Digital privacy has been explored, debated, and resolved in various ways over the past decade or two. This journey has moved pretty much in sync with the steady rise of web-based systems, products, and services. But questions around privacy took a unique turn with the onset of web3.
Looking closely at web3’s core nature helps develop a stronger, more nuanced understanding of the key challenges discussed below. Generally, one might think of privacy-related risks as a direct outcome of excessive centralization.
Platforms like Meta (formerly Facebook) and other web2 giants have almost total control over users’ data. The bulk of this data lives in central servers, often becoming single points of failure. Moreover, the Cambridge Analytica scandal in 2019 exposed how Zuckerberg’s “privacy vision” was a sham. But this wasn’t a one-off situation — sadly, it’s pretty much the norm.
Web3, on the contrary, promises community-driven control. This requires distributed data storage, along with decentralized governance. However, this also means no one, in particular, is responsible for ensuring security or privacy. In the world of trustless ecosystems, autonomous users are pretty much in charge of everything. This includes keeping sensitive information safe.
When “your key, your asset/data” is the motto, the ball of privacy is mostly in the user’s court. Given the immutability of web3 transactions, losing one’s private keys, for instance, often means irreversible losses. Web3 wallet addresses are ideally anonymous, meaning it’s often impossible to trace malicious actors.
“Although decentralization is a worthy goal to strive towards, the reality is that privacy issues in decentralized systems are even more important. In web2, Google and Facebook can see all your data and metadata (bad), but in web3 potentially anyone can see it (even worse!).”
Sebastian Bürgel, HOPR founder: BeInCrypto
These are some fundamental conflicts that innovators must resolve.
Over 167 major attacks drained nearly $3.6 billion from the web3 space in 2022, i.e., 47.4% more than in 2021. According to security firm Certik, at least 74 of these incidents posed long-term data breach risks, significantly threatening web3 privacy as a whole.
Web3’s internal conflict regarding privacy can be solved through innovation. It’s only a matter of time. But there’s a growing need to comply with global privacy regulations, like the European Union’s General Data Protection Regulation (GDPR) and the Financial Action Task Force (FATF) recommendations.
They mostly assume that some specific entity collects, owns, and stores the data generated through user interactions. This puts web3 businesses in a difficult spot and presents a novel set of challenges:
Existing Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations oblige companies or platforms to collect and monitor users’ data. This is meant to help identify and report suspicious activity, protecting users and national interests. Likewise, companies must also issue a “notice” informing users about how their data is collected, used, and stored.
Ideally, web3 protocols don’t collect user data at all, let alone monitor it. But even when they do collect any data, it’s mostly stored transparently on public blockchains. No specific entity owns this data — except the users themselves — which makes regulatory compliance very difficult for businesses or service providers, if not impossible.
At the same time, however, storing data on transparent blockchains is a problem in itself. Anyone with an internet connection and other tools can access sensitive information stored on public blockchains. This level of exposure isn’t desirable from a privacy perspective, particularly because malicious actors in this space are constantly developing new ways to exploit the system.
Clicking on “Do Not Accept,” “Disagree,” or something similar provides a way for legacy users to “opt out” of the data collection and sharing regime. The jury is still out on whether this entails meaningful consent on the user’s part. But irrespective of its effectiveness, this gives users a semblance of choice. However, this, too, requires some entity to control the data collection process.
When users interact with non-custodial web3 protocols, the underlying blockchain automatically verifies and records the transactions. This is a code-driven process based on game theory principles. No one, not even the involved counterparties, can tamper with this data under normal circumstances. That’s what makes these systems so powerful in the first place.
The choice isn’t given in web3. Rather, it’s embedded into the system in a bottom-up manner. So when the regulators oblige web3 companies to give what they don’t have, many are unable to comply.
Besides opting out, users can also ask for their data to be “destroyed” or deleted per existing regulations. This, again, is a challenge in web3 for the reasons discussed above. Blockchains are irreversible for a reason, and it’s better if they aren’t otherwise.
Even while working with centralized or semi-centralized entities in the web3 space, users can’t expect the destruction of their data. At least not the part that’s verified and recorded on the blockchain. Nevertheless, they have control over who can access this data, which is groundbreaking.
Since blockchains store all data in cryptographically encrypted formats, one requires unique private keys to access them. Users can thus effectively revoke the third party’s access to information, but deletion is impossible in the sense regulators demand.
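The difference between revoking access and deleting data can be shown in a few lines. The following Python is an added example, not code from the article or from any project it names: Ledger, UserVault and keystream_xor are hypothetical names, the application is assumed to encrypt each record under its own key before writing it, and the SHAKE-256 keystream stands in for a vetted AEAD cipher.

```python
import hashlib
import secrets

def keystream_xor(key, nonce, data):
    # Stand-in cipher (SHAKE-256 keystream XOR) so the example runs on the
    # standard library alone; a real system would use a vetted AEAD.
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

class Ledger:
    """Append-only, hash-chained store standing in for a public blockchain."""
    def __init__(self):
        self.blocks = []

    def append(self, payload):
        prev = self.blocks[-1]["hash"] if self.blocks else b"\x00" * 32
        digest = hashlib.sha256(prev + payload).digest()
        self.blocks.append({"prev": prev, "payload": payload, "hash": digest})
        return len(self.blocks) - 1

    def verify(self):
        prev = b"\x00" * 32
        for b in self.blocks:
            if b["prev"] != prev or hashlib.sha256(prev + b["payload"]).digest() != b["hash"]:
                return False  # any edit or removal breaks the chain
            prev = b["hash"]
        return True

class UserVault:
    """Off-chain key store held by the user; keys never touch the ledger."""
    def __init__(self):
        self.keys = {}

    def write(self, ledger, plaintext):
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        idx = ledger.append(nonce + keystream_xor(key, nonce, plaintext))
        self.keys[idx] = key
        return idx

    def read(self, ledger, idx):
        key = self.keys[idx]  # raises KeyError once the key is destroyed
        blob = ledger.blocks[idx]["payload"]
        return keystream_xor(key, blob[:16], blob[16:])

    def revoke(self, idx):
        self.keys.pop(idx, None)  # destroy the key; the ledger entry stays

def demo():
    ledger, vault = Ledger(), UserVault()
    idx = vault.write(ledger, b"constructed sample: date of birth 1990-01-01")
    before = vault.read(ledger, idx)
    vault.revoke(idx)
    on_chain = len(ledger.blocks[idx]["payload"]) > 16  # ciphertext remains
    return before, on_chain, ledger.verify(), idx in vault.keys
```

Destroying the key only helps if no other party kept a copy of it: a party that was handed the key earlier can still decrypt the entry, which never leaves the ledger.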
It’s clear from above that web3’s privacy challenges have two roots: internal and external. Though related, they have to be addressed separately to some extent.
Building decentralized threat monitoring and risk assessment systems is one possible solution. Thanks to AI’s rapid evolution, innovators now have a very broad scope to explore such critical infrastructure. Over 73% of web3 marketers, among other stakeholders, already use AI in various ways. Prioritizing ethical and privacy-related considerations will drive this space forward in unforeseen ways.
Besides adopting AI for smart threat recognition and so on, it’s also crucial to invent and improve web3 primitives. Zero-knowledge proofs, for instance, are a great way of ensuring data sharing or verification without revealing the actual content. This can do wonders while balancing web3 fundamentals with the demand for privacy.
Moreover, since traditional social media platforms have been highly notorious from a privacy-breach point of view, building privacy-focused, decentralized alternatives could be a solution. Platforms like Verida are thus building self-sovereign data infrastructures for web3 to help users own their data through encrypted document databases.
While privacy-first innovations arrive on the scene, web3 users must also make sure to learn and use general safety-enhancing practices: using strong passwords, avoiding public Wi-Fi and centralized platforms, verifying suspicious links before clicking on them (if at all), etc. These are very, very important since there can be no coming back from losing private keys in web3.
Finally, coming to the external challenges, regulators (as well as users) must hone their understanding of web3. Their expectations must be realistic for the industry to comply. It’s necessary for all parties to grow and evolve with time, coming out of the legacy mindset.
Web3 brings a new world with altogether different rules. Regulators, for one, need to act accordingly and not with the typical one-size-fits-all approach.
“…Collaboration between developers, innovators, and policymakers is essential. Regulatory frameworks that support user privacy, data protection, and innovation must be established to foster the growth and adoption of platforms.”
Chris Were, Verida founder & CEO
Web3 privacy challenges must be addressed with urgency. Unlike in web2, web3 privacy can’t turn into mere lip service over time. Industry stakeholders must inculcate a general privacy orientation from the get-go. Importantly, users must demand privacy at all costs, even if it initially means navigating more complicated UXs and somewhat steeper learning curves.
New-age tools, coupled with secure data storage and identity authentication methods, will play a key role in this journey. Web3 is still in its early days, so the core components, as well as the UX, will certainly improve in the coming years. Innovation on this front is already ongoing. It’s not a question of if — but when — a privacy-first day will dawn.
Victoria Vaughan is the co-founder of ICL, a communications agency for the web3 and tech industry.
With over nine years of experience in the digital asset and blockchain space, Victoria has served as the CEO of Cointelegraph, a media outlet focusing on the web3 industry. Victoria has worked with many well-known industry brands, such as CoinMarketCap, Etoro, Moonpay, and OKX, and is an expert in growth hacking, marketing, and business development.