Coinbase, ICE and Bitcoin Blockchain Surveillance – Bitcoin Magazine
This is an opinion piece by Justin Ehrenhofer, vice president of operations and multi-coin Cake Wallet, a Bitcoin privacy educator and a moderator for r / CryptoCurrency subreddit.
Coinbase recently came under fire after a Freedom Of Information Act request from Tech Inquiry revealed details of the contract to give the US Immigration and Customs Enforcement (ICE) access to the Coinbase Tracer blockchain analysis tool.
Coinbase agreed to provide ICE monitoring data on 12 blockchains (including Bitcoins). Among other tools, ICE gained access to Coinbase’s “multi-hop analysis”, “Lightning network survey”, “historical geospatial data” and “transaction mixing and shielded transaction analysis”. You can see a summary of the scope in this screenshot taken by Tech Inquiry:
For privacy advocates and cryptocurrencies professionals, the existence of these features is not surprising. Chainalysis, CipherTrace, Elliptic and other blockchain analysis companies have been selling similar services for many years. According to the chart below, ICE has been purchasing licenses from Chainalysis since 2016.
The extent of blockchain monitoring that was once hidden from the public is now widely known. Chainalysis, CipherTrace, Elliptic and Coinbase all show their compliance tool offerings.
Chainalysis offers Reactor for regulators and investigators, KYT (“know your transaction”) for automated compliance screening of addresses and transactions, Cryptos for high-level monitoring, Market Intel for researchers and investors, Business Data for exchanges to track customer activities for business development, and Crypto Incident Response for ransomware and other threats victims. Blockchain monitoring data is sold for compliance, research, investment and marketing purposes by the same company. And there are dozens of other companies selling similar data for other purposes.
ICE Fallout
Following a wave of negative press after the details of Coinbase’s contract with ICE were announced, repeated that it “does not sell proprietary customer data,” and that “Coinbase Tracer retrieves its information from public sources and does not use Coinbase user data. Ever.”
I would accept Coinbase’s claims on the surface, but even if they are true, it still shares customer data with the US government.
Your “proprietary” data is probably already shared, in secret
Coinbase is required by law to submit suspicious activity reports (SARs) to the Financial Crimes Enforcement Network (FinCEN) if it deems certain activities suspicious. These reports can include customer information such as names, physical addresses and even cryptocurrency transactions and address data, if applicable.
BitAML, a consulting company that focuses on anti-money laundering (AML), has a guide for submitting cryptocurrency-related SARs on its website, which you can use to get a feel for the information that bitcoin exchanges typically submit. SARs can be filed for all kinds of things, including situations where a customer refuses to comply with information requests.
Banks submit foreign exchange transaction reports (CTRs) for all daily cash deposits or withdrawals over $ 10,000. CTRs are not currently required for cryptocurrency transfers (eg withdrawals of $ 20,000 in BTC from an exchange platform), but FinCEN has pushed for these in the past. . It is likely that CTRs will be required for cryptocurrencies (as they allow users to hold their private keys and their ability to use the coins, thus turning them into bearer instruments, such as cash) in the near future. I can not speak for Coinbase or if it has submitted any CTRs, but Coinbase or other bitcoin exchanges may have already sent your information to FinCEN if you have deposited or withdrawn more than $ 10,000 in BTC via their platforms on a single day.
If Coinbase’s blockchain monitoring or compliance tool indicates that any bitcoin transactions on their platform are suspicious, it is reasonable to expect the exchange to have submitted a SAR. ICE can easily use the blockchain analysis tool to find suspects for what they consider to be “financial crimes”, and then check if Coinbase or other exchanges have submitted SARs for these users.
Coinbase may not share customer data directly with ICE, but they do share customer data where necessary with FinCEN, which can share them with ICE. So it’s natural that ICE largely uses the Coinbase tracking tool to help track and learn the identities of certain Coinbase customers.
You will not receive a notification that your information is shared in a SAR. SAR is explicit required to be secret. Stock exchanges and banks are prohibited from notifying you. Depressingly enough, as mandatory submissions, none of this mass data collection requires a guarantee.
Your “proprietary” data is public
People should understand that the only truly “proprietary” information about Coinbase is the information you share directly with it. When you insert and remove cryptocurrencies, you create public records that are usually trivially tracked. If you withdraw bitcoin from Coinbase to your non-deposit wallet, Coinbase’s tool will likely display the transaction leaving Coinbase.
IP address monitoring is a large industry alone. Bitcoin nodes are ultimately public servers. When you send bitcoin, the transaction must enter a public database. Companies run Bitcoin nodes to collect the first IP address they can find related to a transaction. In many cases, this gives these companies a good idea of your rough geographic location and sometimes even your home IP address.
That’s right: your IP address, your wallet addresses and every transaction you ever make can be public information that is analyzed, packaged neatly and sold as a law enforcement tool. According to USAspending.gov, ICE alone has gained access to these by issuing contracts valued at $ 6 million. The FBI and IRS have issued contracts to four analysis companies for $ 13.5 million and $ 17 million, respectively. The FBI contracts have a potential total value of over $ 40 million. Across all of these agencies and others, the cost to taxpayers can be as high as $ 79 million.
Anger Against Coinbase is not the solution
You may be angry at Coinbase at this point. Do not be that.
Well, at least not now just be angry at it. Chainalysis has made a lot more money from ICE and other agencies over the years that Coinbase has, and if Coinbase did not sell ICE this tool, ICE could build it itself.
So you should really be angry at blockchains that enable mass monitoring of all this transaction information, and be angry at the non-guaranteed mass surveillance offered with SARs and CTRs.
So, what do we do from here? It requires three things to enable better Bitcoin privacy:
- Overview of the usefulness of these tools. They enable mass monitoring of almost everything you do with your bitcoin. Stop turning the bush and accept that there is a privacy issue for the 12 listed blockchains (including Bitcoins and Ethereums), as well as almost everyone else.
- Incorporate meaningful and significant changes to break these tools. Hide the IP addresses used to better broadcast transactions with tools like Dandelion ++. Hide the amounts, addresses and transaction graphs. Bitcoin needs better standard privacy protection to circumvent this mass surveillance. It’s almost impossible to kill these tools completely, but we can reduce their surveillance scope in a meaningful way by following in Monero’s footsteps, for example to enable sensible privacy standards across the board, not just for niche tool users.
- Stop using regulated entities that need to report SARs and CTRs. Using a non-storage wallet to send more than $ 10,000 in bitcoin can prevent your information from being shared automatically.
Why does this matter?
Bitcoin supporters have championed the usefulness of BTC for money transfers to El Salvador and other countries. Bitcoin is certainly useful in many of these circumstances. However, many migrant workers will be intimidated by Bitcoin’s openness and the millions of dollars used to track Bitcoin transactions annually. It is more difficult for ICE to target individual users of the traditional, centralized payment system than it is for ICE to observe every single bitcoin payment to find many who go to El Salvador exchanges, IP addresses and services.
Migrant workers often escape dangerous situations at home. Regardless of your political views on immigration, one should understand how someone in this situation will be very careful about protecting their privacy for fear of being deported.
Unfortunately, Bitcoin does not protect the privacy of the vast majority of users as well. Suppose El Salvador were to take the extreme (but very unlikely) step requires transfers in itcoin. Would this be a net positive, and break people away from centralized and regulated institutions that earn a lot on the world’s poor? Or will this be a net negative, since one, most will use regulated platforms to buy and sell bitcoin with fees anyway, and two, the vast majority of people will be monitored by hostile actors (from the perspective of illegal immigrants) on the transparent blockchain ?
The answer is not simple; There are pros and cons, and Bitcoin will be the preferred option for some people. Nevertheless, I hope that high voices in the Bitcoin community understand the challenges and risks associated with ICE looking at each transaction, and that they strongly advocate for better standard privacy protection on Bitcoin to protect the users they say Bitcoin was made for.
This is a guest post by Justin Ehrenhofer. Expressed opinions are entirely their own and do not necessarily reflect the opinions of BTC Inc or Bitcoin Magazine.