In daily life we are increasingly hearing new terms surrounding cyber technology. For example the ‘internet of things’ allows us to turn on our heating on the way home from work, turn the lights on before we approach and simultaneously start the coffee maker to welcome us home on dark winter nights.
While automation is a physical and relatively easy to understand concept, less so are the terms ‘blockchain’ and ‘cryptocurrency’; nevertheless, we hear of them on a daily basis. Whilst these are less familiar terms, they could facilitate how we buy our more tangible gadgets in the future. Do we really understand these terms? If our clients are talking about them, how well do we understand the risks – both upside and downside – that they represent to the business?
The background to blockchain
When I first heard these terms I turned to the internet – and confused myself further! I then spoke with a friend was able to explain them in layman terms and suddenly clarity dawned. If we are to consider the impact of these concepts upon our clients and audit work, we need to first establish a basic understanding.
Blockchain was invented by Satoshi Nakamoto in order to create Bitcoin. No one knows the true identity of Satoshi Nakamoto, or if indeed he was one person or a group of individuals. But one thing is clear, the origin of blockchain and cryptocurrency is one and the same. The reason people distinguish between them today is because ideas from blockchain can be applied to other areas.
Since the release of Bitcoin in 2008 multitudes of other cryptocurrencies have started with 1,658 now in circulation; however the majority of these are very small. Bitcoin dominates with a market capitalisation bigger than all the other cryptocurrencies put together (approximately 67% market share).
Though blockchain came from the creation of Bitcoin, people have started to realise its potential for other areas, thanks largely to blockchain's ability to solve the double-spending problem without the need for a trusted authority. Put simply, it means we don't need a controlling body to manage transactions. Normally banks would fulfil this function, so without banks how do cryptocurrencies work?
Everyone has access to a ledger that contains all the transactions that have ever taken place. When someone wants to spend some ‘coins’, the transaction has to be verified by ‘miners’ on the network. Miners are people who have bought dedicated mining rigs (processors specifically built to crack cryptography problems) to find new coins. They are purely focused on mining coins, but the process of mining continually checks the transactions. If you try to fool the network by saying a transaction took place when it didn't, then the miners will reject the transaction. This is the equivalent to having your bank card rejected by a card machine. Sorry, the computer says no!
Blockchain creates a very secure network. But it also creates potential privacy problems which cryptocurrencies are only able to resolve through anonymity. In order to understand this, we have to understand a new problem created by the distributed ledger.
Below is an example where identities have not been hidden:
‘Mr Wolf’ paid ‘MeatWarehouse.com’ £30
‘1st Little Pig’ paid ‘2nd Little pig’ £500
‘3rd Little Pig’ paid ‘Whips&Rubber.com’ £29.99
‘The Gingerbread Man’ paid ‘Mr Wolf’ £15,000
As everyone gets to see the ledger, you can see it's possible for anyone to work out that Mr Wolf has a lot of money in his wallet at the moment. Also if we visit Whips&Rubber.com to find out what the 3rd Little Pig has been up to, we'll be able to work out that he appears to be paying a monthly subscription for their premium package. This entitles him to unlimited access for one-on-one rubber fetish webcam experiences. Oh dear, now you see the problem of not hiding identities when everyone can see the ledger.
So let's hide their identities with four digits (actual addresses are 25-34 characters in length):
‘1234’ paid ‘8101’ £30
‘6423’ paid ‘1982’ £500
‘1087’ paid ‘7624’ £29.99
‘0213’ paid ‘9767’ £15,000.
You will see that ‘1234’ has been substituted for ‘Mr Wolf’. But nobody knows it was Mr Wolf except for Mr Wolf. Also each time there is a transaction his wallet address changes. Notice when he receives £15,000 from The Gingerbread Man his wallet address becomes ‘9767’ making it impossible to link any transactions.
Hiding identity is not just about privacy, it can also be a matter of safety. Normally, if someone had £10m pounds, they would keep it in a bank. But the value of cryptocurrency is in the coins. If someone can gain access to your coins on your device, then they can steal them. So if people could work out who had a lot of Bitcoin and where they lived, then it would be easier to kick down their door rather than trying to rob a bank.
We are used to the idea that everyone's identity is known, but personal financial information is hidden. Cryptocurrencies can only work because they are the total reverse. All financial information is known, but personal identities are hidden.
But cryptocurrencies aren't the only use for blockchain. For example a bank could use a permissioned blockchain system for keeping their customer accounts. If an external hacker managed to break into the system, any changes made would automatically get rejected. This would occur because all the other nodes within the network would be working to validate the transactions. The system would instantly know that it had been compromised, and would be able to activate an alarm to signal a breech.
The culture to hide identities is not one that sits well with the established financial institutions – meaning that cryptocurrencies are often viewed with suspicion. However, the potential benefits that blockchain technology could bring to the industry have meant that most financial services will have an internal blockchain project of some kind.
Now, I wonder what The Gingerbread Man and Mr Wolf are up to?
Lee Glover – director of internal audit, Haines Watts
Current and future resources
ACCA UK’s Internal Audit Network will be running a series of webinars on crypto currencies and blockchain for internal auditors in April. Information about the Unblocking the Crypto Chain webinar series and how to register will be released in January 2019.