Topic: Bitcoin Privacy - How easy it is for someone to find all your wallets addresses (Read 466 times)

Because exchanges don't care. They care only about their profits, and not at all about their customers.

Take Coinbase as an example. At the end of last year they upgraded their cold storage system. They spent millions on research, development, and implementation. They spent months doing practice runs of moving all their coins from the old to the new wallets. It was a huge undertaking, and most valuable mass movement of bitcoin ever.

Where is the millions spent on securing their KYC database? Where are the months of practicing to make sure that database is secure before it is used? Nowhere. In fact, a few months after this cold storage upgrade and it emerges they are willingly selling clients' data to third parties.

Add in unannounced and surprise KYC, accounts being locked for weeks or months on end, terrible customer service, etc., (not just on Coinbase but across most exchanges) and it's pretty clear exchanges don't care about you. They only care about your money.

In Germany we still have some "less invasive" requirements to open a normal bank account (without online banking). It's possible to go to a local bank store, ask for a bank account and your identity will be verified there, by showing them only your government ID. Of course they'll note your name, address and ID number to link it to your account but when I see which crazy requirements users have to deliever on crypto exchanges, maybe even after funds are already locked, thats insane. So, the procedure here is much better.* AFAIK, there is no need to upload documents if you register locally.
For everything else I'm using cash, Germany is one of the few countries where cash is still very valued in public even if some people are pushing negative and misleading claims against it very hard.

*I know, this procedure is still not perfect since the database of the bank can be hacked, a better model would be where the name of the account owner isn't directly linked but is stored offline in the (offline) archives of the bank and if there's any violation by the bank account the name of the account owner can be checked in case if there's a suspicion manually. Everything stored offline. That would work finde to prevent money laundering / terrorism financing while securing the privacy of normal users...I've still the hope that people will realize how important privacy is and start to claim it (again).  


I'm always wondering why consumer protection doesn't play any role in the KYC discussion. There's only much talk about how to prevent terrorism, how to prevent money laundering and how to push stricter KYC. It's nothing about consumer protection when we are put at risk of identity theft by enforced KYC everywhere. And even if we don't handle much money we are forced to do KYC if we want to convert fiat to crypto / crypto to fiat or if our exchange has already frozen our funds because of some random reasons.  

The whole problem is digitalizing user data and sending it away where we don't know how it's handled. Is it sold to 3rd parties? Will it be hacked? Who will gain access? I've no doubt that digitalized data handled on centralized services will be hacked somewhere in the future and that's why I've also a strong aversion against using any fingerprint / retina scan verification (besides KYC  ). If that's hacked we can't get it back (never!) because it's an unique data set. Hackers can do a lot of damage when they gain access to such biometric data.
Users are exposed to huge risks with submitting digital data like for KYC and I'm missing the consumer protection part totally in this debate. The KYC discussion has gotten way to unbalanced and it seems it's going further away from any customer perspective.

We don't have much choice here I guess but personally I'm boycotting as much as possible all services where invasive KYC is required. The purchase of physical gold with cash in Germany was lowered to 2000€ (2200$) per day recently and some crypto services require much lower levels already when KYC is enforced...

Yeah, I'd use Bisq, and probably be looking for cash, although I might accept some form of money transfer if I was desperate for fiat in a hurry. Bisq uses security deposits and multi-sig escrow. My bitcoin would not be released to the buyer until I confirmed I was paid. I would feel happier doing that than I would do using a centralized exchange and wondering if they were going to freeze my account, demand to know the source of my bitcoin, and ask ridiculously invasive KYC questions.

Each to their own. I trust exchanges as far as I could hypothetically throw them.

Coinbase have already admitted selling customers' data to third parties without their knowledge or consent. Binance were hacked for thousands of users' worth of KYC documents. There have been plenty of other leaks and hacks we know about. Think about how many we don't know about.

Unfortunately, yes. I have a job which pays in fiat, and I still require fiat to pay for most of my bills and living expenses. However, that doesn't mean I should just give up all hope of privacy and send my KYC documents to anyone who wants them.

Maybe for very small volumes, but you need to consider security as well. Depending on how much you are invested, it is very risky and uncomfortable to use those services you mentioned.

For example, if you want to sell 3 BTC. That's like 30k USD now. Would you do it in this forum? In a service like BISQ?

You cannot do it in small quantities like 300 USD each time, it would take 100 txs.

Personally, I trust much more in an environment like Coinbase or Bitstamp or Binance. Don't you think?

I really doubt those exchanges are not going to sell your documents to scammers around the world.
Don't you use exchanges for traditional investments, like Interactive Brokers (IB)? Don't you have a bank account somewhere, where you did KYC? They need your documents as well. Are you affraid they are going to sell it online?

Using IB or Coinbase is like the same to me. Coinbase is heavily regulated already, as far as I know.

Thanks for that info. It's been a while since I used LBC, and wasn't aware of their new KYC regulations. Another exchange to avoid, then. What a shame.

It is possible to link multiple inputs in the same transaction together, though. If you know I own address A, and you see a transaction with both address A and address B sending coins to address C, you can reasonably assume I own address B (as well as address D, the change address, if you can tell which output is change). You can then look at address B, and similarly link it to some other addresses. Rinse and repeat.

It doesnt mean what you think it does. Inputs/outputs is how bitcoin works but it doesnt mean user X spend it.
Privacy is needed for Bitcoin as one of most important addition that should be worked on. It is. When it will be ready nobody knows.

Unfortunately, LocalBitcoins is no longer the good example for such mention. They actively cooperate with the finnish authorities and applied the KYC/AML by introducing a mandatory KYC starting from 1k euro per year. And the fact that they store funds at their addresses makes them somewhat closer to centralized exchanges.

https://localbitcoins.com/blog/id-verification-update/

I totally that we should avoid an exchange site or whatever site that is if it needs you to complete a KYC, since it needs us to submit our personal information and the wallet address will be linked to our information. Right?. It's what I can think of making yourself use centralized exchange which needs KYC for us to complete.

As far as I am concerned, if you care about your privacy, then avoid KYC demanding exchanges altogether.

If you complete KYC, you have no idea how many people at that exchange have access to the information linking your real name to your deposit and withdrawal addresses. You also have no idea which third parties or governments the exchange is either selling or passing on your details to, and how many people at each of those have access to this information. If you mix coins before depositing or after withdrawing, some exchanges may freeze your account due to unspecified "suspicious activity" until you complete even more invasive KYC.

With the ongoing growth of exchanges like LocalBitcoin, Paxful, and BISQ, as well as a large peer-to-peer marketplace on this forum and others, there isn't really an absolute need to use a centralized exchange. Sure, it might be easier and quicker, but it's very rare that using one is your only option.

That's not true, linking someone's addresses is a step on the path of finding someone's identity, as each address has a chance of being tied to identity. Even in your example people link their social media accounts when they do bounties, and often this information is public on spreadsheet, so you can quite simply find someone's real name just by looking at their wallet in this case. And if we are talking about governments, they can easily do this to with exchanges, as exchanges know about your bank card, and bank card has your name on it.

Walletexplorers won't help other people identify your personal identity but it will only help you connect all the addresses being used in one wallet, that is why this has been a big tool for alt account hunters linking bounty abusers in the forum. It may link members here and their alt accounts but it can't show you anything about the identity of the owner of that wallet. As long as you don't use your address publicly or is not tied up to you in anyway on any KYC process then the addresses you are using will remain anonymous and can't be linked to you.

The problem here is not that exchange knows it, but that third parties can easily use it to break someone's privacy. If a user has wallet A and wallet B, and uses them both to deposit to a service with static deposit address, then it's not hard to link wallets A and B. I've browsed wallet explorer and it's really easy to spot wallets of services - if a wallet has huge amount of addresses and transactions, big volumes and holds/used to hold a lot of BTC's - then it's a service. And if different addresses send coins to the same address of a service, chances are they belong to the same person. Although if someone uses their exchange as a wallet, then other entities will by falsely linked with this analysis.

It's not about security, it's just that generating new addresses requires some extra coding and maybe extra work for support when people send coins to old addresses, so they don't see reasons to do it, because so far it worked well for them - users almost never complain about it, because they don't care about their privacy. I think it just shows that an average exchange users doesn't care much about Bitcoin's ideals, they just want to make money (and that's okay).

There's a difference between the NSA and general ISP or government mass surveillance, being "doxxed", being targeted by scammers, and so forth. If the NSA wanted to track you down, there is probably very little you could do to stop them. That doesn't mean you should just give up all your privacy and let anyone who wants to spy on you and your activities.

Sure. I meant simply that it's not like that for every new user that joins there is a person sitting at the other end generating a new deposit address and manually entering it in to the exchange's database. Every new user can just hit the button that says "Generate a deposit address", and the system will create one for them automatically. There is no good reason to not allow existing users to generate a fresh deposit address.

Wallet addresses are not generated automatically upon joining, most of the time the users need to click a "generate address" button.
Kraken is the only exchange I've been using that lets you generate a new address, I've never see another one.
If most exchanges don't provide it, I suppose it's a matter of infrastructure convenience (or security)

it has always been.

One more great quote from Snowden:

Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.
https://en.wikiquote.org/wiki/Edward_Snowden

We can conclude that privacy is a very challenging task today, and that most internet users including ones that use cryptocurrency do not have the knowledge and skills to remain anonymous. Even if we try to use VPN, Tor, mixers, coin control or any other way to ensure privacy, three-letter agencies are very likely a step or two ahead of us.

Snowden shows that NSA is working on tracking Bitcoin users at least from 2013 by using different spy tools (Xkeyscore. MAC addresses. OAKSTAR. MONKEYROCKET), and it is not difficult to imagine what they have accomplished to this day.

At Bitcoin conference Snowden is say : “The lack of privacy is an existential threat to bitcoin. Is the only protection users have from political change,”, but also: “If you know how the system works, you can still have privacy,”

That's pretty poor customer service really. Considering all these services are set up to automatically generate a new deposit address for each new customer who signs up, it is trivial for them to offer the ability to customers to generate a new deposit address for themselves. I suppose if you are willing to share your KYC documents freely across the internet then you aren't the most privacy conscious person, but not reusing addresses is a pretty basic bitcoin practice.

Agreed. I have never and will never complete KYC at an exchange, but I'd be much more likely to use an exchange for trading bitcoin to the few alts I'm interested in if they gave me the option of generating new addresses.

Still, obviously none of this matters if someone at the exchange themselves wants to track your addresses, since they will still be able to see all your different deposit addresses. High quality and high volume DEXs can't come soon enough.

I think CryptoBridge exchange is still offering that option to generate new address every 15 minutes.

Would be nice if we can have a list of exchanges that have this option of generating new addresses.

From my experience of using exchanges and other services, the ability to generate new addresses is very rare, so it's indeed quite bad. You'd need to mix only the amount you want to deposit and send it all to an exchange, because any change output can later link your wallet(s) together. And it's not only about exchanges, casinos and other services that have deposits suffer from it too.