Home » Security Boulevard (Original) » Industry Spotlight » Schrodinger’s Cryptocurrency – Both Private and Not Schrodinger’s Cryptocurrency – Both Private and Not

By July 13, 2020Bitcoin Business
Click here to view original web page at securityboulevard.com
Home » Security Boulevard (Original) » Industry Spotlight » Schrodinger’s Cryptocurrency – Both Private and Not

Everyone knows that Bitcoin is an anonymous currency. Except when it isn’t. Bitcoin and other cryptocurrencies attempt to achieve the incompatible goals of providing strong accountability for transactions through blockchain and strong anonymity. If the government wanted to obtain information about a user’s bank account, it would simply subpoena the records from a bank under the Bank Secrecy Act and the powers of the grand jury and obtain the information they needed. Not so for Bitcoin, since there is no “central authority” from which to get records of transactions.

Cryptocurrency Under the Privacy Microscope

On June 30, 2020, the U.S. Court of Appeals for the Fifth Circuit ruled that federal agents could obtain information about Bitcoin and blockchain transactions from cryptocurrency exchanges such as Coinbase with a simple subpoena because users of cryptocurrency, which is specifically touted for its privacy and anonymity features, have no “reasonable expectation of privacy” in the transactions that occur on a public ledger system such as Bitcoin. It’s Schrodinger’s cryptocurrency: both anonymous and public at the same time.

The case arose out of an investigation of child pornography purchased from a website using Bitcoin. As the federal appeals court noted:

When a Bitcoin user transfers Bitcoin to another address, the sender transmits a transaction announcement on Bitcoin’s public network, known as a blockchain. The Bitcoin blockchain contains only the sender’s address, the receiver’s address, and the amount of Bitcoin transferred. The owners of the addresses are anonymous on the Bitcoin blockchain, but it is possible to discover the owner of a Bitcoin address by analyzing the blockchain. For example, when an organization creates multiple Bitcoin addresses, it will often combine its Bitcoin addresses into a separate, central Bitcoin address (i.e., a “cluster”). It is possible to identify a “cluster” of Bitcoin addresses held by one organization by analyzing the Bitcoin blockchain transaction history. Open source tools and private software products can be used to analyze a transaction.

Currency exchanges such as Coinbase maintain records of users who have transferred funds from or to these “clusters,” which can be identified from public records. In the course of the child porn investigation, the government issued a grand jury subpoena to Coinbase to try to identify the Bitcoin user associated with the cluster, and therefore with the child porn. The question for the federal court was whether the government could get those records from Coinbase with a simple subpoena or whether it needed a search warrant supported by probable cause. And to decide that, the court had to decide whether people have a reasonable expectation of privacy in these records.

No Party Like a Third Party

As a general rule, you have a reasonable expectation of privacy in your own records, unless you have voluntarily exposed such records to the public. There’s a lot to unwind in that sentence, though. First, what are “your records”? Are your bank records “yours,” or are they the bank’s records of how you used the service? What about your phone records, hotel records, travel records, credit card records, library account, internet browsing history, GPS records and other records created by third parties and held by them? Are those “your” records for which you have a reasonable expectation of privacy and for which the government has to get a search warrant, or are they the records of the institution that either creates the records or stores them? If they are things such as your personal e-mails and chats (unless made public), they are yours, you have an expectation of privacy and a warrant is required.

The U.S. Supreme Court waded into this quagmire some years ago when it ruled in 1979 that no warrant was required to get telephone toll records since the caller knew that the phone company kept such records and that, by using a phone, they voluntarily exposed their calls to the phone company (these were the days even before caller ID). Besides, it noted, the phone book gave the user a warning (terms of service?) that such records were created. This was the so-called “third party” doctrine, whereby the government could get, by grand jury subpoena, things such as your accountants’ work papers, bank records or other “third party” records.

In 2018, the Supreme Court changed course in a case involving cell tower location records, holding that, even though the records of a cell phone’s location (based on which towers it was pinging) were records of a third party (the phone company), the user had a reasonable expectation of privacy in what these records revealed about them (their location everywhere, every time they had a phone) and therefore a search warrant rather than a subpoena was needed to obtain the records. The test was not ownership or possession but privacy.

So what about blockchain and bitcoin? Private or not?

Privacy in ‘Public’ Information

The Supreme Court’s holding that cell tower location records were “private” was unusual in that the underlying information—where someone is when they are traveling in public—is (or can be) publicly available. When you are driving around in the public, no warrant is needed to follow you around and track your movements, and while a warrant may be needed to attach a GPS device to your car, no warrant is needed to track you in public.

Blockchain and bitcoin transactions occur in public. The Fifth Circuit noted that “Bitcoin users are unlikely to expect that the information published on the Bitcoin blockchain will be kept private, thus undercutting their claim of a ‘legitimate expectation of privacy’” because it “is well known that each Bitcoin transaction is recorded in a publicly available blockchain.” The court finally concluded, “There is no intrusion into a constitutionally protected area because there is no constitutional privacy interest in the information on the blockchain” and therefore, it’s OK to monitor cryptocurrency and other such transactions with software and obtain transaction records without a warrant. Somewhat gratuitously, the court concluded also that, unlike ubiquitous cell phones, which are a staple of modern life (a necessity), cryptocurrencies are not “central to most people’s daily lives.”

The takeaway here is that transactions, communications, records or recordings that, while anonymous (or nearly so), occur in a public arena may not be entitled to legal protections because the public nature of the forum may create the concept that the records are not entitled to any expectation of privacy—despite the fact that the transactions are encrypted, secured, obscured and anonymous. Or at least partly so. As Scott Fitzgerald noted, “The test of a first-rate intelligence is the ability to hold two opposed ideas in mind at the same time and still retain the ability to function.” So we need more first-rate intelligence.

The Bot Problem: Effective Detection, Analysis & Blocking

Leave a Reply