Today, while researching the Sign Protocol, Feng Zai still hasn't found a clear answer to one question.

Sign's selective disclosure and zero-knowledge proofs let users prove their identity without exposing raw data; this is its core technical commitment. Meanwhile, Sign is helping Kyrgyzstan build a national-level CBDC and assisting the UAE in deploying an on-chain government affairs system. Put these two things together and a contradiction arises that Feng Zai feels no one has discussed directly.

As of January 2026, 73% of countries worldwide have legislated and implemented the FATF travel rule. The core requirement of the travel rule is simple: cryptocurrency transactions exceeding a certain amount must be accompanied by complete identity information of the sender and receiver, including name, account address, and national ID number, so that regulatory authorities can trace the flow of funds when necessary.

Sign's ZK proofs and the travel rule serve two opposing goals. A ZK proof protects privacy by proving a claim without exposing the raw data. The travel rule requires precisely that this raw data be exposed. This is not a matter of someone designing it wrong; the two requirements are fundamentally opposed: one demands maximum privacy, while the other demands maximum traceability.

Sign stands between the two, and its solution is selective disclosure: users are normally protected by zero-knowledge proofs, but under specific conditions sovereign institutions can demand that the data be opened.

This solution is reasonable on a practical level. Feng Zai cannot find a better compromise. But it raises a deeper question: who decides what the "specific conditions" are?

In the architectural design of the Sign Protocol, policy and regulatory power are retained at the sovereign governance level. In other words, the conditions under which user data can be opened are defined by the government operating this system, not guaranteed by the protocol itself. This means that the privacy protection users receive is essentially "the government chooses not to look", rather than "the government technically cannot see".

Feng Zai is not saying that this is a bad design. In the real world, a national-level financial system cannot operate on the basis that "the government technically never sees it"; otherwise, no sovereign institution would be willing to use the system. This is a real-world constraint that must be accepted. Feng Zai thinks the real issue is that the marketing message, "zero-knowledge proof protects privacy", and the actual operational logic, "the sovereign government controls the disclosure conditions", are two different definitions of privacy.

The FATF travel rule requires the sender to provide name, account number, and identification details, and requires that the funds be traceable when regulatory authorities ask. A CBDC operating in a country that has already accepted the travel rule must be able to meet this requirement. Sign's selective disclosure mechanism can indeed achieve this technically: the government has the right to open the data under compliance conditions.

But when ordinary users of SignPass see "ZK proof protects your privacy", most understand it as "no one can see my data". In reality, a more accurate description would be "no one can see your data unless the sovereign government chooses to open it". This gap is not a technical flaw, but a design trade-off that needs to be clearly communicated.

A friendly reminder from Feng Zai: pay attention to the unlock of 49.17 million tokens at the end of this month and to the price trend after the unlock.


Feng Zai believes that what Sign is doing is correct: finding a practically feasible middle ground between ZK privacy and regulatory compliance, which is inherently difficult. However, the distance between that "practically feasible middle ground" and what users typically understand by "zero-knowledge proof protects privacy" is worth clarifying seriously, rather than just leaving it in the white paper.

#Sign地缘政治基建


Do you think that "privacy protection controlled by sovereign governments" counts as real privacy protection? 👇