Deanonymizing users
August 4, 2014  

Serious question: how is this research on Bitcoin deanonymization ethically different from the controversial research by CERT on Tor deanonymization?

From the paper:

To our knowledge, there has been no work that has attempted to relate Bitcoin addresses to specific IPs. The ability to create such mappings is important since there have been cases where individuals participating in P2P networks have been identified by law enforcement after their ISPs had been subpoenaed.

By analyzing 5 months of data we collected using our custom-built Bitcoin client, we were able to classify distinct transaction relay patterns and design heuristics for hypothesizing transaction ownership. We then demonstrated how Bitcoin address-to-IP mappings can be derived and evaluated using aggregate statistics from our transaction data.

The paper, by respectable researchers (one them is a former colleague who moved to academia), appeared in the Financial Cryptography and Data Security Conference. The program committee is full of well-known academic researchers. The paper shows how to determine some IP addresses of users who make Bitcoin transactions, and it does this by actively connecting to all listening peers on the Bitcoin network, continuously over 5 months. They gather 60GB of data per week, and as far as I can tell from their paper, they have not deleted the data. The IP addresses that they collect are explicitly not logged by the Bitcoin system; and it is clear that some Bitcoin users, whether foolishly or not, have some expectation of privacy.

This paper seems to have the ethical blessing of the academic security establishment. We don’t yet know the details of the CERT work, but I think in fairness it deserves to be judged by the same standard.