This guest article was contributed by Mohammad Sayadi, solution architect and CEO at Djuno.
The tech world has erupted amid the rapid growth of Web3, the third iteration of the Internet. Web3 is centered around blockchain technology, a key element of which is the democratic concept of decentralized data storage.
Decentralization takes personal data and content out of the hands of third party platforms (e.g. Google, Amazon, Apple, Facebook) and allows consumers to own their data and essentially do whatever they want with this information.
If that sounds like an otherworldly deviation from the current norm – a.k.a. Web2 – that’s because it is. The advanced and generally unfamiliar mechanics behind Web3 make it very difficult to regulate, and a complete absence of a regulatory framework creates many security risks. And until Web3 is widely recognized as safe, mass adoption won’t become a reality.
Before going over these vulnerabilities and how regulatory policies can mitigate them, we need to understand how Web3 differs Web2 in terms of data storage and management:
Web2 vs. Web3
The decentralized storage of Web3 stands in stark contrast with the centralized storage of Web2, in which data is stored on a single cloud system owned by a third party platform like Google Cloud or Amazon Web Services. Since they own the data, these platforms can prevent consumers from accessing their own data and theoretically sell consumers’ personal information to the highest bidder.
In Web3, on the other hand, there is no single cloud system or server because no single entity has control over the network. Data is distributed across multiple servers and split into small pieces – or “blocks” – each of which are encrypted with a specific cryptographic hash or private key. These blocks are then distributed across an extensive system of nodes through a process known as “sharding.”
When it comes to privacy and security, Web3 is a significant improvement over Web2. This is primarily because Web3 avoids reliance on a central server, which is an attractive target for cybercriminals. Decentralized data storage enables consumers to decide if they wish to share their data publicly or keep it completely private.
However, while decentralized networks may be more difficult to hack than centralized networks, this doesn’t mean they are impenetrable to data breaches and other forms of cyberattacks.
The security risks of Web3
Despite its decentralized structure, Web3 has proven to be just as vulnerable to phishing, SIM swipes, malware payloads, and bot attacks as Web2. The difference is that, while Web2 can be protected by antivirus software, firewalls, security suites on the cloud, or virtual private networks (VPNs), most decentralized networks only employ single-layer security protocols. This is because very few – if any – security tools are capable of protecting Web3’s blockchain technology against the aforementioned cyberattacks. For instance, current security tools were not designed to protect against the use of malicious smart contracts on a network’s front end.
Likewise, the source code that runs the blockchain in a decentralized network is typically not protected by the same type of security that protects an organization’s infrastructure. According to a report by Forrester Research, running closed source smart contracts is apparently “frowned upon” within the Web3 community because it contradicts Web3’s “open code” ethos.
Also, while decentralization was designed to give control back to ordinary people, who’s to say these groups of people couldn’t consist of cybercriminals? If more than 51 percent of a network’s blockchain is controlled by malicious collaborators, these people could theoretically form malicious nodes or collectively manipulate the blockchain in what is known as a “51 percent attack.” Thanks to Web3’s anonymity and lack of oversight, innocent users would have no way of spotting a malicious network or authenticating the opposite end of a transaction involving personal information.
And if someone’s data does get stolen, it’s not as if decentralized networks have a “fraud department” where users can report a theft. This points to another major obstacle to the mass adoption of Web3: the lack of a regulatory body to penalize data theft or retrieve lost data.
To that end, it’s worth noting that no web application in existence is truly 100 percent secure. Like any other type of application, blockchain can contain errors in coding, which can create additional security vulnerabilities. Since decentralization means there’s no single entity at the center, fixing these flaws requires the approval of the entire network. That means that once a security flaw is discovered, it could take a very long time for that flaw to be fixed – if ever.
How can regulations make Web3 safer to use?
Again, it’s extremely difficult to spot malicious activity or correct security flaws in a decentralized network. For this reason, the first regulations for Web3 should be geared towards ensuring that developers adhere to certain security standards when building decentralized networks. After all, the codes these developers design will ultimately determine the security of consumers’ assets and information.
For example, developers might need to undergo a certification process before they can create a decentralized network. This would allow government agencies to maintain a list of registered networks, which would show the general public that only certain networks can be safely trusted with their personal information.
This certification process could also ensure that legitimate decentralized networks share a series of common characteristics and can be distinguished from malicious networks. Regulators from different countries or jurisdictions could also share best practices with each other in order to maximize security across borders without inhibiting scalability.
Once a network is ready for deployment, further regulations could mandate that the network’s founders conduct periodic audits. Any potential flaws in security or signs of suspicious activity would have to be documented and reported to government agencies. Likewise, the network’s founders would have to make sure that only certain users are directly interacting with their smart contracts.
Such regulations could come to resemble New York’s BitLicensing legislation, which requires any business that engages in virtual currency activity to develop and implement a series of protocols and submit affidavits, undergo background investigations, and more upon the state’s request.
Regulations will determine Web3’s future
Regulating Web3 will be no easy task, partially because the very concept of regulations contradicts a key aspect of decentralization: evading authority. Web3 also involves a highly complex application of blockchain technology, and the U.S. government has only recently taken its first steps towards developing policies in relation to cryptocurrency and digital assets.
Hopefully, the steady momentum of Web3 and the ongoing wave of cyber attacks on cryptocurrency will motivate legislators to act quickly. In order for Web3 to fulfill its intended goal of making the Internet safer to use, the public and private sectors will have to work together to make that a reality.
Mohammad Sayadi is the CEO of Djuno, a company that develops AI technology to help businesses optimize their cloud IT infrastructure for better performance.