the wealthiest, the most powerful individual of his time, only his imprint survived (by accident) and made someone from the distant future think about long past.
Returning to Europe
Now, “building on GDPR’s political success” (you can access an article here about the acts where the author actually argues GDPR is a success), the EU is ready to tackle the regulation of its digital market through a triptych of acts:
- Digital Governance Act
- Digital Services Act
- Digital Markets Act
How will this conclude? Given that the scope of those regulations is to wrestle with current intermediary services platforms, the impact on the Arweave ecosystem will be… indirect, at worst.
A revolutionary recommendation came from the Council of Europe, which put forward the motion to “adopt legislation on access to archives”, recognizing that archives are essential and “ensure the survival of human memory”.
Contrary to this, no mandatory directive regulates archives throughout the EU. Instead, there is a “recommended/endorsed package” called eArchiving. I could start to elaborate about this cumbersome Frankenstein creation but I’d rather not. You can look at it yourself if you are into BDSM. Long story short: eArchiving is a component of the third iteration/attempt of EU to develop an architecture (EUDOR) for digital archiving (a sort of open SDK).
It will probably die after 2022 (the contract with the company developing/maintaining it will end next year). It was modeled after an ISO standard called OAIS — Open archival information system, which is not open at all – it comes at a fee of 198 Swiss francs. I just looked at their free preview and concluded that an ape would call the International Organization for Standardization a blatant scam.
What is worth to be mentioned is that the “next steps” eArchiving is willing to take are website archiving and…guess what…potential blockchain integrations!
The mess Europe is in
You will find a plethora of rules regarding specific archives, offices, institutes, etc. that have something to do with data management in a more specific or broader sense: there are archiving policies for documents issued by the European Commission; there is a Publications Office of the European Union, one of its scopes being the digital preservation of its works; there is an official European data portal, and then you have the HAEU (Historical Archives of the European Union), which is basically the physical and digital “dump” for all documents the EU considers worthy for permanent storage, with its own regulation.
Speaking broadly but without being too far from the truth, we can state that this: with regard to archiving, the EU is in a beautiful mess.
However, the image will be far from complete if we don’t look at another more articulated venture of the EU: the open data initiative, based on a directive issued in 2019. Essentially data is considered open when anybody can access it, use it for free, and share it.
Interestingly, they assume that accessing the data could incur a cost, but it has to reflect no more than the “reasonable” reproduction cost. They emphasize that it’s not about the means on how that data becomes available/was published, but about the rights to use itself.
You see what they’ve done here? They have no clue how to sustain an open database economically, so they refuse to discuss the technical architecture, hoping that some centralized actors will keep online that database and charge “reasonably” for the access to just keep the entire dump operational. There are close to zero private actors on board with this. What if governments will change their policies in a couple of decades and decide to pull the plug? Farewell, open data.
It’s not only the EU
The confused state of archival law in the EU is a subject too vast to cover, so let’s assume that what’s been said is enough to get the general idea, and take a quick look elsewhere: the UK.
As you might expect, the UK has one of the oldest state archives out there, given the fact that their constitution is uncodified and comprises of countless acts issued in a span that goes way back in the past (you know, Magna Carta – 1215 AD).
Like any other national archival system, their legislation is pretty straightforward; they have a time buffer after which their documents are sent to the national archives, in their case 20 years. So, each year The Keeper of Records (doesn’t that give you a WoW vibe?) will hand the records deemed for storage from 20 years ago to the national archive. At the moment, the national archive seems to be getting creative with how they maintain those records.
Surprisingly, they tried blockchain at some point. Even though that particular project – Archangel, a joint venture with the University of Surrey and the Open Data Institute – looks abandoned, its philosophical roots are unquestionably correct. Archangel tried to store document metadata and “fingerprints” on the Ethereum mainnet in order to assure the public that its data would never be tampered with.
If one wants to study the desired outputs and the technical aspects of this project, it will become obvious that the tech needed for this to succeed was not available at that particular moment. They were forced to reinvent the wheel and create some sort of hash with the use of AI which had to be independent of future file formats changes. What?! Why don’t you store the file in its original format on the blockchain and create a permanent interface with the needed decoder to retrieve the file on every browser?
Well, because it’s not economically viable to store big chunks of data on Ethereum…and that brings us inevitably to Arweave.
Imagining the archives of the future
I actually wanted to look through a few other states, but this will be a topic for another time. Let’s wrap it up for now and jump to some conclusions:
- Shockingly, GDPR doesn’t collide with Arweave’s “impossible” features.
- The procedural set of actual “archival” rules, like those embedded in eArchiving, could reside above the network without any problem on the permaweb.
- Some national archives are already trying to address ethical issues, like how they assure the public of the immutability of their records with the help of blockchain tech.
- Arguably the notion of “open data” could hardly be a success without the participation of blockchains like Arweave.
Instead of a proper closing phrase, I’ll say this: I can see a future where “cool” forward-thinking states mine $AR and operate gateways to power their nation archives while mocking “normie” totalitarian regimes for letting their history slip into the ether. I can see a distant future when certain states will be remembered only indirectly, from others’ recordings.