Coinbase, ICE, and Bitcoin Blockchain Monitoring
This is an opinion piece by Justin Ehrenhofer, Vice President of Operations at the multicoin Cake Wallet, a Bitcoin privacy educator and moderator of the r/CryptoCurrency subreddit.
Coinbase recently came under fire after a Freedom of Information Act request from Tech Inquiry revealed details of its contract to provide U.S. Immigration and Customs Enforcement (ICE) access to its Coinbase Tracer blockchain analytics tool.
Coinbase has agreed to provide ICE with monitoring data on 12 blockchains (including Bitcoin’s). Among other tools, ICE gained access to Coinbase’s “Multi-Hop Analysis,” “Lightning Network Survey,” “Historical Geolocation Data,” and “Transaction Unmixing and Protected Transaction Analytics.” You can see a summary of the scope in this screenshot obtained by Tech Inquiry:
For privacy advocates and cryptocurrency compliance professionals, the existence of these features comes as no surprise. Chainalysis, CipherTrace, Elliptic and other blockchain analysis companies have been selling similar services for many years. According to the table below, ICE has purchased licenses from Chainalysis since 2016.
The extent of blockchain surveillance that was once hidden from the public is now widely known. Chainalysis, CipherTrace, Elliptic, and Coinbase all tout their compliance tool offerings.
Chainalysis offers Reactor for regulators and investigators, KYT (“know your transaction”) for automated address and transaction compliance monitoring, Kryptos for high-level control, Market Intel for researchers and investors, Business Data for exchanges to track their clients’ activities for business development, and crypto incident response for victims of ransomware and other threats. Blockchain monitoring data is sold for compliance, research, investment and marketing purposes by the same company. And there are dozens of other companies selling similar data for other purposes.
The ICE fallout
After a flurry of negative press following the release of details of Coinbase’s contract with ICE, the exchange reiterated that it “does not sell proprietary customer data” and that “Coinbase Tracer derives its information from public sources and does not use Coinbase user data. Ever.”
I’ll accept Coinbase’s claims on the surface, but even if they’re true, it still shares customer data with the US government.
Your “proprietary” data is probably already shared, secretly
Coinbase is required by law to submit Suspicious Activity Reports (SARs) to the Financial Crimes Enforcement Network (FinCEN) if it believes certain activities are suspicious. These reports can include customer information such as names, physical addresses, and even cryptocurrency transaction and address data, if available.
BitAML, a compliance consultancy firm focused on anti-money laundering (AML) regulations, has a guide for submitting cryptocurrency-related SARs on its website, which you can use to get an idea of the information that bitcoin exchanges usually submit. SARs can be filed for all sorts of things, including situations where a customer refuses to comply with requests for information.
Banks file Currency Transaction Reports (CTRs) for all daily cash deposits or withdrawals over $10,000. CTRs are currently not required for cryptocurrency transfers (e.g. withdrawals of $20,000 in BTC from an exchange), but FinCEN has lobbied for this in the past. It is likely that CTRs will be needed for cryptocurrencies (because they allow users to hold their private keys and the ability to spend the coins, making them bearer instruments, like cash) in the near future. I can’t speak for Coinbase or whether they submitted CTRs, but Coinbase or other bitcoin exchanges may have already sent your information to FinCEN if you deposited or withdrew more than $10,000 in BTC through their platforms in a single day.
If Coinbase’s blockchain monitoring or compliance tools indicate that a bitcoin transaction on its platform is suspicious, it’s reasonable to expect the exchange to have submitted a SAR. ICE can easily use the blockchain analytics tool to find suspects of what it considers “financial crimes” and then check to see if Coinbase or other exchanges have submitted SARs on those users.
Coinbase may not directly share customer data with ICE, but they do share customer data as needed with FinCEN, which may share it with ICE. So it stands to reason that ICE makes extensive use of the Coinbase tracking tool to help track and learn the identities of certain Coinbase customers.
You will not be notified that your information is shared in a SAR. SARs explicitly must remain secret. Exchanges and banks are prohibited from notifying you. Unfortunately, as mandatory documents, none of these massive data collections require a warrant.
Your “proprietary” data is public
People need to understand that the only information that is truly “proprietary” to Coinbase is the information you share directly with them. When you deposit and withdraw cryptocurrencies, you create public records that are usually trivial to trace. If you withdraw bitcoins from Coinbase to your non-custodial wallet, the Coinbase tool will likely show that transaction leaving Coinbase.
IP address monitoring is a big industry on its own. Bitcoin nodes are ultimately public servers. When you send bitcoins, the transaction must go to a public database. Companies run Bitcoin nodes to collect the first IP address they can find associated with a transaction. In many cases, this gives these companies a good idea of your approximate location and sometimes even your personal IP address.
It’s true: your personal IP address, wallet addresses, and every transaction you make can be public information that is analyzed, packaged, and sold as tools to law enforcement. According to USAspending.gov, ICE alone gained access to these by issuing contracts currently valued at $6 million. The FBI and IRS issued contracts to four analytics firms for $13.5 million and $17 million, respectively. FBI contracts have a potential total value of over $40 million. Across these and other organizations, the cost to taxpayers could be as high as $79 million.
Anger at Coinbase is not the solution
You may be mad at Coinbase at this point. Do not be.
Well, at least don’t just be mad at Coinbase. Chainalysis has made a lot more money from ICE and other agencies over the years than Coinbase has, and if Coinbase didn’t sell this tool to ICE, ICE might build it themselves.
So you should really be mad at blockchains that allow mass surveillance of all this transaction information, and be mad at the warrantless mass surveillance offered by SARs and CTRs.
So what do we do from here? It takes three things to enable better Bitcoin privacy:
- Set the record straight on the usefulness of these tools. They allow mass surveillance on almost everything you do with your bitcoin. Stop beating around the bush and accept that a privacy issue exists for all 12 listed blockchains (including those for Bitcoin and Ethereum), as well as almost all others.
- Incorporate significant changes to break these tools. Better hide the IP addresses used to broadcast transactions with tools like Dandelion++. Hide amounts, addresses and transaction graphs. Bitcoin needs better default privacy protections to circumvent this mass surveillance. It’s almost impossible to completely kill these tools, but we can significantly reduce their surveillance scope by following in the footsteps of Monero, for example, by enabling sound privacy settings at all levels, not just for users of a niche tool.
- Stop using regulated entities that must report SARs and CTRs. Using a noncustodial wallet to send more than $10,000 in bitcoins could prevent your information from being automatically shared.
Why is this important?
Bitcoin proponents have championed the usefulness of BTC for remittances to El Salvador and other countries. Bitcoin is certainly useful in many of these circumstances. However, many migrant workers are going to be scared off by the transparency of Bitcoin and the millions of dollars invested in tracing Bitcoin transactions each year. It is more difficult for ICE to target individual users of the traditional, centralized remittance system than for ICE to observe every bitcoin payment to find numerous exchanges, IP addresses and services in El Salvador.
Migrant workers often escape dangerous situations at home. Regardless of your political views on immigration, one must understand how someone in this situation would exercise great caution in protecting their privacy for fear of deportation.
Unfortunately, Bitcoin does not protect the privacy of the vast majority of its users very well. Suppose El Salvador takes the extreme (though highly unlikely) step of demanding Bitcoin remittances. Would that be a net positive, driving people away from centralized, regulated institutions that largely profit from the world’s poor? Or would it be a net negative, since firstly most people will use regulated platforms to buy and sell bitcoin with fees anyway, and secondly the vast majority of people will be monitored by enemy actors (from the point of view of illegal immigrants) on the transparent blockchain?
The answer is not simple; there are positives and negatives, and Bitcoin will be the preferred option for some people. Still, I hope the strong voices of the bitcoin community will understand the challenges and risks associated with ICE monitoring every transaction, and that they will advocate loud and clear for better default privacy protections on bitcoin to protect the users they say Bitcoin was designed for.
This is a guest post by Justin Ehrenhofer. The opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.