Privacy as Infrastructure

Privacy cannot be bolted on after the fact. It must exist as an architectural property before computation begins—built into the structure of systems rather than implemented through policy declarations.

Policy Privacy vs. Structural Privacy

Policy Privacy

Data is collected, then access is controlled through policy. Privacy depends on enforcement, compliance, and trust in operators.

• Vulnerable to policy changes
• Requires trust in implementation
• Data exists and can be compelled
• Breaches are possible

Structural Privacy

Data is never collected, or is collected in a form that cannot be correlated. Privacy is a property of the architecture, not a promise.

• Survives policy changes
• Minimizes trust requirements
• Absent data cannot be compelled
• Breaches expose less

Architectural Patterns

Data Minimization

Collect only what is operationally necessary. Retention defaults to zero. Every piece of collected data requires justification.

Anonymization at Ingress

Remove identifying information before processing, not after. Data that enters the system should already be unlinkable.

Local Computation

Process data where it originates rather than centralizing it. Computation moves to data, not data to computation.

Cryptographic Boundaries

Use encryption to enforce access boundaries. Operators cannot access what they cannot decrypt.

The Limits of Privacy Technology

Privacy-enhancing technologies can reduce observability but do not eliminate it:

• Metadata often leaks when content is protected
• Traffic analysis can reveal patterns even through encryption
• Side channels exist at every layer
• User behavior can undermine technical protections

Structural privacy raises the cost of surveillance. It does not make surveillance impossible.

OnionHat's Approach

OnionHat treats privacy as a design constraint applied at every architectural decision:

• What data is necessary?
• How long must it exist?
• Who can access it and why?
• What survives if we are compromised?

Privacy is not a feature. It is the absence of systems that would violate it.