January 31, 2023
Some two decades ago, the internet as we know it – Web 2.0 – evolved from static, read-only webpages into dynamic environments where users can read and write content. With the shift from passive consumption of information to active participation in online communities, traffic on the “world wide web” skyrocketed from 600 million users in 2003 to over 5 billion people that access today’s internet (1).
Yet even as over 64 “zettabytes” of content is uploaded to the internet each year, users paradoxically have little control over the information that they generate (2). For the tech companies that have built the infrastructure of Web 2.0 and enabled its growth, the monetization of user data to advertisers and analytics companies has emerged as a lucrative source of revenue. Advances in machine learning have only fueled the demand for user data, and the transformation of internet applications into sensors, as marketing campaigns are increasingly tailored to consumer profiles.
While centralized databases of user information might be “gold mines” in the tech industry, the sensitive content within the walls of these servers exposes internet consumers to a wide range of risks including hacking, identify theft, and scams. Although Web 2.0 has coincided with growth of the cybersecurity industry, 7 of the 10 largest data breaches – collectively leaking over 20 billion records – occurred within the past five years (3).
In response to calls for data privacy on the internet, regulators across the globe have enacted laws designed to help users regain control of their content. The most stringent of these regulations, the European Union’s General Data Protection Regulation (“GDPR”), requires companies to obtain consent before accessing user data and provide all users with timely notification in the event of a security breach. The GDPR has also ushered the “propertization” of internet data by granting citizens with “bundles” of rights such as access to personal data upon request, the erasure of data and exclusion from data processing (4). The California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”) on January 1, 2023 to encompass personal information that employers collect on their employees, bestows Californians with similar rights to the GDPR and has served as a roadmap for privacy laws across the United States (5).
Even though the GDPR and CCPA have only been in existence since 2018, and were likely contemplated for Web 2.0, rapid developments in blockchain technology have catalyzed the internet’s transition into the era of Web 3.0. In this framework, where blockchain protocols power a decentralized internet, users will have the ability to read, write and own their content. Although blockchain may have bewildered regulators through the disruption of longstanding jurisprudence from bankruptcy proceedings to securities offerings, it could actually become a boon for data privacy advocates. When this happens, they can credit the underlying technology and the “zero-knowledge” that comes with it.
A blockchain is a database accessible to all participants across the network and its broader adoption – as necessitated to fully realize Web 3.0 – would require it to be “permissionless” or publicly open to any users. Moreover, as a practically immutable ledger, information can only be added to a blockchain and never deleted. While these principles are seemingly antithetical to the protection of privacy, it is this unique level of transparency that enables users to better monitor their data and track its potential usage. The decentralized nature of a blockchain would also prevent individual entities from becoming sole custodians of a data layer.
If Web 3.0 is to become a truly user-centric internet, however, it would not only allow individuals to track their data but also selectively restrict the types of information that they provide. In this instance, zero-knowledge (“ZK”) proofs – a cryptographic concept independent of blockchain – could offer a solution.
Rather than existing within the primary blockchain itself (the “Layer 1”), a ZK protocol is built on top (as a “Layer 2”) and conducts batches of transactions (known as a “rollup”) off-chain. Taken together, a ZK rollup can increase the efficiency of a blockchain by reducing Layer 1 traffic and bolsters privacy by enabling users to transfer information that they seek to withhold off-chain.
The fundamental methodology underlying a ZK rollup involves a prover, a witness and a verifier. Ultimately, the prover must demonstrate to the verifier that the secret (known as the “witness”) held by the prover – i.e. specific information an internet user has selected to disclose on the blockchain – is accurate. To achieve this, the verifier randomly queries the prover with sets of questions to determine if the prover has access to the witness. As the prover answers the presented questions, the verifier iteratively modifies the questions to the point that only a prover with access to the witness can answer them correctly. After this process is repeated many times, the verifier can effectively validate, with “zero-knowledge” of the witness, that the prover has accurate information.
When translated to a real-world scenario, a ZK rollup could theoretically enable an individual to prove that they are old enough to buy alcohol or vote, without having to reveal the full contents of their driver’s license (6). The ZK rollup would process this transaction off-chain and only present validated information back to the Layer 1 blockchain. Conceivably, information stored off-chain would have to remain in compliance with existing data privacy regimes or even deleted altogether.
Although the massive potential of Web 3.0 has yet to be fully unleashed, it would appear that its core principles may align with, if not strengthen, the data privacy considerations established for Web 2.0. The openness of a Layer 1 blockchain gives users full transparency into their data, while Layer 2 applications such as a ZK rollup allow individuals to selectively distribute their information. The latter would actually confer an additional “stick” in the bundle of rights – the freedom to choose what to disclose – for Web 3.0 users. With these enhancements, the next iteration of the internet could become a safer and more accessible environment for consumers.
The growth of blockchain, its associated cryptocurrencies, and the core elements for Web 3.0 are currently on a trajectory that resembles Web 2.0 of the late 1990s (7). Barring major regulatory hurdles, technical bottlenecks or any other unforeseen obstacles, the next decade could see Web 3.0 obtaining parabolic adoption to become the dominant and decentralized form of internet. This growth could unlock a user-centered ecosystem with ownership rights, transparency and data privacy features that are currently lacking in Web 2.0.
1 Internet Growth Statistics, Internet World Stats (2023) https://www.internetworldstats.com/emarketing.htm.
2 A “zettabyte” represents a billion trillion “bytes” of storage. Petroc Taylor, Amount of data created, consumed, and stored 2010-2020, with forecasts to 2025. Statista (September 8, 2022) https://www.statista.com/statistics/871513/worldwide-data-created/.
3 Abi Tyas Tunggal, The 68 Biggest Data Breaches (Updated for November 2022), UpGuard (December 12, 2022) https://www.upguard.com/blog/biggest-data-breaches.
4 Luis Miguel M. del Rosario, On the Propertization of Data and the Harmonization Imperative, 90 Fordham L. Rev. 1699, 1709 (2022).
5 Josh Nadeau, How the CCPA is Shaping Other State’s Data Privacy, SecurityIntelligence (December 23, 2022) .
6 Joseph Burleson et al., Privacy-Protecting Regulatory Solutions Using Zero-Knowledge Proofs: Full Paper, a16zcrypto (November 16, 2022) .
7 Cryptocurrencies – Too early or too late?, Wells Fargo Investment Institute (February 2022) .