Confidential Computing Will Secure Our Secrets in Web3

Web2 was built on data harvesting but the next phase of development must be about protecting that data, not exploiting it.

Often the true consequences of a technological shift only become clear later – and when they do, they can drive the next shift. That is certainly true of the “social web”, or Web2, which dominated web development in the first two decades of this century and is now slowly being supplanted by Web3. Web2 gave us so much, but the world is waking up to what it took from us. And we want it back.

Web2 revolutionized not only how we communicate, but in many ways, how we live. It changed the nature of the web from static, one-way information portals to dynamic, collaborative information sharing. It introduced the mobile, interconnected, cloud-based internet that now underlies most services – users expect to be able to access information and services seamlessly wherever they are, whatever device they are using, and to log in for a personalized experience.

It also got consumers used to accessing free services built on the value of user data. Or to use that now well-worn phrase, if you aren’t paying for the product, you are the product. At first, users generally assumed they were “paying” with their time and attention, and why not put up with a few ads? But it’s gotten creepier over the years, as it became clearer just how targeted those ads are, and how much we’re being snooped on. Seeing a product you looked at once follow you across a dozen websites is annoying. Seeing ads pop up in response to a conversation you thought was private – that’s far worse.

Public fights over the activity tracking that fuels all this targeted advertising go back at least a decade (Microsoft even attacked Google over it, although it faced similar criticisms itself soon after). But until fairly recently, it seemed that most people were willing to shrug off privacy and security worries. That is changing.

Why privacy matters – especially now

There’s a common argument that if you have nothing to hide, you needn’t worry about privacy. But this is simply wrong, for many reasons. One is that state surveillance poses a fundamental threat to free political action and thinking – as eloquently set out by journalist Glenn Greenwald. Citizens who live with the constant awareness that their actions may be seen naturally behave very differently; it’s a way of repressing dissidence before it even starts.

On the corporate side, data harvesting results in a concentration of economic power, and hence, market distortion. We have seen how the emergence of tech monopolies (driven in part by exactly this data exploitation) has made the erosion of privacy seem unavoidable: where are the alternatives? It also creates the potential for truly dangerous manipulation, as was seen in the Cambridge Analytica scandal. And then, on top of all that, there’s the risk of having centralized data hoards exposed to criminals.

Over the past year and a half, repeated lockdowns drove a digital revolution that pushed an already connected world further and faster into digitalization. Suddenly everyone had to get comfortable with remote working technologies, while telehealth, online shopping, and food delivery took on far greater importance. Masses of data were accumulated on remote servers that offered an inviting single point of attack. In this rush, and amid the existential terror of the global pandemic, data security was not exactly top of mind – which resulted in not only more data breaches (especially in the sensitive healthcare sector) but a higher cost for those that occurred.

In just the past few months, millions of private records have been exposed in incidents at T-Mobile, Microsoft, LinkedIn, and elsewhere. LinkedIn defended itself with the argument that it wasn’t really a breach since the information was legally scraped – which is, if anything, even more hair-raising. Clearly, user privacy is pretty low on the agenda for these companies. But the same can no longer be said for their customers, or for regulators.

Perhaps the clearest indicator of how the mood is changing is how hard WhatsApp has been hit this year. First, a terms of service update prompted millions of users to switch to other platforms, as they realized their private information was not actually that private. And then the company was hit with a record €225 million fine over GDPR non-compliance.

WhatsApp is a classic Web2 case study, with an irresistibly convenient mobile communication offering that just begged to be turned into a data harvesting machine. Although at first it was supported by nearly free ($1) downloads or subscription payments, once Facebook bought the company in 2014, the writing was on the wall. Privacy promises are all very well, but so much juicy data was just too good to resist. It’s become clear that privacy must be built in by design, not left to policies that can be changed.

The path to protection in Web3

While Web2 was distinguished by an interconnected experience, that impression was only skin-deep, with the client-server model of computing undisturbed. The new generation features distributed computing, as well as interaction, and depends on the secure interoperability of numerous systems. The new decentralized web aims to build a “fair internet where users control their own data, identity and destiny”. In this vision, users should retain sovereignty over their digital identities, while companies should be able to harness the power of data-generated insights without actually having access to that underlying data.

Although Web3 is underpinned by blockchain technology, which is transparent by nature, data security can be achieved through various means. One option is the use of trusted execution environments (TEEs) – hardware components that enable data to be processed according to defined rules without anyone, even the system administrator, being able to view the dataset. Because such a component can be remotely attested, it is suitable for use on a decentralized network. TEEs also accommodate the crucial right to deletion of your data. That opens up a world of possibilities – from collaboration between competitors to trustless smart contracts and GDPR-compliant cloud services.

Another well-known privacy technique with applications for Web3 is the zero-knowledge proof (ZKP). This is a mathematical way of verifying data without actually revealing it – it’s based on probabilities. The technique has applications in core blockchain use cases such as cryptocurrency transactions and digital identification. But as yet, ZKPs are not generally market-ready; the method is abstruse and computationally heavy. And it doesn’t easily comply with the right to erasure – although data is not revealed, there is a risk of exposure should your private key be leaked at any point. TEEs have the advantage of being already mainstream and intrinsically compliant.

The nature of monetization is also changing. In the Web2 model, profit was derived from first building a vast user base, and then monetizing it, often through data harvesting (as seen with WhatsApp). In contrast, Web3 applications often feature tokenized protocols that create innate alignment between the companies’ and the users’ interests.

A fundamental shift in value

In the new web generation, we will see new drivers of business value. Web2 companies differentiated themselves by offering great convenience, but the unseen cost turned out to be too high. At this point, customers expect that convenience, but are not willing to pay for it with data.

The importance of data certainly hasn’t changed. Web3 – a spatial network of machine-readable data, deeply integrated with the physical world – will be built on ever more leveraging of information for business insight. But it will have to be insight without access. The new business differentiator will be built-in security and privacy. Web2 was engineered for exploitation; Web3 must be built for protection. That is the change we need, and it’s already happening. And as is the nature of evolution, those that can’t adapt to the new paradigm will soon find themselves redundant.

First published on Cryptonomist on September 27, 2021.