
Welcome to the sixth issue of ‘This Month in Bitcoin Privacy’ newsletter. Enjoy!

"Moth and Cactus" by incidencematrix is licensed under CC BY 2.0

Table of Contents

  1. MuSig2
  2. Wasabi Wallet 2.0
  3. EU Draft Resolution on Encryption
  4. State of the Onion and Nym
  5. Block Digest Special Edition: Frank Braun
  6. Hodl Hodl P2P Lending for Americans
  7. Know Your Customer’s Customer (KYCC)
  8. How Private Is My Pay App?
  9. Civil Liberties Versus Digital Mercenaries
  10. Coldcard Beta PayJoin Support
  11. Taproot’s Impact on Bitcoin Privacy
  12. Introducing Soroban

November 4th - MUSIG2

In TMIBP05, I highlighted the new “MuSig2: Simple Two-Round Schnorr Multi-Signatures” paper. Co-authors Jonas Nick and Tim Ruffing published a follow-up on the key differences between MuSig / MuSig1, MuSig2, and MuSig-DN. They will be presenting their work at the Real World Crypto (RWC) conference in January 2021.

With the Taproot update to Bitcoin getting closer to potential activation, there has been considerable interest in the MuSig multisignature scheme. MuSig allows a group to collectively own some bitcoin and create a single signature to authorize a payment. Due to MuSig’s innovative key-aggregation feature, this signature is a regular Schnorr signature that can be processed by Bitcoin once Taproot is activated. When used to create multisig wallets, MuSig reduces transaction fees and increases privacy compared to the traditional way of using the CHECKMULTISIG opcode for n-of-n signatures, which needs n public keys and n ECDSA signatures on the blockchain.
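To make the key-aggregation point concrete, here is an added, self-contained illustration of the MuSig2 signing flow (my own example code, not the paper's reference implementation and not BIP340-exact: the hash tags, the 64-byte point encoding and the lack of x-only key handling are this example's simplifications). It builds secp256k1 arithmetic from scratch so it runs offline, aggregates three public keys with per-key coefficients, runs the two rounds of MuSig2 with two nonces per signer, and then verifies the result with ordinary single-key Schnorr verification, which is why the verifier (and the blockchain) cannot tell how many signers were involved.

```python
import hashlib
import secrets
from typing import List, Optional, Tuple

# secp256k1, the curve Bitcoin uses (field prime, group order, generator).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
Point = Optional[Tuple[int, int]]  # None stands for the point at infinity


def add(p1: Point, p2: Point) -> Point:
    """Affine point addition, covering doubling and the infinity cases."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k: int, p: Point) -> Point:
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, p)
        p = add(p, p)
        k >>= 1
    return acc


def enc(p: Point) -> bytes:
    return p[0].to_bytes(32, "big") + p[1].to_bytes(32, "big")


def h(tag: str, *parts: bytes) -> int:
    """Domain-separated hash to a scalar; the tags are this example's own, not BIP340's."""
    return int.from_bytes(hashlib.sha256(tag.encode() + b"".join(parts)).digest(), "big") % N


def key_agg(pubkeys: List[Point]) -> Tuple[Point, List[int]]:
    """MuSig key aggregation: X = sum a_i * X_i with a_i = H(L, X_i).
    The per-key coefficients are what defeat rogue-key attacks on a plain sum of keys."""
    L = b"".join(enc(pk) for pk in pubkeys)
    coeffs = [h("keyagg", L, enc(pk)) for pk in pubkeys]
    X = None
    for a, pk in zip(coeffs, pubkeys):
        X = add(X, mul(a, pk))
    return X, coeffs


def musig2_sign(seckeys: List[int], msg: bytes) -> Tuple[Point, Tuple[Point, int]]:
    """Simulate all n signers locally; return (aggregate key, signature)."""
    pubkeys = [mul(x, G) for x in seckeys]
    X, coeffs = key_agg(pubkeys)
    # Round 1: every signer broadcasts TWO nonce points. Nonces must be fresh
    # randomness per session: a nonce reused across two sessions with different
    # challenges, or derived deterministically from the key so that a co-signer can
    # make it repeat, reveals the secret key.
    nonces = [(secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1) for _ in seckeys]
    R1 = R2 = None
    for r1, r2 in nonces:
        R1 = add(R1, mul(r1, G))
        R2 = add(R2, mul(r2, G))
    # The coefficient b ties the effective nonce to everyone's contributions; this
    # binding is what lets MuSig2 drop MuSig1's extra nonce-commitment round.
    b = h("noncecoef", enc(R1), enc(R2), enc(X), msg)
    R = add(R1, mul(b, R2))
    e = h("challenge", enc(R), enc(X), msg)
    # Round 2: partial signatures are plain scalars and simply sum up.
    s = 0
    for (r1, r2), a, x in zip(nonces, coeffs, seckeys):
        s = (s + r1 + b * r2 + e * a * x) % N
    return X, (R, s)


def verify(X: Point, msg: bytes, sig: Tuple[Point, int]) -> bool:
    """Ordinary Schnorr verification, s*G == R + e*X; the verifier never learns n."""
    R, s = sig
    e = h("challenge", enc(R), enc(X), msg)
    return mul(s, G) == add(R, mul(e, X))


if __name__ == "__main__":
    keys = [secrets.randbelow(N - 1) + 1 for _ in range(3)]  # constructed 3-of-3 group
    digest = b"constructed transaction digest"
    X, sig = musig2_sign(keys, digest)
    print("aggregate signature valid:", verify(X, digest, sig))
```

The on-chain footprint is the thing to notice: `verify` consumes one 64-byte point plus one scalar against one aggregate key, whereas the CHECKMULTISIG path the paragraph describes would place n public keys and n ECDSA signatures in the witness. The pure-Python curve arithmetic is for readability only and is neither constant-time nor suitable for real key material.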

November 5th - WASABI WALLET 2.0

A few days after their two-year anniversary, Wasabi announced the upcoming release of next-generation “user interface (UI), user experience (UX) and coinjoin (CJ) improvements” in the wallet. They note that “manual coinjoining will be a thing of the past or for power users only.”

The long-awaited WabiSabi will also make its debut. It will facilitate faster, more cost-efficient collaborative transactions without waste, lay the foundation for payments within coinjoins and open the door for combinations with other technologies.

Adam Gibson also published an in-depth breakdown of the “technical (cryptographic) underpinnings” and privacy guarantees of WabiSabi, in comparison to JoinMarket and the current implementation of Wasabi with Chaumian CoinJoins. As I have previously covered in TMIBP01 and TMIBP03, this is a new variable-amount Chaumian CoinJoin (CCJ) protocol, and Ficsór has been planning to replace their current algorithm since 2018.

November 6th - EU DRAFT RESOLUTION ON ENCRYPTION

In TMIBP05, I included warnings about anti-encryption lobbying “encouraging the EU’s member states to agree to a new EU position on encryption in the final weeks of 2020.” A draft resolution from the Council of the European Union (EUCO) on “security through encryption and security despite encryption” has since surfaced, updating a declaration made last month:

Moving forward, the European Union strives to establish an active discussion with the technology industry, while associating research and academia, to ensure the continued implementation and use of strong encryption technology. Competent authorities must be able to access data in a lawful and targeted manner, in full respect of fundamental rights and the data protection regime, while upholding cybersecurity. Technical solutions for gaining access to encrypted data must comply with the principles of legality, transparency, necessity and proportionality.

According to the Austrian national radio station and media outlet FM4, which shared the document prominently, this resolution was bolstered by U.S. Attorney General Barr’s “International Statement: End-To-End Encryption and Public Safety” in October. While not legally binding in itself, the news has drawn the ire of security researchers and journalists. A few days later, encrypted email provider Tutanota, the Committee to Protect Journalists (CPJ), and various digital rights organisations called for it to be withdrawn. On November 27th, the civil liberties non-profit Statewatch shared all known iterations of the document and reported on the process to come:

The declaration sets out the Council’s policy stance on obtaining access for state authorities to encrypted data, but does not establish any new binding measures. However, the declaration notes that a “regulatory framework… could be further assessed.”

November 10th - STATE OF THE ONION AND NYM

In TMIBP04, I pointed out research being conducted by the Tor Project into using anonymous tokens, for the purpose of defending against denial-of-service (DoS) attacks. This was one of the topics listed in the agenda for their annual “State of the Onion” presentation.

Onion services developer George Kadianakis rehashed the analogies and use cases introduced in his original blog post, such as a secure and human-memorable name system for onion services, replacing CAPTCHA puzzles for granting access to private bridges, and incentivising relay operators. He did not provide any further detail about the development of these features.

In TMIBP01 and TMIBP05, I have highlighted the importance of improving network privacy; in TMIBP03, I also summarised discussion about the risks for users who share addresses or even extended public keys (xPubs) with untrusted third parties. On November 11th, in the latest release(s) of their new desktop application, Trezor has enabled Onion-Location and integrated a ‘Tor Switch’ feature, making it a little easier for users to “quickly and effectively bring greater anonymity and peace of mind by masking your network activity.” Trezor services can also be used within the Tor browser.

It is important to understand how this improves user privacy and how it doesn’t. Using Tor can protect against network observers attempting to link off-chain data points, such as IP address and geographic location, with on-chain data. Unless you use your own node, Trezor’s services could still correlate your addresses together if you are querying the balances from the same network identity. Tor will also not obscure your transaction history on the blockchain or fix poor coin management practices.

On November 13th, Nym Technologies released version 0.9.0 of their testnet with a reputation-based reward system as a “mechanism to regulate the number of nodes so the sweet spot in the network is achieved.”

To recap, until now the incentives for running a mix node, or mix mining rewards, were being distributed to node operators equally and purely based on having a node be online, regardless of how many packets they mixed. From this release however, rewards are distributed proportional to the reputation score that a mix node gains during an epoch (currently weekly for those using a Liquid address or monthly for everyone else). Factors such as uptime, number of mixed packets, and also dropped packets all contribute to the reputation of a node.

… For the Nym mixnet to provide privacy for the users, the size of the network (number of nodes) should be proportional to the amount of traffic that goes into it. For comparison’s sake, let’s say the Nym mixnet is a public transport system, where instead of packets there are passengers and instead of nodes there are buses. With too many buses in circulation and too few passengers, there will be too much waste in the network. On the other hand with too many passengers and too few buses there will be delays and dissatisfactions.

Now in this network if you also want to be private, then all the passengers should disguise the same way, just like Nym Sphinx packets, and there will always be a sweet spot between the number of identical looking passengers in the network and the buses they fill such that they can not easily be traced and de-anonymised. With too many buses, each passenger will take a separate bus (and so won’t “mix” with other passengers), and can be de-anonymized even if all the passengers wear the same disguise.

November 12th - BLOCK DIGEST SPECIAL EDITION: FRANK BRAUN

“Cypherpunk, cryptoanarchist, privacy extremist, and dark net aficionado” Frank Braun was interviewed by Shinobi for a Block Digest special edition episode. With the theme of discussion focused on under-appreciated threats to and overconfidence in Bitcoin’s success, they covered DMG Blockchain Solutions’ / Blockseer’s requirement for their mining pool participants to “pass KYC (Know Your Customer) protocols,” his federated Chaumian ecash project Scritcash, whether Lightning nodes could be classified as money transmitters, the cost of custodial compliance, state-sponsored attacks on infrastructure, motives of institutional investors, tax reporting, and network privacy development.

November 13th - HODL HODL P2P LENDING FOR AMERICANS

In TMIBP05, I covered the launch of Hodl Hodl’s new peer-to-peer lending platform. As planned, this month they announced that they had officially opened to the U.S. market.

As you know, Hodl Hodl has not served the US market up until this moment, however we have always wanted to enter the US market. So our new Bitcoin DeFi project has become the best tool to start, since being non-custodial and eliminating fiat has helped us remove the barriers to entry.

Lend at Hodl Hodl is the first of our products entering the US, and we aim to bring more products to the US market, allowing American users to benefit from the truly P2P services of Hodl Hodl.

Removing fiat also removes the currency barriers, meaning that you, being a lender from the US, can lend to a person from Russia, and vice versa, and for anywhere in the world. So create your offers, and let Bitcoin erase boundaries.

November 16th - KNOW YOUR CUSTOMER’S CUSTOMER (KYCC)

Bitonic, a Netherland-based cryptocurrency exchange, announced that they had “added an additional verification measure regarding Bitcoin addresses” in response to new screening requirements imposed by the Dutch central bank (DNB) under the Sanctions Act.

From now on, we are required to ask additional details such as the purpose with which you intend to purchase Bitcoins and what kind of wallet you use. Furthermore, we are obligated to verify that you are the legitimate owner of the given bitcoin address by requesting you to upload a screenshot from your wallet, or by signing a message.

We understand that these additional measures cause nuisance for our customers and we do not agree with the measures ourselves. Therefore we offer the opportunity to formally object to these additional measures and the registration of this data. We will soon release a custom form intended specifically for this purpose. For the time being, you are invited to send complaints to privacy@bitonic.nl.

On the same day, the DNB also announced that the deadline for crypto service providers to register under European anti-money laundering directives was November 21st. (Note: The English version of the news bulletin confuses the fourth and fifth directives together; the Dutch version cites only the fourth.) Bitonic soon notified customers that their registration under AMLD5 had been completed, though they have “mixed feelings about the new legislation.”

On the other hand, we are very concerned about proportionality, the criminalization of the industry and especially the privacy of our customers. We see that European legislation has been introduced in other European countries with a greater understanding of the market and technology. Of all those countries, the Netherlands appears to face the most extreme demands, and we are very disappointed by this.

Journalist Aaron van Wirdum shared this news, and received a response from the DNB that they do “not impose” what “specific procedure for verification” these services must use, and referenced a list of suggested methods, including “screen sharing or video conferencing at the time of logging in.” Swiss developer David Knezić pointed out that guidance from their Financial Market Supervisory Authority / Finanzmarktaufsicht (FINMA), based on Financial Action Task Force (FATF) recommendations from June 2019, is similar.

In TMIBP01, I noted that these directives did not consider non-custodial wallets to be “obliged entities.” In TMIBP02 and TMIBP05, I looked at the development of a U.S.-based inter-VASP system for sharing customer data as part of their Travel Rule compliance under the Bank Secrecy Act, which Reason accurately describes as “the PATRIOT Act for money.”

On November 18th, in an expert opinion post for Coin Center, former Department of Justice chief of the Asset Forfeiture & Money Laundering Section (AFMLS) Jaikumar Ramaswamy argued that non-custodial wallets “pose less illicit finance risk than commonly believed,” and that “policymakers seeking to prohibit or restrict their development and use would be wise to heed King Canute’s warning about the futility of stopping the ocean’s tides from rising.”

They effectively establish KYCC — “know your customer’s customer/counterparty” — requirements that have traditionally been resisted by financial regulators for good reason. Unlike KYC requirements which arise from a direct customer relationship, KYCC requirements unreasonably obligate non-customers to provide personally identifying information to a VASP/MSB they do not know or do business with, and whose security and privacy practices they have not evaluated, simply because they happen to transact with one of its customers. Collecting identity information from individuals who are not customers would also prove challenging for VASPs, and likely only limit access to legitimate customers — particularly those from financially disadvantaged communities who stand to benefit most from this technology — since illicit actors would simply employ so-called money mules, or use stolen and synthetic identities to defeat the requirement, just as they do with respect to KYC requirements today. The result would be to further exclude financially marginalized populations and hinder innovation which could serve their needs, without meaningfully affecting illicit financial activity.

On November 25th, Coinbase CEO Brian Armstrong tweeted that he had “heard rumors that the U.S. Treasury and Secretary Mnuchin were planning to rush out some new regulation regarding self-hosted crypto wallets before the end of his term.”

This proposed regulation would, we think, require financial institutions like Coinbase to verify the recipient/owner of the self-hosted wallet, collecting identifying information on that party, before a withdrawal could be sent to that self-hosted wallet… We sent a letter to the Treasury last week, along with a number of other crypto companies and investors, articulating these concerns and others.

ℹ️ For legal discussion on the Travel Rule and other policy changes that may affect Bitcoin privacy, see episode #18 of the Tangents podcast with Neeraj Agrawal, Jerry Brito, and Peter van Valkenburgh from Coin Center, or the Electric Coin Company’s panel from last month with Josh Swihart, Jack Gavigan, Maria Filipakis, Dana Syracuse, and Yusuf Hussain.

November 17th - HOW PRIVATE IS MY PAY APP?

Last month, PayPal announced that they would allow their customers “to buy, hold and sell cryptocurrency directly from their PayPal account” after they had been granted a Bitlicense by the New York State Department of Financial Services (NYDFS). Predictably, their terms and conditions regarding cryptocurrency, including bitcoin, do not allow withdrawals to other wallets. But what else is there to be concerned about beyond blocking the path to financial sovereignty?

In TMIBP02, TMIBP04, and TMIBP05, I covered the Electronic Frontier Foundation’s calls for more transparency from financial technology companies, in addition to challenging the use of the third-party doctrine with financial records. On November 17th, they published the third episode of their new podcast, “Fixing a Digital Loophole in the Fourth Amendment.” Executive director Cindy Cohn and strategy director Danny O’Brien spoke with human rights attorney Jumana Musa about “how the third-party doctrine is undermining our Fourth Amendment right to privacy when we use digital services.”

One of the things that I remember from listening to the lawyers talk about this at EFF was an incident where the companies were getting so tired of getting these requests, the telcos in particular, that they wrote some tools for law enforcement to get this information more easily, right? They automated the process of getting this data. For me, that’s one of those terrible kind of downhill progressions, where it’s inevitable that if there’s no legal speed bumps to getting this data, the take is that geeks like me are just going to grease that path, right? We’re going to spiral from these arguments that are sort of like this is a specific warrant, but it’s a little non-specific to a world where mass surveillance is just presumed and these companies actively are helping out the governments with it.

In the week prior, freelance writer Sara Harrison and The Markup had published an overview of issues with various payment apps’ privacy policies, including PayPal, Venmo, Apple Cash, Cash App, and Zelle.

PayPal discloses that, in addition to sharing data with financial institutions and credit and fraud detection agencies, the company shares data that may include email, device ID, and IP address with many third parties, including Google, Facebook, Twitter, and AdRoll for advertising purposes. Similarly, Venmo says it shares geolocation data for advertising purposes.

Cash App specifies that it shares information with third parties including Google but that the data is aggregated and anonymized so individual user identities are protected.

In addition to the data collection practices of payment apps, users must also consider the policies of their third party integrations like Plaid. In TMIBP02, I highlighted class action lawsuits that had been filed against them for violating consumer privacy and computer data protection laws. On November 5th, the Department of Justice’s Antitrust Division filed a complaint against Visa’s acquisition. EFF staff technologist Bennett Cyphers wrote that the merger should be stopped because it “is about more than just competition in the financial technology (fintech) space; it’s about the exploitation of sensitive data from hundreds of millions of people.”

That’s what Visa is doing. It’s acquiring everything Plaid has ever collected and — more importantly — access to data flows from everyone who uses a Plaid-connected app. It can monetize the data in ways Plaid never could. And the move completely side-steps restrictions on old-fashioned data sales.

… Beyond this specific case, Congress should take a hard look at the trend of data-grab mergers taking place across the industry. New privacy laws often regulate the sharing or sale of data across company boundaries. That’s great as far as it goes — but it’s completely sidestepped by mergers and acquisitions.

November 19th - CIVIL LIBERTIES VERSUS DIGITAL MERCENARIES

The Cato Institute’s Center for Monetary & Financial Alternatives (CMFA) virtually hosted their 38th Annual Monetary Conference with a focus on “central bank vs. private (centralized and decentralized) digital currencies.” During a panel about “Digital Currency and Civil Liberties” with Martin Chorzempa and Open Money Initiative co-founder Jill Carlson, Human Rights Foundation (HRF) director Alex Gladstein discussed the growing “financial dragnet” around the world, both in democracies and authoritarian dictatorships.

It’s important to note that more than four billion people around the world live under authoritarian governments. We’re talking a majority of the world’s population here, in ninety-five countries. For them, seeking some sort of financial privacy through law is not an option. Maybe it is in the United States, or in Europe, or Japan, etc. But even here, in these countries, we’re having a really hard time preserving any sort of financial privacy.

In TMIBP01 and TMIBP03, I summarised his debates with executives of blockchain surveillance companies. In the same TMIBP01 and TMIBP03 issues, I’ve also followed the foundation’s grants toward developers making Bitcoin “more private, decentralized, and resilient.”

On November 4th, CoinDesk privacy reporter Benjamin Powers had published an article on blockchain surveillance, with comments from Gladstein, O’Brien, Chainalysis communications director Maddie Kennedy, and the Electric Coin Company’s head of growth Josh Swihart. Kennedy claimed that her company, which Gladstein described as one of many “digital mercenaries,” checked whether their clients used their tools to violate human rights.

Chainalysis does engage in such a practice and has a policy of understanding how customers use its data, according to Kennedy. She said that the countries in which the firm sells its product have strong requirements of rule of law and individual privacy. Chainalysis also has an “internal committee and use external data and consultants to approve clients based on a decision framework,” Kennedy said.

She also confirmed Chainalysis would consider canceling a government or law enforcement contract if the company’s services were being used in an unethical manner, and it evaluates government relationships on an ongoing basis.

Such promises provide little comfort to the vigilant. Commercial surveillance companies like the Milan-based Hacking Team historically made similar claims, and even continued to assert them after a data breach of their emails, documents, and code showed this to be clearly false. As I’ve covered extensively in TMIBP01 and elsewhere, the company failed to recover and retain business, and has since splintered off into other firms, including a blockchain surveillance startup acquired by Coinbase in February 2019. If the upper management of a notorious spyware company managed to join one of the largest cryptocurrency exchanges due to “a gap in our diligence process,” we can only wonder what else may be slipping through in other corners of the space.

November 24th - COLDCARD BETA PAYJOIN SUPPORT

Hardware wallet provider Coinkite published a beta release of Coldcard firmware version 3.2.1, which includes new “support for signing Payjoin PSBT files based on BIP-78.” This type of CoinJoin is currently also supported by BTCPay Server, Wasabi, and JoinMarket, which I have covered in TMIBP03 and TMIBP05.

As mentioned in Bitcoin Optech Newsletter #124, another wallet to add PayJoin support recently is Sparrow, a multi-platform lightweight client designed to run with Electrum servers. It already comes with coin control features, hardware wallet compatibility, and Tor.

November 27th - TAPROOT’S IMPACT ON BITCOIN PRIVACY

As the community continues to watch for developers and miners to signal their support for Taproot activation, Blockchair founder Nikita Zhavoronkov published a presentation on why he believes Taproot will have a negative impact on Bitcoin’s privacy.

Zhavoronkov’s arguments hinge on the assertion that “adding new address types leads to a privacy degradation,” using a two output transaction as an example, where the payment and change outputs are sent to different address types. However, “an analyst” could have many other ways of determining which one is change, such as rounded numbers and wallet fingerprints concerning the order of outputs. He does not explain how using one and only one address type renders such analysts “unable to extract valuable information.” Consolidation of UTXOs when migrating to a new wallet can have privacy consequences regardless of the address types used. This concern can also be mitigated when using Samourai Wallet, which will generate a like-type change output that corresponds to the address being spent to.

For example, if you are sending to a segwit enabled address, the change output returned to your wallet will also be segwit enabled. Conversely, if you’re sending to a standard bitcoin address, the change output will be a standard address.
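To show why the address-type argument above is only one signal among several, here is an added example of my own (not code from Blockchair, Samourai, or the original post) that applies two common change-detection heuristics to a constructed two-output transaction: “the output whose script type matches the inputs is the change” and “the round amount is the payment.” Script-type names and the round-amount threshold (whole mBTC) are this example’s assumptions. Running it shows that like-type change removes the address-type signal but leaves the amount signal intact, which is exactly why a single address type alone does not make an analyst “unable to extract valuable information.”

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Output:
    script_type: str  # e.g. "p2pkh", "p2wpkh", "p2tr" (assumed labels, not a real wallet's)
    amount_sat: int


def is_round(amount_sat: int) -> bool:
    """Payments are often typed in as round amounts; this treats whole mBTC as round (assumed threshold)."""
    return amount_sat % 100_000 == 0


def guess_change_index(input_type: str, outputs: List[Output]) -> Optional[int]:
    """Return the index an analyst would flag as change, or None when neither heuristic separates them.

    Heuristic 1: if exactly one output shares the inputs' script type, that one is change.
    Heuristic 2: if exactly one output has a round amount, the other one is change.
    Output-ordering fingerprints (also mentioned in the discussion) are deliberately not modelled.
    """
    if len(outputs) != 2:
        return None
    same_type = [o.script_type == input_type for o in outputs]
    if same_type[0] != same_type[1]:
        return 0 if same_type[0] else 1
    rounded = [is_round(o.amount_sat) for o in outputs]
    if rounded[0] != rounded[1]:
        return 1 if rounded[0] else 0  # the round one is the payment, so the other is change
    return None


def build_outputs(input_type: str, dest_type: str, pay_sat: int, change_sat: int,
                  like_type_change: bool) -> List[Output]:
    """Construct the two outputs of a spend. With like_type_change the change output
    copies the destination's script type (the behaviour described above); otherwise it
    reuses the wallet's own input type, as many wallets do."""
    change_type = dest_type if like_type_change else input_type
    return [Output(dest_type, pay_sat), Output(change_type, change_sat)]


if __name__ == "__main__":
    # Constructed scenario: a native-segwit wallet pays 0.5 BTC to a legacy address.
    for like_type in (False, True):
        outs = build_outputs("p2wpkh", "p2pkh", 50_000_000, 12_345_678, like_type)
        print(f"like-type change={like_type}: flagged change index ->",
              guess_change_index("p2wpkh", outs))
    # Non-round payment plus like-type change: neither heuristic separates the outputs.
    outs = build_outputs("p2wpkh", "p2pkh", 49_876_543, 12_345_678, True)
    print("non-round payment, like-type change ->", guess_change_index("p2wpkh", outs))
```

The three runs print `1`, `1` and `None`: the like-type change output defeats the script-type heuristic, but the change is still identified from the round payment amount until that signal is also absent. Mitigations therefore have to be judged against the whole set of heuristics, not the one a particular wallet happens to address.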

Chris Belcher, developer of JoinMarket, Electrum Personal Server, and CoinSwap, indirectly responded to these claims with a thread on the privacy benefits. If Zhavoronkov is concerned about multiple address types, then he should also be concerned about different multi-signature schemes; Taproot “allows us to do multisig but where all that information is hidden and it looks exactly the same as a single-sig.” With Schnorr signatures, engaging with Lightning will become less obvious: “Scriptless scripts also mean that unilateral LN channel closes will become undetectable. Right now these transactions publish a visible contract on-chain.”

It’s great to see how far we’ve come even with the last soft fork of Segwit which allowed Lightning to come to bitcoin. That’s a huge privacy benefit. Just think of the millions of off-chain transactions that were made and aren’t stored forever in public view on the blockchain.

I have previously covered the privacy benefits of Taproot in TMIBP02, TMIBP03, and TMIBP05. Nick has summarised the significant development events here.

ℹ️ Check out Bitcoin Optech Newsletter #122 and #125 for summaries on Taproot activation and other recent technical developments beyond Bitcoin privacy.

November 30th - INTRODUCING SOROBAN

Samourai Wallet released version 0.99.96 of their mobile app, “focused primarily on improving load times, improving Tor reliability, streamlining PayNym functionality,” and the public release of Soroban, an “app agnostic, Tor based encrypted communication protocol” for coordinating collaborative CoinJoins. They had opened it for public beta testing in September.

These types of automated and secure communications are particularly useful when trying to compose complex bitcoin transactions with multiple parties. As such, Soroban can also be leveraged for existing technologies like JoinMarket, and in-development technologies like Coinswap and Snickr.

… By leveraging Soroban we can now offer users a reliable and fast way to get around the QR Dance. Instead of manually having to share and scan 5 different QR codes, everything is automatically communicated with your collaborator in encrypted private messages delivered over Tor.

Thanks for reading! Feel free to bookmark or subscribe to catch the next edition of ‘This Month in Bitcoin Privacy.’