Maintaining Transaction Privacy in the Age of Government Blockchain Analysis
On January 17, 2020, British tax collection department Her Majesty’s Revenue and Customs (HMRC) published an open contract seeking bid applications for tools that can track, identify and associate bitcoin transactions with real identities. Correspondingly, developers of such “intelligence gathering methods to identify and cluster Cryptoasset transactions” can apply for the £100,000 ($131,000) contract until January 31, 2020.
The initiative is effectively a government-sponsored attempt to deanonymize bitcoin transactions — though the expectations for the tool extend toward targeting privacy coins like monero and zcash.
Currently, the U.K. government is able to collect transaction and investment data that takes place on regulated cryptocurrency exchanges that operate within its territories. However, it’s much more difficult for HMRC to track bitcoin being sent back and forth by U.K. citizens who run their own nodes, use Tor for connection privacy or employ CoinJoin as forms of obfuscation.
As explained in the notice, HMRC is interested in targeting coins being sent to mixing services, gambling operations and darknet markets. Essentially, every attempt to attain sender privacy and use the cryptocurrency outside of the boundaries of regulated businesses is suspected as a possible attempt to evade taxes or perform another illicit activity.
Interestingly, the methodology to determine the winning bid for the blockchain analysis tool prioritizes its costs over the security offered — which means that a company that provides good tracking at a reasonable price, but with backend vulnerabilities that can potentially be hacked, is more likely to be awarded the contract than one which is more expensive but better across the board. Furthermore, the bounty for this contract is less than 16 BTC, an amount that represents only a small fraction of Gregory Maxwell’s bounty fund to incentive work on CoinJoin.
Can Average Bitcoin Users Keep Their Privacy?
If and when such a mechanism gets deployed by a government body like HMRC, the anonymity of bitcoin transactions is going to be much more difficult to maintain — especially if privacy procedures are not followed rigorously and easy links can be made between KYC exchange withdrawals or purchases made to home addresses in which BTC is the medium of payment.
In order to better explain methods by which average users can protect their privacy against surveillance from governmental agencies, Bitcoin Magazine spoke with Wasabi Wallet Lead Developer Nopara73 and Edge Wallet CEO Paul Puey.
Nopara73 was very direct in terms of the best practices that average Bitcoiners should use for greater privacy and protection against state actors:
“Use Wasabi or JoinMarket, they break the link between one set of coins and another,” he explained.
On the other hand, Puey expressed a greater degree of pessimism about maintaining privacy in the age of government-based blockchain analysis.
“Unfortunately, the common person is ill-equipped to protect their privacy against state-level attacks on Bitcoin,” Puey said. “It would take quite a high level of effort out of reach of most people.”
Puey also explained the limitation of CoinJoin in relation to IP address tracking and suggested some means to achieve greater privacy.
“Even with CoinJoin, a user would still expose their balance and transactions once they start to query the blockchain from a known IP address that is associated with them,” he said. “While CoinJoin could protect them against everyday citizens trying to undermine their privacy, state-level IP address tracking will easily circumvent mixing services. The best practice would be to utilize IP address anonymization via VPN and/or Tor. Also, utilizing multiple different hardware wallets that do not mix inputs between themselves would provide a high level of privacy.”
Wasabi Wallet already uses Tor by default to provide a random IP address to transactions, but it’s important to make sure that links to an ISP (which has a database of customers and can easily identify your internet activity) are further obfuscated by using a VPN or another Tor setup. For instance, sending mixed bitcoin from Wasabi to your clearnet Bitcoin Core client will expose your IP address, location and potentially your identity. Furthermore, managing UTXOs to prevent your transactions from being linked to exchange accounts is essential.
Furthermore, solutions in the works like Payswap may add obfuscation power to bitcoin mixing services, if and when they become available.
Power User Privacy Going Mainstream
These precautions are mostly for power users who understand how Bitcoin and networking work, but the means to achieve this degree of privacy are getting simpler than ever. With Wasabi, for instance, all of the privacy features are integrated in a point-and-click experience: From Tor to CoinJoin and hardware wallet integrations, everything is under the same interface, which is ultimately designed to prevent address reuse.
Furthermore, it’s time to finally put Bitcoin’s criminal narrative to rest. Agencies like HMRC should realize that transaction privacy isn’t only for masking criminal activity. There are multiple legitimate use cases where users may want to avoid being tracked and identified by third parties and these instances need to be protected.
“A company for example, may want to obfuscate how much they are paying each of their employees — as is commonly done in the world today,” Puey said. “Also, people generally do not want to expose any part of their personal balance or transactions to someone they send or receive money from.”
The latter concern refers to the many instances in which Bitcoiners have been subjected to physical attacks, threats and violence. And the more BTC they hold, the more exposed they are to criminals who may target them.
As explained in HMRC’s documents, the priorities for the partnership are efficiency and cost — thus leaving security as a less important criterion. If anyone was to hack the databases of the contracted service, the list of physical attacks against Bitcoiners might just expand, surely an unintended consequence from government agencies exploring ways to track cryptocurrency transactions.