Essentially, the creation of collectible art NFTs on blockchain was a dirty hack that became super popular before anyone realised how much of a bad idea it was, architecturally. It was literally a hackathon project that got way out of hand.
An early protocol extension to the Bitcoin network called Counterparty provided one of the first ways to create your own custom cryptocurrency token. You could (and still can) generate billions of your new coin, or just one, and you can lock it up or leave it open so you can create more later. If you create just one and lock supply then you have essentially created an NFT.
All good nerdy fun.
The issue with this, around 2015, was that blank blockchain tokens weren't actually all that interesting. They had a name, and that's about it. To really pop, they needed to have a logo!
Except for one thing.
The Bitcoin blockchain has no concept of images, or any other kind of media. It only recognises its own limited set of Op Codes, and struggles to get its own transaction data into blocks, let alone arbitrary amounts of media data. That wasn't going to fly.
So Counterparty tokens essentially hyperlinked to a file that hyperlinked to a logo image, with both the file and the image sitting on an ordinary webserver somewhere (rather than clogging up the Bitcoin blockchain).
For a logo this was probably appropriate. These logos were not especially valuable, and the whole point was that the tokens were the potentially valuable thing, if they could find their own way of being interesting.
Trading Cards and Digital Art
Then people started linking other sorts of images to these tokens. Initially, trading card images (including the infamous Rare Pepe collection), and then eventually more recognisable digital art images.
Now people were interested in tokens for the image to which it was linked, but missed the fact that the images themselves were not in any way secure. People thought that because these things were on a magic security blockchain that every security problem had been solved. This was very far from the case.
What could possibly go wrong?
Not having a security layer around the media introduces several difficulties.
Firstly, and quite fundamentally, there are questions around what you actually own when you buy a blockchain NFT. You, as a buyer, probably don’t have access to that webserver. But, someone does. Whether this is a team of administrators, or an army of hackers; you, as the buyer of an NFT, will have no idea who has access to it. Anyone who does have access to the webserver will be able to do anything they like to your file. They only need to be able to change one pixel in your image and it isn’t the image that you paid for. Your ability to assert that you in some way “own” the image is, at best, highly questionable.
The second terrible possiblity is that your image gets completely hijacked. Your delighful NFT artwork could be replaced by something completely different, with the same filename. On an compromised webserver there are no restictions on what your image might become, except for the limits of the perverted imaginations of internet trolls. Best to try not to think about it.
A third disaster awaits where some technical problem, or malicious hack, causes the domain to go down, the folder path to change, the file to be renamed or the file to be deleted. Any of these events will cause a 404 error: Resource Not Found. Poof. Suddenly your prized NFT artwork just isn’t there anymore. The amount of money that you paid for it, unfortunately, has zero impact on how likely it is to remain in place.
A Question of Trust
To be able to assert that a person “owns” a digital file, the owner of the file needs to be able to trust that they are buying something that is fixed, and cannot change. That means that the media has to be protected as much as the token that attaches ownership. This is a fundamental distinction between NFTs and Vaulted Objects, as Vaulted Objects are built to ensure that the media that gets vaulted is contained within the token and cannot be destroyed or altered.