DISCLAIMER: The original article has been produced for Efiko DLT, as part of my internship with them. You can find it at efikodlt.substack.com. Kudos to Elliot Garreffa, Marjin Van Der Laan and Marco Marinelli for their pivotal help in reviewing the entire article.
Since the early 90s, we have witnessed the Internet fail at protecting people's privacy, exposing us to mass surveillance and recurrent data breaches. That is understandable, considering that the Internet infrastructure was not designed with privacy principles in mind.
Even applications and protocols developed to encrypt data (like Signal or TLS) cannot effectively hide metadata from network listeners. The revelations about the NSA's massive surveillance program by Edward Snowden are a prime example of how metadata is visible and can be misused.
Metadata can be used to identify users, track their online activity, and reveal private and personal information. In addition, AI algorithms can be used on metadata to predict individuals' preferences, associations, and other aspects of their personal lives.
This context has inspired the cyberpunk counter-revolution, from which the current blockchain ecosystem took its philosophical foundation, placing anonymity at the center of the first concrete application: Bitcoin.
However, blockchains, including Bitcoin and "Layer-2" solutions like the Lightning Network, were initially conceived with an "original sin": the lack of privacy at the network level.
This unsolved vulnerability allows private companies like Chainalysis to monitor the data available on blockchains and the metadata of the peer-to-peer traffic. Therefore, it is possible and easy to discover the network addresses that broadcast transactions, identify users, and make inferences about private transactions, even in systems with on-chain protections such as Zcash or Monero.
It is time to give privacy the primary stage it deserves, putting these values at the center of future web3 development to build a sustainable environment that respects fundamental human rights and avoids surveillance dystopias.
The Universal Privacy Alliance aims to “advance the understanding of privacy as the basis of free and flourishing digital societies”, bringing together actors like Secret Network, Nym, Oasis Foundation, Status, Aztec, and Orchid, among others.
The Leading Privacy Alliance is an effort where Dusk, Hopr, Block Wallet, and other players join forces to find solutions and protect web3 users from data exploitations. They have also launched a DAO where more projects can convene around the shared desire of making web3 a better place by enhancing privacy.
Even individual initiatives are taking off, such as the web3privacy research project led by Mykola Siusko on GitHub, from which I have taken inspiration in drafting the present article.
In the current web3 state-of-the-art, the following tools can be outlined:
Privacy-focused blockchains which implement features like confidential transactions, shielded addresses, and more
Smart contracts’ secure designs that entail cryptographic techniques to conceal sensitive information: zero-knowledge proofs (e.g. ZK-SNARKS), ring signatures, etc.
Specific Tools that leverage the aforementioned tools
In the following sections, I will delve deeper into the various areas where these efforts are being pursued:
Layer-1s and Layer-2s
Financial (cryptocurrencies, wallets, DeFi)
Digital Identity
Data Storage and Messaging
Tools and Analytics
NFTs and DAOs
Finally, I will end with some examples of projects which enable on-chain anonymity followed by our reflections.
Many layer-1 blockchains are building the technology that could make web3 privacy a reality:
Concordium: a science-backed blockchain designed around an ID layer that balances privacy with accountability
Oasis Foundation: a layer-1 platform for open finance and a responsible data economy
Secret Network: a blockchain that enables customizable privacy
Nym: infrastructure that protects packet’s metadata at the network and application layers
Horizen: a Zero-Knowledge network of blockchains
XX Network: a quantum-resistant blockchain ecosystem
Other projects aim to bring privacy to popular blockchains, such as Ethereum and EVM-compatible layer-2 solutions like Obscuro or Zecrey , but also Light Protocol (Solana) or Calamari Network (Polkadot – Kusama).
The blockchain privacy space is not going unnoticed by investors. We are witnessing multi-million-dollar rounds for projects like Aztec ($100M), Secret Network ($400M), Nym ($300M), Starkware ($273M), Oasis Foundation ($160M) and so on.
Besides the infrastructural stack, privacy-preserving solutions are popping up across all the main web3 application areas. The most significant ones are:
Financial data is one of the most desirable targets for both surveillance proponents, such as authoritarian governments, and malicious actors. A clear picture of an individual’s financial movement can be depicted as the Holy Grail for mass surveillance programs. Additionally, connecting the dots on someone's economic activity can pave the way for fraud, blackmail, and other personal attacks.
These reasons have led many blockchain projects to provide an array of solutions that balance legit transparency and personal privacy.
Monero is the most well-known example in this field: by leveraging technology to obfuscate transactions, the renowned privacy coin promises to deliver absolute anonymity. However, the currency’s success is controversial: on the one hand, many users praise the developers who make such a level of protection possible, while on the other hand, regulators and some public figures criticize the anonymity approach that allows criminals to carry out international financial operations and money laundering.
The difference between anonymity and regulatory compliance can be a thin line, with several players operating in this area like Dero, Pirate Chain, Epic Cash, DeepOnion, PivX, Iron Fish, and many more.
A more sustainable approach is taken by Zcash, which uses ZK-SNARKs to remain compliant while maintaining maximum user privacy.
The recent controversial update to ConsenSys' privacy policy has raised concern: the most used non-custodial wallet, MetaMask, can collect users’ IP addresses when transacting.
Today, numerous alternatives guarantee users’ full control over personal data: Frame is an excellent example for eth wallets, but also Lunar (the only wallet based on a built-in integration of TOR). Multi-sig wallets like Nucleo, DeFi wallets like Edge or Railway, and Starshell on Cosmos ecosystem are other examples. We can’t forget to mention the bitcoin wallets: Wasabi for instance, cold wallets like the Foundation’s Passport, and even DIY solutions like Seed Signer and open-source firmware (Krux) for more tech-savvy users.
Some of the most influential and promising privacy-preserving dApps and protocols are:
Dusk Network: an open-source and secure DLT that businesses use to tokenize financial instruments
Panther Protocol: a metaprotocol that enables confidential, trusted transactions and interoperability
Shade: a suite of privacy-preserving DeFi applications built on Secret Network
Penumbra: a shielded, cross-chain network that allows anyone to securely transact, stake, swap, or market-make crypto assets
Silent Protocol: it enables compliant full-stack privacy smart contracts and dApps at scale
Other privacy-focused solutions in the DeFi space include bridges like Aztec or ChainPort, and even validators services (see ZKValidator).
There are also companies building privacy-preserving smart contracts and dApps, such as Findora, Nulink, Dero, and Aleo.
Thanks to cryptography and other technology advancements, concrete digital identity applications are finally emerging. However, the construction of such applications demands careful attention to privacy and the handling of sensitive data.
Not by chance, the leading web3 players in the identity space are paying obsessive attention to users’ privacy protection: many of them believe that a fundamental technology could be Zero Knowledge proofs.
In this cryptographic method, A (the prover) can prove to B (the verifier) the truth of a given statement without revealing any information apart from the statement being true.
Polygon ID is a fierce advocate of this method, as are* Findora CR*, Holonym, zCloak, Verus ID, Notebook labs, and more.
Other projects aim to maintain anonymity by implementing biometrics, like Anonybit. Meanwhile, Shyft sticks to the strictest legal compliance to simultaneously deliver blockchain identity data and user privacy. Also, Cheqd enables individuals and organizations to fully control their personal data, creating an infrastructure level for decentralized identity. Others focus on specific services, like Sismo (a ZK badge provider) or Litentry (a decentralized identity aggregator).
This space is rapidly evolving and is the subject of ongoing international debate, as evidenced by the recent recommendation of the W3C (World Wide Web Council), one of the most important standard-setting bodies for the whole internet infrastructure.
In the modern world, cloud service providers, data silos, arbitrary data retention policies, data breaches, and leaks are all around us.
Because of that, the Skiff suite is soaring as an encrypted and secure alternative to Google Drive; the Sia foundation has created a trustless cloud storage marketplace; and other decentralized data storage platforms (Storj, Swarm, Crust) follow the “privacy-first” narrative in order to compete with the sector leaders Filecoin and Arweave.
Prior to being stored, data is also transmitted. In the communication industry, security and privacy have always been crucial. Even WhatsApp has implemented end-to-end encryption, but more is needed.
In web3 communications, Session minimizes sensitive metadata; Status raised $100M to build a secure messaging app; XMPT partnered with Lens Protocol; Verida is developing a multi-chain protocol; Zion is building on Bitcoin Lightning Network; Telios encrypts metadata; Waku provides tech foundations. The industry is dynamic and constantly changing, with many avenues to explore.
It may look like a paradox, but analytics and similar tools can still respect user privacy, even while tracing on-chain actions.
Oasiis Insights put into practice such a philosophy, being the first user-centric cookie wallet that creates actionable insights for commerce. It allows users to see how organizations are using their personal data and enable them to control whether or not those organizations can access it. Mask Network, instead, brings privacy and benefits from Web3 to social media like Facebook & Twitter with an open-source browser extension.
Many other interesting tools are being developed, and platforms such as Mysterium, Automata, or Arcana are some to consider.
Activeness in decentralized organizations (e.g. voting in DAOs), digital art collections, or NFT certificates can tell much about a person’s identity. Since blockchain data is public, one may wish to keep this information private.
Semaphore allows users to prove their membership of a group and send messages such as votes or endorsements without revealing their original identity, thanks to ZK proofs.
Stashh is the first NFT marketplace with privacy by default; Geniish is a protocol for confidential NFTs; LegenDAO is a play-to-mint NFT platform powered by Secret Network.
Automata also works well in these areas with cutting-edge products likeNFTFair and AnyDAO.
At the extreme side of the transparency-privacy spectrum, we find projects and services that pursue complete anonymity without any compliance compromise. We can classify them into two macro-families: Mixers and VPNs.
Coin mixers, or crypto mixers, are services that blend coins from multiple users together to obscure the funds’ origins. Since the Tornado Cash shutdown, coin mixers have gotten much media attention. Other services still running are Unijoin, Void Protocol, Coinomize, MiX BTC, 0xTIP.
VPNs (Virtual Private Networks) establish a secure network connection by providing encrypted servers and hiding IP addresses, making it difficult for third parties to track users’ activity. VPNs also enables a censorship-resistant and location-independent internet access.
Some of the best decentralized VPNs include Sentinel, Boring Protocol, Orchid, KelVPN, and Lokinet.
Anonymity offers the most extreme interpretation of user privacy and has long played a critical role in countering mass surveillance. Still, it’s a common and widely shared value throughout the cyberpunk philosophy from which we can derive today’s Web3 community.
On the other hand, anonymity is often associated with illegal activities. This is the narrative followed by the SEC when it ordered on August 8th the shutdown of the famous crypto mixer Tornado Cash, drawing a debated legal precedent and paving the way for a moot state interventionism.
Finding the ideal balance in this situation is challenging. Thus, I adhere to Aristotle's dictum: “Virtus in Media Stat”.
Blockchain technology promises to revolutionize privacy through its decentralized and distributed nature, enabling individuals to retain control over their data and determine who can access it. However, while blockchain's inherent transparency and immutability enhance its security, it simultaneously presents formidable challenges for users’ privacy.
The strategies employed may vary depending on the circumstances. Governments, companies, and users hold differing perspectives on privacy, having different needs and preferences. Privacy and transparency are often seen as two competing interests, with more privacy usually coming at the expense of transparency and vice versa. However, balancing these two interests is possible by adopting strategies to increase transparency while respecting privacy.
Many companies, associations, individuals, protocols, and services across all the web3 areas are building and developing solutions to the privacy conundrum. I have counted roughly 400 ongoing projects.
However, builders in this space are currently grappling with regulatory challenges that could lead to prosecution, censorship, and sanctions because of their work or on-chain activity. The recent case of Tornado Cash is a prime example of the harsh consequences that can result from law enforcement actions.
While the Tornado Cash case has demonstrated that Zero Knowledge proofs are not a panacea for all the privacy-related issues, 2023 is expected to be a major turning point for Zero Knowledge technology, with significant advancements in development, adoption, and testing. However, it is worth noting that other promising technologies such as Fully Homomorphic Encryption (FHE) and Multi-Party Computation (MPC) are also being explored, with new ones likely to emerge in the coming weeks, months, and years.
It is crucial to remember that privacy-preserving tools are currently available. Individuals can utilize them immediately; the inclusive list of projects cited is an excellent starting point. Hence, there is no better moment to contemplate one's privacy and taking the necessary steps to secure it.
Let’s build, privately!