Privacy as a Spectrum
Privacy is not a feature you add to Bitcoin after the fact. It is a prerequisite for fungibility: the property that makes one satoshi interchangeable with any other. Without privacy, transactions become targets for censorship, surveillance, and discrimination. The blockchain is permanent; any link you create between your identity and your UTXOs cannot be undone.
This article synthesizes four years of Round Rock Bitcoiners meetups into a single framework. We have returned to privacy repeatedly, not because the tools stayed the same, but because the problem keeps shifting. At Meetup #3 (August 2022) we opened with identity fraud and government surveillance. At Meetup #5 (October 2022) we narrowed the lens to the device in your pocket. At Meetup #10 (March 2023) we introduced Chaumian ecash as a way to transact without leaving a graph. At Meetup #38 (August 2025) we asked what happens when you remove the network entirely.
Taken together, our decks do not present privacy as a checklist. They present it as a spectrum: the more you separate your activity from your identity, the more trade-offs you accept in cost, convenience, and trust.
The Starting Point: "Selectively Reveal Your Data"
At Meetup #3 we framed the entire discussion with one line:
"Selectively Reveal Your Data. Control what parts of you that you want to reveal."
We did not promise perfect anonymity. We promised selective disclosure. The threats we listed were concrete and sourced: identity fraud cost Americans ~$56 billion in 2020; NSA xkeyscore remained active post-Snowden; Operation Chokepoint and the Canadian trucker freeze demonstrated financial censorship. Our prescription was layered: VPN/Tor for network hygiene, CoinJoin for transaction graph breaks, and UTXO management for post-transaction discipline.
At Meetup #5 we added the device layer. We quoted former NSA spy chief Michael Hayden directly:
"We kill people based on metadata."
The threats there were more intimate: Section 702 and PRISM at the government level, COVID-19 contact tracing built into iOS/Android at the OS level, carrier data-mining lawsuits against AT&T, and Google connectivity checks phoning home on idle devices. Our response was equally specific: GrapheneOS, CalyxOS, Mullvad VPN, burner SIMs, and encrypted messaging.
Neither deck claimed one tool fixes everything. Both treated privacy as a series of independent decisions about what to reveal and what to protect.
Layer 1: The Network You Run On
Before you touch bitcoin, your device is already leaking. At Meetup #5 our threat model started here:
| Leak | Source | Mitigation from deck |
|---|---|---|
| Location data | Carrier sales / AT&T lawsuits | Burner SIMs, Silent Link eSIM |
| OS telemetry | Google connectivity checks | GrapheneOS, CalyxOS |
| Traffic analysis | ISP / Wi-Fi provider | Mullvad VPN, Tor Browser |
| App surveillance | Permissions, location sharing | Review permissions, delete unused apps |
This is the baseline. If your phone is broadcasting your location to your carrier and your browsing to your ISP, everything you do on top of it (including bitcoin transactions) carries that metadata with it.
Layer 2: How You Acquired It
At Meetup #3 we treated acquisition as the first bitcoin-specific privacy decision. We listed five no-KYC methods with explicit trade-offs:
| Method | Effort | Cost | KYC Level |
|---|---|---|---|
| Peer-to-peer | Low | Spread | None |
| Azteco Vouchers | Low | ~5% markup | Minimal (voucher only) |
| Bitcoin ATMs | Low | 8-20% fees | Minimal (prepaid phone) |
| Bisq | Medium | Trade fee + miner fees | None |
| Home mining | High | Hardware + electricity | None |
Our point was not that one method is best. It was that how you get bitcoin determines what metadata is created at the boundary between fiat and sats. A KYC exchange ties your identity to a UTXO forever. A cash voucher or P2P trade does not.
Layer 3: Breaking the Graph
Once you hold bitcoin, the blockchain is permanent. At Meetup #3 we listed three CoinJoin implementations (Whirlpool, JoinMarket, and Wasabi) alongside Lightning privacy tools like Bolt 12, Payjoin, and BIP-47 PayNyms. We also emphasized UTXO hygiene: never reuse addresses, separate "clean" and "hot" wallets, and label UTXOs by source.
This is where most privacy discussions stop. We did not.
Layer 4: Transacting Without a Graph at All
At Meetup #10 (March 2023) we introduced Cashu as a way to move value without creating on-chain transactions in the first place. We quoted the Cashu project directly:
"Nobody needs to know who you are, how much funds you have, and with whom you transact."
Cashu uses David Chaum's 1982 blind signature scheme. A mint custodies the underlying sats and issues signed tokens. Internal transfers within the same mint are perfectly private. The mint sees nothing. Inter-mint swaps obscure origin further. Our practical exercise had attendees create a Nutstash wallet, add a mint, and receive tokens over Nostr.
This is a different privacy model entirely. CoinJoin breaks links in an existing graph. Cashu removes the graph from the transaction layer altogether, at the cost of trusting the mint with custody.
Layer 5: Removing the Network
At Meetup #38 (August 2025) we pushed the question further: what if there is no internet at all? Our problem statement was direct:
"Bitcoin wallets require network to broadcast transactions. Black-out scenarios make P2P value transfer impossible."
Our solution was mesh networking combined with Cashu. Bitchat (BLE), Meshtastic (LoRa), and Briar enable encrypted messaging without cell towers or ISPs. The workflow we presented is explicit: mint Cashu tokens while online, copy the Base64 token, transfer it via mesh while offline, and redeem when connectivity returns.
This is the far end of the spectrum. You are not just hiding from surveillance. You are operating outside the infrastructure that enables surveillance. The trade-offs are severe: limited bandwidth (242B-512B payloads), range constraints, power requirements, and the persistent need to trust a mint for redemption.
Why This Is a Spectrum, Not a Ladder
We do not say "start at Layer 1 and work up to Layer 5." We say different situations demand different positions on the spectrum:
- Everyday spending — Layer 2 (no-KYC acquisition) + Layer 3 (CoinJoin or Lightning) is sufficient
- Local circular economy — Layer 4 (Cashu) removes the need for on-chain fees and graph analysis entirely
- Blackout or censorship event — Layer 5 (mesh + Cashu) keeps value moving when the network is down
- Mobile device hygiene — Layer 1 is always relevant, regardless of what you do above it
The "selectively reveal" framing from Meetup #3 holds across all four meetups. Privacy is not about achieving perfect secrecy. It is about choosing what to reveal, to whom, and under what conditions.
What We Did Not Claim
It is worth noting what our decks do not say:
- We do not claim bitcoin is "untraceable" by default
- We do not claim CoinJoin provides perfect anonymity
- We do not claim Cashu mints are trustless
- We do not claim mesh networks replace the internet for general use
The tools we share all have explicit limitations. There is no single silver bullet for privacy.
Cross-Links
- Privacy Stacks — Layered privacy practices and tool comparisons
- No-KYC Acquisition Methods — Detailed methods for acquiring bitcoin without KYC
- Cashu — Chaumian ecash mechanics and trust model
- Mesh Networks — Offline mesh networking platforms and workflows
- Privacy Stacks — CoinJoin and No-KYC Acquisition — Head-to-head comparison of CoinJoin and acquisition tools
- Samourai Wallet, Wasabi Wallet, JoinMarket — CoinJoin implementations
- Bisq, Azteco — No-KYC acquisition tools