A Quick Introduction to NFTs: The Internets Latest Scam
I've been doing some research on NFTs (non-fungible tokens) and can now
confirm the idea that: when you purchase an NFT, you do
have exclusive rights to the digital artifact that you purchased. The image, or
digital artwork, is out there, either directly on the Internet, or on
the Dark Web, and can be accessed by anyone with some relatively
simple tools (and some extra time on their hands).
Said another way: if you purchase an NFT, anyone on the Internet can download
the image, or digital artwork, or whatever digital artifact that you
purchased - in it's original form - and you cannot stop this from happening.
Nor can you stop discovery of the ownership data itself.
I validated this by following a set of relatively simple steps to locate and
download a single NFT.
Think about that for a moment: when you buy an NFT, you're likely making a
couple of assumptions (which turn out to be impressively false):
- That you own the content itself. Meaning, you're the only one who can access
it. Said another way: it's somehow "protected", because it's stored
on the blockchain.
That or: "It's encrypted and only I have the keys".
("After all, I bought it, right?! So I should own it now?")
- That your ownership is private, so no one can know what you've purchased. As it
turns out, the receipt of your purchase is published in the public domain.
To quote Geoffrey Huntley, who employs an eloquent metaphor to explain the whole situation:
What are people actually purchasing with NFTs?
The one way I like to look at it is that you've got one side that's essentially
selling a treasure map, or directions on how to get to treasure, and the other
side thinks they're buying treasure, the actual treasure. On one side, we have
people who think they're buying the artwork, the treasure, and that's what
they think is valuable, and on the other side, we have people exploiting those
people, and selling treasure maps, how to get to the treasure.
I wanted to find out more, so I followed some simple steps to locate and pull down
a single NFT over ipfs.
Here is a high-level overview of some of the technical details that explain both why NFTs
are not stored on the blockchain and how to access any NFT in existence:
Caveat: I do not recommend using any of these tools unless you understand the
risks. Ipfs links are essentially dark web links, and pulling down unknown content via ipfs
is a good way to get yourself in trouble.
- As it turns out, the cost of storing 1 GB of data on the blockchain is incredibly high:
"As of Dec 31st, 2021, it costs $284M USD to store 1GB worth of data
on the Ethereum Mainnet".
This cost bounces around a lot, as the underlying price of Ethereum transactions is highly
volatile... but suffice it to say, it's wicked expensive.
- Therefore, it's cost prohibitive to store an actual NFT on the blockchain. Even if they're
small-ish (~kB or ~MB in size), it's simply cost-prohibitive.
- So to sell an NFT, people store a URL to the NFT instead of the digital artifact itself.
This is specified in the contract and is normally an "ipfs" link (though not necessarily,
it can be "https" or similar). This minimizes the amount of data that needs to be stored
on the blockchain.
- Since Ethereum transactions are public, you can browse them and find NFT transactions.
The whole point of the blockchain is that anyone can download it and validate the
transactions that it's storing.
As it turns out, this opens up a huge number of privacy issues, which I expect to
play out over the next few years as "the solution known as blockchain" finds
problems to solve.
- There are widely available tools
to walk the blockchain. You can simply walk the chain and peruse the transactions.
- Once you find an NFT transaction, you can look at the contract and find the ipfs link to the
actual digital artifact that someone purchased. It's in plain text and begins with
either "ipfs://" or "/ipfs/".
- You can then use any number
of applications to download the NFT digital artifact itself (to download the target of the ipfs
link). If the link is https, you can use a web browser to pull
down the content if you're familiar with the simple network tools that come with any decent browser.
This all means: when you buy an NFT, you're not securing exclusive access to a photo or digital
artwork, you're securing ownership of a pointer for how to get to said artifact, and your
ownership isn't private, it's actually public.
(Read: If what you bought was essentially a map to the digital content, and said map was then
immediately made public, well, what exactly was it that you bought?)
(Read: NFTs are a scam of breathtaking proportions)
(Read: There's a sucker born every minute)
To prove all of this in the most extreme way: Someone made an
archive of all NFTs currently in existence by
programmatically walking the blockchain and indexing all NFT transactions, then spidering in the
digital artifacts themselves, then bundling the whole thing up into a massive torrent.