By now, most of the cryptosphere has heard of Privacy Pools — a project launched this year by Ameen Soleimani, a well-known developer and founder. As a former contributor to Tornado Cash, Soleimani aimed to “fix” the popular open-source solution for anonymising Ethereum transactions in order to make it regulator-friendly.
The original teaser, shown in March, was based on an idea initially espoused by Ethereum co-founder Vitalik Buterin in 2022. But it somehow failed to attract the attention of the crypto hive-mind. It was only weeks ago — after Buterin authored an academic paper on the subject — that it began making the rounds more widely on social media.
Why? Well, nothing like mixing “blockchain privacy” with regulatory compliance” to upset some cypherpunks. And to leave the rest of the community wondering if regulators would even be interested in legitimizing the use of non-custodial crypto-asset mixers — which are indeed crucial to the on-chain economy, yet so often misunderstood.
Because the future is clearly a more digitally transformed world where zero-knowledge proofs enter the mainstream and there’s at least a corner of decentralized finance (DeFi) that can benefit from automated compliance at the smart contract level. And this paper has kickstarted that conversation, even if without a conclusion. Meanwhile, how do we go from A to B?
Let’s discuss if privacy pools can really be compliant at the moment. Can they satisfy the core ethos of the community — or at least of the part of the community that cares about preventing the illicit use of tokens, as the Pretty Good Policy for Crypto podcast recently put it? And how can we overcome one of the paper’s most critical shortcomings: the narrative?
Firstly, even if the proposed implementation is sound, users can only prove their innocence by showing their original deposit either belongs to a set of presumably legitimate sources, or doesn’t belong to a set of known unlawful sources. These are referred to as association sets and their implementation is still to be defined by the ecosystem. But compliance is not only about addresses on OFAC’s SDN list or about staying away from known malicious actors.
zero-knowledge Know Your Customer (zkKYC) poolsYes, if someone hacks a protocol, or if an indicted criminal has their wallets identified, and tries to move funds to new addresses, these could be automatically added to an association set for honest users to dissociate from. That’s easy and the paper also recommends more interesting construction mechanisms, such as inclusion delays or even zero-knowledge Know Your Customer (zkKYC) pools.
However, bad actors can stay under the radar for long before being recognized as such, and that leaves regulators anxious as coins associated with illicit activity could reenter circulation. Whereas in the traditional finance world, physical cash accounts for an increasingly small share of payments and illicit funds held at banks can easily be arrested. And regulators have become used to the doxing that exhaustive KYC processes allow.
Secondly, even if this was enough to satisfy present-day regulators, it is also important to understand if the crypto community is happy with the solution — or else it won’t be adopted. And this isn’t only about hardcore cypherpunks, but also users from oppressive regimes and political activists in not-so-healthy democracies. That situation is particularly thorny.
Because these pools can only improve transaction privacy if there’s a whole ecosystem around them which users trust. Yes, association sets can be entirely automated. But even then it’s all about the oracles and about which public and private entities come to control these lists, effectively deciding who is a bad actor and not — potentially without a mandate.
Soleimani noted the protocol “doesn’t require sacrificing on crypto ideals.” Yet, even honest actors who are naturally inclined to prove their innocence can only do so up to the extent their jurisdictions acknowledge large and relevant enough association sets for the proofs to work, or if designated∂ association set providers can be trusted.
Lastly, the proposal’s intentions are clearly good and its design flexible and powerful. Sadly, a large number of builders aren’t convinced that regulation is helpful for this industry. That’s epitomized by developers typically worrying about rules out of fear of being imprisoned or fined in the context of the unclear global legal frameworks for DeFi.
Such a potentially compliant protocol won’t magically solve that, as it creates a separated regulated environment for users (and governments or lawmakers) to opt in. It’s definitely a constructive proposal and self-regulation is laudable, but the crypto policy conversation needs more or else the chasm will keep increasing while privacy gets attacked left and right.
After all, we can only build something for success if we agree with its terms and if what’s built meets the requirements of customers and stakeholders. The corollary is that if we don’t agree with those requirements, we need the whole community to rally behind the change — in this case, to fight for better privacy protections and for better privacy education.
The change starts with you. Have you been supporting your national crypto advocacy groups? Do you know what they stand for? Have they done solid work on the topic? (Even if they haven’t been as fierce as Coin Center, which filed a lawsuit against the United States Treasury Department after it sanctioned the use of Tornado Cash last year.)
If not, the time to engage is now. Let’s lobby for a better future or it will never come.