——Taking the xLog blockchain blog as an example, I will discuss my thoughts on DApps
Introduction: The Transition from Web2 to Web3#
Limitations of the Web2 Era#
- Centralization Risks
In the Web2 era, data storage and management are highly centralized. Once a platform suffers an attack or abuses its power, user permissions and rights can be easily compromised. - Information Islands
Data is difficult to interconnect between platforms, forming information islands that limit the full exploration and utilization of data value, restricting user experience. - Lack of Content Control
Creators often lose complete control over their works when publishing content on Web2 platforms, with inadequate copyright protection and revenue distribution mechanisms. - Advertising Model Intrusion
The reliance on advertising for profit leads to users frequently encountering irrelevant ads, affecting their experience, and personal data being used for targeted marketing, blurring privacy boundaries.
Vision and Goals of Web3#
- Origin of Web3: Web3 originates from a reflection on the data monopoly of Web2, aiming to utilize decentralized networks to restore data sovereignty to users.
- Smart Contracts: Smart contracts automatically execute agreements without the need for third parties, ensuring transaction transparency and efficiency, and are the core of Web3's trust mechanism.
- Blockchain Technology: Blockchain provides immutable data records, supporting decentralized applications in Web3, ensuring information security and privacy.
- Distributed Ledger: Web3 emphasizes user control over personal data, protecting privacy through encrypted data, achieving true digital empowerment.
Core Concepts of Web3, Smart Contracts, and Blockchain#
To be honest, I registered this blog to experience the blockchain concept that has been trending for years (even though our university's blockchain course had us experience DApps). To help those reading this article understand the concept of Web3, I will briefly compare it with Web2.
First, the form of Web3 products is very simple; it combines blockchain with traditional web application forms.
| Product Form | Definition | Examples |
|---|---|---|
| DeFi (Decentralized Finance) | Financial service platforms built on blockchain technology that provide loans, borrowing, trading, and other services without traditional financial institutions as intermediaries. | Uniswap, Aave, Compound |
| NFT (Non-Fungible Token) | Technology that represents unique digital assets on the blockchain, typically used in art, collectibles, and other fields. | CryptoPunks, Bored Ape Yacht Club, Decentraland |
| DApp (Decentralized Application) | Applications that run on the blockchain, characterized by decentralization and immutability, covering various fields such as gaming and social media. | OpenSea (NFT marketplace), Steemit (social media) |
| There are many more, such as GameFi, etc. |
Having said so much, let's compare from the perspective familiar to traditional development.
Perceiving Differences from the Registration and Login Process#
Web2 Registration and Login#
This is something that students studying software engineering and information security are familiar with.
Web3 Registration and Login#
- Infrastructure Process
The backend is almost entirely replaced by smart contracts.
It can be viewed this way: the Web2 backend performs CRUD (Create, Read, Update, Delete) operations on a database, while contracts perform CRUD operations on the blockchain, as the blockchain can be seen as a database.
However, in Web3, when the contract side processes calculations, it incurs costs. The larger the computation, the greater the expense, which needs to be deducted from the user's wallet in tokens. Therefore, we generally still need to use the backend for traditional CRUD operations to reduce costs on the contract side.
A Challenge is a random, one-time string generated by the server (or frontend) for the user to sign, proving their control over a specific wallet. It can be understood as a "temporary password," which only the true owner can correctly sign. The principle is usually based on ECDSA (Elliptic Curve Digital Signature Algorithm), and interested students can learn more about it.
Further Explanation of Concepts#
- Wallets and Tokens
In Web3, everyone has at least one wallet to store their assets—typically, most assets are tokens (Token), such as the well-known Bitcoin and Ethereum... Wallets are actually divided into cold wallets and hot wallets. A cold wallet can be understood as a USB hardware device that requires physical connection to use, while a hot wallet consists of software, such as MetaMask.
- Blockchain and Blocks
Blockchain is a decentralized distributed ledger technology that can be used to solve trust issues.
Centralization:
Decentralization:
In simple terms, it is a linked list, with each node called a block (block), which contains a set of transaction records. Anyone with internet access can view these transaction records and even fully copy them for backup—data on the blockchain is transparent and public, and nearly impossible to tamper with.
The code for the experimental class is also written.
{
"Header": {
// Parent hash value, which is the hash of the previous node, forming a linked list
"parentHash": "abasbdasbd",
// Creation time
"timestamp": "2020-02-30",
// Address of the root node of the transaction tree
// The transaction tree contains all transaction records in this block
"transactionRoot": "hash22222",
// Address of the root node of the state tree,
// The state tree contains some user-generated information (post-transaction balance, 🌟 contract code, etc.)
"stateRoot": "hash21312312", // Receipt tree...., transaction history (payer, payee, transaction fee, etc.)
"...": "..."
},
"Body": [
"hash111111",
"hash222222", // This is the root address of the transaction tree mentioned above
"hash333333",
"hash444444",
"..."
]
}
Some students may ask—when does the blockchain add a new block? This depends on the protocol adopted by the blockchain, as different blockchains have different rules. For example, Bitcoin's chain uses the PoW mechanism, while Ethereum's chain uses the PoS mechanism. The general structure of the blockchain is as described above; let's talk about specifics.
- Smart Contracts
A smart contract is essentially a piece of code that we can deploy to a test blockchain, looking like this:
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
contract SimpleVoting {
// Define candidate structure
struct Candidate {
string name;
uint voteCount;
}
// Store candidate information
mapping(uint => Candidate) public candidates;
uint public candidatesCount;
// Initialize constructor, set candidates
constructor() {
addCandidate("Candidate A");
addCandidate("Candidate B");
}
// Voting function
function vote(uint _candidateId) public {
// Ensure the vote is for a valid candidate
require(
_candidateId < candidatesCount
&& _candidateId >= 0, "Invalid candidate id"
);
// Update vote count
candidates[_candidateId].voteCount++;
}
}
The interface provided by the backend is called an API, but the interface address of a smart contract is a binary hash value called ABI, looking like: 0xhash123123.
Combining the blockchain data structure above, we can see that deployment is about placing this program's ABI into the Body, becoming a node in the state tree.
Isn't it similar to the blob tree management method in git? Both are Merkle trees (hash trees).
- Computational Costs
Before explaining why there are computational costs, let's introduce some background:
Under the PoW or PoS mechanism, when a new block is generated, those participating in the generation of the new block (such as miners or validators) will receive some tokens as a reward (yes, mining is just that). This refers to Gas fees, a charging mechanism first proposed by Ethereum's PoS. It has the following purposes: to prevent abuse of the blockchain, as every operation has a cost, which effectively reduces high-frequency attacks. To incentivize miners, if you are willing to pay more Gas, part of the Gas will be treated as a tip for the miners, and your transaction will be prioritized by miners, being processed faster into the next block (putting it into a block means completing the transaction).
Advantages and Disadvantages of Web3, Smart Contracts, and Blockchain Compared to Web2#
Technical Aspects#
First, there is a performance bottleneck; compared to Web2, Web3 and blockchain technology have slower transaction speeds and limited processing capabilities. The execution efficiency of smart contracts is also constrained by the resources on the chain, making it difficult to meet large-scale demands.
Exchanges, wallets, registered accounts/unregistered accounts, password recording (private keys, mnemonic phrases)/not recording passwords, complex operational processes, high Gas fees, unstable network connections, and other issues constantly trouble users. Therefore, although the concept of Web3 is hot, ordinary users have low awareness of it and lack intuitive and understandable application scenarios, leading to significant room for improvement in technology popularization and public acceptance, somewhat "detached from the masses."
Regulatory Aspects#
This blog is built on the blockchain, with accounts using wallet addresses + blockchain verification, and blog content stored in the IPFS distributed file system. After experiencing it for a few days, I deeply feel the benefits of this approach, but the drawbacks are also very obvious. The foremost issue is regulatory concerns.
1. Platforms Lack Authority to Govern Malicious Accounts and Content#
All public spaces, while ensuring freedom of speech, should also consider the compliance of speech. The core idea of decentralized social platforms is decentralized governance. Therefore, once users can freely publish malicious content or abuse the platform, it will lead to a deteriorating community environment. I personally believe that a community governance model should be introduced, such as issuing governance tokens, allowing high-token accounts to participate in voting mechanisms, enabling users to decide whether to ban or even hide violating accounts (I am not sure if they can be deleted; theoretically, content published on the bound IPFS can be deleted, but if it involves accounts on the chain, it may not be deletable, so it can only be hidden).
2. Sensitive Information Mistakenly Uploaded to the Blockchain Will Never Be Deleted#
First, we should avoid directly writing sensitive information onto the blockchain; at most, we can store a hash value, with the actual content placed on IPFS. However, if we want Web3 to enter the homes of ordinary people, or in case it is maliciously uploaded to the chain, that would be quite disastrous. Moreover, even with IPFS, sensitive information should be encrypted before uploading, so that only users with specific private keys can read it.
3. The Survival of Community Blockchains and Its Impact on Data#
If a community-built blockchain "dies," and the content on it has not been merged into a public chain or another chain, users will be unable to access this data through the original network. Even if the data still exists, it may require special means (such as directly accessing node storage devices) to recover and access it. But where are these distributed data? Backup is a significant challenge; public chains may be better, but for small private chains, once these infrastructure issues arise, reliability is still put to the test.
4. Legal Issues#
When I first started this blog, I casually posted a few whimsical articles, thinking that not many people would read them, and even if they did, they wouldn't know who I was due to anonymity, treating it as a whispering tree hole; posting whimsical articles is not a big deal. However, such a platform poses significant legal challenges (after all, black markets use BTC for settlement, and blockchain has almost become a breeding ground for the black industry), especially regarding the Personal Information Protection Law, which poses considerable challenges to the existing system. (I used this section for my final assignment on information security law, and it's quite gratifying to be able to use it; why do I have so many courses? I'm going crazy!!!)
In terms of blockchain, the differences in technical architecture between different types of blockchains (public chains/permissionless chains vs. private chains/permissioned chains) directly determine their feasibility in compliance with the Personal Information Protection Law. Permissioned chains, due to their identifiable and controllable participants, provide more possibilities for establishing governance mechanisms and fulfilling legal responsibilities, thus having a natural advantage in adapting to existing legal frameworks. For example, some viewpoints even suggest that the initiators and node controllers of public chains do not bear legal responsibilities as personal information processors, while the initiators and limited node controllers of non-public chains should bear this responsibility.
Smart contracts, as "backends," can automatically execute, control, or record contract terms and related behaviors based on predefined rules and conditions. Their operation is based on "if-then" logic. Although the automation feature can significantly improve transaction efficiency, it also raises questions about human oversight, error correction, and how to intervene when conflicts arise between execution and legal rights or changes in circumstances. For instance, the execution results are as immutable as the underlying blockchain data. This directly challenges the rights of individuals to withdraw consent (Article 15) and the ability to adjust or stop processing activities when processing becomes illegal or unnecessary as stated in the Personal Information Protection Law.
So, the problem is significant! Not to mention the privacy concerns arising from personal information being uploaded to the chain mentioned in the previous chapter, and the data issues stemming from key management concerns, just a single immature blockchain + smart contract, once deployed, will continuously violate the Personal Information Protection Law, and it is difficult to correct. Calmly thinking, is the data subject really you? The Personal Information Protection Law grants individuals a series of data subject rights, including the right to know, the right to decide (Article 44), the right to access and copy (Article 45), the right to correct and supplement (Article 46), and the crucial right to delete (Article 47). Additionally, it includes the right to withdraw consent (Article 15) and the right to data portability (Article 45, paragraph 3). These rights, especially the rights to correct and delete, directly conflict with the immutability of blockchain. Your information can indeed be recklessly fragmented and permanently stored anonymously on unknown nodes, and you lose the rights to delete, correct, and withdraw consent. Can you really control this data?
Therefore, the obligations of personal information processors (since decentralized organizations are quite difficult to define responsible entities, we will blur this and directly treat organizations as processing entities) must be responsible for overall security; otherwise, technologies like blockchain will find it challenging to truly enter the homes of ordinary people. Yes, calmly thinking, while blockchain is indeed fantastic, and Web3 is truly remarkable, the concept of "code is law" conflicts with the legal system's need to interpret and apply laws, provide remedies, and adapt to unforeseen circumstances. The legal framework is dynamic, while once deployed, the code may be rigid. Disputes arising from the execution of smart contracts involving personal information will still be regulated by the Personal Information Protection Law. The automated execution rules of smart contracts, while reducing certain types of human errors or biases, may also introduce new systemic biases—if there are defects or discriminatory inputs in the underlying code or data. The blockchain ecosystem has given rise to new types of participants, such as miners/validators, node operators, smart contract developers, and transaction initiators, whose roles and responsibilities under the Personal Information Protection Law remain unclear. Before clarifying the entire system of rights and responsibilities, how can we promote blockchain technology widely and uncontrollably?
Chairman Mao taught us not to try to solve all contradictions at once; contradictions are infinite. We should grasp the main contradiction of the matter, and other issues will be resolved easily. Next, let's list some of the main contradictions brought about by technology:
| Personal Information Protection Law Provisions and Core Requirements | Challenges Brought by Technical Features | Specific Challenge Descriptions |
|---|---|---|
| Article 47 – Right to Delete; Article 46 – Right to Correct | Immutability | Unable to directly delete or modify personal information recorded on the chain, making it difficult to meet user requests for deletion or correction. |
| Article 73 – Identification of "Personal Information Processors" | Decentralization | Difficult to identify a unique or common responsible entity that autonomously decides the purpose and method of processing in public chains or DAOs. |
| Article 14 – Informed Consent, Explicit Consent; Article 15 – Right to Withdraw Consent | Automation and Irreversible Execution of Smart Contracts | Difficult to ensure that users are fully informed about the complex processing logic of smart contracts; after users withdraw consent, it is challenging to stop or modify automatically executed contracts. |
| Article 24 – Regulation of Automated Decision-Making | Automation Decision-Making Characteristics of Smart Contracts | Difficult to ensure the transparency and fairness of automated decision-making, as well as users' rights to explanations and to refuse decisions based solely on automation. |
| Articles 38 to 40 – Rules for Cross-Border Transfer of Personal Information | Global Distributed Nature of Blockchain Networks | Difficult to identify the data exporter and recipient, making it challenging to apply security assessments, standard contracts, etc.; data replication across multiple nodes leads to de facto continuous cross-border flow. |
| Article 6 – Data Minimization Principle | Full Node Data Replication and Permanent Record Characteristics of Blockchain | On-chain storage and full network broadcasting may lead to processing personal information beyond the minimum necessary scope. |
| Article 51 – Security Assurance Obligations | Decentralization, Complexity of Key Management | Although there are technologies like encryption, overall security responsibility is unclear; once on-chain data is leaked (e.g., key theft), it is difficult to control; open-source code may have vulnerabilities. |
Therefore, this is not just a technical issue; it also involves regulation, operations, and is a multifaceted legal issue.
Technical problems ultimately require targeted technical solutions, and operational issues ultimately require operators to make considerations. Below, I will list my personal views as a conclusion to this chapter.
| Strategy Category | Specific Strategy | Description | Compliance Benefits under the Personal Information Protection Law | Main Considerations/Limitations |
|---|---|---|---|---|
| Technical | Off-Chain Storage of Personal Data | Store sensitive personal information in controllable off-chain databases, with only hashes or references on-chain. | Facilitates the realization of the right to delete/correct, reducing the risk of on-chain data exposure. | May increase system complexity, sacrificing some value of direct management of on-chain data. |
| Technical | Application of Privacy-Enhancing Technologies (PETs) | Such as zero-knowledge proofs, homomorphic encryption, etc., to verify or compute without exposing original data. | Enhances privacy protection during data processing, potentially aiding in achieving data minimization. | Varying maturity and standardization of technology, legal recognition pending clarification, implementation costs may be high. |
| Technical | Robust Anonymization/Pseudonymization Processing | Effectively anonymize personal information or assess and reduce re-identification risks during pseudonymization. | Anonymized information is not subject to the Personal Information Protection Law; pseudonymization helps reduce direct exposure risks. | Achieving true anonymization is challenging; pseudonymized data may still be re-identified. |
| Governance/Operations | Adoption of Permissioned Chains/Consortium Chains | Participants' identities are known, allowing for the establishment of clear governance rules and responsibility allocation mechanisms. | Helps clarify "personal information processors" and fulfill various legal obligations. | May sacrifice some decentralization features, limited applicable scenarios. |
| Governance/Operations | Implement Data Protection Impact Assessments (DPIA) | Conduct pre-risk assessments and records for high-risk blockchain data processing activities. | Actively identifies and mitigates legal risks, meeting the requirements of Articles 55 and 56 of the Personal Information Protection Law. | Assessment processes may be complex and time-consuming, requiring expertise. |
| Governance/Operations | Establish Clear Governance Framework and User Transparency Mechanisms | Clarify data processing rules, responsibilities of all parties, and clearly inform users about their information processing status and rights. | Enhances accountability, ensuring users' rights to know and decide. | Governance framework design and execution depend on consensus and cooperation among participants. |
| Legal/Regulatory | Issue Targeted Regulatory Guidelines and Standards | Regulatory agencies publish specific guidelines and standard contract templates for the application of the Personal Information Protection Law in blockchain scenarios. | Provides legal certainty and guides compliance practices. | Guideline formulation takes time and may lag behind technological development. |
| Legal/Regulatory | Promote Industry Self-Regulation and Certification Mechanisms | Encourage industry associations to establish codes of conduct and build personal information protection certification systems. | Supplements legal regulation and enhances overall compliance levels in the industry. | The effectiveness of self-regulation is limited; the authority and universality of certification mechanisms need to be established. |
Conclusion#
Ah, back in the day when the concept of blockchain first emerged, I was just a kid. I never expected that over a decade later, I would be writing a blog in a university computer lab, discussing lofty ideas, haha. I will imitate a leader's speech as the conclusion of this article: The world is in motion, moving forward. As both technology and law are rapidly evolving, the impacts and challenges raised today are not static. With the maturation of technology and deeper legal interpretations, new problems and solutions will continuously emerge. Therefore, all stakeholders must maintain ongoing vigilance, in-depth research, and open dialogue to adapt to this dynamically changing field. I believe that in the future, Web3, smart contracts, and blockchain can truly empower the internet of the new era, reducing black market activities and increasing practical applications, achieving the free and comprehensive development of individuals and society (I think this thing has both the embryonic form of communism and the freedom and clear pricing of advanced capitalism; it might really become the cornerstone of a unique social form for humanity in the future!!)
That's all.