More eyes than ever are on privacy projects as people look to crypto and web3 to provide individuals with the data autonomy that web2 never could. But the conversation around privacy tech in crypto generally gravitates towards flashy on-chain solutions such as zk-SNARKs or stealth addresses. These are exciting and important, but privacy isn’t something you can offer at just one layer of the stack: it’s either a full-stack solution or isn’t truly private. So how does on-chain privacy compare with off-chain privacy?
This guide covers what to know about both, along with the overlooked but essential transport layer and its role in web3 privacy.
What is the transport layer?
When we discuss all the technology behind our digital devices and the internet, we often refer to the “tech stack.” This term represents all the different layers of technology that make our online interactions possible. It is a bit like a multi-layered cake, with each layer representing a different aspect of a system’s operation.
One such layer is the transport layer. Sitting near the middle of the stack, it’s not as flashy as the ‘application layer’ at the top (think user interfaces or applications like Facebook or Twitter) or as deep and foundational as the ‘physical layer’ at the bottom (the hardware and physical equipment that actually run the systems). But it is crucial nonetheless.
The transport layer is responsible for data transmission between devices and networks. It ensures that the information you send from your device reaches its intended destination. Imagine you were sending a letter to a friend: the transport layer would be the postal service, ensuring your letter gets from your house to your friend’s house intact and on time.
In the same analogy, your house address would be similar to your IP address. You’re a point on the network, and the postal service needs to know your address and the address of your friend. This small fundamental detail of how the internet functions is the source of a lot of the privacy issues rampant in today’s internet.
Another point on the network needs to know your address to communicate with you (send data back and forth). But any observer can now see who you are communicating with and often what you are sending – what websites you visit, how much time you spend on them, what products you are browsing, etc. Crucially, ignoring privacy at this layer can render our efforts at on-chain privacy pointless.
On-chain vs. off-chain privacy
So what’s the difference between on-chain and off-chain privacy? As the names suggest, the key factor is whether the blockchain is directly involved or not.
On-chain privacy solutions safeguard information on the blockchain, which is usually publicly available and linkable via your wallet address. They often focus on decoupling your wallet address from your transactions via identity-obscuring solutions such as zero-knowledge (ZK) proofs, stealth addresses, ring signatures, or coin-mixing services. These are often computationally expensive, relying on complicated mathematics to produce their privacy effects.
In contrast, off-chain privacy focuses on decoupling your real-life identity from anything you do on-chain or even online. This means obscuring metadata such as your IP address or device information as you browse the web. These approaches can be as complex as on-chain privacy or as simple as ensuring you have strong passwords.
VPNs aren’t sufficient
Can’t this just be fixed with a VPN? A VPN (virtual private network) is an intermediary you can route your data through. It’s like sending a letter to a friend who then puts their return address on the envelope before sending it off. Now the receiver thinks the letter came from your friend rather than you. But apart from the fact you are now trusting this VPN provider with your data, it also isn’t very private.
With minimal effort, an observer can treat your VPN's address as synonymous with your IP address. And having a persistent IP address, even if it’s not “yours,” is enough to conduct many different off-chain linking attacks in web3.
Because web2 so heavily normalized the exploitation of user data, flimsy solutions like this were okay. But as a 2023 survey by ConsenSys revealed, web3 users and potential users set a much higher bar for privacy. Your data should be private from the eyes of large corporations, internet stalkers, or any unwanted observer. And this is exactly why you can’t just address parts of the problem and claim the solution to be private.
The interdependence of off-chain and on-chain solutions
No matter how private you make your transactions on-chain, no matter how much you detach your wallet and funds from your transactions and use of web3 services, if someone can trace your metadata, they can de-anonymize you.
The simplest example of this is your RPC provider. Your wallet makes dozens of interactions with the blockchain every minute just to function: What is the current gas price? What is the current block number? How much is held at this address? These questions are answered via RPC calls (remote procedure calls) facilitated by an RPC provider.
All this information must be sourced from the blockchain, which requires a lot of infrastructure (nodes to communicate with the blockchain). This is all outsourced to the titans of industry, such as Infura & Alchemy, which now have access to all of your wallet interactions and everything you do on web3. Every transaction you consider, every service you visit, and every product you browse while using your wallet is now traceable to these large centralized infrastructure providers.
You could use as many stealth addresses as you want, but they can all be linked together and to you in a matter of seconds through your RPC calls. Since nearly 100% of crypto interactions involve RPC providers at some level, this is a huge problem that needs fixing for web3 to be viable.
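To audit what your own wallet's RPC traffic exposes, the following added example (not code from the article or from any provider) groups the addresses queried in JSON-RPC requests by the source IP that sent them. The log entries, addresses and IPs are constructed, and the helper names `req`, `addresses_by_source` and `linkable_sets` are hypothetical; the persistent source IP stands in for a VPN exit address.

```python
import json
from collections import defaultdict

# Real Ethereum JSON-RPC methods whose first positional parameter is an account address.
ADDRESS_METHODS = {"eth_getBalance", "eth_getTransactionCount", "eth_getCode"}

def req(method, *params):
    """Build a JSON-RPC 2.0 request object as a wallet would send it."""
    return {"jsonrpc": "2.0", "id": 1, "method": method, "params": list(params)}

# Constructed sample data: three "unlinkable" stealth addresses and one unrelated user.
STEALTH_1, STEALTH_2, STEALTH_3 = ("0x" + b * 20 for b in ("a1", "b2", "c3"))
OTHER = "0x" + "d4" * 20
VPN_EXIT, OTHER_IP = "203.0.113.7", "198.51.100.20"  # documentation-range IPs
SAMPLE_LOG = [  # (source IP the provider sees, raw request body)
    (VPN_EXIT, json.dumps(req("eth_gasPrice"))),
    (VPN_EXIT, json.dumps(req("eth_getBalance", STEALTH_1, "latest"))),
    (VPN_EXIT, json.dumps([req("eth_blockNumber"),  # batch request
                           req("eth_getBalance", STEALTH_2, "latest")])),
    (VPN_EXIT, json.dumps(req("eth_getTransactionCount", STEALTH_3, "latest"))),
    (OTHER_IP, json.dumps(req("eth_getBalance", OTHER, "latest"))),
    (OTHER_IP, "not json"),  # malformed entry, skipped
]

def addresses_by_source(log):
    """Group the account addresses queried over RPC by the source IP that asked."""
    clusters = defaultdict(set)
    for src_ip, body in log:
        try:
            msg = json.loads(body)
        except json.JSONDecodeError:
            continue
        for call in (msg if isinstance(msg, list) else [msg]):
            if not isinstance(call, dict):
                continue
            params = call.get("params")
            if (call.get("method") in ADDRESS_METHODS
                    and isinstance(params, list) and params
                    and isinstance(params[0], str)):
                clusters[src_ip].add(params[0].lower())
    return dict(clusters)

def linkable_sets(log):
    """Sources that queried more than one address: those addresses are tied together off-chain."""
    return {ip: a for ip, a in addresses_by_source(log).items() if len(a) > 1}

if __name__ == "__main__":
    for ip, addrs in linkable_sets(SAMPLE_LOG).items():
        print(ip, "links", sorted(addrs))
```

The three stealth addresses share no on-chain history in this sample, yet they fall into one cluster because every balance and nonce lookup arrived from the same source address.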
We need a comprehensive approach to web3 privacy
Data autonomy and ownership are core to the ethos of web3, and offering them in a true sense means setting the bar high. The point-to-point nature of data transmission is so fundamental to the internet that it’s hard to address the privacy pitfalls that come with it.
But not addressing them would just mean inheriting the same issues that have always plagued the internet. Without off-chain privacy, on-chain privacy can only protect you from observers that won’t make an effort to harvest your data. This is not to discredit the work done on on-chain solutions, as without them, complex data fingerprinting attacks would be impossible to stop, and web3 might feel too ‘public’ for many potential users. But you can’t run a marathon with a broken leg, and we can’t build the web3 we need without the infrastructure to transport data securely.
About the author
Sebastian Bürge builds technical solutions that empower the individual. As founder of the private data exchange infrastructure HOPR, he contributes to establishing full-stack privacy for web3. He also co-founded two other technology startups: Validity Labs (blockchain education & services) and Sonect (fintech). Sebastian holds a Ph.D. in Microtechnology from the Swiss Federal Institute of Technology, ETH Zurich.