Evaluating Privacy in Web3 Projects
Not all Web3 projects prioritize privacy equally, and evaluating their privacy frameworks is crucial to understanding their potential risks and benefits. In this lesson, you’ll learn to critically assess Web3 projects by examining their privacy features, user data handling, and compliance with privacy principles.
Guide to Analyzing Privacy in Web3
This guide provides a comprehensive framework for assessing the privacy mechanisms of Web3 projects. You’ll discover criteria for evaluating data protection, decentralization, and transparency while identifying potential privacy gaps.
Privacy-services' scoring model for non-techies (playbook)
Imagine that you want to check whether a web3 service is private or not, but you can’t “trace the transaction” or “understand technical documentation”. Where would you start?
The Web3Privacy Now community proposes this simple & actionable playbook for non-techies. It helps to:
- check whether projects claiming privacy features are legit
- filter out high-risk services
- boost web3, privacy & security knowledge base.
The playbook is part of the future “IMDb/Metacritic for privacy” platform, which is why our story starts with a database & scoring.
Please review our scoring approach below. We tried to make it as simple as possible so that non-technical people can understand it with ease.
Part 1: Private or not private: that’s the question
These simple actions help non-techies run a quick test of whether the project is alive, open-source & open to third-party audit.
Github
GitHub is a website and cloud-based service that helps developers store and manage their code, as well as track and control changes to it.
Action plan
- Visit the official website.
- Find the link to its GitHub page
- Follow the link
- Check if it’s “alive”: when were the last updates?
How to score
- Availability
- Available (+),
- Missing (-)
- Activity:
- Active (+): there’s an activity within the last 6 months.
- Not active (-): the GitHub account has been silent for longer than that.
Not part of the score, but nice to check: the frequency of activity (general consistency): is the project updated biweekly, monthly, bimonthly, or only once in a while (once in 3 months, for example)?
Example
Here the protocol has a GitHub account, but only a landing page is published. Solution architecture, smart contracts, and the code base are missing. Note also the last update date.
https://github.com/Hurricane-Protocol
Docs
Comprehensive documentation ensures that people can effectively leverage the project's capabilities, troubleshoot issues, and find answers to their questions.
Documentation is the foundation for collaboration within the open-source community.
Action plan
- Go to the official website.
- Find the link to the documentation page
- Follow the link
- Analyse available information
How to score
- Availability:
- Available (+)
- Missing (-)
- Content (technical vs. marketing)
- Technical (+): written for technical specialists
- Marketing (-): uses marketing language, lacks tech specs, lots of token narrative
- Fullness (number of pages)
- More than 5 pages (+)
- Only 2-3 pages (-)
It’s hard for a non-technical person to judge documentation, but if it’s heavily token-centric (with a token that has no proper utility), that’s a “red flag”.
https://shadecash.gitbook.io/shadecash/token/token-and-distribution
The same applies to visual explainers that lack technical diagrams, infographics, and code base walkthroughs.
https://shadecash.gitbook.io/shadecash/get-started/how-to-withdraw-relayer
✅ Development-centric documentation: Webb
Third-party audit
Security audits performed by competent firms or individuals establish the level of a project’s security. Typically the findings cover critical bugs, centralisation risks, or simply badly written code.
A third-party security assessment usually reduces the risks of using the project. Audit firms stake their reputation on their findings: which vulnerabilities the project has, and which parts they consider secure.
Note: it’s not a silver bullet, because auditors make mistakes and a project may have audited only a small feature, but it’s essential hygiene for privacy services.
Action plan
- Go to the official website.
- Find the link to a third-party audit (if not on the website - check the official blog)
- Follow the link
- Check its date (and, if you can, the scope: which components were covered, and whether the reported issues were fixed)
How to score
- Availability
- Available (+): separate PDF file or landing; available to read/download.
- Missing (-): no audit available.
- Relevance
- Up to date (+): audited within the last 1 year.
- Outdated (-): last audit more than 1 year ago.
Many audits: check. Outdated audits: check. DeFiner Protocol’s audit dates (image below) tell you how much the audits say about the project’s security today. Literally: in 2020 it may have been secure (depending on the audit findings & whether the issues were fixed), while for 2023 there’s no data.
https://docs.definer.org/v/copy-of-definer.org/security/audits
✅ Up to date audit: Railgun_
Team
Reputation is a marker of trust. A public team clearly “stakes” its reputation against any possible privacy failure, while an anon team could be a trick to avoid responsibility for poorly executed privacy features.
Anonymous engineering may become a mass phenomenon in the future. For now, the difference between a team that is deliberately absent from the website with hidden GitHub contributors and a “cat-avatar hardcore developer with tons of public commits” should be clearly articulated.
Especially since anon or pseudo-anon reputation is possible: public research, essays, well-written documentation & so on.
Action plan
- Go to the official website.
- Find the link to a Team page
- Explore Team profiles on Twitter, in official Telegram or Discord
- Check if they are public & active
How to score
- Public (+): the team is public, with active social media &/or GitHub accounts (note: digital avatars are ok if people are actively contributing to the project & communicate actively on socials: see the dcbuilder example)
- Anon (-): weird names, missing or obscure avatars, no socials or GitHub links
Sometimes teams use “Guy Fawkes” or other pop-anon-culture avatars; then it’s hard to say who’s behind the project & why you should trust it.
✅ Public team @ LinkedIn: Elusiv
Product-readiness
Refers to the stage of product development, from prototype (early stage) to mainnet (live). It correlates directly with privacy maturity & the responsibility of the core team.
A live product is expected to be very stable, relatively bug-free and ready for use.
dApps & protocols have different product versions:
- dApps: pre-mature: MVP & beta; mature: alpha
- protocols: pre-mature: testnet; mature: mainnet
Action plan
- Open the project website and look for an explicit description of the product’s state
- If the website doesn’t say, use DuckDuckGo or Brave search: “project name + mainnet”. Analyse the search results & the evidence behind them.
- An additional source of truth: official Twitter or blog
How to score
Live (+): an explicit mainnet announcement for protocols, or a beta/alpha announcement for dApps, ideally with a statement of how mature the privacy features are (based on previous testing cycles).
Testnet or prototype (-): no explicit “mainnet” statement for protocols, or no statement of the latest product version for dApps; or explicit “testnet” or MVP/prototype product-readiness communication.
✅ Shade transparently describes mainnet deployment (note: of the specific product feature).
https://shadeprotocol.io/blog/shadeswap-live-on-mainnet
“Under construction” (the project isn’t live) is the biggest exclusion factor: it marks a service that can’t be considered private yet.
Good privacy ethics: the project highlights that it’s an early version & warns that using it could be risky.
Summary
This scoring model is a first version. Using these simple check-ups will improve your privacy experience, but remember that only a thorough assessment with attention to detail ensures you won’t be tricked by false privacy promises.
Part 2: Sunset
“Sunset” means the project has been shut down, for reasons such as financial challenges, the regulatory landscape or a weak business model. For our purposes it means the team can no longer back up the privacy features, so using the project is high-risk.
Sunsetting can be:
- conscious: when the project announces terminated operations in advance: Aztec Connect example
- hidden: when the website suddenly stops working, support is silent, socials are dead.
✅ XATA informed people that it would stop supporting its “swap” products & also provided a support line for additional questions.
How can you spot a “hidden” sunset?
- Check socials: when were the last updates?
- Check support (Discord, TG): is the core team active?
A lack of updates, news & team support usually indicates that the project is “on hold”, leaning towards sunset. A public hiatus of 3-6 months should be a “red flag” for anyone planning to use such a privacy-centric project.
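The playbook’s date-based checks (the GitHub “Activity” criterion and its out-of-score cadence check from Part 1, the audit “Relevance” criterion, and the 3-6 month hiatus heuristic above) can be made reproducible with a few lines of code. The example below is added here and is not part of the original playbook or of any project’s own code. The commit timestamps, audit dates and the fixed “today” value are constructed; in practice you would paste in the dates you read from the repository’s commit history, the audit PDF, and the latest social or support post.

```python
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed sample data (not real repositories): ISO-8601 UTC timestamps in
# the shape GitHub shows for commits. Assumption: you collected them by hand
# from the commit history page and pasted them here, so nothing is fetched.
ACTIVE_REPO = [
    "2024-01-05T12:00:00Z", "2024-01-19T12:00:00Z", "2024-02-02T12:00:00Z",
    "2024-02-16T12:00:00Z", "2024-03-01T12:00:00Z",
]
SILENT_REPO = ["2023-01-10T12:00:00Z", "2023-02-10T12:00:00Z"]

# Fixed "today" so the example is reproducible; use datetime.now(timezone.utc)
# for a real check.
TODAY = datetime(2024, 4, 1, tzinfo=timezone.utc)


def parse_iso(ts: str) -> datetime:
    """Parse a 'Z'-suffixed UTC timestamp into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def activity_score(commit_dates, today=TODAY, window_days=183):
    """Playbook 'Activity' criterion: '+' if any commit lands within ~6 months."""
    if not commit_dates:
        return "-"
    latest = max(parse_iso(d) for d in commit_dates)
    return "+" if today - latest <= timedelta(days=window_days) else "-"


def cadence(commit_dates):
    """Out-of-score consistency label from the median gap between commits."""
    stamps = sorted(parse_iso(d) for d in commit_dates)
    if len(stamps) < 2:
        return "insufficient data"
    gaps = [(later - earlier).days for earlier, later in zip(stamps, stamps[1:])]
    typical_gap = median(gaps)
    if typical_gap <= 14:
        return "biweekly or better"
    if typical_gap <= 31:
        return "monthly"
    if typical_gap <= 62:
        return "bimonthly"
    return "sporadic"


def audit_relevance(audit_date, today=TODAY, max_age_days=365):
    """Playbook 'Relevance' criterion: '+' if the audit is at most 1 year old."""
    age = today - parse_iso(audit_date)
    return "+" if age <= timedelta(days=max_age_days) else "-"


def hiatus_status(last_public_update, today=TODAY):
    """Part 2 'hidden sunset' heuristic, applied to the newest visible post,
    commit or support reply: under 3 months is normal, 3-6 months is the
    playbook's red flag, beyond 6 months leans towards sunset."""
    silent_days = (today - parse_iso(last_public_update)).days
    if silent_days < 90:
        return "active"
    if silent_days <= 180:
        return "red flag: 3-6 months silent"
    return "leaning towards sunset"


def score_card(checks):
    """Tally the +/- marks of the scored criteria into one summary string."""
    positives = sum(1 for mark in checks.values() if mark == "+")
    return f"{positives}/{len(checks)} criteria positive"


if __name__ == "__main__":
    # Constructed audit date for the active project; the silent project has none.
    scored = {
        "github_activity": activity_score(ACTIVE_REPO),
        "audit_relevance": audit_relevance("2023-06-01T00:00:00Z"),
    }
    print("active project:", scored, cadence(ACTIVE_REPO), score_card(scored))
    print("silent project:", activity_score(SILENT_REPO), hiatus_status(SILENT_REPO[-1]))
```

The cadence thresholds (14, 31 and 62 days) are an assumption that maps the playbook’s “biweekly / monthly / bimonthly / once in a while” wording onto the median gap between commits; a project with a handful of bursts and long silences will land in “sporadic” even if its most recent commit keeps the Activity mark at “+”, which is exactly the case the out-of-score check is meant to surface.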
Appendix
The playbook is based on the DeFi category test made by the Web3Privacy Now team.
The project is part of the “l2beat for privacy” platform: a description is available here.
Do you have additional questions? Reach us on Twitter: here.