Bitcoin and the Limits of Privacy

While anonymous transactions may be abused, protection of privacy is essential for the future of bitcoin as an alternative processing option. 

Written on: March 20


Wikipedia describes pseudonymity as "a state of disguised identity...[but] true anonymity requires unlinkability, such that an attacker's examination of the pseudonym holder's message provides no information about the holder's true name." As it pertains to bitcoin, transactions are indeed pseudonymous, sent to and from addresses that consist of random-looking letters and numbers. However, there is also an unprecedented degree of transparency in the bitcoin network, as anyone with an internet connection can view each and every historic transaction on the blockchain. We rightly expect our economic transactions to remain private, and thus the erosion of pseudonymity is a great threat to the network as a whole and to each of its individual users.

It should be self-evident why personal or professional financial transactions should be kept as anonymous as possible. We keep our money matters private for a host of reasons - to avoid arousing the jealousy of neighbors or coworkers, to hide embarrassing or secret purchases or payments, and simply because it is nobody's business how much money we have and how we spend it. One needn't resort to nasty scenarios of extortion, robbery, blackmail or kidnapping to make the case for transactional anonymity.

From a network perspective, an increasing lack of privacy is a massive threat for a couple of reasons. Bitcoin has proved its utility as an instrument for regulatory arbitrage, a method of circumventing unfavorable regulations not possible using standard payment processors. A great deal of bitcoin's demand, and most likely additional impetus for growth, depends on the ability to remain such an instrument, which itself is dependent partially on the ability to protect transactional anonymity.

Transactional anonymity might also be a prerequisite for a fungible bitcoin. Consider, for instance, the case of Chainalysis, whose stated mission of "building the compliance layer for the future of value exchange" is meant to "spot connections between digital identities...allow[ing] financial institutions to develop trust lines between them." All well and good when used to track down bitcoin thefts, but what happens if financial institutions start valuing some bitcoin more than others because of a more pristine history? Will bitcoin straight from the miner - well, depending on which miner - be considered more attractive than bitcoin that has been around the block? Will "damaged" bitcoin be worth less in highly regulated markets than in less regulated ones? So while Chainalysis, at least ostensibly, is doing this for noble reasons (and not simply because it has developed a product it does not know how to otherwise monetize), without countermeasures it could have a detrimental effect on the market.

And so we find ourselves in a game of cat and mouse in which time and new technologies offer innovative ways of finding meaning in heretofore blockchain scribbles, whilst time and new technologies offer innovative ways of keeping those scribbles scribbles. We devote the rest of this article to describing the ways in which transactions are being kept anonymous, which we hope will help inform our users' decision-making when choosing which wallet to use.

Anonymizing addresses

If each bitcoin user had a single address from which all transactions were sent and received, it would be simple to associate those transactions with one another. This is roughly how things used to be. Blockchain.info, for instance, created one address per wallet by default, which limited usage. While users could set up multiple addresses if desired, every time new addresses were created the wallet needed to be backed up again, which is a pain in the arse - and theoretically relaying each separate backup event via email presents an additional security hole. Additionally, change from transactions was, and still is, sent by default back to the sending address. For blockchain watchers, this leaves a breadcrumb trail connecting the sending address, the recipient address and the next address to which the change is sent.

Hierarchical Deterministic (HD) wallets are now mostly standard in the industry. Multiple addresses can be generated from a single private seed as and when required. Most HD wallets automatically rotate addresses for single use, both on the sending and receiving end, including the address to which change is sent. This greatly complicates efforts to create a connection between transactions. As an additional convenience, all present and future addresses are forever associated with the private seed regardless of where and when the wallet is restored, making wallet admin much simpler.
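To make the breadcrumb trail concrete, here is an added example (not from the original post or from any wallet's code) that runs the two simplest linking rules an observer applies over a constructed transaction history; the addresses A1, A2, C1 and the merchants M1 to M3 are made up. The third history shows the caveat: fresh change addresses break the trail, but later spending two of them in one transaction links them again.

```python
from collections import defaultdict

# Constructed sample histories: (set of input addresses, list of output addresses).
# Legacy single-address wallet: change always returns to the spending address A1.
LEGACY_HISTORY = [({"A1"}, ["M1", "A1"]), ({"A1"}, ["M2", "A1"]), ({"A1"}, ["M3", "A1"])]
# HD wallet: every spend sends change to a never-before-seen address.
HD_HISTORY = [({"A1"}, ["M1", "C1"]), ({"C1"}, ["M2", "C2"]), ({"C2"}, ["M3", "C3"])]
# HD wallet that later spends two change outputs together in one transaction.
HD_CONSOLIDATED = [({"A1"}, ["M1", "C1"]), ({"A2"}, ["M2", "C2"]),
                   ({"C1", "C2"}, ["M3", "C3"])]


def link_spenders(history):
    """Group spending addresses that an observer would attribute to one wallet.

    Rule 1: all inputs of a transaction are spent by the same wallet (the
    common-input-ownership heuristic).
    Rule 2: an output that repeats one of the inputs is change, so it stays with
    that wallet; this is the breadcrumb trail described in the article.
    Returns {frozenset(spending addresses): frozenset(addresses paid)}.
    """
    parent = {}

    def find(a):  # union-find with path compression
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a

    for inputs, _ in history:  # Rule 1: merge every input of a tx into one wallet
        first = next(iter(inputs))
        for addr in inputs:
            parent[find(addr)] = find(first)

    members, payees = defaultdict(set), defaultdict(set)
    for inputs, outputs in history:
        root = find(next(iter(inputs)))
        members[root].update(inputs)
        for out in outputs:  # Rule 2: change sent back to an input is not a payee
            if out not in inputs:
                payees[root].add(out)
    return {frozenset(members[r]): frozenset(payees[r]) for r in members}


def max_payees_per_wallet(history):
    """Largest number of distinct outputs an observer can pin on one wallet."""
    return max(len(p) for p in link_spenders(history).values())
```

With the legacy history every merchant payment hangs off the single wallet A1; with the HD history each transaction stands alone, and the observer cannot even tell which output was the change.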

Some wallets allow for the creation of multiple wallets within the same master wallet - BitLox is one good example out of a handful. This allows a separate wallet for each purpose - one for personal and family expenses, one for business ventures, another to fund your Hoboken squat cobbler addiction, etc. This ensures that, even if one address is somehow tied back to the wallet, your different ventures remain unlinkable - at least from the address perspective.

Network observers

However, anonymizing addresses does not protect against network observers such as ISPs, mobile carriers, bitcoin nodes or the wallets themselves. The aforementioned Chainalysis, for instance, has in the past employed "listening" nodes that were able to identify user IP addresses. In an article on the subject, CoinDesk writer Grace Caffyn notes that the incident highlights "the fact that bitcoin operates on 'user-selectable privacy' – by default it is no more secret than a Google search from a home internet connection".

Network privacy is partially a function of how exactly transaction verification is handled. Some wallets run on a "trusted node" model, in which verification is managed by their own trusted node or nodes, which will then know which IP is requesting which transaction information - thus tying IP to wallet address, and addresses to one another. While wallet providers would claim that they don't save or monitor such information, we can only take them at their word.

SPV wallets offer an improved method of validation over the trusted node model. SPV wallets query any full node on the network to check transactions - but as they still ask for particular transactions, the wallet, or any other snooper, could still make a pretty good guess as to which IP is associated with which particular address.

A greater level of transactional anonymity is theoretically offered when running your own node, through the use of Bitcoin-Qt or Bitcoin Armory, or even Schildbach's Bitcoin Wallet, which offers the option to connect to your own trusted node. Of course, that does not prevent your mobile carrier or ISP from capturing your information were they so inclined. Nor does it protect against malware, which figures much more prominently in the discussion when desktop wallets are involved. And finally, other network users will still be able to associate an IP address with a full node, and thus know of an association with bitcoin, despite not knowing the exact transactions.

More advanced users might route their activity through the Tor network, which provides additional protection against IP exposure. However, this is not a perfect solution. BitLox, for instance, offers a Tails OS-enabled device which routes transactions through Tor by default. However, they operate from a single server for validation, and thus while they might be unable to collect a user's real IP address, they will be able to tie together all of that user's transactions. The best solution is to use a full node wallet and route transactions through Tor, but most users have neither the knowledge nor the inclination to do this.

Additional privacy innovation

Confidential Transactions

Confidential transactions keep the amounts contained within a particular transaction private, while maintaining blockchain integrity. This helps manage the fungibility issue discussed previously - it will be more difficult to ascertain which bitcoin came from where - and it provides security against thieves looking to target wallets with large amounts of bitcoin.

The solution is being integrated by Blockstream under the name "Elements Project", and is already being used by developers experimenting with sidechain-based implementations.

Stealth Addresses

A stealth address is one in which the sender essentially provides the recipient with a secret key to an address, such that only the recipient may open the transaction. Stealth addresses make it impossible to connect different payments to the eventual recipient address, both for third parties and for other payers. Stealth addresses are already integrated in Dark Wallet, Samourai Wallet and ArcBit, and seem destined to become a more standard mainstream feature.
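As an added example (not from the original post, nor from Dark Wallet, Samourai or ArcBit), here is the structure of the dual-key stealth scheme on secp256k1 in plain Python: the recipient publishes a scan key and a spend key, the sender derives a one-time destination from an ECDH shared secret, and only the scan key can recognize the payment while only the spend key can spend it. The hashing of the shared point is a simplification, the point arithmetic is not side-channel safe, and the block assumes the ephemeral public key is published alongside the transaction.

```python
import hashlib
import secrets
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # generator

def ec_add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None or q is None:
        return p or q
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def ec_mul(k, p):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    r = None
    while k:
        if k & 1:
            r = ec_add(r, p)
        p, k = ec_add(p, p), k >> 1
    return r

def shared_scalar(point):
    """Hash an ECDH point to the tweak both parties can derive (simplified)."""
    raw = point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % N

def stealth_keys():
    """Recipient: scan and spend private keys plus the published stealth address."""
    d_scan, d_spend = (secrets.randbelow(N - 1) + 1 for _ in range(2))
    return d_scan, d_spend, (ec_mul(d_scan, G), ec_mul(d_spend, G))

def stealth_pay(stealth_addr):
    """Sender: ephemeral pubkey to publish with the tx, and the one-time destination."""
    q_scan, q_spend = stealth_addr
    e = secrets.randbelow(N - 1) + 1  # fresh per payment, so destinations never repeat
    tweak = shared_scalar(ec_mul(e, q_scan))
    return ec_mul(e, G), ec_add(q_spend, ec_mul(tweak, G))

def stealth_claim(d_scan, d_spend, ephemeral_pub, paid_to):
    """Recipient: recover the one-time private key, or None if the payment is not ours."""
    priv = (d_spend + shared_scalar(ec_mul(d_scan, ephemeral_pub))) % N
    return priv if ec_mul(priv, G) == paid_to else None
```

A watcher who sees two payments to the same stealth address sees two unrelated destination keys, because each sender's ephemeral key changes the tweak.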

Payment Codes

Payment codes are an improvement on stealth addresses. They are described by their creator, Justus Ranvier, as similar to email addresses in that they may be publicized on business cards, websites or anywhere else as a single, static address. Users needn't scan the entire blockchain to detect transactions, and payment code transactions look just like payments to any normal bitcoin address to the casual viewer. As a convenience for merchants, the owner of a payment code is able to ascertain the sender address automatically, which is handy when refunds must be issued.

CoinJoin

CoinJoin, experimented with in Dark Wallet, mixes multiple transactions together and reroutes payments to recipients such that it is very difficult to determine which payer originally intended to pay which recipient. For this to work, the solution will need to be deployed at a network level, or close to it. As it stands today, CoinJoin transactions constitute a red flag as to a user's nefarious intent, rightly or wrongly, and regulated exchanges such as Coinbase will close the accounts of participants.

Conclusion

There are some who believe that bitcoin's pseudonymous nature restricts its growth into a mainstream processing engine. If authorities and regulators are unable to determine whether, and by whom, the network is being exploited for criminal ends - as they can with centralized payment processors by simply serving a warrant - bitcoin's growth might be stymied.

Others, myself included, believe that transactional anonymity, or as close an approximation to it as possible, is of great importance if bitcoin is to remain a viable payment alternative. While I want money launderers and terrorists arrested just as much as the next guy, you cannot tailor privacy only to those who have good intentions. As Tim Cook wrote in his response to the FBI request to build a backdoor into the San Bernardino terrorist iPhones: "In today's digital world, the 'key' to an encrypted system is a piece of information that unlocks the data, and it is only as secure as the protections around it. Once the information is known, or a way to bypass the code is revealed, the encryption can be defeated by anyone with that knowledge."
