Security and Privacy First
In the web 3.0 world, security will fall more into the hands of individuals. As such, we need to design systems that prevent users from making security-related mistakes and that more clearly surface risks to users. Since web 3.0 security norms aren't yet established, we have an opportunity to shape them right up front. It's a chance to innovate and start fresh with our security processes, protocols, technologies, and (legal and financial) accountability.
Web 3 security must make risks clear to users.
While much of web 3 tech is complex and sophisticated, core functionality needs to be very straightforward. Focus on basic controls for all users, with sophisticated, harder-to-reach controls for power users. In other words, make the basics simple. Advanced functionality should be possible, but not required for everyday use. For example, is it safe to share my crypto wallet address? Yes. Is it safe to share my private key? No!!! Not making this distinction clear in the user experience could have detrimental consequences. This is particularly true for less tech-savvy groups. Picture the struggles an elderly person might face in trying to make a cryptocurrency transaction. Design with groups like that in mind.
Design with privacy in mind.
Typically, data cannot be erased once it's on a blockchain. This is a valuable characteristic for transactions, but can be troublesome for things like medical records. And even for transactions - would you like all your purchases to be visible to the world? Probably not. But as it stands, things like NFTs and blockchains are public by default, so everyone can see that Bored Ape or Azuki avatar you bought. That's not a big deal, but what if your salary, everyday transactions, medical history, etc. became visible? Not so great. Some would argue that participants don't need to make their identities known. That's true, but we've also learned that it's absolutely possible to work backwards from on-chain activity and figure out who the users are. According to Brave and Imperial College London, "Ethereum address leakage to Google is particularly problematic because the company likely already has PII about you, which it can then link to your Ethereum address, which can then be linked to your transaction history on the blockchain." So we need to design systems that solve for this and embrace the digital privacy the world is asking for. We're starting to see web 3.0 privacy protocols emerge. It's time to really embrace that and design with a privacy-first mindset.
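One defensive check for the address-leakage problem quoted above, added here as an example that is not part of the original article: a small Python scanner that runs over a constructed list of outbound request URLs (hosts, paths and addresses are made up) and flags any Ethereum address sent to a host outside the wallet's own domains. It decodes query-string values, so an address buried inside a URL-encoded referrer parameter is found as well.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# A 20-byte Ethereum address: "0x" followed by exactly 40 hex digits.
ETH_ADDR_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")

# Constructed sample of requests a wallet front-end might emit while a
# user views their balance. Hosts use the reserved .test TLD; the
# addresses are arbitrary hex chosen for illustration.
SAMPLE_REQUESTS = [
    "https://app.example-wallet.test/api/balance"
    "?address=0x52908400098527886E0F7030069857D2E4169EE7",
    # Analytics beacon whose 'dl' value is the URL-encoded page URL,
    # which happens to carry the wallet address in its path.
    "https://www.google-analytics.test/collect?v=1"
    "&dl=https%3A%2F%2Fapp.example-wallet.test%2Fwallet%2F"
    "0x52908400098527886E0F7030069857D2E4169EE7",
    "https://cdn.example-wallet.test/static/app.js",
    "https://metrics.third-party.test/event"
    "?user=0xde709f2102306220921060314715629080e2fb77",
]

# Hosts the wallet operator controls; anything else is third party.
FIRST_PARTY_HOSTS = {"app.example-wallet.test", "cdn.example-wallet.test"}


def find_addresses(url: str) -> set:
    """Return every address-shaped string in a URL's path or query.

    Query values are percent-decoded by parse_qsl, so an address hidden
    in an encoded referrer URL is matched too. Results are lowercased so
    checksummed and plain spellings of one address compare equal."""
    parts = urlsplit(url)
    haystack = [parts.path]
    haystack += [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    found = set()
    for text in haystack:
        found.update(a.lower() for a in ETH_ADDR_RE.findall(text))
    return found


def find_leaks(requests, first_party_hosts):
    """Return (host, address) pairs for addresses sent off first-party hosts."""
    leaks = []
    for url in requests:
        host = urlsplit(url).hostname or ""
        if host in first_party_hosts:
            continue
        for addr in sorted(find_addresses(url)):
            leaks.append((host, addr))
    return leaks
```

Running `find_leaks(SAMPLE_REQUESTS, FIRST_PARTY_HOSTS)` on the sample reports the analytics beacon and the metrics call, and nothing for the first-party balance lookup or the static asset.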
Our greatest risk is being human.
No matter how "secure" technologists make software, it will still be used by humans, and humans make mistakes. We click on things. We sometimes trust the wrong sites and people. And we fall for scams again and again. Our behavior in web 3 will be no different. As such, the human side of vulnerability must be a critical component of how we approach security design. Design must embrace how people actually think and behave, rather than focusing only on improving the software itself. KnowBe4 is a company that's a pioneer in this field and is a good starting point for a new approach to security.
Sources
- "Decentralized technology will end the Web3 privacy conundrum." Cointelegraph, 2022
- "The privacy dangers of web3 and DeFi and the projects trying to fix them." TechMonitor, 2021
- "Web 3.0: How To Prepare For A Privacy-Driven Future." Forbes, 2021
- "What is Web 3.0 and What Does it Mean for Privacy?" Anonyome Labs, 2021