.svg)
While there is little known about how Web3 might evolve, UK regulators have raised concerns over privacy and competition, as well as the challenges of enforcing compliance on decentralised apps.
“While the ability of Web3 to solve the problems associated with Web 2.0 is yet to be compellingly proven, new Web3 applications present identifiable risks and harms as well as potential benefits,” a new paper published by the Digital Regulation Cooperation Forum (DRCF) on Friday (February 3) says.
DRCF members include the Financial Conduct Authority (FCA), the Competition and Markets Authority (CMA), Ofcom and the Information Commissioner’s Office (ICO).
If Web 2.0 heralded the explosion of user-generated content on the internet, Web3 is the next generation based on the concept of decentralisation underpinned by distributed ledger technology (DLT).
It is different from the metaverse, which is a shared digital reality, which may also run on DLT but is likely to be controlled by a company.
In both concepts, DLT could be used to provide new decentralised finance (DeFi) applications to offer a variety of services, including payments and crypto activities.
For instance, payments could be improved via the use of smart contracts, which automatically execute an action when predetermined conditions are met, or decentralised digital ID tools.
Additionally, DLT may reduce the time in which foreign exchange transactions are settled by taking out the intermediary from the transfer, which would also reduce costs and eliminate the need for complex currency conversions.
Privacy in Web3
Enhanced privacy is one of the compelling promises that Web3 seeks to deliver.
In the concept of decentralised digital identity, users could store their identity information in wallets that only they can access. These wallets offer security and privacy by using cryptographic public and private keys, to encrypt and decrypt digital credentials.
In an e-commerce payment transaction, it would mean that users could store their encrypted credentials and identity information on their own device rather than at each of the service providers that are involved in the transaction, such as the payment gateway, processor and card network.
This would improve privacy and reduce the risk of a large amount of personal information being exposed in a data breach.
However, given that the digital identity is held on the user’s device, the regulators note that it moves “the data honeypot away from service providers to end user devices that may be targeted by attackers”.
Further, losing a digital identity, by theft or by accident, may mean that the user is locked out of services and has an increased risk of fraud.
Challenging incumbent bigtech
In addition to privacy-related benefits, supporters of Web3 believe that the new web may reduce the market concentration of Web 2.0 by removing trusted intermediaries that confirm transactions and other interactions.
The regulators, however, worry that it may also create risks.
“Service providers are important for a range of reasons, including having responsibility for the quality of that service and being accountable to provide redress to a consumer or business if something goes wrong,” the paper says.
Additionally, intermediaries may have incentives to provide good quality service and protect consumers from harm as they may face reputational damage should any issues arise.
The paper also notes that the claim that decentralisation of the web would reduce the market power of Web 2.0 incumbents “is open to challenge”.
“Architectural decentralisation does not necessarily entail political decentralisation”.
For instance, one entity could gain control over the system or an application if it controls a sufficient number of nodes within a blockchain network.
Meanwhile, Web3 companies increasingly partner with incumbent banks and Web2 firms to leverage the legitimacy and brand of established firms.
Earlier in November, JPMorgan announced that it had made its first DeFi trade using a public blockchain, while Meta partnered with Polygon to allow users to mint and sell non-fungible tokens (NFTs).
“Most applications associated with Web3 are at very early stages of development. It is therefore currently too early to predict whether these will tend towards decentralisation or centralisation,” the regulators say in the paper.
“In either case, it is not yet possible to tell whether proponents of Web3 will achieve their stated aim of reducing the existing market concentration within Web 2.0.”
Holding who accountable?
The paper notes that regulations are technology neutral and there are numerous existing regulations that may apply to decentralised entities.
Applications running on Web 2.0 or Web3 alike must comply with the UK General Data Protection Regulation (GDPR), as well as competition and consumer protection legislation.
Upcoming regulations, such as the FCA’s new powers to oversee crypto-asset financial promotions and the new Online Safety Bill, may also apply to DeFi applications.
However, there are various features in Web3 that may turn enforcement into a challenge.
The paper explains when token holders on a decentralised application vote on a policy about processing personal information, they could be qualified as a data controller under the UK GDPR.
With no real limit on the number of token holders voting in such an organisation, this could in effect create a large set of joint controllers who would each have obligations under UK data protection law.
This governance model might mean that users will struggle to identify how, or with whom, to raise concerns or exercise their privacy rights.
It could also be difficult to ensure that all voting token holders understand their regulatory obligations, while regulators trying to enforce their rules against non-compliant entities (who may include thousands of token holders) may face challenges during the process.
The DLT technology may raise further concerns about enforcement due to the immutability of public blockchains, as well as the potential for automated transactions and decision-making through smart contracts, the regulators warn.
The difficulty in reversing transactions can pose specific challenges when addressing harms arising from fraud and scams, as well as from online content.
Automation via smart contracts, on the other hand, can raise questions of accountability if actions triggered by automated transactions or decisions cause harm, or fail to comply with applicable regulations.
Nonetheless, the paper notes that DLT solutions have not yet reached a scale and applications based on DLTs have arguably low levels of adoption to date.
“It remains unclear whether and in what form Web3 might evolve,” the regulators say, adding that they will continue to monitor the new market and technology and engage with industry stakeholders to build knowledge.
