How decentralized identities can save us from surveillance capitalism in Web3
As we transition into Web3 and the metaverse, how are we processing and protecting user data when using these new technologies? Are we running the risk of making the same Web2 mistakes again, and can DIDs fix the problem?
The dawn of the metaverse raises new questions about user protection and data-driven advertising. This new world is hinging on immersive technology that could allow companies to collect new kinds of personal information and even biometric data.
In a worst-case scenario, Web3 and the metaverse could be just as bad for user data security as are the Web2-based business models most of us love to hate, maybe even worse. How do we as an industry avoid falling into the old trap of surveillance capitalism?
Web3 technology itself holds the key to answering these questions and mitigating the risk. There are different definitions of what Web3 actually is; one key definition is that data should reside on the user or client side, not on the server side. The latter is the prevalent model of today and the main reason why the user is not in control of her data.
Web3, on the other hand, is the exact opposite – users are in control of their data through their wallets. But being in control also means handing out data when or where needed, and a key technology enabling the control of personal data is decentralized identifiers, or DIDs.
DIDs are designed to decouple from centralized registries
DIDs have already been standardized through W3C and some blockchain projects are working on implementing the standard to be used by ordinary blockchain, Web3, and metaverse users.
According to the DID standards documentation, DIDs are
“a new type of identifier that enables verifiable, decentralized digital identity. A DID refers to any subject (e.g., a person, organization, thing, data model, abstract entity, etc.) as determined by the controller of the DID. In contrast to typical, federated identifiers, DIDs have been designed so that they may be decoupled from centralized registries, identity providers, and certificate authorities. Specifically, while other parties might be used to help enable the discovery of information related to a DID, the design enables the controller of a DID to prove control over it without requiring permission from any other party.”
One of the blockchain projects deeply involved in developing and implementing DIDs is Ontology. Ontology is a public blockchain project that helps other projects put reputation and decentralized identity front and center: things like data management, data sourcing, and integrating data from different feeds and locations, with a focus on cross-chain collaboration as well.
The metaverse changes the way audiences engage
To help us understand the risks of surveillance capitalism in Web3, and how to minimize them, CryptoSlate talked to Erick Pinos, America’s Ecosystem Lead at Ontology. Erick is also President of the Blockchain Education Network (BEN), a seven-year-old global network of blockchain clubs, students, professors, and alumni.
According to Pinos, what sets Ontology apart is the tools and the infrastructure to manage digital identities, and manage data – storing data and keeping it privacy-preserving for the user – that Ontology develops and provides to others.
“I think the metaverse is going to change the way audiences are engaged because up to this point it’s been very straightforward – here is the product and the service you can choose to interact with or not – but now with the metaverse, especially when we get more into things like VR and experiments with AR, now we’re interacting with these services in a 3D space, as opposed to just seeing it on our screen,” Pinos says.
This is going to change the relationship between the consumer and the product or service, because the consumer can feel it’s a tangible thing that’s right there in front of her, especially for VR. Even today, people are able to spend some time in these virtual worlds and just hang out. That has already changed the way that people interact with others and with these services.
Collecting data in a 3D space
Services in a metaverse virtual world can collect user data by seeing user behavior, instead of just collecting data in 2D, such as where the user is looking at the screen or where the mouse is pointing. In the metaverse, services can collect data in a 3D space, where people are moving around and interacting with other users and with services.
“I think that it’s up to us as an industry to put decentralized protocols in place for people to still remain in control of their data, because that is a lot of data that is going to be generated, and if we’re not careful about it, it’s going to end up in the hands of companies that are running the risk of losing all this data in hacks,” Pinos says.
According to Pinos, decentralized identities are going to play a big role in this development because that is what lets people link data pieces to their identity, to then present for whatever use case they need. Users perhaps need to connect with someone or something where they need to present a credit score, for example. By having a decentralized identity they are able to share that information and then revoke it once the data has been shared or once the use case has been achieved.
The important thing is that the data doesn’t live on a server owned by a company; it stays with the user and only gets lent out for whatever the action is.
Companies have to adapt to a new model
One could argue, then, that this model doesn’t stop companies from saving the data once it has reached the company server; which is true, but it would depend on the terms of service for that particular service. It could also be that a service must keep user data e.g. for compliance purposes.
But according to Pinos, as the entire industry is moving to open data collaboration and letting people keep their data personally, privately, and locally stored, companies are going to have to adapt to this new model.
“Companies can’t just keep going with the current model, they need to move and change because that’s how they can plug into the wealth of data that exists in the metaverse. For most of the products that transition over, there’s going to be a standardized flow of data, and the moats are no longer going to be in collecting data and hoarding it, but rather in the models that you can create to run on top of that data,” Pinos says.
There’s definitely a risk that things could go wrong; there’s nothing inherent in Web3 that makes it impossible for services and companies to practice unwanted surveillance. In fact, it may be even more tempting than today, because of the abundance and richness of the data becoming available.
“There’s going to be a lot of data created through web3 – people interacting with their wallets through the metaverse and people moving around in these 3D spaces. That is a lot of data generated per person per minute,” Pinos says.
The Web3 industry needs ethical guidelines
Since there’s nothing “hard” in the technology itself stopping surveillance, the industry has to adopt softer means and adopt the proper way of thinking. The industry has to make sure that it has ethics to guide the development of the technology in the right direction.
According to Pinos, the early development of the web tells a story to learn from. At the beginning of the web, there was a big clamoring that corporations were not welcome there and that this is the future of the free internet, but a few years later the companies came on board and started to put ads everywhere, and put cookies and trackers on users’ devices. The rest is history.
“I think that’s why it’s important for us to reflect on what happened before because if Web3 became like that, it wouldn’t be Web3 anymore. We would be still just living in Web2.”
Unfortunately, the tendency is already here, especially around large established Web2 companies that smell future profits in the metaverse. Some have even changed their company name accordingly.
The internet will change in drastic ways
Pinos thinks these companies will pivot their marketing and say they want Web3 because that makes sense for them, but he doesn’t think they will be able to change the actual business model. Instead, there will be new companies starting from the ground up that will build themselves up using new frameworks.
“I think there’s a preference for the internet and how we interact with the internet, so I think there’s going to be a disruption – the internet is not going to stay the same forever, it will keep changing, and changing in drastic ways,” Pinos says.
How, then, are the Web3 native businesses behaving; are they adhering to new and better ethics, or is it too tempting to make money the old way?
“There’s a couple of them, but it’s still a business so they need to figure out short-term revenues. I think a lot of the Web3 stuff right now is very experimental so it’s gonna take a little bit before we see native Web3 companies just running themselves. There will be a transition period, and each successful project will push us a little bit further into using Web3 infrastructure,” Pinos says.
Zero-knowledge proofs on open ledgers
Of course, Web3 is about open ledgers, and all data stays on the blockchain and might be exploited for all kinds of purposes. For example, if someone voted in a DAO, everyone can see, and maybe exploit, this information.
“That’s why I think DIDs are important because right now if you’re voting in one of these projects, you’re voting in a DAO, but in the future perhaps you’ll be voting in political elections using blockchains. That’s why, on the user side, we need decentralized identity so people can create DIDs for themselves, and then vote in a way so it’s not revealed, and it’s not tied to their public persona,” Pinos says.
The vote, however, will still be verifiable: it can be checked that the person casting a vote is eligible to participate. On the actual transactions used for the voting, there is also a lot of technological development around zero-knowledge proofs, which enable voters to cast their votes without revealing who they are while the system can still tell whether it’s a legitimate vote.
The same thing goes with any kind of financial transaction – there are two levels to this, on the transaction side, and on the user and wallet side.
“DIDs will be helpful on the wallet management side, so you can use different DIDs for different purposes, and zero-knowledge proofs will be helpful on the transaction side where you are actually executing the transaction. It will be secure and private, but it will still be provably legitimate.”
Keep as much as possible on the user side
Erick Pinos’ advice to builders and developers is that they should always be thinking about doing everything, or as much as possible, around data processing on the client-side, because that’s how they touch the data as little as possible. Builders should try to decentralize the storage, and even decentralize the computation.
“If the user passes the data to you and you run a calculation on it, there’s a point of potential risk, because they sent it over to you, so the more you can do on the user side, the better. That way data stays local and doesn’t get sent somewhere. If it does get sent, that’s where it can be intercepted, that’s where it can be stored, that’s where it can be hacked,” Pinos says.
Fortunately, technology development is playing into the hands of developers. Users’ computers are getting more powerful, and powerful applications can run even on people’s phones.
DIDs let the user be in control of the data, but that doesn’t mean the data mustn’t ever leave the user’s device. There are, of course, use cases where users must provide some data, such as AML/KYC information, or the user won’t be able to access the service at all.
Erick Pinos believes in the flexibility of letting projects decide the level of verification they need for users to access the product; whether it’s full-on KYC, or just information needed to verify that a user is a unique individual and not a bot.
“I think that this level of flexibility is going to be very important because it enables the different projects to create and structure what their requirements are based on, or what their jurisdiction is.”
“It’s a global technology, there’s no KYC solution for the whole world. Different jurisdictions require different levels of KYC for their citizens, so the only thing we can do is to provide that flexibility for the projects,” Pinos says.
DIDs make a better way to do KYC
Using DIDs for AML/KYC purposes is, in Erick Pinos’ mind, a better way to perform this sort of verification because by decentralizing identifiers it wouldn’t be like sharing a passport or driver’s license with all the information in them. The user would only be sharing the information that the project needs to verify her. Services don’t need to know the user’s height, eye color, or home address, they just need to know that it’s a unique number, that it’s not a forged document, and that a user is a unique person.
“Some projects might need to know more, so what a DID does is that it gives you the flexibility to provide that. Right now, the system is very opaque – you upload a jpeg of your passport to all these companies and servers and it’s there forever. DIDs are a much smarter way, and a much more flexible, robust way of sharing sensitive information to verify your identity,” Pinos says.
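One way to realise the selective disclosure described above, as an added example that is not taken from the article or from Ontology's ONT ID: the issuer signs only salted hashes of the claims, and the holder reveals the salt and value for just the claims a service asks for. The HMAC key is a stand-in for the issuer's asymmetric signature, and the DID, claim names and function names are assumptions made for illustration.

```python
import hashlib, hmac, json, secrets

# Stand-in only: a real issuer signs with a private key, and the verifier
# checks with the public key found via the issuer's DID.
ISSUER_KEY = secrets.token_bytes(32)

def _digest(salt, name, value):
    # The random salt stops a verifier from guessing low-entropy hidden values.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def _mac(subject, digests):
    msg = json.dumps([subject, digests]).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()

def issue(subject_did, claims):
    """Issuer: commit to every claim with a salted hash, sign only the hashes."""
    disclosures = {n: [secrets.token_hex(16), n, v] for n, v in claims.items()}
    digests = sorted(_digest(*d) for d in disclosures.values())
    credential = {"sub": subject_did, "digests": digests,
                  "proof": _mac(subject_did, digests)}
    return credential, disclosures  # both stay in the holder's wallet

def present(credential, disclosures, reveal):
    """Holder: hand over the signed hashes plus only the chosen claims."""
    return {"credential": credential,
            "disclosed": [disclosures[n] for n in reveal]}

def verify(presentation):
    """Verifier: check the issuer proof, then each revealed claim against it."""
    cred = presentation["credential"]
    if not hmac.compare_digest(cred["proof"], _mac(cred["sub"], cred["digests"])):
        raise ValueError("issuer proof invalid")
    seen = {}
    for salt, name, value in presentation["disclosed"]:
        if _digest(salt, name, value) not in cred["digests"]:
            raise ValueError(f"claim {name!r} was not issued")
        seen[name] = value
    return seen

# Constructed sample data; the DID and the claim names are illustrative.
CLAIMS = {"document_valid": True, "unique_person": True,
          "home_address": "1 Example Street", "eye_color": "brown",
          "height_cm": 170}
CREDENTIAL, DISCLOSURES = issue("did:example:alice", CLAIMS)

if __name__ == "__main__":
    shown = present(CREDENTIAL, DISCLOSURES, ["document_valid", "unique_person"])
    print(verify(shown))  # the service never receives address, eye colour or height
```

The presentation carries a hash for every claim, so the service learns how many claims exist but not the names or values of the ones the holder kept back.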
To make DIDs scale globally, it helps to establish standards to make different DID protocols and projects intercommunicate with each other, even projects that have never heard of each other. As long as developers adhere to the W3C standards, they are able to plug in to and integrate with all other standards-abiding identity-based projects.
“I always think that standardization is generally a good thing,” Pinos says. “We have people on the team that participate in the committee discussions for the W3C. They have the reports and the formal proposals that update or change the standards.”
“The things we’ve been working on are making huge strides in the right direction, both in terms of the infrastructure that Ontology is building, but also the thought leadership, being in community calls, with different community members, with different companies and enterprises. We discuss these things and talk about what the standards, ethics, and frameworks should be.”
For Pinos, DIDs are not just a purely technological solution; they are also a matter of standards, ethics, and how we structure things from a societal standpoint.
What Ontology is building
What sets Ontology apart, at least according to Erick Pinos, is that Ontology has its own layer-1 blockchain and is also developing middleware solutions that can run on other blockchains but ultimately feed back to the L1.
Ontology’s technology stack is compliant with the W3C standards, which means it can integrate with already existing infrastructure for digital identities, even identities that are not decentralized.
Besides the blockchain, Ontology has developed the ONT ID solution, which is the actual deployment of the decentralized identity infrastructure that they have. This is what integrates the DID with the verifiable credentials, and that is compliant with the existing infrastructure.
ONT ID is also deployed to other chains, and that is how Ontology is able to bridge across different chains and create cross-chain identity profiles for users.
Web3 technology is not some magic solution to the menace of Web2 surveillance capitalism; we still need ethics. But, especially with the use of DIDs, it does put tools in the hands of users that give them control over how their data, and what data, is handed over to the services that need it, or don’t need it. As we have seen many times in crypto, Web3 shifts, in some respects at least, the responsibility over to the user side. But as always – not your keys, not your data.