Cooperative unmixing for anti-money-laundering

[Tom Scholl]

Suppose everyone routinely mixes every coin they receive. A haven for money-launderers? Not if we don't want it to be...

TL;DR If a large enough % of people in a mix decide to secretly report their (input, output) mix pair to a chosen AML organisation, the organization can trace dirty money going through the mix. This can all be done automatically. This might lead to AML organizations encouraging model citizens to use mixers routinely to keep that % high.

Protocol

Whenever you make a payment to anyone with a freshly mixed coin, you generate a new Bitcoin address as a "notify" address for that coin. You sign the notify address with the address key you're paying from, and encrypt the result with Interpol's well-known public key (or it might be the UN, Bitcoin Foundation, etc).
You give this encrypted "notify" data to the person you've just paid.
If you haven't mixed your coin, you can forward any notify data you received with the coin to whoever you give your coin to, or you can decide you want to block the unmix and just don't pass on any data.

Now when Interpol sees the known proceeds of crime, address X, go into a mix, they wait for the mix outputs to hit well-known businesses like exchanges or Mike Hearn's whitelists in "Decentralized crime fighting". They talk with the exchange and ask for some help tracing address X. The exchange gives them the notify data they have for each coin coming from address X.
Then Interpol makes a standard low-value Bitcoin payment (eg min tx fee) to each notify address, from their well-known Bitcoin address corresponding to their public key.

Your wallet is watching your notify address, and can automatically take some action when it detects the payment from Interpol's address.
You'll have set your wallet to only let Interpol do so many unmixes per year, so they can't abuse the system. If they're within quota, your wallet makes a Tor connection to Interpol's server and securely submits your mix (input, output) pair, with signatures for both the mix input key and mix output key.

So every person who decides to help out Interpol sends them part of the information needed to reverse the mix, enabling them to follow the criminal's money and catch him when he spends it with a well-known business/whitelist server.

http://bitprivacy.org/files/unmixing.png

If it was a 100-person mix, and 90% decide to help Interpol, this system narrows their leads to 10 outputs. Interpol might actively encourage model citizens to routinely mix their coins, to push that percentage higher.

Adversaries
There can be any number of adversaries in a mix.
Adversaries can just be people who don't want to help that AML organization, or they may be malicious and colluding with each other and the criminal in order to implicate an honest participant.
By using the AML organization as a trusted 3rd party this algorithm is resilient to adversaries.

Why use a low-value Bitcoin transaction for notification, shouldn't this use a proper p2p messaging system like Bitmessage?
You could, but every wallet owner would have to sync up with this other messaging system just to help out with AML - I don't think the incentive is really there, hence this lightweight protocol.
Also as Bitcoin transactions are public, everyone can see exactly how much unmixing the AML organization is trying to do, and could adjust their unmix quota for them accordingly.

This tells the AML organization where my coins came from! Isn't there a better way?
Maybe. Here's what I've thought about so far:

• Broken Probabilistic Technique
  Instead of submitting your mix input/output pair to the authority, you could submit your input + a set of m outputs containing your actual output. This hides which your exact output was, and statistical analysis on the data could be able to narrow down the criminal to a few candidates. Repeat the process until you've got them.
  But if there are many malicious participants, they can now totally subvert the process, and completely implicate an innocent party. So we can't use this algorithm.
  
  
• Secure Multi-Party Computation
  You might be able to use MPC to identify the criminal without leaking private data - I don't know enough about this to say.
  

[1714144519]

1714144519

[1714144519]

1714144519

[Stephen Gornick]

encouraging model citizens

Financial privacy is NOT A CRIME!

[jackjack]

encouraging model citizens

Financial privacy is NOT A CRIME!

This


Also, citizens helping Interpol... Come on.

[cr1776]

We who? Do you really want to have every financial move you make available to be scrutinized by everyone? 

Mixing does not imply money laundering. In theory in the US you are innocent until proven guilty and exercising your rights to privacy are an important part of preserving freedom. Just because you have nothing to hide legally does not mean your bank account, sexual preferences and the like should be open to anyone else.

Suppose everyone routinely mixes every coin they receive. A haven for money-launderers? Not if we don't want it to be...

[Dabs]

All one has to do is go to Mt. Gox (or any shared wallet), let the money sit there for awhile, then cash it out. Or to confuse people following the trail, they don't even need to use a mixing service. They can just send a big chunk of it to SD (using the 99% win address) or equivalent in any other gambling game.

Of course, they can lose their money that way too (1% chance of losing it all.)

At the same time, anyone with just the reference client (bitcoin-qt) even without coin control can go about and send his coins to 10 different addresses or more. No one can prove he owns any other address except the first one.

Suppose everyone routinely mixes every coin they receive. That's probably what everyone will want to be doing anyway.

[mustyoshi]

Isn't Bitcoin designed for anonymity? Why would you want to undermine that?

[razorfishsl]

Isn't Bitcoin designed for anonymity? Why would you want to undermine that?

No it is not......
Transactions are traceable.....

[scintill]

Let the anti-anti-money-laundering tricks begin.

[Tom Scholl]

Let the anti-anti-money-laundering tricks begin.

The whole public-ledger setup of Bitcoin can lead to a technological arms race on mixing/tainting. Of course, tainting only works if it's done on an international level as otherwise there'll be a p2p market for swapping US-tainted coins for Russian-tainted coins.

Anyway, sounds like no-one is really interested in this. I suspected as such but I thought I'd throw it out there anyway.

EDIT: Having thought about coin-swapping a bit more, it's a pretty complicated problem with a lot of attacks so I don't think it would immediately kill off more local tainting.

[mustyoshi]

Isn't Bitcoin designed for anonymity? Why would you want to undermine that?

No it is not......
Transactions are traceable.....

Transactions are traceable, but within the blockchain there is nothing to say that such and such address is owned by mr bob from new york, there's barely even things that say such and such group of addresses are mr bob's.

[trout]

OP, in your scheme "cooperating" citizens don't give any more information to  the "interpol" than if they were not part of the mix at all. That is, "interpol" could just as well ask them not to take part in the mix. The only difference they make is that people who want their coins anonymised have more uncertainty as to how many people are using the system for the same purpose.

[Tom Scholl]

OP, in your scheme "cooperating" citizens don't give any more information to  the "interpol" than if they were not part of the mix at all. That is, "interpol" could just as well ask them not to take part in the mix. The only difference they make is that people who want their coins anonymised have more uncertainty as to how many people are using the system for the same purpose.

I see what you're saying. But if you assume the criminals don't all know each other and group together (which they might well do) the statistics do imply more cooperating people is good:

Say we have 900 people who would cooperate, and 1 criminal, and 99 non coops.
Now if only 100 cooperating people use mixing,
the total mix pool is 100 coops + 100 non coops.
If we're doing 10 person mixes, on average we'll get 5 coops and 5 non coops in a mix. Tracing an individual criminal is now pretty hard - you'll get 5 leads per investigation.
But if 900 cooperating people use mixing, the total mix pool is 900 coops + 100 non coops, and on average there'll be only one lead per investigation.

[scintill]

The whole public-ledger setup of Bitcoin can lead to a technological arms race on mixing/tainting. Of course, tainting only works if it's done on an international level as otherwise there'll be a p2p market for swapping US-tainted coins for Russian-tainted coins.

Anyway, sounds like no-one is really interested in this. I suspected as such but I thought I'd throw it out there anyway.

Agreed, but it seems you are jumping the gun on the arms race.  I think few people are going to care either way until "tainted" coins are not accepted by MtGox or people are getting prosecuted for dealing in certain coins.  Doing "The Moral Thing" on our own volition is too hazy of a concept to do any of this sort of thing without overwhelming economic or governmental pressure.  At that point we will start doing exactly what is required to appease those pressures, no more or less.

[threeip]

encouraging model citizens

Financial privacy is NOT A CRIME!

This


Also, citizens helping Interpol... Come on.

This this this!!!

Isn't Bitcoin designed for anonymity? Why would you want to undermine that?

No it is not......
Transactions are traceable.....

Transactions are public but the owner of the address is not^*.

^*for certain values of not.

[oakpacific]

I think OP's point is:"We the People" get to decide if someone's money should be traced, if we don't want to help out tracking down a certain person, the authorities should be powerless. Otoh, if we all decide to cooperate, whether the criminal uses Bitcoin or banknotes makes no difference, he can be traced.

[Sukrim]

As far as I understand it, "anti-launderers" can only "un-mix" as many transactions as they themselves have initiated. To uncooperative launderers that doesn't change anything, they would only increase the volume, which might lead to more customers, both reporting and non-reporting ones...

In your example, 5 inputs (2 unknown, 3 known ones) lead to 5 outputs (in reality probably 6 (--> operator's cut) or even more (--> splitting into more smaller outputs)) of which again 3 are known and 2 unknown.
I don't really see the point other than you paying fees and maybe being able to find out an algorithm behind the outputs (though I guess that can be circumvented if the laundry operator is using enough randomness) - you have the same situation as with only 2 unknown inputs and 2 unknown outputs.

It is a problem with coin laundries though that there is no clear idea who the other participants are - if you can not be convinced that these are not in fact a single entity or (worse) multiple colluding entities as you suggest, there's a problem. The "best" way to launder coins is still buying mining capacity at slightly above returns and request that coins be mined to one of your addresses. This way you'll get vanilla coins that should be untraceable. If you feel risky, you could even spend dirty coins as fee to be mined, but if your miner hits a fork/stale block just at theat moment, you're potentially screwed as other miners then would take this juicy transaction from that block and mine it themselves.

[Mike Hearn]

I think OP's point is:"We the People" get to decide if someone's money should be traced, if we don't want to help out tracking down a certain person, the authorities should be powerless. Otoh, if we all decide to cooperate, whether the criminal uses Bitcoin or banknotes makes no difference, he can be traced.

That's exactly right - oakpacific gets it.

I have a bunch of thoughts on this. But firstly I'd like to thank Tom for being willing to take the inevitable arrows in his back and further research in this direction. It's not popular but it's useful to explore these topics in a neutral manner, without passing judgement on the desirability of the resulting ideas.

I have a lot of sympathy with Stephen's position ("financial privacy is not a crime"). It's a simple, efficient and fair position with no chance of innocent people being accidentally caught up in the system. Unfortunately, it's also wrong. In today's world financial privacy is a crime, that's the entire point of AML laws and I'm sure Stephen knows this. We may hate it, but it stands as fact.

Bitcoin is so new and unexpected (to people in government) that we have a window of time in which we can define the debate ourselves. Unfortunately, if we define it simply as "you are wrong about everything" we simply piss off and make enemies of large numbers of very powerful people, people who derive their power from the belief of ordinary citizens that they are being protected by that stripping of financial privacy.

The default view especially on this forum is to see everything as a battle, usually between good and evil. I prefer to see these things as interesting mental challenges - can we find some innovative compromise solution that makes everyone happy, or at least, if not happy then not actively at war with each other?

The idea of decentralised crime fighting is to present a credible alternative to today's world in which the NSA/Treasury/FinCEN/etc  has a giant database of all financial transactions and mines them looking for terrorists. This arrangement is incredibly dangerous, opening as it does huge potential for abuse as we saw with WikiLeaks, but it also just undermines basic human dignity and is likely to produce huge numbers of false positives. And finally it reinforces the world view that solving social problems means giving ever more power to an ever larger state, a view not many of us have sympathy with. But simply saying the entire crime fighting apparatus should vanish will simply not be seen as credible by the people who were voted in to make those decisions.

So the question is can we imagine an entirely libertarian or even anarchist society in which people voluntarily co-operate to trace thieves and fraudsters? I think it's possible and Tom's research is an important part of that.

On the topic of MPC, yes, MPC can be used. In my original post I linked to a paper that showed implementing private set intersection with MPC can be efficient and is what I proposed (it also solves full set attacks).

I think the idea of quota-ing law enforcement is a good one, but it's unclear to me how people would select quotas. Perhaps some formula based on reported crime statistics would make sense - if crime in general is going down, the number of attempts to trace money flows should go down too. If you see those two statistics diverge it suggests an increasingly authoritarian government. Rather than quota, perhaps people could simply be paid for taking part - the payment from the police in this case would then not be min fee but rather, some value that tries to compensate people for giving up some of their privacy. This setup provides a nice way to decentralise things further as no particular police force or agency would be special, anyone who is willing to pay people to do a trace could do so. Probably for most people they'd be unwilling to give up that privacy no matter what amount of money is offered, but other people might feel differently.

[cr1776]

I think one of the issues that most people have with this type of proposal is that once the camel's nose is under the tent, it is invariably abused.

[jdillon]

I think one of the issues that most people have with this type of proposal is that once the camel's nose is under the tent, it is invariably abused.

Cooperative unmixing is only really voluntary if the people participating in the unmixing are anonymous. Otherwise you have known and non-anonymous individuals facing the charge of obstructing a police investigation. Though I will grant that it has the possibility of delaying investigations through multiple jurisdictions, not unlike the Tor model. Tor however is always pretty clear that participants are expected to not maintain logs, for a reason. So the question is why do we want to move away from that model? You have to ask what is so different about finance verses information that we suddenly give up our resolve to allow people freedom.

No-one talks about co-operative unmasking for Tor operators "just in case" we want to trace a crime committed over Tor that the community can agree on.

[cr1776]

I agree.  Mixing coins is not just for hiding illegality.  If I have 500 BTC at address A, and send 10 to B my hot wallet for my vacation (or to buy a Starbucks or some tequila) C will not be certain that I own A.  With pattern analysis however C can become more confident that I do and then your net BTC worth becomes much more public and you become a target.

Sure, you have a certain degree of anonymity if you are only buying online VPN services, but as soon as you purchase anything offline, you are tying one address and its chain of antecedents to you which drops your anonymity significantly.  With a usage pattern available, it becomes more troublesome.

If I were Satoshi and wished to remain anonymous, I would be holding my coins until they are p2p mixing services established and well used prior to moving coins or he would be outed quite quickly.  (Non-p2p are okay, but logs are kept and you are relying on a third party to be honest and not monitored.)

Cooperative unmixing is only really voluntary if the people participating in the unmixing are anonymous. Otherwise you have known and non-anonymous individuals facing the charge of obstructing a police investigation. Though I will grant that it has the possibility of delaying investigations through multiple jurisdictions, not unlike the Tor model. Tor however is always pretty clear that participants are expected to not maintain logs, for a reason. So the question is why do we want to move away from that model? You have to ask what is so different about finance verses information that we suddenly give up our resolve to allow people freedom.

No-one talks about co-operative unmasking for Tor operators "just in case" we want to trace a crime committed over Tor that the community can agree on.