The Problems With Proving NFT Ownership
This is a first draft
I would like to talk about how it is possible to claim first-rights (creative ownership) to an NFT.
Since the most common response to the issues with NFTs that I have brought up is "but you can verify which NFT is authentic through the blockchain", I will disprove this misconception next.
NFT authenticity is currently verified through three methods. The first method is whether the "creator" has a blue "verified" badge on their profile. This is, in my opinion, an unreliable method. Identity theft is very sophisticated these days: criminals are capable of creating companies, opening bank accounts, getting credit cards, and doing a whole lot of other nasty things with stolen identities. They can bypass just about any security measure put in place. We have to realize that no company in the NFT sector can or will be able to manually validate identities; most of these procedures are automated and implemented through third-party software. Behind the scenes there are "tiers" which trigger higher levels of scrutiny and warrant further review and verification. Understanding these principles, a malicious actor can in fact join one such platform and operate "under the radar" by using a larger set of identities and selling at lower price points, or they could get fully verified by selling an expensive item to a known associate of theirs. This isn't a hypothetical scenario; it's just a matter of time before we hear about this on the news.
The biggest difficulty for NFT marketplaces in verifying an artist will be confirming that the artist is in fact the original creator of the artwork. Their only resources and tools are the internet, Google searches, image databases, etc. This will not be enough. One could easily join the platform with a privately acquired digital art piece, verify their identity and the "authenticity" of their original creation, and only afterwards start selling stolen work under their name. One could sell hundreds of NFTs before getting flagged and removed from the system. We are already seeing this turn into a big problem: there are thousands of stolen renditions being sold at this very moment.
The second method of verifying authenticity is the reputation of the marketplace that mints the NFT. This is the most unreliable method of the three, since you can never truly trust a company/entity/brand. Time and time again it has been shown that every successful company has participated in illegal activity, cut corners, and intentionally made decisions that were not in favor of their clients, all with the goal of making more money. Read the news and study corporate history if you doubt me on this. Additionally, a malicious actor could use one of the more reputable marketplaces to mint their NFT and then transfer it to another platform where they are verified, thus bypassing the two layers of security by splitting them into two separate actions and making it significantly easier to inject stolen NFTs into the market.
The third and most important method of verifying the authenticity and validity of an NFT is through the blockchain, the one and only source of truth. Data that is put on the blockchain is immutable and stays there forever. This is the verification method that is constantly being mentioned. NFT marketers have repeated this fact so many times that it is permanently embedded in everybody's heads. Let us break this down piece by piece so that we can understand how to leverage this immutable source of truth in our favor and hijack a legitimate token. The NFTs currently used in the market are on the Ethereum blockchain, and each NFT has to be compliant with the ERC-721 specification. To summarize, what is required of an NFT contract to be compliant and create NFT tokens is to provide functions that allow one to make a transfer, get/set approval, get a balance, identify the owner, and not much else. The one thing that makes the NFT so "unique" compared with other ERC tokens is the ability to store metadata. This metadata is stored on the blockchain in the form of an external URL pointing to a JSON file with the actual metadata. That's it: an NFT is just a URL pointing to a JSON file.
The way an NFT gets authenticated on the blockchain against a "fake" is quite simple: you compare it with the NFT in question and see which came first. The one that was minted first is the original, leaving the other to be the imposter.
A truly dedicated malicious actor could accomplish a scam on a massive scale by pre-minting a bunch of blank NFTs, getting verified on a reputable marketplace, selling legitimate digital art to known associates, and passing all the verification flags. Then, once all is complete, they transfer in a set of stolen NFTs to sell through a verified and fully approved account.
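As an added example (not part of the original post), the sketch below shows what a marketplace review check could look at instead of the mint block alone. It assumes an indexer has recorded what each token's metadata URL resolved to over time; the token labels, the `Snapshot` record and the sample history are all constructed for illustration.

```python
from dataclasses import dataclass
from hashlib import sha256
from typing import Optional

@dataclass(frozen=True)
class Snapshot:
    token: str                 # hypothetical "contract:tokenId" label
    block: int                 # block at which the snapshot was taken
    art_sha256: Optional[str]  # digest of the image the metadata resolved to; None = blank

ART = sha256(b"constructed artwork bytes").hexdigest()

# Constructed history: 0xBBB:7 is minted first but blank; 0xAAA:1 is minted later with the art.
HISTORY = [
    Snapshot("0xAAA:1", 200, ART),
    Snapshot("0xBBB:7", 100, None),
    Snapshot("0xBBB:7", 300, ART),
]

def snapshots(history, token):
    return sorted((s for s in history if s.token == token), key=lambda s: s.block)

def minted_first(history, a, b):
    """The comparison described above: the earliest mint block wins."""
    return min((a, b), key=lambda t: snapshots(history, t)[0].block)

def first_bound(history, token, art):
    """Earliest block at which the token actually resolved to this artwork."""
    blocks = [s.block for s in snapshots(history, token) if s.art_sha256 == art]
    return blocks[0] if blocks else None

def bound_first(history, a, b, art):
    """Rank by when the artwork was first bound to the token, not by mint block."""
    bound = {t: first_bound(history, t, art) for t in (a, b)}
    candidates = [t for t in (a, b) if bound[t] is not None]
    return min(candidates, key=lambda t: bound[t]) if candidates else None

def review_flags(history, token):
    """Reasons a marketplace should hold a token for manual review."""
    snaps = snapshots(history, token)
    flags = []
    if snaps[0].art_sha256 is None:
        flags.append("blank at mint")
    if len({s.art_sha256 for s in snaps}) > 1:
        flags.append("metadata changed after mint")
    return flags

if __name__ == "__main__":
    print(minted_first(HISTORY, "0xAAA:1", "0xBBB:7"), review_flags(HISTORY, "0xBBB:7"))
```

The binding block is a stronger signal than the mint block, not proof of authorship: it only shows when a token first pointed at the artwork, and it depends on someone having recorded the off-chain metadata at the time.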
Sounds incredibly simple and almost stupid, right? This is the technology running the entire NFT market. We are not even talking about Intellectual Property rights not being associated with NFTs; I will link to some great articles on that topic below.[1]
- Monsieur Personne