Welcome to the eleventh issue of ‘This Month in Bitcoin Privacy’ newsletter. Enjoy!
Table of Contents
- IRS John Doe Summons To Exchanges
- Onion’78 Wins MIT Bitcoin Expo 2021 Track
- Signal Integrates MobileCoin (Sort Of)
- Trezor To Add CoinJoin and Coin Control
- From Chainalysis Chief To FinCEN Director
- Taproot Activation Specification Merged
- FATF Public Consultation Closes
- Privacy for Journalists
- Testnet Atomic Swaps With Monero
April 1st - IRS JOHN DOE SUMMONS TO EXCHANGES
In TMIBP02, TMIBP04, TMIBP05, and TMIBP09, I have covered the application of the third-party doctrine regarding cryptocurrency-related services; in TMIBP05, I also included tax authorities’ demands for disclosures of user data. At the start of this month, the U.S. Department of Justice announced that the IRS has served a John Doe summons to Circle, “seeking information about U.S. taxpayers who conducted at least the equivalent of $20,000 in transactions in cryptocurrency during the years 2016 to 2020.” They have also served the same summons on Kraken, and the presiding judge has already decided to narrow the scope.
According to the copy of the summons filed with the petition, the IRS is requesting that Circle produce records identifying the U.S. taxpayers described above, along with other documents relating to their cryptocurrency transactions.
In November 2016, the IRS had served a similar summons on Coinbase, which managed to reduce the scope down from “approximately 500,000 account holders” to “14,000 customers.” Of course, they then went on to sell blockchain surveillance tools directly to the IRS and other U.S. agencies years later (see TMIBP01 and TMIBP02).
April 4th - ONION’78 WINS MIT BITCOIN EXPO 2021 TRACK
On the second day of the Massachusetts Institute of Technology (MIT) Bitcoin Club’s expo, member Manish Kumar announced the winners of their virtual hackathon (Day 2, Part 4 - 27:15). Onion’78, a mobile BIP-78 PayJoin implementation by Dan Gould, Armin Sabouri, Johns Beharry, and Ron Stoner, was the ‘Bitcoin and Lightning’ track prize winner.
Our project aims to implement the payjoin standard (BIP-78) and privacy features (Tor Hidden Services) into an existing mobile wallet application (Chaincase). A mobile wallet was selected due to its ease of accessibility and portability, low cost profile for required hardware, and access to application distribution pipelines – providing a benefit to those who are attempting to remain as private as possible with as little footprint as possible, anywhere in the world.
Chaincase is an iOS client “built on top of the famed Wasabi Wallet,” in development by Gould since 2019 and still in beta testing with CoinJoin since September 2020. In March, he had asked if users would like to “receive PayJoin from Chaincase.” Onion’78, as a fork of Chaincase with PayJoin, is now open for beta testing. Gibson commented, “if this BIP78 implementation makes its way into production mobile wallets, will be a great selling point.” You can watch a demo here.
April 6th - SIGNAL INTEGRATES MOBILECOIN (SORT OF)
In last month’s TMIBP10, I included that the Signal Technology Foundation had started accepting cryptocurrency donations. It seems this was a precursor for their next major move: integrating MobileCoin.
They announced that U.K.-based beta testers would get access to a new feature, Signal Payments. MobileCoin (MOB) – based on Stellar’s consensus mechanisms and Monero’s ring confidential transactions (RingCTs) and Bulletproofs – has been in development since 2017, when it was reported that Signal’s founder and CEO Moxie Marlinspike was working on it “as technical advisor for the last four months, alongside technologist Joshua Goldbard.” They emphasized its reliance on Intel’s proprietary and oft-broken Software Guard Extensions (SGX) as one of the primary “special features,” used to both “hide the currency’s indelible ledger from view” and store private keys. And don’t forget Microsoft Azure confidential computing. According to their FAQ, without using SGX, “you will not be able to participate in consensus with other validator nodes.” All Americans and U.S.-based persons, along with several other jurisdictions, are explicitly “prohibited” from downloading the software or using MobileCoin in any way. Awkward, given that their promotional video centers on footage of well-off shoppers in San Francisco.
Goldbard, now CEO of MobileCoin Inc. and board member to the foundation, wrote on the Hacker News forums that he “started MobileCoin to fund Signal. That’s it.” He also noted that “MobileCoin has made over 50% of the coins available for purchase. We are currently figuring out how to give away coins while remaining regulatory compliant,” and “MobileCoin Inc. intends to maintain an extreme minority of the coins once the dust settles.” Concern over the distribution of coins stemmed from a supposed early version of their whitepaper, which states that 37.5 million ERC-20 tokens were pre-sold at 0.80 cents per MOB. (Note: While the details seem to be largely consistent with their ‘official’ whitepaper, prior versions of their website, and other documents, Goldbard insists it is not authentic.) In April 2018, they had opened a funding round for $30 million “denominated in Ethereum and Bitcoin,” and in May they filed a notice of offering of securities through a $29.7 million “simple agreement for future tokens” with the SEC.
I can assure you that we have the best minds in the regulatory and legal worlds thinking about this and there just isn’t a lot of regulatory clarity. If you had told me that 4 years after I started MobileCoin we still wouldn’t have guidelines on how to issue a cryptocurrency in the US I would’ve told you that you were insane, yet here we are. This isn’t to point fingers at the regulators, I really think they have a humongous task before them; regulating cryptocurrency is the institutional challenge of a lifetime.
While their marketing espouses that “MobileCoin is money that puts your privacy first” and “no one other than the sender and recipient can observe or track” it, they also state that “governments have a legitimate interest in regulating the economic lives of their citizens” and that they will “create high performance digital payments technology that can transparently encompass the tradeoffs that societies choose.” It is quite unclear to everyone, including them, how they plan to achieve both of these goals.
In February, researchers from Universität Würzburg and Technische Universität Darmstadt published a paper on “large-scale abuse of contact discovery in mobile messengers,” after they were able to query “10% of US mobile phone numbers for WhatsApp and 100% for Signal.” Mitigations were introduced, but unfortunately the integration of MobileCoin also puts pressure on Signal to continue requiring phone numbers, rather than pursue and encourage phone-free addressing. When asked how they would handle “receiver verification,” Goldbard replied:
Signal relies on phone numbers for identities. Other apps that integrate MobileCoin may have a higher threshold for identification.
When asked why they had not integrated bitcoin via Lightning instead, Marlinspike replied, “My impression is that it has a little ways to go still, but please let me know if you have ideas.” Jeremy Rubin commented elsewhere, “for the engineering effort put into MobileCoin, it probably could have been [ready]…” On April 15th, Stephan Livera published an interview with Peter Todd for SLP268. He was suspicious that it was unclear how to run a MobileCoin node, and argued that the trade-off of SGX actually makes a scalable Lightning integration more plausible:
What’s annoying about it is, from the users’ point of view, they could have gotten all the advantages of a centralized infrastructure for payments, without actually creating a new coin. That part of it wasn’t needed. But creating a new coin gets them a ton of money. By “them,” I mean the people behind MobileCoin, which indirectly sounds like it’ll help Signal, but it’s not a hundred percent clear.
On April 21st, through the Signal blog, Marlinspike wrote about how he had come to possess an analyzer from the digital forensics firm Cellebrite, which sells data extraction, indexing, and analysis tools and training. (Bitcoiners might care to take note that they even offer specialised tools targeting cryptocurrency users in a cooperative “suite” with CipherTrace.) He claimed to have discovered vulnerabilities that left the scanning and reporting processes open to compromise, which would “seriously call the data integrity of Cellebrite’s reports into question.” A defence attorney in at least one case that relied on Cellebrite tools in evidence has already called for a re-trial. Speaking for myself here, but I suspect most of my readers would like to see more of this punkery. Though given that Cellebrite’s customers include various U.S. law enforcement agencies, such as the Federal Bureau of Investigation (FBI) and Immigration and Customs Enforcement (ICE), I can’t imagine financial regulators will be in the mood to look favourably on something like MobileCoin now.
On April 27th, Signal shared that in March, they had received a grand jury subpoena “from the United States Attorney’s Office in the Central District of California”, in connection “with an official criminal investigation being conducted by Homeland Security Investigations.” The American Civil Liberties Union (ACLU), including ‘American Spies’ author Jennifer Granick, helped with their response.
April 9th - TREZOR TO ADD COINJOIN AND COIN CONTROL
Hardware wallet company Trezor announced “four things that are about to happen this year” regarding their products, two of which are relevant to privacy-focused users: CoinJoin and coin control. The Trezor Suite Roadmap currently schedules the addition of coin control on July 14th, and CoinJoin on August 11th. That’s right, punks, native support is on the horizon and the days of ‘just use Electrum’ will soon come to a sweet end!
CoinJoin: We always strive to advance your privacy! CoinJoin will obscure the sources and destinations of your transactions.
CoinControl and CPFP: Another step towards maximizing Trezor users’ privacy, the CoinControl feature will put you in complete charge of compiling your transactions.
Separately, as part of an outline for future development in JoinMarket, Gibson wrote that he was interested in hardware wallet support as an additional feature. “See 663; should be practically possible for maker side at least. The ckBunker initiative looks like a promising angle. This sort of thing does require a lot of care and attention in creating testing setups though.”
On April 29th, Trezor updated their warrant canary and responded to an article summarising a recent contract proposal from the Digital Forensics Unit of IRS Criminal Investigation (IRS-CI), seeking someone to “combine the leading-edge cybersecurity research available on the topics of embedded hardware exploitation with the disciplined, established science of digital forensics” to engage in decrypting hardware wallet devices. I have previously covered IRS contracting for cryptocurrency-related tools and services in TMIBP01, TMIBP02, and TMIBP04.
Efforts to oppress citizens and erode individuals’ rights to privacy, as we see here, are a great validator of Trezor’s open-source philosophy.
April 11th - FROM CHAINALYSIS CHIEF TO FINCEN DIRECTOR
On April 2nd, the Financial Crimes Enforcement Network (FinCEN) announced that Blanco would depart on April 9th, and Michael Mosier “will return to FinCEN as Acting Director” of the bureau on April 11th. Mosier “most recently served as Counselor to the Deputy Secretary of the Treasury, a role he assumed last month” after serving as FinCEN’s deputy director.
Between June 2019 and February 2020, Chainalysis had appointed him as Chief Technical Counsel, “responsible for bringing legal expertise to our products, including data privacy and global anti-money laundering (AML), sanctions, policy, and government matters.” He was expected to “work closely with Jesse Spiro, Global Head of Policy, who recently joined Chainalysis from Refinitiv.” In TMIBP05, I highlighted Spiro’s background and writing regarding the development of a growing financial watchlist category, the crypto-exposed person. In TMIBP02 and TMIBP08, I have covered other hires and advisors to the company with regulatory ties, and in TMIBP04 their government contracts. The revolving door spins ‘round and ‘round!
On April 4th, during her presentation for the MIT Bitcoin Club’s expo, Chainalysis senior economist and head of research Kimberly Grauer claimed that their business “only captures criminal activity native to the blockchain,” and reported that “less than 0.5%” of cryptocurrency funds were “associated with illicit activity in 2020” (Day 2, Part 2 - 38:35).
We sell software to law enforcement. I wish they would tell us everything about all the cases, just because I’m interested, but they don’t often tell us. It is really sensitive, what is going on. [With] a lot of these cases, people have been working on investigations for years and there is a lot of really sensitive information, so there is a reason why we’re not included in that side of things.
We do get to learn about cases; sometimes they release information publicly and we learn about it in a news announcement. Then we try to figure out what allowed them to come to this enforcement action. Did they do all of it using our tool, or did they have reason to suspect someone and they used our tool to get more evidence so that they could have a more complete case? All of those things are part of the story.
April 15th - TAPROOT ACTIVATION SPECIFICATION MERGED
In TMIBP10, I summarised ongoing discussion and progress with Schnorr / Taproot activation, and that continues this month. On April 4th, What Bitcoin Did host Peter McCormack interviewed Blockstream research director Andrew Poelstra about “Taproot Activation, Applications and Benefits,” and c-lightning engineer Lisa Neigut about Lightning, for the MIT Bitcoin Club’s virtual conference (Day 2, Part 1 - 41:00 and 1:18:55 respectively). Neigut spoke about Schnorr / Taproot as “a big opportunity for Lightning to become more private” since “the on-chain footprint will hopefully largely disappear.” Poelstra talked about how Taproot was developed and the ongoing – but relatively minor – activation drama.
For the last year or so, Taproot has been going full [blast] with all sorts of exciting stuff. I am basically working on applications on top of Taproot and not really looking at what is happening on the blockchain layer. The blockchain stuff is largely Pieter Wuille, who opened the pull-request in Bitcoin Core that has since been merged and implements Taproot. It was a massive pull-request, a magnum opus that a lot of people reviewed. There are several other names, maybe a dozen people who have been actively developing.
What’s really exciting about the development this time around, compared to SegWit and anything else we’ve done in the past, is that we have probably over one hundred active reviewers. People are really digging into this code, asking hard questions, asking to change things. We’ve had a lot of eyes on the code and the design.
Following the Easter break, a meeting was held on April 6th mainly to discuss whether to use BIP-113 median time-past (MTP) or block height for the start and timeout parameters. Several participants, finding either option acceptable, agreed to engage in a coin flip:
As such a coinflip is being run via
bitcoin-cli getblockhash $((678059+20)) | cut -b64 | grep -q '[02468ace]' && echo MTP || echo height
(that’s about 13 blocks from writing). If it comes up MTP, contributors mentioned below will work towards moving MTP forwards. If it comes up height, contributors mentioned below will work towards moving height forwards.
The outcome was “in favor of MTP.” Folkson and others disagreed with this method of decision-making. Corallo pointed out that “the two authors of actual code for the two proposals here also came to an agreement on a way forward, so it’s not like it was a ‘coin toss to overrule everyone on the other side.’” Harding referenced an Internet Engineering Task Force (IETF) document on rough consensus, and explained that this was “the same method I’ve been using in Bitcoin-related discussions for over seven years to help people transition from ancillary arguments back to working on the things they really think are important.”
In TMIBP01, TMIBP03, TMIBP04, TMIBP05, and TMIBP06, I have featured development of the Schnorr-based multi-signature scheme MuSig and its variations. On April 10th, Adam Gibson published “The Soundness of MuSig,” a review of “how we can (or can’t) be sure of the security of these type of Schnorr-based multisig constructions, as we intend to use them in Bitcoin.”
MuSig2 ditches that initial commitment (or perhaps folds it in!), so we are at two rounds. But! The good news is that the first round (the sharing of $R_{i,j}$, $j = 1 \ldots v$) can be pre-processed since it does not depend on the message to be signed. That means in effect that multisignature signing can be (more or less) non-interactive, in the same way that Bitcoin multisig is today (that is: when you have a message to sign, you can just sign it and share with peer(s), although, here, slightly more pre-coordination, in advance at some point, is required due to the nonce setup).
And all this is achieved while maintaining the properties mentioned at the start as desirable: we use a single aggregate key on-chain, making verification indistinguishable from single sig, so better privacy and better scaling (since we achieve the goal without changing the compact nature of the single Schnorr sig).
On April 13th, another meeting was held to discuss Anthony Towns’ “speedy trial” pull-request #21377 and its differences with a user-activated soft fork (UASF) “alternative release.” On April 15th, the “speedy trial” specification was merged into Bitcoin Core by maintainer Michael Ford. For the parameters it uses a “mix of MTP and block height, BIP to be decided.” On April 19th, lead maintainer Wladimir van der Laan shared the first release candidate of Bitcoin Core 0.21.1, which includes these “speedy trial” activation parameters, to the mailing list. The subsequent IRC meeting on April 20th was cancelled since there were “no current agenda items or technical issues to weed out.”
April 20th - FATF PUBLIC CONSULTATION CLOSES
On April 2nd, Unconfirmed podcast host Laura Shin interviewed Dave Jevans, CEO of the blockchain surveillance company CipherTrace, about the guidance for episode #171. He stated that being classified as a VASP would require “DeFi” platforms to engage in “identifying the customer (so KYC), performing sanctions screening of transactions and addresses so you don’t receive funds from sanctioned addresses etc., and potentially the implementation of the so-called Travel Rule.”
I think we’ve been highlighting it at CipherTrace and some of the other work we do with Global Digital Finance (GDF), Chamber of Digital Commerce, and Travel Rule Information Sharing Alliance (TRISA) for probably four, five, six months. I would say much of the industry is not really thinking about it, thinks this isn’t going to happen, or there are specific loopholes in regulations that prevent them from having to do anything. I think this is the first shot across the bow.
I would also say that this is not broad public notice of proposed rulemaking like we saw from FinCEN in the United States in December and January. It is open to anyone, but it is a much more closed group. It is not widely publicized. There will be meetings next week. We’re recording this [podcast] in early April. On April 8th, there will be a meeting of a number of industry participants. On April 15th, there will be a broader meeting of industry participants. I encourage everyone to get involved in those as much as possible, because the proposed recommendations will probably be announced around June 15th 2021 – in which case it would probably be too late to get your voice heard.
The FATF Travel Rule will lead exchanges to disable exchange-to-exchange transactions and only allow transactions to non-custodial wallets. Result: More people using non-custodial wallets… Switzerland is one of the few countries where the Travel Rule is already in place by the regulator. It resulted in all the VASP (crypto exchanges, brokers, banks) only allowing transactions with non-custodial wallets. I think this is also globally a way more likely outcome than the industry agreeing on a standard for implementing the Travel Rule AND the big exchanges actually implementing the Travel Rule at all (often based in jurisdictions who are rather relaxed regarding compliance).
On April 11th, Dutch engineer and financial history consultant Simon Lelieveldt published an article about how their central bank (DNB) was “in the act of frontrunning the FATF-rules.” He also tweeted a fascinating thread about the FATF itself being a “red flag” as an organisation, given that he was not able to obtain information about their articles of association or legal entity identifier. “We must see it as a hostile takeover of tax authorities seeking illegitimate ways to harvest commercial data beyond the remit of penal law rules.” He had previously cited a research paper from the Tilburg Institute for Law, Technology, and Society, “analysing the necessity and proportionality” of regulations like AMLD, which concluded their foundation was “shaky, untrue and outright bizarre.” In January, he had also published his comments to FinCEN regarding their proposed rulemaking (covered in TMIBP07 and TMIBP08).
I find it quite ironic that the US, that saved the Dutch population from a dictatorial regime, that taught us about the importance of human rights, true democracies, freedom of speech, privacy and the importance of the presumption of innocence, is now the country that violates the values it has inspired into others.
With one day left before the end of the consultation, FATF tweeted a reminder to “share your views” on the draft. Coin Center’s Peter van Valkenburgh submitted their extensive commentary and summarised it in a blog post. Regarding various “internal contradictions” in this proposed conception of a VASP, he warned that they will be “making persons’ privacy and speech rights vulnerable to arbitrary curtailment from overzealous prosecution.”
As we argue in our full comment, this classification would violate essential human rights to privacy and free expression described in the International Covenant on Civil and Political Rights (ICCPR), the European Convention on Human Rights (ECHR), and the U.S. Constitution. Under the ICCPR surveillance obligations must always be “reasonable in the particular circumstances” and the law must “specify in detail the precise circumstances” in which surveillance is permitted. Under the ECHR, privacy invasive laws must be “formulated with sufficient precision to give citizens an adequate indication as to the circumstances in which and the conditions on which public authorities are empowered to resort to measures of surveillance.” The proposed guidance’s vague and contradictory standards do not conform with those basic guarantees of the rule of law and human dignity described within the ICCPR and ECHR.
This non-justiciable and sweeping standard would also burden member states with a Sisyphean task that would distract from, rather than enhance, existing efforts to stop crime and terrorism.
April 22nd - PRIVACY FOR JOURNALISTS
I joined Max Hillebrand for the twelfth episode of “Join the Wasabikas” to discuss Bitcoin, my revision-controlled journalism project, and privacy. My favourite soundbite concerns the contrasting yet complementary relationship between privacy advocacy and journalism.
The internet, as they say, never forgets. Memory is very important in a just society in order to hold people accountable for their actions; in an unjust world that not only can’t forget but won’t forgive, then it can become a tyranny.
April 23rd - TESTNET ATOMIC SWAPS WITH MONERO
In TMIBP03, TMIBP05, and TMIBP07, I have been following the development of a cross-chain atomic swap protocol for bitcoin and Monero. The Farcaster project continues, and in February, following the shutdown announcement of the XMR.to exchange, Philipp Hoenisch and Lucas Soriano del Pino published a paper on another implementation based on Gugger’s.
In this work, we give a high-level sketch of a new protocol which expands on the ideas of the original to serve a new use case. In particular, by applying adaptor signatures to the Monero signature scheme, we make possible atomic swaps in which the party holding BTC is no longer the one vulnerable to draining attacks. A real-world service provider could therefore leverage both protocols to put up buy and sell BTC/XMR offers as a market maker.
In their video demo, del Pino shared a prototype that swaps between a Bitcoin testnet and Monero stagenet. During March, they invited people to participate in a public showcase, and iterated based on feedback. On April 23rd, ‘TDev’ confirmed that the Samourai Wallet backend was used for the bitcoin side in at least two of these atomic swaps, on April 19th and another that same day.