Getting Started with Governance

Table of Contents

Getting Started with Governance

There are two ways to write error-free governance,
and only the third one works.

I am paraphrasing, of course, but I am also amazed at how complex and interesting of a subject this is.

Two big things I took away from Lane’s presentation: we need to identify who the key stakeholders are in this ecosystem, and we need to determine our “self-evident truths” as a community.

There have been quite a few sentiments expressed in quite a few different directions as I’ve watched content in both the chat and the forums, but I think we all came here under the same reasoning - we want apps that don’t can’t be evil.

The purpose of this post is to try and aggregate the information in one place for general knowledge and review.

:postal_horn: Replies to this post should only be to add to the reference material at the top, rather than discuss any of the points below.

There will be other topics for that, this one is long enough!

How do we define a dApp and can't be evil in this context?

Instead of trying to define this myself, let’s start with some of the resources we have already that were designed around this concept and the Blockstack ecosystem to begin with.

Blockstack PBC

From the Blockstack Community Guidelines

Blockstack’s mission is to enable an open, decentralized internet which will benefit all internet users by giving them more control over information and computation. We’re committed to always support the decentralization of the Blockstack network and ensure that we build the network in a way that no single entity, including Blockstack PBC, has control over it.

We’re committed to build a safer, more secure, and more user controlled new internet. We believe decentralization is key to personal freedom and to innovation.

From the Principles of Blockstack applications

An application is considered a Blockstack DApp if it adheres to the following three principles.

  1. Users own their data (independent and outside of the application)
  2. Users own their identities (sole administer of their own independent and unique identifiers)
  3. Users have free choice of clients (identities and data are application independent)


DApps serve users
Fundamentally, DApps should serve users by preserving user autonomy. Developers should not profit from abusive features or neglectful designs. Because Blockstack applications allow users to own their identity and data and gives them free choice of clients, any user can simply stop or avoid using bad DApps with near-zero switching cost.

New Internet Labs

From New Internet Labs

At New Internet Labs, we believe that the world deserves better. We believe that together we can build a web of apps that respect your digital rights. Software running on your behalf, not laws, regulation or privacy policies is the best positioned to make sure that those apps Can’t Be Evil.

From Larry Salibra and the Can’t Be Evil Sandbox FAQ

Can’t Be Evil Sandbox v1

  • No Cookies
  • No Third Party Assets
  • Programmatic Connections Allowed

The current web uses a blacklist model for network security instead of a more secure whitelist model based on the principle of least privilege. Today’s web browsers let web apps connect to any server in the world they want unless the user has installed some sort of content blocker that blocks the unwanted connection. This results in a world where a web app can make an unbounded number of connections and ad or tracking blockers are left to guess which ones might be unwanted. It’s an unending game of whack-a-mole that can’t be won.


From the FAQ

If you use traditional apps, your digital rights, privacy, and choices are severely limited. These app ecosystems serve to enrich a small number of powerful corporations by centralizing user identities and data storage.

Decentralized apps offer a solution based on blockchain technology. Dapps link developers and users directly, without middlemen hosting software or managing user data. These customer-developer networks are more transparent, equitable, and resilient than traditional apps—with all parties incentivized to treat each other well as they rapidly innovate.

Today there are thousands of dapps built on protocols like Ethereum, Blockstack, and many others. While definitions are rapidly evolving, here are some criteria aligned with the future:

  • Do customers own their network identity? Can anyone else revoke that identity?
  • Is customer data encrypted? Can anyone else decrypt that user data?
  • Is customer data stored on decentralized networks with reconfigurable APIs?
  • Is the app open source? Can community members contribute or fork the software?
  • Is the app publishable and hostable by others or only a single company?
  • Is the app running client-side or on a server?
  • Does the app limit or clearly communicate the scope of data logging?

Can’t Be Evil App

From Terje|njordhov

  • Defending Digital Rights
  • Data Ownership
  • Privacy by Design
  • Security Through Encryption
  • Can’t be Evil

This is a preview of Can’t Be Evil? … an interactive investigative exploration into dapps and privacy. We use the medium of a dapp - a decentralized application - to expose what such dapps get to know about you compared to data amassing centralized services like Google and Facebook. Spoiler: Far less.

Join us in keeping dapps honest and respecting privacy. Sign in to go down the rabbit hole and discover what dapps like this actually get to know about you.

After logging in, I learned that dapps get to know the following about me (whoabuddy):

  • my blockstack profile user name
  • my blockstack profile first/last name
  • my avatar (which varies in size depending on which ID!)
  • the number of times I have used the dapp before

So far you have visited this dapp 1 time…
How it knows: The dapp stores a timestamp for each time you load the page, countin the number of timestamps to determine how many times you have visited. Reload the page to see the counter incrementing.

And the most controversial one of the bunch, what dapps I’ve used before.

IMO this should be opt-in only. I don’t want an app to know what other apps I’ve used unless I authorize it first, and it’s that type of data that spawned the do not track issues we have with browsers today. You don’t need to know where I came from or where I’m going, only that I’m here. /IMO

What are people saying?


If we want the world to care, we have to get our own house in order first.


In an open and decentralized system, you don’t want to trust anyone.

Discord Chat Mentions

Disclaimer: I am not in the chat 100% of the time, but I wanted to collect some of the conversations that stood out to me in regard to the topics above. If I missed you, I’m sorry, and if I misrepresented you, please let me know and I will correct it!

Regarding dApps and Privacy


The question I have is what stops company XYZ from walking into this ecosystem and creating apps that follow the same Web2 principles. That’s where we need to establish ourselves as ethically different by the “can’t be evil” philosophy, and measure that the apps we promote follow the same standard. Even if its just an awareness campaign I think it has more meaning in this space than what is currently out there.

it is my hope that as we go through this governance process we can define what a dapp is in the BS ecosystem, what CBE really means, and a basic standard to hold every app against.


We had a misalignment of incentives and measurement for the longest time … We wrongly assumed people would come to this community with the right intentions, but those were the minority, unfortunately, and partially what led to the app mining pause.

We should all remember that its up to users and devs to maintain security.


Users should have reason to trust the Blockstack ecosystem in being truthful and deliver on our promises. :innocent:

There are prominent Blockstack apps with highly misleading marketing, yet still promoted by PBC and the ecosystem. Honest marketing should be implied by the CBE ethos.
Proposal: Reviewer of Truth in Marketing #155

It is of course debatable whether the Blockstack SDK should expose previously used apps. This information is made available to every Blockstack app by the SDK. We make a point of educating users about this fact in the Can’t Be Evil app, which highlights data Blockstack apps get to know about the user, including the list of previously used apps. :innocent:

Sérgio (Envelop)

For me the only analytics that I would want to use on :envelop: is one that asks the user about it first, before tracking anything. All current apps just start tracking you and then tell you about it in the Privacy Policy at most.

Regarding dApps and Decentralization


Yesterday I received this comment about :note_riot: NoteRiot: i love that you have the ‘deploy to netlify’ button. i forked you on gitlab, clicked the button, and then i don’t have to do anything except push commits! … I challenge you all to enable your users to run your applications in a trust-minimized way.
Also, someone in a private keybase group asked me how to recognize good Blockstack apps. Here’s what I told them:

First thing, Blockstack does not guarantee any sort of privacy … they make a platform that devs can use to create private, secure apps, but there is no enforcement mechanism in the code … although i try my best to shame devs socially who make crappy non-private apps using blockstack, its of limited use
Second thing is, if the app is using Blockstack, your data is encrypted via an “app Private Key” which is deterministically derived using the “host” of the app and your own private key… this means, if that host goes away, and you do not know the name of the files or how they were saved, you effectively lose your data. Again, we try to make everything open source, so that you can always know whats happening, but there are many closed source devs.
So … what is “good”, to me, is an app that 1) is open source, 2) details how you can run the app yourself on your own client, without reliance on their hosting, 3) provides a way to download your data, and 4) does not use Google/Facebook/Amaazon analytics, so that you’re tracked all over the web.

Sérgio (Envelop)

You are right that tying the private key to the host is a blessing and a curse. Domains aren’t decentralised, they’re owned by someone. I imagine there must be a way for a user to retrieve his/her files decrypted from whatever host?

There’s still a lot of tooling missing for users, so they can properly fell that they’re owning their data.


You dont technically need the host, jsut the host name … so you can modify your hosts file so that (for instance) is … but if you dont know the files you’re (potentially) sol

Sérgio (Envelop)

The “Deploy to netlify” button is a good idea, we have build instructions for web and android, but a deploy button is better.
A proper user explorer for Blockstack would be a nice thing to have. Showing which apps you’re publicly using, where are your files hosted, offer a way to browser them, etc…


Domains aren’t decentralised, they’re owned by someone
If a developer keeps the domain but just decides to go away and take the app down … or its subject to a commercial/government take down, you’re out of luck if you cant take back your data

Collections mitigate this to a large some extent, but there’s tons of user data right now that is unprotected

Sérgio (Envelop)

Right, I should just be able to head to a website and:

  • see all my data across all hosts I’ve used
  • see which files are encrypted or not
  • mess with it freely (add, change, delete, backup, migrate to a diff host)
  • migrate to a different hub
    Right now we can say to :envelop: that they own their data, but it’s not like we can easily show them that.
    We need to create bounties so we can invest on making these tools for the community.


@dant These are some good points that I think will be key to the ecosystem: open source code with the ability to deploy or at least replicate options/services to help with sustainability, and following general practices that focus on user identity and user privacy. These are the things that “should” have existed on the web before, and I think the key word to it all is transparency.


I’m excited about the possibilities that new web standards like webpackage will offer for running apps on your own, without depending on an Internet connected host. Enabling BNS and signing these webpackages might be a first step, but ideally a one-click build-your-own webpackage would be feasible.

From a user standpoint the identity and data ownership are key … i mean hope thats why we’re all here … but from a distribution perspective it needs to be easily discoverable and enable some degree of trust minimization

Regarding Governance


I have questions too on governance.

  1. Is there a higher up for Stacks Foundation?
  2. Who will be setting milestones and collecting metrics?
  3. How do the governance plan to scale across the globe?
  4. Is there anyone from the foundation is responsible in talking to STX investors?


There are definitely upsides and downsides to both centralized and decentralized governance! The goal of this initiative is to move towards more decentralization, but it won’t happen overnight and we shouldn’t give up all of the benefits of having an entity like PBC that can be agile, make decisions, and execute on them efficiently. Maybe the right way to look at it is that it’s not black-or-white, all-or-nothing, one or the other. Governance should be “multipolar,” with multiple centralized organizations each acting independently, each having some power/voice, some checks and balances. But there is no single actor that has all of the authority.

Regarding the Timeline

Thanks Brittany!

Here’s the timeline we presented in the call on Friday:
Week 1: Foundation announcement & working group [Feb 7] :white_check_mark:
Week 2: Governance community call & onboard researcher [Feb 13] :white_check_mark:
Week 3/4: Community survey, focus groups, and research :arrow_left: this week
Week 5: Draft 1 Governance proposal
Week 6/7: Community feedback, working groups, and research
Week 8: Draft 2 Governance proposal
Week 9: Draft Foundation charter proposal
Week 10: Community feedback, discussion, and foundation setup
(TBD) Week 11-15: Formation of foundation

Popular top 10 app list

My thought: how can we ensure that users are really afforded the rights talked about above with the applications listed below?


I am not sure if there are any new dApps. But, here is my recommendations.

  1. Xordrive ( @mmajeed )
  2. Mumble ( @David Yap )
  3. Blocksurvey ( @Wilson Bright )
  4. WebStudio ( @JW )
  5. Land Ho! ( @dant )
  6. Gekri ( @KevinNTH )
  7. NoteRiot ( @dant )
  8. Runkod ( @talha )
  9. DMail ( @Dmails )
  10. Sigle ( @leopradel )

Discourse Forum Topics

Note: should we add the governance tag to these past discussions, or just move forward?

Brittany (Blocks8)
Stacks Foundation: Developing Governance for Blockstack

Blockstack PBC was founded on the principles of decentralization and we firmly believe it is the only way to fully succeed in building a user-owned internet. Two years ago we laid out a concrete path to decentralization, and we are actively working with the community to carry out that plan.

And from the related path to decentralization blog post:

Decentralization is not a binary step. It is a journey that needs to be carefully planned and executed. The announcements we’re making today are just the initial steps. It will take years to build a healthy ecosystem where no single party has too much control of the network, where users are not dependent on any single entity for software development, and where no entity can be considered an issuer of the tokens used on the network.

MiM (community user)
Questions related to governance & design of Blockstack ecosystem

  • this one had a ton of content going back and forth already, and is worth a read on its own without me quoting too much here.

Youtube Videos and Playlists

Playlist from dant

I’ve put together a quick “Blockchain Governance” youtube playlist. Most of the videos are under 15 mins. They start from “what is blockchain governance”, cover some issues in blockchain governance, and finally review some of the models that different blockchains have taken.

blockchain governance

Playlists from Harini Rajan

Few more always helpful educational resources from Blockstack :-

Blockstack Academy playlist

Jude on Stacks Blockchain

Aaron on user-owned data

Larry on Blockstack Identity & Authentication

Fireside Chat with Balaji Srinivasan (Nakamoto) & Patrick Stanley (Blockstack)

00:56 Why he started Nakamoto
02:55 Proof of HODL and why it’s important
07:10 Crypto Twitter and building better community
12:08 Tech companies and religion
15:13 Curation and collaboration in decentralized and centralized communities
20:48 What is useful work for a community
25:59 Wealth creation in crypto
32:44 Why Balaji doesn’t think Internet is all good anymore
35:15 Conditional probability and Corona Virus
38:52 How to mitigate Internet downsides

Privacy and User-Focused Resources

Throughout the conversations we all touched on a few tools out there to help protect people on today’s Internet.

If we look at what these tools are fighting against, we can be reminded of why this fight is such a big deal.

User Tracking and Ethical Responsibility

This is a tough subject. Analytics give us insight to how our app is performing, but collecting data from users without consent doesn’t fit within CBE. Keeping the ideals and messages in this post in mind, how can we evaluate the use of tools such as:

And some new ones I noticed in the Blockstack Browser.


IMO, PrivacyTools got it right!

No Ads, No Google Analytics, No Affiliates, No Cross-Site Requests. PrivacyTools is a socially motivated website that provides information for protecting your data security and privacy. Never trust any company with your privacy, always encrypt.

If we do nothing it will only get worse.

If we succeed, we can change the world!


This is a great resource! Thank you for sharing! Bookmarking now.

Just to flag, some of the video links under “Timestamped version of Firechat with Balaji from Peter T” are not working on YouTube.

Wow that’s a great compilation. Really appreciate it @whoabuddy!

1 Like

Thank you, the video links are fixed, timestamps updated, and I added the timestamp itself to the link text for clarity.