Hi Michael,
thanks for answering.
We have different views on the issues at hand. Esp. problematic is blacklisting. You stated you oppose blacklisting, but at the same time you want to help fight against criminals. To fight against criminals you need to have someone decide who is a criminal, so if the cryptolocker thief did a p2p trade and sold btc for litecoin, and the buyer of btc has his coinbase account blocked as a result of this, and even possibly had police coming to his door, busting it down and raiding all his equipment, that's so wrong..
If you have "criminal funds" sitting at address A, first off you need to have proof beyond any reasonable doubt that these are in fact "criminal funds". And whenever was it allowed for private entities to determine what constitutes "criminal funds"?
Now if you manage to solve the problem of precisely tagging "criminal funds", the next step is to go after the culprit. It might seem natural to then block the culprit's account with any large bitcoin company. So the large bitcoin company subscribes to a service like Chainalysis.
1. Victim pays ransom to cryptolocker criminal.
2. The address to which the ransom is paid (address A) becomes known to whichever party is doing the tracking.
Now the cryptolocker criminal, who we assume must be smart, knows that the address he receives funds at is already tagged, so he needs to hide and launder the funds. If the thief deposits the money directly to any service that subscribes to a monitoring service, he might be caught, and the criminal is caught. Success!!
However, our thief is smart. He buys litecoin online from Alice. Alice gives him her address B, which is an address with Coinbase. The thief transfers the funds to address B. Alice has her account blocked with Coinbase, and gets raided by local police.
The point is that the analysis entity, the exchange and the police cannot know what the circumstances of the trade are. Since the cyber criminals are smart, they don't mind putting the average Joe to blame.
The thief could use a mixer, jump between various altcoins etc. In summary, it would be incredibly hard to track. Chances are that the guy ending up being questioned for having "criminal funds" is not a criminal at all. That's the major problem with taint-analysis, and it's also something which could undermine the trust of bitcoin. A bitcoin should be a bitcoin, no matter who you receive it from.
Comparison could be made to cash. Let's say we have a Mexican drug cartel who smuggles drugs into the US, and receives cash from various dealers in the distribution chain. High up in the chain, some courier does a cocaine to cash trade. That cash is now by law, proceeds from illegal trade. As such, if a bank saw a shady character coming through the door and wanting to deposit 100K USD in cash, there would be questions.. However, if the criminal kept the cash, and went to a restaurant for a meal and paid with low denominated bills, the restaurant has no business to ask the criminal where his money comes from, and as far as they are concerned, the money is good.
In the world of block chain analysis, now the restaurant might be the criminal culprit and needs to be investigated. You see how wrong that is?
So let's say our cryptolocker thief had 100 BTC which he sells to 100 people doing p2p trades, now all of those 100 might have their account blocked at the exchange "pending investigation".
Of course, big players in the bitcoin economy who interface with the traditional fiat system need to pay attention to the regulations, if not business ends in tears. But it pisses lots of users off, and it's not a user friendly environment.
Those criminals who are smart with bad intentions, will avoid the obvious traps, only the dumb and the innocent will be caught with block chain analysis tools.
Final note - I agree that if you have a wish for using bitcoin in a super private / anonymous way it is a technological solution/skills you need, not policies. Sometimes you might want to stay anonymous, sometimes you don't - for sending anonymous transactions - use Tor, and, I would also recommend you to not post a bitcoin donate address on your site, that is unless you regenerate a new per session. (it is of little value to anonymize your transaction if the sending address can be linked to a site you control, just by googling it).
I agree with this. As long as said website-operator is aware of such issues, I don't see a problem with it. If he wants to stay anonymous/private he would take technical measures to achieve those goals. Also, there's a lot of legitimate businesses that would not care either way if a tip-address is known and can be attached to their business/person.
Of course there are many possibilities for doing block chain analysis, it's only that I think the quality of the data that can be collected is of such a quality that it cannot be relied upon.
So in real life we have the scenario where you have a business that wants to do "regulatory compliance" because of local laws. The local governments have certain rules that need to be followed. Since the bitcoin company needs to follow those rules to stay in business, they bend over backwards and do whatever the regulator tells them to do. So, if there's a blockchain analysis company that claims to do all the hard work to be "compliant", the bitcoin company is of course interested, because if they can show the local govt. that they're working hard to stay "compliant", they will get the nod of approval and stay in business.
The effectiveness of the system be damned..
So the regulators are happy, because the bitcoin business is staying "compliant", the blockchain analysis company is happy because they get customers, the bitcoin company is "happy" to stay in business and the end users are not that happy, but that's of less interest. After all, "regulatory compliance" is achieved.
How will false-positives be avoided? Can they be avoided?
This reminds me about airport security. Because of fear of terrorists enormous amounts of money are poured into safety and screening of travelers at airports. If you do some research on the amount of money used, and then look at the statistics as to what really kills people, you would perhaps be surprised to see that a disproportionate amount of money is used for airport security. Not long ago, I think it was in Germany there was a test of the screening procedures revealing that they weren't all that effective, in reality it was quite embarrassing.
Weapons and dangerous objects were successfully smuggled through security checks 50 percent of the time at Frankfurt airport, in a probe by European Commission inspectors, it emerged on Sunday.
Words such as snake oil and security theater come to mind.
While I'm sure lots of bitcoin businesses would subscribe to a blockchain analysis service, just to keep regulators happy, even though they know it's not very effective, that would not make the overall picture any better.
All of this reminds me of the HSBC scandal. It's not really about doing legit regulatory compliance work, it's more about giving the impression that you are. To stay in business, you need to keep a straight face in business meetings, and state you're taking compliance very seriously. You will get the nod of approval from the regulators.
To give everybody an example of how little protection regulation might really give in practice, I think the following documentary describes it quite well,
Chasing Madoff: A look at how one investigator spent ten years trying to expose Bernie Madoff's massive Ponzi scheme that scammed an estimated $18 billion from investors
The SEC and other relevant entities were repeatedly notified about the fraud, but failed to take action.
In summary I don't really understand how anyone actually believes that blockchain analysis services are really going to be effective and accurate. It's more like; "We need regulatory compliance." - "Ok, how do we do it" - "We could subscribe to a blockchain analysis service, the regulators will be happy" - "Ok, let's do it".
A friend once brought back some snake oil products from Asia, they had all sorts of stamps all over them stating they were legit and approved by various organizations. I guess, if I was a regulator, I would've ok'ed it - after all there were lots of nice stamps that said "legit" and "approved".
In summary, bitcoin businesses who want to be in compliance with the current regulatory framework, need to do whatever is required of them. That does not mean however that all the regulatory compliance is right from a universal standpoint, that it should be done, or that the tools used to achieve compliance are effective.
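
The false-positive scenario from the post above (100 BTC sold to 100 p2p buyers, plus the restaurant comparison), as an added example that is not part of the original post. It runs a naive "flag everything downstream of a tagged address" rule, which is an assumption about how a tracker might work and not a description of any real service, over a constructed transaction graph; all addresses, owners and amounts are made up.

```python
from collections import deque

# Constructed sample data: (sender, receiver, amount_btc). Not real addresses.
TRANSFERS = [("victim", "A", 100.0)]
# The thief sells 1 BTC to each of 100 p2p buyers (exchange deposit addresses).
TRANSFERS += [("A", f"buyer{i:03d}", 1.0) for i in range(100)]
# Two buyers later spend at a merchant (the "restaurant" in the cash comparison).
TRANSFERS += [("buyer000", "restaurant", 0.2), ("buyer001", "restaurant", 0.1)]

# Ground truth the analyst does NOT have: who controls each address.
OWNER = {"A": "thief"}  # every other address belongs to an uninvolved party


def poison_taint(transfers, tagged, max_hops):
    """Flag every address reachable from a tagged address within max_hops."""
    outgoing = {}
    for src, dst, _amount in transfers:
        outgoing.setdefault(src, []).append(dst)
    hops = {addr: 0 for addr in tagged}
    queue = deque(tagged)
    while queue:
        addr = queue.popleft()
        if hops[addr] == max_hops:
            continue  # do not follow funds past the hop limit
        for nxt in outgoing.get(addr, []):
            if nxt not in hops:
                hops[nxt] = hops[addr] + 1
                queue.append(nxt)
    return hops


def report(max_hops, culprit="thief"):
    """Return (flagged, innocent_flagged, precision) for a given hop limit."""
    flagged = poison_taint(TRANSFERS, {"A"}, max_hops)
    innocent = [a for a in flagged if OWNER.get(a) != culprit]
    precision = (len(flagged) - len(innocent)) / len(flagged)
    return len(flagged), len(innocent), precision


if __name__ == "__main__":
    for limit in (0, 1, 2):
        n, bad, p = report(limit)
        print(f"hops<={limit}: flagged={n} innocent={bad} precision={p:.3f}")
```

Following the funds even one hop past the tagged address flags 100 uninvolved addresses for one culprit address, and a second hop pulls in the merchant as well.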