Crypto was originally most closely associated with anonymity, but in 2025, the crypto ecosystem has changed.
User privacy is diminishing, as new laws in different jurisdictions across the globe require Know Your Customer and ID checks for wallets or exchange accounts to combat money laundering. The increasing sophistication of blockchain analysis tools means that every transaction has a transparent trail that can be traced back to its source.
As a result, onchain privacy has become a major theme. In October, the Ethereum Foundation announced the formation of its โPrivacy Cluster,โ a group of some 47 researchers, engineers and cryptographers who are working to make the base layer of Ethereum private.
This takes the form of Kohaku, a modular framework for the network that allows senders and receivers to hide their real wallet address, among other functions. It claims to be compliant, but Signal, from ZK privacy solution Onflow, argued that โfrom a legality perspective, in ~0% of the large jurisdictions would view keys be considered compliance.โ
It turns out crypto platforms face a seemingly impossible task in complying with opaque rules designed for centralized entities to protect the data privacy of individuals, while still being compliant with financial rules around transparency.
To better understand these complexities, Magazine spoke with Charlyn Ho, CEO of Rikka โ a law and consulting firm specializing in privacy, technology transactions and cybersecurity.
This conversation has been edited for clarity and length.
Magazine: Whatโs even legal when it comes to private crypto transactions?
Ho: Itโs a little bit complicated because every single jurisdiction has its own privacy laws. So, for example, letโs just take Europe.
Europe has the GDPR [General Data Protection Regulation]. But in recent times, itโs promulgated all these other laws that are kind of layered on top or adjacent to GDPR. For example, itโs got MiCA [Markets in Crypto-Assets Regulation], which is the crypto law, and that intersects.
Magazine: So, how do privacy laws relate to Ethereum and blockchain in general?
Well, it kind of depends because a lot of times these [privacy] laws have exceptions.
For Anti-Money Laundering and Know Your Customer, there are exceptions where people canโt keep their data private necessarily. If itโs being used to commit crimes, you canโt say, โBecause of my privacy, Iโm not going to disclose my information to the regulator.โ
Thatโs where some of the complexities are, like with Tornado Cash or Telegram. In some of these cases, private mechanisms or privacy-preserving protocols have kind of butted up against the regulatorโs ability to regulate.
Magazine: How are legal opinions and legal treatment of tools like privacy pools and zero-knowledge proofs developing?
Ho: The public discourse in the US is basically, โIf youโre going to be developing crypto products, then they better follow the laws. Weโre not going to write specific laws that change the underlying privacy laws just for crypto.โ
And so, we have the laws we have, and they do not have crypto in mind.
A few years ago, the European Commission had a study about blockchain. And there was some genesis or movement towards embracing self-sovereign identity as a privacy-preserving mechanism. But the ultimate conclusion of the regulator was that no matter if your intent is to preserve privacy, that doesnโt obviate your requirement to comply with GDPR, for example.
Read also
So, if using a public permissionless blockchain is not going to allow you to satisfy GDPR, then you canโt really build on that platform. Thereโs not a very satisfactory response.
From a regulatorโs perspective, I can understand why they would not give an exemption to a particular type of technology. The laws are just the laws.
Magazine: What laws do developers need to take into consideration when developing privacy tools?
Ho: This is an unsettled area of law. Whatโs interesting about crypto is that, because thereโs no central body, itโs kind of like the developers are the ones that are being held liable for their usersโ actions.
Letโs just take Facebook as an example. Facebook as a company can be sued like privacy violations because there is a Facebook to sue. You donโt go after the third-party developers that Facebook has hired.
Whereas in the case of Ethereum, you canโt just sue Vitalik [Buterin] โ thereโs no central entity. So, the individual developers are kind of being held responsible for their usersโ actions, which is an unusual outcome in privacy law.
Under GDPR, for example, thereโs this concept called a controller and a processor. The controller is the entity or person that decides how the personal data is to be used. And the processor is essentially somebody that acts on behalf of that controller.
For example, Google would provide software, like G-Suite, to a company, letโs say itโs Cointelegraph. Cointelegraph decides how theyโre going to use that information, and Google is just providing a tool. So, the developer is not responsible for how Cointelegraph uses it. But when you take it into the decentralized world, it doesnโt really make sense anymore.
Recent enforcement actions, like Telegram, where the CEO is being held liable for people doing illicit things on their platform, I think thatโs a very scary thing for a developer. They should be wary that their liability may be more enhanced as opposed to a non-decentralized platform.
Also, with Anti-Money Laundering laws, there is definitely a tension. FinCEN was trying to come out with some rulemaking on convertible virtual currency mixers, but I donโt think it actually was finalized.
At least in the US, itโs not 100% clear where privacy laws end and Anti-Money Laundering laws begin. Because whether or not crypto mixers are legal, it depends on how theyโre actually being used.
The White Houseโs report on cryptocurrency highlighted this tension, too. It comes up with all things relating to privacy, like the ability to self-custody. So, if youโre self-custodying and youโre not reporting data to the government, there is a potential that youโre committing crimes โ or at least the government doesnโt know. And so, there again, there is some tension between those inherent rights that are relating to your privacy versus the governmentโs regulatory authority.
I donโt think the line is clear yet.
Magazine: Do developers work together with legal experts when working on these tools?
Ho: Some developers that have money will hire legal experts, but a lot have just kind of moved on and just taken the risk. I will say that this is a personal opinion, but as a legal person in this field for a while, I will say privacy has been low on the totem pole of peopleโs concerns.
Most crypto developers that Iโve worked with are much more concerned about securities laws and making sure that theyโre not in violation of that. Privacy has only recently become more important in my observation.
Magazine: What do institutions need to be able to adopt these privacy solutions?
Ho: Initially, crypto and blockchain companies just needed to get off the ground. Getting over that hump, just raising the funds to operate, was first and foremost.
Now, platforms have matured, so theyโre essentially operating just the same as centralized products and services. So, theyโre now kind of coming around to realize they need compliance with privacy laws and compliance measures. I think a lot of it was kind of like the Wild West, where a lot of companies just kind of skipped over all of that, and they were just rushing so fast, and it was a bit of a mess, to be honest.
Institutions need to make sure that they know what privacy laws theyโre subject to. Letโs just take the CCPA [California Consumer Privacy Act] as an example. The CCPA doesnโt apply to everybody. It only applies to an entity that is qualifying as a business and has a three-part test. If youโre not subject to CCPA, then you donโt need to worry about it. But there may be other laws youโre subject to. So, thatโs number one is just knowing what privacy laws apply.
Number two, letโs just say you do recognize or you conclude with a lawyer that CCPA does apply. Well, if it does apply, then your obligation is to allow consumers to satisfy their data subject rights. So, that includes the right to delete. If the privacy-preserving solution has personal data in it, are you going to be able to delete it if somebody requests? Well, blockchain is immutable. Maybe not. Then youโre going to be in violation of the law. That is very obviously not in compliance.
The argument from blockchain developers has been, โWeโre not storing any personal data. Itโs just a public key. Thatโs not personal data.โ Well, as I said, that is a kind of a common rebuttal from a non-privacy lawyer. But thatโs not going to fly with a regulator. So, if you canโt design your solution, whether itโs intended to preserve privacy or not, to actually fulfill these rights, then youโre not in compliance.
Subscribe
The most engaging reads in blockchain. Delivered once a
week.
Aaron Wood
Aaron Wood is a senior writer in the Features team at Cointelegraph, covering stories about crypto and policy, regulation, politics and energy usage. Aaron holds degrees in Political Science and Economics. Previous to working at Cointelegraph, Aaron worked on election campaigns for the Democratic Farm-Labor Party in Minnesota and was a managing and technical editor at the ENERPO newsletter and academic journal at the European University in St Petersburg. Aaron holds Bitcoin and Ethereum above Cointelegraphโs disclosure threshold of $1,000.
