Schrodinger’s Cryptocurrency – Both Private and Not

Everyone knows that Bitcoin is an anonymous currency. Except when it isn’t. Bitcoin and other cryptocurrencies attempt to achieve the incompatible goals of providing strong accountability for transactions through blockchain and strong anonymity. If the government wanted to obtain information about a user’s bank account, it would simply subpoena the records from a bank under the Bank Secrecy Act and the powers of the grand jury and obtain the information they needed. Not so for Bitcoin, since there is no “central authority” from which to get records of transactions.

Cryptocurrency Under the Privacy Microscope

On June 30, 2020, the U.S. Court of Appeals for the Fifth Circuit ruled that federal agents could obtain information about Bitcoin and blockchain transactions from cryptocurrency exchanges such as Coinbase with a simple subpoena because users of cryptocurrency, which is specifically touted for its privacy and anonymity features, have no “reasonable expectation of privacy” in the transactions that occur on a public ledger system such as Bitcoin. It’s Schrodinger’s cryptocurrency: both anonymous and public at the same time.

The case arose out of an investigation of child pornography purchased from a website using Bitcoin. As the federal appeals court noted:

When a Bitcoin user transfers Bitcoin to another address, the sender transmits a transaction announcement on Bitcoin’s public network, known as a blockchain. The Bitcoin blockchain contains only the sender’s address, the receiver’s address, and the amount of Bitcoin transferred. The owners of the addresses are anonymous on the Bitcoin blockchain, but it is possible to discover the owner of a Bitcoin address by analyzing the blockchain. For example, when an organization creates multiple Bitcoin addresses, it will often combine its Bitcoin addresses into a separate, central Bitcoin address (i.e., a “cluster”). It is possible to identify a “cluster” of Bitcoin addresses held by one organization by analyzing the Bitcoin blockchain transaction history. Open source tools and private software products can be used to analyze a transaction.

Currency exchanges such as Coinbase maintain records of users who have transferred funds from or to these “clusters,” which can be identified from public records. In the course of the child porn investigation, the government issued a grand jury subpoena to Coinbase to try to identify the Bitcoin user associated with the cluster, and therefore with the child porn. The question for the federal court was whether the government could get those records from Coinbase with a simple subpoena or whether it needed a search warrant supported by probable cause. And to decide that, the court had to decide whether people have a reasonable expectation of privacy in these records.
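To make the clustering the court describes concrete, here is an added example (not from the article or the opinion) of the standard co-spending heuristic over a handful of constructed transactions: addresses spent together as inputs of one transaction are merged into a cluster, and the clusters that paid a known exchange address are the ones whose owner an exchange's customer records could identify. All addresses, transactions and the exchange label are constructed sample values.

```python
# Added example: common-input-ownership clustering of Bitcoin-style transactions.
# Assumption: every address spent as an input of the same transaction is
# controlled by one wallet, so co-spent inputs are merged with union-find.
# SAMPLE_TXS and KNOWN_EXCHANGE_ADDRESSES are constructed, not real data.
from collections import defaultdict

# Constructed transactions as (input addresses, output addresses).
SAMPLE_TXS = [
    (["A1", "A2"], ["B1"]),          # A1 and A2 spent together -> same owner
    (["A2", "A3"], ["B2"]),          # A3 joins the A cluster through A2
    (["C1"], ["A4"]),                # C1 pays A4; no input link is created
    (["A3", "A4"], ["EXCHANGE_1"]),  # the A cluster cashes out to an exchange
    (["D1", "D2"], ["C2"]),          # an unrelated two-address cluster
]
# Constructed label for an address known to belong to a custodial exchange.
KNOWN_EXCHANGE_ADDRESSES = {"EXCHANGE_1"}


class UnionFind:
    """Minimal disjoint-set structure keyed by address string."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs):
    """Return a list of frozensets, one per cluster of co-spent input addresses."""
    uf = UnionFind()
    for inputs, _ in txs:
        for addr in inputs:
            uf.union(inputs[0], addr)   # union with itself is a no-op
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return [frozenset(g) for g in groups.values()]


def clusters_sending_to(txs, clusters, targets):
    """Clusters that paid any target address (e.g. an exchange deposit address)."""
    owner = {addr: c for c in clusters for addr in c}
    return {owner[inputs[0]] for inputs, outputs in txs
            if any(o in targets for o in outputs)}
```

Running `clusters_sending_to(SAMPLE_TXS, cluster_addresses(SAMPLE_TXS), KNOWN_EXCHANGE_ADDRESSES)` yields the single cluster {A1, A2, A3, A4}: only the exchange's own records, not the ledger, connect it to a person, which is exactly what the subpoena was for.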

No Party Like a Third Party

As a general rule, you have a reasonable expectation of privacy in your own records, unless you have voluntarily exposed such records to the public. There’s a lot to unwind in that sentence, though. First, what are “your records”? Are your bank records “yours,” or are they the bank’s records of how you used the service? What about your phone records, hotel records, travel records, credit card records, library account, internet browsing history, GPS records and other records created by third parties and held by them? Are those “your” records for which you have a reasonable expectation of privacy and for which the government has to get a search warrant, or are they the records of the institution that either creates the records or stores them? If they are things such as your personal e-mails and chats (unless made public), they are yours, you have an expectation of privacy and a warrant is required.

The U.S. Supreme Court waded into this quagmire some years ago when it ruled in 1979 that no warrant was required to get telephone toll records since the caller knew that the phone company kept such records and that, by using a phone, they voluntarily exposed their calls to the phone company (these were the days even before caller ID). Besides, it noted, the phone book gave the user a warning (terms of service?) that such records were created. This was the so-called “third party” doctrine, whereby the government could get, by grand jury subpoena, things such as your accountants’ work papers, bank records or other “third party” records.

In 2018, the Supreme Court changed course in a case involving cell tower location records, holding that, even though the records of a cell phone’s location (based on which towers it was pinging) were records of a third party (the phone company), the user had a reasonable expectation of privacy in what these records revealed about them (their location everywhere, every time they had a phone) and therefore a search warrant rather than a subpoena was needed to obtain the records. The test was not ownership or possession but privacy.

So what about blockchain and bitcoin? Private or not?

Privacy in ‘Public’ Information

The Supreme Court’s holding that cell tower location records were “private” was unusual in that the underlying information—where someone is when they are traveling in public—is (or can be) publicly available. When you are driving around in the public, no warrant is needed to follow you around and track your movements, and while a warrant may be needed to attach a GPS device to your car, no warrant is needed to track you in public.

Blockchain and bitcoin transactions occur in public. The Fifth Circuit noted that “Bitcoin users are unlikely to expect that the information published on the Bitcoin blockchain will be kept private, thus undercutting their claim of a ‘legitimate expectation of privacy’” because it “is well known that each Bitcoin transaction is recorded in a publicly available blockchain.” The court finally concluded, “There is no intrusion into a constitutionally protected area because there is no constitutional privacy interest in the information on the blockchain” and therefore, it’s OK to monitor cryptocurrency and other such transactions with software and obtain transaction records without a warrant. Somewhat gratuitously, the court concluded also that, unlike ubiquitous cell phones, which are a staple of modern life (a necessity), cryptocurrencies are not “central to most people’s daily lives.”

The takeaway here is that transactions, communications, records or recordings that occur in a public arena, even if anonymous (or nearly so), may not be entitled to legal protection, because the public nature of the forum can defeat any expectation of privacy in the records—despite the fact that the transactions are encrypted, secured, obscured and anonymous. Or at least partly so. As Scott Fitzgerald noted, “The test of a first-rate intelligence is the ability to hold two opposed ideas in mind at the same time and still retain the ability to function.” So we need more first-rate intelligence.


Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities, including the University of Maryland, George Mason University, Georgetown University and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
