
Topic: Decentralised crime fighting using private set intersection protocols - page 2. (Read 33406 times)

member
Activity: 62
Merit: 10
I have no problem with people using taint analysis techniques on the blockchain to investigate. I do have a problem with taint-marked coins being in any way less spendable than unmarked. I think encouraging people to check public taint-lists before accepting payment is bad for the network. It is in effect guilty-until-proven-innocent.

Nonetheless I remain skeptical of taint analysis until we have seen it in practice. I would like to see someone set up a taint test service which allows one to mark an output as tainted and compare what various taint calculating algorithms say about subsequent outputs. This would allow people to test out exploits and use cases to see if such analysis is worthwhile or not. I know Blockchain.info has a taint analysis tool but it's address-based and I'm not sure how it's calculated.
member
Activity: 67
Merit: 11
Compact taint:
 - Thief creates Tx with 51% of coins to random address and 50% back to him at new address.
 - He now has 50% of the stolen coins taint free

If you have 1 tainted BTC and split it into 0.49 BTC and 0.51 BTC, then both these outputs will be considered tainted, and not just the bigger one. But I did not mention that.

Now, we can still use the concept of taint without burdening users. That is, law enforcement can analyze the blockchain after the theft in the same way taint is calculated, but users/services don't have to implement taint avoiding rules. The downside is of course eliminating the possibility of preventing the thief from spending coins in certain ways.

If taint becomes prominent, there will basically be a short window of opportunity for thieves not using the aforementioned exploits or other obfuscation methods. If the time between the theft and the marking as tainted is longer than an hour, then the thief can successfully send someone a 6-confirmation Tx without them knowing the coins will soon be marked. Anonymous P2P cryptocurrency exchanges could be a major victim of this.

Taint should always be looked at with reason. If you steal a car and then sell it to someone before the car got reported as stolen, the police won't punish the buyer either. Of course, they will question him to find out how he got the car, but as long as he can make plausible that he is innocent, he won't get into trouble.

Generally, I think a lot of the "reasons" people bring forward here against taint are only valid when thinking in absolutes. But the reality is more differentiated. Sherlock Holmes combines a multitude of hints to catch the criminal. Taint analysis can provide leads, but it cannot automagically bring justice.
member
Activity: 62
Merit: 10
Hermel thanks for the reply. I have some concerns with the methods you described:

Full taint:
 - Thief cycles stolen coins through mixer and/or e-wallet before tainting services mark the output(s). Now many people have tainted coins.
 - Thief sends small Tx with fee every block for a while, tainting the Coinbase. Mining pools would distribute tainted coins to participants.

Diluted taint:
 - Assume 0.1% acceptable taint level
 - Thief makes 1000 even bets with SatoshiDice 0.09% which pays out 999.429x the bet
 - At the end, he has 98.1% of original value on average with less than 0.1% taint to all his coins, because SD pays winnings from different coins.
 - Mixers/e-wallets could also dilute the taint enough

Compact taint:
 - Thief creates Tx with 51% of coins to random address and 50% back to him at new address.
 - He now has 50% of the stolen coins taint free

There are ways to mitigate these exploits, but they require compliance from services. For example, force e-wallets to broadcast a Tx for internal transactions and put coin control methods in place that don't mix one account's coins with another. Most major services would have to run blacklists so they could ignore tainted coins sent to them. Basically, non-fungibility requires changes to much of the way bitcoin services currently operate.

Now, we can still use the concept of taint without burdening users. That is, law enforcement can analyze the blockchain after the theft in the same way taint is calculated, but users/services don't have to implement taint avoiding rules. The downside is of course eliminating the possibility of preventing the thief from spending coins in certain ways.

If taint becomes prominent, there will basically be a short window of opportunity for thieves not using the aforementioned exploits or other obfuscation methods. If the time between the theft and the marking as tainted is longer than an hour, then the thief can successfully send someone a 6-confirmation Tx without them knowing the coins will soon be marked. Anonymous P2P cryptocurrency exchanges could be a major victim of this.
newbie
Activity: 42
Merit: 0
Tainted money schemes are completely, idiotically misguided.

This particular idea is an attempt to find the "fairest" way to oppress people. This is totally stupid.

If you use your mind for 5 minutes and follow any tainted money scheme, no matter how "decentralized" or "fair" you think it is, down every path it could possibly take, you will always end up in a place of oppression and control.

Public consensus on any issue, including what dirty money is, is heavily manipulated. Just watch the "news".

When you have a media cartel like we have, public consensus is what they tell you public consensus is, not what it really is. Actual events are what they tell you actual events are, not what they really are. Things the media cartel omits, didn't happen, even though they really did. Issues whose importance is artificially inflated aren't really very important compared to issues that are not reported.

This is the unavoidable, indisputable reality in an environment where the mainstream media outlets are a non-competitive cartel, which is the environment most people trust to get their information from this very day.

Are we going to use misinformation and propaganda to taint people's money?

Furthermore, any other system you can think of to label money as dirty will be manipulated. It already is.
member
Activity: 67
Merit: 11
Can someone explain to me how taint would be calculated?

Say we have three inputs:
Code:
In1 - 1 BTC
In2 - 1 BTC from output marked as tainted
In3 - 2 BTC

And three outputs:

Code:
Out1 - 2 BTC
Out2 - 1.5 BTC

Tx fee (leftover): 0.5 BTC

So we now have three new outputs, Out1, Out2, and Coinbase of the block which contains the Tx and thus gets the Tx fee.

What is the "taint level" of each output? I haven't seen a demonstration of a way to calculate it that isn't easily exploitable.


Excellent question. I don't think there is one single "right" answer that always works. Depending on the severity of the crime, the size of the transaction, the time passed since the crime, and many other factors people will apply different methods. One might even try to follow the transaction fee, as someone might use that to launder his Bitcoins by issuing a transaction whose fee is 100% and mining the block himself.

Here are a number of approaches:

Full taint: every output of a transaction involving tainted coins gets fully tainted as well. One might even want to taint the transaction fee the miner gets from the theft-transaction. This is the most radical approach and only makes sense when trying to track down a once-in-a-decade scale crime. Applied to your example, all outputs as well as the transaction fee would be considered tainted.

Diluted taint: works like dirty water. You start with 100% dirty coins and dilute them as they get combined with clean coins. In your example, the transaction's outputs would be 25% dirty, including the transaction fee. Combined with the other say 99 BTC mined in that block, the miner would get 1% dirty coins. Note that in this case it is reasonable to have a closer look at the miner since a 0.5 BTC transaction fee is somewhat suspicious. If the acceptable dirtiness of a coin is 0.1%, then it takes 999 clean BTC to launder 1 dirty BTC.

Compact taint: here, we try to keep the tainted coins together by applying some more or less random rules to artificially separate the tainted coins from the rest. In your example, one could say that Out2 will take the tainted coin (consisting of 1 dirty and 0.5 clean BTC). The rule behind this is that the tainted coins are always assigned to the output such that dilution is (locally) minimized. So normally, it would go to the smallest output that is at least as large as the amount of tainted coins. You might be bothered by this rule being somewhat unpredictable and random. However, the goal here is not to have a philosophically pure solution, but to find a pragmatist rule to say who is responsible to clean the mess. In your example, it would give the recipient of the 1.5 BTC the responsibility to get the Bitcoins into a clean state again (e.g. by helping to track down the thief). It might not be entirely fair, but effective. It's a little like the rule "the last one leaving the building locks the doors", which also works even though it does not assign that piece of work very fairly considering that it might always be the same one leaving last.

There might be other mechanisms to handle taint. I don't think it is necessary to stick to a specific one. Each blacklist-providing service might apply their own heuristics, depending on the type of crime they are after. Unlike Mike, I don't think we need an elaborate technical solution here. A simple API like "how tainted is address X" is ok in most cases, even though it reveals the fact that someone is interested in that address to the provider. The provider will notice that anyway when a transaction involving that address appears in the block chain. The "private set intersection" proponents have found a very sophisticated hammer, and now they are desperately looking for a nail.
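The three rules described in the post above, applied to the example transaction from the question, as an added sketch that is not part of the thread or any poster's code. Two assumptions are made here: the fee is treated as one more output, and when no single output can hold the whole tainted amount under compact taint, it fills the largest outputs first (so that a 0.49/0.51 split of 1 tainted BTC leaves both outputs tainted, as stated elsewhere in the thread).

```python
from fractions import Fraction

COIN = 100_000_000  # satoshis per BTC


def btc(amount):
    """Convert a decimal string such as '1.5' to integer satoshis."""
    return int(Fraction(amount) * COIN)


def _sinks(inputs, outputs):
    """Outputs plus the implicit fee (assumption: fee handled like an output)."""
    fee = sum(value for value, _ in inputs) - sum(outputs.values())
    if fee < 0:
        raise ValueError("outputs exceed inputs")
    sinks = dict(outputs)
    if fee:
        sinks["fee"] = fee
    return sinks


def _dirty(inputs):
    """Total tainted value carried in by the inputs, in satoshis."""
    return sum(Fraction(value) * taint for value, taint in inputs)


def full_taint(inputs, outputs):
    """Any tainted input marks every output, and the fee, as 100% tainted."""
    level = Fraction(1) if _dirty(inputs) > 0 else Fraction(0)
    return {name: level for name in _sinks(inputs, outputs)}


def diluted_taint(inputs, outputs):
    """'Dirty water': every output carries the transaction-wide dirty ratio."""
    total = sum(value for value, _ in inputs)
    level = _dirty(inputs) / total if total else Fraction(0)
    return {name: level for name in _sinks(inputs, outputs)}


def compact_taint(inputs, outputs):
    """Keep the dirty value together: smallest output that can hold it all.

    Assumption (not specified in the post): if nothing is large enough,
    fill the largest remaining output completely and carry on.
    """
    sinks = _sinks(inputs, outputs)
    result = {name: Fraction(0) for name in sinks}
    remaining = _dirty(inputs)
    free = dict(sinks)
    while remaining > 0:
        fits = [n for n, v in free.items() if v >= remaining]
        if fits:
            name = min(fits, key=lambda n: (free[n], n))
            result[name] = remaining / free[name]
            remaining = Fraction(0)
        else:
            name = max(free, key=lambda n: (free[n], n))
            result[name] = Fraction(1)
            remaining -= free[name]
        del free[name]
    return result


# The transaction from the question: (value, taint) per input.
EXAMPLE_INPUTS = [(btc("1"), 0), (btc("1"), 1), (btc("2"), 0)]
EXAMPLE_OUTPUTS = {"Out1": btc("2"), "Out2": btc("1.5")}

if __name__ == "__main__":
    for rule in (full_taint, diluted_taint, compact_taint):
        levels = rule(EXAMPLE_INPUTS, EXAMPLE_OUTPUTS)
        print(rule.__name__, {k: f"{float(v):.1%}" for k, v in levels.items()})
```

Under compact taint Out2 comes out two-thirds dirty (1 dirty BTC in a 1.5 BTC output), while diluted taint spreads 25% over Out1, Out2 and the fee alike.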
hero member
Activity: 994
Merit: 507
If Bitcoin is widely adopted I think that many people will opt to use tools that increase their privacy. I fear blockchain analyzing tools will increase removing people's privacy. Imagine going to a store and buying a pop and the store computer has software installed by the worker that instantly shows I'm likely rich and also like to purchase embarrassing item A. Perhaps he's trying to decide who to rob. Or even corrupt states around the world monitoring its citizens. If tools, such as zerocoin, or methods of mixing coins become popular to protect our right of privacy, would that make your scheme pretty much useless?
member
Activity: 62
Merit: 10
Can someone explain to me how taint would be calculated?

Say we have three inputs:
Code:
In1 - 1 BTC
In2 - 1 BTC from output marked as tainted
In3 - 2 BTC

And three outputs:

Code:
Out1 - 2 BTC
Out2 - 1.5 BTC

Tx fee (leftover): 0.5 BTC

So we now have three new outputs, Out1, Out2, and Coinbase of the block which contains the Tx and thus gets the Tx fee.

What is the "taint level" of each output? I haven't seen a demonstration of a way to calculate it that isn't easily exploitable.
legendary
Activity: 1120
Merit: 1149
or a Bitcoin will never be as fungible as a dollar bill.

A dollar bill is not as fungible as you think. All bills are numbered. There are blacklists of bills (e.g. stolen from a bank heist). When you are detected giving such a blacklisted bill to the bank, you will be asked a few questions, but the bill won't lose its value. Same could happen for blacklisted Bitcoins: as Mike and others have described, they could get white-listed again if you are willing to identify yourself and can make plausible that you are not connected to the reason for their blacklisting (e.g. by showing a receipt that says where you got them from).

Yeah, coins are closer, but there are even efforts to have every individual coin serialized.

Right now the serial numbers on dollar bills aren't too much of a worry but there are a lot of efforts underway to incorporate bill scanners into ATMs and even cash registers (with RFID) combined with massive databases to track the movement of every last bill. It might not be many more years where even if you could pay cash, if you did so at most places a RFID scanner in the till would cause an alarm had your bill come from a blacklisted transaction.

Bitcoin doesn't have to go this route if we don't want it to. Provably anonymous trust free mixing is possible among many other solutions: https://bitcointalksearch.org/topic/m.1790026 It's actually possible for every single transaction you make to participate in a trust-free mix, and doing so is actually a bit cheaper because making multiple payments in one transaction costs less in transaction fees than doing one payment per transaction.
member
Activity: 67
Merit: 11
or a Bitcoin will never be as fungible as a dollar bill.

A dollar bill is not as fungible as you think. All bills are numbered. There are blacklists of bills (e.g. stolen from a bank heist). When you are detected giving such a blacklisted bill to the bank, you will be asked a few questions, but the bill won't lose its value. Same could happen for blacklisted Bitcoins: as Mike and others have described, they could get white-listed again if you are willing to identify yourself and can make plausible that you are not connected to the reason for their blacklisting (e.g. by showing a receipt that says where you got them from).
legendary
Activity: 1120
Merit: 1149
Once it becomes relatively easy to verify whether a Bitcoin was stolen or not, legal pressure will form on exchanges and merchants to not accept them. In most countries, knowingly handling stolen goods is a crime. So step by step, we will get those blacklists in one form or another. And it is better to get them sooner and in a way we can shape - than to passively watch them appear.

(emphasis mine)

If you want your Bitcoins to remain fungible, not just now, but also in the future when a crime is detected long after it was committed you are better off ensuring it isn't possible to know where they came from.

I'm reminded a bit of John Dillon's pull request, particularly the replies by Mark Karpeles (MtGox) and Gavin Andresen. Neither sees anonymity as valuable or something the Foundation should push for, particularly Mark, yet if you receive Bitcoins that you know are anonymous and/or know you can spend anonymously you have a very solid guarantee that you will be able to spend them later without having to worry that a theft may be discovered after the fact, retroactively causing them to be blacklisted.

If Bitcoin wants to be the electronic cash of the internet, it has to be possible to break the inherent lack of anonymity the blockchain implies, or a Bitcoin will never be as fungible as a dollar bill.
member
Activity: 67
Merit: 11
At this point, I'd really only want to know if I'm receiving stolen coins.

And you are not alone. There is a lot of talent and money currently not flowing into the Bitcoin economy due to such concerns. Today, it is the wild west. If you want to make Bitcoin a currency mainstream users feel comfortable with, there must be some possibilities to track down severe criminals. What if Bitcoin becomes the first choice for ransom? After the third time you read a headline like "kidnappers demand 10'000 BTC ransom to release 5-year old Alice", you will start to doubt whether you still want your friends and relatives to think of you as the "bitcoin-guy". What will happen sooner or later is that someone opens a database of stolen Bitcoins. Once it becomes relatively easy to verify whether a Bitcoin was stolen or not, legal pressure will form on exchanges and merchants to not accept them. In most countries, knowingly handling stolen goods is a crime. So step by step, we will get those blacklists in one form or another. And it is better to get them sooner and in a way we can shape - than to passively watch them appear.

To conclude: I'm with Mike on this.
jr. member
Activity: 38
Merit: 3
the tainted coins can be thrown away by spending them to transactions

While this is true, it would be hard to launder large amounts of money in that way due to the rather small tx fees at the moment. I understand the analogy with a Casino's profits, but it seems to me that the creation of a block is a rather hefty price to pay for laundering such a sum. Take into account that a miner who is able to mine a block and "clean" such shady transactions could instead have cashed in on regular tx fees for other transactions. These regular tx fees not received represent a loss for the miner. Thus, it seems to me that the coins should become clean once they are included in a tx fee simply because it is not efficient for a miner to participate in such a cleaning scheme.
legendary
Activity: 1120
Merit: 1149
Thus, in this case, the taint is useless.

It gets better than that: the tainted coins can be thrown away by spending them to transactions, either obviously in one big high-fee transaction, or as a bunch of low-fee transactions - possibly even as an input to a network security assurance transaction.

Now are all coins derived from the coinbase outputs of the blocks in question tainted? It's easy to argue that they should be: miners can easily accept transactions privately with little risk of losing the fees due to an orphan, and large miners can still afford to return the fraction of the transaction corresponding to the hashing power they control even if the transaction is submitted to the network normally. It's already common for money to be laundered through gambling establishments by simply accepting the cut the casino takes as overhead.
jr. member
Activity: 38
Merit: 3
These two things might lead people to believe that those coins might be hiding something. [...] it might give some tips.

Indeed, anyone can see that the coins might be hiding something: that is why they are tainted.  One point I didn't mention is that the coins might be recognized as tainted only after a mixing or after a transaction. Just imagine Bob steals some bitcoins and quickly uses a mixer, tainted or untainted. After an hour or so, the coins are reported stolen and whoever got them in the mixing is "stuck" with tainted coins. Now what? The fact that the coins are tainted does not give any "tips" to anyone. People knew that these coins were shady, which is why some entity marked them as tainted in the first place. The only information you gain on the perpetrator is that he used a mixer, which can be seen by observing the blockchain anyways. All this information could have been derived without this whole taint proposal.

Thus, in this case, the taint is useless.
legendary
Activity: 1106
Merit: 1004
It seems you made some mistakes with your quotes there...

Answering your question: If mixers end up segregated among "blacklisted" and "non-blacklisted", somebody receiving coins coming out of "mostly blacklisted mixers" would be able to:
  • Know the coins have a high degree of blacklisted taint
  • Know the coins likely got through some mixer (that's visible)
These two things might lead people to believe that those coins might be hiding something. That alone is not enough to prosecute anybody (at least not in places where the most basic justice principles are still respected, like innocent until proven guilty), but it might give some tips.
jr. member
Activity: 38
Merit: 3
What I'm saying is that the coins getting out of these "blacklisted mixers" would still sound some alarms...

Yes, it will sound some alarm, but whoever is receiving these tainted coins does not know, by design of the mixer, who sent them these coins. They have an address since the transaction is visible in the blockchain, but they may not know anything about whom that address belongs to. From a law enforcement perspective, the trail dies. In this case, is there anyone that benefits from the knowledge that these coins are "tainted"?

Edit: quote formatting
legendary
Activity: 1106
Merit: 1004
While I would think that most people who use these tainted mixers would have something to hide (otherwise why pay the extra fee and receive possibly tainted bitcoins?), these mixers would still provide plausible deniability for the origin of the coins.

If the majority of coins being mixed are tainted, you would still get tainted coins out. True, that should make it difficult to discover which particular taint applies to you, but tainting only should never be enough to criminalize anybody anyway. The whole idea, if I got it right, was to help law enforcement to find criminals.
What I'm saying is that the coins getting out of these "blacklisted mixers" would still sound some alarms...
jr. member
Activity: 38
Merit: 3
This whitelist/blacklist approach to criminality linked bitcoins seems very interesting due to its decentralized aspect, at least in theory. I find the Spamhaus analogy to be quite appropriate. While I am uncertain of the overall efficiency of AML laws in our societies, I agree that some compromise will probably have to be done eventually.

However, the loss of fungibility still makes me uneasy. Would it be easy/free to get a coin whitelisted? I believe the hassle of tainted coins not being accepted or causing a delay in a restaurant might be excessive. A more reasonable option would be the restaurant accepting the payment without a word and then reporting the event to the appropriate authorities if they deem it necessary. Thus regular users really wouldn't care if their coin was tainted or not, and enterprises would not want to discriminate for fear of driving away consumers with tainted coins. The downside I see is that enterprises would have no real incentive to do appropriate reporting other than being good citizens, and I believe that mandatory reporting would be against the spirit of Bitcoin although this might end up being what happens.

Sadly, it seems to me that this whole proposal would be made useless by the use of mixers. Bad guy Bob could simply use a mixer and be done with it, having received fresh coins. Some mixers, centralized or decentralized, could adopt as a policy to only accept untainted coins, but then that might incentivize some mixers to accept tainted coins and charge a higher fee. While I would think that most people who use these tainted mixers would have something to hide (otherwise why pay the extra fee and receive possibly tainted bitcoins?), these mixers would still provide plausible deniability for the origin of the coins. This would make the whole proposal useless. I also believe in the necessity of mixers for the anonymity of Bitcoin and I wouldn't want them banned if that were even possible.

In any case, I believe that the Bitcoin community needs to address these concerns and discuss them instead of doing witch hunts for statist pawns. Mike's proposal might not be perfect both for technical and ideological reasons, but the community needs to seriously consider what is going to happen when governments around the world start making laws.
legendary
Activity: 1264
Merit: 1008
Thanks for sharing thought process with us. 

However this is not the way to go about fighting crime, whatever that might mean to you. No matter how fancy your money is, if people are mentally ill, children abused, adults sexually repressed, people put into top-heavy power roles with no checks, fascism not avoided, mental illnesses allowed to spread from generation to generation, and inefficient and short-sighted resource division is continued, we all know what the result will be. More crime. Freezing people's money isn't going to do shit apart from getting the people who control the freezing to be tempted to join the corruption.

TL/DR:  Regulatory Capture. 

The people who run the blacklists WILL become the people doing whatever it is you are trying to stop. 
full member
Activity: 121
Merit: 103
operating blacklists for tainted coins is an exercise in futility. i understand that mike and others want to "play ball" with the authorities and give them similar abilities to what they currently have to stave off negative regulatory action.

my immediate response to this push for self-regulation is that LE needs to do their own damn homework. the inventor(s) of bitcoin clearly put a lot of thought and work into the system in an attempt to empower the individual at the expense of the state. if the state wants to clamp down on nefarious activity on bitcoin, they can dig through the public tx ledger like anyone else.

the idea of blacklisting currency because it was misused is as stupid as sitting in a bank for 3 hours to open an account.