
Old Rules for New Tech - Privacy and Data in Web3

I’m a really creative person, but I’m also a massive idiot. So most of the time I outsource my thinking about privacy, data and compliance to other people, not other things (ChatGPT—I see you). I admire the work of wonder women in this space—check out Heidi Saas and Debbie Reynolds: if you take nothing else from this article let it be known that these two know their onions.

Be Excellent to Each Other

My knee-jerk reaction to traditional data and privacy is more of a learned-by-osmosis golden rule: treat others' personal data and privacy as you would want yours to be treated. In other words, respect individuals' privacy rights and protect their personal data as you would want yours to be protected. This means being transparent about how personal data is collected, used, and shared, obtaining consent from individuals before collecting or sharing their data, and taking steps to ensure that data is secure and protected from unauthorised access or disclosure. Additionally, it means giving individuals control over their personal data and respecting their rights to access, rectify, or delete their data as appropriate. It also means avoiding any form of discrimination or unfair treatment based on personal data, such as race, gender, or religion.

This golden rule of privacy and data is reflected in many privacy laws and regulations, including the General Data Protection Regulation (GDPR) and GDPR-K (for kids' data) in the European Union and the California Consumer Privacy Act (CCPA) in the United States. Individuals and organisations can help ensure that personal data is collected and used in a responsible and ethical manner that respects privacy rights and protects individuals' personal information, but what about web3? What happens when we go open and transparent with our data? How do we control everything that is personal to us?

Someone made a fun comment about me recently, “she’s so web3 that she doesn’t do insta or whatsapp”. I definitely don't, but not because I'm so out-there and web3, it’s because I got sick and tired of being catfished, gaslit and infiltrated by products and services that somehow slipped into my DMs without my permission.

The Doxx

Ugh, this bane of everything we do online, not just web3: The Doxx, the act of doxxing, it's gross. Doxxing is the practice of researching and publicly revealing personal information about an individual or organisation without their consent, typically with the intention of harassing or causing harm. This can include information such as their full name, home address, phone number, email address, and other sensitive data. If you're reading this and worrying, this is not a rallying call for you to change your name to M. Mouse. It's something you can't really control, but it should be a reason to change what you're doing. You should simply carry out those processes, all processes in web2 or web3, with a heightened level of security.

Because doxxing can be carried out by anyone with access to the internet and can be done for various reasons, such as revenge, activism, or simply as a form of online harassment, you do need eyes in the back of your head. This practice of malevolence can have serious consequences, including loss of privacy, identity theft, physical harm, and even loss of employment or social status. It's also invasive and pervasive on our wellbeing: it's harassment, plain and simple. The exposure can come from hacking, social engineering, or simply searching for information that is already publicly available online. The information may be posted on social media, forums, or other online platforms, and can quickly spread to a wide audience.

It's important to note that doxxing is illegal in many countries, and can lead to criminal charges and civil lawsuits. Therefore, it's important to be cautious and responsible when handling personal information online and to respect the privacy of others.

Decentralise Everything

Web3, also known as the decentralised web, is a paradigm shift in the way we think about and use the internet. I often (and foolishly) suggest that this is open season on privacy and data because there are no rules. However, as web3 is based on blockchain technology and allows for decentralised applications (dApps) that are built on top of a peer-to-peer network rather than relying on a centralised server, I’m both correct and incorrect in my throwaway statement. Decentralisation has significant implications for privacy and data management.

In web3, data is typically stored on a decentralised network of nodes, which are maintained by a community of users rather than a single central authority. This means that data is not controlled by any single entity, but is instead distributed across the network. In addition, data on Web3 is typically encrypted and secured using cryptography, making it difficult for unauthorised parties to access or manipulate.

Privacy is also a key consideration in web3, as users have the ability to remain anonymous or pseudonymous while using dApps. This is achieved through the use of public and private keys, which allow users to maintain control over their identity and personal information.

One of the implications of transparency in web3 is that all transactions and interactions are publicly visible on the blockchain. While this provides a level of transparency and accountability, it also means that any personal information that is associated with a particular transaction can be viewed by anyone on the network. Remember what I said about doxxing? Therefore, you gotta be careful in your considerations of what data is shared on the blockchain, and how it is stored and accessed.

Accentuate the +

Web3 should lead to greater trust in the system because of the open and transparent nature of the platform. By providing a clear and public record of all transactions, you should feel confident that the network is operating as intended and that your data is being handled in a secure and responsible manner. The comparison to web2, though we're super comfortable with it, is obvious. Web2 applications are typically managed through a combination of technical and legal considerations. The technical measures for privacy include the use of encryption, authentication, and access control mechanisms to protect sensitive data and limit access to authorised users. Legal measures include privacy policies, terms of service, and regulatory frameworks that govern the collection, use, and disclosure of personal information. But guys, guys! These are all, or often, centralised, meaning that data is stored on a single server controlled by a central authority. This can present privacy risks, as users must trust the central authority to protect their data and use it responsibly. That word again. If the central authority is compromised, or if it uses the data for purposes that are not aligned with the users' expectations, this can result in significant privacy violations, and we've seen the fallout, haven't we?

Disclosing personal information in order to use the application has always gone hand in hand with web2 privacy: things like name, email address, location, and other identifying information. Then, in some cases, this information may be shared with third-party service providers or advertisers, which can further compromise users' privacy. That's the bit that I can't stand. I'm damned if I do and damned if I don't in web2. Why do I have to do X to get Y? It's a barrier to entry and I don't want to be limited, like at all, in how I access anything on web2 or web3 platforms.

If we want to continue with the old regime of privacy and data regulation in the transition to dApps and web3, it could have a number of implications and challenges. How about tossing traditional regulatory frameworks in the bin? These rules about privacy and data protection may not be fully compatible with the decentralised nature of web3 applications. For example, it may be difficult to identify a single controller or data processor in a decentralised network, which could complicate compliance with existing regulations. To be fair, these privacy and data protection tools are weighted in favour of the data consumer rather than the owner; that's why we need independent controls as we transition between web2 and web3.

Our optimistic desire for greater privacy and control over personal data is one of the main drivers behind the move to web3 and decentralised applications. If we feel that our privacy is not adequately protected, we may be reluctant to use dApps and may instead stick with traditional web2 applications. The result is a limit on the growth and adoption of web3 technologies.

Finally, I want to say that there is a risk that if the old regime of web2 is maintained, it could perpetuate existing power imbalances and limit innovation in the space. Decentralisation has the potential to democratise access to information and resources, something that the world probably needs as we move to an advanced technological age. If the old regime is maintained, it could stifle efforts to give individuals greater control over their own data and limit the potential benefits of web3.

I'll look at the doxx in more detail in a subsequent article, but for now, it is important to balance the need for privacy and data protection with the potential benefits of decentralisation and the transition to web3 before we get there. We definitely need something new, and I promise to explore that next time. Until then, the onus of new regulatory frameworks and innovative approaches to privacy and data protection is on us. More care, more common sense and definitely more comprehension is needed no matter who we are. If we're outsourcing our privacy and data thinking now, what will become of us?
