§ 1. Introduction
Twenty-two years have elapsed since the second-generation onion router paper introduced Tor in 2004[1]; the deployment of end-to-end encryption via the Signal protocol now exceeds a decade; and Briar, Cwtch, and other communication tools built on offline mesh networks for high-threat contexts have been available in usable releases for several years[2]. At the normative level, the right to anonymous communication and the freedom of association both possess sufficient juridical standing; at the engineering level, the cryptographic foundations capable of resisting large classes of network adversaries are already in place. The phenomenon observed across multiple authoritarian and semi-authoritarian settings, however, takes the form of “strong assembly, weak association.” Large-scale, one-off digital mobilizations have repeatedly succeeded (Tunisia, Egypt, Hong Kong, Iran, Belarus, Catalonia), yet cases of digital association capable of sustaining persistent membership, verifiable group boundaries, and internal accountability mechanisms after mobilization are nearly absent[3].
In preliminary doctoral research, mashbean advances an intuitive hypothesis that can be restated in its strongest reading (hereafter H0): “The fundamental reason that existing anonymity tools fail to support digital association is that identity privacy is insufficient; once identity privacy is pushed to a sufficient strength, digital association will appear.” This reading takes “insufficient identity privacy” as a sole sufficient cause, reducing all cases of associational failure to downstream manifestations of an upstream privacy problem. Its appeal lies in alignment with the cypherpunk lineage of tool-optimism from the 1990s onward, and in the explanatory space it retains given that Tor, Signal, and Briar have not yet genuinely diffused[4].
The difficulties with H0 emerge gradually upon literature review. First, settings that have substantively solved pseudonymous-membership continuity—such as token-based governance in MakerDAO, Compound, and Uniswap—have not thereby achieved stable association; they have instead fallen into multiple governance pathologies, including plutocracy, VC capture, and core-team exit[5]. Second, Hong Kong’s LIHKG during the 2019–2020 anti-extradition movement partially resolved, via verified badges and pseudonymous handles, the condition that “the same speaking subject be recognizable within the group,” yet factional fragmentation (militant / moderate / exile) and the collapse of internal accountability still constituted decisive failure[6]. Third, Briar and Cwtch deliver strong-privacy peer-to-peer communication at the tool level, but adoption rates among the high-threat populations that need them most remain low, exhibiting a gap between tool specification and social institution[7].
Taking these three sets of observations together yields a preliminary inference that H0 is too strong. Tools such as Tor and Signal solve the upstream problem of “momentary identity privacy,” yet in the field where association fails, the second and third walls (verifiable group boundary, internal accountability) continue to block scaling independently. The task is therefore to revise H0, not to deny it. The revised version takes the form of a three-walls conjunctive structure, denoted H1’ = ¬F ⇔ W1 ∧ W2 ∧ W3, where W1 is the persistent-pseudonymity wall (tool layer), W2 is the verifiable-group-boundary wall (institutional layer), and W3 is the internal-accountability wall (governance layer). The argument proceeds through five stages—political-philosophical text interpretation, convergence of the connective-action literature, process tracing across five cases, formalization of the three walls, and treatment of counter-example boundaries—building the credibility of H1’ incrementally and identifying integration points with article 01 (accountability without identification) and article 02 (civic proof concept positioning).
Three boundary conditions must be marked at the outset. First, H1’ is a normative-empirical conjunction, not a purely logical definition; other structural conditions such as W4 (legal status), W5 (resources), and W6 (leadership) are not excluded but are left for further development. Second, the case sample of the present article is N = 5 (Iran, Hong Kong, Catalonia, Belarus, Briar/Cwtch); N is low, and the three failure patterns α/β/γ derived therefrom should be regarded as “patterns observed at N = 5, pending broader verification.” Third, no present case resolves all three walls simultaneously, so H1’ admits, under contemporary conditions, only falsificationist testing (one missing condition is sufficient to fail) rather than verificationist confirmation; correspondingly, the engineering proposition that “the bundle of normative conditions constituting civic proof can be simultaneously satisfied in scaled association” remains a normative proposal, not an empirically verified engineering scheme[8].
§ 2. Political-Philosophical Foundations: Three Conditions Distinguishing Assembly from Association
Evaluating whether H0 stands requires first determining what additional normative obligations association bears relative to assembly. If association is simply assembly continued into the following day, H0’s single-cause pathway might hold; identity privacy that sustains momentary assembly would, extended along the time axis, yield association. The textual evidence, however, points in another direction.
Arendt describes action in Chapter V of The Human Condition as “spontaneous beginning” and as the “self-disclosure in public space,” which has led many secondary readings to treat her as a proponent of “assembly = momentary.” This reading underestimates the institutional dimension of Arendt’s later texts. In Chapter 6 of On Revolution, in the discussion of the council system and the ward republics, Arendt explicitly indicates that political action requires institutional sedimentation to endure across generations; the “public space” is public precisely because it can be sustained beyond a single gathering[9]. Honig’s (1993) interpretation of the politicization–depoliticization tension in Arendt and Benhabib’s (1996) reinforcement of Arendt’s institutional dimension both push this point to an explicit position[10]. Arendt’s action is not purely momentary; the momentary reading captures certain facets of Arendt rather than her full position.
Tocqueville, in Democracy in America, vol. 2, pt. 2, chs. 5–7, distinguishes political association (parties, political alliances) from civil association (reading clubs, cooperatives, mutual-aid organizations), warning that the two bear distinct normative obligations and that conflating them invites harm[11]. Contemporary Tocquevillean interpretation divides into two principal paths. Putnam’s Bowling Alone (2000) romanticizes civil association as a “producer of social capital,” reading the decline of association as an indicator of democratic decline. Skocpol’s Diminished Democracy (2003) counters this romanticization, pointing out that Putnam’s pathway overlooks the historical structural shift of twentieth-century American civic organizations from membership-based to management-based[12]. Rosenblum’s On the Side of the Angels (2008) then defends party association within the Tocquevillean lineage, while cautioning that party association and civil association are not interchangeable; the obligations of representation, interest aggregation, and internal discipline borne by the former exceed those of the latter by far[13]. Placing the Tocqueville–Putnam–Skocpol–Rosenblum lineage together yields the more restrained proposition that “association is a political practice bearing normative obligations”; the romanticizing framing (“association is naturally good”) is not the genuine position of the lineage.
Juridical evidence comes from the separate treatment of freedom of assembly and freedom of association in U.S. First Amendment doctrine. NAACP v. Alabama, 357 U.S. 449 (1958), confirmed the centrality of confidentiality over membership lists to associational continuity; Roberts v. United States Jaycees, 468 U.S. 609 (1984), confirmed the internal rule-making power of associations over the setting of membership; Boy Scouts of America v. Dale, 530 U.S. 640 (2000), extended the boundary of “expressive association” to permit the exclusion of specific members[14]. Inazu’s Liberty’s Refuge (2012) systematically organizes the history of this doctrinal line, indicating that freedom of assembly and freedom of association have, since the twentieth century, been increasingly treated as two distinct constitutional rights—the former protecting momentary public gathering, the latter protecting persistent group existence and membership identity[15]. The two legal doctrines correspond to the two political-philosophical concepts.
Synthesizing these texts, association bears three conditions in addition to those of assembly. First, membership identity recognizable across the time axis, that is, the same individual being recognized by the group as the same member at times t1 and t2. Second, a verifiable member/non-member boundary, that is, the group’s capacity to determine internally who is a member and who is not. Third, a chain of mutual accountability obligations among members, that is, an institutional mechanism by which the group can hold responsible those who transgress, beyond the path of exit. Denoting these as C1 (persistent identity), C2 (group boundary), and C3 (internal accountability), the equation “association = assembly + C1 + C2 + C3” provides the minimal operational criterion under this lineage.
What is the weakest form of C1? A common answer is pseudonymity: the same pseudonymous handle being recognized at t1 and t2. But this answer does not apply to long-term collaborative groups such as the Linux Kernel, which operate principally under real names; Linus Torvalds and his maintainer circle have been continuously recognized through real names plus public contribution history, without taking the pseudonymity path[16]. Broadening the weakest form of C1 to narrative continuity—the same narrative subject being recognized across the time axis, whether under a real name or a pseudonymous handle—better covers the observable cases. The concept of narrative identity within the Arendt–Honig–Benhabib lineage provides the normative basis for this broadening[17]. It should be noted that extending from Arendt–Honig–Benhabib to “engineering-sense persistent-identity design” is a theoretical extension, treated here as a derivable extension proposition rather than an empirically verified engineering conclusion.
This broadening produces a reverse correction to the civic proof unlinkability condition of article 02. Article 02 describes unlinkability as “non-linkability across actions,” without explicitly distinguishing external from internal. Under the conjunctive requirement of C1 + C2, unlinkability must be split into external and internal forms: externally (against non-members, against the state, against surveillance adversaries) the cross-action non-linkability of members is preserved; internally (within the group itself) the linkability of members is maintained for purposes of membership verification. Anonymous credentials (e.g., idemix-style, fully unlinkable) violate C1 because they prevent “the same member” from being identified within the group. Pseudonymous credentials (e.g., BBS+-style, unlinkable outside the group but linkable within) satisfy C1 and C2 simultaneously[18]. The present article elaborates this correction further in § 7.
§ 3. The Connective-Action Literature: The Empirical Regularity of Strong Assembly, Weak Association
The second source of evidence comes from three mainstream lines of literature: connective action, networked publics, and digitally enabled social change. Between 2010 and 2020, these literatures accumulated case observations across geographies (the Middle East, East Asia, Southern Europe, North America), across issues (democratization, labor, environment, gender), and across tools (Twitter, Facebook, WhatsApp, Telegram, Signal), converging on a recurrent and identifiable empirical regularity.
Bennett & Segerberg, in The Logic of Connective Action (2013), name the shift in action morphology brought by digital tools as “personal action frames + digitally networked”[19]. This framework emphasizes that individuals can, without joining a formal organization, participate in large-scale collective action through sharing, forwarding, and self-disclosure. This lowers the threshold for mobilization but simultaneously lowers organization formation. Tufekci, in Twitter and Tear Gas (2017), specifies the mechanism as three observations—organizational capacity in excess, narrative capacity insufficient, decision-making capacity fractured—and repeatedly verifies them through Tunisia, Egypt, Turkey, Occupy, and Hong Kong[20]. Castells, in Networks of Outrage and Hope (2012/2015), reaches similar conclusions from observations of Spain’s 15M, Occupy Wall Street, and the Arab Spring, with greater emphasis on affective mobilization and identity[21]. Earl & Kimport, in Digitally Enabled Social Change (2011), draw on data from U.S. domestic issue activism, emphasizing that tools lower coordination costs while also lowering commitment density[22]. Polletta’s Freedom Is an Endless Meeting (2002), although focused on the pre-digital U.S. social movements, observes that “leaderless / consensus-decision” associations struggle to sustain themselves, an observation continuous with that of the connective-action literature[23]. Diani & McAdam, in Social Movements and Networks (2003), confirm within a network-analytic framework that weak ties facilitate mobilization diffusion while only strong ties can sustain organization[24].
Placing these independent studies together yields a common empirical regularity that can be restated as: “digital tools amplify mobilization and weaken establishment”; strong assembly, weak association. This observation has been stably reproduced across geographies, issues, and tools, and therefore attains the status of an empirical regularity. Two things must be distinguished, however. First, an empirical regularity is “a phenomenon stably reproduced under present observational conditions”; it is not “structural necessity.” Arguments for structural necessity must appeal to mechanism, which is the task of the three-walls formalization in § 5. Second, the conditions under which the empirical regularity holds in the existing literature do not encompass all possible settings; the following two counter-examples require that the claim be narrowed in scope.
The first counter-example is Karpf’s The MoveOn Effect (2012). Karpf’s observation shows that “online-offline hybrid + pre-digital skeleton” organizations such as MoveOn.org scaled successfully in the U.S. democratic environment without falling into the “weak association” predicament described by the connective-action literature[25]. The supporting mechanism for MoveOn is a conjunction of three conditions: selective mixing of real names and pseudonyms; central-team execution; and the pre-Internet political mailing-list assets. This narrows the claim of the connective-action literature to “in settings without a pre-digital skeleton”; where actors inherit pre-digital union, party, religious, or community-organization skeletons, digital tools may instead amplify existing associational capacity and not weaken establishment.
The second counter-example is the natural experiment of Tunisia and Egypt. The two countries faced similar authoritarian-mobilization structures in 2010–2011 and both used social media extensively for mobilization. Tunisia, however, inherited the UGTT (Union Générale Tunisienne du Travail), a national-scale union founded in 1946, whose internal accountability, membership, and cross-city coordination mechanisms had operated for more than sixty years before the eruption of digital mobilization; Egypt had no comparable skeleton, and although mobilization at Tahrir Square succeeded in overthrowing Mubarak, it failed to form stable political associations after mobilization[26]. Howard & Hussain’s Democracy’s Fourth Wave? (2013) and Anduiza et al.’s (2014) study of Spain’s 15M point to the same explanation: pre-digital skeletons are one of the principal explanatory variables for the trajectory of democratization, and digital tools amplify or suppress this variable rather than replace it[27]. It should be noted that natural-experiment inference requires controlling for other variables (sectarian proportions, military posture, external support), so describing pre-digital skeletons as “one of the principal explanatory variables” fits the data better than describing them as “the decisive independent variable.”
Taking the Karpf counter-example together with the Tunisia–Egypt natural experiment, the claim of the connective-action literature may be narrowed to the form: “in settings without a pre-digital skeleton, digital tools amplify mobilization and weaken establishment” is a stable empirical regularity. This narrowing does not weaken the present article’s revision of H0; the core settings of digital-association failure (Iran, Hong Kong, Catalonia, Belarus, exile Iranian / Syrian / Belarusian communities) are precisely “without a pre-digital skeleton.” The connective-action literature delivers observation, not mechanism. The three-walls formalization converts this observation into a testable conjunctive structure.
The operational criteria for assembly and association can be derived from the normative conditions of § 2 and the empirical observations of this section. The criterion for assembly is “one-off mobilization, no persistent membership, no internal rules”; the criterion for association is “persistent membership, verifiable boundary, internal accountability.” These criteria classify the cases in the sections that follow.
§ 4. Process Tracing of Five Cases: Three Failure Patterns and the Catalonia Boundary
This section conducts process tracing on five quasi-digital-associational cases. For each case, the state of W1/W2/W3 is first listed as solved, partially solved, or unsolved; the key nodes of the failure chain are then traced; and the case is finally classified into one of three failure patterns. The boundary of the sample must be marked explicitly. N = 5 is low for inductive inference, and the three patterns α/β/γ derived therefrom should be regarded as “cross-case patterns of observation, pending broader verification.” Cases from Latin America (Chile 2019) and Africa (Ethiopia, Sudan) are not covered; subsequent research should extend the sample to N ≥ 15, including successful comparison groups, to strengthen inductive force.
“Failure” must also be defined in three layers to avoid conceptual confusion. Mobilization-layer failure refers to the absence of even large-scale mobilization (the Iran Green Movement 2009 approximates this case); governance-layer failure refers to successful mobilization followed by the collapse of internal governance (Hong Kong’s LIHKG and the Belarusian opposition approximate this case); legal-effect-layer failure refers to viable internal governance but a deficit in external legal effect (Catalonia’s ANC/Òmnium approximates this case). These three layers are marked separately in the analysis below.
Case 1, Iran Green Movement 2009. Under early mobilization via Twitter and Facebook, the Iranian opposition once gathered large-scale protests in Tehran. The authorities, however, conducted dragnet identification through multiple channels—Twitter public data, Facebook real-name policy, mobile-phone signal localization—identifying, detaining, and torturing a large number of participants[28]. Sreberny & Khiabany’s Blogistan (2010) and Khamis & Vaughn’s (2011) study of Iranian Internet politics indicate that the breach of W1 (persistent pseudonymity) severed the entire mobilization chain at its first stage. W2 (group boundary) and W3 (internal accountability) downstream had no opportunity to form. This case belongs to Pattern α: C1 breach → upstream collapse.
Case 2, Hong Kong LIHKG 2019–2020. LIHKG provided a verified-badge mechanism plus pseudonymous handles, partially resolving W1 at the tool layer; the same speaking subject could be recognized as persistently present within the group. W2 was weak in implementation: multiple anonymous accounts intermingled, making the group boundary difficult to delineate. W3 was wholly absent; after factional fragmentation (militant, moderate, exile), no internal accountability mechanism could prevent the split of action lines or attribute responsibility for decisions[29]. Lee & Chan’s Media and Protest Logics in the Digital Era (2018), Lee’s (2020) observation in Critical Asian Studies of the anti-extradition trajectory, and Yuen’s (2020) extended study in Hong Kong Studies converge on the same outcome: mobilization intensity was extremely high, but after mobilization the three paths mutually negated one another, and after 2020 the movement disintegrated entirely under the National Security Law environment[30]. This case belongs to Pattern β: W1 partially solved but W2/W3 unsolved → factional fragmentation.
Case 3, Post-2017 Catalonia (ANC/Òmnium). ANC (Assemblea Nacional Catalana) and Òmnium Cultural maintained membership systems and internal statutes with the support of digital collaboration tools; W2 attained medium strength at the offline-membership level, and W3 was likewise medium. W1 at the tool layer, however, became a weakness once it crossed the boundary of authoritarian suppression, because Spanish civil-identity roots were in use. After the 2017 referendum, the Spanish Constitutional Court’s blockage, the Madrid central government’s criminal prosecution, and experiments with alternative infrastructures such as Vocdoni placed the case under both internal-governance and external-legal-effect pressures[31]. Crameri’s Goodbye, Spain? (2014) and Della Porta et al.’s Movement Parties Against Austerity (2017) indicate that ANC/Òmnium, despite medium strength across the three internal conditions, failed to achieve independence largely because external state suppression overpowered the internal structure. This case belongs to the Catalonia boundary: it delineates the boundary of an external variable (state coercion) without weakening the framework itself. It should be made explicit that an alternative reading is possible—namely, that external suppression alone is sufficient to render the three conditions ineffective—which is left as an open challenge to H1’.
Case 4, Belarusian Opposition 2020–2021. Telegram mobilization (NEXTA and related channels) reached hundreds of thousands during the 2020 presidential-election protests. W1 was weak (Telegram remained bound to actual phone numbers), W2 was weak (a structural break between exile and domestic grassroots), and W3 was absent (after the exile of Tikhanovskaya as leader, the accountability chain with the domestic grassroots was lost)[32]. The updated edition of Wilson’s Belarus: The Last European Dictatorship (2021) observes that the Belarusian opposition succeeded at the mobilization layer but collapsed completely at the governance layer; after 2021, domestic organizational capacity was virtually erased, and a structural break appeared between exile leadership and domestic supporters. This case belongs to Pattern β, but compared with Hong Kong it more closely resembles simple leadership rupture than factional divergence.
Case 5, Briar / Cwtch 2017–2026. Briar and Cwtch strongly solve W1 at the tool layer; peer-to-peer mesh networks + end-to-end encryption + non-reliance on centralized servers permit operation even in network-disconnected scenarios[33]. The tools themselves, however, do not provide the corresponding institutions for W2 and W3; Briar’s functional design offers no “group-membership proof” or “cross-member accountability process.” Adoption rates among the high-threat populations that most need these tools (exiles, journalists, organizers under repressive regimes) remain low, partly because the tools lack accompanying social institutions[34]. It should be noted that quantitative data on Briar / Cwtch adoption are incomplete; observations are drawn primarily from Sukhbaatar’s (2017) academic evaluation and the projects’ own public documentation, and more systematic quantitative research (GitHub stars, Play Store, interview-based fieldwork) is needed. This case belongs to Pattern γ: tool solves W1 but no corresponding social-layer W2/W3 institutions → low adoption.
Synthesizing the five cases, the three failure patterns can be mapped onto the position of the breach across the three walls:
- Pattern α: W1 breached at the mobilization layer, downstream walls inaccessible (Iran Green 2009).
- Pattern β: W1 partially solved but W2/W3 breached at the governance layer, leading to factional fragmentation or leadership rupture (LIHKG, Belarus).
- Pattern γ: W1 solved at the tool layer but no corresponding W2/W3 institutions at the social layer, leading to low adoption (Briar/Cwtch).
- Catalonia boundary: W1 + W2 + W3 at medium strength but external state suppression overpowering the internal structure, delineating the external boundary of the framework.
These four modes constitute, under the N = 5 limitation, the core induction of the present article. It must be made explicit again that this induction is a pattern observation under an N = 5 sample, and that subsequent research with larger N may revise the classification or add additional modes. The Catalonia boundary in particular requires careful handling; the possibility that an external variable weakens the framework must be recorded separately from the possibility that the framework itself is verified.
§ 5. Formalization of the Three Walls: H0 → H1 → H1’ and the Civic Proof Correspondence
Sections 2–4 draw evidence respectively from normative-text interpretation (D, deductive), cross-case literature convergence (I, inductive), and process tracing of five cases (C, causal). This section integrates these three sets of evidence into a formalized conjunctive hypothesis and establishes a mapping to the four civic proof conditions of article 02. The formalization adopts the three criteria of Cappelen’s (2018) Fixing Language conceptual engineering—coverage, discrimination, and inheritability—as its internal evaluation standard[35].
P1 (weak): H0 is too strong. The strongest reading of mashbean’s original hypothesis is H0 = (A ⟹ F), where A = insufficient identity privacy, F = failure of digital association, and ⟹ is sole sufficient cause. H0 is equivalent to “A is sufficient for F.” The counter-examples are as follows. Token-governance DAOs such as MakerDAO, Compound, and Uniswap have attained substantive strength on W1 (pseudonymous wallets + public-key continuity), yet governance still fails; plutocracy (token-holding proportion determines voting), VC capture (early investors hold large token shares), and core-team exit (governance collapse after the departure of core developers) operate independently[36]. The analyses of Buterin, Ohlhaver & Weyl’s Decentralized Society: Finding Web3’s Soul (2022) and DuPont’s The DAO (2017) indicate that the cause of DAO governance failure is not insufficient identity privacy; the design failure of the W3 internal-accountability mechanism is central. In this counter-example, H0 predicts associational success under “sufficient identity privacy,” but the prediction fails to match observation, so H0 is too strong.
P2 (medium, core revision): H1’ = ¬F ⇔ W1 ∧ W2 ∧ W3. Revising H0 into a conjunctive structure yields H1’. ¬F (association does not fail) is equivalent to the simultaneous satisfaction of W1 ∧ W2 ∧ W3; the simultaneous resolution of the three walls is the necessary and sufficient condition for the scaling of association. The walls’ contents are as follows. W1 (persistent-pseudonymity wall): the same membership identity is recognizable to the group across the time axis, whether under a real name or a pseudonym, with the weakest form being narrative continuity. W2 (verifiable-group-boundary wall): the group is capable of determining internally who is a member and who is not. W3 (internal-accountability wall): when members transgress, the group has an institutional mechanism for attributing responsibility. The conjunctive structure of the three walls carries the three failure patterns of § 4; the breach of any single W_i constitutes failure, which corresponds to the logical “one missing condition is sufficient to fail” property of conjunction.
H1’ is a normative-empirical conjunction, not a purely logical definition. Its “normative” content is derived from the political-philosophical lineage of § 2; its “empirical” content is induced from the process tracing of five cases in § 4. This conjunctive property entails that H1’ cannot be proven through purely conceptual analysis; it can only be approached through empirical testing, and remains open to revision under new cases. W4 (legal status), W5 (resources), W6 (leadership), and other structural conditions are not excluded but left for open discussion; they may serve as supplementary or antecedent conditions to the three walls, but no assertion to that effect is made here.
P3 (strong, requires bridging): The four civic proof conditions correspond to the normative necessary conditions required by the three walls. The civic proof conceptual framework proposed in article 02 contains four conditions: anonymity, unlinkability, verifiability, and accountability[37]. The correspondence mapping between these four conditions and the three walls is set out in the table below.
| Civic proof condition | Corresponding wall | Mechanism |
|---|---|---|
| anonymity | W1 | Without exposing the real name, the same actor remains identifiable as “the same member” (narrative continuity rather than real-name continuity) |
| unlinkability | W1 + W2 | Externally non-linkable across individual member actions; internally verifiable as a member (internal-external separation) |
| verifiability | W2 | Verifiable membership credentials (cryptographic-sense proofs of membership) |
| accountability | W3 | Accountable pseudonymity (threshold opening held by the group m-of-n; drawing on article 01’s “political-economic achievement” framework) |
This mapping is the point of conceptual articulation among the three doctoral articles. Article 01 supplies the political-economic foundation for W3; accountable pseudonymity is possible not through cryptographic mechanism alone, but because a social contract enables the collective bearing by associational members of the dual condition “internally accountable upon transgression + externally pseudonymous under normal conditions”—this is a “political-economic achievement” rather than a purely technical one[38]. Article 02 supplies the normative-condition bundle for W1 + W2 + W3; civic proof posits the four conditions as the minimum normative requirements for any proof system that “externally claims membership + internally permits accountability + externally avoids identification”[39]. Article 03 (the present article) supplies the empirical verification: the three-walls hypothesis + process tracing of five cases + Strong/Weak form boundaries.
It must be made explicit that the four civic proof conditions are a normative proposal, not a verified engineering implementation. Anonymity has cryptographically mature tools (zero-knowledge proofs, blind signatures); verifiability has implementation paths under verifiable credentials and the W3C VC standard; but the internal-external separation of unlinkability (pseudonymous credentials rather than anonymous credentials) is not yet the default in mainstream wallet ecosystems, and the “threshold opening held by the group m-of-n” form of accountability remains a research topic[40]. Mapping the four civic proof conditions onto the three walls aligns a normative proposal with an empirical hypothesis; it does not claim that the problem has been solved.
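The internal/external split of unlinkability described in § 2 and the “threshold opening held by the group m-of-n” row of the table can be made concrete with a toy sketch; this is an added example, not code from this article or from articles 01 and 02. It substitutes HMAC-derived scoped handles and Shamir secret sharing for BBS+-style credentials, and the function names, scope strings, and sample identities are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Field for Shamir sharing: 2**521 - 1 is a Mersenne prime, large enough to
# hold an identity string of up to 64 bytes as one field element.
P = 2**521 - 1


def scoped_pseudonym(member_secret: bytes, scope: str) -> str:
    """Per-group handle (simplified stand-in for a pseudonymous credential).

    Same secret and scope -> same handle at t1 and t2 (internal linkability).
    Different scopes -> handles that cannot be matched without the secret
    (external unlinkability). A real credential would also prove possession
    of the secret; that proof is omitted here.
    """
    return hmac.new(member_secret, scope.encode(), hashlib.sha256).hexdigest()[:32]


def split(secret: int, m: int, n: int) -> list:
    """Shamir m-of-n: random degree-(m-1) polynomial f with f(0) = secret."""
    if not (1 <= m <= n) or not (0 <= secret < P):
        raise ValueError("need 1 <= m <= n and 0 <= secret < P")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]

    def f(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]


def combine(shares) -> int:
    """Lagrange interpolation at x = 0; only >= m distinct shares yield f(0)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def enroll(identity: str, scope: str, m: int, n: int):
    """Enrol a member: returns (member_secret, handle, one escrow share per steward)."""
    member_secret = secrets.token_bytes(32)
    handle = scoped_pseudonym(member_secret, scope)
    encoded = int.from_bytes(identity.encode("utf-8"), "big")
    return member_secret, handle, split(encoded, m, n)


def open_identity(shares, m: int) -> str:
    """Group-held opening: refuses unless m distinct stewards contribute."""
    distinct = dict(shares)
    if len(distinct) < m:
        raise PermissionError(f"threshold not met: {len(distinct)} of {m} shares")
    value = combine(list(distinct.items())[:m])
    return value.to_bytes((value.bit_length() + 7) // 8, "big").decode("utf-8")


def demo():
    # Constructed sample values, not taken from any real deployment.
    secret, handle_a, shares = enroll(
        "member: constructed-example-person", "group-A", m=3, n=5)
    handle_a_later = scoped_pseudonym(secret, "group-A")  # time t2, same group
    handle_b = scoped_pseudonym(secret, "group-B")        # a different group
    opened = open_identity([shares[0], shares[2], shares[4]], m=3)
    return handle_a == handle_a_later, handle_a != handle_b, opened


if __name__ == "__main__":
    print(demo())
```

With fewer than m shares the interpolation returns an unrelated field element, so no minority of stewards can open a handle on its own.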
P4 (strongest, conditional): If the three walls were simultaneously resolved, the scaling of digital association would be possible; no present case resolves the three walls simultaneously, so the hypothesis admits only falsificationist testing. P4 is the conditional conclusion of H1’. Its strongest reading is that “the conjunction of the three walls constitutes the necessary and sufficient condition for the scaling of association,” but verifying this reading requires at least one case that simultaneously resolves W1, W2, and W3 and attains a scale of ≥10⁵ members with persistent operation across authoritarian boundaries. Such a case does not currently exist. Lakatos’s (1970) methodological treatment of scientific research programs provides a workable handling for this situation: when the core proposition cannot be directly confirmed, it can be retained as the hard core of a research programme and approached through the protective belt’s handling of counter-examples41. The treatment of counter-examples and boundaries in § 6 of the present article plays this role.
§ 6. Counter-Examples and Boundaries: DAO, Cypherpunks, SecureDrop, and Linux Reframed
The formalization of H1’ is completed in § 5. This section addresses four sets of cases that might refute H1’ and delineates the Strong/Weak form boundary.
DAO governance (MakerDAO, Compound, Uniswap, Optimism Citizens’ House). DAOs are the strongest candidate counter-example to H1’; they attain substantive strength on W1 via pseudonymous wallets, attain medium-to-strong strength on W2 via token holders as boundary, yet still fail on W3. MakerDAO, operating from 2018 to the present, has repeatedly undergone plutocracy crises (token-holding proportion determining governance), VC capture (concentrated holdings by early investors such as a16z), and core-team exit (governance-trajectory disputes following Rune Christensen’s departure) [42]. The governance records of Compound and Uniswap display similar patterns. The reviews by Hassan & De Filippi (2021) in Internet Policy Review on DAO governance theory, by Schneider (2022) in Governable Spaces on the concept of “governable spaces,” and by Buterin (2021) in “Moving beyond coin voting governance” on the deficiencies of coin voting, all converge on multiple failures of W3. The manifestations of W3 failure are multiple: beyond plutocracy, VC capture and core-team exit act simultaneously, each independently constituting a breach in W3 [43].
The Optimism Citizens’ House (operating from 2023 to the present) is at present the most earnest attempt at W3. It employs quadratic voting, a bicameral structure of Citizens’ House and Token House, and RetroPGF (retroactive public-goods funding) to escape the plutocracy trap of coin voting [44]. The case is presently locked at scales of 100s to 1,000s, however, and membership of the Citizens’ House still depends on Foundation-led citizen issuance (citizens are selected by the foundation); its scaling trajectory is unknown. If Optimism Citizens’ House reaches a scale of 10K with genuinely de-Foundation-ized citizen issuance before 2027, the weak form will be partially refuted. This is a conditional conclusion, not a present rebuttal basis.
Placing the DAO cases within the framework of H1’ yields revision rather than refutation. DAOs resolve W1 + W2 but not W3, which is the concrete instantiation of the prediction in H1’ that “one missing condition is sufficient to fail.” This supports the weak form.
The 1990s cypherpunks mailing list. The historical accounts by Levy in Crypto (2001), Coleman in Hacker, Hoaxer, Whistleblower, Spy (2014), and Beyer in Expect Us (2014) show that the cypherpunk community operated principally under pseudonyms (W1 solved), without a formal membership system (W2 weak), and that community norms were sustained by core figures such as Tim May and Eric Hughes plus mailing-list moderation (W3 medium) [45]. The argument treating cypherpunks as a counter-example to H1’ typically invokes “Bitcoin originated within the cypherpunks community” as support: since cypherpunks could give rise to Bitcoin, communities with W1 solved are capable of major outcomes. This argument conflates movement with association. Cypherpunks is a movement / knowledge community (a school of thought, a technical testbed), not an association (persistent membership + group boundary + internal accountability); Bitcoin’s success is the composite outcome of Satoshi as a single actor / small team + a public protocol + autonomous operation, and cannot be credited back to the associational capacity of the cypherpunks community itself. After this reframing, cypherpunks does not constitute a counter-example to H1’.
Tor SecureDrop. SecureDrop has been deployed across 70+ news organizations since 2013, providing an anonymous-submission workflow between journalists and sources [46]. It solves W1 (onion service + Tor); W2 is medium within a newsroom-scoped boundary (each newsroom manages its own instance); W3 is borne within the newsroom by editorial authority. The argument treating SecureDrop as “digital association” commits a categorical error. SecureDrop belongs to the service-tier whistleblower workflow, provided and operated by news organizations as already-existing legal entities, rather than constituting an emerging digital association itself. Two criteria apply. First, the membership of SecureDrop is defined by the host newsroom, not by the group itself; second, internal accountability is borne by the editorial discipline of the host newsroom, not by mutual accountability among members of the group. These two criteria place SecureDrop on the service tier rather than the association tier. After this reframing, SecureDrop does not constitute a counter-example to H1’. It should be noted that this reframing does not deny the value of SecureDrop; it merely delineates its scope as a service infrastructure.
The early Linux Kernel community. Linus Torvalds and his maintainer circle operate principally under real names with public contribution histories, and the community has operated effectively for more than thirty years [47]. Kelty’s Two Bits (2008) and Lerner & Tirole’s (2002) analysis of the open-source movement show that the success of Linux depends on three conditions: (a) real names + public contribution histories substitute for the narrative-continuity mechanism of W1; (b) the committers list serves as the group boundary of W2; (c) Linus and the maintainer circle bear the internal accountability of W3. The argument treating Linux as a counter-example to H1’ would say that, since Linux succeeds without resolving W1, the three-walls hypothesis does not hold.
The difficulty with this argument is that it overlooks the contextual boundary of the Linux case: democratic environment + labor-rights protection + the bearability of individual physical exposure. Under these conditions, “real name + public contribution history + the individual’s capacity to bear identification” can substitute for narrative-continuity-sense W1. This substitute path, however, holds only in the democratic / labor-rights-protection context; when the context shifts to authoritarian (China, Iran, Belarus), Linux’s substitute path would collapse, because individual physical exposure is not bearable. After this reframing, Linux does not constitute a counter-example to H1’; on the contrary, it delineates a substitute-path boundary: under conditions of democracy + labor-rights protection, real-name + public-contribution-history can substitute for the pseudonymous form of W1. It must be made explicit that this boundary judgment is an extension proposition derived from the contextual conditions of existing cases, not an empirically verified structural conclusion; whether Linux’s substitute path remains workable in authoritarian contexts is currently without a direct case and is left for further research.
Synthesizing the four reframings, the Strong/Weak form distinction takes the following form:
- Strong form: in political association + ≥10⁵ scale + cross-authoritarian-boundary settings, the three walls are jointly necessary. No present case simultaneously resolves the three walls; quasi-large-scale cases such as NEXTA / Telegram exhibit the standard failure modes.
- Weak form: in financial governance + 10³–10⁴ scale + democratic-environment settings, W1 + W2 can be resolved, while W3 remains a problem. DAOs such as MakerDAO / Compound / Uniswap are typical supporting cases; the Optimism Citizens’ House 2025–2027 trajectory is a candidate for potential refutation.
- Linux substitute path: in democratic + labor-rights-protection + individual-physical-exposure-bearable settings, real-name + public-contribution-history can substitute for W1. The early Linux Kernel community is a supporting case; the proposition that this substitute fails under authoritarian contexts is an inference rather than a verified claim.
The Strong form, under present conditions, admits only falsificationist testing. The Weak form has been partially verified in the DAO setting (W1 + W2 solved → W3 remains open). The Linux substitute path provides a substitute path for W1 without negating the three-walls framework.
§ 7. Integration with Article 01 and Article 02
The present article is the third research article of the doctoral series. The first two articles address accountability without identification (article 01) and civic proof concept positioning (article 02). The three articles formally articulate through the three-walls framework. This section organizes the points of articulation and presents one important reverse correction.
The point of articulation with article 01 is the political-economic foundation of W3. Article 01 argues for the possibility of the conceptual pairing “accountability does not require identification.” Accountable pseudonymity is a dual-condition design that is cryptographically implementable (threshold opening, selective disclosure) but sociologically requires a collective bearer [48]. Connecting article 01’s argument to W3 in H1’ yields the following relation: for the internal-accountability mechanism of W3 to be reached under the condition of “no external exposure of members’ actual identities,” it must take the path of accountable pseudonymity; and the possibility of accountable pseudonymity is argued in article 01 as a “political-economic achievement” because it requires the group’s willingness collectively to bear the dual condition “internally accountable upon transgression + externally pseudonymous under normal conditions,” constituting a social rather than a purely technical contract. Substituting this perspective into the failure cases of § 4 permits a reinterpretation of the W3 failures of LIHKG and Belarus. What these two cases lack is not a single cryptographic tool; more centrally, they lack the group-level institutional bearer of the political-economic burden of accountable pseudonymity.
The point of articulation with article 02: the four civic proof conditions as the normative-condition bundle for W1 + W2 + W3. Article 02 positions civic proof as the conceptual framework of a proof system through which a subject “externally claims membership + internally permits accountability + externally avoids identification,” and proposes the four conditions—anonymity / unlinkability / verifiability / accountability—as the minimum normative requirements for any civic proof candidate scheme [49]. The mapping in § 5 of the present article shows that these four conditions correspond precisely to the normative necessary conditions required by the three walls: anonymity corresponds to W1; unlinkability corresponds to the internal-external separation of W1 + W2; verifiability corresponds to W2; accountability corresponds to W3. Applying the normative framework of article 02 to the empirical hypothesis of article 03 yields the conclusion that civic proof offers a normative proposal of systematic resolution: should an engineering implementation simultaneously satisfy the four conditions, the possibility of resolving the three walls simultaneously would be opened. It must be made explicit that civic proof remains a normative proposal rather than a verified engineering implementation; in mainstream wallet / verifiable-credentials ecosystems at present, neither the internal-external separation of unlinkability nor the group-m-of-n threshold opening of accountability has become standard configuration.
Reverse correction to article 02: unlinkability must include internal-external separation. The political-philosophical argument of § 2 of the present article indicates that the conjunctive requirement of C1 (persistent identity) and C2 (group boundary) compels unlinkability into internal-external separation: externally (against non-members, against the state, against surveillance adversaries) the cross-action non-linkability of members must be preserved; internally (within the group itself) the linkability of members must be maintained for verification. The original version of article 02 describes unlinkability as “non-linkability across actions” without explicitly distinguishing external from internal. Under the framework of the present article, this description requires correction: anonymous credentials (e.g., idemix-style, fully unlinkable) violate C1 because they prevent “the same member” from being identified within the group, rendering W1 of association unattainable; pseudonymous credentials (e.g., BBS+-style / Coconut-style, unlinkable outside the group but linkable within) satisfy C1 and C2 simultaneously [50].
This reverse correction yields two proposals for subsequent revision of article 02. First, in the condition description of unlinkability, the “internal-external separation” sub-condition should be explicitly added, with “internally linkable + externally unlinkable” serving as engineering-selection guidance for any civic proof candidate scheme. Second, in article 02’s evaluation table for mainstream cryptographic tools (idemix, BBS+, AnonCreds, PCP, Privacy Pass, Tor, Verifiable Credentials Data Model, etc.), the dimension “whether compliant with the principle of internal-external separation of unlinkability” should be added. These two proposals do not weaken the civic proof normative framework of article 02; they refine that framework at the level of engineering selection.
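A toy model of the two mechanisms this section relies on, “internally linkable + externally unlinkable” pseudonyms and a group-held m-of-n threshold opening, is sketched here as an added illustration; it is not code from the article or from any cited scheme. HMAC masking and Shamir secret sharing stand in for the credential and opening schemes the article names, and all function names, the `association-A` group and the `member-0017` identity are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Toy model only: HMAC masking and Shamir sharing stand in for the credential
# and threshold-opening schemes the article names. Every identifier and sample
# value below is constructed for illustration.
PRIME = 2**127 - 1  # Mersenne prime, the field used for secret sharing


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, used as a keyed PRF."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def group_pseudonym(member_secret: bytes, group_id: bytes) -> bytes:
    """Stable inside one group, unrelated across groups."""
    return prf(member_secret, b"nym", group_id)


def wrap_action(group_key: bytes, nym: bytes, message: bytes) -> dict:
    """External form of an action: the pseudonym is masked under a fresh nonce."""
    nonce = secrets.token_bytes(16)
    tag = xor(nym, prf(group_key, b"mask", nonce))
    proof = prf(group_key, b"auth", nonce, tag, message)  # made by a key holder
    return {"nonce": nonce, "tag": tag, "proof": proof, "message": message}


def internal_view(group_key: bytes, action: dict) -> Optional[bytes]:
    """Member-side view: check the proof, then unmask the stable pseudonym."""
    # Toy limitation: the group key is shared, so members could forge each
    # other's tags; a real scheme binds actions to per-member credentials.
    expected = prf(group_key, b"auth", action["nonce"], action["tag"], action["message"])
    if not hmac.compare_digest(expected, action["proof"]):
        return None
    return xor(action["tag"], prf(group_key, b"mask", action["nonce"]))


def split_secret(secret: int, m: int, n: int) -> List[Tuple[int, int]]:
    """Shamir m-of-n: evaluate a random degree m-1 polynomial at x = 1..n."""
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares: List[Tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0; correct only with at least m shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * -xj % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def escrow_identity(opening_key: int, nym: bytes, identity: bytes) -> bytes:
    """Enrollment record: identity (at most 32 bytes) masked under the opening key."""
    if len(identity) > 32:
        raise ValueError("identity too long for this toy record")
    pad = prf(opening_key.to_bytes(16, "big"), b"escrow", nym)
    return xor(identity.ljust(32, b"\0"), pad)


def open_identity(shares: List[Tuple[int, int]], nym: bytes, record: bytes) -> bytes:
    """Threshold opening: stewards pool shares to unmask one pseudonym's record."""
    key = recover_secret(shares).to_bytes(16, "big")
    return xor(record, prf(key, b"escrow", nym)).rstrip(b"\0")


if __name__ == "__main__":
    group_key, alice = secrets.token_bytes(32), secrets.token_bytes(32)
    nym = group_pseudonym(alice, b"association-A")
    first, second = (wrap_action(group_key, nym, m) for m in (b"proposal", b"vote"))
    print("outsider sees equal tags:", first["tag"] == second["tag"])
    opening_key = secrets.randbelow(PRIME)
    shares = split_secret(opening_key, m=3, n=5)
    record = escrow_identity(opening_key, nym, b"member-0017")
    print("3 of 5 stewards open:", open_identity(shares[:3], nym, record))
```

In this toy the pooled shares rebuild the whole opening key, so one opening would expose every escrow record; a deployed design would use threshold decryption that opens a single record without reconstructing the key.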
The articulation map of the three articles. Synthesizing the foregoing points, the three doctoral articles stand in the following relation within the H1’ framework. Article 01 supplies the political-economic foundation of W3 (accountable pseudonymity as a social-contract achievement); article 02 supplies the normative-condition bundle for W1 + W2 + W3 (the four civic proof conditions, including the present article’s reverse correction on unlinkability); article 03 (the present article) supplies the empirical verification (the three-walls hypothesis + process tracing of five cases + Strong/Weak form boundaries). The three constitute the argumentative chain “normative conditions → political-economic foundation → empirical testing”; each can stand independently, but only together are they complete.
§ 8. Conclusion
The strongest reading of H0 (“insufficient identity privacy is the sole sufficient cause of the failure of digital association”) proves too strong after literature review and must be revised into the conjunctive structure H1’ = ¬F ⇔ W1 ∧ W2 ∧ W3. The three walls are W1 (persistent pseudonymity), W2 (verifiable group boundary), and W3 (internal accountability). The process tracing of five cases displays three failure patterns: α (W1 breached → upstream collapse, the Iran model); β (W1 partially solved but W2/W3 unsolved → factional fragmentation, the Hong Kong / Belarus model); γ (tool solves W1 but social-layer W2/W3 absent → low adoption, the Briar / Cwtch model); together with the Catalonia boundary (under external state suppression, medium strength across the three conditions still fails to hold). Quasi-successful cases such as DAOs, cypherpunks, SecureDrop, and Linux, once strictly reframed, do not constitute counter-examples; on the contrary, they delineate the two boundaries—the Strong form (political association + ≥10⁵ + cross-authoritarian) in which the three walls are jointly necessary, and the Weak form (financial governance + 10³–10⁴ + democratic) in which W1 + W2 are resolvable while W3 remains open. The Linux substitute path supplies, under democracy + labor-rights protection, a real-name + public-contribution-history substitute for W1; the proposition that this substitute collapses in authoritarian contexts is an inference rather than a verified claim.
The failure of digital association is not, at root, merely a problem of insufficient tools. The simultaneous unresolved state of the three walls is central. Identity privacy is only the first upstream wall: it is a necessary bottleneck; even when resolved, failure persists at the second wall (verifiable group boundary) and the third wall (internal accountability). The normative-condition bundle of civic proof corresponds precisely to the normative necessary conditions required by these three walls, providing a normative proposal for a systematic resolution. Civic proof, however, is a normative proposal, not a verified engineering implementation; no present case resolves the three walls simultaneously.
H1’, under contemporary conditions, admits only falsificationist testing (one missing condition is sufficient to fail) and not verificationist confirmation (simultaneous resolution of the three walls requires at least one case at ≥10⁵ scale across authoritarian boundaries with sustained operation, which does not exist at present). This methodological limitation is an endogenous condition of H1’, not a defect in the argument. Lakatos’s (1970) methodological treatment of scientific research programs—taking the core proposition as the hard core and approaching it through the protective belt’s handling of counter-examples—provides a workable framework for further research on H1’.
Several questions remain for subsequent research. First, the case sample of N = 5 is insufficient and should be extended to N ≥ 15, with a successful comparison group (Chile 2019 in Latin America, Ethiopia / Sudan in Africa, and post-2025 Asian cases are not covered); the coverage of Latin American and African cases is especially critical for testing the cross-geographic universality of the framework. Second, the relations between W4 (legal status), W5 (resources), W6 (leadership), and the three walls are not treated in the present article and may stand as supplementary or antecedent conditions to the three walls. Third, the strong/medium/weak scoring of the three conditions has not been operationalized; subsequent research should establish a reproducible five-point rubric with inter-rater reliability assessment. Fourth, engineering-implementation research on the four civic proof conditions: whether the existence of a wallet that simultaneously satisfies the four conditions and supports ≥10K association would falsify H1’ P4 is a line of research that article 02 and the present article can jointly advance. Fifth, the 2025–2027 scaling trajectory of the Optimism Citizens’ House would, if it reaches 10K scale with genuinely de-Foundation-ized citizen issuance, supply an opportunity for partial refutation of the weak form. Sixth, whether mashbean’s original-author intent corresponds to the strongest reading H0 awaits further confirmation through interview or cross-reference; the present article proceeds under the working assumption of the strongest reading to avoid locking the author into a particular version.
The three doctoral articles formally articulate through the three-walls framework: article 01 supplies the political-economic foundation of W3; article 02 supplies the normative-condition bundle for W1 + W2 + W3 (including the present article’s internal-external separation reverse correction on unlinkability); article 03 supplies the empirical verification and the Strong/Weak form boundaries. The next stage of integration requires the joint advancement of engineering-implementation research and N ≥ 15 cross-geographic case extension.
References
Footnotes
1. Dingledine, R., Mathewson, N., & Syverson, P. (2004). “Tor: The Second-Generation Onion Router.” USENIX Security Symposium 13. Source level A.
2. Briar Project documentation, briarproject.org; Cwtch Project documentation, cwtch.im; Sukhbaatar, B. (2017). Briar Project academic evaluation. Source level B/C.
3. Cross-case observation synthesized from Tufekci (2017) Twitter and Tear Gas; Castells (2012/2015) Networks of Outrage and Hope; Bennett & Segerberg (2013) Logic of Connective Action. Source level A.
4. Levy, S. (2001). Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital Age. Penguin. Source level A.
5. Buterin, V., Ohlhaver, P., & Weyl, E. G. (2022). “Decentralized Society: Finding Web3’s Soul.” SSRN 4105763; DuPont, Q. (2017). “Experiments in algorithmic governance: A history and ethnography of ‘The DAO’.” In Bitcoin and Beyond, ed. Campbell-Verduyn. Routledge. Source level A.
6. Lee, F. L. F., & Chan, J. M. (2018). Media and Protest Logics in the Digital Era: The Umbrella Movement in Hong Kong. Oxford University Press; Lee, F. L. F. (2020). “Solidarity in the Anti-Extradition Bill movement in Hong Kong.” Critical Asian Studies, 52(1). Source level A.
7. Briar Project documentation and Sukhbaatar (2017) observations on adoption rate; quantitative data are incomplete, and subsequent research requires GitHub stars / Play Store / interview-based fieldwork. Source level B/C.
8. Methodological basis for conditional conclusions: Lakatos, I. (1970). “Falsification and the Methodology of Scientific Research Programmes.” Source level A.
9. Arendt, H. (1958). The Human Condition. University of Chicago Press, ch. V; Arendt, H. (1963). On Revolution. Viking Press, ch. 6. Source level A.
10. Honig, B. (1993). Political Theory and the Displacement of Politics. Cornell University Press; Benhabib, S. (1996). Democracy and Difference. Princeton University Press. Source level A.
11. Tocqueville, A. de (1840). Democracy in America, vol. 2, pt. 2, chs. 5–7. Source level A.
12. Putnam, R. D. (2000). Bowling Alone: The Collapse and Revival of American Community. Simon & Schuster; Skocpol, T. (2003). Diminished Democracy: From Membership to Management in American Civic Life. University of Oklahoma Press. Source level A.
13. Rosenblum, N. L. (2008). On the Side of the Angels: An Appreciation of Parties and Partisanship. Princeton University Press. Source level A.
14. NAACP v. Alabama ex rel. Patterson, 357 U.S. 449 (1958); Roberts v. United States Jaycees, 468 U.S. 609 (1984); Boy Scouts of America v. Dale, 530 U.S. 640 (2000). Primary sources, level A.
15. Inazu, J. D. (2012). Liberty’s Refuge: The Forgotten Freedom of Assembly. Yale University Press. Source level A.
16. Kelty, C. M. (2008). Two Bits: The Cultural Significance of Free Software. Duke University Press; Lerner, J., & Tirole, J. (2002). “The Open Source Movement.” Journal of Industrial Economics. Source level A.
17. The lineage interpretation of narrative continuity is synthesized from Honig (1993) and Benhabib (1996), and extends Arendt’s concept of action as “self-disclosure in public space.” Source level A (foundational texts) + B (extended inference).
18. The technical-implementation reference for the internal-external separation principle draws on BBS+ signatures and Coconut and other selective-disclosure credentials; the distinction between anonymous and pseudonymous credentials is the present article’s reverse correction to article 02. Source level B (synthetic inference).
19. Bennett, W. L., & Segerberg, A. (2013). The Logic of Connective Action: Digital Media and the Personalization of Contentious Politics. Cambridge University Press. Source level A.
20. Tufekci, Z. (2017). Twitter and Tear Gas: The Power and Fragility of Networked Protest. Yale University Press. Source level A.
21. Castells, M. (2012/2015). Networks of Outrage and Hope: Social Movements in the Internet Age. Polity. Source level A.
22. Earl, J., & Kimport, K. (2011). Digitally Enabled Social Change. MIT Press. Source level A.
23. Polletta, F. (2002). Freedom Is an Endless Meeting: Democracy in American Social Movements. University of Chicago Press. Source level A.
24. Diani, M., & McAdam, D. (Eds.). (2003). Social Movements and Networks: Relational Approaches to Collective Action. Oxford University Press. Source level A.
25. Karpf, D. (2012). The MoveOn Effect: The Unexpected Transformation of American Political Advocacy. Oxford University Press. Source level A.
26. Howard, P. N., & Hussain, M. M. (2013). Democracy’s Fourth Wave? Digital Media and the Arab Spring. Oxford University Press; the historical account of the UGTT skeleton is provided in the book’s ch. 5 on the Tunisia case. Source level A.
27. Anduiza, E., Cristancho, C., & Sabucedo, J. M. (2014). “Mobilization through online social networks: the political protest of the indignados in Spain.” Information, Communication & Society, 17(6); Lim, M. (2013). “Many Clicks but Little Sticks: Social Media Activism in Indonesia.” Journal of Contemporary Asia. Source level A/B.
28. Sreberny, A., & Khiabany, G. (2010). Blogistan: The Internet and Politics in Iran. I.B. Tauris; Khamis, S., & Vaughn, K. (2011). “Cyberactivism in the Egyptian Revolution.” Arab Media & Society. Source level A/B.
29. Factional-fragmentation observations are synthesized from Lee (2020) and Yuen (2020); Yuen, S. (2020). “Hong Kong After the Anti-Extradition Bill Movement.” Hong Kong Studies. Source level A.
30. Lee & Chan (2018), supra n. 6.
31. Crameri, K. (2014). Goodbye, Spain? The Question of Independence for Catalonia. Sussex Academic; Della Porta, D., et al. (2017). Movement Parties Against Austerity. Polity; Vocdoni Catalonia case documentation, vocdoni.io. Source level A/B/C.
32. Wilson, A. (2021). Belarus: The Last European Dictatorship (updated ed.). Yale University Press; Tikhanovskaya organizing platforms documentation. Source level A/C.
33. Briar Project documentation, supra n. 2; Cwtch Project documentation, supra n. 2.
34. Adoption-rate observations are synthesized from Sukhbaatar (2017) and Briar Project public documentation; quantitative data are incomplete and require further research. Source level B/C.
35. Cappelen, H. (2018). Fixing Language: An Essay on Conceptual Engineering. Oxford University Press. Source level A.
36. MakerDAO MIPs public governance documents; Compound governance forums; Uniswap governance forum and related governance-record analyses. Source level C (primary governance records).
37. Article 02, civic proof concept positioning (second research article of the doctoral series, 2026), arguing for the normative necessity of the four conditions of anonymity / unlinkability / verifiability / accountability.
38. Article 01, accountability without identification (first research article of the doctoral series, 2026), arguing for accountable pseudonymity as a political-economic achievement rather than a purely technical achievement.
39. Article 02, supra n. 37.
40. Engineering-implementation evaluation references: Schneider, N. (2022). Governable Spaces. University of California Press; Hassan, S., & De Filippi, P. (2021). “Decentralized Autonomous Organization.” Internet Policy Review, 10(2). Source level A.
41. Lakatos (1970), supra n. 8.
42. Buterin, V. (2021). “Moving beyond coin voting governance.” vitalik.eth.limo; MakerDAO MIPs public governance documents, supra n. 36. Source level A/C.
43. Hassan & De Filippi (2021), supra n. 40; Schneider (2022), supra n. 40; Buterin (2021), supra n. 42.
44. Optimism Citizens’ House 2024–2025 governance documentation, optimism.io/governance; RetroPGF 2–4 public evaluations. Source level C.
45. Levy (2001), supra n. 4; Coleman, G. (2014). Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous. Verso; Beyer, J. L. (2014). Expect Us: Online Communities and Political Mobilization. Oxford University Press. Source level A.
46. SecureDrop deployment data, securedrop.org; deployment records across 70+ news organizations. Source level C.
47. Kelty (2008), supra n. 16; Lerner & Tirole (2002), supra n. 16.
48. Article 01, supra n. 38; the extended argument for the political-economic foundation of W3 appears in §§ 3–5 of that article.
49. Article 02, supra n. 37; the systematic argument for the civic proof normative-condition bundle appears in §§ 2–4 of that article.
50. For the internal-external separation property of unlinkability in BBS+ signatures and Coconut credentials, see Camenisch et al.’s security analysis of BBS+ and Sonnino et al.’s Coconut design documentation; the present article treats this technical distinction as a reverse correction to article 02’s unlinkability condition. Source level B (synthetic inference).