Privacy Is a Gradient: An Interview With Zcash’s Josh Swihart
Crypto Briefing sat down with Josh Swihart to discuss Zcash, financial privacy, national security, CBDCs, crypto regulation in the United States, and more.
- Crypto Briefing sat down with Electric Coin Company executive Josh Swihart to discuss Zcash, on-chain privacy, CBDCs, and more.
- Swihart believes Zcash can outperform the rest of the crypto market once participants realize that individual privacy isn’t just a nice-to-have, but an essential component of commerce and national security.
- He argues that privacy is a gradient and there are steps people can take to improve their online privacy.
Share this article
Josh Swihart is senior vice president of growth, product strategy, and regulatory affairs at Electric Coin Company, the organization behind privacy coin Zcash. Previously, Swihart worked for a host of different software companies, including Aspenware and Dell EMC (formerly EMC Corporation). In fact, he’s been involved in software development in global marketing in one form or another since 1996—meaning he has much more experience than your average crypto user. Crypto Briefing had the opportunity to interview Swihart on his thoughts on the crypto landscape. During the conversation, he spoke at length about Zcash adoption, Tornado Cash, U.S. crypto regulations, CBDCs, and the role individual privacy plays in fostering national security.
Crypto Briefing: Electric Coin Company recently published a roadmap indicating it wanted Zcash to become a top 10 cryptocurrency within the next three years, which would require a huge surge in adoption. What makes you think this is likely?
Josh Swihart: There’s going to be some incremental adoption as more people become aware [of Zcash] and the technology becomes more usable. We have to keep in mind that using shielded Zcash was difficult until recently because the underlying cryptography is so expensive. It’s expensive to create a proof. But now you have more exchanges adding native shielding support and some hardware wallet providers are adding native shielding support.
But my guess is that a lot of users will come at once. Within the Internet world, back in the 90s, there wasn’t an expectation of too much privacy. Data transferred over the Web was in clear text, essentially, and everybody could see that traffic. And there was a recognition that to have commerce on the Web, we needed to have encryption. So if I’m buying something from Amazon, sure, Amazon can see what I’m buying, but all of the hackers and snoops out on the Internet can’t see that transaction because it’s encrypted. They can’t steal the credit card.
The problem with public blockchains today is that all of that transactional data is on a public chain for everybody to see for all time. It’s immutable. It can’t be changed. Your history is there. And we’ll have “moments,” I think. In the traditional Web, there was the Firesheep moment, where everybody opened their eyes to the need for privacy and encryption. I think the same thing will happen with blockchains. And I think it will be unnerving for most of the world to know that your full transaction history is out there and that this transaction history is aggregated with the rest of your social data.
It’s not safe. Businesses can’t use [blockchains] effectively that way. If I’m a business accepting cryptocurrency natively, not through a third-party intermediary, I can’t afford to let my competitors see all of that information. Not only the information about my business—what’s coming in and out—but information about my customers who may be transacting with me online or using cryptocurrency. So I expect there to be a tipping point where there’ll be a flood of demand.
CB: Right. The way I see it, in the early days, people were more protected as there were fewer tools available to read what was happening on-chain. But that has changed.
JS: Yeah. You had block explorers, but there wasn’t a lot of tagged data. So now you have all kinds of crypto surveillance companies, Chainalysis and others, that are not only tracking transactions in order to look at flows, but they tag addresses. So there are very rich datasets of people and activities. And people are willing to do it—naming your Ethereum address allows other people to go in and see that full transaction history. Some people say they don’t care, but I think that will change.
CB: In this scenario where Zcash outperforms the rest of the market, which projects do you think it would siphon market share from? Or would Zcash onboard a completely new set of users to crypto?
JS: I don’t think the Zcash adopters are necessarily here yet. Or maybe they’re here, but they’re just crypto-curious: they buy something on Coinbase, and they let it sit there, and they don’t transact because there are not a lot of great tools out there to transact with—at least not with other vendors. It’s an exhilarating thought. We don’t see it as a zero-sum game where Zcash has to take market share from other coins for broad adoption to happen. It’s a path of growth. We intend to ensure that Zcash is available to billions of people around the world. I think crypto largely hasn’t found a product market fit outside of speculative channels, but as that changes… well, that’s what we’re focused on.
CB: The U.S. Treasury Department’s OFAC decided a few months ago to ban Tornado Cash. Is there a fear that Zcash and other privacy protocols might be next?
JS: I don’t know that there’s fear. There’s healthy concern about the direction in which regulatory conversations have been going. I think what OFAC did was a massive overreach. There are court cases fighting it. I think that’s going to prompt an interesting conversation about whether or not we, in the United States, still believe that code is speech or should be considered speech.
[Electric Coin Company] is a team of software developers. So we’re doing the same thing. We’re building code and making it available to the world. That’s protected under U.S. law. I don’t have a fear that suddenly regulators will try to ban [our] code. But I have concerns that regulators are looking for ways to easily identify various actors and the implications of that.
We’ve seen a few things. We’ve kind of been through these “Crypto Wars” already. Some people talk about this being the “Crypto Wars 2.0,” but I think it’s the same. It’s a lot of the same actors. We’ve had this conversation before where the government wanted to ban cryptography because it was regarded as ammunition. A fight ensued, which led to the legal codification that code is speech. But during that process, there were all kinds of schemes introduced that would allow various agencies to have access to people’s private information, including key escrow and other things. Key escrow is the idea that you have a key stored with a third party, and if there’s a subpoena, the regulator can go after that.
There are similar kinds of conversations happening now. I think there’s broad recognition within the regulatory community that privacy is a right, that it’s necessary for people’s security, and that it’s necessary for the security of businesses in their jurisdiction. Ultimately, it’s even necessary for national security. Because if you have all of your citizens’ and businesses’ transaction history out on a public chain, yes, you can see them as a regulator. But so can a foreign government that may wish you harm, or hackers.
Privacy is necessary, but we’re having the same kinds of conversations as before—questions about things like key escrow, or backdoors, or different mechanisms to allow regulatory agencies to have access, which creates all sorts of other problems. Key escrows simply act as a honeypot. We haven’t been good at protecting any of our data, even at the highest levels of government. What would it mean for all of those keys to be “safely held” and then compromised at some point? It would be a disaster.
So, back to your question, there isn’t a fear that Zcash might be next or that a regulator will come after Electric Coin Company. It’s certainly possible. I don’t think it’s probable. But the action they took is certainly concerning.
CB: Do you think Coin Center’s lawsuit will bring about significant change in terms of regulation and privacy rights?
JS: I think they’re going to bring significant change. It’s a bit like a dance. You have a regulator that overstepped, in my opinion, their authority by sanctioning code that was used by tens of thousands of people for legitimate reasons, not nefarious ones. I think [Coin Center Director of Research] Peter Van Valkenburgh said something like, it’s the equivalent of sanctioning email or some other tool on the Internet like file storage because somebody is doing bad things. It will be interesting to see if they’re able to make substantive change. If Coin Center fails, that sets a pretty scary precedent for everybody in the U.S.—and the U.S. has a pretty long arm. If the lawsuit fails, I suspect there’ll be even more industry backlash and a putting-together of different mechanisms to take before the court. But I don’t think they’re going to fail. The law is clear.
“You can’t go back and add privacy to a Layer 1.”
CB: Considering the U.S. government’s current stance on financial privacy, what would you say to people who believe crypto developers should move outside of U.S. jurisdiction to build applications?
JS: Well, there are all kinds of issues currently within the U.S. that go beyond privacy. Obviously, privacy is a concern. But the Securities and Exchange Commission is also a concern. There’s no regulatory clarity on what’s deemed a security—though it appears the SEC thinks everything except Bitcoin is a security.
So there have been a lot of calls from Congress for the SEC to provide clarity. But even if the SEC does provide clarity, that doesn’t mean it will allow for new development and new ideas to flourish. There was an idea at one point—I think even within the SEC, under Valerie Szczepanik—of launching something that was like a sandbox so that there was a period in which you could experiment, you could try ideas, you were in a good faith engagement with the SEC. That idea evaporated when the current administration took over.
To the extent that people will keep wanting to launch projects, and they won’t be sure if it’s going to be viewed well by the SEC, my guess is that they probably will incorporate somewhere else. And I’m aware of projects that chose that route: they’re now building in places where they don’t feel there’s as much regulatory risk.
I don’t see building privacy-based solutions as risky [from a regulatory perspective] right now. If you want to operate as a money services broker, then you need to be licensed [and] you need to go through proper channels, but if you’re building privacy-preserving technology, there will be some scrutiny. If it takes off and there’s any kind of adoption, there will be conversations at the highest levels of government. We’re knee deep in some of those. But there’s nothing that prohibits their development right now here in the United States. God forbid that ever happened.
CB: You speak of conversations at high levels of government. Can you share anything more about that? What’s one of the most interesting ongoing discussions that you know of?
JS: We’ve had various meetings, and I can’t get into the details, but we had meetings with the White House and the Office of the National Cyber Director. The latter is very interested in cryptocurrencies. We had meetings with FinCEN and conversations with the Department of Justice—agencies like that, which have a high degree of interest in better understanding how the technology works, the intent behind it, the use cases, and whether or not there are opportunities for them to access data that are made available on the blockchain.
CB: In the future, do you believe all major protocols and smart contract platforms will have privacy features implemented? Or will there still be a division between privacy-preserving protocols and transparent ones?
JS: Well, the cat’s out of the bag a little bit. I mean, you can’t go back and add privacy to a Layer 1 [blockchain], and I don’t see the Layer 1s that are out there right now going away. Now, whether or not they’re just used for settlement, and some privacy is added up the stack… That may happen. There are arguments about how private that really is. It depends on the implementation and the threat model. There are all kinds of privacy-preserving tools that keep your mom from seeing what you’re doing online—because it’s too hard—but probably not a nation-state. So there’ll be different levels of privacy within different kinds of solutions. But if your threat model is really high, if you’re really concerned about another nation seeing information, or you’re very concerned about corporate espionage or something like that, then you’re going to want privacy all the way down to the base layer.
CB: People are working on implementing identity features on the blockchain in the form of Soulbound Tokens. Some Verified Credentials advocates, on the other hand, claim you should never put personal data on an immutable ledger for privacy reasons. Do you have a special take on this debate?
JS: It’s really interesting. So there are all these potential solutions where you still have to give up your PII [Personal Identifiable Information] to a third party, and you’re hoping they will keep it safe. You could do that and maybe be issued a token that’s a zero-knowledge proof that, for example, you aren’t on a Specially Designated Nationals And Blocked Persons list, or a convicted felon, or something like that, and use that proof across different applications. That seems more interesting—and better—than replicating PII across all these different applications with Know Your Customer restrictions at each step. There’s some really interesting stuff coming out around zero-knowledge. But theoretically, if somebody’s doing KYC in a regulated jurisdiction, they can be subpoenaed for that information. So users have to be aware of this.
There also may be other identity solutions like Proof of Humanity, which creates social proofs of somebody’s identity even if that person doesn’t have a legal identity in any particular jurisdiction for whatever reason. There are billions of people around the world in that situation, so allowing them to participate [in society] again, being able to prove their identity without having to trust a third party with PII… That’s kind of the Holy Grail in terms of privacy.
“Store your crypto in something that’s natively private.”
CB: There’s a lot of fear in the crypto space and among privacy advocates about central bank digital currencies and the possibility for governments to control the way people spend their money. Do you think the fears are warranted?
JS: Absolutely, 100%, there is concern. But there is conversation around different types of CBDCs. I spoke with a senator, two [or] three months ago, and they said that there’s no appetite for a retail CBDC within the U.S. right now. There may be an appetite for a settlement CBDC—still a digital currency. I know that MIT’s Digital Currency Initiative has been working with the Boston Fed on potential designs, and those designs might allow for transactions of a certain amount to not require identity, similar to using cash. Under the Bank Secrecy Act of 1970, financial institutions and businesses have an obligation to file Suspicious Activity Reports with FinCEN over certain transaction thresholds. So if you withdraw more than $10,000 from the bank, a report gets filed with FinCEN. That, in my opinion, is warrantless surveillance in violation of the Fourth Amendment.
So people are looking at whether there are ways to do that on a retail CBDC within the U.S., and similar conversations are also happening in the EU and other places. I think it’s a terrible idea, personally. With Zcash, the intent is not to supplant any currency, or even supplant a CBDC. Zcash is to give people the option to use something that’s not state-controlled or state-surveilled. And so to the extent that we can provide this option as an alternative, and that this option is protected and supported, I think ultimately it will be useful and more attractive to people.
But, yeah, this idea of programmable money… I mean, regulators have said that everybody was unhappy because we went through COVID-19 and people got their stimulus checks, and they sat on them. And the government was like, “Well, that’s not what we intended. We were trying to lubricate the market.” So what if the government says you have to spend that amount on something that it deems OK within a certain amount of time, or you lose the money? That’s just the government playing puppet master. None of us want to live in that regime.
CB: I was in the U.K. when the pandemic started and I put all of the furlough money I received straight into Bitcoin. Can’t imagine that happening with a CBDC.
JS: It’s very Orwellian. Most of us outside of the government agree that it’s very Orwellian and spooky, and none of us want that. It’s a responsibility for us as citizens and countries to stand up for what we want and believe in and not sit back and be passive during the development of these tools.
CB: Final question. Do you have any specific tips for readers who would like to improve their online privacy?
JS: That’s a great question. We produce content all the time our website. It’s mostly Zcash-focused. Pardon me for not directly answering your question. But there’s a problem because privacy isn’t binary. It’s a gradient. Look: this conversation that we’re having, you and I, right now, is it private or not private?
CB: Not private. Nothing that happens on a computer is private. I just assume I’m being spied on by 16 different governments.
JS: You may be spied on. But even if we were to meet in person, whatever is going on in that room, there is counterparty risk. You can see me, I can see you, you can see what’s in my office… There are all kinds of data leakages. If we went to a coffee shop for this conversation, whoever is sitting next to us, or maybe whatever surveillance camera is mounted up on the wall—all of that is privacy loss.
So it’s just a question of what you’re trying to protect yourself and how you’re thinking about it. Zooko [Wilcox-O’Hearn] had a great presentation in which he argued that privacy doesn’t happen at the transaction level; it happens where you store your wealth. If we’re transacting, there’s all this data leakage, as I mentioned. But I have my Zcash wallet on my mobile phone here, and it’s shielded, so if I send you 1 ZEC, you can’t see my balance, and you can’t see my transaction history. If we’re transacting shielded-to-shielded, then nobody can see it happen except for you and me, and you can’t even necessarily see where the money comes from.
Now, could somebody theoretically track IP addresses or do something else to get an indication that something happened? Yes. But the safest way, in terms of cryptocurrencies, is to store your assets in something that’s natively private. Then you can engage or spend in the most private way from that source. There is a problem with Tornado Cash and other mixers. People have done this with Zcash as well. They say, “OK, I’m going to try to hide my tracks. I’m going to take 1.23 ZEC, store it as shielded, and then tomorrow I’m going to spend 1.23 ZEC on something, and nobody will be able to trace it.” Well, they can just do a heuristic analysis. 1.23 ZEC came in, that’s a pretty specific amount, and 1.23 ZEC came out—maybe that’s the same person. It’s probabilistic. It’s probably that person. And that’s how a lot of surveillance works. So when you’re thinking about your transactions, don’t just move things through a mixer in that way. Be cognizant that every action that you take is a tapestry of things that get put together in order to make a probabilistic determination about your identity.
Disclaimer: At the time of writing, the author of this piece owned BTC, ETH, and several other crypto assets.