Why Celsius Exposed Users and What You Can Do – Bitcoin Magazine
This week Celsius Network published a large document containing all the account balances of its customers.
The move is part of the company’s ongoing restructuring process following the Chapter 11 bankruptcy filing from earlier this year. The document reflects user balances as of July 13, 2022, when the company’s restructuring began, and customer transactions that occurred during the 90 days prior to the Chapter 11 filing, according to the company’s FAQ.
Unsurprisingly, the release of such detailed customer data, which includes names, balances and transactions, caused an uproar on Twitter. The information not only exposes each user’s financial position; because the amount and date of every transaction are listed, an observer can search the blockchain for withdrawals matching those amounts and times and so attach a real name to on-chain addresses.
Putting it all together, it is clear that users’ privacy was invaded and their security compromised. But don’t panic (yet): this article reviews why this happened and what can be done to mitigate some of the threats if you are among the doxxed users.
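The matching described above is mechanical once the filing is in hand. The following is an added example (not code from the article, and the names, transaction ids, addresses and amounts are constructed, not real Celsius data): it takes hypothetical ledger rows of the kind the filing contains and a hypothetical set of on-chain withdrawals, and links a row to every transaction whose amount and block time fit. A row whose amount and date are unique is tied to a single transaction, and from there to an address; a round amount on a busy day only yields a candidate set.

```python
"""Amount-and-date correlation between a leaked customer ledger and on-chain
transactions.  Added example, not code from the article: the ledger rows,
transaction ids and addresses below are constructed, not real Celsius data."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LedgerRow:
    """One line of the (hypothetical) filing: who, what, how much, when."""
    name: str
    asset: str
    amount_sat: int   # satoshis as an integer, to avoid float rounding
    date: datetime    # day granularity, as published in the filing


@dataclass(frozen=True)
class ChainTx:
    """One withdrawal as seen on chain (the output paying the customer)."""
    txid: str
    asset: str
    amount_sat: int
    time: datetime    # block time
    address: str


# Constructed sample data (hypothetical names, txids and addresses).
LEAKED_ROWS = [
    LedgerRow("A. Example", "BTC", 31_874_112, datetime(2022, 6, 20)),
    LedgerRow("B. Example", "BTC", 50_000_000, datetime(2022, 6, 21)),
]
CHAIN_TXS = [
    ChainTx("tx-aaaa", "BTC", 31_874_112, datetime(2022, 6, 20, 14, 3), "bc1q-withdraw-1"),
    ChainTx("tx-bbbb", "BTC", 50_000_000, datetime(2022, 6, 21, 9, 30), "bc1q-withdraw-2"),
    ChainTx("tx-cccc", "BTC", 50_000_000, datetime(2022, 6, 21, 17, 45), "bc1q-withdraw-3"),
    ChainTx("tx-dddd", "BTC", 31_874_112, datetime(2022, 5, 1, 8, 0), "bc1q-old"),
]


def correlate(rows, txs, window=timedelta(days=1), tolerance_sat=0):
    """Map each leaked row to the on-chain transactions that match it.

    A transaction matches when the asset is the same, the amount is within
    `tolerance_sat` (use a few thousand sat if the filing lists the gross
    amount and the chain shows the amount net of a withdrawal fee) and the
    block time lies within `window` of the filing date.
    """
    matches = {}
    for row in rows:
        hits = [
            tx.txid for tx in txs
            if tx.asset == row.asset
            and abs(tx.amount_sat - row.amount_sat) <= tolerance_sat
            and abs(tx.time - row.date) <= window
        ]
        matches[row.name] = sorted(hits)
    return matches


def uniquely_linked(matches):
    """Rows with exactly one candidate: the observer now holds name -> txid."""
    return {name: hits[0] for name, hits in matches.items() if len(hits) == 1}


if __name__ == "__main__":
    result = correlate(LEAKED_ROWS, CHAIN_TXS)
    for name, hits in result.items():
        print(f"{name}: {len(hits)} candidate tx(s) {hits}")
    print("uniquely linked:", uniquely_linked(result))
```

Run as is, the odd amount of 0.31874112 BTC on 20 June links "A. Example" to one transaction, while the round 0.5 BTC on 21 June leaves two candidates. In practice an observer would widen `tolerance_sat` to absorb withdrawal fees and narrow `window` once the exchange's batching schedule is known, which shrinks candidate sets further.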
Why did Celsius make this document public?
As mentioned earlier, the document is part of Celsius’ restructuring process. Celsius was obliged to disclose creditor information because US bankruptcy law requires such proceedings to be transparent. That requirement usually covers only the company’s own assets, but customers were swept in because Celsius held their funds in custody.
According to a court filing, Celsius filed a motion to limit the release of its customers’ personally identifiable information (PII) by redacting it before publication. The lender put forward three arguments.
First, Celsius argued that such a large database of customer information was too valuable for the company to make public. Doing so would “significantly reduce the value of the customer list as an asset in any future potential sale of assets,” the company argued.
Second, Celsius advanced the argument that if customers’ PII were disclosed, they could be targeted for “identity theft, extortion, harassment, stalking and doxing,” according to the court filing.
Finally, the cryptocurrency lender argued that since many of its customers live in different jurisdictions around the world, disclosing their PII “could expose [Celsius] to potential civil liability and significant financial penalties.” The filing specifically notes the UK’s General Data Protection Regulation (UK GDPR) and the EU’s GDPR.
The US Trustee, for its part, argued that Celsius “does not and cannot rely on any exceptions to the general rule that bankruptcy proceedings should be open, public and transparent” and had offered “no more than vague statements in support of their request” to redact the confidential information.
They also argued that the PII that Celsius sought to redact “is neither confidential nor commercial information.”
“The US Trustee claims that [Celsius’] own privacy policy supports the argument that customers’ information is not confidential because it allows customers’ names and contact information to be shared with third-party ‘business partners’ and is therefore not confidential,” according to the court document.
In addition, “the US Trustee asserts that the information is not truly commercial in nature because the debtors are not seeking to redact all creditors’ names and identifying information and are instead requesting that identifying information be redacted only for certain creditors, ‘but information with respect to another group will be fully disclosed because of where such creditors reside.’”
On the international law aspect, the US Trustee also reasoned that under US bankruptcy law, bankruptcy proceedings should be public and that this requirement preempts the UK GDPR and the EU GDPR.
Finally, and most shockingly, “the US Trustee claims that [Celsius’] arguments that creditors might be subjected to violence if their identities were revealed constitute anecdotal evidence, falling short of the level of proof necessary to overcome the presumption of open and public bankruptcy.”
In response, Celsius filed another motion, which sought to implement a complete anonymization process so as not to reveal detailed user information. It went beyond the first motion, which had asked only for permission to redact the home and email addresses of US customers and the name, home address and email address of UK and EU customers.
The court ruled against the majority of Celsius’ requests. It rejected the differentiation between US and UK/EU customers on the basis of the above arguments and allowed the company to redact only home and email addresses. It rejected the anonymization proposal outright.
Here’s what doxxed users can do
There are many options open to someone who finds themselves exposed in the Celsius documents, but none of them can erase the past. The closest one can come, if the release of these data points threatens concrete harm, is to legally change one’s name, an extreme option of last resort. One can also move to another address, but since the court authorized Celsius to redact home addresses, that exposure may be a smaller problem to reduce. It is worth noting, however, that unredacted versions of the filings are available to “the US Trustee, and counsel to the Committee, and that any interested party” who requests and receives access, so the case for moving can still be made.
Users can also take measures to mitigate some of the threats in the digital world. Where on-chain addresses can be de-anonymized by combining the blockchain with the information disclosed in the document, good privacy-focused tools can come to the rescue.
The simplest option is to CoinJoin the funds. While this does not delete the user’s transaction history, it gives the user good forward-looking privacy if done correctly: spending from that point on will not be clearly identifiable as coming from the doxxed user. (Similar to how the bank knows when you withdraw money from an ATM but cannot see what you spend it on afterwards.) The user can also resort to other privacy tools, such as PayJoin, which likewise break the heuristics bad actors use to derive information from chain data.
But perhaps the most important thing users can do is to take the low time preference approach and avoid using centralized services that harvest user data. Financial services companies worldwide, in cryptocurrency and beyond, must comply with Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations. While such laws are probably well-intentioned, their effectiveness is disputed and the downsides are clear, as in this Celsius case.
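What “done correctly” means for a CoinJoin can be seen by tracing a doxxed withdrawal address forward through a constructed equal-output CoinJoin. The following is an added example, not code from the article or from any CoinJoin implementation; the transactions, addresses and amounts are hypothetical. It shows the two sides of the technique: the equal-denomination outputs give the user an anonymity set (an observer cannot say which of the identical outputs is theirs), while a change output with a unique amount is still tied back to the input by simple arithmetic, which is why wallets that implement CoinJoin treat change with care.

```python
"""Forward-looking privacy from an equal-output CoinJoin, and its limit.
Added example, not code from the article; the transactions below are
constructed (hypothetical addresses and amounts), not real ones."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class TxIn:
    address: str   # the observer has labelled this address via the leaked filing
    sat: int


@dataclass(frozen=True)
class TxOut:
    address: str
    sat: int


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple
    outputs: tuple


def trace_forward(tx, doxxed_input, fee_slack_sat=50_000):
    """What an observer can say about the outputs funded by `doxxed_input`.

    Returns (equal_outputs, linked_outputs):
      equal_outputs  - (address, anonymity_set) for every output whose amount
                       is shared with other outputs; the observer cannot tell
                       which of them belongs to the doxxed user.
      linked_outputs - outputs the observer can attribute to the doxxed user
                       anyway: every output of an ordinary spend, or a unique
                       change amount equal to the input minus a whole number
                       of denominations minus a small fee.
    """
    if doxxed_input not in tx.inputs:
        raise ValueError("doxxed input does not fund this transaction")
    amounts = Counter(o.sat for o in tx.outputs)
    equal = [(o.address, amounts[o.sat]) for o in tx.outputs if amounts[o.sat] > 1]
    if not equal:
        # No repeated amounts: an ordinary spend, every output is linked.
        return [], [o.address for o in tx.outputs]
    denom = max(sat for sat, n in amounts.items() if n > 1)
    linked = []
    for o in tx.outputs:
        if amounts[o.sat] > 1:
            continue
        remainder = doxxed_input.sat - o.sat
        if remainder >= denom and remainder % denom <= fee_slack_sat:
            linked.append(o.address)
    return equal, linked


DENOM = 10_000_000  # 0.1 BTC in satoshis (constructed denomination)

COINJOIN = Tx(
    "tx-cj",
    inputs=(
        TxIn("bc1q-doxxed", 50_000_000),   # the leaked withdrawal address
        TxIn("bc1q-peer-1", 25_000_000),
        TxIn("bc1q-peer-2", 10_050_000),
    ),
    outputs=(
        TxOut("bc1q-out-1", DENOM),
        TxOut("bc1q-out-2", DENOM),
        TxOut("bc1q-out-3", DENOM),
        TxOut("bc1q-out-4", DENOM),
        TxOut("bc1q-change-doxxed", 39_990_000),  # 0.5 - 0.1 - fee
        TxOut("bc1q-change-peer-1", 4_995_000),   # 0.25 - 0.2 - fee
        TxOut("bc1q-change-peer-2", 45_000),      # 0.1005 - 0.1 - fee
    ),
)

PLAIN_SPEND = Tx(
    "tx-plain",
    inputs=(TxIn("bc1q-doxxed", 50_000_000),),
    outputs=(TxOut("bc1q-merchant", 30_000_000), TxOut("bc1q-change", 19_990_000)),
)


if __name__ == "__main__":
    for tx in (PLAIN_SPEND, COINJOIN):
        equal, linked = trace_forward(tx, tx.inputs[0])
        print(tx.txid, "anonymity sets:", equal, "still linked:", linked)
```

The plain spend links both outputs to the doxxed address. In the CoinJoin, the four 0.1 BTC outputs each carry an anonymity set of four, but the 0.3999 BTC change output is attributed to the doxxed input because 0.5 minus 0.3999 is one denomination plus a fee. Spending that change together with a mixed output, or merging it later with other mixed coins, hands the link back to the observer; the privacy gain is confined to the equal outputs.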
In the information age, data is the most valuable commodity, and companies that collect vast amounts of it become honeypots: attractive targets for cyberattacks as hackers and others seek to monetize the information.
Although the world’s governments do not recognize the scale of this 21st-century problem, users are encouraged to do what they can to take ownership of their data and reclaim their privacy. As the status quo pressures people to share as much of their lives as possible, the right to privacy should not be seen as something law-abiding citizens do not need, but as the very right that enables all the others.