Request for Startups -- Privacy Edition

Every week another AI startup launches, yet the projects that actually move the privacy needle (Signal, Mullvad, Proton, Brave) are rarer. Inspired by YC’s Request for Startups, I’d like to crowd-source a 2025 privacy gap list to spotlight where builders and contributors should focus next.

I’m specifically interested in…

  • Missing / under-maintained FOSS

  • Blind spots where “good enough” privacy simply does not exist today.

  • Overlooked communities/individuals most in need of privacy

  • Opportunities to leverage recent research development

  • Areas with new/accelerating threat models

Feel free to share pain points, stalled projects, wish lists, or “this exists but still sucks.” Hoping this inspires those looking to either contribute or start new projects to identify and respond to important challenges. Thank you!

3 Likes

Honestly, instead of more self-contained products I wanna see more standards-based interoperation. Like imagine if most messengers could interoperate because they all use MLS, that would be amazing to see. Recently I saw that Apple is going to be supporting WiFi Aware, so we’re going to have interoperable AirDrop essentially. They’re also going to be supporting the RCS standard with MLS E2EE in their messages app along with Google now so we will have inter-platform encrypted messaging by default. Any organization that’s working toward that is going to be doing a lot of good I feel.

A huge privacy gap currently is in payments, we recently saw the launch of GNU Taler which promises private payments and importantly isn’t a new currency, it works with existing currencies. I’d love to see wider adoption of it but that’ll be up to governments I think.

We’re currently seeing some VPN providers adding anti-AI traffic analysis to their products like Mullvad’s DAITA. It seems like the kind of thing that will eventually be standardized but it’s still being hammered out and improved.

A big thing during protests is a need for connectivity that’s not centrally controlled so that it can’t easily be shut off or censored. I’ve seen a few projects like Meshtastic and Briar that try to do the mesh network idea but it doesn’t seem like a lot of research or optimization has gone into it. A very simple and efficient mesh network that can be deployed using cheap hardware would be good to support.

Beyond all that, wider adoption of Privacy Enhancing Technologies by as many organizations as possible would do a lot of good I feel.

6 Likes

Mullvad’s DAITA seems really interesting, but I wonder if it really works? I also don’t see a way to enable that at the router level if I set up Mullvad there. DAITA seems to be only available via Mullvad’s apps on Android and iOS.

We need that cellphone OEM that the GrapheneOS devs would support.

We need a better Calendar and Contacts DAV sync service (that isn’t self-hosted like Nextcloud).

4 Likes

Me too, I think we’ll only know over time with rigorous testing and standardization.

Is there even a desire for standardization? I’m most likely going to stick with using Mullvad for a while. I’ll probably continue using Proton at the router level. Most likely I’ll use Mullvad with an app so that I can use DAITA. It would be nice if Mullvad could bring these features to the router level.

I am also skeptical of solutions like DAITA or other AI-enabled obfuscation of WireGuard.

I think a stronger approach, taken by @obscuracarl and others, might be something that resembles MASQUE, where proxied traffic is disguised to resemble benign web traffic closely enough to create collateral freedom.

2 Likes

Is it even possible to have newer OEMs fit their standards? Unlike larger companies, startups simply don’t have the resources to support their older devices.

For example, look at the Nothing and Fairphone phones having lackluster support for updates despite promises. Or the countless brands out there that had shut down due to limited sales numbers. It’s difficult running a business in such a competitive market.

Unless you are Samsung, Apple, or Oppo, the smartphone is most likely not a significant driver of your business. The only reason the Pixel is even kept alive by Google is because it also develops Android.

3 Likes