Moxie Marlinspike: Here’s what’s wrong with Web3
In a blog post published on Jan 07, Moxie Marlinspike, creator and maintainer of the Signal messaging app, expressed concerns about Web3 and in particular its claim to be a new and decentralized future alternative to the platform behemoths of Web 2.0.
Marlinspike begins his post by admitting that, despite considering himself a cryptographer, he hasn’t found himself particularly drawn to “crypto” [Marlinspike’s quotes], and that he hasn’t yet managed to become a believer.
“Also – cards on the table here – I don’t share the same generational excitement for moving all aspects of life into an instrumented economy,” Marlinspike writes.
However skeptical, Moxie Marlinspike decided to give Web3 a try by creating two Web3 applications (dApps) called Autonomous Art, which lets anyone mint a token for an NFT by making a visual contribution to it, and First Derivative that allows users to create, discover, and exchange NFT derivatives which track an underlying NFT.
People don’t want to run their own servers
Though Web3 is a somewhat ambiguous term, it should, according to Marlinspike, boil down to giving its users the “richness” of Web2, but in a decentralized way. The main reasons the originally decentralized Web1 became the centralized Web2 are that “people don’t want to run their own servers, and never will” and that “a protocol moves much more slowly than a platform.” As an example of the latter, Marlinspike points to email.
“After 30+ years, email is still unencrypted; meanwhile WhatsApp went from unencrypted to full e2ee in a year”, e2ee meaning end-to-end encryption.
One thing that Marlinspike finds strange about “the cryptocurrency world is the lack of attention to the client/server interface”, and that “blockchains are designed to be a network of peers, but not designed such that it’s really possible for your mobile device or your browser to be one of those peers.” The point Marlinspike makes is that, normally, wallets don’t connect directly to the blockchain, but do so via APIs provided by node operators.
However, this is a centralizing choke point, since in practice there are only two of these API providers, Infura and Alchemy, and almost all dApps use one or the other to interact with the blockchain. The reason is that these APIs make life easier for dApp developers.
“In fact, even when you connect a wallet like MetaMask to a dApp, and the dApp interacts with the blockchain via your wallet, MetaMask is just making calls to Infura,” Marlinspike writes, echoing critique that’s been heard many times over the history of Ethereum.
“This was surprising to me. So much work, energy and time has gone into creating a trustless distributed consensus mechanism, but virtually all clients that wish to access it do so by simply trusting the outputs from these two companies without any further verification”, Marlinspike writes.
NFTs are centralized to the OpenSea API
To Moxie Marlinspike, the situation is even worse with NFTs, partly due to the way the NFT standard (EIP-721) is designed, and partly because of the centralizing power of the OpenSea marketplace and its API.
Instead of storing the data on-chain, in most cases an NFT contains a pointer to the data. Depending on where that data is stored, anyone with access to that storage system can change the data, regardless of whether or not they own the actual token.
Furthermore, in Marlinspike’s words, there is nothing in the NFT specification that tells the owner what the data, like an image, should be, or even allows the owner to confirm whether something is the correct data.
This is different from the misunderstanding around the right-click-save meme, where some people seem to think that the NFT is the actual image, when in fact the NFT is a certificate of sorts, proving the authenticity and ownership of this image. But there’s nothing in the NFT saying what that data should be; there’s nothing saying if an NFT is for a Bored Ape Yacht Club or a Pudgy Penguin.
There’s just a pointer to some off-chain data; if someone succeeds in changing whatever that pointer points to, it will point to something else. The exception to this is NFTs storing data on-chain, like the data-lean CryptoPunks do, but that is only economically feasible for small amounts of data.
“What you bid on isn’t what you get”
Marlinspike illustrates this issue by creating an experimental NFT that looks different depending on who is looking at the associated image, by having the web server serve different images based on the IP or User-Agent of the requester. This way, the same NFT presents three different images depending on whether it’s viewed through OpenSea, Rarible, or a wallet.
“What you bid on isn’t what you get. There’s nothing unusual about this NFT, it’s how the NFT specifications are built,” Marlinspike writes.
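As an added example (not code from Marlinspike’s post or his dApps), here is a small Python check a wallet or marketplace could run against the two problems described above: it classifies a tokenURI as a mutable pointer versus content-addressed or on-chain data, and it fetches the pointed-to content under several viewer identities and compares digests to detect a server that answers differently per requester. `fake_fetch`, `SAMPLE_RESPONSES`, the URL and the viewer labels are constructed stand-ins, and treating `ipfs://` CIDs as content-addressed is an assumption of this example.

```python
import hashlib
from urllib.parse import urlparse

# Schemes whose identifier commits to the bytes (an IPFS CID is a content hash).
# An http(s) tokenURI is just a mutable pointer: whoever controls the host can
# change what it returns. Assumption: ipfs:// carries a CID, not a mutable IPNS name.
CONTENT_ADDRESSED_SCHEMES = {"ipfs", "ar"}

def classify_token_uri(uri: str) -> str:
    """'on-chain' (a data: URI carries the bytes itself), 'content-addressed',
    or 'mutable' (a plain web URL, the case the post demonstrates)."""
    scheme = urlparse(uri).scheme.lower()
    if scheme == "data":
        return "on-chain"
    if scheme in CONTENT_ADDRESSED_SCHEMES:
        return "content-addressed"
    return "mutable"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_divergent_content(fetch, url, user_agents):
    """Fetch `url` once per viewer identity and compare digests. Differing digests
    mean the server answers differently per requester, which is what the post's
    experimental NFT did. `fetch(url, user_agent)` is injected so this runs offline.
    Returns (diverged, {user_agent: sha256})."""
    digests = {ua: sha256_hex(fetch(url, ua)) for ua in user_agents}
    return len(set(digests.values())) > 1, digests

def verify_pinned_hash(fetch, url, user_agent, expected_sha256):
    """Compare what the pointer returns now against a hash recorded at mint or
    purchase time; EIP-721 itself records no such commitment, so the caller must."""
    return sha256_hex(fetch(url, user_agent)) == expected_sha256

# Constructed stand-in for the web server in the post: it answers based on who
# is asking. The labels are placeholders, not real marketplace or wallet UA strings.
SAMPLE_RESPONSES = {
    "marketplace-a": b"image bytes as seen by marketplace A",
    "marketplace-b": b"image bytes as seen by marketplace B",
    "wallet": b"image bytes as seen by the wallet",
}

def fake_fetch(url: str, user_agent: str) -> bytes:
    return SAMPLE_RESPONSES.get(user_agent, SAMPLE_RESPONSES["wallet"])

if __name__ == "__main__":
    url = "https://nft.example.invalid/token/1.png"  # constructed URL
    print("tokenURI is", classify_token_uri(url))
    diverged, digests = check_divergent_content(fake_fetch, url, SAMPLE_RESPONSES)
    print("content varies by viewer:", diverged)
```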
After a few days, without warning or explanation, according to Marlinspike, his NFT was removed from OpenSea, probably because it violated some terms of service. In removing the NFT from the marketplace, thus removing it from their API, OpenSea made it impossible for most wallets to display the NFT, even though it’s still there on the blockchain. This is because, again, wallets like MetaMask use APIs, like OpenSea’s in the case of NFTs, to access and display on-chain data.
“MetaMask needs to interact with the blockchain, but the blockchain has been built such that clients like MetaMask can’t interact with it. So like my dApp, MetaMask accomplishes this by making API calls to three companies that have consolidated in this space,” Marlinspike writes.
“All this means that if your NFT is removed from OpenSea, it also disappears from your wallet. It doesn’t functionally matter that my NFT is indelibly on the blockchain somewhere, because the wallet, and increasingly everything else in the ecosystem, is just using the OpenSea API to display NFTs, which began returning “304 No Content” for the query of NFTs owned by my address.”
The space is consolidating around platforms. Again.
In Moxie Marlinspike’s mind, the blockchain space is, for the same reasons Web1 was, consolidating around centralized platforms in order to make blockchain technologies usable to a broader audience. This is, again, because neither people nor organizations want to run servers.
“Given those dynamics, I don’t think it should be a surprise that we’re already at a place where your crypto wallet’s view of your NFTs is OpenSea’s view of your NFTs. I don’t think we should be surprised that OpenSea isn’t a pure “view” that can be replaced, since it has been busy iterating the platform beyond what is possible strictly with the impossible or difficult-to-change standards. This isn’t a complaint about OpenSea or an indictment of what they’ve built. Just the opposite, they’re trying to build something that works,” Marlinspike writes.
If the blockchain industry does want to change people’s relationship to technology, Marlinspike thinks the industry has to do it intentionally by accepting the premise that people will not run their own servers, and by designing systems that can distribute trust without having to distribute infrastructure.
Second, Marlinspike thinks the blockchain industry should try to reduce the burden of building software.
“I think changing our relationship to technology will probably require making software easier to create, but in my lifetime I’ve seen the opposite come to pass. Unfortunately, I think distributed systems have a tendency to exacerbate this trend by making things more complicated and more difficult, not less complicated and less difficult,” Marlinspike writes.