Research suggests that distributed ledger technology (DLT) could pose some serious risks and threats to personal data privacy and could be vulnerable to denial of service or other cyber attacks. The research was commissioned by Hong Kong's Fintech Facilitation Office (FFO), which was set up in March 2016 by the Hong Kong Monetary Authority (HKMA) to conduct research on the applications of fintech in banking and payments.

The applications of DLT have been frequently discussed in the media and include user scenarios such as smart contracts, exchange of data and signatures in the trade and trade finance process, as well as making cross-border payments. However, the technology's risks have received less attention. This HKMA/FFO white paper suggests that DLT could pose money laundering problems and could be challenging for financial authorities in terms of enforcing regulatory compliance. In particular, it addresses these risks:

• malicious validating nodes
• network problems and attacks
• identity theft risks
• money laundering
• sales of illegal drugs and contraband
• receipt of ransom payments
• DDoS (distributed denial of service) attacks
• theft of wallet keys

DLT vulnerable to cyber attacks

The paper says that DLT could still be vulnerable to denial of access attacks and other cyber attacks. It states:

“Due to the anonymous nature of participants in some DLT applications (in particular Bitcoin), DLT is sometimes seen as being associated with issues of money laundering and the sale of illegal goods, and as supporting the ransomware payment model. Although these issues may largely be addressed when DLT is implemented in a “permissioned” network (which only authorised and authenticated participants may join), this kind of solution still needs to be examined in detail.”

The problem of personal data privacy

It also adds that another point of concern is personal data privacy: “as information stored in DLT cannot be altered or deleted once added, any application will need to address how to comply with the data protection principles of accuracy and an individual’s right of correcting data. In addition, some DLT applications may be implemented across various jurisdictions without a single entity responsible for their running, so issues relating to cross-border data flow, legal enforceability, liability, dispute resolution, discovery and extraterritorial reach need to be addressed too.”