Tuesday, January 11, 2022

Another Layer Of Centralization

Moxie Marlinspike tried building "web3" apps and reports on the experience in his must-read My first impressions of web3. The whole post is very perceptive, but the most interesting part reveals yet another way the allegedly decentralized world of cryptocurrencies is centralized.

Below the fold, I explain the details of yet another failure of decentralization.

Marlinspike starts with his explanation of why although "web1" was decentralized, "web2" ended up centralized:
People don’t want to run their own servers, and never will. The premise for web1 was that everyone on the internet would be both a publisher and consumer of content as well as a publisher and consumer of infrastructure.

We’d all have our own web server with our own web site, our own mail server for our own email, our own finger server for our own status messages, our own chargen server for our own character generation. However – and I don’t think this can be emphasized enough – that is not what people want. People do not want to run their own servers.

Even nerds do not want to run their own servers at this point. Even organizations building software full time do not want to run their own servers at this point. If there’s one thing I hope we’ve learned about the world, it’s that people do not want to run their own servers. The companies that emerged offering to do that for you instead were successful, and the companies that iterated on new functionality based on what is possible with those networks were even more successful.
This is partly an example of Economies of Scale in Peer-to-Peer Networks; massive economies of scale make running services "in the cloud" enormously cheaper. But it is also an issue of skill. I've been running my own servers for decades, so I can testify that the skills needed to do so now are far greater than when I started. Not that they were trivial back then, but I was a professional in the technology. There are two main reasons:
  • The environment in which servers run these days is extremely hostile; keeping them reasonably secure demands constant attention.
  • The devoted efforts of thousands of programmers over the decades have made the software the servers run much more complex.
Delegating the task of baby-sitting servers to the paid professionals who run cloud systems just makes sense.

His key observation is:
When people talk about blockchains, they talk about distributed trust, leaderless consensus, and all the mechanics of how that works, but often gloss over the reality that clients ultimately can’t participate in those mechanics. All the network diagrams are of servers, the trust model is between servers, everything is about servers. Blockchains are designed to be a network of peers, but not designed such that it’s really possible for your mobile device or your browser to be one of those peers.

With the shift to mobile, we now live firmly in a world of clients and servers – with the former completely unable to act as the latter – and those questions seem more important to me than ever. Meanwhile, ethereum actually refers to servers as “clients,” so there’s not even a word for an actual untrusted client/server interface that will have to exist somewhere, and no acknowledgement that if successful there will ultimately be billions (!) more clients than servers.
Ethereum nodes need far more resources than a mobile device or a desktop browser can supply. But a mobile device or a desktop browser is exactly where a "decentralized app" needs to run if it is going to interact with a human. So:
companies have emerged that sell API access to an ethereum node they run as a service, along with providing analytics, enhanced APIs they’ve built on top of the default ethereum APIs, and access to historical transactions. Which sounds… familiar. At this point, there are basically two companies. Almost all dApps use either Infura or Alchemy in order to interact with the blockchain. In fact, even when you connect a wallet like MetaMask to a dApp, and the dApp interacts with the blockchain via your wallet, MetaMask is just making calls to Infura!
So once again we see that "decentralized" is a marketing buzzword implying "not controlled by big corporations you can't trust". It obscures the fact that each layer of the system is controlled by a few corporations which, although not yet as big, are far less trustworthy than the big corporations that centralized "web2".

How much trust do dApps actually place in the two companies centralizing this layer of the "decentralized" stack? Marlinspike looked at their APIs:
These client APIs are not using anything to verify blockchain state or the authenticity of responses. The results aren’t even signed. An app like Autonomous Art says “hey what’s the output of this view function on this smart contract,” Alchemy or Infura responds with a JSON blob that says “this is the output,” and the app renders it.

This was surprising to me. So much work, energy, and time has gone into creating a trustless distributed consensus mechanism, but virtually all clients that wish to access it do so by simply trusting the outputs from these two companies without any further verification.
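To make the point concrete, here is the exchange Marlinspike describes, written out as an added example that is not code from his post, from MetaMask, or from Infura or Alchemy. A dApp sends a standard JSON-RPC `eth_call` for a contract's view function and gets back a bare hex string; nothing in the reply is signed or proven. The example also shows one cheap client-side mitigation: send the same call, pinned to the same block number, to several independent providers and accept only a result a quorum agrees on. The token and account addresses, the block number, the provider replies and the "lying" provider are all constructed here so the script runs offline under Node; the `balanceOf(address)` selector `0x70a08231` is the real ERC-20 one.

```javascript
// Added example: the unauthenticated eth_call round trip and a multi-provider quorum
// check. Addresses, block number and provider replies are constructed, not real data.

// Standard JSON-RPC 2.0 request for eth_call, a read-only call to a contract view function.
function buildEthCall(to, calldata, blockTag, id = 1) {
  return { jsonrpc: "2.0", id, method: "eth_call", params: [{ to, data: calldata }, blockTag] };
}

// ABI calldata for ERC-20 balanceOf(address): 4-byte selector + address left-padded to 32 bytes.
function balanceOfCalldata(address) {
  const addr = address.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{40}$/.test(addr)) throw new Error("bad address");
  return "0x70a08231" + addr.padStart(64, "0");
}

// Decode a 32-byte ABI-encoded uint256 result into a BigInt; reject anything else.
function decodeUint256(hexResult) {
  if (!/^0x[0-9a-fA-F]{64}$/.test(hexResult)) throw new Error("malformed uint256 result");
  return BigInt(hexResult);
}

// A JSON-RPC reply carries only jsonrpc/id/result (or error). True only if some field
// that could authenticate the value (signature, proof) is present; for eth_call it never is.
function hasAuthenticator(response) {
  return Object.keys(response).some((k) => /sig|proof/i.test(k));
}

// Quorum check: return the result at least `threshold` providers agree on, else throw.
// Every request must pin the same block number; "latest" can legitimately differ between
// providers that are at different heights, which would produce false disagreements.
function quorumResult(responses, threshold) {
  const counts = new Map();
  for (const r of responses) {
    if (r.error || typeof r.result !== "string") continue;
    counts.set(r.result, (counts.get(r.result) || 0) + 1);
  }
  for (const [value, n] of counts) if (n >= threshold) return value;
  throw new Error("no quorum among providers: " + JSON.stringify([...counts]));
}

// ---- constructed scenario: hypothetical addresses, block and replies ----
const TOKEN = "0x0000000000000000000000000000000000000001";  // hypothetical ERC-20 contract
const HOLDER = "0x00000000000000000000000000000000deadbeef"; // hypothetical account
const PINNED_BLOCK = "0xd59f80";                             // hypothetical block number

const request = buildEthCall(TOKEN, balanceOfCalldata(HOLDER), PINNED_BLOCK);

// Three hypothetical providers answer the identical pinned request; one returns a wrong value.
const honest = "0x" + (1000n).toString(16).padStart(64, "0");
const lie = "0x" + (1000000n).toString(16).padStart(64, "0");
const replies = [
  { jsonrpc: "2.0", id: 1, result: honest }, // provider A
  { jsonrpc: "2.0", id: 1, result: honest }, // provider B
  { jsonrpc: "2.0", id: 1, result: lie },    // provider C, or a MITM in front of it
];

// Single provider: the app renders whatever came back and cannot tell it is wrong.
function singleProviderBalance(reply) {
  return decodeUint256(reply.result);
}

// 2-of-3 quorum: the bad reply is outvoted.
function quorumBalance(allReplies) {
  return decodeUint256(quorumResult(allReplies, 2));
}

console.log("request:", JSON.stringify(request));
console.log("reply signed or proven?", hasAuthenticator(replies[0]));
console.log("provider C alone says:", singleProviderBalance(replies[2]).toString());
console.log("2-of-3 quorum says:", quorumBalance(replies).toString());
```

A quorum only raises the bar: it does nothing if the providers share an upstream, collude, or if a wallet routes every call to the same company regardless. The actual fix is for the client to verify state against a block header it has authenticated itself, using `eth_getProof` (EIP-1186) Merkle proofs the way a light client does, which is precisely the work that "just trust the JSON blob" skips.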
One of the major reasons advanced for why centralization of "web2" in the hands of huge corporations is bad is that they can censor the Web. Marlinspike built an NFT to demonstrate the fragile nature of NFTs. It looked different depending on which NFT service you used to view it:
but when you buy it and view it from your crypto wallet, it will always display as a large 💩 emoji
How did OpenSea react to this demonstration of the problems with NFTs?
After a few days, without warning or explanation, the NFT I made was removed from OpenSea (an NFT marketplace)
...
The takedown suggests that I violated some Term Of Service, but after reading the terms, I don’t see any that prohibit an NFT which changes based on where it is being looked at from, and I was openly describing it that way.

What I found most interesting, though, is that after OpenSea removed my NFT, it also no longer appeared in any crypto wallet on my device.
The reason is that the wallets just call OpenSea's API, so OpenSea can decide to refuse to display NFTs it doesn't like. Russell Brandom reports on another instance of OpenSea's censorship in Messy NFT drop angers infosec pioneers with unauthorized portraits:
Released on Christmas Day by a group called “ItsBlockchain,” the “Cipher Punks” NFT package included portraits of 46 distinct figures, with ten copies of each token. Taken at their opening price, the full value of the drop was roughly $4,000. But almost immediately, the infosec community began to raise objections — including some from the portrait subjects themselves.
...
Tuesday morning, the ItsBlockchain team announced in a Medium post that it would be “shutting down” the collection in response to the backlash, offering full refunds to any purchasers and covering any gas fees involved in the transfer.
...
In the wake of the post, OpenSea appears to have taken central action to remove the collection, which is no longer visible on the platform.
Censorship can also be useful in the wake of thefts, as Edward Ongweso Jr. reports in ‘All My Apes Gone’: NFT Theft Victims Beg for Centralized Saviors:
Chelsea art gallery owner Todd Kramer had 615 ETH (about $2.3 million) worth of NFTs, primarily Bored Apes and Mutant Apes, stolen by scammers and listed on the peer-to-peer NFT marketplace OpenSea.
...
"We take theft seriously and have policies in place to meet our obligations to the community and deter theft on our platform. We do not have the power to freeze or delist NFTs that exist on these blockchains, however we do disable the ability to use OpenSea to buy or sell stolen items. We've prioritized building security tools and processes to combat theft on OpenSea, and we are actively expanding our efforts across customer support, trust and safety, and site integrity so we can move faster to protect and empower our users.”

OpenSea did not answer, however, why it had frozen the trading of these NFTs and not others stolen just weeks ago that were announced on Twitter by Bored Ape Yacht Club and Jungle Freak NFT owners.
More than seven years ago I provided a detailed description of the economic forces driving centralization. Why has there been almost no progress since in developing ways to push back against these forces? No-one cares that their "decentralized" system isn't actually decentralized, because whether or not it is, the buzzword still does its job of making their "number go up".

10 comments:

David. said...

The conclusion of Can Duruk's response to Moxie Marlinspike, Who is Web3 Really Good for?, is:

"For many companies in this space, such centralization efforts will seem benevolent as the crypto pie is still growing. But keep your eyes fixated on the future, not the past. They must all be seeing more competition in their future than their past. When that happens, expect even more centralization than there is today. When that happens, the crypto-folk might be left wondering why they let those who built today’s internet with all its problems, own the next one as well."

David. said...

Ed Zitron writes Nobody Cares About Decentralization - They Just Want To Get Rich, and he's so right:

"The only real idea left was the idea of personal liberty and ownership outside of legacy systems, which Marlinspike has accurately and painfully detailed isn’t the case.

That’s why crypto evangelism is so poisonous - because it’s ugly to say “join this system that I’m using so we can both get rich!” It’s much easier to promise dreams of escaping the 9 to 5 and evil “centralized platforms,” using vague dogma to convince people that this is a moral rather than fiscal crusade. The reason you might get rich is because you picked the right side. You are “going to make it” because you made the right moral choice."

David. said...

Via Ed Zitron, we find Parmy Olsen's Web3 Just Had Its Emperor’s-New-Clothes Moment - an excellent overview of Marlinspike's argument for the lay person. She concludes:

"In acting as gatekeepers of data, Web3 companies have even more insights into what users are doing than companies like Alphabet Inc.’s Google and Meta Platform Inc.’s Facebook.

That could become a bigger problem if Web3 companies reach the scale of Big Tech today. Given the strangeness of their mechanics, though, it is hard to see that growth happening anytime soon, if ever."

David. said...

Crypto-Savings Lawsuit Puts Principles of DeFi to the Test by Dylan Tokar reports that:

"[DeFi] also begs the question: Who’s responsible when things go wrong?

That is the question being raised by a class-action lawsuit filed in New York federal court against one such novel DeFi service, a cryptocurrency savings application called PoolTogether. The application, described as a “no loss prize game,” incentivizes users to save their cryptocurrencies by offering them the chance to win awards from the interest generated by the collected funds.

The lawsuit, filed by a software engineer named Joseph Kent, has challenged the legality of PoolTogether’s operation, saying the scheme is essentially a lottery and prohibited under New York law."

David. said...

Ben Thompson's OpenSea, Web3, and Aggregation Theory describes yet another layer of centralization - OpenSea as the dominant aggregator of demand for NFTs:

"In fact, what gives Aggregators their power is not their control of supply: they are not the only way to find websites, or to post your opinions online; rather, it is their control of demand. People are used to Google, or it is the default, so sites and advertisers don’t want to spend their time and money on alternatives; people want other people to see what they have to say, so they don’t want to risk writing a blog that no one reads, or spending time on a social network that because it lacks the network has no sense of social."

Thus:

"This, then, is the reason that OpenSea received its $13 billion valuation: it is by far the dominant market for NFTs; should the market exist in the long run, the most likely entryway for end users will be OpenSea. This is a very profitable position to be in, even if alternatives are only a click away. It’s not like that reduces the profitability of a Google or a Facebook.

It is also why OpenSea’s bans have some amount of teeth to them: as I noted, you can still buy and sell these stolen and rip-off NFTs, just as you can still go to a website that is not listed in Google, communicate with a friend kicked off of Facebook, or state your opinions somewhere other than Twitter. The reduced demand, though, lowers the price, whether that price be traffic, convenience, or attention. Or, in the case of NFTs, ETH: not having access to OpenSea means there is less demand for these NFTs, and less demand means lower prices."

David. said...

Another article inspired by Moxie Marlinspike is John Naughton's Will blockchain fulfil its democratic promise or will it become a tool of big tech?. Naughton is appropriately skeptical:

"At the moment, for example, the consensus-establishing processes for verifying blockchain transactions requires intensive computation, with a correspondingly heavy carbon footprint. Reducing that poses intriguing technical challenges, but focusing on them means that the engineering community isn’t thinking about the governance issues raised by the technology. There may not be any central authority in a blockchain but, as Vili Lehdonvirta pointed out years ago, there are rules for what constitutes a consensus and, therefore, a question about who exactly sets those rules. The engineers? The owners of the biggest supercomputers on the chain? Goldman Sachs? These are ultimately political questions, not technical ones."

David. said...

There's now a site dedicated to showing that Web3 is going just great. The most recent posts are:

- Developer apparently rug pulls two NFT projects at once.

- An attacker pulls about 350 ETH from Float Protocol's Rari Capital pool.

- Voice actor Troy Baker announces his involvement in "voice NFT" project Voiceverse with an antagonistic tweet, shortly before it's revealed that the project stole work.

- Token drop for the aptly named WTF token devolves into chaos.

Web3 really is going great!

David. said...

The Onion’s Guide To Web3 is succinct, readable, and insightful.

David. said...

Nick Baker's Wall Street Traders Muscle Into the Middle of Crypto greatly under-estimates Wall St. market makers' role in cryptocurrency markets. The subhead is:

"It’s called decentralized finance, but the established pros still want a cut."

For a necessary corrective see this.

David. said...

Ephrat Livni's Tales From Crypto: A Billionaire Meme Feud Threatens Industry Unity explores the fight over "web3" and "decentralizing the Internet" between the people who only have your interests at heart.