——Taking the xLog blockchain blog as an example, I will discuss my thoughts on DApps
Introduction: The Transition from Web2 to Web3#
Limitations of the Web2 Era#
- Centralization Risks
In the Web2 era, data storage and management are highly centralized. Once a platform suffers an attack or abuses power, user rights and interests can easily be compromised. - Information Islands
Data is difficult to interconnect between platforms, forming information islands that limit the full exploration and utilization of data value, restricting user experience. - Lack of Content Control
Creators often lose complete control over their works when publishing content on Web2 platforms, with inadequate copyright protection and revenue distribution mechanisms. - Intrusion of Advertising Models
The reliance on advertising for profit leads to users frequently encountering irrelevant ads, affecting their experience, while personal data is used for targeted marketing, blurring privacy boundaries.
Vision and Goals of Web3#
- Origin of Web3: Web3 originated from reflections on the data monopoly of Web2, aiming to utilize decentralized networks to restore data sovereignty to users.
- Smart Contracts: Smart contracts automatically execute agreements without the need for third parties, ensuring transactions are transparent and efficient, forming the core of Web3's trust mechanism.
- Blockchain Technology: Blockchain provides immutable data records that support decentralized applications in Web3, ensuring information security and privacy.
- Distributed Ledger: Web3 emphasizes user control over personal data, protecting privacy through encrypted data, achieving true digital empowerment.
Core Concepts of Web3, Smart Contracts, and Blockchain#
To be honest, I registered this blog to experience the blockchain concept that has been trending for several years (even though our university blockchain course had us experience DApps). To help those reading this article understand the concept of Web3, I will briefly compare it with Web2.
First, the form of Web3 products is very simple; it combines blockchain with traditional web application forms.
| Product Form | Definition | Examples |
|---|---|---|
| DeFi (Decentralized Finance) | Financial service platforms built on blockchain technology that provide services such as loans, borrowing, and trading without traditional financial institutions as intermediaries. | Uniswap, Aave, Compound |
| NFT (Non-Fungible Token) | A technology that represents unique digital assets on the blockchain, typically used in fields like art and collectibles. | CryptoPunks, Bored Ape Yacht Club, Decentraland |
| DApp (Decentralized Application) | Applications that run on the blockchain, characterized by decentralization and immutability, covering various fields such as gaming and social media. | OpenSea (NFT marketplace), Steemit (social media) |
| There are many more, such as GameFi, etc. |
Having said so much, let's compare it from the perspective of traditional development that we are familiar with.
Perceiving Differences from the Registration and Login Process#
Web2 Registration and Login#
This is familiar to anyone studying software engineering and information security.
Web3 Registration and Login#
- Infrastructure Process
The backend is almost entirely replaced by smart contracts.
It can be viewed this way: the Web2 backend performs CRUD operations on a database, while contracts perform CRUD operations on the blockchain, as the blockchain can be seen as a database.
However, in Web3, when the contract side processes calculations, costs are incurred. The larger the calculation, the greater the expense, which needs to be deducted from the user's wallet in tokens. Therefore, we generally still need to use the backend for traditional CRUD operations to reduce costs on the contract side.
Challenge is a randomly generated, one-time string created by the server (or frontend) for the user to sign, proving their control over a certain wallet. It can be understood as a "temporary password," which only the true owner can correctly sign. The principle is usually based on ECDSA (Elliptic Curve Digital Signature Algorithm), and interested students can learn more.
Further Explanation of Concepts#
- Wallets and Tokens
In Web3, everyone has at least one wallet to store their assets—most of which are tokens (like Bitcoin, Ethereum, etc.). Wallets are actually divided into cold wallets and hot wallets. A cold wallet can be understood as a USB hardware device that requires physical access to use, while a hot wallet includes software like MetaMask.
- Blockchain and Blocks
Blockchain is a decentralized distributed ledger technology that can solve trust issues.
Centralization:
Decentralization:
In simple terms, it is a linked list, with each node called a block (block), containing a set of transaction records. Anyone with internet access can view these transaction records and even fully copy them for backup—data on the blockchain is transparent and public, and almost impossible to tamper with.
The code for the experimental course is also written.
{
"Header": {
// Parent hash value, which is the hash of the previous node, forming a linked list
"parentHash": "abasbdasbd",
// Creation time
"timestamp": "2020-02-30",
// Address of the root node of the transaction tree
// The transaction tree contains records of all transactions in this block
"transactionRoot": "hash22222",
// Address of the root node of the state tree,
// The state tree contains some user-generated information (balance after transactions, 🌟 contract code, etc.)
"stateRoot": "hash21312312", // Receipt tree...., transaction history (payer, payee, transaction fees, etc.)
"...": "..."
},
"Body": [
"hash111111",
"hash222222", // This is the root address of the transaction tree mentioned above
"hash333333",
"hash444444",
"..."
]
}
Some students may ask—when does a blockchain add a new block? This depends on the protocol adopted by the blockchain, as different blockchains have different rules. For example, Bitcoin's chain uses the PoW mechanism, while Ethereum's chain uses the PoS mechanism. The general structure of a blockchain is as described above; now let's talk about specifics.
- Smart Contracts
A smart contract is essentially a piece of code that we can deploy to a test blockchain, looking like this:
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
contract SimpleVoting {
// Define candidate structure
struct Candidate {
string name;
uint voteCount;
}
// Store candidate information
mapping(uint => Candidate) public candidates;
uint public candidatesCount;
// Initialize constructor, set candidates
constructor() {
addCandidate("Candidate A");
addCandidate("Candidate B");
}
// Voting function
function vote(uint _candidateId) public {
// Ensure voting for a valid candidate
require(
_candidateId < candidatesCount
&& _candidateId >= 0, "Invalid candidate id"
);
// Update vote count
candidates[_candidateId].voteCount++;
}
}
The interface provided by the backend is called an API, but the interface address of a smart contract is a binary hash value called ABI, looking like: 0xhash123123.
Combining the blockchain data structure above, we can see that deployment is placing this program's ABI into the Body, becoming a node in the state tree.
Isn't it similar to the blob tree management method in git? Both are Merkle trees (hash trees).
- Computational Costs
Before explaining why there are computational costs, let's introduce the background:
Under PoW or PoS mechanisms, when a new block is generated, those participating in the generation of the new block (like miners or validators) will receive some tokens as rewards (yes, mining is just that). This refers to gas fees, a charging mechanism first proposed by Ethereum's PoS. It serves several purposes: to prevent abuse of the blockchain, as every operation has a cost, effectively reducing high-frequency attacks; to incentivize miners, as if you are willing to pay more gas, part of the gas will be treated as a tip for miners, and your transaction will be prioritized by miners for faster inclusion in the next block (inclusion in a block means completing the transaction).
Advantages and Disadvantages of Web3, Smart Contracts, and Blockchain Compared to Web2#
Technical Aspects#
First, there is a performance bottleneck. Compared to Web2, Web3 and blockchain technology have slower transaction speeds, limited processing capabilities, and the execution efficiency of smart contracts is also constrained by on-chain resources, making it difficult to meet large-scale demands. Issues such as exchanges, wallets, registered accounts/unregistered accounts, recording passwords (private keys, mnemonic phrases)/not recording passwords, complex operational processes, high gas fees, and unstable network connections constantly trouble users. Therefore, although the concept of Web3 is hot, ordinary users have low awareness of it, lacking intuitive and understandable application scenarios, leading to significant room for improvement in technology popularization and public acceptance, somewhat "detached from the masses."
Regulatory Aspects#
This blog is built on the blockchain, with accounts using wallet addresses + blockchain verification, and blog content stored in the IPFS distributed file system. After experiencing it for a few days, I deeply feel the benefits of this approach, but the drawbacks are also very obvious. The most prominent issue is regulatory concerns.
1. Platforms Lack Authority to Govern Malicious Accounts and Content#
All public spaces should consider the compliance of speech while ensuring freedom of expression. The core idea of decentralized social platforms is decentralized governance, so once users can freely publish malicious content or abuse the platform, it will lead to a deteriorating community environment. I personally believe that a community governance model should be introduced, such as issuing governance tokens, allowing high-token accounts to participate in voting mechanisms, enabling users to decide whether to ban or even hide violating accounts (I am not sure if deletion is possible; theoretically, content published on the bound IPFS can be deleted, but if it involves on-chain accounts, it may not be deletable, so it can only be hidden).
2. Sensitive Information Accidentally Uploaded to the Blockchain Will Never Be Deleted#
First, we should avoid directly writing sensitive information onto the blockchain; at most, we can store a hash value, with the actual content placed in IPFS. However, if Web3 is to enter the homes of ordinary people, or if it is maliciously uploaded to the chain, that would be quite disastrous. Even with IPFS, sensitive information should be uploaded encrypted, so only users with specific private keys can read it.
3. The Survival of Community Blockchains and Its Impact on Data#
If a community-built blockchain "dies," and the content on it has not been merged into a public chain or another chain, users will be unable to access this data through the original network. Even if the data still exists, it requires special means (like directly accessing node storage devices) to recover and access it, but where are these distributed data? Backup is a significant challenge; public chains are somewhat better, but for small private chains, once these infrastructure issues arise, reliability is still a major concern.
4. Legal Issues#
When I first started this blog, I casually posted a few whimsical articles, thinking that not many people would read them, and even if they did, they wouldn't know who I was due to anonymity, treating it as a whispering tree hole. Posting whimsical articles is not a big deal, but such a platform poses significant legal challenges (after all, black markets use BTC for settlement, and blockchain has almost become a breeding ground for black industries), especially regarding the "Personal Information Protection Law," which poses considerable challenges to the existing system. (I used this section for my information security law course assignment, and it's quite gratifying to be able to use it; why do I have so many courses? I'm going crazy ah ah ah ah ah!!!)
In terms of blockchain, the differences in technical architecture between different types of blockchains (public chains/permissionless chains vs. private chains/permissioned chains) directly determine their feasibility in compliance with the "Personal Information Protection Law." Permissioned chains, due to their identifiable and controllable participants, provide more possibilities for establishing governance mechanisms and fulfilling legal responsibilities, thus having a natural advantage in adapting to the existing legal framework. For example, some viewpoints even suggest that the initiators and node controllers of public chains do not bear legal responsibilities as personal information processors, while the initiators and limited node controllers of non-public chains should bear this responsibility.
Smart contracts, as "backends," can automatically execute, control, or record contract terms and related behaviors based on pre-set rules and conditions. Their operation is based on "if-then" logic. Although the automation feature can significantly improve transaction efficiency, it also raises questions about human oversight, error correction, and how to intervene when conflicts arise between execution and legal rights or changes in circumstances. For example, the execution results are as immutable as the underlying blockchain data. This directly challenges the right of individuals to withdraw consent (Article 15) and the ability to adjust or stop processing activities when processing becomes illegal or unnecessary under the "Personal Information Protection Law."
So, the problem is serious! Not to mention the privacy concerns arising from personal information being uploaded to the chain mentioned in the previous chapter, and the data issues arising from key management concerns, just an immature blockchain + smart contract, once deployed, will automatically and continuously violate the "Personal Information Protection Law," and it is difficult to correct. Calmly thinking, is the data subject really you? The "Personal Information Protection Law" grants individuals a series of data subject rights, including the right to know, the right to decide (Article 44), the right to access and copy (Article 45), the right to correct and supplement (Article 46), and the crucial right to delete (Article 47). Additionally, it includes the right to withdraw consent (Article 15) and the right to data portability (Article 45, paragraph 3). These rights, especially the rights to correction and deletion, directly conflict with the immutability of blockchain. Your information can be recklessly fragmented and permanently stored anonymously on unknown nodes, and you lose the rights to deletion, correction, portability, and withdrawal of consent. Can you really control this data?
Therefore, personal information processors (because decentralized organizations are quite difficult to define as responsible entities, we will blur this and directly treat organizations as processing entities) must be responsible for overall security; otherwise, technologies like blockchain will find it difficult to truly enter thousands of households. Yes, calmly thinking, while blockchain is indeed great, and Web3 is truly wonderful, the concept of "code is law" conflicts with the legal system's need to interpret and apply laws, provide remedies, and adapt to unforeseen circumstances. The legal framework is dynamic, while deployed code may be rigid. Disputes arising from the execution of smart contracts involving personal information will still be regulated by the "Personal Information Protection Law." The automated execution rules of smart contracts, while reducing certain types of human errors or biases, may also introduce new systemic biases—if there are defects or discriminatory inputs in the underlying code or data. The blockchain ecosystem has given rise to new types of participants, such as miners/validators, node operators, smart contract developers, and transaction initiators, whose roles and responsibilities under the "Personal Information Protection Law" remain unclear. How can we promote blockchain technology and its uncontrollable spread without clarifying the entire system of rights and responsibilities?
Chairman Mao taught us not to try to solve all contradictions at once; contradictions are infinite. We must grasp the main contradiction of the matter, and other problems will be resolved accordingly. Next, let's list and see what major contradictions technology brings:
| Provisions and Core Requirements of the "Personal Information Protection Law" | Challenges Brought by Technical Features | Specific Challenge Descriptions |
|---|---|---|
| Article 47 – Right to Delete; Article 46 – Right to Correct | Immutability | Unable to directly delete or modify personal information recorded on the chain, making it difficult to meet user requests for deletion or correction. |
| Article 73 – Identification of "Personal Information Processors" | Decentralization | Difficult to identify a unique or common responsible entity that autonomously decides the purpose and method of processing in public chains or DAOs. |
| Article 14 – Informed Consent, Explicit Consent; Article 15 – Right to Withdraw Consent | Automation and Irreversible Execution of Smart Contracts | Difficult to ensure users are fully informed about the complex processing logic of smart contracts; after users withdraw consent, it is difficult to stop or modify automatically executed contracts. |
| Article 24 – Regulation of Automated Decision-Making | Automation Decision-Making Characteristics of Smart Contracts | Difficult to ensure the transparency and fairness of automated decision-making, as well as users' rights to explanations and to refuse decisions based solely on automation. |
| Articles 38 to 40 – Rules for Cross-Border Transfer of Personal Information | Global Distributed Nature of Blockchain Networks | Difficult to identify data exporters and recipients, making it difficult to apply security assessments, standard contracts, etc.; data replication across multiple nodes leads to ongoing cross-border flow. |
| Article 6 – Data Minimization Principle | Full Node Data Replication and Permanent Record Features of Blockchain | On-chain storage and full network broadcasting may lead to processing personal information beyond the minimum necessary scope. |
| Article 51 – Security Assurance Obligations | Decentralization, Complexity of Key Management | Although there are technologies like encryption, overall security responsibility is unclear; once on-chain data is leaked (e.g., key theft), it is difficult to control; open-source code may have vulnerabilities. |
Thus, this is not just a technical issue; it also involves regulation, operation, and is a multifaceted legal problem.
Technical issues ultimately require targeted technical solutions, while operator issues ultimately require operators to make considerations. Below, I will list my personal views as a conclusion to this chapter.
| Strategy Category | Specific Strategy | Description | Compliance Benefits under the "Personal Information Protection Law" | Main Considerations/Limitations |
|---|---|---|---|---|
| Technology | Off-Chain Storage of Personal Data | Store sensitive personal information in controllable off-chain databases, with only hashes or references on-chain. | Facilitates the realization of the right to delete/correct, reducing the risk of on-chain data exposure. | May increase system complexity, partially sacrificing the value of direct management of on-chain data. |
| Technology | Application of Privacy-Enhancing Technologies (PETs) | Such as zero-knowledge proofs, homomorphic encryption, etc., for verification or computation without exposing original data. | Enhances privacy protection during data processing, potentially aiding in achieving data minimization. | Varying maturity and standardization of technology, legal recognition pending clarification, implementation costs may be high. |
| Technology | Robust Anonymization/Pseudonymization Processing | Effectively anonymize personal information or assess and reduce re-identification risks during pseudonymization. | Anonymized information is not subject to the "Personal Information Protection Law"; pseudonymization helps reduce direct exposure risks. | Achieving true anonymization is challenging; pseudonymized data may still be re-identified. |
| Governance/Operation | Adoption of Permissioned Chains/Consortium Chains | Participants' identities are known, allowing for the establishment of clear governance rules and responsibility allocation mechanisms. | Helps clarify "personal information processors" and fulfill various legal obligations. | May sacrifice some decentralization features, limited applicable scenarios. |
| Governance/Operation | Implementation of Data Protection Impact Assessments (DPIA) | Conduct pre-risk assessments and records for high-risk blockchain data processing activities. | Proactively identifies and mitigates legal risks, meeting the requirements of Articles 55 and 56 of the "Personal Information Protection Law." | Assessment processes may be complex and time-consuming, requiring expertise. |
| Governance/Operation | Establishing Clear Governance Frameworks and User Transparency Mechanisms | Clarify data processing rules, responsibilities of all parties, and clearly inform users about their information processing status and rights. | Enhances accountability, ensuring users' rights to know and decide. | Governance framework design and execution depend on consensus and cooperation among participants. |
| Legal/Regulatory | Issuing Targeted Regulatory Guidelines and Standards | Regulatory agencies publish specific guidelines and standard contract templates for the application of the "Personal Information Protection Law" in blockchain scenarios. | Provides legal certainty and guides compliance practices. | Guideline formulation takes time and may lag behind technological development. |
| Legal/Regulatory | Promoting Industry Self-Regulation and Certification Mechanisms | Encouraging industry associations to establish codes of conduct and personal information protection certification systems. | Supplements legal regulation and enhances overall industry compliance levels. | Self-regulation effectiveness is limited; the authority and universality of certification mechanisms need to be established. |
Conclusion#
Ah, back in the day when the concept of blockchain first emerged, I was just a kid. I never expected that over a decade later, I would be writing a blog in the university computer room, discussing lofty ideas, haha. I will mimic a leader's speech as the conclusion of this article: The world is in motion, moving forward. As technology and law are rapidly evolving, the impacts and challenges raised today are not static. With the maturation of technology and deeper legal interpretations, new problems and solutions will continuously emerge. Therefore, all stakeholders must maintain ongoing vigilance, in-depth research, and open dialogue to adapt to this dynamically changing field. I believe that in the future, Web3, smart contracts, and blockchain can truly empower the new era of the internet, reducing black market activities and increasing practical applications, achieving free and comprehensive development for individuals and society (I think this thing has both the embryonic form of communism and the freedom and clear pricing of advanced capitalism; it might just become the cornerstone of a unique social form for humanity in the future!!)
That's all.