
Web3 Rules, OK?

Kelly here! I've done a lot of talks recently, where I have explored the possibility of better data practices for web3. As always with these passions of mine - I try to steer clear of what the developer thinks, I focus on what the end user wants, and I cut straight to the meat. I'm happy to say that this article is an opportunity for a larger conversation about everything connected to our data and why it's important moving forward transparently for all people across all web3 technologies, inclusive of video games.

Photo by Dimitar Belchev

The Golden Age

It’s 2022. One of the biggest problems that we know about web2 in 2022 is that it's very limited. And because it's very limited, there are not always good opportunities for us to be able to get something out of the relationship that we have with that particular web2 application. So if I want to play on my Xbox, I have to log in with my credentials first. That’s so last generation. If I want to go into Steam, the same thing is true. Hell, if I want to go into Meta (as if I would), I need an actual Facebook account to get in. So that makes it nice and simple for me in Oculus. No Facebook account? No play. But it’s not all doom and gloom: web3 is in a golden age, though the road to this supposed enlightenment is littered with BS APIs (dodgy interface contracts). Like dog poo and cans of piss strewn along the side of the highway, it’s disgusting. It would be a good idea to look at where those touch points are and where those pain points definitely are, and how we can get over them. So how do we start the cleanup process? You guessed it - we educate these so-called devs in exactly what we, the users, want by focusing on really useful existing tools and cool process designs.

Safety is the right of all users. It's not a privilege. It shouldn't be something that we have to pay for, no matter what the cost is to the developers. It should be something that we have instant access to. Safety and being safe in a web3 environment (and even a web2 environment) is paramount to being able to do everything from playing to buying.

No One Wants Your Data

When I think about how that works as a construct inside web3, I do not look at any other demographic apart from children, preferably under-13s, because it is here that this demographic and vulnerable adults become more vulnerable in spaces where they are exposed in terms of their credentials and their information. It is here that they are exposed to poor UX and bad data sanitisation. The number one rule of data design since time immemorial, for example, is that the moment something leaves the server, the creator (read data nerd) loses control. Is that a solid basis for protecting our users if we can’t protect the transaction of data as it passes between two points? If we have to log into a metaverse or website or even an app and we're used to 2FA or MFA (two or multi-factor authentication), then that looks on the surface to be safe, right? For children, safety does not always mean safe. In some cases, safety just means anonymised data. Therefore, as we are gleaning data from children who are accessing all of their favourite online games or social media platforms, what's happening to the data and who's protecting children when they're logging in? Blindly, they will be clicking yes and accepting all of the terms and conditions without question. Why would they? They are children. Who writes EULAs for kids?

Where is that data actually going? In most cases, it's being sold. That’s not cool. But you don’t have to look too far from your own PC or device to know where it’s being sold to.

Whitney Cummings recently joked that no one wants your data. Her analogy was simple: in the 70s, 80s and 90s, our names, addresses and numbers were stuffed into something called a telephone directory and then thrown from a car onto your front lawn. Today? We’re horrified by the Cambridge Analytica scandal or revenge porn, and we can’t believe something that awful would happen to someone like us. But Whitney Cummings is right. Nobody on the street cares about data, they’re happy to share it, because phishing opportunities or man-in-the-middle attacks break down the trust we have with the services offered to us, not with individuals specifically. These big corporations of the world are happy to trade your data across various platforms. They don't care about you. It’s nothing personal, because you are not your data. They are happy to sell it, and they're happy to take it, and they don't care about how they're going to protect you because this is not about you.


If none of this is about us, why do I get so heated about children’s data? Because data services tar humans with the same brush and children are not prepared, planned for, or presented to, and no one knows how to protect them, no one. Like, at all. Because if no one cares about you, why would they care about children?

There are only two bodies that seriously legislate on the misuse of children’s online data: COPPA and, in Europe, GDPR (Article 8 Amended/Revised). These two systems work together (in post-Brexit UK, the Data Protection Act and CEOP protect and police the act on top of COPPA and GDPR) to underpin not just data protection but loopholes.

Could decentralisation provide a better protection strategy for children?

Let’s look at the loose history of decentralisation during the rise of blockchain and crypto, starting with the wallet. We started to see a profusion of different software wallets as well as hard wallets - they're the kind of offline storage wallets where you can keep all of your keys and information pertaining to your crypto balance. That was cool. But very quickly, as users and developers, we discovered that these types of things are easily hackable, eminently so. Then a couple of years ago, along came MetaMask. MetaMask provided a kind of Fort Knox of twelve standalone words that would protect the wallet and lock it down. But as I expressed earlier, no plan survives contact with the enemy. If I have my MetaMask open and OpenSea, er, open, and I've also got my MetaMask opening Rarible, and I’m using my NFT as my Twitter profile pic, surely I’m putting myself in the same position as I would be if I have 36 tabs open in Google Chrome? The more tabs I have in my Google Chrome of password-protected spaces, the more chance there is to suffer keystroke, phishing and man-in-the-middle attacks that feed on my personal data, and that's the point at which people are always really surprised with wallets. “I can't believe I was hacked”. “I can't believe this money was stolen.” When the truth is, you let it happen. You let everyone in.

Protect Ya Neck

We should use multi-factor authentication (MFA) more. Two-factor authentication (2FA) is fine. But now we've got an opportunity to do multi-factor authentication, using different devices to verify and authenticate our identity. It’s a data perfectionist's dream. Anybody that works in data, cybersecurity, or any type of transactional business will be really happy to hear that you have multi-factor authentication set up on your machine or device. Multi-factor authentication also gives you a great opportunity to be able to do many things across different devices. And so, for you as the user, it's also very good for protecting yourself - a big win for everyone! A small study recently published the big MFA turn-off: the user could not be bothered to ensure that they are protected. I know because I am very guilty of that. When everything is down to the user, and the developer has to trust them, it's quite difficult for them to get to the meat of where they want to be with all the burning hoops they have to jump through. It breaks UX. Nothing breaks UX like a crappy API. Therefore, and until Solo Wallet launches later this year - which promises to do some serious security - MetaMask, though a crappy UX in and of itself, will suffice. Other wallets are available.

My point is that we must start to use wallets the same way that we're using login and passwords and MFAs right now. If the wallet has already acknowledged and authenticated, and verified our existence as a real person, then it should act more like a passport to enable us to go through websites and games and anything else that we want to do with ease so that we don't have to do all of that MFA crap because we can't be bothered to do it.

Do You Know CIAM?

Simply put, Customer Identity Access Management is something that no one ever thinks about. It's the subset of a larger concept of identity access management which focuses on managing and controlling external parties' access to business applications, web portals, and digital services. What a mouthful. In short, it’s a headless distributor: controlling how information about the user is distributed across platforms from user to service, and everything that's in between. It handles the customer identity, identity management, login experience and authentication. Still not sure? Then take a look at your Google Pay. Additionally, Google has got a really good authentication system which people really enjoy, which is CIAM-focused. So let's hope it doesn't go to the graveyard where everything else seems to go in Google. RIP Stadia. Google has an authenticator too - an MFA, if you will, as does Microsoft. I like to use Twilio’s Authy and SwissID. For CIAM, Google has something called Identity Platform. With the Identity Platform, you can just look at both CIAM and multi-factor authentication to integrate into Google's (or whatever’s) everything. Is Google trying to get into the scene where MetaMask and everybody else have both succeeded and failed so far? Maybe. I find it interesting that Google and Apple and all of these folks that handle data transactions of any description have aspirations to go full banking organisation, and any fool knows that you never go full banking organisation unless you are a bank. We've got enough banks. But we haven’t considered that the future of currency is actually transactional data. That’s quite funny for Google, a web2 leader wanting to play in our web3 world.

KYC Is King

The reason why I think KYC is one of the most incredible tools that we have developed over the course of the last few years is because KYC is the literal DNA of all of these other things: MFA, CIAM and safety. You know KYC, don’t you? KYC is famous for its relationship with AML. KYC means Know Your Client or Know Your Customer, and AML means Anti-Money Laundering. Together these work in crypto (and a few other systems such as banking) to ensure that people are protected. Where there are big swathes of finances or money that are moving from one place to another and transactions are happening, there is a feeling of satisfaction or reassurance that everybody inside this chain of transaction (excuse the pun) has been identified and is known both by the transactors and at the end destination as well as at the beginning. KYC usually happens at the beginning of an experience.

So why have I left KYC until last? It’s because I believe that KYC is one of the most underused tools that web3 has currently. It’s not just to check the identity of someone wanting to use or transact funds. Why can’t it be used to supersede MFA or wallets? Can we use it to anonymise all data pertaining to children on the blockchain? When children and vulnerable adults become more vulnerable in a space of play, or in a space of purchase, or being able to access information or not access information, it is important to ensure that all parties inside that transaction are protected. The only way to be able to ensure that a complete transaction is authentic is to use KYC. And if we use KYC, then we become able to green light young people, vulnerable people and ourselves to be able to play within the confines with which it is safe to do so.

Doing It For The Kids

In one of my previous metaverse projects where I was CTO, I helped to create a KYC layer as a tool that would ensure that only under-13s were allowed to play in that space. The KYC, in this case, was a normal KYC process flow. However, it was focused solely on the guardianship of the child, and they were the only individuals able to provide information about the child in their care. And because KYC does not discriminate, the guardian could be a parent, a custodian, a caregiver, or even, in this case, a teacher! Our metaverse was educational, and therefore it required a KYC layer that lived between chaos and order. When dealing with educational applications, safety is for everybody; it’s the priority and the right of all users. Schools want to know that their students/learners and staff are safe when they are entering into the metaverse, whether it's a learning metaverse or whether it's just a fun metaverse [insert your metaverse here]. But definitely with this KYC layer that I created, guardians, regardless of their side of the education system, could keep their children safe, and that means responsibility. I designed the layer so they were responsible for their children's identity, but not necessarily responsible for their children's play. Because play means autonomous access, inclusivity and discoverability for kids: these are the most important things. There isn’t a kid alive who wants their parents hanging around watching them in a metaverse. Therefore parental KYC gives children the freedom to be able to do so much more. But it also gives parents the reassurance that where they're playing is safe - because it is within their rulesets, guidance and, importantly, their decision. The parents (at home) or teachers (in a school setting) are the ones who enable that first transaction for the player or metavisitor, and in doing so, it is they who decide the safety level of play.

Safety and data have to go hand in hand. And web3 is a fantastic opportunity for us to put everybody together on servers worldwide to experience lots of things all at the same time and feel inspired, but more importantly, feel safe. So if we're not utilising KYC, MFA and CIAM correctly, then we're not really doing web3 fairly - after all, this space is open, persistent and interoperable. It’s transparent and it is here. So if we’re only using web2 tools to fix what’s on the horizon for web3, can we really say we’re making metaverse memories for decades to come? What do you think? Let us know!

