Privacy: the deceptive anonymity of Bitcoin and Co

Just because “kryptós“ is ancient Greek for secret does not mean that cryptocurrencies guarantee privacy. But, several concepts promise relief.

People trading in Bitcoins need payment addresses – and anyone can easily have them generated by a wallet. No formalities or identity proof are required, only the right software. So far, so anonymous. Or is it?

In fact, cryptocurrencies such as Bitcoin do not protect the identity of their users as good as it seems at first glance. The only thing secret are private keys. Payment addresses should rather be considered generally known ID numbers or pseudonyms which are firmly connected with their holder. As soon as you know which user owns which address, you can track their entire payment history.

That is because the alternative currency builds its blockchain on a cash book which is made known to the entire network. So, transactions can be inspected by anyone, at any time. It works particularly well with one of the numerous blockchain explorers on the web. If you use them to enter a bitcoin address, the relevant service provides you with an overview of all transactions made to date and of the current balance.

Satoshi Nakamoto’s workaround

The Bitcoin developers knew of the pitfalls of such an architecture for the user’s privacy more than ten years ago. Satoshi Nakamoto dealt with this subject in a dedicated, though short section on the last pages of his fundamental whitepaper “Bitcoin: A Peer-to-Peer Electronic Cash System“. While it reads like a half-hearted workaround, it also provides some indications for potential precautions. Those placing importance on privacy should keep their public keys a secret and use a new address for each transaction. Transfers could still be tracked then, but not be collected and allocated to a certain person.

These good approaches are, however, already sabotaged by multi-input transactions. These are payment transactions combining smaller balances which are securitised on different Bitcoin addresses, to make one larger payment transaction. If only one of these sources allows, at any time, conclusions to be drawn on its user, all addresses used would be discredited.

Users are threatened by even more adversities at the interfaces to the real world. In order to buy or sell cryptocurrencies in an appreciable amount through (regulated) stock exchanges, the latter do now request an identity proof. Any balances transferred to and from the market place are then directly linked to a real person and the addresses they used, including their history, are disclosed.

And since clients communicate by network, even their operators might ultimately be considered a weakness. If users use no anonymous internet access, their addresses could also be intercepted here and allocated to the owner of the connection.

These concealment tactics are available

Several approaches are available to best conceal one’s identity from certain people groups. On the network layer, users might use public accesses or infrastructures whom they trust more than their own service provider – e.g. VPNs or ToR.

On a higher level, users might use several wallets independently. By applying some self-discipline, they would then never disclose their entire credit balance to one single party – provided the organisations do not cooperate or forward payment transactions to financial authorities which would then, once again, be able to get a more comprehensive picture.

“Tumbler“ or “Mixing Services“ offered by different services providers are also a practical way for concealing the origin of one’s own coins from the public. They combine or mix transactions to prevent conclusions to be drawn on the history of individual coin amounts. But, you should not only trust these providers regarding confidentiality; but also hope to get your coins back.

And some cryptocurrencies were, from the inception, generally designed to provide more privacy. Monero offers so-called stealth addresses concealing transactions from the public. Ring signatures should also strongly mix and conceal transfers.

One uncertainty remains

No matter whether you use classic cryptocurrencies or coins trimmed to privacy: users should rather not expect a hundred-percent privacy.

That is shown, on the one hand, in a blog article by Elie Bursztein working for Google. In this article, the security expert describes how his team started tracking cybercriminals and was even able to trace concealed bitcoin transactions. And even potential weaknesses of Monero have already been discussed publicly .