The Security Challenges of DAO-based Employment

tl;dr: Working for a DAO will give millions of people opportunities that were previously impossible, allowing organizations to move faster at lower costs. At the same time, the security of the contributors must be top-of-mind.

I recently had a proposal passed by the Genesis DAO, a decentralized autonomous organization, that runs on DAOstack (discl: advisor).

What that means is that, when I submit my final deliverable, I will be paid by a smart contract that exists on the Ethereum blockchain.

I am not alone.

Others have done the same both at the GenesisDAO and through Politeia, a marketing and community governance platform that supports Decred (reviewed here).

In the near future, more and more people will submit proposals to entities like this. Polkadot is building the PolkaDAO. Gnosis has already launched DutchX.

All of them will get paid by a smart contract.

On the one hand, that’s extremely cool and the cost-savings possibilities here are orders of magnitude cheaper than the existing systems.

It’s why I have called DAOs, “decentralized ERP.”

On the other hand, it raises a serious privacy challenge.

The Potential Security Pitfalls of DAO-based Employment
Let’s, for example, look at an innovative proposal for a “real-life” organization based in Prague, but which will operate as a DAO.

Appropriately enough, it’s called the PragueDAO and its mission is:

to create a physical space in Prague that will support a DAO incubator for companies as well as DAO research and events in one of the most high profile locations in the city.

I happen to think this is a wonderful experiment. It’s a chance to bring a “digital-native value organization” to the physical world. It may be one of the first, in fact.

At the same time, however, because it is physical, there is a risk. That risk is both of security and privacy.

The person behind the proposal is listed as @davidcostello86. A couple of clicks from there and you get to his Twitter handle which has a picture. Meanwhile, his GenesisDAO account has his Ethereum address where you can dig around as well, seeing amounts and past transactions.
At the same time, however, because it is physical, there is a risk. That risk is both of security and privacy.

It could be revealing and a source of vulnerability

Now, we’re not talking about huge sums of money…for the time being so David (who works for DAOstack as well) is probably fine.

However, what happens when everyone knows who a person behind a proposal is AND how much money is sitting in their account?

I could see a scenario where enterprising criminals, kidnappers, and other nefarious actors start putting it all together and targeting the recipients of DAO funds, much like they target big holders of crypto.

For purely digital activities, this isn’t a huge issue. You can create an online alias that acquires provable reputation (REP), which serves as a currency within a DAO.

For physical DAO scenarios like in Prague or in situations where people leverage their real-world persona to support their proposals, as I have done, it’s something to consider.

I don’t know what the answer is, but I think zk-snarks or something like that may be part of it.

A super early example I saw recently came from outside the world of DAOs. A 100% privacy guaranteed email newsletter put out by the Zcash Club of LA and delivered via the blockchain. I still have to play with it to fully get my head around it, but the bottom line is that the identity of the recipient is kept a secret.

As DAOs proliferate in popularity and make the jump from 100% digital to analog, as in the Prague case, they will be forced to figure out how to protect the identities of their contributors so as not to compromise security.

blockchain marketing crypto tokens protocol climate change analytics insight ROI agency tactics DAO