Commentary

How Private Are Bitcoin Transactions?

By Timothy B. Lee
This article appeared on Forbes.com on July 14, 2011.

Are Bitcoin transactions really private? In an age of ubiquitous government surveillance and corporate information collection, the peer-to-peer currency’s boosters tout privacy as a major benefit. I’m not convinced.

Bitcoin’s peer-to-peer method for clearing payments means that the currency’s “books” are inherently open. Every transaction ever made using the currency is available for inspection using a tool like Bitcoin’s Block Explorer.

The privacy benefits come from the fact that you can create an unlimited number of anonymous Bitcoin identities. Block explorer tells me that someone sent 36953.2525 Bitcoins to the address 148X4kTYZhjeKQcd1AVhcytXvh5gL6FNSe. I don’t know who owns that address and there’s no central database where I can look it up. Nor is there a Bitcoin Inc. that could be compelled to create such a database. And this, Bitcoin enthusiasts say, give their currency a privacy edge over the US dollar.

But the fact that the database doesn’t exist doesn’t mean it couldn’t be created. Remember, people want money so they can buy stuff. There are a few goods and services, like pornography or consulting work, that can be delivered entirely over the Internet. But people mostly buy products that need to be physically delivered. An American who wants to deal primarily in Bitcoins will, at some point, need to either buy food and shelter in Bitcoins or convert some of their Bitcoins to dollars. And that means making Bitcoin payments to people in the US.

But the US government could easily require any business accepting Bitcoin payments (or converting Bitcoins to dollars) to collect identification information from their customers in the same way that “know your customer” regulations require financial institutions to collect information about their customers. And once the government has de-anonymized a significant fraction of the addresses on the network, they’ll be able to infer many of the others using basic detective work. Remember, the full pattern of transactions is a matter of public record. Officials trying to identify a particular address will have a complete record of every address that’s ever sent money to, or received money from, that address. If any of them are within the United States, they can be compelled to disclose details (IP addresses, shipping addresses, contact email address, etc) that could help identify the address’s owner.

Now this isn’t to say that a determined individual couldn’t use Bitcoin in a way that preserves his privacy. But it would either require a high level of technical savvy or significant lifestyle changes. He could avoid working for traditional US employers and buying things from mainstream US businesses. But most users just don’t care about privacy enough to make those kinds of major lifestyle changes to get it.

Another approach would be to use technical means to obfuscate the flow of funds to and from his accounts. He could route all Bitcoin traffic through an anonymization service like Tor. He could create a large number of decoy accounts and have different people pay different accounts. There could even be Bitcoin “money laundering” services that accept money from you and pay you back in another account. But few people have the patience or technical know-how to do this effectively.

Moreover, people willing to go to that much trouble can obtain roughly the same degree of financial privacy using dollars. Most obviously, you can conduct transactions in cash, which is inherently resistant to government surveillance. For remote transactions, there are any number of offshore intermediaries in Switzerland, the Cayman Islands, and elsewhere that have been helping privacy-conscious Americans stay beyond the long arm of the law for decades. And all of these transactions have an important advantage over Bitcoin: they don’t produce public entries in a global distributed database.

In other words, Bitcoin’s alleged privacy benefits mostly reflect the fact that the government isn’t really trying to spy on Bitcoin users. It hasn’t built the kind of surveillance infrastructure the government has for tracking dollar-denominated transactions. And to be clear, I would rather that infrastructure not exist. But if Bitcoin becomes popular, the government will build precisely the same infrastructure for spying on the Bitcoin network. And when they do, it will become clear that for ordinary users, Bitcoin is, if anything, less surveillance-resistent than traditional cash.

Timothy B. Lee is an adjunct scholar at the Cato Institute. He covers tech policy for Ars Technica and blogs at Forbes.com.