From government backdoors to systemic surveillance, from the fragility of digital data to the ambiguity of regulators: while billions of pieces of personal information are being exfiltrated, privacy protection is transforming from an inviolable right to a gray area of modernity. Only encryption, awareness, and radical choices can reverse the course.
What do the International Civil Aviation Organization, the Russian government agency responsible for managing real estate property records, and a Chinese artificial intelligence startup have in common? Probably nothing, except for the fact that all of them suffered a data breach in the first weeks of 2025, leading to the exfiltration of millions of users’ data.
Similar events are recurring. Privacy in the digital world is a complicated issue. It’s not about assessing the risk of a leak happening, but rather about asking when it will happen and how much of our data will end up exposed. Choosing who can securely handle our data, understanding the vulnerabilities of protection systems, and determining the level of risk that can be overcome has become extremely difficult.
Privacy is a complex and demanding right for multiple reasons. On one hand, it involves the most intimate sphere of a person; it’s tied to dignity and sometimes even personal security. On the other, protecting the right to privacy and interpreting its contents must necessarily contend with the evolution of technology. The emergence of an advanced concept of privacy is linked to the rise of the bourgeois class, which first exalted individual identity within the social sphere and equated privacy with a space in life, almost physical, from which a subject had the right to exclude others. It is the “right to be let alone” theorized by Warren and Brandeis, meant to translate into the right of individuals to confidentiality concerning those circumstances and events that are intrinsically personal and familial, with no socially significant interest for others.
Yet, for several decades now, this definition is no longer enough. Technology has profoundly changed every aspect of our lives. Every major scientific discovery, every form of progress, every technological milestone reached in the last fifty years has been made possible thanks to the combination of two elements: the Internet and computer science. The whole world has benefited, offering new products and services, but also sharing and refining ideas and initiatives within a much wider community than ever before in history.
However, every great change often has a counterpart. Living and interacting online means sharing billions of small pieces of information about ourselves. Every time we unlock our smartphone, send an email, write a message, visit websites, or use an app or credit card, we leave behind, just like Perrault’s Little Thumb, a myriad of breadcrumbs. These traces might seem insignificant, but when aggregated and analyzed skillfully, they reveal everything about us and often take on a much-overlooked value. They speak of what we like, who we vote for, our sexual orientation, and sometimes even our human vulnerabilities.
What makes the issue even trickier is that the public often struggles to grasp the true extent of the risks associated with managing and sharing personal data. There is much talk about privacy violations, about major scandals tied to data leaks, but only rarely are we aware of what it truly means to put our data at risk. The privacy debate is polarized between those who see it as a lost battle and those who believe it’s possible to maintain control over one’s digital identity. However, what is missing is a clear perception of the actual vulnerabilities within our digital ecosystem. Not to mention those who step aside, claiming they have nothing to hide.
Data is still treated as a commodity to access seemingly free services, with the average user unaware of the long-term implications. Privacy policies, which are complex and written in technical language, do little to bridge this awareness gap. Neither does the approach often adopted by regulators, who, after creating a complex set of rules regarding personal data transfer, which is very different from a law aimed at reducing the amount of personal data being collected, also provide wide exceptions, primarily in favor of governments. These exceptions are shielded by a principle of data minimization, which struggles to distinguish between what is lawful and what is not when it comes to sharing personal data.
The reasons for these exceptions revolve around the concept of public safety, expressed through initiatives to combat money laundering, terrorism financing, drug trafficking, child pornography, and organized crime in general. Unfortunately, the internet, like all public spaces, is not a safe environment. Technology is simply a tool, usable by anyone for various needs.
The protection of our digital communications today is essentially entrusted to encryption. It protects emails (via TLS/SSL), VPNs, communications through messaging apps like Signal or WhatsApp (which use end-to-end encryption), and even financial transactions. We live in an era where strong encryption is probably the last shield for individual privacy, as well as the final frontier against mass surveillance. Attacks on encryption have already occurred in the past. Some may have read about how, in the 1990s, during the Clinton administration, it was proposed, fortunately without success, to require every phone manufacturer to install a chip whose cryptographic key, needed to decrypt the data, would be held by the government.
More recently, the goal of preventing certain forms of abuse has led the United States and the European Union to propose a law requiring communication service providers to scan and monitor messages, chats, emails, cloud storage, online photo archives, and websites for CSAM (Child Sexual Abuse Material), introducing supranational authorities for the management and monitoring of compliance with the regulation. And while it’s true that in Europe the process is slow, with several setbacks, in the UK, the Online Safety Bill has already become law, while just recently, the French government proposed an amendment to a bill against drug trafficking (the so-called Narcotrafic) that would require encrypted messaging apps like Signal and WhatsApp to backdoor encryption to deliver decrypted chat messages from suspected criminals within 72 hours of a request. If adopted, the law would allow law enforcement to use various surveillance techniques, including those that undermine the confidentiality of encrypted communications on platforms like Signal or WhatsApp, forcing messaging service providers to introduce a “backdoor,” or reserved access for law enforcement and intelligence agencies, with heavy penalties for those who refuse to comply[1].
According to early comments[2], the measure seems to represent a serious threat to cybersecurity, as it would weaken end-to-end encryption, making communications vulnerable not only to governments but also to malicious actors and cybercriminals, reducing the overall protection of communications and the confidentiality of personal information for millions of users.

In short, while it is true that few still worry about Bitcoin’s demise, the health of online privacy is rightfully in question.
And when we add to this the fact that almost 95% of the money we exchange daily is digital, that is, numbers in centralized databases, intrinsically tied to data related to our personal identity, which the law forces operators to exchange and store, it becomes clear how urgent the protection of the information concerning us is, starting with financial data.
In the traditional banking model, where access to information is limited to the parties exchanging value, plus the trusted third party (the banking intermediary), privacy protection is the result of a more or less stable balance between technological security, regulations, and internal data management, with the need to ensure that clients’ financial information remains protected, without hindering their right to access and manage their own data. In a context where cyber threats are constantly evolving, banking privacy protection is a costly and ongoing process.
But what happens in the Bitcoin world? Certainly, in the Bitcoin protocol, the issue is unique because the solution to the double-spending problem, which involves making all transactions public in this shared database called the Bitcoin timechain, excludes the use of the same privacy method of obfuscation used by the banking system, since the information related to each individual transaction is visible to everyone. Bitcoin partially compensates for this lack of privacy with the pseudonymity of public keys, which are meant to be used only once, with no association to the identity of the parties. Although each transaction is public, there is, in fact, no public data on who, within a given transaction, controls the private keys. Nor is it technically possible to tell, just by observing the public data of the Bitcoin blockchain, whether a transaction with 10 inputs and 10 outputs is moving sats from one payer to ten beneficiaries, from two payers to one beneficiary, or from one person to themselves.
Let’s define electronic currency as a chain of digital signatures. Each owner transfers currency to the next by digitally signing a hash of the previous transaction and the public key of the next owner, then appending them to the currency. The recipient of a payment can verify the digital signatures to validate the chain of ownership. Satoshi Nakamoto, Bitcoin White Paper.
However, certain behaviors in using Bitcoin can, to varying degrees, compromise user privacy, and often they are less obvious than one might think. One of the main risks once again stems from AML/CFT regulations (anti-money laundering and counter-terrorism financing), which introduced the KYC rule (Know Your Customer). Centralized service providers operating in Europe are required to ask customers to verify their identity before completing a transaction, thereby linking transactions made through these gateways with each user’s personal data. Further issues can arise from reusing the same address for multiple transactions, making it easier to link a specific user’s activity and identify their movements. Similarly, sharing your address publicly allows it to be associated with a person’s or organization’s identity. Furthermore, connecting to the internet without any protection for one’s digital identity, exposing one’s IP address to anyone monitoring the network, enables linking transactions to a specific geographical location or, in any case, to the Internet Service Provider (ISP), reducing the level of privacy.
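The three risks just described (KYC gateways, address reuse, publicly shared addresses) can be checked against a wallet's own receive history. The sketch below is an added example, not part of the original article; the transaction records, the address labels and the `source` categories are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: payments received by one wallet (not real chain data).
# "source" records how the payer obtained the address; labels are hypothetical.
RECEIVED = [
    {"txid": "tx01", "address": "addrA", "source": "kyc_exchange"},
    {"txid": "tx02", "address": "addrB", "source": "friend"},
    {"txid": "tx03", "address": "addrA", "source": "employer"},
    {"txid": "tx04", "address": "addrC", "source": "public_donation_page"},
    {"txid": "tx05", "address": "addrC", "source": "anonymous_donor"},
    {"txid": "tx06", "address": "addrD", "source": "kyc_exchange"},
]

# Sources that attach a real-world identity to the address they pay
# (assumption of this example, matching the KYC and public-sharing cases).
IDENTIFYING = {"kyc_exchange", "public_donation_page"}


def audit_receive_history(received):
    """Group payments by address and report what an observer can link."""
    by_address = defaultdict(list)
    for payment in received:
        by_address[payment["address"]].append(payment)

    report = {}
    for address, payments in by_address.items():
        txids = [p["txid"] for p in payments]
        identified = any(p["source"] in IDENTIFYING for p in payments)
        report[address] = {
            "txids": txids,
            "reused": len(txids) > 1,
            # Every payment to an identified address inherits that identity.
            "identity_exposed_txids": txids if identified else [],
        }
    return report


def exposure_summary(report):
    """Count payments linkable to each other or to an identity."""
    linked = sum(len(r["txids"]) for r in report.values() if r["reused"])
    exposed = sum(len(r["identity_exposed_txids"]) for r in report.values())
    return {"linked_by_reuse": linked, "tied_to_identity": exposed}


if __name__ == "__main__":
    rep = audit_receive_history(RECEIVED)
    for addr, entry in sorted(rep.items()):
        print(addr, entry)
    print(exposure_summary(rep))
```

In the sample, the employer payment `tx03` becomes attributable only because it landed on the address already given to the KYC exchange; a fresh address per payer would have kept it separate.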
The issue is delicate. The revelation of financial data can severely damage a person’s social life and, in extreme cases, when it comes to Bitcoin, even their security. Despite this, the development of simple yet rigorous solutions that can guarantee the use of Bitcoin as digital cash is still a work in progress[3].
Leaving aside the ideological approach, which is certainly mindful of privacy, the evolution of the protocol in this regard is uneven. In 2024, privacy software Samourai Wallet and Wasabi Wallet underwent significant changes due to legal and regulatory pressures. On April 24, 2024, Samourai Wallet founders Keonne Rodriguez and William Lonergan Hill were arrested and charged with conspiracy to commit money laundering. U.S. authorities claimed the privacy-focused wallet was being used to facilitate illicit transactions. In response, zkSNACKs, the company behind Wasabi Wallet, announced the cessation of CoinJoin coordination services starting June 1, 2024. Additionally, likely to mitigate the legal risks associated with using the service in the U.S., they blocked wallet access for U.S. citizens and residents.
We are living in a historical moment where the tension between technological innovation and government pressures to control technologies, formally justified by concerns over their potentially illicit use, has never been so high. But privacy is not an option: it is a fundamental necessity. The revelation of personal information can destroy a person’s social life, and in the most extreme cases, jeopardize their very safety.
Only by approaching this with rigor and responsibility can we ensure a safer future. If governments continue to act with shortsightedness, oscillating between the desire for control and the inability to grasp what is at stake, the burden of defending digital privacy will inevitably fall on those who build the tools that shape our relationship with technology. History teaches us that individual freedoms are rarely guaranteed from above, but are more often defended by those willing to understand their value and protect them through decisive actions.
In a world where surveillance is becoming more sophisticated and threats to privacy are multiplying, one can only hope that it will be the developers who draw the line between a future of invasive transparency and one in which privacy remains a real possibility. Because technology is potentially neutral, but the intention behind its design ultimately determines its fate.
[1] The law provides for a further expansion of surveillance capabilities, legalizing the use of spyware similar to that developed by companies like NSO (Pegasus) or Paragon and allowing authorities to remotely activate microphones and cameras on connected devices, such as computers and smartphones, turning them into spying tools. Additionally, it extends the use of so-called “black boxes,” tools that analyze internet traffic and digital communications through algorithms to identify “suspicious subjects.” Introduced in 2015, these technologies have never officially proven their effectiveness but pose a significant risk to citizens’ privacy, turning targeted monitoring into indiscriminate surveillance. Among the additional measures mentioned in the provision, we find:
i) the use of IMSI-catchers in private locations, allowing the police to intercept and identify mobile devices inside homes;
ii) the expansion of powers granted to prefects, enabling them to ban specific individuals from certain areas without judicial orders;
iii) increased use of drones and cameras in prisons or for monitoring strategic infrastructure; and
iv) the introduction of new crimes related to organized crime, further extending the scope of action for authorities.
[2] See PPL Narcotrafic : les droits et libertés à nouveau victimes de l’addiction aux lois sécuritaires, at laquadrature.net.
[3] Among the most promising solutions is likely Cross-Input Signature Aggregation (CISA), an approach that aims to combine multiple signatures within a single transaction or even across multiple transactions into a single signature, leveraging the linear properties of Schnorr signatures, which were implemented in Bitcoin following the Taproot upgrade in 2021. Unlike multi-signature protocols, which allow multiple keys to be combined into a single key, CISA enables the aggregation of signatures created by different keys for different messages. This also helps save storage space in Bitcoin blocks and reduce costs, as signatures from different inputs within a transaction, or even from different transactions, can be combined, improving efficiency and lowering fees on the network.