Tag: GDPR

  • Web3 and all of my questions, #3

    There is obviously a dividing line between integrity and authenticity when we talk about creating value based on Web3 technology. I’ll see if I wind up my own tail in trying to elaborate on this (for me) quite unclear topic.

    Cryptocurrencies, distributed ledgers, DApps etc. built on a blockchain have this quite odd property – they leave the users' information wide open for all who look into the database of the blockchain. This is by design and quite inevitable as I have understood it, and it was revealed quite some years ago as part of research written about in Wired (it’s a really well-written long read, highly recommended for those looking for an introduction to the crypto world).

    This reveals a conflict between wanting to claim authenticity and wanting to have integrity. I attended a webinar a couple of weeks ago where a Swedish web3 community had invited people to a session on web3 applications for corporates. I realized there and then that one of the first questions a buyer representative at an enterprise is going to ask is “how does your product/technology comply with GDPR*?” And I also realized that if you don’t have a clear answer to give instantly to that question, the buyer’s not gonna buy (or even consider thinking further about it). Said and done, I thought I should be the smart one in the virtual room and ask about the lecturer’s view on this. And yes, it became clear to me that this isn’t an obvious thing to solve. You can of course build protection mechanisms into your overarching logic, but it isn’t necessarily an easy task, since this mechanism needs to follow your info through the blockchain’s journey through the nodes.

    Another question to think about in this context is then – is it even desirable? Do we really want to hide our personal data that we have uploaded to the blockchain? Isn’t this one of the purposes of the cryptographic technology – to prove that we really are the one we claim to be? And could it even be that we need to redefine what personal data is when web3 use gains wider traction, or could it even be that personal data is personal data covered by GDPR* in one application and not in another? Might GDPR* not be applicable in certain future use case scenarios? In some use cases it might be more important for me to prove my authenticity than to have my integrity secured, or?

    This leads me to an analogy regarding surveillance and me being the one saying “I don’t care ‘cuz I have nothing to hide”. Could it be really, really bad in the long term to claim authenticity through a blockchain-ish footprint from a surveillance perspective, if the surveillance structures start to use my wide-spread, wide-open authenticity information against me?

    A possible branch of this topic is to analyze fraudster scenarios and how to block them, a topic that is possibly another factor the buyer of web3 development will ask questions about. Having preparations for this in a product development startup quickly becomes a hygiene factor in order to build trust with the corporate user.

    *) GDPR is taken here as an example of an extensive and widely adopted regulatory framework, with the awareness that many other frameworks exist globally.