

Bitcoin is Not Anonymous - harrigan
http://anonymity-in-bitcoin.blogspot.com/2011/07/bitcoin-is-not-anonymous.html
TL;DR: Bitcoin is not inherently anonymous. It may be possible to conduct transactions in such a way so as to obscure your identity, but, in many cases, users and their transactions can be identified.
======
feral
I'm one of the authors.

This work is about looking at the Bitcoin transaction history as a network,
and investigating privacy and anonymity, in practice, on it - something
there's been a good bit of discussion around recently.

You can see a lot of non-obvious things, when you 'collapse' addresses, as we
describe in the paper, and look at it as a network.

We're not really talking about the extent to which Bitcoin itself is useful as
a currency, or investment - that's a whole other topic, and a big one.

If anyone has any questions on the work we did, if you post them here or on
the blog, I'll try and answer.

~~~
randomwalker
This is very nice work, thank you. I've only had time to skim the paper;
pardon me if these questions are answered therein:

1. You stop short of actually identifying the thief; is this primarily due to
ethical concerns or the paucity of off-network information? Could you
speculate on whether non-public information available to law enforcement would
be enough to resolve the thief's identity?

2. How easy is it for users to protect themselves to foil your analysis
techniques? Could client software automate some of these obfuscation
mechanisms?

Incidentally, you cite my Netflix work, but my work on deanonymizing social
networks based on topology
(<http://33bits.org/2011/03/09/link-prediction-by-de-anonymization-how-we-won-the-kaggle-social-network-challenge/>,
<http://33bits.org/2009/03/19/de-anonymizing-social-networks/>) might be more
relevant, and some of the techniques potentially applicable to deanonymization
of the bitcoin transaction network if and when it grows larger and gains a
more substantial resemblance to the network of real-life relationships.

~~~
feral
Those are great questions.

1) We made a decision that the purpose of this specific work was to illustrate
anonymity pitfalls, for the benefit of users generally, and not to
de-anonymise any individual users.

As such, we haven't dug deep to try and identify the thief. We've just
examined the theft as a case study, to show that specific flows can be
followed in practice.

We think that law enforcement would have, at the least, some leads to follow,
if they used similar analysis techniques - we could also have looked deeper
into this incident, but didn't.

We can't speculate on whether there's enough information to identify the thief
- a lot would depend on whether the leads panned out, and on what sort of
assumptions the thief made about trying to hide their identity - outside the
scope of this work.

2) I think that some of our analysis would be possible to foil. It's probably
possible for client software to avoid a lot of the account 'linking' that is
due to transaction inputs being merged, perhaps by breaking the connected
components formed, by putting merged Bitcoins through intermediate accounts,
or perhaps by supporting mixing of some form.

There are other leakages, of off-network information, such as the Bitcoin
Faucet displaying IPs, that could trivially be turned off.

But as to whether this would render Bitcoin anonymous overall, it is very hard
to say. It is extremely difficult to get anonymity into your system, unless it
has been an explicit design goal; and it would be possible to take this kind
of analysis much further than we did.

Thanks for the tip about the paper - we should probably reference it. That was
nice work - it occurred to me it was possible to use such a strategy when the
competition was announced, and when we saw the results, we knew someone had!
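
The input-merging linkage described in point 2 above, as an added example that is not from the paper or from anyone in this thread: a Python sketch that treats all addresses spent together as inputs of one transaction as one entity, takes the connected components with union-find, and collapses the transaction list into flows between entities. The transactions, address labels and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not real transactions): input addresses spent
# together, and (address, amount) outputs.
TXS = [
    {"inputs": ["A1", "A2"], "outputs": [("B1", 5)]},
    {"inputs": ["A2", "A3"], "outputs": [("C1", 2)]},
    {"inputs": ["B1"],       "outputs": [("A4", 1)]},
    {"inputs": ["A4"],       "outputs": [("C1", 1)]},
    {"inputs": ["C1", "C2"], "outputs": [("B1", 3)]},
]


def find(parent, addr):
    """Return the representative of addr's set (with path compression)."""
    parent.setdefault(addr, addr)
    while parent[addr] != addr:
        parent[addr] = parent[parent[addr]]
        addr = parent[addr]
    return addr


def cluster_addresses(txs):
    """Merge the input addresses of each transaction into one cluster."""
    parent = {}
    for tx in txs:
        root = find(parent, tx["inputs"][0])
        for addr in tx["inputs"][1:]:
            parent[find(parent, addr)] = root   # co-spent, so same entity
        for addr, _ in tx["outputs"]:
            find(parent, addr)                  # register output-only addresses
    groups = defaultdict(set)
    for addr in parent:
        groups[find(parent, addr)].add(addr)
    return sorted(sorted(g) for g in groups.values())


def entity_flows(txs):
    """Collapse addresses into clusters and sum the value moved between them."""
    clusters = cluster_addresses(txs)
    owner = {a: i for i, c in enumerate(clusters) for a in c}
    flows = defaultdict(int)
    for tx in txs:
        src = owner[tx["inputs"][0]]            # all inputs share one cluster
        for addr, amount in tx["outputs"]:
            flows[(src, owner[addr])] += amount
    return clusters, dict(flows)


if __name__ == "__main__":
    clusters, flows = entity_flows(TXS)
    print(clusters)
    print(flows)
```

In the sample, A1, A2 and A3 end up in one cluster because A2 is co-spent with each of the others, while A4 is only ever spent alone and so stays a separate vertex under this heuristic.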

~~~
coderrr
"2) I think that some of our analysis would be possible to foil. It's probably
possible for client software to avoid a lot of the account 'linking' that is
due to transaction inputs being merged,"

I already did some work on this:

<http://coderrr.wordpress.com/2011/06/30/patching-the-bitcoin-client-to-make-it-more-anonymous/>

~~~
feral
That's really nice work.

I think it should be adopted by the official client, and, ideally, the users
educated as to its usage; it would mitigate a lot of the entity resolution,
which our work shows is a widespread problem.

------
gigantor
Of course Bitcoin is not anonymous. The moment you make a purchase that
contains some personal information about you (whether your name, IP, address,
etc.) with your current wallet, any future purchases can be mapped back to you
using your purchase graph. Difficult, yes, but the frequent intent with
security is not to stop things cold in its tracks, but to make it such a chore
to thwart all but the most dedicated intruders.

But that's not the point of Bitcoin's anonymous capabilities. The relative
ease with which you can create multiple wallets and keep your questionable Silk
Road and Wikileaks donation purchases separate, as opposed to creating
multiple offshore bank accounts in Switzerland, can establish a high degree of
anonymity. Almost like how drug dealers use prepaid cell phones and discard
them for new ones the moment they suspect something is compromised.

~~~
danenania
Could a service that creates a new 'wallet' for every single transaction
provide effectively unbreakable anonymity? Forgive me if the question doesn't
make sense... I haven't used bitcoin.

~~~
xtacy
Even if it was possible to create new wallets for every transaction, wouldn't
you want to spend it somehow? Then, the "flow" of cash from a subset of
wallets at the same time indicates _something_.

~~~
Zumzoa
A system could create, manage and automate a 'cloud' of several hundred
wallets, all shifting small amounts of money around at random intervals. When
the owner decided to make a particular payment, he could set a target sum to
be accumulated by a single wallet, and within a few hours (or days), make
payment from there.

Once this system had a few users, the difficulty of tracing any particular
wallet 'owner' would be significant.

~~~
Dylan16807
If these nodes aren't shared between users then you're not really getting
anything more than minor obfuscation. If they _are_ shared then you in fact
have a third party cloudbank that hopefully is trustworthy and the money cloud
aspect is a distraction that doesn't provide any benefits.

------
hasanove
<https://en.bitcoin.it/wiki/Anonymity> says pretty much the same, though in
general terms

"The main problem is that every transaction is publicly logged. Anyone can see
the flow of Bitcoins from address to address (see first image). Alone, this
information can't identify anyone because the addresses are just random
numbers. However, if any of the addresses in a transaction's past or future
can be tied to an actual identity, it might be possible to work from that
point and figure out who owns all of the other addresses. This identity
information might come from network analysis, surveillance, or just Googling
the address. The officially-encouraged practice of using a new address for
every transaction is designed to make this attack more difficult."

Not that you are saying they claimed otherwise and it is exactly your article
that made me look through this page in detail, so thanks for that.

~~~
feral
Yes, absolutely.

We actually wrote a sentence in our paper addressing this: "While there is an
understanding amongst Bitcoin’s technical users that anonymity is not a
prominent design goal of the system, we believe that this awareness is not
shared throughout the community."

Also, there is a gap between 'might be possible to work from that point' and
actually trying to do it; and it is this gap that a lot of Bitcoin users are
counting on. The idea is out there that while it might be possible to tie
things together in theory, it's really not doable in practice.

The discussion mentioned on this blog, and the post it's replying to, is an
interesting example of the uncertainty that's out there, even among very tech
savvy users: <http://blogs.forbes.com/timothylee/2011/07/14/advanced-bitcoin-anonymity/>

So, we knew that Bitcoin didn't try to make hard guarantees of anonymity, but we
wondered how well analysis would work in practice; and it turned out to
work much better than we expected.

The problem of linking accounts, too, turned out to give us a lot more
information than we think most people would have expected.

We aren't trying to claim any more than that - some people will read this and
say 'huh, obvious' but we think a large number of people will also be
surprised this practically worked - we were.

------
lukesandberg
I don't understand why someone would hold a large amount of money in BTC. The
only real value I see for BTC is in secure online transactions. Basically a
'last mile' currency that should be used much like cash. So having some money
in BTC would make sense (say < $200 US) just for the convenience of secure
online purchases. But why would someone transfer a large amount of wealth into
BTC? It seems like the digital equivalent of stuffing your money into your
mattress. Am I wrong on this? Is there some major benefit that I'm missing?

~~~
nazgulnarsil
Bitcoin represents a set of capabilities that haven't been combined before.
People believe that the market hasn't discovered the correct market price for
this set of capabilities yet.

~~~
adrianwaj
I totally agree.

There has been some criticism of bitcoin's technical aspects. I just wanted to
post a thought I've been having for the last week or two, given your great
answer (perhaps you could respond):

If someone creates a better cryptocurrency than bitcoin, they should lock in a
1:1 exchange with bitcoin - so give 1 bitcoin and get 1 of the new currency
back. At any time, one can recall bitcoins with the new currency at the same
1:1 rate. This way current bitcoin holders don't lose out to the new currency.
There might be a minuscule commission to the creator.

One issue in uptake is trusting the issuer of this new currency to stick
around to make good on their promise.

One weakness I see with bitcoin is speed of transactions across the network.

~~~
asdfaoeu
That would just be a centralised version of bitcoin which is pretty much
equivalent to PayPal or any of the many clones.

~~~
adrianwaj
There is a centralized aspect to it, a fixed-rate exchange. Sort of like
having Mt Gox lock in an exchange rate and promising not to shut down and
being on the other side of all trades.

------
dfc
Bitcoin is pseudonymous. I have always been a little irritated that the
developers have not tried to dispel the myth that it is anonymous. I am not
sure if they ever said it was anonymous but they do not do enough (in my
opinion) to stress that it is not anonymous.

~~~
atnnn
All transactions are public.

It is one of the central ideas behind bitcoin and leaves no doubt about the
anonymity of the transactions.

It is a well publicised idea and it is even mentioned on the main page of the
bitcoin wiki (<http://bitcoin.it>).

~~~
feral
The fact that the transactions are public is a separate issue vs. whether they
are anonymous.

The reason people think Bitcoin is anonymous is because they think that
identities cannot be linked to the addresses involved in the public
transactions.

------
Groxx
Awesome depth, many many thanks for the analysis! I'll definitely be reading
this more thoroughly when I'm more awake :)

The moral of the story is still what it's always been, and it's a two-parter:
1) anonymity is only as anonymous as how you use it. And, because Bitcoin's
transaction history is public, it's _very very hard_ to use it truly
anonymously. And 2) _very_ few people go to even reasonable lengths to stay
anonymous. For most, I simply doubt they think it's worth the effort - why
anonymize legitimate use?

------
seanalltogether
I imagine it will be much harder to track the flow of bitcoins as soon as
larger laundering services start popping up. For instance if a major poker
site switched entirely to bitcoin then it would be very easy for someone
to stash a large amount of coins in the service and pull them out slowly over
time to a separate wallet. Right now it's hard to stay anonymous because there
are no large anonymous entities processing transactions to hide your own
transactions within.

------
jsmcgd
"We contract all vertices whose corresponding public-keys belong to the same
user." How?

------
drivebyacct2
Okay, it's not anonymous but it's easy to receive money at a wallet that is
otherwise unidentifiable (and thus can be sent in a way equally unlinked to
your real identity or public wallet endpoint).

