On Anonymity in Web3

EducationFebruary 18, 2025

Anonymity is hard to get by when you’re online. Most digital products track their customers’ every step, often with the help of an advertisement almost-monopoly of Google or Meta. These companies try to learn as much about us as they possibly can to distill an ever more detailed profile of us. Often we get “free” access to convenient products in return. Escaping this surveillance capitalism is increasingly hard and demands countermeasures that tend to scratch convenience. Web3 is, in some regards, even worse: its pseudonymity tricks users into a false sense of anonymity. Quite the opposite is the case: on most ledgers, all of your transactions can be observed not only by a few companies but by everyone. Forever.

Anonymity is a state of being unidentifiable or untraceable within a given context. A particular blockchain can be such a context and it has a finite number of users. Every real context is finite and constrained, therefore, absolute anonymity is theoretically impossible. The best we can achieve is practical anonymity—where the effort required to identify someone outweighs the benefit.

On a public ledger, the best we can do is break up our traces of actions into pieces that are indistinguishable from the actions of a set of other individuals. In this article, we will explain how Incognitee can assist in breaking up these traces. It can do more than this, actually: what happens on Incognitee isn’t recorded on a public ledger. Its state is encrypted with a key no human has access to and all user actions are processed in an encrypted fashion as well. This is possible thanks to trusted execution environments.

The best a public ledger can do is provide k-anonymity: All actions are publicly observable, but you can plausibly deny that any particular action was taken by you. The best Incognitee can do is perfect unobservability: There is no need for you to deny anything because nothing relevant can be observed in the first place. In the following we’d like to show you how Incognitee can help you obtain k-anonymity on a ledger like Polkadot and soon Ethereum and others too.

Account Hygiene

Because of the limitations hinted above, we’ll be using the term “account hygiene” instead of anonymity to avoid overpromising what you can realistically do for your actions on a public L1.

Let’s assume Edward has previously invested in DOT and holds 100,000 DOT in his HODL account. He also plans to put 10 DOT on a new account with an on-chain identity set to his Matrix handle and email.

Edward wants to keep his 100,000 DOT holdings private due to concerns for his physical safety. Therefore, he cannot simply send 10 DOT from his HODL account to his new account, as this transaction would be publicly visible forever.

Before Incognitee, Edward’s only option was to fund his identity account via a centralized exchange withdrawal. However, this approach is problematic because it requires trusting the CEX with his KYC information and temporary custody of his funds. This information may be exposed by hackers in the future, along with a list of used withdrawal accounts.

Thanks to Incognitee, a better solution is now available for Polkadot without relying on trusted intermediaries.

Solution: Edward shields a bit more than 10 DOT from his HODL account to Incognitee and sometime later unshields 10 DOT back to L1 to his new account.

Why does this provide plausible deniability and how big is the anonymity set? Incognitee operates a vault account on L1 which receives all shielding inputs and sends out all unshielding outputs. Whoever observes L1 can see multiple inputs and multiple outputs, but cannot know which input corresponds to which output by solely analyzing the blockchain history.

As a first naive notion, let’s say the anonymity set equals the number of accounts with net inputs higher than 10 DOT at the time of Edward’s unshielding.

The real figure may differ in both directions, because of multiple factors we need to consider:

Factors reducing anonymity

Third-party risk: It could happen that multiple people out of Edward’s anonymity set – willingly or not – expose their inputs, effectively reducing Edward’s anonymity set a-posteriori.

Active forensic analysis (Sybil attack): One party may spam Incognitee with shielding activity from many Sybil accounts to make the anonymity set look bigger than it actually is and give Edward a false sense of anonymity.

Factors improving anonymity

Thanks to Incognitee’s unobservability, Edward may be able to plausibly deny being the originator of ANY of the vault account’s inputs: Incognitee allows private transfers on L2 which leave no traces on L1 at all. This means Edward may be able to unshield his 10 DOT although he never shielded anything at all: He may just have obtained the DOT from someone else who shielded these DOTs before.

But it gets even more complicated: transaction signatures are not the only way to know who controls an account. Behavioral analysis can do that too. Not as undeniably as plain signatures, but to the extent which may be hard to deny in practice. For Edward, this means he must take good care to not accidentally link the two through his behavior:

Do not transact with both accounts at the same times
Do not vote in OpenGov with both accounts on the same referenda with the same preference.
Do not query the balances of both accounts from the same browser nor IP at public RPC endpoints or block explorers

Using Incognitee for Everything

As you see: account hygiene is a tricky endeavor to the extent that it potentially kills the fun when exploring web3. This is why account hygiene is only a byproduct of Incognitee. The real innovation is that we add utility on L2: Incognitee already allows you to pay digitally directly on L2, to send messages, to share easy-to-use vouchers with your friends by QR code or a simple link.

Soon you will also be able to vote, stake, swap, and trade as well. So why would you want to leave traces on L1 at all?

Societal limits of anonymity

There is a wide consensus that privacy is an individual right, as ratified in regulations like GDPR (EU) and CCPA (CA, USA). There are significant differences as to what extent individuals’ data is protected by companies and governments. Every country makes its own tradeoff between individual freedom and collective security. But all reasonable societies agree on one point: There are limits to anonymity for the sake of the collective good. Anonymity should be limited in the case when one individual or a group illegitimately curtails the freedom and security of others. Most states go further than that: They complement ownership rights with the duty to report all assets owned for tax purposes.

At Integritee, our mission is to protect privacy by default. It is not our mission to assist illegal activities. The technology we use has a USP to fulfill both missions: Trusted execution environments make privacy rules programmable in detail. No backdoor, but selective disclosure to authorities, limited in rate and scope.

Privacy is a legitimate right! It’s nothing shady. It’s not about hiding things. Privacy is about being in control of the traces you leave behind in your life.

• • •

About Integritee

Integritee is the most scalable, privacy-enabling network with a Parachain on Kusama and Polkadot. Our SDK solution combines the security and trust of Polkadot, the scalability of second-layer Sidechains, and the confidentiality of Trusted Execution Environments (TEE), special-purpose hardware based on Intel Software Guard Extensions (SGX) technology inside which computations run securely, confidentially, and verifiably.