Crypto was originally most closely associated with anonymity, but in 2025, the crypto ecosystem has changed.
User privacy is diminishing, as new laws in different jurisdictions across the globe require Know Your Customer and ID checks for wallets or exchange accounts to combat money laundering. The increasing sophistication of blockchain analysis tools means that every transaction has a transparent trail that can be traced back to its source.
As a result, onchain privacy has become a major theme. In October, the Ethereum Foundation announced the formation of its “Privacy Cluster,” a group of some 47 researchers, engineers and cryptographers who are working to make the base layer of Ethereum private.
This takes the form of Kohaku, a modular framework for the network that allows senders and receivers to hide their real wallet address, among other functions. It claims to be compliant, but Signal, from ZK privacy solution Onflow, argued that “from a legality perspective, in ~0% of the large jurisdictions would view keys be considered compliance.”
It turns out crypto platforms face a seemingly impossible task in complying with opaque rules designed for centralized entities to protect the data privacy of individuals, while still being compliant with financial rules around transparency.
To better understand these complexities, Magazine spoke with Charlyn Ho, CEO of Rikka — a law and consulting firm specializing in privacy, technology transactions and cybersecurity.
This conversation has been edited for clarity and length.
Magazine: What’s even legal when it comes to private crypto transactions?
Ho: It’s a little bit complicated because every single jurisdiction has its own privacy laws. So, for example, let’s just take Europe.
Europe has the GDPR [General Data Protection Regulation]. But in recent times, it’s promulgated all these other laws that are kind of layered on top or adjacent to GDPR. For example, it’s got MiCA [Markets in Crypto-Assets Regulation], which is the crypto law, and that intersects.
Magazine: So, how do privacy laws relate to Ethereum and blockchain in general?
Well, it kind of depends because a lot of times these [privacy] laws have exceptions.
For Anti-Money Laundering and Know Your Customer, there are exceptions where people can’t keep their data private necessarily. If it’s being used to commit crimes, you can’t say, “Because of my privacy, I’m not going to disclose my information to the regulator.”
That’s where some of the complexities are, like with Tornado Cash or Telegram. In some of these cases, private mechanisms or privacy-preserving protocols have kind of butted up against the regulator’s ability to regulate.
Magazine: How are legal opinions and legal treatment of tools like privacy pools and zero-knowledge proofs developing?
Ho: The public discourse in the US is basically, “If you’re going to be developing crypto products, then they better follow the laws. We’re not going to write specific laws that change the underlying privacy laws just for crypto.”
And so, we have the laws we have, and they do not have crypto in mind.
A few years ago, the European Commission had a study about blockchain. And there was some genesis or movement towards embracing self-sovereign identity as a privacy-preserving mechanism. But the ultimate conclusion of the regulator was that no matter if your intent is to preserve privacy, that doesn’t obviate your requirement to comply with GDPR, for example.
Read also
Features
How to bake your own DAO at home — With just 5 ingredients!
Features
Extinct or Extant: Can Blockchain Preserve the Heritage of Endangered Populations?
So, if using a public permissionless blockchain is not going to allow you to satisfy GDPR, then you can’t really build on that platform. There’s not a very satisfactory response.
From a regulator’s perspective, I can understand why they would not give an exemption to a particular type of technology. The laws are just the laws.
Magazine: What laws do developers need to take into consideration when developing privacy tools?
Ho: This is an unsettled area of law. What’s interesting about crypto is that, because there’s no central body, it’s kind of like the developers are the ones that are being held liable for their users’ actions.
Let’s just take Facebook as an example. Facebook as a company can be sued like privacy violations because there is a Facebook to sue. You don’t go after the third-party developers that Facebook has hired.
Whereas in the case of Ethereum, you can’t just sue Vitalik [Buterin] — there’s no central entity. So, the individual developers are kind of being held responsible for their users’ actions, which is an unusual outcome in privacy law.
Under GDPR, for example, there’s this concept called a controller and a processor. The controller is the entity or person that decides how the personal data is to be used. And the processor is essentially somebody that acts on behalf of that controller.
For example, Google would provide software, like G-Suite, to a company, let’s say it’s Cointelegraph. Cointelegraph decides how they’re going to use that information, and Google is just providing a tool. So, the developer is not responsible for how Cointelegraph uses it. But when you take it into the decentralized world, it doesn’t really make sense anymore.
Recent enforcement actions, like Telegram, where the CEO is being held liable for people doing illicit things on their platform, I think that’s a very scary thing for a developer. They should be wary that their liability may be more enhanced as opposed to a non-decentralized platform.
Also, with Anti-Money Laundering laws, there is definitely a tension. FinCEN was trying to come out with some rulemaking on convertible virtual currency mixers, but I don’t think it actually was finalized.
At least in the US, it’s not 100% clear where privacy laws end and Anti-Money Laundering laws begin. Because whether or not crypto mixers are legal, it depends on how they’re actually being used.
The White House’s report on cryptocurrency highlighted this tension, too. It comes up with all things relating to privacy, like the ability to self-custody. So, if you’re self-custodying and you’re not reporting data to the government, there is a potential that you’re committing crimes — or at least the government doesn’t know. And so, there again, there is some tension between those inherent rights that are relating to your privacy versus the government’s regulatory authority.
I don’t think the line is clear yet.
Magazine: Do developers work together with legal experts when working on these tools?
Ho: Some developers that have money will hire legal experts, but a lot have just kind of moved on and just taken the risk. I will say that this is a personal opinion, but as a legal person in this field for a while, I will say privacy has been low on the totem pole of people’s concerns.
Most crypto developers that I’ve worked with are much more concerned about securities laws and making sure that they’re not in violation of that. Privacy has only recently become more important in my observation.
Magazine: What do institutions need to be able to adopt these privacy solutions?
Ho: Initially, crypto and blockchain companies just needed to get off the ground. Getting over that hump, just raising the funds to operate, was first and foremost.
Now, platforms have matured, so they’re essentially operating just the same as centralized products and services. So, they’re now kind of coming around to realize they need compliance with privacy laws and compliance measures. I think a lot of it was kind of like the Wild West, where a lot of companies just kind of skipped over all of that, and they were just rushing so fast, and it was a bit of a mess, to be honest.
Institutions need to make sure that they know what privacy laws they’re subject to. Let’s just take the CCPA [California Consumer Privacy Act] as an example. The CCPA doesn’t apply to everybody. It only applies to an entity that is qualifying as a business and has a three-part test. If you’re not subject to CCPA, then you don’t need to worry about it. But there may be other laws you’re subject to. So, that’s number one is just knowing what privacy laws apply.
Number two, let’s just say you do recognize or you conclude with a lawyer that CCPA does apply. Well, if it does apply, then your obligation is to allow consumers to satisfy their data subject rights. So, that includes the right to delete. If the privacy-preserving solution has personal data in it, are you going to be able to delete it if somebody requests? Well, blockchain is immutable. Maybe not. Then you’re going to be in violation of the law. That is very obviously not in compliance.
The argument from blockchain developers has been, “We’re not storing any personal data. It’s just a public key. That’s not personal data.” Well, as I said, that is a kind of a common rebuttal from a non-privacy lawyer. But that’s not going to fly with a regulator. So, if you can’t design your solution, whether it’s intended to preserve privacy or not, to actually fulfill these rights, then you’re not in compliance.
Subscribe
The most engaging reads in blockchain. Delivered once a
week.
Aaron Wood
Aaron Wood is a senior writer in the Features team at Cointelegraph, covering stories about crypto and policy, regulation, politics and energy usage. Aaron holds degrees in Political Science and Economics. Previous to working at Cointelegraph, Aaron worked on election campaigns for the Democratic Farm-Labor Party in Minnesota and was a managing and technical editor at the ENERPO newsletter and academic journal at the European University in St Petersburg. Aaron holds Bitcoin and Ethereum above Cointelegraph’s disclosure threshold of $1,000.