Finally, the cryptocurrency lender argued that since many of its customers live in different jurisdictions around the world, disclosing their PII “could reveal [Celsius] to potential civil liability and significant financial penalties.” The document specifically notes the UK’s General Data Protection Regulation (UK GDPR) and the EU’s GDPR.
The US trustee, for its part, argued that Celsius “does not and cannot rely on any exceptions to the general rule that bankruptcy proceedings should be open, public and transparent” and has offered “no more than vague statements in support of their request” to redact the confidential information.
They also argued that the PII that Celsius sought to redact “is neither confidential nor commercial information.”
“The American trustee claims that [Celsius’] own privacy policy supports the argument that customers’ information is not confidential because it allows customers’ names and contact information to be shared with third-party ‘business partners’ and is therefore not confidential,” according to the court document.
In addition, “the US Trustee asserts that the information is not truly commercial in nature because the debtors are not seeking to redact all creditors’ names and identifying information and are instead requesting that identifying information be redacted only for certain creditors, ‘but information with respect to another group will be fully disclosed because of where such creditors reside.’”
On the international law aspect, the US trustee also reasoned that under US bankruptcy law, bankruptcy proceedings should be public, and that this rule should preempt the UK GDPR and the EU GDPR.
Finally, and most shockingly, “the American trustee claims that [Celsius’] arguments that creditors might be subjected to violence if their identities were revealed constitute anecdotal evidence, falling short of the level of proof necessary to overcome the presumption of open and public bankruptcy.”
In response, Celsius filed another motion, which sought to implement a complete anonymization process so as not to reveal detailed user information. It went beyond the first motion, which asked for the ability to redact the home and email addresses of US customers and the names, home addresses and email addresses of UK and EU customers.
The court ruled against the majority of Celsius’ requests. It rejected the differentiation between US and UK/EU customers based on the above arguments and allowed the company to redact only home and email addresses. It completely rejected the anonymization proposal.
The court’s decision. (Screenshot/Celsius restructuring rights document)
Here’s what doxxed users can do
There are many options available to those who find themselves exposed in the Celsius documents, but none of them can erase the past. The closest one can get: if the release of these data points has the potential to harm a person concretely, they can legally change their name as an (extreme) option of last resort. One can also move to another address, but since the court authorized Celsius to redact home addresses, that exposure may be less of a problem to mitigate. It is worth noting, however, that unredacted versions of the filings are available to “the US Trustee, and counsel to the Committee, and that any interested party” who requests and receives access, so the case for moving homes can still be made.
Users can also take measures to mitigate some of the threats in the digital world. For on-chain addresses that observers can de-anonymize by combining blockchain data with the information disclosed in the document, good privacy-focused tools can come to the rescue.
The simpler option is to CoinJoin funds. While this will not delete the user’s transaction history, it gives the user good forward-looking privacy if done correctly. This means that spending from that point on will not be clearly identifiable as a transaction coming from the doxxed user. (Similar to how the bank knows when you withdraw money from an ATM, but can’t get detailed information about what you spend it on afterwards.) The user can also resort to other privacy tools, such as PayJoins, which break the heuristics that bad actors use to derive information from chain data.
But perhaps the most important thing users can do is to take a low-time-preference approach and avoid using centralized services that harvest user data. Financial services companies worldwide, in cryptocurrency and beyond, must comply with Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations. While such laws are likely well-intentioned, their effectiveness is disputed and the downsides are clear – as in this Celsius case.
In the information age, data is the most valuable commodity, and as such, companies that collect vast amounts of data become honeypots and attractive targets for cyberattacks, as hackers and others seek to monetize this information.
Although the world’s governments do not recognize this gigantic problem in the 21st century, users are encouraged to do what they can to take ownership of their data and reclaim their privacy. As the status quo pressures people to share as much about their lives as possible, the right to privacy should not be seen as something that law-abiding citizens do not need, but rather as the very right that enables all the others.