Navigating Web3 projects requires two things: a high level of skepticism and the ability to follow the money. Forrester’s recent analysis of the state of the internet’s evolution is stark and honest:
- Scammers are running the show.
- The guiding principles are contradictory and confounding.
- People who lose money in decentralized systems want help from outside authorities to resolve the problem.
Forrester’s two new reports explain why CIOs, CMOs and other executives should approach Web3 with extreme caution and offer advice on how to evaluate Web3 proposals:
- Check whether a Web3 project is an enterprise blockchain project in disguise.
- Be prepared to develop a governance model if one doesn’t exist.
Forrester VP and Principal Analyst Martha Bennett is the lead author of both reports, “Web3 Promises a Better Online Future But Contains the Seeds of a Dystopian Nightmare” and “Web3 and Web 3.0 Are Synonymous Today–But This Wasn’t Always True.”
The problem with many Web3 proposals is that “…several core principles Web3 proponents advocate for aren’t practical today—and may never be.” According to Forrester, these include, but are not limited to:
- Decentralization.
- Trust in code, not companies.
- Open protocols and transparent code.
- User-owned data and content.
- User-managed identities.
Part of the problem is the belief in a technical utopia, the idea that technology is the answer to every problem and the belief that it will be used only for good. Bennett described a personal experience to illustrate the problem of this blind faith that ignores the fact that humans use technology in both ethical and unethical ways. During an Ethereum developer’s conference Bennett was attending, the Ethereum network came under a denial of service attack. When asked about the attack, one core developer said he never thought anyone would use the code that way.
“Some people are only thinking about how the code should function and not how it could be subverted,” she said.
Complete decentralization is neither possible nor desirable, according to Bennett.
One of the biggest concerns is the considerable technical challenges that remain with Web3 plans and ideas, including:
- Maintaining privacy and confidentiality on public blockchains
- Preventing harassment
- Establishing interconnectivity between different blockchains
- Addressing scaling and security issues at the network and the application level
Weaknesses in the Web3 architecture
Some of the earliest design decisions for blockchain created opportunities for malicious activity without providing any guardrails. Bennett used the example of an address that cannot refuse a package to describe how cryptowallets work. A bad actor could create an NFT linked to pornographic material and send it to a wallet.
“The vast majority of wallets are completely open, so if I have your address, I can send you something with nasty stuff in it,” she said. “And because of the way public blockchains operate, once something is out there, you can’t undo it.”
Gas fees that are more expensive than the cost of an NFT are another example of a weakness of the system. Recently, the company that owns Bored Ape Yacht Club started selling NFTs to launch a crypto-based metaverse game. Some buyers paid transaction fees that were five times higher than the cost of the NFT. A $25 digital image required an additional $3,300 in fees.
In addition to the risky design of open wallets, smart contracts also have issues, according to Bennett.
“This is a total misnomer because smart contracts are not smart, and they are not legal contracts,” she said. “They are automated business rules running on a blockchain.”
One of the architectural weaknesses of these business rules is the decision to make the code for the contract publicly available.
“If you are true to Web3 ideals, you will make that code openly available, but by doing that you’ve also got a much greater attack surface,” she said.
Developers who decide to keep source code private go against the ethos of Web3 and still run the risk of making a mess of a new product launch.
“There is a trend to not be so open with the realization of what this approach means,” she said.
No widespread demand for individual control
The main idea of Web3 is putting the individual in control, but that’s also where it falls down, according to Bennett. Managing data and identity in a decentralized, self-regulating community is possible but it requires a level of effort that many people aren’t willing to make. Instead of memorizing public keys and private keys and putting a seed phrase in a physical lockbox, people want these services to be easy to use.
“Not everyone will be capable of doing it, and a lot of people simply don’t want to do it,” she said. “It is possible to extract away from underlying complexities, but then you’ve immediately broken the principles of Web3.”
David Mahdi, chief strategy officer at Sectigo, agrees that there are some significant barriers to wide adoption for blockchain, particularly reliability.
“Centralized cloud providers contractually offer service level agreements, but public blockchains do not,” he said.
Trust and security are another barrier, along with identity management, Mahdi said.
“With decentralized identity and the formalization of NFTs comes the need for strong digital identities,” he said. “Remote identity validation solutions enabling users to securely sign documents from anywhere, on any device will be crucial.”
Developers also are skeptical about the merits of Web3, according to a recent Stack Overflow survey. More respondents were not familiar with what Web3 is (36%) than described it as the future of the internet (25%). The “it’s all hype” and the “crypto” groups were about the same size at 15% each. The smallest group, at 9%, sees Web3 as a scam.
Among the people familiar with Web3, 40% of those without blockchain experience think Web3 could be the future, and about the same number of developers with blockchain experience think it’s the future. Twenty-nine percent think it’s all hype or a scam.
The majority of the 595 people who responded to the survey (85%) haven’t built anything with blockchain.
Striking a balance and setting ground rules
Web3 worlds and infrastructure don’t have to be completely centralized to provide consumer protections and personal safety. James Arlen, CISO at database-as-a-service company Aiven, said that building safe metaverse worlds is not a zero-sum game but more of a Nash equilibrium situation, which means each player has to consider the decisions of other players when setting his or her own strategy.
“If everybody loses a little bit, everybody wins,” he said. “It can be a model where everybody wins if we do things for each other.”
The key to success is ensuring this governance is established by a governing body, not arbitrary decisions by big tech companies, Bennett said.
“I would like to see a grownup discussion balanced between decentralization and elements of central control that are properly governed,” she said.
A governing body could establish a process for addressing a smart contract malfunction. For example, a flash crash can be caused by algorithmic trading programs “triggering one another to sell in a feedback loop.”
An independent governing body could establish consumer protection rules for digital currencies and wallets. Currently there is no recourse for people who lose cryptocurrency either accidentally or because of a scam despite the fact that bad actors made off with $4.64 million over a weekend in four attacks.
“Whenever there is a successful attack, people call law enforcement, even though they say they want to operate in an environment that is outside government control,” Bennett said.
There are also privacy issues with recording every activity on a public blockchain.
“In many ways, public blockchains and privacy rules are incompatible,” she said. “If you can never delete anything, there is no right to be forgotten.”
In addition to establishing consumer protections, a standards group could establish codes of conduct beyond “if you don’t like it, you can go somewhere else.”