
Web merchants routinely leak data about Bitcoin purchases - sgoldfed
https://www.technologyreview.com/s/608716/bitcoin-transactions-arent-as-anonymous-as-everyone-hoped/
======
randomwalker
I'm a co-author of this paper. It's available here:
[https://arxiv.org/pdf/1708.04748.pdf](https://arxiv.org/pdf/1708.04748.pdf)

The surprise here isn't that Bitcoin isn't perfectly anonymous. There are two
new findings. The first is the extent to which your Bitcoin payment details
get leaked to third party trackers. I've been writing about the excesses of
third party tracking for years [1], and I'm pretty jaded, but the extent of
the leaks surprised me.

The second main finding is that CoinJoin isn't enough to protect yourself. We
tested this on our own transactions, but also by coming up with a way to
identify essentially all existing CoinJoins on the blockchain and analyzing
their anonymity.

[1] [http://randomwalker.info/web-privacy/](http://randomwalker.info/web-privacy/)

~~~
godzillabrennus
Seems like a good business opportunity to develop and offer a privacy shield
service for customers who care.

~~~
tehlike
or just use cryptocurrencies that support anonymous transactions?

~~~
mathrawka
That is not the point.

Even if you have a 100% anonymous cryptocurrency, you are spending it on a
site that has information about you and your activities on that site. If you
are dealing with physical items, it has your address.

~~~
tehlike
Agreed. However, if someone is leaking your physical address, they really
don't need bitcoin addresses at all. They can just join on your address :)

This made me curious about the feasibility of an anonymous postal service. One
which you pay for with x-coin, with no identity attached, and you get physical
deliveries at that address (placed into a box only you can access, maybe with
some sort of private key).

With the security cams and all it might be hard, but probably not impossible
if enough people are using it.

Thoughts?

------
schuetze
IMHO anonymity has never been Bitcoin's strength, and we must stop pretending
that BTC is the right tool for transactions that need to be private. At best,
Bitcoin is pseudonymous.

Other currencies have attempted to fix this problem, such as Zcash. But I
think it will be hard to escape the volumes of metadata created through
transactions on merchant websites. Ultimately, your spending habits and
browser cookies will say more about you than your BTC address.

~~~
StavrosK
Sure, but it's quite nice that any random passerby who happens to look at the
Monero blockchain has no idea what you've spent and where. If there's
something like bitcoin's "new address per transaction" for Monero, they won't
be able to tell anything even if they have data from all the merchants.

~~~
mahyarm
Monero should be treated like the beta software it is. There have been
vulnerabilities in the past to remove anonymity and there will be in the
future. I would at least give it 5 years & a lot more adoption to start
trusting it somewhat.

~~~
Casseres
The only Monero software in beta is the GUI which no one has reported any
major issues with, and the CLI is just fine.

There haven't been any vulnerabilities in the code affecting anonymity. Saying
there will be vulnerabilities in the future is FUD.

Trust is a personal preference, but the code is open to all to analyze.

~~~
kahnpro
This is an incredibly naïve point of view.

> Saying there will be vulnerabilities in the future is FUD.

Saying there will be vulnerabilities is 99.99% likely to be true. All software
written by humans is highly likely to have mistakes. Remember Heartbleed? The
code was open for all to analyze and used by millions, and yet we recently
found a vuln that allowed attackers to dump the entire memory of a server.
Open source is no guarantee against vulnerabilities.

Default assumption should always be that there will be vulnerabilities.

------
maufl
I'll just throw this out here because I still need feedback.
[https://www.comsys.rwth-aachen.de/fileadmin/papers/2017/2017...](https://www.comsys.rwth-aachen.de/fileadmin/papers/2017/2017-maurer-trustcom-coinjoin.pdf) I think
anonymous CoinJoin transactions are possible and could be the default in
Bitcoin.

------
neuro_imager
I'm new to cryptocurrency and it astounds me the amount of information I have
to hand over just in order to buy currency on an exchange. Presumably this is
a source of de-anonymization? I thought the whole point was that you don't
have to give away information to a third party?

Does anyone know how to get cryptocurrency without going through this process?
Is there a way just to buy cryptocurrency with a simple credit card
transaction?

~~~
Tenoke
You can always use a site like localbitcoins for buying directly from someone.
At least before you could occasionally find people willing to sell for money
exchanged in real life.

Alternatively you can buy btc from bitcoin ATMs (tho some but not all ask for
ID) depending on where you are.

~~~
novalis78
In the US all Bitcoin ATMs are required to ask for picture ID

------
bassman9000
Technically, the protocol is anonymous. Addresses/hashes are not human
readable or, better said, you can't easily infer someone's identity/physical
address/phone/nationality just by glancing at them.

Exchanges as entry points to the network are required to make that connection.
Merchants, as the paper says, do too.

If a merchant required a certain amount to complete your transaction, and that
amount came from an unknown, unregistered wallet (in the sense you didn't
acknowledge its ownership), would they legally be able to say it's coming from
you?

In the end, yes, it's a technicality, because it's difficult to enter the
blockchain without leaving a trace at the fiat-border. But still...

------
jjcm
I think because of its lack of anonymity and how that helped with the recent
hansa / alphabay takedowns, we're going to see a big boost in use of
dash/zcash/monero/anonymous-crypto-coin-du-jour once the next round of markets
rise up. I'm very curious to see the regulatory response to those style of
coins, as until recently they've kinda been in the shadows.

------
nicostouch
Pretty much everyone in the bitcoin community takes this knowledge for
granted. If you want actual privacy go with either Monero or ZCash.

~~~
kobeya
I wouldn't trust in Monero's privacy. Most of the techniques used to defeat
CoinJoin would also work against Monero's ring signatures, which amount to
effectively the same thing.

ZCash is definitely a different tier of privacy... or it would be if they made
ZCash proofs required for every transaction. But instead they made anonymous
payments opt-in and therefore your privacy can be defeated by people upstream
or downstream of you.

~~~
ianmiers
I'm not sure I follow on the "your privacy can be defeated by people upstream
or downstream of you." In ZCash, your transaction is completely
indistinguishable from the other shielded transactions. The only thing the
person you are paying learns is they were paid e.g. $10 by a shielded TX user.
So they learn nearly nothing from upstream, and know nearly nothing to share
downstream. In particular, this seems to completely negate the attack
described in this paper. (Which coinjoin does not).

The limitation for ZCash is that shielded tx's are only 1/5th of the total
number of TXs by volume, so your anonymity set is not as large as it could be.
But it's likely considerably larger than the anonymity you get by mixing < 10
TX's and then doing this repeatedly both because of intersection attacks
(which the attack here is) and because of the impossibility of correctly
sampling the TXs to mix with.

~~~
kobeya
There are a LOT of factors that could be used to de-anonymize you including
frequency and time of day of transactions, wallet application identifying
signatures in the transaction itself (e.g. use of fee sniping protections vs
not, type of multi-sig used), patterns of usage in non-block chain services
such as exchanges, etc.

You could identify a dozen or a hundred different features about a transaction
or the transaction graph, then run standard machine learning tools to find
clusters of usage patterns. You could then probabilistically infer connections
between upstream and downstream usage patterns that implicate you.

I'm not arguing against the cryptography of zcash, which is solid as far as
I'm aware. But while it does such a thorough job of bolting the front door,
the window is left wide open.

~~~
ianmiers
So there definitely are other attack options that Zcash on its own does not
protect against and in some cases cannot. The biggest being timing. Usage
patterns seem to fall into that.

But do you think the fact that 1/5th of transactions are shielded actually
enables more attacks on shielded TXs?

~~~
kobeya
Yes because 4/5 of the transactions are revealing a LOT more than they
otherwise would, thereby greatly increasing the signal to noise of other
analysis techniques.

------
nnfy
Is this really a flaw in bitcoin?

And I do not agree that this makes bitcoin any less anonymous. There is still
the gap between key and owner that needs to be bridged before identification
can take place, and I do not believe that the word anonymous guarantees no
history available, only that the history cannot be linked to a person. By
definition, I mean to say.

I would compare this to a headline titled "bitcoin is less secure" because of
the Mt.Gox hack. Similarly not the fault of bitcoin.

------
stuaxo
It's a public ledger of every single transaction, as soon as you link your
identity to some payment, the game is up surely?

~~~
mirimir
Well, one can have arbitrarily many Bitcoin wallets. I have dozens in current
use. Each one is associated with an identity, at least an email address. Most
of them only connect through Tor, so there's no IP address association.

But yes, if you don't compartmentalize like that, everything is linked.

~~~
joosters
You can have as many wallets as you like, but the problem is the same for all
of them: getting coins into them. Transferring between wallets would obviously
link them. You would have to go through a (different) convoluted way of
obtaining the coins for each wallet.

~~~
mirimir
Not at all. I work anonymously for Bitcoin. Under a few identities, each with
its own set of wallets. And I transfer among identities using mixers. I
generally mix at least twice, using throwaway intermediary identities. And
each identity has its own Whonix instance.

------
gnaritas
No one who understands what bitcoin is thought it was anonymous.

~~~
pen2l
Hey, at least Satoshi's identity is still unknown, so there's that!

------
kbody
Appreciate your work.

In a sense it's similar to talking on the phone and being recorded by a
security camera. If anyone thought that using Bitcoin or any cryptocurrency
for purchases magically hides any side-channel privacy leaks, I would say it's
lack of (self-)education. The reality is with such influx of users in the
space and countless YouTube etc. channels educating without actually doing
research and spreading wrong facts we have some poor level of intro-education
for new people. But that happens to any new system getting mass attention.

------
nextstep
Yeah. Monero would solve this problem.

------
jacquesm
Who is everyone? I highly doubt that anyone that actually studied the
underlying protocol had any illusions about it being anonymous.

The important thing to remember is that all transactions are public and that
_any_ linking of a single transaction will allow someone to link all other
purchases / receipts with that address.

At best bitcoin is pseudo anonymous.

~~~
wmf
More interesting is that they broke CoinJoin.

~~~
mirimir
Maybe. But see
[https://www.reddit.com/r/joinmarket/comments/6d60f0/coinjoin...](https://www.reddit.com/r/joinmarket/comments/6d60f0/coinjoin_vs_mixing/)

------
blunte
Bitcoin's anonymity, or lack thereof, has not changed. This article is poorly
titled.

The problem is with the endpoint - the person or business you are transacting
with (or the technologies they use for the interaction).

This problem will exist with any cryptocurrency if the endpoints still operate
the same.

------
apo
Bitcoin was never claimed to be "anonymous." It operates under a privacy model
called "pseudonymity," which was described elegantly in Satoshi's white paper.

The distinction is important because conflating privacy in general (and
pseudonymity in particular) with anonymity is one way people get into trouble.

~~~
UncleMeat
Read the paper. This isn't what is being covered here.

