Every few years there comes a technology that people get hyped about, everyone wants to be a specialist in that field because it appears to be the next big thing.
Between 2015-2019 this was largely about bitcoins and blockchain technology. Everyone wanted to be a specialist in blockchain technology. Bitcoin was booming, ICOs were happening to the left and right.
And people were trying to introduce/incorporate blockchain technology into everything they can get their hands on.
Yes sometimes blockchain technology can improve the existing system. However, when you try to introduce blockchain or any other technology into something that doesn’t require it,the results can be disastrous.
This is a story I wanted to write for a very long time, it was about a small startup called BlockEvent. A small startup that wanted to incorporate blockchain technology into event management.
Their website blockevent.tk is now not functioning, and I was unable to find a web archive snapshot. A mirror exists on a different domain, please check the footnotes.
Blockchain on event management has been there before BlockEvents. Smart ticketing and smart contracts are currently being used to improve the ticketing field and control pricing etc.
BlockEvents wanted to make the whole event process a decentralized mechanism. From user data, to events, to registration, everything was supposed to be “decentralized” and was “not accessible” to and “not modifiable” by anyone.
According to the BlockEvent team,
We made BlockEvent as a decentralized system. That means no central party can control this booking process and it will work without any third party involvement.
BlockEvent acts as a bridge between the organizers and the participants where organizers come and create events through our system, and participants can come and book their tickets.
The whole process is done through Public Blockchain.
Using the blockchain for user identity management is a whole new paradigm.BlockEvent on one of their Facebook posts, describing their system.
BlockEvent when initially started mainly hosted monthly blockchain event meetup events. However, their big break came in May 2019, during the annual Google I/O.
Google I/O event is celebrated in Sri Lanka every year, with local tech companies hosting events of their own, with local influencers, while live streaming the Google I/O event.
The selection process is a very completions, hundreds of people compete for few limited number of seats. These events are a good place to network and meet new friends in IT field. Plus you end up getting some cool swags.
In order to be selected to these events you need to show that you are a tech person, usually they check your GitHub page, blog or YouTube channel. And the tech company will select and send an invitation to whom they think are the most suitable to attend their events.
Until 2018, this was done by using a simple Google form or a regular website.
However, in 2019, one of the largest tech and telecom companies in Sri Lanka decided to use BlockEvents to host their Google I/O event.
Getting selected by a big company like them to manage their Google I/O event was big deal, because they host one of the largest I/O events in Sri Lanka. And BlockEvent can leverage this to opportunity to get bigger clients in future.
It was their make or break moment. They had to nail it, and if they failed then for a small startup like BlockEvent, the damage to their reputation is going to hurt them to a point where there is no return.
BlockEvent also in their description, said this,
To ensure the user data privacy and security, we are not storing any user credentials or password[s] in our database. Even the user emails are stored as a hash. Only the users know their passwords and that will provide 100% control over your account actions. Even BlockEvent team can’t access your accounts.BlockEvent describing their system in a Facebook post
Since they were storing everything in the blockchain, they were not storing even user emails and passwords. This may sound as a good privacy focused system. But this will come to hurt BlockEvent in a very bad way.
Since no one else other than the people in monthly blockchain meetups knew about BlockEvents, like in any other new service, most people registering for the local Google I/O event used either throwaway passwords, or new passwords which they forgot or didn’t save.
This caused large number of people to forget their passwords. If we use a normal database to store user data, with no hashing, they would have been able to reset the user passwords.
However, since everything is stored in blockchain, and everything were hashed, this meant that there is no way to reset a user password.
This led to large number of people being locked out of their accounts, unable to create new accounts with the existing emails, and BlockEvent team unable to reset passwords.
This caused a wave of negative reviews on BlockEvent Facebook page and on social media. Some users demanded the organizers to go back to the old system of using a Google form for user registration.
BlockEvent finally responded to their users, they had no way to reseat the password. Unless you remember the password and login, or you are permanently locked out from using the account.
Due to the rules of decentralization, we can’t reset your passwords as we are giving priority to user data and security. We already communicated this on registration [on sign up].
To ensure the decentralization the same rule is applied by many other [b]lockchain projects and products all over the world.BlockEvent responding to the events on a Facebook page
BlockEvent also asked participants to send their personal details on Facebook and via a Google form, so they can manually arrange a way to send the gift pack to the participants.
Some of the users accused the selection process was also flawed and complained that some of the people who were less qualified to attend the event were selected over them.
All this led to irreplaceable damage on BlockEvent, and the Google I/O event didn’t happen due to the Easter Sunday bombings.
BlockEvent went into hiatus few months later, all thought they never mentioned that they are shutting down, their website went offline once their domain name expired. Possibly signaling the end of the startup that hoped to decentralize how we manage identity online.
The title of the post is “Somethings are never meant to be invented”.
No matter how utopian the idea may sound like, guaranteeing 100% user privacy with everything stored on a blockchain, not even giving access to user email to the creators can have its own drawbacks.
And since we are all humans, and we all tend to make mistakes, there has to be a fail safe mechanism, that will keep things in check and can undo the mistakes when we make one.
Also a single use password is a very bad idea, not only that users can lose their passwords, but also in the event of a data breach, user handing over the password to a third party by a mistake, how can the service reset the passwords? There are so many scenarios where things can go wrong.
May be an idea like BlockEvent were never meant to be invented.
The currently hyped up technology may not be ideal for your system and instead a time tested solution may be the answer that you’re looking for.
When it comes to blockchain and cryptocurrency, I’m still open minded, at the same time but skeptical. I’m not yet ready to invest or build something on blockchain.
I still find it difficult to fully understand the idea of blockchain, what makes it different from a decentralized git repository? Why Git is easy to implement but blockchain is hard?
When it comes to BlockEvents, I think what they did was store the email and password both hashed on the blockchain, and when a user logs in, they match the submitted hashed email and hashed passwords against what’s stored in the blockchain, like we do it in a normal login system using a database, except the fact that we don’t hash the emails.
I’m not a blockchain expert, so I don’t know the exact reason why BlockEvent was not able to reset the passwords.
Was it because they didn’t know the emails because they were hashed, or was it because once you put some information to the blockchain it is immutable, or was it due to both?
At the time when I saw this in 2019, I thought it was due to the fact that data is immutable on the blockchain, but now at the time of writing I feel it was due to the fact that the emails were stored on the blockchain in hashed format.
I also don’t know what really caused so many people to lose their password, my assumption is that they used a throwaway password, or a new password which they forgot. But still this number of users getting locked out is still unexplained.
After further Googling I was able to find a mirror of the original website on another domain name http://blockevent.ml
I tried logging in using my BlockEvent account, but I also have forgotten my BlockEvent password, and now I’m also locked out.
- BlockEvent password forgot requests – https://m.facebook.com/pg/blockevent.live/reviews/