Crypto was originally most closely associated with anonymity, but in 2025, the crypto ecosystem has changed.
User privacy is diminishing, as new laws in different jurisdictions across the globe require Know Your Customer and ID checks for wallets or exchange accounts to combat money laundering. The increasing sophistication of blockchain analysis tools means that every transaction has a transparent trail that can be traced back to its source.
As a result, onchain privacy has become a major theme. In October, the Ethereum Foundation announced the formation of its “Privacy Cluster,” a group of some 47 researchers, engineers and cryptographers who are working to make the base layer of Ethereum private.
This takes the form of Kohaku, a modular framework for the network that allows senders and receivers to hide their real wallet address, among other functions. It claims to be compliant, but Signal, from ZK privacy solution Onflow, argued that “from a legality perspective, in ~0% of the large jurisdictions would view keys be considered compliance.”
It turns out crypto platforms face a seemingly impossible task in complying with opaque rules designed for centralized entities to protect the data privacy of individuals, while still being compliant with financial rules around transparency.
To better understand these complexities, Magazine spoke with Charlyn Ho, CEO of Rikka — a law and consulting firm specializing in privacy, technology transactions and cybersecurity.
This conversation has been edited for clarity and length.
Magazine: What’s even legal when it comes to private crypto transactions?
Ho: It’s a little bit complicated because every single jurisdiction has its own privacy laws. So, for example, let’s just take Europe.
Europe has the GDPR [General Data Protection Regulation]. But in recent times, it’s promulgated all these other laws that are kind of layered on top or adjacent to GDPR. For example, it’s got MiCA [Markets in Crypto-Assets Regulation], which is the crypto law, and that intersects.
Magazine: So, how do privacy laws relate to Ethereum and blockchain in general?
Well, it kind of depends because a lot of times these [privacy] laws have exceptions.
For Anti-Money Laundering and Know Your Customer, there are exceptions where people can’t keep their data private necessarily. If it’s being used to commit crimes, you can’t say, “Because of my privacy, I’m not going to disclose my information to the regulator.”
That’s where some of the complexities are, like with Tornado Cash or Telegram. In some of these cases, private mechanisms or privacy-preserving protocols have kind of butted up against the regulator’s ability to regulate.
Magazine: How are legal opinions and legal treatment of tools like privacy pools and zero-knowledge proofs developing?
Ho: The public discourse in the US is basically, “If you’re going to be developing crypto products, then they better follow the laws. We’re not going to write specific laws that change the underlying privacy laws just for crypto.”
And so, we have the laws we have, and they do not have crypto in mind.
A few years ago, the European Commission had a study about blockchain. And there was some genesis or movement towards embracing self-sovereign identity as a privacy-preserving mechanism. But the ultimate conclusion of the regulator was that no matter if your intent is to preserve privacy, that doesn’t obviate your requirement to comply with GDPR, for example.
Read also
Features
Real AI use cases in crypto, No. 2: AIs can run DAOs
Features
Financial nihilism in crypto is over — It’s time to dream big again
So, if using a public permissionless blockchain is not going to allow you to satisfy GDPR, then you can’t really build on that platform. There’s not a very satisfactory response.
From a regulator’s perspective, I can understand why they would not give an exemption to a particular type of technology. The laws are just the laws.
Magazine: What laws do developers need to take into consideration when developing privacy tools?
Ho: This is an unsettled area of law. What’s interesting about crypto is that, because there’s no central body, it’s kind of like the developers are the ones that are being held liable for their users’ actions.
Let’s just take Facebook as an example. Facebook as a company can be sued like privacy violations because there is a Facebook to sue. You don’t go after the third-party developers that Facebook has hired.
Whereas in the case of Ethereum, you can’t just sue Vitalik [Buterin]…
cointelegraph.com