Why Cryptography Is Necessary but Is No Longer Sufficient
© Barnaby Harris, June 2026
The cypherpunk milieu of the early 1990s. (Image created by GPT5)
Hughes’ Visionary Contribution
In March 1993, Eric Hughes published a short text that would quietly shape the next three decades of digital infrastructure. “A Cypherpunk’s Manifesto” ran to barely a thousand words. It had no footnotes, no diagrams, no implementation plan. At its core is a foundational distinction. Privacy is not secrecy. Privacy is the power to selectively reveal oneself to the world.
Whereas secrecy is binary - hidden or exposed - selective disclosure requires systems that let individuals choose what to reveal, to whom, under what conditions, and for how long. Hughes was not arguing for people to disappear. This was a rallying call to build infrastructure that would let people choose how and when to be visible. This stance anticipated - by decades - the zero-knowledge proofs, verifiable credentials, and attribute-based authentication systems that are now entering mainstream deployment.
Hughes identified three principles that, taken together, constituted a theory of digital freedom.
The first was cryptography as a social tool. Privacy, Hughes argued, could not be protected by policy, goodwill, or institutional restraint. It required mathematics. Strong encryption shifts the balance of power from institutions to individuals - not by preventing surveillance entirely, but by making mass surveillance economically and computationally prohibitive. This was not a technical preference but a political position: the only guarantees worth trusting are the ones that do not depend on trust.
The second was decentralisation of power. Hughes and his contemporaries saw clearly that any system with a central point of control was a system waiting to be co-opted. Communications that route through a single operator can be monitored by that operator, or by anyone who compels them. Peer-to-peer architectures, distributed key management, and protocols without privileged nodes were engineering responses to a structural threat.
The third was what would later become shorthand as “code is law.” If institutions cannot be relied upon to protect individual freedom, then the software itself must enforce the guarantees. Transparent, auditable code that does what it claims to do, verifiably and without exception. This was the cypherpunk answer to the problem of accountability: do not ask permission; build systems where permission is unnecessary because the constraints are mathematical rather than political.
These three ideological principles produced working systems. PGP encryption, onion routing, anonymous remailers, and cryptographic cash protocols all emerged from the community Hughes helped to galvanise. The influence was not always direct - many of the engineers building today’s end-to-end encrypted messaging, passkey authentication, and privacy-preserving computation have never read the manifesto - but the design philosophy they inherited is recognisably his.
Consider the landscape of 2026 through Hughes’ eyes. End-to-end encryption is the default in consumer messaging, not a specialist tool. Zero-knowledge systems allow individuals to prove age, credential possession, or authorisation status without revealing the underlying data - selective disclosure operationalised at protocol level. Passkeys and device-bound identity are replacing passwords, moving authentication from shared secrets to cryptographic proof. Client-side computation and edge architectures are reducing the data that ever reaches a central server. Differential privacy techniques allow aggregate analysis without individual exposure. These achievements reflect a fundamental shift in the assumptions embedded in everyday digital infrastructure.
However, Hughes’ warning about adversarial incentives has aged with uncomfortable precision. Data extraction is now industrialised. Tracking is probabilistic and cross-contextual. AI models amplify inference power to the point where nominally anonymous datasets can be re-identified through correlation. The manifesto’s most quoted line - “we cannot expect governments, corporations, or other large, faceless organisations to grant us privacy” - reads less like polemic in 2026 and more like a sober description of the operating environment.
In many respects, the manifesto’s deepest prediction has been vindicated: privacy survives only when it is automated, cryptographic, and default. What was once radical ideology is now standard protocol design. Cypherpunk ideas succeeded so thoroughly that they became invisible - embedded in the engineering assumptions of systems whose designers may never have encountered the word.
This success is real, and it deserves to be acknowledged without qualification. Hughes and his contemporaries were right about the necessity of cryptographic infrastructure. They were right that policy alone would not hold. They were right that the battle would be fought in code.
But necessity is not sufficiency. The landscape has shifted since 1993 in ways that the manifesto’s framework - powerful as it remains - was not designed to address. The threats to individual agency no longer arrive exclusively through surveillance. They arrive through coordination capture, dependency asymmetry, interface dominance, and the quiet accumulation of structural power in systems that remain technically open. Cryptography can protect what you send but cannot, by itself, protect the conditions under which you send it.
The Opening Gap - What “code is law” Cannot Reach
Hughes wrote against a specific threat. In 1993, the danger was surveillance: governments intercepting communications, corporations harvesting personal data, institutions accumulating dossiers on individuals who had no means of knowing what was collected or how it was used. The manifesto’s response was precisely calibrated to that threat. Encrypt the message and the interceptor gets noise. Decentralise the network and there is no single point to tap. Make the code transparent and the guarantees become verifiable. Against surveillance, this remains the correct architecture.
But the threat model has expanded. The dangers to individual agency in 2026 include surveillance - that problem has not gone away - but they no longer stop there. Power now accumulates through mechanisms that encryption was never designed to address, and that “code is law” cannot reach without a broader conception of what risks are to be mitigated.
The most consequential shift is from interception to inference. Hughes’ adversary was the eavesdropper - someone who gains access to data they were not meant to see. The contemporary adversary is often someone who already has legitimate access, or who can reconstruct what they need from data that was freely given. Machine learning models trained on consented behavioural data can infer health conditions, political affiliations, financial vulnerability, and relationship status with alarming accuracy. The data was not stolen. The individual may have agreed to its collection. But the inference was never part of the bargain. Encryption protects data in transit and at rest; it does not constrain what can be derived from data that has already arrived.
This is connected to a second change in the threat landscape. Hughes’ adversary was hierarchical: a government monitors its citizens, a corporation surveils its users. The response was to remove the hierarchy - replace centralised systems with peer-to-peer ones, eliminate the privileged node, distribute control. But contemporary power often operates not through direct control but through dependency that emerges from convenience, scale, and the sheer difficulty of operating infrastructure effectively. No one is forced to use a particular cloud provider, content delivery network, or code hosting platform. But the practical cost of not using them - in performance, security, discoverability, and operational burden - can make the alternative irrational.
A related pattern is at work in how open systems consolidate at the interface layer. The manifesto assumed a correspondence between openness and freedom: open protocols meant open participation, open code meant accountable systems. This was reasonable in 1993. It is demonstrably incomplete in 2026. The web runs on open protocols, but search is consolidated. Email is federated, but a handful of providers dominate. Git is decentralised by design, but the social, reputational, and operational infrastructure built around it is not. Mobile platforms implement open standards while maintaining control through app stores, proprietary services layers, and certification requirements that open-source alternatives cannot practically replicate.
The overall pattern is consistent: openness at the protocol layer does not prevent capture at the interface, operational, or coordination layers. Power migrates upward - from the standard to the implementation, from the implementation to the service, from the service to the dominant provider of that service. The code may be auditable but dependency may not be escapable.
Hughes’ framework addressed the relationship between individuals and systems, but the systems that now mediate daily life have become so embedded that leaving them is not merely inconvenient but psychologically difficult and professionally disruptive. Workflows adapt to dominant tools. Habits form around default interfaces. Professional identity becomes entangled with specific platforms. AI assistants that accumulate personal context create switching costs measured not in data portability but in the loss of a working relationship with a system that has learned how you think. This is not (in itself) surveillance. It is not even, strictly, lock-in in the traditional sense. It is the accumulation of cognitive debt that makes alternatives increasingly expensive to evaluate, let alone adopt.
Cryptography on its own cannot counter the changes laid out above. Encryption can prevent an adversary from reading your messages but it cannot prevent the emergence of a coordination layer that determines whether your messages are seen. Decentralisation can eliminate the single point of control but cannot prevent the economic gravity that recreates concentration at the user interface. Transparent code can make a system’s behaviour verifiable but it cannot make the conditions surrounding that system - who hosts it, who funds it, who mediates access to it - equally transparent or equally contestable.
The manifesto’s framework addressed what happens to your data but it could not, given its moment, address what happens to your options.
Hughes’ vision is undeniable - and his prescriptions remain essential - but a security architecture designed for a 1990s threat landscape meets 2026’s threat landscape with a structural gap: governance. Governance is the set of rules, structures, and constraints that determine not how data flows but how power accumulates, how dependency forms, and how exit remains viable when the pressures of scale, convenience, and coordination all point toward consolidation.
The Re-Centralisation Problem
The cypherpunk prescription was decentralisation: remove the central node, distribute control, and power has nowhere to accumulate. At the time this was sound, but thirty years of evidence show that decentralised systems reliably produce new forms of centralisation as a predictable function of their own success. The pattern is systematic and understanding it is essential to seeing where governance needs to intervene.
The underlying logic is straightforward. Decentralised systems increase coordination complexity. When there is no single authority managing identity, security, discovery, or dispute resolution, every participant must manage those functions independently or find someone to manage them on their behalf. Open protocols increase attack surfaces. Federated architectures increase operational burden. Distributed key management increases the cost of recovery when something goes wrong. These are all inherent properties of systems designed to operate without a central coordinator.
Markets respond to this complexity by creating new intermediaries. Not the centralised authorities that decentralisation displaced, but service providers that aggregate coordination functions across the distributed network. Content delivery networks that protect open websites from denial-of-service attacks. Managed hosting providers that remove the operational burden of self-hosting open-source software. Code hosting platforms that add social coordination - issues, pull requests, continuous integration, reputation - on top of distributed version control. Identity providers that simplify authentication across federated systems. Each of these services solves a real problem. Each creates a new dependency.
Cloudflare illustrates the dynamic with particular clarity. The web remains technically decentralised. Anyone can host a website, run a server, register a domain. The protocols are open. But a substantial proportion of the world’s web traffic now passes through Cloudflare’s network, which provides caching, security, bot filtering, TLS termination, and edge compute. Cloudflare does not own the web. It does not control the protocols. It does not lock users in through proprietary formats. Users can leave. But the performance, security, and cost advantages of staying create a gravitational pull that is, for many operators, economically irrational to resist.
This is not platform capitalism in the classical sense. Cloudflare does not capture value through social graphs, identity ownership, or algorithmic gatekeeping. It captures value through coordination efficiency - the provision of services that become more effective at scale, because larger networks yield better threat intelligence, faster routing, and more comprehensive protection. The value proposition is genuine. The dependency is also genuine. And the result is what might be called soft centralisation: private governance over public infrastructure, exercised by an entity that is neither elected, nor regulated as a utility, nor accountable through any mechanism beyond market competition and its own institutional choices.
The same pattern repeats across the digital landscape, varying in specifics but consistent in structure.
Git was designed as a distributed version control system. There is no inherent central server; every copy of a repository is a complete replica. But GitHub added the coordination layer - issue tracking, pull requests, code review, social profiles, continuous integration, package hosting - and in doing so became the dominant surface through which open-source software is discovered, evaluated, maintained, and contributed to. The protocol remains distributed. The ecosystem is not. Leaving GitHub is technically trivial - clone the repository and push it elsewhere. Practically, this leads to losing discoverability, contributor reputation, integration with toolchains that assume GitHub’s presence, and the social graph that determines whether a project attracts contributors at all. So whilst no protocol capture occurred, effective power capture did.
Email tells the same story across a longer timescale. SMTP is one of the oldest federated protocols in widespread use. Anyone can run a mail server. The standard is open, well-documented, and implemented by countless independent operators. Yet the operational reality is that a handful of providers - Google, Microsoft, Apple - handle the overwhelming majority of consumer email. The reasons are familiar: spam filtering at scale requires massive data, deliverability depends on sender reputation that large providers control, and the operational burden of running a reliable mail server has increased as security requirements have tightened. The protocol is open. The market is consolidated. Self-hosting is a theoretical right that most individuals and small organisations cannot practically exercise.
Mobile platforms add another variation. The underlying standards - cellular protocols, web standards, Bluetooth, Wi-Fi - are open and interoperable. But the operating systems that mediate access to those standards are controlled by two companies. The app stores that determine what software reaches users are controlled by those same two companies. The proprietary services layers - push notifications, location services, payment APIs - are deeply integrated into the development environment. An open-source mobile application can be written, but reaching users requires conforming to terms set by platform owners who participate in standards bodies while maintaining control at the interface layer.
These are not isolated examples. They are instances of a general pattern: decentralisation at the protocol layer produces re-centralisation at the coordination layer. These are straightforward economic forces. Network effects reward density - users go where other users are. Scale economies reward volume - larger operators provide better security, faster performance, lower per-unit costs. Cognitive load favours simplicity - people default to the familiar interface, the trusted brand, the tool their colleagues already use. Liquidity concentrates. Markets, whether for attention, transactions, or reputation, cluster around the most substantial pools. Risk aversion drives delegation - most users prefer to outsource key management, security, compliance, and recovery to someone who does it professionally.
These forces operate whether or not the underlying protocol is encrypted, open-source, or formally decentralised. Cryptography does not counter network effects. Open standards do not prevent interface dominance. Distributed architecture does not eliminate the human preference for simplicity and the economic logic of aggregation.
What the cypherpunk toolset does accomplish is important and should not be understated. Open standards reduce the durability of dominance. They make exit technically possible, even when it is not practically convenient. They lower the barriers to competition, so that a dominant player can be challenged by a new entrant who does not need permission to interoperate. They create the conditions under which contestability is at least structurally feasible. These are substantial achievements, and they distinguish the current landscape from one built entirely on proprietary lock-in.
But they do not, by themselves, prevent the accumulation of structural power. They do not constrain what a dominant coordinator does with its position. They do not ensure that dependency remains substitutable, that extraction remains bounded, or that the governance of coordination layers remains accountable to the communities that depend on them.
The soft platform - an entity that exercises platform-like influence within an open ecosystem without owning the protocol - is not an aberration but rather a predictable emergent property of decentralised systems operating under market conditions. The question is what will constrain them when they do arise - and that is a question not of cryptography but of governance.
Governance as Infrastructure
We know that cryptography protects data, and open standards protect interoperability, but what protects the conditions under which systems operate? What prevents a technically open ecosystem from consolidating into a structurally captured one? What constrains the soft platform once it has emerged?
The answer is governance. Not governance as afterthought - the compliance layer bolted on once the architecture is complete, the terms of service drafted by lawyers after the engineers have shipped. Governance as infrastructure: a design layer with the same structural weight as encryption, built into systems from the beginning, shaping what is possible in the same way that cryptographic protocols shape what is visible.
This is a harder argument to make than the cypherpunk case. Cryptography has the elegance of mathematics. It is provable, testable, implementable. Governance is messier - it involves institutions, incentives, accountability structures, and the perpetual negotiation between competing interests. But the evidence of the preceding sections points to an unavoidable conclusion: the threats that cryptography cannot reach are precisely the threats that governance needs to address. A system can encrypt everything and still be captured at the coordination layer. A protocol can be fully open and still produce dependencies that are practically inescapable.
The default trajectory in digital systems is what I’ve called the capture gradient (see companion essay, “Beyond the Cathedral and the Bazaar”). This is the movement from open specification to open implementation to commercial marketplace to enclosed fortress. Each transition offers immediate benefits - stability, scale, convenience - while accumulating long-term costs that are diffuse and deferred. Standards enable implementations; implementations enable markets; markets consolidate toward dominant players; dominant players become fortresses. This is a gradient - the path of least resistance in a landscape shaped by network effects, scale economies, and the human preference for simplicity.
Reversing a gradient requires counterforce. In digital infrastructure, this means building systems where capture is structurally difficult - not merely discouraged by policy or prohibited by licence, but made architecturally expensive. Governance is the mechanism through which that counterforce is sustained.
The progression of this is extraction creep: a coordination hub that begins by providing genuine value - security, discovery, dispute resolution - faces continuous pressure to monetise its position. If the entity is funded by venture capital expecting exponential returns, the pressure is acute. If it is publicly traded, it is relentless. Fee increases, pay-to-play visibility, self-preferencing, data harvesting - these are the predictable consequences of misaligned incentive structures. The technical architecture may remain open while the economic behaviour becomes extractive. Cory Doctorow’s description of this trajectory as “enshittification” captures the dynamic precisely: platforms that degrade service quality to extract more value from users who cannot easily leave.
This in turn leads to an absence of accountability. Soft platforms exercise governance functions - they filter, rank, moderate, set terms, resolve disputes - without the accountability structures that typically accompany such power. A content delivery network that can unilaterally deny service to any website exercises a form of censorship, regardless of whether it frames the decision as a commercial choice. A code hosting platform that determines discoverability exercises editorial power over the open-source ecosystem. These are not neutral coordination roles. They are governance acts performed by entities that are neither elected, nor regulated as utilities, nor subject to due process obligations. Whilst the power is real, the accountability is only voluntary.
Governance as infrastructure addresses the above through design, not policy overlay.
With regards to the capture gradient, the response is contestability by design. This requires not just data portability, but portability of identity, reputation, social graph, transaction history, and workflow configuration - the full set of assets that create switching costs when they are locked to a single provider. It assumes multi-homing as a default assumption: systems designed on the premise that participants will use multiple providers simultaneously, not as an edge case but as the normal mode of operation. Substitutability has to be possible at every layer - if a coordination service disappears or degrades, another can take its place without requiring participants to rebuild from scratch. Email achieved this. The telephone network achieved this. It is an engineering pattern with precedent.
This contestability is, however, only achievable if extraction is also constrained. Steward ownership - governance structures where the entity cannot be sold, where profit extraction is capped, and where the mission is legally locked - removes the pressure that drives enshittification. Cooperatives distribute control among participants rather than concentrating it among investors. Multi-stakeholder trusts balance the interests of users, workers, communities, and funders rather than subordinating all interests to shareholder return. Capped-return financing, revenue-based funding, and public co-investment make it possible to build at scale without accepting capital that demands enclosure as the exit strategy. These are not new institutional forms - they predate digital technology by centuries. What is new is applying them deliberately to digital coordination infrastructure, where the stakes of misaligned incentives are systemic rather than local.
Against accountability absence, the response is explicit governance of coordination roles. Any entity that accumulates systemic dependency - where its decisions affect the viability of other actors who cannot practically substitute - should be subject to transparency requirements, due process obligations, and appeal mechanisms. This does not mean treating every service provider as a public utility but rather recognising that coordination power is governance power, and that governance power without accountability is a structural risk regardless of whether the entity exercises it benevolently. The standard is not perfection but visibility: participants should be able to see what rules govern them, how those rules can change, and what recourse exists when the rules are applied unfairly.
This is more than aspirational - each response has working examples, limitations, and trade-offs.
The Fediverse, built on the ActivityPub protocol, distributes coordination by design - no single entity controls discovery, moderation, or identity across the network. The trade-off is user experience fragmentation and the difficulty of managing abuse across independent instances. Matrix and Element have maintained federation as a structural defence, accepting the performance and usability costs that come with refusing to centralise. The GDPR, for all its implementation complexity, functions as a regulatory forcing function at the boundary between open and enclosed systems, requiring data portability and interoperability that markets would not otherwise provide. The European Digital Markets Act goes further, imposing interoperability obligations on designated gatekeepers - an explicit attempt to make contestability durable rather than theoretical.
Europe’s broader regulatory philosophy is relevant here, not as a model to be copied wholesale but as evidence that an alternative theory of digital infrastructure is structurally coherent. Where the dominant American framing positions innovation against regulation - as though constraints necessarily impede progress - the European framing positions power against accountability. The anxiety is not stifled innovation but unchecked concentration. The goal is not to prevent large coordinators from emerging but to ensure that their dominance remains contestable, their extraction remains bounded, and their governance remains accountable.
This positioning reflects a different understanding of where value comes from and what infrastructure is for. If infrastructure exists to serve the communities that depend on it, then governance is not an overhead cost to be minimised but a design requirement to be met - no less essential than encryption, no less structural than the protocol itself.
However, it has to be acknowledged that governance-first infrastructure is harder to build, slower to scale, and less compatible with conventional investment models than its capture-oriented counterpart. Capture is the default gradient. Every shortcut, convenience optimisation, and growth-stage funding round that demands rapid user acquisition tends toward enclosure. Building against the gradient requires accepting constraints that markets do not impose and that most investors do not reward. Patient capital, capped returns, procurement-backed scaling, community wealth vehicles - these financing structures exist, but they are not yet the norm. The path is steeper, and the incentives to abandon it are constant.
But the alternative - technically open systems that consolidate into structurally captured ones - is not an acceptable equilibrium either, particularly when the coordination domains at stake include identity, health, energy, education, and the democratic public sphere.
Beyond “code is law”
Hughes wrote that cypherpunks build systems. Not manifestos, not petitions, not policy papers - systems. Code that works, deployed in the world, enforcing guarantees that do not depend on institutional goodwill. That commitment to building was the manifesto’s deepest contribution, more enduring than any specific technical prescription. It insisted that the response to power be structural, not rhetorical.
This essay has argued that the structural response Hughes articulated - cryptography, decentralisation, auditable code - remains necessary but is no longer sufficient. The threat model has evolved. Surveillance persists, but it has been joined by coordination capture, dependency asymmetry, interface dominance, and the quiet consolidation of governance power in entities that remain technically open while becoming structurally inescapable. The cypherpunk toolset addresses the first of these. It does not, by itself, address the rest.
What is proposed here is not a replacement but an extension for the current digital age. Cryptography tells us who can see the data. Governance tells us who controls the system. Code enforces rules within a system. Governance determines which rules the system enforces, and who gets to change them. These are different questions, operating at different layers, and answering one does not discharge the obligation to answer the other. The design checklist for infrastructure that serves individual agency must therefore now extend beyond the cypherpunk original.
Hughes’ questions endure. Is the operation cryptographically verifiable? Can any participant opt out without leaving a trace? Is the code publicly auditable and version-controlled? These remain non-negotiable. Any system that fails them is not serious about privacy, and no amount of governance design compensates for weak cryptographic foundations.
The cypherpunk questions now need to sit alongside three further tests.
1: Is coordination power contestable? Can participants realistically use alternative providers for discovery, identity, reputation, and dispute resolution - not merely in theory but in operational practice? If a dominant coordinator changes its terms, raises its fees, or degrades its service, can the ecosystem absorb the shock without systemic disruption? If the answer is no, the system has a governance problem that encryption cannot solve.
2: Are dependency relationships visible and substitutable? Can participants see which coordination layers they depend on, understand the terms under which those layers operate, and switch to alternatives without rebuilding from scratch? Portability of data is necessary but not sufficient. Portability of identity, reputation, social graph, and workflow configuration is what makes exit credible rather than theoretical. If leaving is technically possible but practically irrational, the system has reproduced the lock-in it was designed to prevent - just at a different layer.
3: Does the financing model require enclosure to succeed? Capital that demands exponential return demands enclosure. Growth funded by venture expectations will, under pressure, extract from users, degrade service quality, and enclose what was open - not because the founders intended it but because the incentive structure requires it. If the economic model cannot sustain itself without capturing the value that flows through it, the system will capture that value regardless of its founding principles. Aligned financing - patient capital, capped returns, revenue-based funding, cooperative ownership, public co-investment - is not a nice-to-have. It is a structural precondition for infrastructure that remains open under pressure.
These six questions - three inherited from Hughes, three extending his framework - constitute a design test for infrastructure that protects agency rather than merely protecting data. They name the layers at which freedom is won or lost, and they make visible the gap that the cypherpunk framework alone cannot close.
In the companion essay “Beyond the Cathedral and the Bazaar,” I described the Inverse Trojan Horse: infrastructure designed to enable exit rather than enforce retention. Where capture logic accumulates data, liberation logic enables portability. Where capture logic treats switching costs as a moat, liberation logic treats switching ease as a feature. Where capture logic grows through lock-in, liberation logic grows through preference - the system must be good enough to be chosen, repeatedly, by people who could leave.
That principle applies here with full force. But the Inverse Trojan Horse requires more than open protocols and strong encryption. It relies on governance that keeps the protocols open under economic pressure. It needs institutional forms that resist extraction when growth demands it and accountability structures that constrain coordination power before it becomes coercive. Finally, the financing model must not be able to undo the architecture it funds.
Hughes was right that privacy must be automated, cryptographic, and default. The extension is that contestability must also be automated, structural, and default. Exit rights must be design primitives, not afterthoughts. Accountability must be architectural, not aspirational. Governance must be purposefully built, not bolted on.
The manifesto closed with a call to action: “Cypherpunks write code.” The sentiment stands. But the code must now do more than encrypt. It must encode the governance that keeps systems open, the constraints that prevent coordination from becoming capture, and the structural commitments that make agency durable in a landscape where the pressures of scale, convenience, and economic gravity all point toward consolidation.
Hughes gave us the cryptographic layer. The governance layer remains to be built - with the same insistence on structural guarantees over good intentions that defined the cypherpunk project from the beginning.
References
A Cypherpunk’s Manifesto — Eric Hughes.