How Anonymous Credentials Redefine Digital Access

What if Privacy Were the Default?

Most digital services still require accounts, personal data, and behavioral tracking permissions, even for simple actions. It’s often assumed that convenience depends on identity. But that assumption is outdated.

Tools like anonymous credentials make it possible to build services where an identifying profile is not directly linked to access, creating systems where privacy can be the default, not the exception. This builds on our earlier exploration of how privacy-enhancing technologies intersect with legal disclosure obligations, and how they might challenge, reinforce, or even redefine them.  

The Shift Toward Privacy-Respecting Design

In recent years, a growing number of tools and protocols, such as Privacy Pass and zero-knowledge proof systems, have shown that it’s possible to give people access without completely revealing their identity to the entire system workflow, which prevents extensive surveillance of their activities within that system. These tools make it possible to say, “I am allowed to do this” while controlling how far personal information is used.

One example of this approach is anonymous credentials, a cryptographic technique that allows a person to prove certain rights by selectively asserting aspects of their identifying information for specific purposes, while preventing different uses of the credential from being linked to each other. Anonymous credentials exist for multi-use cases, but they can also be built for a single-show or single-use case, and are then called anonymous tokens. These are no longer outlier experiments, but have become the foundation of how we should build new services.

What sets this design philosophy apart is that it’s proactive. Instead of collecting data and then creating a patchwork of privacy features and policies after the fact (often only after exposure or misuse), privacy by design minimizes what’s collected in the first place.

The result is a system that’s not only easier to secure, but also more respectful of users. It avoids the false tradeoff between privacy and usability, proving that thoughtful cryptographic design can make services simpler and safer at the same time.

While working on PrivateStorage, our privacy-preserving, end-to-end encrypted file synchronization service, we needed a way to accept payment without utilizing user accounts, while still maintaining separation, limiting data, and avoiding behavioral tracking. To achieve this, we created Zero-Knowledge Access Passes (ZKAPs).

What Are Zero Knowledge Access Passes (ZKAPs)?

ZKAPs are anonymous tokens that can be redeemed to access a service without revealing who the user is or what they’re doing. This type of anonymous credential allows service providers to verify that a user has paid or is otherwise eligible for access without linking that proof to the user’s identity or behavior.

We use a variation of the Privacy Pass protocol, adapted to check for proof-of-payment instead of proof-of-humanness (as is typical with CAPTCHAs) and to work with our particular service. In our system, ZKAPs are issued upon payment, then redeemed later to access the service. These two actions remain cryptographically separated.

Why Anonymous Credentials Matter for Customers

For customers, anonymous credentials like ZKAPs offer strong privacy protections through cryptographic separation of data. A service provider may still know who paid, but it no longer knows how each individual uses the service. This separation helps prevent behavioral surveillance and protects users engaging in privacy-sensitive activities, such as reading the news, seeking medical advice, or backing up personal files.

Because they are redeemed anonymously, individual user actions are not linked to identity or to each other. There is no persistent account, no tracking across sessions, and no cumulative profile.

Why Anonymous Credentials Matter for Providers

Anonymous credentials enable an online exchange of value while disconnecting payment and service data. This separation can be crucial in use cases where linking those data points introduces unnecessary legal, regulatory, or security risks.

While collecting personal data may be valuable to some businesses (“data is the new oil”), it can just as easily become a liability to others (“data is toxic waste”). With anonymous credentials, service providers can retain useful aggregate insights without building individual user profiles, and without worrying that logs or usage analytics may contain personal information.

We’ve written more extensively about the design and goals of ZKAPs, a type of anonymous credential, in our whitepaper. It covers the underlying cryptographic mechanisms, privacy considerations, and implementation details for those interested in the full technical picture.

Where Privacy-Enhancing Access Systems Are Already Working

Real-world deployments show how anonymous credentials and private access tokens are reshaping digital interactions, balancing privacy with usability.

Earlier in this blog, we touched on Privacy Pass in connection with PrivateStorage. That same underlying approach is now being applied at scale by Apple through Private Access Tokens to reduce tracking while maintaining service integrity. When a client interacts with an app or website on iOS or macOS, their device can prove legitimacy without revealing identity or linking activity across sites. This gives services the assurance they need while protecting individuals from pervasive tracking, embedding privacy by default into everyday interactions.

In PrivateStorage, ZKAPs function as anonymous, cryptographically secure tokens that prove a customer has paid for storage, without linking payment to service usage. When an individual pays (for example, with a credit card), they receive a voucher within the application. This voucher is redeemed for a batch of ZKAPs. Through cryptographic blinding, PrivateStorage cannot associate a voucher (and thus payment) with the individual tokens issued, and cannot link token use to identity. This is all completed within the application on the customer’s device, where they retain control, and is implemented in a user-friendly manner.

This architecture demonstrates that privacy and functionality don’t need to be at odds. ZKAPs enable a model of accountable, paid access, without compromising user anonymity.
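The voucher-to-token flow described above, sketched as an added example; it is not PrivateStorage's code or the ZKAPs implementation. It assumes a multiplicative group modulo the RFC 2409 Oakley Group 1 prime as a stand-in for the elliptic-curve group that Privacy Pass uses, omits the issuer's proof that it signed with a consistent key, and the names `Issuer`, `Client`, `hash_to_group` and the voucher string are hypothetical.

```python
import hashlib
import secrets

# Stand-in group (assumption): RFC 2409 Oakley Group 1 safe prime, P = 2Q + 1.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2

def hash_to_group(token: bytes) -> int:
    """Map a token to the order-Q subgroup by squaring its digest mod P."""
    return pow(int.from_bytes(hashlib.sha512(token).digest(), "big") % P, 2, P)

class Issuer:
    def __init__(self, paid_vouchers):
        self.k = secrets.randbelow(Q - 1) + 1   # secret signing exponent
        self.unspent_vouchers = set(paid_vouchers)
        self.issuance_view = set()              # every value seen next to a voucher
        self.spent_tokens = set()
    def issue(self, voucher, blinded):
        if voucher not in self.unspent_vouchers:
            raise PermissionError("unknown or already redeemed voucher")
        self.unspent_vouchers.remove(voucher)
        signed = [pow(b, self.k, P) for b in blinded]
        self.issuance_view.update(blinded, signed)
        return signed
    def redeem(self, token, sig):
        # Simplification: the signature is sent directly, not used as a MAC key.
        if token in self.spent_tokens or pow(hash_to_group(token), self.k, P) != sig:
            return False
        self.spent_tokens.add(token)
        return True

class Client:
    def blind(self, count):
        # Each pass is a random token plus a random blinding exponent r.
        self.pending = [(secrets.token_bytes(32), secrets.randbelow(Q - 1) + 1)
                        for _ in range(count)]
        return [pow(hash_to_group(t), r, P) for t, r in self.pending]
    def unblind(self, signed):
        # Raising to r^-1 mod Q strips the blinding factor: (H^(r*k))^(1/r) = H^k.
        return [(t, pow(s, pow(r, -1, Q), P)) for (t, r), s in zip(self.pending, signed)]

def demo():
    issuer, client = Issuer({"VOUCHER-CONSTRUCTED-1"}), Client()
    passes = client.unblind(issuer.issue("VOUCHER-CONSTRUCTED-1", client.blind(3)))
    redemption_view = {v for t, s in passes for v in (hash_to_group(t), s)}
    return {"redeemed": [issuer.redeem(t, s) for t, s in passes],
            "replay": issuer.redeem(*passes[0]),
            "linkable": bool(issuer.issuance_view & redemption_view)}
```

`demo()` redeems all three passes, rejects a replayed one, and reports that none of the values the issuer recorded beside the voucher reappear at redemption.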

What Else is Possible?

Anonymous credentials like ZKAPs are flexible because they provide a general-purpose mechanism for private, verifiable access. They can be used wherever a service needs to verify that someone is entitled to take an action without knowing any information beyond what is necessary to provide the service at each point in the workflow.

We feel that these solutions can extend privacy protections to other domains. There is potential for a broader set of use cases of anonymous credentials, such as:

  • Public transportation: provide proof of fare without allowing the tracking of individuals’ movements 
  • VPN services: allow access to the service while preventing the creation of logging data that can identify individual users
  • Content delivery networks (CDNs): deliver content to users without tracking 
  • Messaging platforms: create anonymous message credit systems to further limit the metadata gathered by service providers
  • Voting platforms: enable anonymous voting while still ensuring that all votes are from verified sources

Expanding on our work with anonymous credentials, we are collaborating with another company to develop a system in which payment, authentication and login, and use of the service are separated to provide privacy. To prevent the connection of these data points, a cryptographic solution is needed to enable secure, privacy-preserving associations between different identifiers. We hope to be able to share the details of this project in a future blog.

More Than Security Auditing

Our work is grounded in privacy-first principles, which are the foundation for every product and service. Beyond providing security audits, our team helps you integrate privacy into your systems from the start. Get in touch to learn how we can support the design, implementation, and evaluation of ZKAPs or similar systems, strengthening customer trust as well as long-term security.
