Regulate Web3 Apps, Not Protocols

Miles Jennings

Many early proponents of the internet advocated for it to remain free and open in perpetuity, a borderless and regulation-free tool for all of humanity. That vision lost some clarity over the past two decades as governments cracked down on misuse. And yet, despite this, much of the technology underlying the internet – communications protocols such as HTTP (data exchange for websites), SMTP (email), and FTP (file transfers) – remained as free and open as ever.

Governments around the world preserved the internet’s promise by accepting that the technology depends upon open-source, decentralized, autonomous, and standardized protocols. When the U.S. passed the Scientific and Advanced Technology Act of 1992, it paved the way for a commercial internet boom without tampering with TCP/IP, the protocol for computer networking. When Congress passed the Telecommunications Act of 1996, it didn’t interfere with the way data traverses networks, yet still provided enough clarity to enable the U.S. to dominate the internet economy with now-giants such as Alphabet, Amazon, Apple, Facebook, and others. While no legislation is perfect, these guardrails allowed industry and innovation to grow, resulting in many of the internet services we enjoy today.

One of the major enabling factors: Instead of regulating protocols, governments sought to regulate the apps – applications like browsers, websites, and other user-facing software, commonly referred to as “clients” – through which users access the web. This same guideline, which still governs the web, should extend to web3, an evolution of the internet that will feature new apps or clients, such as webapps and wallets, and advanced decentralized protocols, including a settlement layer for value exchange, enabled by blockchains and smart contracts. The question is not whether there should or should not be web3 regulation. The answer to that is obvious: Rules are necessary, welcome, and warranted. The question is, rather, at which layer of the tech stack web3 regulation makes the most sense.

Today, a typical web user experience might involve connecting through a regulated internet service provider, then accessing information through regulated browsers, websites, and applications, many of which depend upon free and open protocols. Governments can shape this experience on the web by applying access restrictions to website content, or by requiring compliance with privacy rules and copyright takedown requests. This is how the U.S. can compel YouTube to take down a terrorist recruitment video, while leaving DASH (a video streaming protocol) alone.

There are a few reasons why protocol-level regulation is undesirable and, moreover, unworkable. First, it’s not technologically possible for protocols to comply with regulations, which often require indefinable, subjective determinations. Second, it’s impractical for protocols to incorporate global regulations, which vary – and may clash – by jurisdiction. And third, it’s unnecessary and counterproductive to rewrite the web’s technical underpinnings given that apps or clients can comply with regulations further up the tech stack.

Let’s review each reason in more detail.

Protocols cannot technically comply with subjective regulations

Regardless of how well-intentioned a regulation may be, if it requires subjective assessments, its application to protocols will be disastrous.

Consider spam. Hatred for spam email is nearly universal, but what would the web of today look like if authorities made it illegal for the email protocol (SMTP) to facilitate the sending of spam? The answer: not good. What constitutes junk email is inherently subjective and changes over time. Massive companies like Google spend fortunes trying to eliminate spam from their email apps or clients (e.g., Gmail) – and they still get it wrong. In addition, even if some authority mandated that SMTP filter spam by default, malicious actors could, because protocols are open source, simply reverse engineer the filter in order to circumvent it. As a result, prohibiting SMTP from facilitating the sending of spam would either be ineffective or the end of email as we know it.

In web3, we can analogize tokens to email in the context of a decentralized exchange protocol (DEX). If governments wish to prohibit the exchange of certain tokens they believe may be securities or derivatives using such a protocol, they need to be able to articulate technical specifications that objectively meet such classification. But such objective classification criteria are not possible. The determination of whether an asset is a security or derivative is subjective and requires an analysis of facts and laws. Even the U.S. Securities and Exchange Commission struggles with this.

Attempting to embed second-order, subjective analyses into base layer instruction sets is an exercise in futility. Just as with SMTP, there’s no way for a decentralized and autonomous protocol like a DEX to perform a subjective analysis without adding human intermediaries, thereby negating the protocol’s decentralization and autonomy. As a result, the application of such regulations to DEXs would effectively ban such protocols, thus outlawing a burgeoning category of tech innovation in its entirety and jeopardizing the viability of all of web3. 

Protocols cannot practically comply with global regulations

Even if it were technologically possible to build protocols capable of making complex and subjective decisions, doing so would be impractical on a global scale.

Imagine the morass of conflicts. SMTP enables us to send email to anyone in the world, but if the U.S. required SMTP to filter spam email, we can assume that foreign governments would require similar restrictions. Further, because what constitutes spam is subjective, we can also assume that governments’ requirements would differ. So, even if it were technologically possible to build protocols capable of making complex and subjective decisions, doing so is antithetical to the concept of establishing a standard that is practical on a global scale. It’s simply not possible for SMTP to incorporate the changing spam filter requirements of 195 countries, and even if the protocol could, it wouldn’t know what country users are in and how to prioritize competing determinations with any fairness. Adding subjectivity to protocols destroys one of the pillars that makes them useful: standardization.

Rules are context dependent. In web3, what’s permissible under securities and derivatives laws varies by country, and those laws change all the time. A DEX has no way of establishing a global standard for such laws and, like SMTP, has no way to curtail access based on geography. Ultimately, there’s no way for protocols to be successful if they are required to be built on top of the shifting sands of global regulation.

Avoid these problems by making apps or clients comply

By now it should be obvious why it’s critical to regulate apps instead of protocols. App-level regulation can accomplish the goals of governments without jeopardizing the underlying technology. We know this because the approach already works.

Early web protocols remain useful after more than 30 years because they continue to be open source, decentralized, autonomous, and standardized. But governments can restrict the information passing through these protocols by regulating apps. Or they can protect the free flow of information, as the U.S. did by approving Section 230 of the Communications Decency Act of 1996. Each country can determine its own approach and the businesses that operate browsers, websites, and applications in their respective jurisdictions are capable of tailoring products to comply with such decisions.

As the dichotomy between protocols and apps is the same in web3, the regulatory approach to web3 should stay the same. Web3 apps like wallets, webapps, and other applications enable users to deposit digital assets in liquidity pools of lending protocols, to buy NFTs through marketplace protocols, and to trade assets on DEXs. Those wallets, websites, and applications can be regulated in every jurisdiction where they seek to provide access, and it’s reasonable to require them to comply.

The first generation of the web gave us incredible tools in the form of networking, data exchange, email, and file transfer protocols, all of which made it possible to move information at the speed of the internet. Web3 makes it possible for the transfer of value to occur at that speed, with lending and asset exchange already being available as native functions of this new internet. This is an incredible public good that must be protected. As web3 expands from decentralized finance, or “DeFi,” to video games, social media, creator economies, and gig economies, regulation that creates a level playing field across these sectors will become even more critical. Weighing all the factors, the right approach becomes readily apparent.

Apps ought to be regulated, not protocols.


Editor: Robert Hackett, @rhhackett

