On-chain privacy, confidential data, and compliance in Web3

What does “compliant privacy” mean? Can privacy by itself be non-compliant? How can Web3 ensure that users’ rights are protected, and at the same time, proactively limit the amount of bad actors in the ecosystem?

First things first: by definition, privacy is not non-compliant. It’s generally recognized as a fundamental human right in many parts of the world, though the extent of this right and the protections afforded to it can differ greatly. It is a powerful tool that can be put to use by users and enterprises, however it is often taken advantage of by bad actors.

So, how do we fulfill the need for privacy yet keep the bad actors away?

The dilemma of effective regulations

Pro-privacy blockchain projects have long been debated in the crypto and crypto-adjacent industries. Regulators and central authorities (lawmakers, banks, regulators and academics) have been consistently ambivalent about projects which utilize cryptography to provide privacy-enhancing services, such as Zcash and Tornado Cash (the former which has recently been allowed to remain listed on Binance due to its proactive approach to compliance). The focal point of concern from the regulatory standpoint is that such services may allow malicious actors to hide their criminal activities from law enforcement.

For historical reasons, the current regulations to prevent money laundering are not great for consumers, the financial institutions and even the government that is supposed to enforce it. 

Julian Leitloff, CEO, Fractal ID

Importantly, neither regulators nor businesses are against privacy itself. Every industry actor realizes the necessity of individual and institutional data protection. It is true that privacy can be abused by bad actors to conceal illegal activity–as pointed out by the US DoJ, Tornado Cash could be used to launder over $1 billion USD in criminal proceeds. But it is also a human right which must be upheld. Punishing the common people for the actions of a poorly-behaving few is not the way forward, but of course we want to ensure that we can mitigate the occurrence of such activities — with that in mind, how do we solve this dilemma?

Why does compliance matter in crypto?

With Markets in Crypto-Assets Regulation (MiCA) going into effect and exchange-traded funds (ETFs) already trading in the USA, it has become apparent that the industry is maturing from the “wild west” stage.

The European Union is at advanced stages of finalising the new Markets in Crypto-Assets Regulation. In the United Arab Emirates, Dubai authorities are setting up the world’s first authority solely focussing on virtual assets [the Virtual Assets Regulatory Authority (VARA) has already been established]. 

In the UK, the Government intends to make cryptoassets a regulated financial instrument. In the United States there has been progress to advance legislation on digital assets, but timing of such legislation continues to be in question.

• “Global Crypto Regulation Report”, PwC, December 2023
  
  

PwC’s report “shows that many regulators across the globe have either enacted regulatory schemes for dealing in digital assets or are on the brink of doing so. And given the recent events in the sector, the speed of these developments is likely to intensify.”

On one hand, we have the General Data Protection Regulation (GDPR) – a data protection regulation in the European Union. This piece is the strongest privacy and security law in the world. On the other, there is the MiCA legislation, which calls for transaction traceability to ensure compliance.

The final regulatory landscape might sit somewhere in between these two, but we don’t know exactly what to expect and when to expect them. This is because lawmakers are renowned for their ability to be consistently years behind technological developments, exemplified by the recently adopted (but not yet in effect) MiCA legislation’s exclusion of decentralized finance (DeFi) and non-fungible tokens (NFTs), both of which have existed in the cryptoasset sphere for years.

Of the crucial elements for sustained success, achieving optimal solutions for privacy, compliance, and an outstanding user experience stands as paramount.

Paweł Kuskowski, CEO, Gatenox

As such, we should proactively look for ways to comply with possible future regulations across multiple jurisdictions. Of course, it is impossible to predict exactly what the rules will look like, but there are ways that we can prepare ourselves—even if it’s based on something as simple as our own common sense.

How do we achieve compliance with privacy-enhancing software?

Although privacy is considered one of the human rights, we’ll often see that privacy rights can be limited for national security reasons, law enforcement purposes, or public health emergencies.

In some authoritarian jurisdictions, the concept of individual privacy may also be restricted further, with governments having extensive surveillance capabilities over their citizens. 

The degree to which privacy is protected or violated varies significantly, but a jurisdiction where privacy is explicitly “illegal” or “non-compliant” simply doesn’t exist.

Blockchain technology has the capability to transcend the misleading notion of a binary choice between privacy and compliance. However, these benefits can only be realized if the developers of privacy tools do not fear being held liable for the illegal use of their tools.

Michael Kunz, LL.M. Legal Partner, Attorney at Law, MME

The only statistic that needs to be observed to prove that privacy can be used by bad actors is the countless times that mixers such as Tornado Cash have been used by hackers to launder stolen funds. Thus, the general idea behind compliant privacy-enabling technologies would be to employ fraud-protection mechanisms that prevent bad actors from making use of private operations, ideally without compromising the privacy of good or neutral actors. There are several ways of achieving this.

On the technical side, such a mechanism could be facilitated either by anonymity-revoking functions or by partially deanonymizing participants. In the first scenario, all private actions would be executed in a permissionless manner, however, if there is doubt to certain accounts, their actions could be revealed. The second option could work similarly to banking — parties can be verified by a know your customer (KYC) procedure upon setting up an account, without any subsequent need to provide identifying information to any parties. Additionally, this KYC process could ensure that parties using privacy-enhancing features are not from sanctioned jurisdictions and have not been involved in any criminal activities.

As an extra method of fraud-protection, the networks should be monitored by anti-money laundering (AML) and Know-Your-Transaction (KYT) software to detect any potential fraud, and there are many such services available in the crypto industry.

Aleph Zero’s AZERO is not a “privacy token”

It is no news that we at Aleph Zero take compliance—in particular, the social responsibility aspect of it—seriously. We’ve released multiple articles in the past outlining our approach to compliance, as we believe that optional privacy can be made available for users while simultaneously being proactive to regulatory frameworks. As such, we closely monitor the regulatory landscape and promote conversation with regulators. 

Since its inception, we have been building an array of plans and relationships for how we will proceed with the creation of our privacy-enhancing engine while remaining compliant with regulatory frameworks. 

This engine uses zero-knowledge (ZK) technology to provide opt-in privacy features that are native to the Aleph Zero network. Aleph Zero’s privacy engine allows users to benefit from extensive privacy while the design of this solution employs ZK-ID as a ZK-based KYC verification and on-chain monitoring services to comply with the AML/CFT requirements. This means that user’s actions can remain private just as in the real world, but at the same time those actions are auditable if needed–just as in the real world.

What is important to note is that AZERO is not a private/privacy coin and the Aleph Zero network is not a private network by default. By ensuring that privacy features are optional and gated, we seek to find a compromise between the risks associated with the scrutiny that private networks have been and continue to be under, while ensuring that users and developers have more tools and possibilities to protect each other’s data on-chain. Additionally, we have established relationships and concluded integrations with AML and KYT firms to ensure that malicious actors cannot abuse the native privacy features of the network. Both the idOS and Gatenox seek to provide opt-in privacy enhancing features while ensuring that users who access them are not on any sanction lists or associated with criminal groups.”

Seeking compliance in privacy

We are actively pursuing what we believe to be the best possible approach to offer privacy in a way that protects users’ interests, but also ensures that the network’s operations are sustainable in the long-term. Aleph Zero’s goal is to onboard businesses that, until now, were cautious about blockchain transparency, scalability, and regulatory clarity. Compliant privacy — which is by no means an ideal term, but seems to resonate with the wider public — will thus be an important factor in doing so.

U.S. government supports privacy enhancing technologies that simultaneously allow for or even promote compliance with Anti-Money Laundering and Combating the Financing of Terrorism (CFT) obligations, the use of non-public blockchains by entities that do not comply with AML/CFT obligations or services that may fall outside current regulations will heighten AML/CFT risks.

“Illicit Finance Risk Assessment of Decentralized Finance”, U.S. Department of the Treasury, April 2023

After all, let’s remember that on-chain privacy is the way forward. It’s just a matter of finding the proper balance.