Anonymity

[theymos]

The current BitCoin implementation is certainly better than using a credit card, but I wouldn't use it in environments requiring strong anonymity without a lot of changes.

The history of a coin is publicly available. Anyone can see the flow of BitCoins from address to address.



This becomes a problem when certain points in the "transaction chain" become known to the attacker. In the image below, the attacker controls both the source of Mr. Doe's BitCoins and the destination. Since Doe bought his coins using non-anonymous methods, he is easily identified. His identity is tied to an address in the transaction chain.



A more likely scenario is for your BitCoin balance to come from transactions made over insecure channels (email, this forum, etc.). If you're particularly careless, the destination can just Google all of the addresses in the transaction chain. Maybe he'll find that one of them is in your forum signature here.

I've thought of two ways to make this harder. The first is to randomly send your coins to new addresses that you've generated just for this purpose. The coins are still part of your balance, but it's impossible for an outsider to prove that you sent the coins to yourself instead of a real person. However, the transaction chain still has your identity in it. In a real investigation, you would be targeted for close examination because you either know (directly or indirectly) the real person who is under investigation, or you are that person.



The second way is for an external service to take the coins of many different people, mix them up, and send similar amounts back to those peoples' addresses. If the mixer keeps no logs of who gets which coins, any investigation must stop here.



For maximum security, BitCoin should have the capability to automatically send coins through several external mixers. Assuming at least one of them doesn't keep logs (and all of them actually return your coins), this should keep you completely safe.

There's a problem with safely coordinating all of this. You want all of your coins to be mixed at least once, but keeping track of this in a database will ruin your plausible deniability. Probably you'd have to initially keep track, but then delete the database after all the coins have been made safe.

Unrelated to the chain issues above, BitCoin is vulnerable to network analysis. If an attacker can watch all of your incoming and outgoing traffic, he can easily see which transactions are yours. If the connection is unencrypted (as it is now), he can see when you broadcast a transaction that you didn't receive.

Even when encrypted (through Tor or a built-in mechanism), it's not impossible for an attacker to see which transactions are yours if he can see both ends of one of your connections to the BitCoin network.

Your transactions can be identified through Tor like this:
1. The attacker fills the BitCoin network with IP addresses that he controls.
2. When one of these "evil nodes" receives a packet, the attacker sees if it was received close to the time when he saw you send a packet. If this happens a few times, the attacker knows who you are and can see your transmissions to the network.
3. When you send a transaction, the attacker knows it's yours if you send it without receiving a packet in a while.

To fix this, BitCoin should implement encryption, padding (to prevent any size-based identification), dummy packets, and randomization in sending times. Some plausible deniability could also be added if BitCoin could export and import transactions to/from a file (importing would broadcast the transaction to the network, while exporting would not). Then you could transmit this file in other ways (a flash drive, for example).

I also see two structural problems not related to anonymity:
- If the network is segmented at the network layer (because the PoTUS executed his "Internet kill switch", for example), the block chain will be forked. This would be really bad.
- It's very easy for an attacker with lots of IP addresses to fill the network with cancer nodes. I'm not sure how badly BitCoin could be affected by this.

[Gavin Andresen]

Whatever mechanism is chosen, it had better not significantly slow down the network or client unless strong anonymity is required/requested.

I've tried I2P and Tor, and, for me, super-strong privacy isn't worth the performance cost.

Also, regarding forking the block chain by a network split:

It's only "really bad" if I can get away with double-spending some coins before the network merges again.
If I'm buying valuable stuff, then the merchants will likely require 6 confirmations before releasing the goods, so I'd have to be able to keep the network split for an hour or more.

Merchants will likely have very-well-connected, long-running nodes.  For example, the Bitcoin Faucet has 66 connections right now.  If I wanted to try to implement a "fork the block chain attack" I'd have to somehow manage to insert my "cancer nodes" in between two merchants that I want to rip off (I'll end up ripping off one of the two, because eventually one of the two double-spend transactions will "win").

I don't know enough about network analysis to figure out how many cancer nodes you'd need to have a significant chance of getting in between two merchants with 60+ connections in a network of (say) 1,000 non-cancerous nodes, but I bet it is a very large number.

[theymos]

Everything I mentioned could be user-configurable, and most of it wouldn't slow down actual transactions. Even if you had all of these security features disabled, just having them implemented would give you plausible deniability in certain cases.

Block generation would be slowed in the case of a network split, so executing a double-spend would be even more difficult. I was thinking more of a problem like the Cogent-Level3 peering dispute, where there is no path between two ISPs for a long while. In this case, lots of transactions would be lost when the network is recombined and one of the chain's branches is discarded.

[Gavin Andresen]

Would the transactions on the other block chain be lost?

I thought they'd just be re-integrated into the new-best-chain (if they were valid), just starting with '1 confirmation' again...

[theymos]

I don't know how this is currently handled. It might already be fixed. I haven't looked at the source.

[llama]

Anonymity is not a feature that most users need.

[NewLibertyStandard]

*Strong

Anonymity is not a feature that most users need.

[llama]

*Strong

Anonymity is not a feature that most users need.

That's my Steve Jobsian statement of the day

I'm not saying that it's not something worth working on, but we shouldn't prioritize anonymity features ahead of basic functionality, ease-of-use, and driving adoption.  There can always be a special implementation (maybe a separate client even) down the road that takes care of all of the features for ensuring anonymity.   As Gavin implied, many anonymity features would come at cost to users who don't need them.

[Bitcoiner]

I don't know, I personally find it rather disconcerting if users in the chain can be identified. For example, it wouldn't be enough for me to simply get bitcoins at an exchange, send them to a random address, and then use them from that point on. Your identity would still be linked. However, given the public nature of the transactions, I'm not sure if there is any way around this.

I agree with you though, the software needs to be usable with a well-designed UI, and it needs to be robust. Bitcoin needs a full security audit to see how robust it is to different kinds of attacks, and what is compromised.

*Strong

Anonymity is not a feature that most users need.

That's my Steve Jobsian statement of the day

I'm not saying that it's not something worth working on, but we shouldn't prioritize anonymity features ahead of basic functionality, ease-of-use, and driving adoption.  There can always be a special implementation (maybe a separate client even) down the road that takes care of all of the features for ensuring anonymity.   As Gavin implied, many anonymity features would come at cost to users who don't need them.

[Gavin Andresen]

I don't know, I personally find it rather disconcerting if users in the chain can be identified. For example, it wouldn't be enough for me to simply get bitcoins at an exchange, send them to a random address, and then use them from that point on. Your identity would still be linked. However, given the public nature of the transactions, I'm not sure if there is any way around this.

I'm sure somebody somewhere would/will be happy to sell you bitcoins anonymously; just put cash and a bitcoin receiving address in an envelope and mail it.  The exchange (who you'd have to trust to actually send you the coins) takes the cash and send coins to the address.  They have no idea who you are, and your identity isn't linked to the coins.

Well, it isn't linked to the coins until you forget to turn on TOR or I2P before spending coins on something illegal.  Or you remain completely and utterly anonymous right up until you spend coins on something physical and have it shipped to your home address.  Or you arrange to have contraband "dead dropped" somewhere, and you get arrested when you go to pick it up.

None of which have anything to do with Bitcoins, and all of which seem to me to be more likely ways of getting into trouble than somebody managing to figure out that "transaction for purchase of illegal stuff" is linked to "Gavin purchased a bunch of Bitcoins from Bobby's Discount Bitcoin Emporium" last year.

[NewLibertyStandard]

+1 to Previous Post by gavinandresen

Because Bitcoin transactions are not forced through the regulated banking system, bitcoins can range from being not at all anonymous if I announce my transactions on twitter, to being completely anonymous so long as I purchase anonymously, obfuscate ownership by transferring to one or more intermediary addresses and then spend them anonymously. There's nothing wrong with adding that obfuscation optionally, but it's overkill to apply it to all transactions because not everyone needs that level of anonymity and no matter how anonymous you make it, it's never going to be anonymous to the folks who voluntarily reveal their identity.

[Anonymous]

90% of money has cocaine on it.

[Timo Y]

Real life example

1) I set up a fresh Bitcoin address/Bitcoin Client in a VPS hosted in Panama, connected via Tor.

2) I purchase a 100 EUR paysafecard code at some newsagent in a big, densely populated city. I pay cash, and make sure the newsagent is 2 km away from my home.

3) I advertise the sale of the paysafecard code on this forum, via Tor and a free public wifi hotspot,  using a fresh username.

4) A buyer shows up. I send him my bitcoin address and the paysafecard code from a freshly set up webmail address, again via Tor and a free public wifi hotspot.



Using above precautions, it will be very difficult to link my physical identity to my bitcoin address. Not impossible, but difficult enough for my purposes.

[llama]

Not bad.

As far as anonymous internet connections go, prepaid phones aren't a bad choice either.  They're cheap, nearly impossible to tie to the user, and can be destroyed when finished.  Again, they can be bought in densely crowded shopping malls or walmarts.

Dont forget to use an anonymous method to pay for the VPS foreverdamaged.  Perhaps a prepaid credit card also bought from a crowded location would do the trick.

By the way, I like to imagine that this user is in China and is trying to buy a book about freedom

[satoshi]

It's hard to imagine the Internet getting segmented airtight.  It would have to be a country deliberately and totally cutting itself off from the rest of the world.

Any node with access to both sides would automatically flow the block chain over, such as someone getting around the blockade with a dial-up modem or sat-phone.  It would only take one node to do it.  Anyone who wants to keep doing business would be motivated.

If the network is segmented and then recombines, any transactions in the shorter fork that were not also in the longer fork are released into the transaction pool again and are eligible to get into future blocks.  Their number of confirmations would start over.

If anyone took advantage of the segmentation to double-spend, such that there are different spends of the same money on each side, then the double-spends in the shorter fork lose out and go to 0/unconfirmed and stay that way.

It wouldn't be easy to take advantage of the segmentation to double-spend.  If it's impossible to communicate from one side to the other, how are you going to put a spend on each side?  If there is a way, then probably someone else is also using it to flow the block chain over.

You would usually know whether you're in the smaller segment.  For example, if your country cuts itself off from the rest of the world, the rest of the world is the larger segment.  If you're in the smaller segment, you should assume nothing is confirmed.

[throughput]

It's hard to imagine the Internet getting segmented airtight.  It would have to be a country deliberately and totally cutting itself off from the rest of the world.

Any node with access to both sides would automatically flow the block chain over, such as someone getting around the blockade with a dial-up modem or sat-phone.  It would only take one node to do it.  Anyone who wants to keep doing business would be motivated.

If the network is segmented and then recombines, any transactions in the shorter fork that were not also in the longer fork are released into the transaction pool again and are eligible to get into future blocks.  Their number of confirmations would start over.

It is easy to imagine some bug in implementation, that may be triggered by some invalid specially crafted network message,
let it cause bitcoin client to hang, but only after retransmission of the same message to peers and after damaging the blockchain
database on disk.

If there will be only one implementation with the same bugs shared among versions and platforms, then the entire network will lose blockchain and when the majority will eventually recover, every separate node will reconnect to some existing majority with it's own notion of history. If that event happens as a coordinated attack, then we may get very different history.
How can that affect previous transactions?
BTW, is there a blockchain backups?

PS: Let's not discuss how impossible it is to exploit software vulnerabilities so precisely. That is an art with it's own secrets and surprises. And no, I cannot do that right now to prove it is possible.

[nimnul]

Anonymity is not a feature that most users need.

Well, we need a poll. For me, anonymity is the only feature I need

[Tritonio]

I bet anonymity is a must for many users. We definitely need a poll.
What happens if i send all my money to one of my unused addresses? I guess that coins from all other addresses are gathered in one and no one is able to tell if I sent them to myself. Right? As the OP (I think) said, I will be still in the "suspect" list but nevetheless it offers some deniability.

BTW when you send money to yourself the transaction log doesn't even list which the receiving account is... 

[lfm]

Block generation would be slowed in the case of a network split, so executing a double-spend would be even more difficult. I was thinking more of a problem like the Cogent-Level3 peering dispute, where there is no path between two ISPs for a long while. In this case, lots of transactions would be lost when the network is recombined and one of the chain's branches is discarded.

I don't think that "peering dispute" would have bothered Bitcoin networking really. Only direct connections between the two "warring" factions were cut. Indirect connections through one or more nodes not in either of the disputed territories could still link to both sides. (Both sides kept their connections to Google and Microsoft and so on.)

[theymos]

I bet anonymity is a must for many users. We definitely need a poll.
What happens if i send all my money to one of my unused addresses? I guess that coins from all other addresses are gathered in one and no one is able to tell if I sent them to myself. Right? As the OP (I think) said, I will be still in the "suspect" list but nevetheless it offers some deniability.

BTW when you send money to yourself the transaction log doesn't even list which the receiving account is... 

Don't send coins from one address to a different one on the same computer. This actually reduces your anonymity because it combines several different coins (some of which, such as generations, might be pretty anonymous). It's also obvious what you're doing because Bitcoin makes a special transaction when you send coins to yourself: it includes the full public key for the destination instead of the hashed public key used in normal transactions.

Right now, the best way to make your balance anonymous is to use MyBitcoin through Tor. MyBitcoin (presumably) pools all of its customers' balances, so it acts a bit like one of the external mixing services I described in the OP. However, unless they modified Bitcoin, they keep logs of every transaction, so they could identify you if they had to. It's like using a web proxy that keeps logs.

If I really wanted to make an anonymous transaction, this is what I would do:
- Send entire transaction amount to a new MyBitcoin account as a lump sum.
- Set up a brand new (empty) Bitcoin installation using Tor.
- Every day, withdraw 5% of the transaction amount to the new installation. Bonus points: add some randomization to the amount of Bitcoins you withdraw and the time between doing it.
- Finally, send the transaction from the new installation

I doubt you'll ever be traced after doing this unless you're doing something really illegal. If you want more anonymity, you can:
- Send fewer coins from MyBitcoin to your new installation over a longer period of time.
- Also add Vekja (another service like MyBitcoin). This is like chaining encrypted proxies: both will need to be compromised for you to be identified.

MyBitcoin and Vekja don't act like "true" external mixing services because they don't try to mix balances. If you're transferring a lot of money in this way, you're likely to get back most of your own coins, which would greatly reduce your anonymity.