{"id":4499,"date":"2020-03-09T11:48:31","date_gmt":"2020-03-09T15:48:31","guid":{"rendered":"https:\/\/cointelegraph.com\/magazine\/?p=4499"},"modified":"2021-07-24T11:35:00","modified_gmt":"2021-07-24T15:35:00","slug":"zookos-triangle-human-readable-paradox-crypto-adoption","status":"publish","type":"post","link":"https:\/\/cointelegraph.com\/magazine\/2020\/03\/09\/zookos-triangle-human-readable-paradox-crypto-adoption","title":{"rendered":"Zooko’s Triangle: The Human-Readable Paradox at the Heart of Crypto Adoption"},"content":{"rendered":"

I don\u2019t remember my first personal email username.\u00a0<\/strong><\/p>\n

I know the domain was with Pipex Dial, a U.K. provider to whom I paid a monthly fee for the privilege of receiving a unique string of abstract digits through which to receive email messages. I remember there were a scant handful of other early adopters who also had this thing. And I remember that it was complicated and expensive. But for some reason I\u2019ve always been drawn to things like that.<\/span><\/p>\n

My second email address, I remember clearly. Because the genius of Hotmail in 1996 wasn\u2019t just the invention of email signatures and the first truly viral marketing campaign. The game-changing difference was that as well as giving away web-based email for free, Hotmail gave you the ability to choose any username you wanted, assuming no one else had grabbed it first.\u00a0<\/span><\/p>\n

Your real name, a nickname or joke, even businesses could easily get started with a free Hotmail email, at a time when owning an actual domain or website was still an obscure dark art. <\/span>Anythingyoulike@hotmail.com<\/span><\/i> got the world on board with email at last, and while the brand itself is now fully subsumed within Outlook, it endured for many years after Microsoft <\/span>acquired<\/span><\/a> it from founders Jack Smith and Sabeer Bhatia in 1997 for an estimated $400 million.<\/span><\/p>\n

The history of web domains followed a similar path. While the domain naming system, or DNS, and first top-level domains were created in the 1980s, most early academic and defense applications relied on the accurate manual user entry of numerical IP addresses, and according to Wikipedia, fewer than 15,000 dotcom domains had been registered by 1992.<\/span><\/p>\n

Fast-forward to the present day, and an explosion in new top-level domains, or TLDs, has enabled easy acquisition of branded and personalized online territory for any user, with the third quarter of 2019 alone seeing 359.8 million new domain names <\/span>registered<\/span><\/a> across all TLDs. Nowadays, our need to manually enter even the shortest and most memorable domains is diminishing in a world driven by the tapping of native app icons and voice search. Pretty soon, we\u2019ll probably be able to instruct our devices and automated assistants by gesture or eye movement alone.<\/span><\/p>\n

Until very recently though, cryptocurrency wallet tools have remained mostly in the \u201cusenet\u201d state of evolution, and there are good reasons why the security has had to develop ahead of the ease of use \u2014 if you mistyped an email or web address, the worst that could happen was an obscure error message, rather than the loss of actual financial value. But if personally identifiable email was the killer app that really created mass adoption of the internet, will personalized wallets be the catalyst for similar growth in digital asset adoption, even if we acknowledge that the stakes are significantly higher?<\/span><\/p>\n

The access vs. security trade-off<\/span><\/h3>\n

No one can deny that the user experience of defining and accessing online territories has become simplified to the most basic level, but this has not come without cost.\u00a0<\/span><\/p>\n

Easy-to-use tends to correlate with easy-to-hack<\/i><\/b>. Staggeringly large breaches of consumer data barely make headlines in the mainstream media anymore, and already in the first few weeks of 2020, Microsoft, LabCorp and even the United Nations have <\/span>reported<\/span> massive exposures of personal data in their care. New privacy legislation from Europe to California seems to have done little to protect users from such violations, and it\u2019s unsurprising that identity theft <\/span>continues to escalate<\/span><\/a> globally.<\/span><\/p>\n

In the fintech sector, traditional institutions are increasingly defending themselves from losses they have typically absorbed in the past, as they fought their private battles against hackers behind closed doors. If your online banking was compromised a couple of years ago, you\u2019d generally have been made good, with any fraudulent transactions promptly reversed \u2014 even if you could never get a clear answer from your bank as to what exactly happened. Now, they\u2019re cracking down on access standards, enforcing better practice from users with multifactor authentication, and even subjecting users to detailed interrogation about their password hygiene and personal information security practices.\u00a0<\/span><\/p>\n

This shifting of responsibility onto the user is an inevitability and a well-deserved wake-up call for many, but some users need more support than others. It\u2019s not OK that my elderly aunt uses the same grandchild\u2019s first name as her password for <\/span>everything<\/span><\/i>, but due to branch closures, she has been forced into online banking on a PC that looks as old as she is. She never wanted to own one of these smartphones \u2014 so how is she supposed to implement the \u201cstrong customer authentication\u201d being forced upon her by the institution she has trusted since her first wage slip nearly 60 years ago?\u00a0<\/span><\/p>\n

The bank has promised to work something out for her and is continuing to extend her full personal telephone support for now, but we\u2019re walking a tightrope between user experience and security.\u00a0<\/span><\/p>\n

And the cryptocurrency world is treading similarly fine lines in the ongoing tension over the protection of privacy and uncensorability versus mass adoption.<\/span><\/p>\n

We\u2019re not talking about the needs of those like my aunt, who I probably have to accept is unlikely to ever get on board with crypto nor suffer unduly as a result. There is a huge mass of mid-to-late adopters way ahead of her on the curve, however, who are savvy enough to use password managers and multifactor authentication, and understand the consequences of irreversible transactions and personal sovereignty. Their growing uptake is essential for required network effects, but they are never going to get to grips with UTXOs and 35-character network addresses. So all but the most die-hard cypherpunk purists would generally agree that we need more accessible and easy-to-use tools.<\/span><\/p>\n

Onboarding the next wave<\/span><\/h3>\n

A plethora of new services are emerging to improve the UX and make cryptocurrencies easier and more user-friendly for everyday humans while trying to ensure core security aspects are not compromised.<\/span><\/p>\n

Bradley Kam\u2019s Unstoppable Domains offers blockchain domains entirely separate from the current DNS, purporting to help provide uncensorable websites as well as payment tools for Bitcoin, ETH and Zilliqa.\u00a0<\/span><\/p>\n

Currently, you\u2019ll need a browser extension to view content on the .crypto or .zil domains, and you won\u2019t find them indexed by traditional search tools. However, the creation of a new network on an alternate root means only a little more friction, which most users should be able to handle \u2014 <\/span>if <\/span><\/i>they can see a good reason to bother. It all feels nostalgically 1990s, only without Geocities\u2019 migraine-inducing color schemes.<\/span><\/p>\n

Namebase and its blockchain Handshake have focused on human-readable addresses, similar to those launched by the Ethereum Name Service in May 2017.\u00a0 The Handshake white paper <\/span>references<\/span><\/a> a trilemma known as Zooko\u2019s Triangle (after the creator of Zcash), in which he posits that we can realistically achieve two out of three from the properties of human-meaningfulness, decentralization and security. (Some, such as the Monero development team who developed OpenAlias<\/a>, and Nick Szabo, disagree<\/a>.) The Namebase solution creates a single point of consensus around the association between names and certificates, using multiple actors to verify addresses on a blockchain in an attempt to resolve this paradox.<\/span><\/p>\n


But this inevitably creates some degree of pseudonymization, and where there are any elements that can be reverse-engineered, any impression of anonymity is just that \u2014 a deceptive impression. So, are we in danger of creating just another kind of DNS under a different kind of centralized control? Is this trade-off really worth it in order to drive the mass adoption of cryptocurrencies?<\/span><\/p>\n

I spoke to Emin G\u00fcn Sirer, presently on leave from Cornell University to work on Avalabs, about this complex intersection of psychology, security and usability.<\/span><\/p>\n

\u201cHuman-readable addresses are nice, […] but in my opinion, nobody should be using anything human-readable anyway. Payments should be a secure channel between me and the merchant, the merchant giving me his address and me using it.\u201d<\/span><\/p>\n

This makes sense, as the DNS itself has always been easy to reverse-engineer, as Sirer pointed out way back in the 90s. DNS Security Extensions, or DNSSEC, is ICANN\u2019s solution, with the addition of data origin authentication and data integrity protection to the basic address structure, but Sirer describes these efforts as \u201ca supremely expensive failure of vision, a giant hole that ended up lining the pockets of a couple of vendors […] that has enjoyed zero practical adoption by the regular community.\u201d<\/span><\/p>\n

Unsurprisingly, he\u2019s encouraged by the grassroots solutions emanating from the crypto community, which have the potential to rebuild a more secure and decentralized internet:<\/span><\/p>\n

\u201cThey\u2019re mostly young people, having no connection to the DNS community whatsoever, building an alternative secure system from the ground up using much more modern techniques. It\u2019s a slap in the face to the DNS researchers who absolutely and unilaterally failed to fix this.\u201d<\/span><\/p><\/blockquote>\n

A new decentralized structure for the internet of the future, which allows for human-recognizable transacting and navigation, sounds ideal. But in reality, the use of anything human-readable is, as Sirer indicated, easier to compromise. Tim Copeland of Decrypt recently proved the point, <\/span>doxxing<\/span><\/a> a number of high-profile people using ENS through careful analysis of their chosen Ethereum names and associated balances and transactions \u2014 after all, it\u2019s all right there, on a public blockchain.\u00a0<\/span><\/p>\n

Exploring the human<\/span><\/h3>\n

It\u2019s basic social engineering, the kind hackers have used for years \u2014 combining bits of information in the public domain with other facts people don\u2019t consciously remember sharing, along with the odd (lucky and\/or educated) guess, to join them together and expose connections that look nothing short of miraculous.<\/span><\/p>\n

I saw a live performance by the amazingly talented British magician Derren Brown years ago, full of classy mind-reading stunts. At one point he \u201crandomly\u201d selected members from the huge theater audience and regaled them with facts about their personal lives and recent activities, striking enough home-runs to cause visible shock. Impressively, he had clearly memorized unique seating allocations for each night\u2019s show, but a quick check on some of the names of people he singled out revealed completely open Facebook profiles, which specifically referenced their recent travels, injuries, meals and other explicitly mundane facts with which he astonished them. I\u2019m willing to bet that each person chosen was also the named ticket purchaser for the event within their party.<\/span><\/p>\n

It was a vivid reminder of how much personal information we all routinely leak into the world without a great deal of thought, and while I am busy lecturing my mature relatives about the reuse of passwords, people often reuse <\/span>usernames<\/span><\/i>, which are easily associated with their personal identity.\u00a0<\/span><\/p>\n

An example of this is Thorsten Schulte, @silberjunge on Twitter. Copeland found that \u201csilberjunge.eth.\u201d contained just $17 of Ether, and like many accounts, was probably set up just to experiment with the new service and explore what it had to offer when the Ethereum Name Service launched publicly last year. However, the address used to register this domain<\/span> contained a more significant 1,163 ETH, and a further $121,000 worth of Ethereum-based tokens \u2014 perhaps something the owner may have wanted to maintain a little more discretion about.<\/span><\/p>\n

We all have different needs for personal privacy, after all, and often it takes a threat or a scare to make someone review and lock down their operational security. Bitcoin engineer and evangelist Jameson Lopp has <\/span>gone<\/span><\/a> to extreme lengths to protect his physical location and online activities after someone maliciously sent a SWAT team to his house. I used to have a limited company registered to my home address \u2014 until the day I attracted the attention of a far-right hate group by debunking some of their social media activities, and simultaneously learned that Google now thoughtfully supplied a street view photo of my home to accompany the search results for the business location.<\/span><\/p>\n

As Sirer explained, this kind of social engineering is not the result of flaws within specific networks, but instead is a consequence of human behavior within an ecosystem of interrelated tools that can be interrogated in increasingly imaginative and granular ways.\u00a0<\/span><\/p>\n

\u201cIf I use my account to register my name for a conference, and then I use the same account to go and buy a name online, then there\u2019s a linkable piece of information right there. So people use tricks like that, to de-anonymize. It\u2019s absolutely not the result of ENS leaking any information, it\u2019s the user behavior at the source.<\/span><\/p>\n

\u201cThe bottom line is, it\u2019s hard [to be completely anonymous and secure online], right? It\u2019s twice as hard as keeping two separate wallets and never transferring money from one to the other. If you can do that, then sure, you can keep your anonymity, but most people find that too difficult.\u201d<\/span><\/p><\/blockquote>\n

And that\u2019s the rub, because for \u201cmost people,\u201d it\u2019s never going to happen. We need better tools that provide viable protection commensurate with the value of the asset being guarded \u2014 and, in the case of crypto, also prevent access from being accidentally lost forever.<\/span><\/p>\n

Sirer points out that hardware wallets have not evolved or improved much in recent years, while mobile wallets are improving and offer real potential to extend highly accessible and acceptably secure tools to large numbers of users \u2014 including potentially billions of presently unbanked people, if not to my old aunt.<\/span><\/p>\n

Exchanges are going to have to be recognized and regulated for the second layer they are becoming. We\u2019re going to need DEXs \u2014 competitive with centralized exchanges in terms of usability \u2014 instead of what Sirer describes as the \u201chorrible performance, absolutely horrible execution\u201d of present offerings. He sees these improvements in the pipeline for deployment within the next 12 months, and they\u2019re badly needed, given the transaction volumes they handle.<\/span><\/p>\n

New money needs new understanding<\/span><\/h3>\n

Identity, trust, how we reveal and define ourselves to others; what we choose to share, to obscure or even hide in plain sight \u2014 these are complex and abstract concepts that are frequently taken for granted and unexamined in everyday discourse. Alongside the difficulties of defining what money and value really mean beneath the everyday distractions, this is part of the job the crypto community is going to have to do \u2014 help the majority overcome the inertia, habits and routines of the present paradigm.<\/span><\/p>\n

But the crypto and blockchain revolution offers us a unique new opportunity to get things right this time \u2014 for a human-readable <\/span>and<\/span><\/i> human-centered future, which works as well for unbanked Gen Alpha kids as it can for elderly aunts. It\u2019s a chance to build a Web 3.0 that may leverage biometrics and similar identifiers not reliant on memory, knowledge or description, yet does not compromise the original cypherpunk promise of user anonymity.<\/span><\/p>\n

Resolving the puzzle of Zooko\u2019s Triangle won\u2019t be as easy as resolving a DNS address to a nice snappy URL. But it\u2019s a challenge many of the brightest minds are working on: to create the mass-uptake, killer Hotmail solution we need for the future of money.<\/span><\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Another trilemma for crypto advocates to consider as blockchain domain names become more common. Memorable, decentralized, secure: Can you really only pick two?<\/p>\n","protected":false},"author":18,"featured_media":5408,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"mc4wp_mailchimp_campaign":[],"_links_to":"","_links_to_target":""},"categories":[157],"tags":[],"yst_prominent_words":[181,178,180,179,166,176,163,169,175,164,173,177,172,168,165,174,167,170,182,171],"_links":{"self":[{"href":"https:\/\/cointelegraph.com\/magazine\/wp-json\/wp\/v2\/posts\/4499"}],"collection":[{"href":"https:\/\/cointelegraph.com\/magazine\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cointelegraph.com\/magazine\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cointelegraph.com\/magazine\/wp-json\/wp\/v2\/users\/18"}],"replies":[{"embeddable":true,"href":"https:\/\/cointelegraph.com\/magazine\/wp-json\/wp\/v2\/comments?post=4499"}],"version-history":[{"count":3,"href":"https:\/\/cointelegraph.com\/magazine\/wp-json\/wp\/v2\/posts\/4499\/revisions"}],"predecessor-version":[{"id":8314,"href":"https:\/\/cointelegraph.com\/magazine\/wp-json\/wp\/v2\/posts\/4499\/revisions\/8314"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cointelegraph.com\/magazine\/wp-json\/wp\/v2\/media\/5408"}],"wp:attachment":[{"href":"https:\/\/cointelegraph.com\/magazine\/wp-json\/wp\/v2\/media?parent=4499"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cointelegraph.com\/magazine\/wp-json\/wp\/v2\/categories?post=4499"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cointelegraph.com\/magazine\/wp-json\/wp\/v2\/tags?post=4499"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https:\/\/cointelegraph.com\/magazine\/wp-json\/wp\/v2\/yst_prominent_words?post=4499"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}