#104: Data Ownership: the future of data privacy with Web3
W FINTECHS NEWSLETTER #104: 22/04-28/04
👀 Portuguese Version 👉 here
This edition is sponsored by
Iniciador enables Regulated Institutions and Fintechs in Open Finance, with a white-label SaaS technology platform that reduces their technological and regulatory burden:
Real-time Financial Data
Payment Initiation
Issuer Authorization Server (Compliance Phase 3)
We are a Top 5 Payment Initiator (ITP) in Brazil in terms of transaction volume.
💡Bring your company to the W Fintechs Newsletter
Reach a niche audience of founders, investors, and regulators who read an in-depth analysis of the financial innovation market every Monday. Click 👉
here
👉 W Fintechs is a newsletter focused on financial innovation. Every Monday, at 8:21 a.m. (BrasÃlia time), you will receive an in-depth analysis in your email.
In the first decade of the 21st century, the question "Who owns the data?" sparked various discussions about who should have the right to access and transfer user data, whether it's the companies storing them in their databases, the financial institutions that collected them, or the users themselves who generated them.
In the United Kingdom, Open Banking began when fintech companies encountered difficulties in accessing customers' transactional data. This made it challenging to create personalized services, as well as to compete with major banks. To allow customers to choose their financial service providers, regulations such as PSD2 (Payment Services Directive 2) emerged in the European market. These regulations compelled banks to open their APIs and seek user consent for data exchange. This fueled competition and innovation in the financial sector.
Essentially, data can be used multiple times without being depleted and accessed by several people simultaneously, with their value increasing as they become easier to access. In other words, the more accessible the data, the greater the value that can be created from it.
As the internet has advanced, these complexities of data access have gradually been resolved, while paradoxically bringing other challenges of concentration, control, and privacy issues.
The evolution of the internet
In the early era of the internet, known as Web1, user interaction functions were limited. This phase focused on information reading, with little to no user interaction.
Identification methods on portals and websites were also more archaic, often requiring repetitive information such as email and password with little interoperability between different players.
Web2 brought greater harmony to data exchanges and increased the potential for creating new data, as now besides data reading, it was possible to write new information, giving rise to social networks.
With this new phase, federated identity emerged, allowing login through accounts such as Google, Apple, and Facebook across various services. This not only simplified user onboarding on different platforms but also granted these players greater control over their users. In other words, this centralization of data further strengthened the power of these players over user information.
Big Techs and other service providers in Web2 have the advantage of controlling user data, which often results in scenarios where they assume significant power over what happens with this data. For example, when you store your photos on Facebook or Instagram, these platforms have the power to delete them citing a violation of community standards.
The challenges of privacy in Web2
Moreover, the era of Web2 has been marked by significant privacy concerns.
A notable example was the Cambridge Analytica scandal on Facebook, in which the data of millions of users was improperly shared and used to influence elections and other political processes. This only intensified the debate that user information can be exploited without proper consent.
Furthermore, persistent issues related to malware and spyware in online advertisements also pose risks to users' digital security. These forms of malicious software can be embedded in seemingly legitimate ads, exposing users to risks of personal data theft, privacy breaches, and other harmful activities.
Initiatives to correct the path
Data protection regulations, such as LGPD in Brazil, CCPA in the US, and GDPR in Europe, have sought to control and increase the accountability of Big Techs regarding shared data. However, even though the enforcement of GDPR has led to several significant fines, major technology companies do not struggle to pay the fines. In a way, the cost of non-compliance for Web2 companies is monetary, with few legal consequences.
As I mentioned in the previous edition [link 👉 here], data protection laws have several challenges to be complied with. In the case of the Brazilian data protection law, the authority responsible for supervision faces various difficulties, even in punishing companies that violate LGPD.
The Web2 approach to correcting privacy tends to exacerbate the problem because, in many cases, these companies increasingly concentrate power and control over user data.
Although laws like GDPR and LGPD are intended to protect users and provide transparency on how data is being used, in practice, they often result in more bureaucracy for smaller companies and fewer resources to implement necessary changes.
Meanwhile, larger players, with more financial resources and greater technical capabilities, can more easily adapt to regulations and, in some cases, even use their position to shape laws according to their interests. This can perpetuate a cycle where large companies become even more dominant, resulting in more concentration of power.
The Web2 business model
The business model of many of these companies also indicates that there may not be many changes in this regard. Essentially, Web2 companies rely on advertising. To enhance segmentation algorithms and ad sales, increasingly more data is required, whether consented to or not.
Companies like Google and Facebook have thrived thanks to their "secret sauce" advertising formulas, in which they combine vast amounts of user data with sophisticated algorithms, which in turn encourage users to interact with ads.
Some argue that Big Techs should compensate their users for providing data. But the monetization model in Web2 is complex. The reality is that while some online content creators receive a share of the advertising revenue generated by their videos, most users are not compensated, despite providing valuable data used to target ads.
These data, which are the true source of value for the platforms, are held and controlled by them, while users do not receive a fair share of the generated revenue.
I believe the first step towards monetization and compensation for individuals is to ensure data autonomy. In other words, autonomy may lead to compensation.
Infrastructures for sharing consented data, such as Open Finance, are good starts to ensure data autonomy — user control over data — but it still doesn't create complete autonomy, as this data is still stored centrally.
Web3 can change this game through concepts of decentralization and sovereign identities. This could open up new opportunities for data monetization, as users would have more control over who accesses their information and how it is used.
The privacy challenges in Web3
The main difference between Web3 from other versions of the Web lies in the democratization of ownership.
Web3 utilizes blockchain technology to optimize the user experience, ensuring users control over their data. The impact of Web3 through blockchain technology ensures that the internet operates on a peer-to-peer network of nodes, operating in a decentralized network, rather than relying on centralized servers.
While Web1 was defined by the website and Web2 by the post, in Web3, the token takes on the central role.
Tokens are digital assets on the blockchain that facilitate exchanges, represent real-world assets, and encourage participation and governance in decentralized networks. They enable direct transactions between peers, eliminating intermediaries.
With blockchain serving as a public ledger, data becomes accessible to everyone. This drives competition, potentially enhancing end-user experiences. However, there are challenges regarding privacy.
In Web3, balancing transparency and privacy is challenging due to the decentralized and transparent nature of blockchain networks. Ensuring privacy without compromising security is complex.
A promising solution is Zero-Knowledge Proofs (ZKPs), capable of ensuring privacy without sacrificing transparency.
In practice, ZKPs could be used to allow an individual to prove their age to access a certain online service without revealing their specific date of birth. For example, when requesting access to a site that requires age verification, the user could generate a cryptographic proof that they are over 18 years old without needing to disclose their date of birth.
This would be done through a ZKP protocol, where the user interacts with the age verification system in a way that convinces it of the truth of their age without revealing any additional information. This approach preserves the user's privacy since they do not need to disclose sensitive details, while still allowing them to prove their eligibility to access the service.
However, ZKPs face challenges of scalability, and compatibility, and require substantial computational resources. To understand the privacy infrastructure of Web3, we need to break it down into three levels: network-level privacy, protocol-level privacy, and user-level privacy.
Privacy at the network level
The basic idea of privacy begins with the network itself, where each transaction is protected by consensus systems and the design of the blockchain. This fundamental idea refers to the Bitcoin protocol, which anonymizes 'wallet addresses' through cryptographic hashes of 160 bits.
This approach inspired the development of other privacy-focused blockchains, such as Monero, launched in 2014.
Monero differs from Bitcoin by hiding both user wallets and transactions through a concept called 'Ring Signatures'. Within a 'ring', users have access to a group signature used to sign transactions, making it virtually impossible to identify which specific user conducted the transaction. This idea of 'privacy in the crowd' ensures that on the Monero network, all transactions are automatically protected.
However, this privacy safeguard can also be exploited by malicious individuals for illicit activities such as money laundering and drug trafficking, especially due to Monero's popularity on the Dark Web. The association of "privacy coins" with criminal activities may discourage legitimate users concerned about their privacy, limiting their adoption.
Privacy at the Protocol Level
An alternative approach to privacy is to ensure "protocol-level privacy," where private transactions are processed through protocols or applications on a blockchain network, rather than being encoded in the network's consensus.
While implementing this was challenging in early blockchains due to a lack of programmability, the advent of smart contracts, as seen in Ethereum, paved the way for privacy protocols such as Tornado Cash. The latter mixes transactions in a pool to ensure privacy. However, in 2022, it faced US sanctions due to allegations of use by North Korean hackers.
Another strategy, led by the Aztec Network, focuses on "rollups," a second-layer scaling technique for blockchains. This approach aims to improve the processing capacity and scalability of blockchains while safeguarding funds and facilitating private transactions. Using ZKP, rollups ensure transaction privacy and system integrity.
Although still in early stages, these solutions represent the next phase of privacy evolution at the protocol level, offering superior scalability compared to decentralized application (dApp)-based alternatives such as Tornado Cash.
User-Level Privacy
Another approach is "user-level privacy," which focuses on ensuring the protection of individual user data rather than just transactions.
This aims to address the issue that "privacy coins" have faced with criminal activities. This approach seeks to implement targeted filters, allowing private interactions for legitimate users and quickly filtering out harmful behaviors.
Furthermore, this approach further intensifies the use of decentralized identity (dID), leveraging the dynamics between the user and their wallet addresses on the blockchain. A notable example is the Notebook Labs project, which aims to unite scattered identities on the blockchain with personally identifiable information, ensuring both user privacy and security.
Additionally, "stealth wallets" emerge. These wallets function as an additional layer of anonymity, allowing users to conduct transactions on the blockchain privately without revealing their identities. This is especially relevant in cases where users want to maintain their privacy when dealing with unique digital assets, such as NFTs, or in transactions involving less-known and specialized cryptocurrencies.
The complexity of privacy in Web3
Privacy in Web3 is a complex challenge, where different approaches, whether at the network, protocol, or user level, seek to balance transparency and privacy.
The conflict between privacy and transparency is likely to remain a central theme in the evolution of Web3, with multiple interests at stake, including governments, developers, and users.
What I believe will be crucial for the mass adoption of privacy-focused blockchains is accessibility for users. Many projects cater to technical users, but for widespread adoption, simplifying the technical aspects of blockchains to enable common users to understand and enjoy their benefits will be necessary. Privacy in Web3 is not just a technical issue but also a user experience issue.
With the transition to Web3, users are likely to focus mainly on the most popular cryptocurrencies, which raises the question:
What is necessary for a privacy-focused blockchain to achieve significant recognition?
This dilemma leads us to question to what extent consumers truly value privacy and what concessions they are willing to make in its name. Understanding how much consumers value privacy and what concessions they are willing to make is crucial for the acceptance and influence of privacy blockchains in the future of the digital economy.
What is the path to Data Ownership?
I believe it's quite likely that we're moving towards technologies that take a more user-centric approach.
In the Web2 environment, platforms hold absolute control over user information, directly impacting privacy and portability rights. In Web3, while users are technically owners of their data, they lack control due to the immutable nature of the blockchain and the lack of effective deletion mechanisms.
The ideal solution seems to lie in a privacy model that grants users control over access to their personal data while allowing them to securely and profitably share that data.
A promising approach involves combining data portability with privacy techniques like ZKP, which allows data to be used without being viewed or stored. This would ensure user privacy while enabling the generation of value from their data. In an ideal scenario, users could rent out their data to applications, receiving fair compensation and retaining control over who has access to it.
I don't believe people really care if big platforms possess their data enough to do anything, but I think they will care about what can happen when they can control their own data, whether that means more integrated online usage, personalized experiences, or more money in their bank account. The future of privacy is based on ownership, putting data control directly into the hands of users, but we still have a long way to go.
If you know anyone who would like to receive this e-mail or who is fascinated by the possibilities of financial innovation, I’d really appreciate you forwarding this email their way!
Until the next!
Walter Pereira
Disclaimer: The opinions expressed here are solely the responsibility of the author, Walter Pereira, and do not necessarily reflect the views of the sponsors, partners, or clients of W Fintechs.