Web merchants routinely leak data about purchases. And that can make it straightforward to link individuals with their Bitcoin purchases, say cybersecurity researchers.
- by Emerging Technology from the arXiv
- August 23, 2018
An increasing number of online merchants now offer the capability to pay using the cryptocurrency Bitcoin. One of the great promises of this technology is anonymity: the transactions are recorded and made public, but they are linked only with an electronic address. So whatever you buy with your bitcoins, the purchase cannot be traced specifically to you.
This is handy for some, but the anonymity is by no means perfect. Security experts call it pseudonymous privacy, like writing books under a nom de plume. You can preserve your privacy as long as the pseudonym is not linked to you. But as soon as somebody makes the link to one of your anonymous books, the ruse is exposed. Your entire writing history under your pseudonym becomes public. Similarly, as soon as your personal details are linked to your Bitcoin address, your purchase history is exposed too.
That raises an important question for people hoping to use Bitcoin to make anonymous purchases: how easy is it to link them with their Bitcoin transactions?
Today we get an answer thanks to the work of Steven Goldfeder at Princeton University and a number of pals. These guys say the way information leaks during ordinary purchases makes it straightforward to link individuals with the Bitcoin transactions they make, even when purchasers use extra privacy protections, such as CoinJoin.
The main culprits are Web trackers and cookies: small pieces of code deliberately embedded into websites that send information to third parties about the way people use the page. Common Web trackers send information to Google, Facebook, and others to track page usage, purchase amounts, browsing habits, and so on. Some trackers even send personally identifiable information such as your name, address, and e-mail.
In this way, information about a transaction leaks onto the Web, where governments, law enforcement agencies, and malicious users can readily collect and analyze it.
The question that Goldfeder and co investigate is how easy it is to use this information to connect people to their Bitcoin transactions. This process requires the eavesdropper to know an individual's personally identifiable information (name and e-mail, for example) and then to link that with a specific Bitcoin address.
The team began by listing major merchants that permit Bitcoin transactions. They came up with 130 of them, including Microsoft, NewEgg, and Overstock.
They then studied how Web trackers leak information from each of these sites during the purchase process. "We find that at least 53/130 of merchants leak payment information to a total of at least 40 third parties, most frequently from shopping cart pages," say Goldfeder and co.
Most of this information leakage is intentional for the purposes of advertising and analytics. But the researchers say some additional information is also sent. "We find that many merchant websites have far more serious (and likely unintentional) information leaks that directly expose the exact transaction on the blockchain to dozens of trackers," they say.
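A merchant can check its own checkout flow for the two kinds of leak described above. The sketch below is an added example, not code from the article or the paper: it scans requests captured during checkout and flags third-party hosts that receive the cart total or a Bitcoin address. The function names, hosts, and address are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Shape-only match for Bitcoin addresses (legacy Base58 and bech32); no checksum check.
BTC_ADDR = re.compile(
    r"\b(?:bc1[ac-hj-np-z02-9]{11,71}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")

def site_of(host):
    # Assumption: last two labels identify the site; use a public-suffix list in practice.
    return ".".join(host.lower().split(".")[-2:])

def audit_checkout(merchant_host, requests, cart_total):
    """Flag third-party requests whose URL or body carries payment data.

    requests: (url, body) pairs captured while loading the cart and payment pages.
    cart_total: the amount string shown to the buyer, e.g. "149.99".
    """
    amount = re.compile(r"(?<![\d.])" + re.escape(cart_total) + r"(?!\d)")
    findings = []
    for url, body in requests:
        host = urlsplit(url).hostname or ""
        if site_of(host) == site_of(merchant_host):
            continue  # first-party traffic is out of scope here
        # Decode once so values nested in a referrer-style parameter are visible.
        payload = unquote(url) + "\n" + unquote(body)
        leaked = []
        if BTC_ADDR.search(payload):
            leaked.append("bitcoin_address")
        if amount.search(payload):
            leaked.append("cart_total")
        if leaked:
            findings.append((host, leaked))
    return findings

# Constructed capture; every host and the address below are made up.
ADDR = "1TestAddrForDocsXyXyXyXyXyXyXyXy"
SAMPLE = [
    ("https://shop.example/cart", ""),
    ("https://pay.shop.example/invoice?addr=" + ADDR, ""),
    ("https://analytics.tracker.example/collect?ev=cart&value=149.99&cur=USD", ""),
    ("https://cdn.ads.example/px?ref=https%3A%2F%2Fshop.example%2Fpay%3Faddr%3D"
     + ADDR + "%26amt%3D0.0231", ""),
    ("https://fonts.static.example/css?family=Roboto", "event=pageview"),
]

if __name__ == "__main__":
    for host, leaked in audit_checkout("shop.example", SAMPLE, "149.99"):
        print(host, "receives", ", ".join(leaked))
```

The address pattern matches on shape only, so a long tracking identifier can trigger a false positive; confirm each finding against the captured request before acting on it.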
That's bad news for people hoping to keep their Bitcoin purchases anonymous. But even when the exact transaction is kept hidden, it is still possible to make the link when the leak includes the amount and time of the purchase.
In that case, the eavesdropper needs to convert the purchase amount into Bitcoins using the exchange rate at the time and then search the blockchain for a transaction of that amount at that time. This exposes the Bitcoin address of the user. Any other purchases made using that address are then trivial to track down.
There are a couple of extra factors that make this process trickier. The Web tracker might leak the cost of the product but not include shipping, so the total Bitcoin purchase may not be clear.
There may also be a gap between the time the user viewed the page the information leaked from (the checkout cart, for example) and the time when the purchase was actually made. Bitcoin purchases are time-stamped, so it becomes harder to track them down if the time is not known accurately.
The purchase amount is usually given in a local currency such as dollars or pounds and then converted into Bitcoin at the instant of purchase. Because of the large variability in Bitcoin exchange rates, it can be hard to work out the exact Bitcoin value if the purchase time is not known accurately.
All these factors make it harder to link individuals to their Bitcoin transactions, but it is by no means unlikely. "We find that unique linkage is possible in over 60% of cases for realistic values of these parameters," the researchers say.
There are ways to further hide Bitcoin transactions. One of the most popular is CoinJoin, a service that links users who want to make similar payments and then permits them to pay together. This mixes their bitcoins, making it harder to identify them.
But Goldfeder and co point out that if an individual uses CoinJoin to make several purchases in this way, it is straightforward to link them back: "If the victim employs three rounds of CoinJoin and the adversary observes two of the victim's payments, he can link them back to her wallet (despite mixing) with 98% accuracy."
There are several ways buyers can protect themselves using tools such as Ghostery, AdBlock Plus, or uBlock Origin. These are useful but can sometimes miss trackers and at other times prevent purchases entirely. "Such defences can be fairly effective, but they are far from ideal," say Goldfeder and co.
All this will come as depressing news to people hoping to preserve their privacy online.
But it will also be music to the ears of law enforcement agencies hoping to track nefarious activities. "Like virtually all deanonymization attacks on cryptocurrencies, our techniques could be used to build forensic devices for law enforcement use," admit Goldfeder and co.
And like all deanonymization techniques, that will have advantages and disadvantages.
Ref: arxiv.org/abs/1708.04748 : When the Cookie Meets the Blockchain: Privacy Risks of Web Payments via Cryptocurrencies