December 20, 2021, updated 31 May 2022 10:11am

The privacy dangers of web3 and DeFi – and the projects trying to fix them

Researchers have warned of the privacy dangers of web3 and DeFi. A new wave of platforms and protocols hopes to fix them.

By Claudia Glover

Crypto enthusiasts are bursting with excitement at the potential of blockchain-based ledgers to decentralise the finance sector and the web – phenomena known as DeFi and web3 respectively. There are many critiques of these two visions, including a recent study that found that supposedly anonymous transactions could be linked to personally identifiable information. But a new wave of blockchain platforms and protocols seeks to bolster privacy in what many believe is the next paradigm in computing.


Public acceptance of web3 and DeFi may require reassurances over privacy. (Photo by SOPA Images / Getty Images)

What are web3 and DeFi?

Enthusiasm for blockchain technology may have cooled but in certain quarters of the technology industry, expectations are as high as they’ve ever been. Proponents see blockchains as the basis of a new system of finance (decentralised finance, or DeFi) and a new paradigm for the web (web3, one of the breakout technology buzzwords of 2021). In both cases, they argue, the transparency and immutability of distributed ledgers will eliminate gatekeepers and bolster individual liberty.

Both web3 and DeFi have their doubters. Earlier this month, the Bank for International Settlements described DeFi’s decentralisation as illusory – “some form of centralisation is inevitable” – and said it currently has “few real-world applications”. And in a widely cited blog post, developer and blogger Stephen Diehl eviscerated web3 as “a vapid marketing campaign that attempts to reframe the public’s negative associations of crypto assets into a false narrative about disruption of legacy tech company hegemony”.

These criticisms haven’t stopped some users voting with their wallets. From 2019 to 2020, the value of digital assets locked in DeFi smart contracts grew by 1800%, from $670m to $13bn, according to a report from the World Economic Forum. The combined value of DeFi tokens reached $152bn this quarter. And around $27bn worth of cryptocurrency has been used to buy NFTs, a cornerstone of web3, so far this year.

Investors are excited. In November, ConsenSys – the blockchain software vendor behind the ‘MetaMask’ wallet – raised $200m from investors including HSBC, at a valuation of $3.2bn, not long after a $65m raise from JP Morgan, Mastercard and UBS. In October, web3 infrastructure provider Alchemy raised $250m at a $3.5bn valuation.

But there are at least two significant issues that must be addressed if web3 and DeFi are to gain public – and regulatory – approval. The first is the woeful environmental impact of ‘proof-of-work’ systems that underpin most distributed ledgers. This is already thwarting some companies’ web3 ambitions: plans by fundraising site Kickstarter and chat app Discord to adopt blockchain-based infrastructure were met with a backlash by users citing environmental concerns. Ethereum, the blockchain that underpins many web3 applications, plans to switch to a ‘proof of stake’ model next year, which its backers claim will reduce emissions.

How will web3 and DeFi impact privacy?

Less discussed is the impact of web3 and DeFi on user privacy. Proponents argue that web3 will improve user privacy by putting individuals in control of their data, via distributed personal data stores. But critics say that the transparent nature of public distributed ledgers, which make transactions visible to all participants, is antithetical to privacy.


“Right now, web3 requires you to give up privacy entirely,” Tor Bair, co-founder of private blockchain The Secrecy Network, tweeted earlier this year. “NFTs and blockchains are all public-by-default and terrible for ownership and security.”

Participants in public blockchains don’t typically need to make their identities known, but researchers have demonstrated how transactions recorded on a blockchain could be linked to individuals. A recent paper by researchers at browser maker Brave and Imperial College London found that many DeFi apps incorporate third-party web services that can access the users’ Ethereum addresses.

“We find that several DeFi sites rely on third parties and occasionally even leak your Ethereum address to those third parties – mostly to API and analytics providers,” the researchers wrote. One tracker can access Ethereum addresses in 56% of the 78 DeFi sites examined in the study.

Those third-party services could, in theory, link the Ethereum addresses to other PII they hold about the user, the researchers warn. “Ethereum address leakage to Google is particularly problematic because the company likely already has PII about you, which it can then link to your Ethereum address, which can then be linked to your transaction history on the blockchain.”

“Ethereum addresses constitute sensitive, private information, akin to credit cards and bank account numbers,” they add. “DeFi sites should treat them accordingly.”
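The leakage pattern the researchers describe can be checked for from the user's side of the browser. What follows is an added example, not code from the article or the Brave/Imperial study: it scans a dapp's outgoing requests (constructed here in a HAR-like shape, with hypothetical hostnames) for the connected wallet address appearing in requests to third-party hosts, whether in the URL, the body or the Referer header.

```javascript
// Added example: detect a connected wallet address being sent to third-party
// hosts. Request records are constructed to resemble HAR entries; all hostnames
// and the wallet address are hypothetical.
const ADDRESS_RE = /0x[0-9a-fA-F]{40}/g;

function registrableDomain(hostname) {
  // Naive eTLD+1 (last two labels). Adequate for the sample hosts below; a
  // real deployment should use the Public Suffix List instead.
  return hostname.split('.').slice(-2).join('.');
}

// Returns one {host, where} record per third-party request field that
// carries the wallet address (case-insensitive, since EIP-55 mixes case).
function findAddressLeaks(requests, firstPartyOrigin, walletAddress) {
  const firstParty = registrableDomain(new URL(firstPartyOrigin).hostname);
  const wanted = walletAddress.toLowerCase();
  const leaks = [];
  for (const req of requests) {
    const url = new URL(req.url);
    if (registrableDomain(url.hostname) === firstParty) continue; // same site
    const fields = {
      url: req.url,
      body: req.body || '',
      referer: (req.headers && req.headers.referer) || '',
    };
    for (const [where, text] of Object.entries(fields)) {
      const hits = (text.match(ADDRESS_RE) || []).map((a) => a.toLowerCase());
      if (hits.includes(wanted)) leaks.push({ host: url.hostname, where });
    }
  }
  return leaks;
}

// Constructed sample: a first-party balance query (fine), an analytics beacon
// with the address in its query string, a tracking pixel that receives the
// address via Referer because it sits in the dapp's own URL, and a clean CDN fetch.
const WALLET = '0xAbCdEf0123456789aBcDeF0123456789AbCdEf01';
const SAMPLE_REQUESTS = [
  { url: 'https://app.example-dex.com/api/balance?account=' + WALLET },
  { url: 'https://analytics.example-tracker.net/collect?uid=' + WALLET.toLowerCase() },
  { url: 'https://pixel.example-ads.org/p.gif',
    headers: { referer: 'https://app.example-dex.com/portfolio/' + WALLET } },
  { url: 'https://cdn.example-fonts.io/inter.woff2' },
];

function demo() {
  return findAddressLeaks(SAMPLE_REQUESTS, 'https://app.example-dex.com', WALLET);
}
```

On the sample input the function reports two leaks: the analytics host via the URL and the pixel host via Referer; the Referer case is why dapps should keep addresses out of page URLs or send a `Referrer-Policy` that strips the path.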

Privacy protocols for web3 and DeFi

For DeFi and web3 to be private, then, blockchain transaction data must be isolated from PII. “There is a need to shield the transactions,” explains Saeed Hasan, head of technology at the Blockchain Council, a group of organisations dedicated to the development of blockchain infrastructure.


This is giving rise to new, alternative blockchain platforms and protocols that seek to keep transactions private, Hasan adds. “Because of the demand in the DeFi space and the need for privacy, you’re seeing a lot of privacy protocols coming up,” he explains. “Some of the protocols have a very narrow focus while others provide a broad support for the whole ecosystem.”

One example is Oasis Network, which describes itself as “the first scalable, privacy-enabled blockchain”. Its Oasis Protocol enables ‘data tokenisation’, which it says puts users in control of how their data is used. This, the organisation claims, will unlock new, more accessible DeFi applications.

Findora is a blockchain platform and protocol that combines “transactional privacy” with the ability to selectively disclose information to regulators and auditors. This marks it out from privacy-focused cryptocurrencies – so-called ‘privacy coins’ – such as Monero, which has been described as “the cryptocurrency of choice for the world’s top ransomware criminals”, thanks to its untraceability. Findora received an “eight-figure” funding round last year and in October, it launched a $100m fund to bolster its developer community.

Panther, by contrast, is a protocol in development that operates across different blockchain platforms, including Ethereum. It claims to protect the anonymity of transactions with technology – dubbed ‘zero-knowledge succinct non-interactive argument of knowledge’, or zk-SNARK – that allows an organisation to prove that it possesses certain data without disclosing it. “Panther will allow builders to provide privacy features within their apps without needing a highly specialised team of cryptographers and privacy tech engineers to do so,” the organisation claims. Panther Protocol raised $22m in 90 minutes last month in a public sale of its $ZKP tokens.

Such is the excitement for web3 and DeFi, and privacy-enabling technologies in particular, that these projects have ample funding to develop their protocols and the surrounding ecosystems. But it remains to be seen whether these investments will reassure a public disillusioned with the way the giants of web 2.0 have handled their data.
