
Welcome to the seventeenth issue of the ‘This Month in Bitcoin Privacy’ newsletter. Enjoy!

"69.006 BF1976 Privet Hawk-moth, Sphinx ligustri" by Patrick Clement is licensed under CC BY 2.0.

Table of Contents

  1. FATF Travel Rule Updates
  2. The State of Lightning
  3. A Future Under Central Bank Digital Currency
  4. Privacy Tools Adds Bitcoin Wallets
  5. Financial Sovereignty Through Mining


In TMIBP02, TMIBP04, TMIBP05, TMIBP06, TMIBP07, TMIBP10, TMIBP11, TMIBP12, TMIBP13, and TMIBP14, I have followed reports from the Financial Action Task Force (FATF) and the impact of its guidance around the world, specifically regarding the Bank Secrecy Act (BSA) Travel Rule, which “requires all financial institutions to pass on certain information to the next financial institution” when a transfer fits certain criteria. Towards the end of September, the German federal ministry of finance (Bundesministerium der Finanzen) released the “Crypto Asset Transfer Regulation,” or Kryptowertetransferverordnung (KryptoWTransferV), scheduled to come into force on the 1st of October.

[DE] Die lückenlose Rückverfolgbarkeit der an einer Übertragung von Kryptowerten Beteiligten dient der Verhinderung, Aufdeckung und Ermittlung von Geldwäsche und Terrorismusfinanzierung sowie der Überwachung von Sanktionsumgehungen. Die Verordnung ordnet ferner an, dass ein Verpflichteter sicherstellen muss, dass Angaben zum Begünstigten oder Auftraggeber einer Übertragung erhoben werden, wenn die Übertragung von oder auf eine elektronische Geldbörse erfolgt, die nicht von einem Kryptowertedienstleister verwaltet wird, auch wenn eine Übermittlung der Daten in diesem Fall nicht in Betracht kommt.

[EN] Full traceability of the parties involved in a crypto value transfer serves to prevent, detect, and investigate money laundering and terrorist financing, as well as to monitor sanctions evasion. The regulation also orders an obligated party to ensure that information on the beneficiary or originator of a transfer is collected when the transfer is made from or to an electronic wallet that is not managed by a crypto value service provider, even if a transfer of the data is not an option in this case.

On October 13th, the German language Bitcoin magazine BTC21 tweeted at Berlin-based neobank Nuri (formerly known as Bitwala) regarding a customer whose account had been frozen or closed after it was found that coins withdrawn from the service had subsequently gone through a CoinJoin.

[DE] Kann @NuriBanking erklären, wieso sie einem Kunden das Konto sperren, nur weil zwei seiner Transaktionen zum Coinjoinen benutzt wurden? Coinjoins sind nicht illegal. Es geht euch überhaupt nichts an, wohin Kunden ihre Coins senden, nachdem sie euer Wallet verlassen haben.

[EN] Can @NuriBanking explain why they block a customer’s account just because two of their transactions were used to coinjoin? Coinjoins are not illegal. It is none of your business where customers send their coins after they leave your wallet.

Their screenshot shows a series of questions, presumably sent from Nuri to the customer, regarding two transactions made in February:

[DE] Welchen Zweck hat / haben folgende/n Transaktion/en? Welche Beziehung besteht zwischen dir und der Gegenpartei? Bitte stelle uns der/n Transaktion/en zugrundeliegende Dokumente zur Verfügung (z.B. Rechnungen, Verträge, Vereinbarungen).

[EN] What is the purpose(s) of the following transaction(s)? What is the relationship between you and the other party? Please provide us with the underlying documents of the transaction(s) (e.g. invoices, contracts, agreements).

Nuri responded to the tweet:

[DE] Durch die gestellten Fragen und deren Beantwortung kommen wir, als auch unser Banking-Partner, unseren rechtlichen, als auch regulatorischen Pflichten nach. Wir verstehen, dass die Fragen weitreichend sind, können dir aber versichern, dass diese streng vertraulich behandelt und nur zur Erfüllung unserer Pflichten verwendet werden.

[EN] By asking and answering these questions, we, as well as our banking partner, fulfill our legal and regulatory obligations. We understand that the questions are extensive, but we can assure you that they will be kept strictly confidential and will only be used to fulfill our obligations.

Towards the end of the month, Nuri wrote that they were taking direction as a tied agent of their partner bank, Solarisbank.

A short thread and statement re: #coinjoin and recent regulations: As a tied agent of @solarisbank, we 100% adhere to their policies and directions when it comes to interpreting rules and regulations regarding crypto and money transfers. There is a lot of new regulation coming into effect, the interpretation of which is not always 100% clear. Be assured that behind the scenes, we are doing everything we can to maintain “Freedom of Transaction” for everyone as much as possible. We are taking all concerns very seriously and are doubling down on our efforts to educate our customers, partners, competitors, and regulators about the technical and social possibilities of bitcoin.

In TMIBP13, I noted that the FATF planned to finalise their guidance in October. On October 28th, they released their 111-page “Updated Guidance for a Risk-Based Approach for Virtual Assets and Virtual Asset Service Providers.” Coin Center’s director of research Peter van Valkenburgh summarised the changes and remaining issues with it.

The penalties for failure to obey financial surveillance obligations in the US are severe, including felony criminal liability, substantial fines, and jail time. It is, therefore, inappropriate for a law with such unforgiving penalties to be drafted with such circumspect and uncertain terms.

As a silver lining, remember that this guidance document is entirely non-binding. FATF is not a creature of law or treaty and nothing that they release is self-executing. Moreover, only the FATF “recommendations,” themselves, (rather than their “guidance” publications) are intended to set standards that member states should adopt into actual law. Those recommendations have not been changed by this recent release from FATF. In the US, at least, our existing rules from FinCEN are already sufficient to implement the FATF recommendations. Therefore, this guidance does not and should not necessitate any new policy from our AML regulators here in the US.


The Oslo-based analysis and consulting group Arcane Research published a “comprehensive overview of usage on the Lightning Network,” titled ‘The State of Lightning.’ Using “gathered private data from several companies in the Lightning ecosystem, among other popular wallet providers,” a few privacy-related points they highlight include estimates about the ratio of public versus private / unannounced channels…

From May 1st till September 30th, the number of public channels grew by 80% from 39,281 channels to 70,583 channels, amid a period of unusually low on-chain fees. This does not reflect the complete picture of the number of channels on the Lightning Network, as many channels are private and not broadcast to the entire network. Thus, the actual channel count is likely far higher than what’s reflected by the public data. BitMEX Research estimated that 27.8% of all Lightning channels were private in January 2020. To our understanding from talks with industry-leading experts, the share of private channels on Lightning could be even higher now. Thus, the BTC capacity, channel count, and node count from public data is most likely a significant underestimation of the current size of the Lightning Network.

usage statistics for payments toward goods and services (though it’s not clear what ‘privacy services’ consists of)…

In terms of payment value, trading and privacy services account for a large portion of spending, totaling about three-quarters of a million dollars each. We further estimate that about $230,000 was used on gift cards, $150,000 for gambling and gaming, $130,000 for merchant payments, and $400,000 for other purposes.

and how Lightning will impact e-commerce data collection practices.

There are several reasons for why the Lightning Network will play a vital part in these industries in the future. This is not only related to instant micropayments to make a more seamless experience, where consumers meet a simple QR code when they want to pay for goods and services and payments are instant, but also in terms of privacy. We will gradually move over to using services that require less personal information, credit card information and other details connected to your profile. Why? Because the only tool you need to access your Lightning wallet will be you. This will also enhance privacy from what we see with on-chain bitcoin transactions today, as the public won’t know what you’re using your Lightning funds for.

However, as we can see from the methodology of this report and Bitfury’s Lightning Peach in 2019, users must be careful with their wallet and node software choices, as use of second-layer networks does not eliminate avenues for data collection. I have previously covered Lightning privacy in TMIBP01, TMIBP02, TMIBP03, TMIBP04, TMIBP05, TMIBP07, TMIBP08, TMIBP10, TMIBP11, TMIBP12, and TMIBP14. This month, Wasabi’s Trellz Lewis summarised a podcast on the topic featured in TMIBP10.


In TMIBP05, TMIBP08, TMIBP12, and TMIBP14, I have followed exploration and criticism of central bank digital currencies (CBDCs). The topic has attracted the attention of whistleblower and Freedom of the Press Foundation president Edward Snowden, who published a long-form piece on his personal Substack with the subtitle: “Central Banks Digital Currencies will ransom our future.” In the essay, Snowden uses a theoretical future user of “e-dollars” to draw the link between financial surveillance and censorship.

Will a CBDC be helpful to him? Will an e-dollar improve his life, more than a cash dollar would, or a dollar-equivalent in Bitcoin, or in some stablecoin, or even in an FDIC-insured stablecoin?

Let’s say that his doctor has told him that the sedentary or just-standing-around nature of his work at the bank has impacted his health, and contributed to dangerous weight gain. Our guard must cut down on sugar, and his private insurance company — which he’s been publicly mandated to deal with — now starts tracking his pre-diabetic condition and passes data on that condition on to the systems that control his CBDC wallet, so that the next time he goes to the deli and tries to buy some candy, he’s rejected — he can’t — his wallet just refuses to pay, even if it was his intention to buy that candy for his granddaughter.

Or, let’s say that one of his e-dollars, which he received as a tip at his gas station job, happens to be later registered by a central authority as having been used, by its previous possessor, to execute a suspicious transaction, whether it was a drug deal or a donation to a totally innocent and in fact totally life-affirming charity operating in a foreign country deemed hostile to US foreign policy, and so it becomes frozen and even has to be “civilly” forfeited. How will our beleaguered guard get it back? Will he ever be able to prove that said e-dollar is legitimately his and retake possession of it, and how much would that proof ultimately cost him?

On October 20th, Wasabi published an op-ed by community manager Karo Zagorus that also focused on this potential reality:

To better control money, it has become important to control who spends what and where. Today’s digital banking is not fully digitalized since it still relies on a bank’s internal ledger system to run the accounts. But as Central Banks take further control with Central Bank Digital Currencies (from now on CBDCs), the more control they will have over inflation.

The next system will have the bank’s centralized accounts running on the national central bank’s own ledger. This will allow the central bank to directly monitor the flow of money. The smallest spending you make in the future will be permanently recorded by the government and will be open to analysis by third parties. Privacy will not exist in this world because to stop the effects of inflation from being realized, they need to find new creative ways to stop you from spending your money.

On October 25th, the European Central Bank (ECB) announced the members of their new “Digital Euro Market Advisory Group,” consisting of “30 senior business professionals” belonging to various merchants, payment processors, and banks. They note that “meetings are to be held at least quarterly, starting in November 2021.”


Privacy Tools, a popular online resource for “services, tools and knowledge to protect your privacy against global mass surveillance,” announced that they had added a new section for privacy-focused Bitcoin wallets. The list includes Samourai Wallet, Sparrow Wallet, and Wasabi Wallet. Note: Their hardware wallet recommendation is unknown to me. More than a week later, they added another new section about Monero.


In TMIBP06, TMIBP07, TMIBP12, and TMIBP15, I have looked at privacy in the mining process and industry. This month, the mining marketplace and service provider Compass Mining held an interview with ‘Diverter’ (author of “Mining for the Streets”) and Human Rights Foundation (HRF) director Alex Gladstein about “the usefulness of bitcoin mining as a tool for financial sovereignty.” They encouraged listeners to see at-home mining as a way to acquire bitcoin more privately, and contribute to the security and decentralization of the network.

What I’m fond of saying, and a couple others are as well, is that it’s not so much that there is a premium on non-KYC sats. The reality is, the non-KYC price… that is the price, that’s the street price. When you buy on a centralized KYCed exchange, you’re actually getting a discount. You’re getting a discount for your data.

… Suddenly within a year, I’ve watched this whole narrative change now, to where it’s not immediately dismissed anymore. Now we’re down to the nitpicking stuff, you know, whether it’s actually anonymous or private.

Gladstein argued that “at-home mining / very small operation or off-grid mining actually could be more resilient in some ways to state capture and attack than large industrial-scale” facilities; ‘Diverter’ clarified that this consisted of being “still on the grid, but you blend in like everyone else,” and he sees this as “the future of Bitcoin mining.” He also cautioned mining pools against data collection on participants, given the regulatory attention it could invite.

For information on the viability of independent, at-home mining to acquire non-KYCed bitcoin (U.S.-focused), read here.

No stories on Taproot this month, but still: check out Bitcoin Optech Newsletter #169, #170, #171, and #172 for their “weekly series about how developers and service providers can prepare for the upcoming activation of taproot,” and other recent technical developments beyond Bitcoin privacy.

Thanks for reading! Feel free to bookmark or subscribe to catch the next edition of ‘This Month in Bitcoin Privacy.’