Are Cryptocurrencies Truly Anonymous?
Cryptocurrencies such as Bitcoin are portrayed as non-traceable, in sharp contrast to credit cards or other online payment methods. A recently released Princeton University study however, showed that this assumption of anonymity may be too good to be true.
In a report written by one of the study’s authors, Steven Goldfeder, cryptocurrencies’ ability to protect your identity becomes compromised when met with the third party trackers and browsers cookies employed by many online shopping sites.
Goldfeder illustrated the problem on Princeton’s Center for Information technology website.
“Websites, including shopping sites, typically have dozens of third-party trackers per site. These third parties track sensitive details of payment flows, such as the items you add to your shopping cart, and their prices, regardless of how you choose to pay.
Many shopping sites leak enough information about your purchases that trackers can connect them to a specific transaction on the blockchain. From there, it’s relatively simple to link that transaction to the rest of your Bitcoin wallet address.”
Goldfeder and his team analyzed 130 e-commerce sites that accept Bitcoin payments, using the privacy measurement tool OpenWPM. They ultimately found that 53 of the sites leaked transaction details to trackers. Of the leaked information, 49 of the sites included names, emails and usernames within the information supplied to trackers. This combination of information would allow trackers to link real-world identities to Bitcoin wallets addresses, leaving the blockchain concepts meant to retain anonymity useless.
According to Goldfeder, it’s the conglomeration of information over a number of purchases that makes user identification possible. He explains further
“Consider three websites that happen to have the same embedded tracker. Alice makes purchases and pays with Bitcoin on the first two sites, and logs in on the third. Merchant A leaks a QR code of the transaction’s Bitcoin address to the tracker, merchant B leaks a purchase amount, and merchant C leaks Alice’s PII
Such leaks are commonplace today. The tracker links these three purchases based on Alice’s browser cookie. [They] obtain enough information to uniquely identify coins on the Bitcoin blockchain that correspond to the [other] two purchases.”
Cryptocurrencies veterans often use browser extensions such as Adblock Plus and uBlock Origin to protect their identities. Purchases might also be made through CoinJoin, in an effort to keep anonymous when making Bitcoin transactions.
Let’s suppose that Alice took the precaution of putting her bitcoins through CoinJoin before making the aforementioned purchases. She should be safe, correct?
In their study, Goldfeder and his group made real purchases using Bitcoins that were “mixed” using the CoinJoin anonymity technique. The tracker that observed two purchases – a commonplace occurrence, according to Goldfeder – would be able to identify the Bitcoin wallet making the purchases 80% of the time.
Going back to Alice: “Either transaction individually could not have been traced back to Alice’s wallet, but there is only one wallet that participated in both CoinJoins, and is hence revealed to be Alice’s.
Many of these information leaks are by design, to enable advertising and analytics. While transfers from one individual user to another may still be anonymous, third party interference on websites from trackers or browsers cookies veritably eliminate this identity security.
Goldfeder sees his team’s findings as a reminder that our privacy is much less secure than we might imagine. “Anonymity in cryptocurrencies seems especially tricky, because it inherits the worst of both data anonymization (sensitive data must be publicly and permanently stored on the blockchain) and anonymous communication.”