# Balancing Privacy between Decentralization and Regulation: Insights from DevConnect Istanbul

Written by @xbinSin7Y

During DevConnect Istanbul, I had the privilege of engaging with various project teams and researchers dedicated to privacy-oriented initiatives. We discussed a range of privacy-related topics. To my surprise, I found that the concept of **'privacy'** is interpreted quite differently by different people, generally falling into two distinct categories:

1. Prioritizing ultimate individual privacy protection before considering regulatory oversight (including both centralized and decentralized methods).
2. Achieving individual privacy protection within a regulation-friendly framework.

These different approaches lead to varied technological solutions. In my opinion, all privacy protection schemes should be regulated to penalize malicious users, thereby protecting the interests of the majority of ordinary users. Concurrently, it is essential that user privacy is not entirely compromised. Privacy and regulation are not inherently contradictory.

**Humans need privacy, but privacy requires regulation.**

## Why Does Privacy Need Regulation?

Consider the various hacking incidents that have occurred in the past, with data sourced from the SlowMist [2022 Blockchain Security Report](https://www.slowmist.com/report/first-half-of-the-2022-report(EN).pdf):

| Event | Date Stolen | Amount Lost |
| --- | --- | --- |
| Ronin Network | March 23, 2022 | 173,600 ETH, 25,500,000 USDC |
| Wormhole | February 2, 2022 | 120,000 WETH |
| Beanstalk | April 17, 2022 | 24,830 ETH, 250,000 USDC Tokens and 36,390,000 BEAN Token |
| Harmony | June 23, 2022 | ETH: 13,100 ETH, 41,200,000 USDC, 592 WBTC, 9,981,000 USDT, 6,070,000 DAI, 5,530,000 BUSD, 84,620,000 AAG, 110,000 FXS, 415,000 SUSHI, 990 AAVE, 43 WETH and 5,620,000 FRAX; BSC: 5,000 BNB and 640,000 BUSD |
| Crypto.com | January 17, 2022 | ETH: 4,836.25 ETH; BTC: 443.93 BTC |
| Uniswap Phishing | July 11, 2022 | 3,278.84 ETH and 240.42 WBTC |
| ApeCoin Airdrop Flashloan Arbitrage | March 17, 2022 | 60,564 APE |
| BAYC Official Discord Hacking | June 4, 2022 | Approximately 145 ETH ($256,000) of NFTs |
| FEGToken | May 15 & 16, 2022 | 443.86 ETH and 7,626.49 BNB |
| Optimism | May 27, 2022 | 20,000,000 OP Tokens (17,000,000 OP returned) |
| MM.finance | May 4, 2022 | $2,000,000 |

Statistics show that 74.6% of the stolen funds from the Ethereum network have been transferred to Tornado Cash, and 48.9% from the Bitcoin network have been moved to ChipMixer to evade fund tracking.

It becomes clear that if privacy is designed to an extreme degree where it facilitates evasion of regulation, the platform will inevitably turn into a sanctuary for malicious users seeking to evade sanctions. While this approach may protect the interests of these individuals, it ultimately compromises the interests of the vast majority.

Interestingly, some stolen funds have been quickly frozen, mitigating overall losses, due to the cooperation between security agencies and exchanges.
This is feasible thanks to the inherent transparency of blockchain technology, enabling the swift tracking and freezing of stolen funds before hackers can process them.

Hence, for privacy-focused projects, irrespective of their design, it is imperative to ensure that **regulatory bodies/organizations can pinpoint the target without additional information.** Otherwise, it could be extremely dangerous.

# Comparison of Privacy Projects

In [my tweet](https://twitter.com/ocean_xiaobai/status/1718877425365574114?s=20) published on Oct 30th, I highlighted several projects related to privacy, including Zcash, Anoma, Aztec, Aleo, Miden, Ola, among others. These projects all employ zero-knowledge (zk) technology to achieve privacy. Strictly speaking, they are extensions of the Zcash protocol, and can be categorized as follows:

| Project | Privacy | Programmability | Compliance |
| --- | --- | --- | --- |
| Zcash | High | No | View Key (Unenforceable) |
| Aleo | High | Yes | View Key (Unenforceable) |
| Anoma | High | Yes | View Key (Unenforceable) |
| [Aztec](https://twitter.com/aztecnetwork) | High | Yes | View Key (Unenforceable) |
| Miden | High | Yes | View Key (Unenforceable) |
| [Ola](https://twitter.com/ola_zkzkvm) | Middle | Yes | Native |

The View Key is a crucial component for decrypting the contents of private transactions, as illustrated in the following diagram ([Zcash protocol](https://github.com/zcash/zips/blob/main/protocol/protocol.pdf) 4.19.3):

![1280X1280 (1)](https://hackmd.io/_uploads/ry27ya-Sp.png)

This means that anyone with access to the View Key can decrypt the transaction contents, thereby obtaining detailed information about the transaction. Generally, the View Key is kept by the user themselves to receive transactions sent to them.

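
A simplified model of the view-key behaviour described above, added here as an illustration (not code from Zcash, Ola, or this article's author). Plain Diffie-Hellman modulo a prime and a hash keystream with HMAC stand in for the protocol's real key agreement and authenticated encryption; all names and memos are constructed. It shows that a view-key holder can find and read their own outputs by trial decryption, while a party without that key recovers nothing from the same ledger.

```python
import hashlib, hmac, secrets

# Assumption: toy stand-ins only. Real shielded protocols use elliptic-curve
# key agreement and a standard AEAD, not these primitives.
P = 2**255 - 19   # prime modulus for the toy Diffie-Hellman group
G = 2

def keygen():
    ivk = secrets.randbelow(P - 2) + 1      # incoming view key (kept secret)
    return ivk, pow(G, ivk, P)              # (view key, public address)

def _kdf(shared, label):
    return hashlib.sha256(label + shared.to_bytes(32, "big")).digest()

def _xor_stream(key, data):
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def send_note(address, memo):
    esk = secrets.randbelow(P - 2) + 1      # fresh ephemeral secret per output
    shared = pow(address, esk, P)
    ct = _xor_stream(_kdf(shared, b"enc"), memo)
    tag = hmac.new(_kdf(shared, b"mac"), ct, hashlib.sha256).digest()
    return {"epk": pow(G, esk, P), "ct": ct, "tag": tag}

def try_decrypt(ivk, out):
    shared = pow(out["epk"], ivk, P)        # only the right ivk rebuilds the secret
    expect = hmac.new(_kdf(shared, b"mac"), out["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, out["tag"]):
        return None                          # not ours: tag check fails
    return _xor_stream(_kdf(shared, b"enc"), out["ct"])

def scan(ivk, ledger):
    """Trial-decrypt every output; return the memos this view key opens."""
    return [m for m in (try_decrypt(ivk, o) for o in ledger) if m is not None]

def demo():
    alice_ivk, alice_addr = keygen()
    bob_ivk, bob_addr = keygen()
    auditor_ivk, _ = keygen()                # party never given a user's view key
    ledger = [send_note(alice_addr, b"pay alice 5"),   # constructed sample memos
              send_note(bob_addr, b"pay bob 7"),
              send_note(alice_addr, b"pay alice 1")]
    return scan(alice_ivk, ledger), scan(bob_ivk, ledger), scan(auditor_ivk, ledger)
```
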
**If a user does not provide their View Key to regulatory authorities, these bodies have no way of knowing any information about the transactions, which is a concerning signal.** Regrettably, we haven't seen any improvements or considerations regarding this issue in some projects.

Observing various hackers funnel stolen funds into privacy platforms for money laundering, it becomes evident that we must propose a new solution that balances privacy protection with regulatory needs. We need a genuinely compliance-friendly privacy solution that protects the privacy of the majority of users while also tracking the money laundering activities of malicious users, as shown in the following diagram:

![aaaf1516-87e3-40fb-a9a0-dde24baa3416](https://hackmd.io/_uploads/S1-oJa-Hp.png)

Ola's solution disrupts the unlinkable attribute of private transactions yet preserves the privacy of each transaction. This allows regulatory bodies to track and freeze target funds based on their linkable attributes alone, without compromising transactional privacy, requiring additional information, or knowing the ownership details of the funds being frozen.

# Additional Regulatory-Friendly Measures

In other articles, we observe some projects attempting to prevent malicious activities through various means, such as KYC mechanisms, blacklist systems, limits on the number and amount of transactions per day or per transaction, and even mandatory proxy storage of View Keys. However, these measures do not address the fundamental issues for several reasons:

1. Mandatory storage of View Keys by the project or platform leads to the same issues as with Web2, requiring trust in centralized entities.
2. The implementation of KYC might deter users from utilizing privacy features.
3. If a KYC-verified user acts maliciously and refuses to cooperate, regulators may still find it challenging to track the targeted funds.
4. Blacklist updates often experience delays and are unable to prevent malicious acts in ongoing transactions by users on the whitelist.
5. Malicious users may strategically spread their activities over multiple addresses, while these restrictions significantly impede the user experience for legitimate users.
6. ...

The aforementioned measures either undermine privacy, lead to centralization, or fail to effectively address malicious behavior by users.

# Data Ownership in Web3

Considering the evolution of blockchain technology, with its shift from fully transparent blockchains to those prioritizing privacy, privacy emerges more as an objective. Consequently, some projects have emphasized ultimate privacy protection for users, often overlooking regulatory considerations. However, regulation is a fundamental aspect that cannot be overlooked.

Expanding the perspective to view this as an upgrade from Web2 to Web3:

- Web2 = Centralization + Data leakage
- Web3 = Decentralization + Data ownership

Blockchain + Privacy will be key to fulfilling the Web3 vision. Blockchain achieves decentralization, while Privacy ensures Data Ownership. However, **decentralization doesn't imply a lack of regulation but rather suggests a model of decentralized regulation.**

Therefore, whether in Web2 or Web3, regulatory compliance is essential, with the difference being between centralized and decentralized regulation. This transition is not instantaneous and will take time to evolve. In this interim, a coexistence of both systems is probable.

**Ola focuses on bringing Data Ownership to Web3 with privacy.**

---

We've been writing research articles related to zero-knowledge cryptography and privacy solutions since 2021. Below are useful links for your reference:

- Github: https://github.com/Sin7Y
- HackMD: https://hackmd.io/@sin7y
- Medium: https://medium.com/@ola_zkzkvm