Updated on:12/01/2025 05:07 PM 
The emergence of the metaverse brings new challenges regarding user privacy and data-driven marketing. This digital realm relies on immersive technologies that could enable companies to collect novel types of personal information, including biometric data.
In a worst-case scenario, Web3 and the metaverse could become just as problematic for user data privacy as the Web2-based business models many of us dislike, potentially even worse. How can we as an industry avoid falling into the familiar trap of surveillance capitalism?
Web3 technology itself holds the key to answering these questions and mitigating the risks. There are varying definitions of what Web3 actually entails; one key definition is that data should reside on the user or client-side, not on the server-side. The latter represents the current framework of today and the primary reason why users lack control over their data.
Web3, on the other hand, represents the complete opposite – users maintain control over their data through their wallets. However, having control also means sharing data when and where necessary, and a key technology enabling user control over personal data is so-called decentralized identifiers or DIDs.
DIDs have already been standardized through the W3C and several blockchain projects are working on implementing the standard for use by average blockchain, Web3, and metaverse users.
According to the DID standards documentation, DIDs are
“a new type of identifier that enables verifiable, decentralized digital identity. A DID refers to any subject (e.g., a person, organization, thing, data model, abstract entity, etc.) as determined by the controller of the DID. In contrast to typical, centralized identifiers, DIDs have been designed so that they may be decoupled from centralized registries, identity providers, and certificate authorities. Specifically, while other parties might be used to help enable the discovery of information related to a DID, the design enables the controller of a DID to prove control over it without requiring permission from any other party.”
One of the blockchain projects deeply involved in developing and implementing DIDs is Ontology. Ontology is an open blockchain project that helps other projects prioritize reputation and decentralized identity – aspects like data ownership, data sourcing, integrating data from various feeds and locations, with a focus on cross-chain collaboration as well.
To help us understand the risks and how to minimize those risks of surveillance capitalism in Web3, CryptoSlate spoke with Erick Pinos, Ecosystem Lead at Ontology. Erick is also Lead of the Blockchain Real Estate Network (BEN), a seven-year-old global network of blockchain clubs, students, professors, and alumni.
According to Pinos, what sets Ontology apart is the tools and framework to manage digital identities and control data – storing data and keeping it privacy-preserving for the user – that Ontology develops and provides to others.
“I think the metaverse is going to transform how audiences are engaged because up to this point it's been very direct – here is the product and the service you can choose to interact with or not – but now with the metaverse, especially when we get more into things like VR and experiments with AR, now we're interacting with these services in a 3D space, as opposed to just seeing it on our screen,” Pinos says.
This is going to transform the relationship between the consumer and the product or service, because the consumer can see it's a tangible thing that's right there in front of them, especially for VR. Even now, people are able to spend some time in these virtual worlds and just hang out. That has already changed the way that people interact with others and with these services.
Services in a metaverse virtual world can collect user data by tracking user behavior, instead of just collecting data in 2D, such as where the user is looking on the screen or where the mouse is pointing. In the metaverse, services can collect data in a 3D space, where people are moving around and interacting with other users and with services.
“I think that it's up to us as an industry to put decentralized protocols in place for people to still remain in control of their data, because that is a lot of data that is going to be generated, and if we're not careful about it, it's going to end up in the hands of companies that are running the risk of losing all this data in hacks,” Pinos says.
According to Pinos, decentralized identities are going to play a big role in this development because that is what lets people link data pieces to their identity, to then present for whatever use case they need. Users might need to transact with someone or something where they need to present a credit score, for example. By having a decentralized identity they are able to share that information and then revoke it once the data has been shared or once the use case has been fulfilled.
The important thing is that data doesn't stay, it doesn't live on the server owned by a company, it stays with the user, it only gets revealed to do whatever the task is.
One could argue, then, that this framework doesn't stop companies from saving the data once it has reached the company server; which is true, but it would depend on the terms of service for that particular service. It could also be that a service must keep user data e.g. for compliance purposes.
But according to Pinos, as the entire industry is moving toward open data collaboration and letting people keep their data personally, privately, and locally stored, companies are going to have to adapt to this new framework.
“Companies can't just keep going with the current framework, they need to evolve and adapt because that's how they can tap into the wealth of data that exists in the metaverse. For most of the products that transition over, there's going to be a standard line of data, and the moats are no longer going to be in collecting data and signing it, but rather in the models that you can create to run on top of that data,” Pinos says.
There's definitely a risk that things could go wrong; there's nothing inherent in Web3 that makes it impossible for services and companies to practice unwanted surveillance. In fact, it may be even more tempting than today, because of the volume and richness of the data becoming available.
“There's going to be a lot of data created through Web3 – people interacting with their wallets through the metaverse and people moving around in these 3D spaces. That is a lot of data generated per person per time,” Pinos says.
Since there's nothing "hard-coded" in the technology itself stopping surveillance, the industry has to take softer means and take the proper way of thinking. The industry has to make sure that it has incentive to steer the development of the technology in the right direction.
According to Pinos, the early development of the web tells a story to learn from. At the beginning of the web, there was a big clamor that corporations were not welcome there and that this is the future of the free internet, but a few years later the companies came on board and started to put ads everywhere, and put cookies and trackers on users' devices. The rest is history.
“I think that's why it's important for us to reflect on what happened before because if Web3 became like that, it wouldn't be Web3 anymore. We would be still just living in Web2.”
Unfortunately, the trend is already here, especially around huge established Web2 companies that smell future profits in the metaverse. Some have even changed their company name accordingly.
Pinos thinks these companies will pivot their marketing and say they want Web3 because that makes sense for them, but he doesn't think they will be able to adapt the actual business model. Instead, there will be new companies starting from the ground up that will build themselves up using new frameworks.
“I think there's a shift for the internet and how we interact with the internet, so I think there's going to be a change – the internet is not going to stay the same forever, it will keep evolving, and evolving in drastic ways,” Pinos says.
How, then, are the Web3 native businesses behaving; are they adhering to new and better incentives, or is it too tempting to make money the old way?
“There's a couple of them, but it's still a market so they need to figure out short-term revenues. I think a lot of the Web3 space right now is very experimental so it's going to take a little while before we see native Web3 companies just running themselves. There will be a transition period, and each successful project will push us a little bit further into using Web3 principles,” Pinos says.
Of course, Web3 is about open ledgers, and all data stays on the blockchain and might be used for all kinds of purposes. For example, if someone voted in a DAO, everyone can see, and possibly exploit, this information.
“That's why I think DIDs are important because right now if you're voting in one of these projects, you're voting in a DAO, but in the future perhaps you'll be voting in political elections using blockchains. That's why, on the user side, we need decentralized identity so people can create DIDs for themselves, and then vote in a way so it's not revealed, and it's not tied to their public address,” Pinos says.
The vote, however, will still be verifiable, that a person casting a vote is eligible to vote. Also, on the actual transactions themselves that are used for the voting, there's a lot of development happening with zero-knowledge proofs that enables voters to cast their votes without revealing who they are and for the system to know whether it's a fair vote.
The same thing goes with any kind of transactional activity – there are two levels to this, on the transaction side, and on the user and wallet side.
“DIDs will be helpful on the wallet management side, so you can use different DIDs for different purposes, and zero-knowledge proofs will be helpful on the transaction side where you are actually executing the transaction. It will be secure and private, but it will still be verifiably transparent.”
Erick Pinos' advice to builders and developers is that they should always be thinking about doing everything, or as much as possible, around data processing on the client-side, because that's how they touch the data as little as possible. Builders should try to modify the storage, and even modify the architecture.
“If the user passes the data to you and you run a computation on it, there's a point of potential risk, because they sent it over to you, so the more you can do on the user side, the better. That way data stays local and doesn't get sent somewhere. If it does get sent, that's where it can be intercepted, that's where it can be stored, that's where it can be hacked.” Pinos says.
Fortunately, technology development is playing into the hands of developers. Users' computers are getting stronger and more powerful and they can run powerful applications even on people's phones.
DIDs let the user be in control of the data, but that doesn't mean the data mustn't ever leave the user's device. There are, of course, use cases where users must provide some data, such as AML/KYC information, or the user won't be able to access the service at all.
Erick Pinos believes in the flexibility of letting projects determine the level of verification they need for users to access the product; whether it's full-on KYC, or just data needed to verify that a user is a unique individual and not a bot.
“I think that this level of flexibility is going to be very important because it enables the different projects to create and strategize what their requirements are based on, or what their risk tolerance is.”
“It's a global industry, there's no one-size-fits-all KYC solution for the whole world. Different jurisdictions have different levels of KYC for their citizens, so the only thing we can do is to provide that flexibility for the projects,” Pinos says.
Using DIDs for AML/KYC purposes is, in Erick Pinos' mind, a better way to approach this type of verification because by compartmentalizing identifiers it wouldn't be like sharing a passport or driver's license with all the information in them. The user would only be sharing the information that the project needs to verify them. Services don't need to know the user's height, eye color, or home address, they just need to know that it's a unique person, that it's not a fake ID, and that a user is a unique individual.
“Some projects might need to know more, so what a DID does is that it gives you the flexibility to provide that. Right now, the system is very clunky – you upload a jpeg of your passport to all these companies and servers and it's there forever. DIDs are a much smarter way, and a much more flexible, robust way of sharing sensitive information to verify your identity,” Pinos says.
To make DIDs work globally, it helps to establish standards to make different DID protocols and projects interact with each other, even projects that have never heard of each other. As long as developers adhere to the W3C standards, they are able to plug into and trust with all other standards-compliant identity-based projects.
“I always believe that standardization is mostly a great thing,” Pinos says. “We have people on the team that participate in the design discussions for the W3C. They review the reports and the formal proposals that update or add to the standards.”
“The things we've been working on are making huge strides in the right direction, both in terms of the technology that Ontology is building, but also the thought leadership, being in conference calls, with different consortium members, with different companies and enterprises. We handle these things and talk about what the standards, incentives, and frameworks should be.”
For Pinos, DIDs are not just a purely technical solution, it's also a matter of standards, incentives, and how we design things from a societal perspective.
What sets Ontology apart, at least according to Erick Pinos, is that Ontology has its own layer-1 blockchain, but Ontology is also developing middleware solutions that can run on other blockchains as well, but ultimately verify back to the L1.
Ontology's technology stack is compliant with the W3C standards, which means it can integrate with already existing digital systems for digital identities, not just decentralized identities.
Besides the blockchain, Ontology has developed the ONT ID solution, which is the actual implementation of the decentralized identity framework that they have. This is what integrates the DID with the verifiable credentials, and that is compliant with the existing systems.
ONT ID is also deployed to other chains as well, and that is how Ontology is able to bridge across different chains and create cross-chain identity profiles for users.
Web3 technology is not some magic solution to the dangers of Web2 surveillance capitalism, we still need proper incentives, but it does put, especially with the use of DIDs, tools in the hands of users to give them control over how their data, and what data, is handed over to the services that need them, or don't need them. As we have seen many times in crypto, Web3 shifts, in some respects at least, the power over to the user side. But as always – not your keys, not your data.
