Web merchants routinely leak data about Bitcoin purchases (technologyreview.com)
158 points by sgoldfed on Aug 23, 2017 | hide | past | web | favorite | 54 comments

I'm a co-author of this paper. It's available here: https://arxiv.org/pdf/1708.04748.pdf

The surprise here isn't that Bitcoin isn't perfectly anonymous. There are two new findings. The first is the extent to which your Bitcoin payment details get leaked to third party trackers. I've been writing about the excesses of third party tracking for years [1], and I'm pretty jaded, but the extent of the leaks surprised me.

The second main finding is that CoinJoin isn't enough to protect yourself. We tested this on our own transactions, but also by coming up with a way to identify essentially all existing CoinJoins on the blockchain and analyzing their anonymity.

[1] http://randomwalker.info/web-privacy/
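As an added illustration of the two ideas in the comment above (flagging CoinJoin-shaped transactions on the chain, then intersecting the candidate payers of several leaked CoinJoin payments), the following is example code written for this thread. It is not the paper's tooling and not code from any poster: the equal-output rule is one common chain-analysis heuristic, assumed here rather than taken from the paper, and the transactions, owner labels and leaks are constructed toy data where each "owner" stands in for an address cluster an analyst would already have built.

```python
"""Heuristic CoinJoin detection plus a simplified cluster-intersection attack.

Added example for the HN thread, not code from the paper or its authors.
All transactions below are constructed; 'owner' labels stand in for address
clusters (e.g. from the common-input-ownership heuristic) built beforehand.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple   # (owner_cluster, satoshi) per input
    outputs: tuple  # (address, satoshi) per output


def is_coinjoin(tx: Tx, min_participants: int = 2) -> bool:
    """Equal-output heuristic (an assumption: a common chain-analysis rule,
    not the paper's classifier). A CoinJoin pays each participant the same
    denomination, so flag a tx with >= min_participants outputs of identical
    value and at least that many inputs. Batched payouts of equal amounts
    are a known false positive, so treat a hit as a candidate, not proof."""
    if not tx.outputs:
        return False
    _, n_equal = Counter(v for _, v in tx.outputs).most_common(1)[0]
    return n_equal >= min_participants and len(tx.inputs) >= n_equal


def anonymity_set(tx: Tx) -> frozenset:
    """From the chain alone, any input cluster could have paid any output."""
    return frozenset(owner for owner, _ in tx.inputs)


def scan_chain(txs) -> list:
    """txids that look like CoinJoins, in chain order."""
    return [tx.txid for tx in txs if is_coinjoin(tx)]


def intersection_attack(txs, leaked_payments) -> frozenset:
    """leaked_payments: (txid, output_address) pairs a third-party tracker
    tied to one person, e.g. because the same tracking cookie was present at
    every merchant checkout. Each CoinJoin on its own only yields a set of
    candidate payers; intersecting the sets across leaks shrinks it, and a
    single survivor is a deanonymization. A plain (non-CoinJoin) payment in
    the list has a one-element set and collapses the intersection at once."""
    by_id = {tx.txid: tx for tx in txs}
    survivors = None
    for txid, addr in leaked_payments:
        tx = by_id[txid]
        if addr not in {a for a, _ in tx.outputs}:
            raise ValueError(f"{addr} is not an output of {txid}")
        s = anonymity_set(tx)
        survivors = s if survivors is None else survivors & s
    return survivors if survivors is not None else frozenset()


# Constructed toy chain: three 50,000-satoshi CoinJoins and one plain payment.
CJ1 = Tx("cj1", (("alice", 60_000), ("bob", 55_000), ("carol", 70_000)),
         (("m1", 50_000), ("m2", 50_000), ("m3", 50_000),
          ("alice-chg", 9_000), ("bob-chg", 4_000), ("carol-chg", 19_000)))
CJ2 = Tx("cj2", (("alice", 52_000), ("dave", 51_000)),
         (("m4", 50_000), ("m5", 50_000), ("alice-chg2", 1_500), ("dave-chg", 500)))
CJ3 = Tx("cj3", (("alice", 58_000), ("erin", 53_000), ("bob", 54_000)),
         (("m6", 50_000), ("m7", 50_000), ("m8", 50_000),
          ("alice-chg3", 7_500), ("erin-chg", 2_500), ("bob-chg2", 3_500)))
PLAIN = Tx("p1", (("frank", 100_000),), (("shop", 30_000), ("frank-chg", 69_500)))
CHAIN = [CJ1, CJ2, CJ3, PLAIN]

# Constructed tracker view: the same cookie was seen paying m1, m4 and m7.
LEAKS = [("cj1", "m1"), ("cj2", "m4"), ("cj3", "m7")]

if __name__ == "__main__":
    print("CoinJoin candidates:", scan_chain(CHAIN))
    for n in range(1, len(LEAKS) + 1):
        print(f"after {n} leak(s):", sorted(intersection_attack(CHAIN, LEAKS[:n])))
```

Run stand-alone it prints the candidate list and the anonymity set shrinking from three names to one as each additional leaked checkout is intersected; the point is that each CoinJoin is fine in isolation and the damage comes from the tracker correlating several of them.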

thanks for sharing the paper, do you have any plans for a similar study on Monero transactions?

I'd also like to know this

Seems like a good business opportunity to develop and offer a privacy shield service for customers who care.

Is that already what a Tumbler does?

or just use cryptocurrencies that support anonymous transactions?

That is not the point.

Even if you have a 100% anonymous cryptocurrency, you are spending it on a site that has information about you and your activities on that site. If you are dealing with physical items, it has your address.

Agreed. However, if someone is leaking your physical address, they really don't need bitcoin addresses at all. They can just join on your address :)

This made me curious about the feasibility of an anonymous postal service. One which you pay for with x-coin, with no identity attached, and you get physical deliveries at that address (placed into a box only you can access, maybe with some sort of private key).

With the security cams and all it might be hard, but probably not impossible if enough people are using it.


If you want "100% anonymity", you make sure that sites have no information about your meatspace identity. You certainly don't share your address. If you're leasing a VPS or whatever, you invent some persona for the account, and SSH via chained VPN services and Tor.

And connect that through a quadcopter mesh network to your local Starbucks ISP. Also make sure you don't pick up your delivery until a month after it's shipped, just in case it's being watched.

The point is you can take as many precautions as you want, but you'll never attain 100% anonymity. You get diminishing returns after a while.

The main point is that having stuff delivered is the major risk. Using Tor through nested VPN chains is easy. I can't imagine "quadcopter mesh network". That would attract too much attention, I think.

Doesn't matter, nobody would know where you are, just the quadcopters. You could use dozens of drones if you want obscurity and to strengthen the mesh network. I was also joking.

You pay a runner to make collections, make sure they don't know anything about you. Add runners like you add VPNs.

Definitely use an open WiFi, definitely not your local Starbucks.

What are you shifting to make all that subterfuge worthwhile? Other people are likely going to be your weak link.

The idea of using runners seems iffy. Too many people to trust. As you say, "Other people are likely going to be your weak link."

Yeah, that is what I keep saying every time these "bitcoin is not anonymous" stories pop up. Ditch it and use a cryptocurrency that was designed, engineered and built with anonymity and privacy in mind, like Monero.

dang, would be nice to change title/link to the paper (https://arxiv.org/abs/1708.04748 for non-PDF link). Too much commentary here is reacting to the article title.

(By dang I of course mean https://news.ycombinator.com/user?id=dang)

The article seems ok so perhaps we'll try changing the title to the subtitle instead.

It's been clear for years that Bitcoin transactions aren't anonymous, and that web tracking is pervasive. To use Bitcoin anonymously, one must use mixers, such as Bitcoin Fog. CoinJoin just doesn't cut it.[0] With mixers, you get totally unrelated Bitcoin. Also, one must use VPN services and/or Tor, to avoid tracking. It's rather misleading to write a paper like this without letting users know how to do it right.

0) https://www.reddit.com/r/joinmarket/comments/6d60f0/coinjoin...

IMHO anonymity has never been Bitcoin's strength, and we must stop pretending that BTC is the right tool for transactions that need to be private. At best, Bitcoin is pseudonymous.

Other currencies have attempted to fix this problem, such as Zcash. But I think it will be hard to escape the volumes of metadata created through transactions on merchant websites. Ultimately, your spending habits and browser cookies will say more about you than your BTC address.

Sure, but it's quite nice that any random passerby who happens to look at the Monero blockchain has no idea what you've spent and where. If there's something like bitcoin's "new address per transaction" for Monero, they won't be able to tell anything even if they have data from all the merchants.

Monero should be treated like the beta software it is. There have been vulnerabilities in the past to remove anonymity and there will be in the future. I would at least give it 5 years & a lot more adoption to start trusting it somewhat.

The only Monero software in beta is the GUI which no one has reported any major issues with, and the CLI is just fine.

There hasn't been any vulnerabilities in the code affecting anonymity. Saying there will be vulnerabilities in the future is FUD.

Trust is a personal preference, but the code is open to all to analyze.

This is an incredibly naïve point of view.

> Saying there will be vulnerabilities in the future is FUD.

Saying there will be vulnerabilities is 99.99% likely to be true. All software written by humans is highly likely to have mistakes. Remember Heartbleed? The code was open for all to analyze and used by millions, and yet we recently found a vuln that allowed attackers to dump the entire memory of a server. Open source is no guarantee against vulnerabilities.

Default assumption should always be that there will be vulnerabilities.

I'll just throw this out here because I still need feedback. https://www.comsys.rwth-aachen.de/fileadmin/papers/2017/2017... I think anonymous CoinJoin transactions are possible and could be the default in Bitcoin.

I'm new to cryptocurrency and it astounds me the amount of information I have to hand over just in order to buy currency on an exchange. Presumably this is a source of de-anonymization? I thought the whole point was that you don't have to give away information to a third party?

Does anyone know how to get cryptocurrency without going through this process? Is there a way just to buy cryptocurrency with a simple credit card transaction?

US KYC law mandates all that. And exchanges have US customers, so they follow KYC. BTC-e didn't, and the US took them down. So hey.

But anyway, it doesn't matter that your initial cryptocurrency purchase is totally not anonymous. Just use mixing services. And do that through Tor. After a couple mixes, you will have totally different Bitcoin or whatever, with no association with your initial purchase.

You can always use a site like localbitcoins for buying directly from someone. At least before you could occasionally find people willing to sell for money exchanged in real life.

Alternatively you can buy btc from bitcoin ATMs (tho some but not all ask for ID) depending on where you are.

In the US all Bitcoin ATMs are required to ask for picture ID

You mine it; either with raw compute power, or by providing services fulfilling a contract.

Of course, if you then want to sell those coins, to "cash out" into a fiat currency, you'll need to comply with the KYC laws.

Technically, the protocol is anonymous. Addresses/hashes are not human readable or, better said, you can't easily infer someone's identity/physical address/phone/nationality just by glancing at them.

Exchanges, as entry points to the network, are required to make that connection. Merchants, as the paper says, do too.

If a merchant required a certain amount to complete your transaction, and that amount came from an unknown, unregistered wallet (in the sense that you didn't acknowledge its ownership), would they legally be able to say it is coming from you?

In the end, yes, it's a technicality, because it's difficult to enter the blockchain without leaving a trace at the fiat-border. But still...

I think because of its lack of anonymity and how that helped with the recent Hansa / AlphaBay takedowns, we're going to see a big boost in use of dash/zcash/monero/anonymous-crypto-coin-du-jour once the next round of markets rise up. I'm very curious to see the regulatory response to those style of coins, as until recently they've kinda been in the shadows.

Pretty much everyone in the bitcoin community takes this knowledge for granted. If you want actual privacy go with either Monero or ZCash.

I wouldn't trust in Monero's privacy. Most of the techniques used to defeat CoinJoin would also work against Monero's ring signatures, which amount to effectively the same thing.

ZCash is definitely a different tier of privacy... or it would be if they made ZCash proofs required for every transaction. But instead they made anonymous payments opt-in and therefore your privacy can be defeated by people upstream or downstream of you.

I'm not sure I follow on the "your privacy can be defeated by people upstream or downstream of you." In ZCash, your transaction is completely indistinguishable from the other shielded transactions. The only thing the person you are paying learns is they were paid e.g. $10 by a shielded TX user. So they learn nearly nothing from upstream, and know nearly nothing to share downstream. In particular, this seems to completely negate the attack described in this paper. (Which CoinJoin does not.)

The limitation for ZCash is that shielded tx's are only 1/5th of the total number of TXs by volume, so your anonymity set is not as large as it could be. But it's likely considerably larger than the anonymity you get by mixing < 10 TX's and then doing this repeatedly both because of intersection attacks (which the attack here is) and because of the impossibility of correctly sampling the TXs to mix with.

There are a LOT of factors that could be used to de-anonymize you including frequency and time of day of transactions, wallet application identifying signatures in the transaction itself (e.g. use of fee sniping protections vs not, type of multi-sig used), patterns of usage in non-block chain services such as exchanges, etc.

You could identify a dozen or a hundred different features about a transaction or the transaction graph, then run standard machine learning tools to find clusters of usage patterns. You could then probabilistically infer connections between upstream and downstream usage patterns that implicate you.

I'm not arguing against the cryptography of zcash, which is solid as far as I'm aware. But while it does such a thorough job of bolting the front door, the window is left wide open.

So there definitely are other attack options that Zcash on its own does not protect against and in some cases cannot. The biggest being timing. Usage patterns seem to fall into that.

But do you think the fact that 1/5th of transactions are shielded actually enables more attacks on shielded TXs?

Yes because 4/5 of the transactions are revealing a LOT more than they otherwise would, thereby greatly increasing the signal to noise of other analysis techniques.

Monero uses ring signatures in conjunction with one-time stealth addresses, so even if you figured out a transaction's link to a previous transaction, you would still be stuck with stealth addresses.

This is further hardened with RingCT

Please explain how this is undermined, using techniques applicable within the last 9 months.

Is this really a flaw in bitcoin?

And I do not agree that this makes bitcoin any less anonymous. There is still the gap between key and owner that needs to be bridged before identification can take place, and I do not believe that the word anonymous guarantees no history available, only that the history cannot be linked to a person. By definition, I mean to say.

I would compare this to a headline titled "bitcoin is less secure" because of the Mt.Gox hack. Similarly not the fault of bitcoin.

It's a public ledger of every single transaction; as soon as you link your identity to some payment, the game is up, surely?

Well, one can have arbitrarily many Bitcoin wallets. I have dozens in current use. Each one is associated with an identity, at least an email address. Most of them only connect through Tor, so there's no IP address association.

But yes, if you don't compartmentalize like that, everything is linked.

You can have as many wallets as you like, but the problem is the same for all of them: getting coins into them. Transferring between wallets would obviously link them. You would have to go through a (different) convoluted way of obtaining the coins for each wallet.

Not at all. I work anonymously for Bitcoin. Under a few identities, each with its own set of wallets. And I transfer among identities using mixers. I generally mix at least twice, using throwaway intermediary identities. And each identity has its own Whonix instance.

No one who understands what bitcoin is thought it was anonymous.

Hey, at least Satoshi's identity is still unknown, so there's that!

Appreciate your work.

In a sense it's similar to talking on the phone and being recorded by a security camera. If anyone thought that using Bitcoin or any cryptocurrency for purchases magically hides any side-channel privacy leaks, I would say it's a lack of (self-)education. The reality is, with such an influx of users in the space and countless YouTube etc. channels educating without actually doing research and spreading wrong facts, we have a poor level of intro-education for new people. But that happens to any new system getting mass attention.

Yeah. Monero would solve this problem.

Who is everyone? I highly doubt that anyone that actually studied the underlying protocol had any illusions about it being anonymous.

The important thing to remember is that all transactions are public and that any linking of a single transaction will allow someone to link all other purchases / receipts with that address.

At best bitcoin is pseudo-anonymous.

More interesting is that they broke CoinJoin.
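The comment above says that linking a single transaction to an identity links every other payment and receipt on that address, and the co-author's comment earlier in the thread says the link often comes from a third-party tracker on the merchant's checkout page. As an added example written for this thread (not the paper's code and not code from any poster), the block below puts those two together: the common-input-ownership heuristic merges addresses into clusters with union-find, one constructed tracker request leaks the merchant's payment address, amount and a tracking cookie, and the matching on-chain payment then labels the payer's whole cluster with that cookie. Every address, transaction and request here is constructed; the addresses are shaped like legacy base58 addresses but are derived from labels and carry no valid checksum, and the `_trk` cookie and `pay_to`/`btc` parameters are invented names.

```python
"""One identity leak links a whole address cluster.

Added example for the HN thread, not the paper's tooling and not any
poster's code. All addresses, transactions and the tracker request are
constructed toy data.
"""
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy base58 address shape only; checksum is deliberately not validated.
BTC_ADDR = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def fake_addr(label: str) -> str:
    """Deterministic 34-char toy address derived from a label (constructed)."""
    h = hashlib.sha256(label.encode()).digest()
    return "1" + "".join(ALPHABET[b % 58] for b in h[:33])


# Constructed transaction graph: (txid, input_addresses, [(output, satoshi)])
TXS = [
    ("tx1", [fake_addr("alice-1"), fake_addr("alice-2")],
     [(fake_addr("merchant"), 1_230_000), (fake_addr("alice-change"), 770_000)]),
    ("tx2", [fake_addr("alice-change"), fake_addr("alice-3")],
     [(fake_addr("shop-2"), 500_000), (fake_addr("alice-change-2"), 200_000)]),
    ("tx3", [fake_addr("alice-3"), fake_addr("alice-2")],
     [(fake_addr("shop-3"), 900_000)]),
    # A CoinJoin: its inputs belong to different people, so the
    # common-input heuristic must be skipped for it or strangers get merged.
    ("cj1", [fake_addr("alice-cj"), fake_addr("bob-cj")],
     [(fake_addr("cj-out-1"), 100_000), (fake_addr("cj-out-2"), 100_000)]),
    ("tx4", [fake_addr("alice-1"), fake_addr("alice-cj")],
     [(fake_addr("shop-4"), 50_000)]),
]

# Constructed third-party tracker hit fired from a merchant's checkout page.
LEAKED_REQUEST = {
    "url": "https://tracker.example/collect?ev=purchase&pay_to="
           + fake_addr("merchant") + "&btc=0.0123",
    "cookie": "_trk=u-4f9c",
}


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def cluster_common_inputs(txs, coinjoin_ids=frozenset()) -> UnionFind:
    """Multi-input heuristic: addresses spent together share an owner."""
    uf = UnionFind()
    for txid, ins, _outs in txs:
        if txid in coinjoin_ids:
            continue
        for a in ins[1:]:
            uf.union(ins[0], a)
    return uf


def extract_leak(request):
    """What the tracker learns from one hit: its own user id, every
    address-shaped token in the URL, and the payment amount in satoshi."""
    query = parse_qs(urlsplit(request["url"]).query)
    user = parse_qs(request["cookie"]).get("_trk", [None])[0]
    addrs = set(BTC_ADDR.findall(request["url"]))
    sats = int(round(float(query["btc"][0]) * 1e8)) if "btc" in query else None
    return user, addrs, sats


def link_leak_to_cluster(request, txs, coinjoin_ids=frozenset()):
    """Find the on-chain payment matching the leaked address and amount,
    take its inputs, and expand them through the common-input clusters.
    Returns (tracker_user_id, set_of_linked_addresses)."""
    user, addrs, sats = extract_leak(request)
    uf = cluster_common_inputs(txs, coinjoin_ids)
    roots = set()
    for _txid, ins, outs in txs:
        if any(a in addrs and (sats is None or v == sats) for a, v in outs):
            roots.update(uf.find(a) for a in ins)
    every_input = {a for _, ins, _ in txs for a in ins}
    return user, {a for a in every_input if uf.find(a) in roots}


if __name__ == "__main__":
    user, linked = link_leak_to_cluster(LEAKED_REQUEST, TXS, coinjoin_ids={"cj1"})
    print(f"tracker user {user} is tied to {len(linked)} addresses")
```

Two caveats the code makes visible: unspent change outputs (`alice-change-2`) are not pulled in by the input heuristic alone, so a real analysis adds a change-detection step, and running the heuristic over the CoinJoin `cj1` wrongly drags `bob-cj` into Alice's cluster, which is why chain-analysis pipelines detect CoinJoins before clustering.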

Some fairly intelligent folks have had, or continue to have, this viewpoint. As an example, I was extremely delighted to meet Chris Dixon, whom I still consider to be a rather intelligent and diligent fellow. When we met, in 2013, he was all about Bitcoin and the blockchain so I tried to engage him in conversation about it. The first thing I asked was what he thought about the fact that it was being used for some fairly nefarious things, but was not, in fact, anonymous.

He was convinced it was anonymous. I attempted to bring up some points to convince him otherwise but found it to be a rather short conversation.

So, you may be as surprised as I was that it's relatively uncommon knowledge, even for intelligent and diligent technical folks, that Bitcoin != anonymous.

Bitcoin's anonymity, or lack thereof, has not changed. This article is poorly titled.

The problem is with the endpoint - the person or business you are transacting with (or the technologies they use for the interaction).

This problem will exist with any cryptocurrency if the endpoints still operate the same.

Bitcoin was never claimed to be "anonymous." It operates under a privacy model called "pseudonymity," which was described elegantly in Satoshi's white paper.

The distinction is important because conflating privacy in general (and pseudonymity in particular) with anonymity is one way people get into trouble.

Read the paper. This isn't what is being covered here.
