The Return of the Cypherpunk
--
On surveillance, privacy tools, and why the demand curve only goes one direction.
In 1993, Eric Hughes wrote a short manifesto. He was one of three people who had started a mailing list the year before, and he wanted to put the group’s thesis in plain language.
“Privacy is necessary for an open society in the electronic age,” he wrote. “We cannot expect governments, corporations, or other large, faceless organizations to grant us privacy out of their beneficence. We must defend our own privacy if we expect to have any.”
That document is 33 years old. It has aged better than most things written in that era, and not in the way the cypherpunks expected. They thought privacy technology would proliferate alongside surveillance. What actually happened is that surveillance expanded for twenty-five years mostly uncontested, and privacy tools remained niche, difficult to use, and associated in the popular imagination with criminals and paranoia.
I spent time tracking this gap professionally. My conclusion was the following: increasing surveillance does not eliminate demand for privacy. It increases its value. The question was always timing and usability, not direction.
What Surveillance Actually Looks Like
The PATRIOT Act passed in October 2001. Section 215 was secretly interpreted to authorize bulk collection of phone metadata on hundreds of millions of Americans. That program ran from May 2006 until November 2015, when the USA Freedom Act ended it. The Privacy and Civil Liberties Oversight Board reviewed the program and found little evidence it had produced material counterterrorism results. Between 2015 and 2019, the successor program cost $10 million and produced one significant lead.
In June 2013, Edward Snowden released the first of his NSA documents. The initial disclosure showed a FISC order directing Verizon to hand over metadata on all of its 120 million subscribers daily. The next day came PRISM, showing the NSA collected data from Microsoft, Google, Yahoo, Facebook, Apple, and others. In the thirty days ending March 2013, the NSA had collected 97 billion pieces of intelligence globally, with around 3 billion from U.S. networks. MUSCULAR tapped Google and Yahoo’s internal data-center links directly.
FISA Section 702 was reauthorized in April 2024, and the reauthorization expanded the program rather than constrained it. FBI warrantless queries on U.S. persons using Section 702 data ran at roughly 3.4 million in 2021. Documented abuses include queries targeting 19,000 donors to a congressional campaign and searches on journalists and protest participants. A 2024 internal audit found roughly a 4% noncompliance rate, which at scale represents tens of thousands of improper queries.
This is the legal architecture. The corporate one runs alongside it.
The Identity Theft Resource Center has tracked 25,200 data compromises since 2005, with roughly 79 billion records exposed. 2025 was the worst year on record: 3,322 breaches, and 80% of American consumers received a breach notification in the prior twelve months. The National Public Data breach in 2024 put approximately 2.9 billion records and 272 million unique Social Security numbers on the dark web. Change Healthcare, breached in February 2024, exposed the medical data of 192.7 million individuals. The average U.S. data breach now costs $10.22 million and takes 241 days to identify and contain.
Google earned $265 billion from advertising in 2024. Meta earned $164 billion, roughly 99% of it from ads. The data broker industry is estimated at $257 to $390 billion annually. These numbers represent the monetization of personal data at scale. Shoshana Zuboff, who spent years mapping this system, described it plainly: surveillance capitalism claims human experience as raw material for behavioral prediction. The product is your future behavior, sold in advance.
Where the Cypherpunk Thesis Came From
The cypherpunks were a mailing list, not a movement in any organized sense. Hughes, Timothy May, and John Gilmore started meeting in 1992 at Gilmore’s company in the Bay Area. The list grew to hundreds of subscribers. The contributors included Phil Zimmermann, who had released PGP in 1991 and spent three years under federal criminal investigation for it. The U.S. government classified encryption as a munition. Zimmermann faced potential prison time for releasing a privacy tool. The charges were dropped in January 1996.
May had written the Crypto Anarchist Manifesto in 1988. Hughes wrote his manifesto in 1993. The list also published work from Adam Back, who developed the proof-of-work concept that Bitcoin’s whitepaper cited directly. Wei Dai’s b-money proposal, Nick Szabo’s Bit Gold, and Hal Finney’s work on reusable proof-of-work were all products of this community or closely adjacent to it.
On October 31, 2008, Satoshi posted the Bitcoin whitepaper to the metzdowd cryptography mailing list, a direct descendant of the cypherpunk list. In a later email, Satoshi acknowledged that Bitcoin was an implementation of Wei Dai’s b-money and Nick Szabo’s Bit Gold proposals. The lineage is unambiguous. Privacy and financial sovereignty were the founding impulse.
The Adoption Gap
The privacy tools existed. The demand case was obvious. So why did adoption stay niche for so long?
The honest answer is usability. A 1999 study called “Why Johnny Can’t Encrypt” tested PGP 5.0 with ordinary users. Only about a third could successfully sign and encrypt a message in 90 minutes. A quarter accidentally sent plaintext. Follow-up studies in 2006 and 2015 found the usability problem largely unchanged. The tools required technical knowledge that most people did not have, and the onboarding cost was high enough that convenience consistently won.
The crypto wallet problem is structurally identical. Studies consistently show only around 13% of new wallet users return after the first week. Coinbase has 120 million verified users but only 6 to 8% transact monthly. MetaMask launched social login in August 2025, using Google and Apple accounts to eliminate seed phrases. That product decision was an acknowledgment that the 1993 usability problem is still unsolved in 2025.
But something has shifted. When usability improves enough to reach ordinary people during moments of heightened concern, adoption spikes are explosive.
Signal had around 20 million users in December 2020. On January 7, 2021, Elon Musk tweeted “Use Signal.” WhatsApp announced a privacy policy change the same week. Signal added 40 million new users in a single day and ended January 2021 with roughly 50 million installs, up over 5,000% year over year. It now has around 70 million monthly active users.
After Russia’s invasion of Ukraine in February 2022, Russian VPN demand grew over 1,900% in a single week. Daily downloads went from 15,000 to 475,000. After Iran’s Mahsa Amini protests the same year, VPN demand in Iran grew over 3,000%. The global VPN market is now approximately $89 billion, projected to reach $137 billion by 2030. Brave Browser crossed 100 million monthly active users in September 2025.
Privacy coin adoption has followed the same pattern, though more slowly and with more friction from regulators. Zcash’s shielded pool grew from under 5% of supply in 2017 to roughly 29% by November 2025. Monero processes around 23,000 transactions per day. The IRS offered $625,000 to crack Monero tracing in 2020, which tells you something about the threat model.
Tornado Cash is the clearest illustration of what happens when the two threads, financial privacy and government response, collide. Sanctions in August 2022 caused an 85% volume drop. But in November 2024, the Fifth Circuit ruled that OFAC had exceeded its authority by sanctioning immutable smart contracts. The court held that code is not property and cannot be an SDN target. In March 2025, Treasury formally delisted Tornado Cash. Alexey Pertsev, one of its developers, had already been convicted and sentenced to 64 months in the Netherlands in May 2024. The legal and technical picture is still messy, but the Fifth Circuit ruling is significant. It echoes the Bernstein case in 1995, which established that source code is protected speech.
What I Think Is True
The reception to my original privacy research at the time was tempered agreement rather than full buy-in. The main pushback was reasonable: users prioritize convenience over privacy, and that slows adoption.
I still believe that. But I think the dynamic is changing in a few ways.
First, the surveillance evidence is now overwhelming and widely understood. Pew Research found in 2023 that 71% of Americans are concerned about government data use, up from 64% in 2019. Even Republican concern has jumped, from 63% to 77%. The Snowden disclosures, repeated mega-breaches, Clearview AI, license plate surveillance networks scanning 20 billion vehicles per month, geofence warrants. The accumulation of evidence makes the demand case stronger each year.
Second, the usability gap is closing. Signal is now a mainstream app. Brave is a mainstream browser. Self-hosted crypto wallets with social login are mainstream products. The tools are not perfect, but they are no longer exclusively for people who know what PGP stands for.
Third, surveillance is beginning to produce its own backlash in adjacent areas. FISA Section 702, previously a reliable bipartisan reauthorization, produced the most visible congressional opposition in its history in 2024. The Tornado Cash reversal is a legal precedent. The Pertsev conviction is a legal precedent in the other direction. These are active fights, not settled questions.
My original framing was that increasing surveillance would not eliminate demand for privacy, but would increase its value and drive adoption over time. I would adjust one thing in how I said it: the timeline was always going to be longer than anyone expected, because usability is the binding constraint, not awareness.
But the thesis has not broken. If anything, the compounding evidence of the past few years has made it stronger. Hughes was right in 1993. The question was never whether people would eventually want to defend their own privacy. The question was when the tools would get good enough to let them.
That window is opening.
