Epicenter - Learn about Crypto, Blockchain, Ethereum, Bitcoin and Distributed Technologies - Michael Gronager: Chainalysis – Surveillance and the Path to Mass Panic
Episode Date: March 17, 2015

When spinning up a few hundred data-gathering Bitcoin nodes prevented some breadwallet users from transmitting bitcoin transactions, a minor panic quickly erupted about the Bitcoin compliance startup Chainalysis and their supposed sybil attack on the Bitcoin network. Chainalysis CEO Michael Gronager joined us for a discussion of what happened and what role transaction monitoring will play in the future. We dove deep into the tension between the desires for user privacy and the requirements to achieve integration into existing financial services.

Topics covered in this episode:
- How Chainalysis' nodes caused problems for breadwallet
- What damage a large scale sybil attack could really do to Bitcoin
- The role transaction monitoring will play to achieve Bitcoin integration in existing systems
- Why transaction-related blockchain analysis does not threaten Bitcoin's fungibility
- The best way users can protect their anonymity

Episode links:
- CoinDesk: Chainalysis CEO Denies Launching Sybil Attack
- Bitcoin Talk Discussion
- Reddit: A Bitcoin Compliance Startup is Sybil Attacking the Network
- Reddit: Chainalysis versus Mycelium Story
- Inside Bitcoin Article

This episode is hosted by Brian Fabian Crain and Sébastien Couture. Show notes and listening options: epicenter.tv/070
Transcript
This episode of Epicenter Bitcoin is brought to you by ShapeShift.io.
With no account or sign up required, it's the easiest way to buy and sell Litecoin,
Dogecoin, Darkcoin, and other leading cryptocurrencies.
Go to shapeshift.io to instantly convert altcoins and to discover the future of cryptocurrency exchanges.
Hello, welcome to Epicenter Bitcoin, the show which talks about the technologies, projects,
and startups driving decentralization and the global cryptocurrency revolution.
My name is Sébastien Couture.
And my name is Brian Fabian Crain.
We're here today with Michael Gronager.
He's the CEO of Chainalysis.
And previously he was the CEO of Kraken, which is one of the main Bitcoin exchanges.
I know Michael from a while ago, I think we met in Amsterdam two years ago almost.
And he's been in a bit on Reddit.
And there's been a lot of controversy and news about his service and something that happened.
So thanks very much for coming on today, Michael.
Sure, you're welcome.
So we're also meant to have Peter Todd on.
He was going to ask a lot of great critical questions of Michael,
but he's in San Francisco and it seems like he didn't manage to make it in time.
So we'll have to take on that role.
But of course, we're more than happy to do so.
So yeah, I look forward to the discussion today.
So to get started, can you just run us through briefly what happened there?
Yeah, sure, I can. Yes. So essentially, a few months ago, we decided to set up this
experiment where we essentially wanted to see how easy it is to get from transactions
to countries. What we wanted to do was essentially to do a map of what's the movement
of Bitcoin around the world. So what funds are moving?
from country to country in terms of Bitcoin.
It's kind of an interesting exercise.
But also, of course, in the long run,
if you're doing compliance in different ways,
what's interesting is, of course, origin of funds
because that would be a question that you get.
So where did they come from, from which country did they originate?
And also, you should acknowledge that there's some laws
where there's actually some countries,
you're not allowed to trade with other countries and so on.
So that's a question we would get at some point from customers.
So that's why we did a checkup on this,
and first we meant to do a blog post
and later on essentially before we're doing anything,
announced that what we are doing.
So we set up a carefully drafted experiment
where we chose to do one class C network,
so that would never conflict with a normal Bitcoin client
because that is protected against that.
And then we kept it running for a couple of months
and see what data it could collect,
and also it becomes, of course, at some point, a honeypot,
so nodes would always connect to that one,
And this means that we could get a pretty high, pretty high estimate, a pretty good estimate on from what country a Bitcoin transaction originated.
Also, what happened, and that's really what was the cause of the controversy, was that breadwallet apparently doesn't have this protection.
And this meant that some of the breadwallet instances would connect directly to our servers.
And we had, well, as you're a startup, you're not always doing everything as good as you wanted to.
So we built it in the way that we could monitor for transactions, but we didn't forward transactions.
It should be said that all SPV clients have the same behavior.
They don't forward transactions either, and you will find tons of different behaviors and different clients around there.
But our clients, our nodes, caused some breadwallet users to experience issues.
That's highly unfortunate.
And we only learned about that Friday, I think, where we saw the posts on Bitcoin talk
and some of the friends I know say, hey, you're being mentioned here and there.
And then we looked into the issue and shut down our service because we thought it was
better to shut it down before we caused anyone else's issue.
And why weren't you forwarding transactions?
I'm curious.
Why?
Simply because the way that we set it up was that it's much easier to have, it requires a channel back to forward the transaction.
So it would require some extra code writing and us to forward it.
The way we set it up now, we are serving blocks and Merkle blocks.
So we are only requesting data from one local super instance, so to speak.
And then we are only sending back the digest, the country-to-transaction
mapping, once in a while; that is getting pulled.
So we don't really need to connect back and send the transaction forward.
And it's not, well, it's not a demand that you do that.
But of course, it will annoy someone, especially if you're on a bread wallet.
So, I mean, the main sort of meat, I think, of today's discussion is also going to be
kind of looking beyond when we think about what does that mean when you have this transaction
monitoring.
I mean, you were talking about, for example, enforcing capital controls, which is always
going to be something governments want and it's obviously something and many people in the
Bitcoin space are very much opposed to. The very idea of Bitcoin for them and for many people
is that it liberates one from that. So I think there's an interesting discussion there of very
different views of what Bitcoin should do.
Yeah. Just coming back to what happens here, I'm curious
how you found out about the sort of controversy that was happening on Bitcoin Talk Forum and on Reddit
and how you responded to it?
Yeah, so I think I got a text, I got a message on Skype Monday morning at some point
where I was sitting and reading emails and someone sent me a link to the discussion there
on Bitcoin talk.
And then I went in there, discussed it with my CTO, and then we essentially tried to find out
what's actually heads and tails on this.
What is ups and downs?
Is it, well, what are you being accused for and what is actually the problems here?
First of all, it was not clear whether it was causing real issues for the Bitcoin network or not.
So we needed to do some problem analysis before we started to give back any feedback.
And then from there, I chose to say, okay, the proper source here is I got in contact with the two journalists,
one from Inside Bitcoins, I think, and the other one from CoinDesk.
And then I took the discussion with them because that would be relayed to the highest number of people.
And then later on, after we shut down the servers and so on,
started answering questions on Bitcoin talk.
So thinking a bit deeper in here, now, breadwallet connects to, does it just connect to some random node?
And it was unlucky that in this case, it was a node that wasn't forwarding transactions.
People would try to send transactions, but they would never be broadcast to the network.
Is that what happened here?
Essentially, yes.
However, the Bitcoin protocol works this way or indirectly this way,
that if you are on the network for a long time and you become popular,
then you grow and your ranking kind of grows indirectly.
This means that a lot of other nodes are connected to you
and they would send your IP to other ones.
They would just forward it.
And that would essentially, in the long run,
that would mean that a lot of nodes would connect to you.
So this means also that breadwallet would, in the long run,
connect to us.
That's okay, but it's not okay if they only connect to us because they wouldn't be able
to forward their transactions.
So normally they're pretty well connected, but for some reason, some of them, it could
also be purely coincidental that they only got, had one of our nodes there.
We did some code around that, so we'd never connect to, we simply drop a connection if the same
nodes tried to connect more than two times to us.
So then we drop them.
So if they had two connections and they were only to us, then they would be affected.
So normally you would expect an SPV wallet to be connected to multiple nodes,
broadcast a transaction to multiple nodes, and then, you know, hopefully even if one of them doesn't forward it,
it doesn't matter because one other one does.
But for some reason here, breadwallet only connected to one?
Yeah.
Yeah.
Okay.
That's very interesting.
I mean, one of the things we wanted to ask Peter, but I think I'm sure it's also something,
you can address here.
Like you guys weren't malicious here, right?
You weren't trying to stop breadwallet users
from buying their coffee or something.
But what if, are there some kind of dangerous scenarios
we see here that if somebody actually does
want to do something malicious
and does, I don't know,
instead of a few hundred nodes, get a few thousand nodes
and what are the kind of risks here and dangers?
What could someone do?
I think definitely you could do that.
And if you ask me, I would say that the Bitcoin network as it is today is probably too vulnerable
against these kind of things.
So we have been into Bitcoin for a long time and we did best effort to do everything in the
right way.
And as it is a very heterogeneous network today, we didn't know all the implementations
and all the details in all the wallets.
So it meant that we unfortunately caused issues for some other people.
Other nodes are causing issues for other people again, and that's just how it works.
It means that we need to build clients in the future expecting that stuff like this would happen,
expecting other kind of attacks.
And as I see it today, my main worry is, as the trading grows and as you see reactions on different things,
let's say you want to earn some money in Bitcoin.
So what do you do?
You buy a few, I'd say a few thousand nodes.
You set up a network similar to ours,
and then at the right time you say, now I buy a lot of bitcoins.
No, you don't. Now you sell a lot of bitcoin, you go short on them,
and then you switch them off or switch them on, essentially,
so they don't forward transactions anymore. They cause a lot of problems on the network.
You would see a lot of issues because you might even
have coins split for a while, other kind of ugly things,
because they were essentially they became the new backbone
of the Bitcoin network.
And then the price will drop because people usually react to it that way.
You go in there, you buy some coins, and you go back again,
and then you have earned some money on that one.
You definitely, you could definitely do stuff like that.
And it's not good because it's just the way things are today.
Yeah, no, it's interesting because just two episodes ago,
three, we talked about the idea of shorting Bitcoin, especially in the long run and
what kind of risks will there be, especially if you're able to take a very large short
position and then some financial players can come in with large resources.
And what's interesting is that we sort of assumed in all that discussion
a kind of a best case scenario for Bitcoin, assume, you know, what are the risks if
somebody actually has to like acquire control of a majority of the hashing power, right?
But of course, it's an absolute best case scenario for the security of Bitcoin.
And even then there are risks, but an attack group probably doesn't even have to do that.
There can be many, many way cheaper attacks.
I think definitely, yeah, it would be through a botnet.
That's obvious.
It would be through a botnet as the setup.
And the normal mitigation that exchanges use, if someone tried to manipulate price,
they actually have compliance officers that go through all trades.
And that would also happen in, for example, there was this case on Wall Street a few years ago
where someone hacked a Twitter account from a prominent source
and managed to make some indexes go down 1 or 2%.
There's a lot of money.
And what you look at there is that who earned from this?
And then you scrutinize every single person
and figure out who could it be that was the cause of the problem.
That would never happen in Bitcoin.
There's no central organization, any control, anything there.
So you're home free doing it.
You can essentially do it as a happy hacker
and then you can just go there, get your botnet running,
and earn some money on the exchanges.
And the normal mitigations, looking into each transaction and figure out,
or each trade and figure out who earned a lot from this,
who actually had the magic bill that knew when the price would go down,
that kind of things would never happen.
And I think it should before, it's something that we need to,
that exchanges would need to do at some point.
I mean, one related point to that also is the question, to what extent is it illegal, right?
So when you hack a Twitter account and make some fake tweet and impersonate someone, obviously that's illegal.
But when you hire a lot of nodes and don't forward transactions and stuff, well, that may be against sort of expected behavior of Bitcoin and maybe against what people want to do, maybe against some sort
of standards, but it's hardly illegal or probably not.
I mean, it's hard to know, but it should be very possible there to do attacks that are perfectly
illegal.
So you can't even, I think even if he identified the people, there may be no recourse you
can take.
I think the only recourse you can take is if they do it for price manipulation is illegal
and it's illegal in almost all jurisdictions.
So as long as you can pinpoint that and clearly make the case that
this person deliberately tried to do price manipulation and he earned one million bucks on that one,
then you can definitely take legal action on that part.
If someone is doing whatever experiment, doing even just trying to just for the fun of it,
because they like Litecoin better than Bitcoin, try to do a DDoS attack on the Bitcoin network,
you couldn't do anything about it.
Not as I see it.
It wouldn't be, it would be impossible to run that case
in a big way.
Now, but you talk about price manipulation, but, I mean,
price manipulation on what, on regulated assets?
I mean, I don't think Bitcoin falls into the category of something
that would fall under price manipulation.
You might be right.
You might be right, yeah, yeah.
Today's magic word is duality, D-U-A-L-I-T-Y.
Head over to letstalkbitcoin.com to sign in, enter the magic
word and claim your part of the listener award.
So taking a step back, you mentioned a little bit about the kind of goals you are pursuing
of Chainalysis, you know, that for example, you gave the example of capital controls.
But can you expand a little bit on what's the, what are the objectives of the company?
So essentially, I talked to bankers in different countries for
a few years, well, last year essentially, and to regulators as well and so on.
And also in trying to obtain bank accounts and having these discussions,
CoinDesk ran a long feature around why it's so hard for Bitcoin companies to get a bank account.
And also, I've been running, lately been running compliance courses as well.
And I get approached by compliance officers from banks and they say, well,
We actually would like to onboard Bitcoin, but we don't have any measures to, we don't have any tools to do our customer due diligence.
We don't know, we don't have any way to actually oblige to the law, follow the law regarding anti-money laundering other things.
So essentially the only thing we would be able to do would be either keep an extremely low amount of Bitcoin, but even that would cause a liability if they accepted that.
So they don't really know how to treat Bitcoin and not cause liabilities for themselves.
So that's why there was definitely a requirement for different tools to help them doing that.
So one thing, for example, if you look to US, there are the OFAC lists of individuals you're not allowed to trade with.
There's also companies you're not allowed to do transactions with and there are even countries you're not allowed to do that.
And the precautions, if you do it anyway, are pretty hard.
And this means that if you, for example, accepted a Bitcoin transaction from, say, North Korea or Afghanistan or wherever, one of the countries on that list.
And that was used for some kind of terror attack.
You're pretty certain that you would probably go to jail for doing so, unless you could state a story where you could say,
I actually did my best to check that that was not the case.
And then the question is, how do we establish what is the best?
And the best by industry standards.
And early on, when we had discussions with regulators in US,
there was a lot of people, developers, all the core developers and so on,
claimed, well, we shouldn't be regulated as hard as cash,
because bitcoins are actually traceable.
They're much more traceable than cash.
And that was the expectation from regulators from early on.
I also talked to Natcha from CSSF in Luxembourg, the regulator there, and she also heard the same story and approached me last year and said, hey, but you always claimed that Bitcoins were much easier to trace than cash.
I heard that from all people.
So this also means that we need some tools.
We actually need to be able to utilize this feature of Bitcoin if we are not to regulate them as cash.
And if they were to be regulated completely 100% as cash, it would be impossible to know what's the origin of funds.
And you would need a lot of statements from users and the utility of Bitcoin in that scenario would be awful because you wouldn't be able to use them in.
It would be very hard to integrate them in the existing banking system.
Of course, you could use them for other purposes.
But that would be mainly for medium of barter and they can be used for that as well.
You raised another question just before around, would you still, well, if you have this
kind of knowledge around the origin of funds and other things, would you suddenly be locked
out?
Some people couldn't use certain exchanges or you could state that if you used a tumbler,
couldn't you use an exchange or whatever.
Whatever you use in Bitcoin, I don't see that you can still trade bitcoins with everyone
in the Bitcoin environment, but if you want to go to Fiat land and if you actually want to go
to one of the exit and entry points of Bitcoin, then they are under a lot of regulations.
They have to follow a lot of rules.
And if you don't want to accept that they have to follow these rules, you're essentially
just asking them to take your risk.
Just saying, well, I don't care.
I just expect you to run that risk and don't check anything.
me because I don't want you to do that.
And they will just end up in jail in some point because at some point some
money launder guy would actually end up there and they would get a case against
them.
And I don't want that.
Yeah, I don't think that you're only concerned when you're interacting with
Fiat.
I mean, you could also be concerned when interacting in the Bitcoin payment system itself.
And so the question that we had for you is like, does this sort of labeling of clean
and dirty coins threaten the fungibility of Bitcoin, where we
now have a situation where some coins are coins non grata and are not accepted by major exchanges
or perhaps even merchants.
Yeah.
So what I see is that at least in our view, in our way of implementing solutions for
compliance solutions, we don't like the idea at all of red lists, blacklist, white lists of coins.
We see, and that's how compliance works, you need to look at the story around a transaction.
So I have this favorite example.
Let's say you go into a bank and you have a million dollars with you.
You're a new customer.
They never seen you before.
And you say, I just want to deposit these million dollars in cash.
They'll probably say no.
We can't do that.
Or if they do, they would definitely file a suspicious activity report on you.
And because they would feel that we don't know the origin of funds,
it's not clear in any way that this guy should pop up with one million dollar.
The dollars are still fungible,
though you couldn't put them in there. You would still be able to take the dollars one by one
and buy grocery or whatever for them. That would be totally okay, but moving one million
dollar into a bank account would be impossible. The other scenario would be that you have been,
you're the head of Red Cross, you're doing a collection in your community and you're getting
a lot of, you're out in the streets and getting a lot of money as donations. Your bank knows
that. He knows your history. You still come in with a million dollar again. Then you can still put
the million dollar in there. So it's not the dollars and the coins in Bitcoin land that became
tainted. It would be the story around them. So I don't see a scenario where if you end up with certain
coins, you can't get rid of them again. But if you end up with certain coins in huge amount,
it will definitely be hard to do it. So let's say that you for some reason chose to, uh,
switch Litecoin with Bitcoin for everything that the latest hacker at Bitstamp got out there,
then you might have some issues getting rid of them afterwards because it would be a huge amount.
But if you had smaller amounts from the Bitcoin hacker at Bitstamp
latest time, you'd probably not see any issues.
Some institutions might raise a flag because they found out that there was this trail of the money.
but if it was only smaller amounts and you had a good history and a good record otherwise,
I don't see that there would be any reason for them to think that there was anything
dodgy going on.
Yeah, I mean, I think it's an interesting question that you brought up,
Sébastien, here, and it's kind of, it's hard to wrap your head around this sometimes, right?
So on what kind of level does the monitoring and this happen,
does it happen on a user level, on a transaction level, or on a coin level?
And I mean, I think it's definitely the case in my view at least and I think in the
view of most people, almost everyone in the Bitcoin community, that the idea to have it on the coin level,
it just makes no sense, right? I mean, that would be a total disaster.
Yeah, yeah. And also it
would be awful because it would essentially mean if you had a central repository of
different colors of coins then you would
For each transaction, even smaller transaction, you would need to go central to, in order to maintain it.
And it's just not in the spirit of Bitcoin.
And it's not the things you want.
You just want to be able to, well, like with the normal dollars, you can turn them over between different people and that's okay.
So can you explain a bit how you would conduct these analysis?
So to say like this is, you know, this is okay.
Maybe a bank can take on this money, an exchange can take on this money, accept this deposit, versus there is some sort of flag here.
Does that mean you would, for example, as a company, you would keep a track of, let's say, stolen coins and things like that?
Or how would that work?
So essentially, we don't like to have the liability as a company of
claiming what is good or bad.
That's essentially up to the user to upload that to us
and then they can reuse what they got afterwards.
If they wanted to collaborate somehow on sharing between them,
they could do that as well.
But that's really something they choose to do
and we don't choose to do.
It would definitely be good to have a list of stolen coins
and also what we have at many exchanges and so on,
a lot of people are doing fraud there.
so they would show up with a credit card that's false or stolen or whatever and go Bitcoin and then run away.
And I think there's definitely an exchange that would like to avoid that.
And if it happens to them, they see it as people stealing money from them.
And that's actually what happened.
So they would like these money not to be easily laundered on other exchanges.
so they probably tell other exchanges and everyone that this was the case.
You see it all the time with Bitcoin hacks.
Everyone are keen to tell these are actually stolen.
Please don't take them or please tell me where they are.
So that's part of it.
What we are doing in terms of our customers,
you need to look at compliance as a bigger thing.
So essentially you have a customer and around that customer is a lot of different data.
So what they need to have to have a customer today would probably be to have a passport.
It could be vetted.
It could also, it could might be only a Bitcoin address.
They definitely have your IP address.
They would do that all the time.
Today, any company into financial services, also the Bitcoin companies would check your IP address.
They would check where you log in from.
Do you log in from different sources?
and depending on the pattern of use, what you do, and so on, if you, for example, only go from
Bitcoin to Fiat, they might not be that worried. If you go from Fiat to Bitcoin, they would
worry more because Fiat land is known for easy fraud. So they might actually try to exit with
Bitcoin. So different things would apply there. And that would be the whole picture of that,
that would weigh in on them to figure out whether this was risky or not. So what we can
provide extra there is essentially to see on the Bitcoin side of things. So if they receive some
Bitcoin or if they're sending Bitcoin somewhere, then we can help them see, okay, is this the
same wallet that was being used at an earlier fraud case on our exchange? Because we don't want
the same guy to pull the same number at us twice. And the only thing they can do today in the
simple way is just to look for the same address. And that doesn't help much. What we can help them
is the clustering part to cluster things together into wallets.
I'm not saying that this can't be tricked or whatever.
I'm just saying that what you need to do to do your compliance
is to do the best stuff available.
And best stuff available today is not to just look at single addresses.
It's probably to look at wallet level and at least ensure that's the part of it.
You could also look at the specific user, what's kind of their pattern and other things.
So different things in that scenario would be,
what we are providing.
Well, let's come back to this in just a second.
I want to talk about user protection as well.
I mean, come back to this attack scenario
because I think there's some other topics
that would be interesting to talk about.
Before we do that, let's talk about Shapeshift.
So, Shapeshift is the fast and easy way
to buy and sell altcoins.
If you ever tried to buy altcoins on an exchange,
we've been talking about exchange,
you know that that is somewhat complicated.
You have to create an account there
send them a bunch of personal information,
and that just takes a lot of time,
and it's sort of a hassle.
Shapeshift makes it easy with their currency conversion tool.
Looks a lot like Google Translate for cryptocurrencies.
So basically, you go to Shapeshift.io,
you choose the currency you want to deposit,
and you choose the currency you want to deposit to.
If you have a look here,
for those of you watching on YouTube,
you'll see that they support
about two dozen different currencies including Dogecoin, Feathercoin, NuBits, Potcoin, if you're into that, Ripple.
And recently, Unobtainium.
Still not sure what that is, but they do support...
It's finally obtainable.
They do support Unobtainium.
So basically, you go to ShapeShift.io, you enter the address of the currency you want to convert to.
So in this case, for instance, we want to buy some Litecoin from Bitcoin.
You put your Litecoin address, you hit start, you will be shown a QR code to which you will send your Bitcoin.
And in just a few seconds, you'll get Litecoin on your account.
Or it could be someone else's account.
Could be a merchant that you're sending it to, could be someone you're tipping.
There's really lots of possibilities here.
And what's really great as well is they're adding some interesting tools to their toolkit.
So one tool that we've talked about recently is the Shapeshift, the Shifty button rather,
which is kind of cool.
So it allows you to just basically add a button to your website.
So if you've got a Bitcoin address, in our case, on our tipping page, we've got a Bitcoin
address.
We used to have a bunch of different wallet addresses there for Litecoin and Dogecoin, et cetera.
But we got rid of all those, and we just added the Shifty button.
And with one single button, people can now tip us with up to 25 different altcoins,
whatever the amount of coins they support.
So go to ShapeShift.io, give it a try.
Tell us what you think.
it's really fast and easy
and it doesn't require any personal information
to be given to them.
You don't even need to create an account.
And so we'd like to thank ShapeShift.io
for the support of Epicenter Bitcoin.
So yeah, coming back to just briefly
to the sybil attack.
So we mentioned who was affected by this.
So in one instance,
breadwallet users were affected by this.
Now, a lot of,
so we've been talking about SPV wallets recently.
We had Thomas from Electrum on.
Electrum is an SPV wallet, but uses a different scheme.
So there's servers that are somewhat centralized,
and the transactions go through there.
It's not like I guess what you would call it,
a true implementation of SPV where it connects directly
to Bitcoin nodes.
Like, what percentage would you say
of Bitcoin users would be directly affected by this?
If someone were to try to implement
at like a large scale attack vector where they had maybe like 10,000 nodes on the network.
And to what extent would the Bitcoin network be paralyzed if that were to happen?
So, I mean, what would be the, say we had 10,000 fake nodes on the network,
how would that affect the network in a practical sense?
It's actually a good question. I think that what would be affected would be people trying to buy beer in cafes,
whatever, users of smaller SPV wallets.
I think that would be the prime victims in the first place.
The question is how bad it would be for the Bitcoin network
if you would get some nodes that would effectively become disconnected
and be, well, falling behind.
So my question is then, so that's it then.
So it's only those SPV wallets that would be affected?
Or could we expect the network to just generally be
slow and sluggish and transactions not making it to the miners for some reason.
I think actually the latter.
I think that could happen.
If you really do a full, a real Sybil attack on the Bitcoin network,
that would definitely be something you could do.
It's not good, but that would be the case.
So then my next question is, how do you think the Bitcoin network as a whole can protect
itself from this sort of attack?
There's one thing, the one way
it's protected already today is that miners
connect directly to each other.
So the mining would still go on.
The other thing is that
I might guess that
some of the bigger players would also
connect directly to the mining network.
And this means this is a kind
of a centralization, you could say, because
that's a
peer-to-peer thing is someone agreeing
that we do it this way because
we are important and we do it. We want
quality of service.
So they would not be affected either.
The ones being affected would be, well, people on a normal client and other ones running
that scenario there.
And they would most likely be, either they would get, see that they didn't get the blocks
fast enough, they would have problems getting their transactions confirmed.
And then at some point, I guess that they would see that something was wrong and try to
restart.
And once they restart nodes, they would
go to these seed sites and some of them actually are run by Bitcoin Core, another centralization
part.
And this means that they would get some of the nodes that would actually give them the
the right connection to the network and they would be back again.
So it would cause some annoyance, definitely.
The core part of the network being the miners would probably not be affected at all.
Okay.
And how can, so on, so that's, I guess, on the network security side, the security of the network as a whole.
As far as users go, how, so what your research is doing is aggregating IP and location data from users.
If I'm a user of the Bitcoin network and I want to protect myself against this
type of what some may consider to be invasion of my privacy. I'm not saying that's particularly
my case, but how could one protect oneself against this type of gathering of the data?
I think that what you should do, you should go through the Tor network. That would be the right
way to do it. If you really want anonymity, I think that has been a well-known fact among Bitcoin
Core people at least for a while. That the only way you can
protect you against stuff like that would be going to Tor and run your transaction and send
them to Tor.
You could say that in our setup, the only thing that we would gain there that would be
that this is a Tor transaction.
So that's a big country of Tor, which is good enough.
We don't, we don't, we definitely have no intention whatsoever to try to look into where,
where things come from inside the tour network.
And that would be, I think that's, that's a, that's a, would apply to everyone.
So that would be it.
But then I presume you would have, for example, an exchange or some bank, etc.
They would say, oh, a transaction coming from Tor then is suspicious, probably.
Perhaps.
Perhaps.
It's hard to tell.
Today, a lot of transactions come from Tor network as well, a Tor exit node.
And that doesn't mean that they're suspicious either.
But you could say that if they see that this is from the Tor network,
Again, it also adds up to the entire picture of this customer and this specific transaction.
So it's not just either or.
So if you have one customer that only send you money as a bank through Tor, you would probably say,
I need to ensure that this guy is actually who he claims is before you accepted that in the long run.
because you would feel that I don't have this extra
kind of info telling me that he is telling the truth
so you would probably say okay is he really from
is he really the guy who thinks it so you look at an extra time
as his passport you might call him and say hey
it's you, we just saw you send everything through Tor,
perfectly okay with us but well we just want to know that you're there
you pick up the phone when we call you and they say yeah it's me
I just like privacy you say okay cool
I think that would be the normal scenario around that.
Yeah, but some may consider that to be some sort of an intrusion and,
you know, some sort of mass surveillance of what people do.
So the other side of that and what I think sort of the spirit of Bitcoin is that we don't
have to have that sort of, that sort of assumption of guilt, some might call.
I don't think it's an assumption of guilt that way.
It's more like, well, I think essentially the Bitcoin has a lot of, at least what I've seen the last few days,
there's definitely an assumption of guilt up front.
So that's what I have seen.
But I think that if we assume guilt, if you don't see that we necessarily assume guilt here
just by checking up on people things.
Also, if you're a financial institution following the law, you need
to do it. And what you could choose to do is that you could either not check these things
and just do extra extra KYC on your customers and do other things that in the normal space,
or you could take a higher risk and risk getting out of business because you got a fine
at some point. That's essentially the three scenarios you have. So you can either make a very
very low friction user path, use different
products to make to make a good guess whether people are actually good or bad.
And for that purpose, you need a lot of data points.
That's one way.
You could say you are invading privacy, but you could also state that on your side,
that that's your policy.
That's how you're checking up on people.
That's why you are so good at it.
The other version, number two, is that you say, I just ensure totally upfront that I know
who I'm dealing with, so people can't get an account here unless they meet up in person.
and then you would also have done your due diligence in a good way.
And then afterwards, you're not checking anything electronically.
The third option is to just take the risk.
You just say, okay, I'm an exchange, I'm perfectly okay with that.
I take the risk.
But again, that could just be different market forces,
and as a user could choose different schemes there and different exchanges.
As an exchange provider, as a financial service,
it's up to you to choose what kind of risk profile
or scenario you prefer.
So let's talk a little bit about dark wallet or mixers.
What kind of role do you see for that in the future?
And I mean, I also presume, right, when you, if you use those and you start interface with
banks or regulated companies that would raise, that would probably be a problematic way of
using it, right? Or I guess it would be one factor that...
Yeah, I, well, I could give a two-penny advice, and that would probably be that
use your mixer against the already legal services that you need to interact with and try
to use something that looks more, well, okay, if you're interacting with banks.
That would probably be the best way. So if you're dealing with, if you want to buy something
on Silk Road, it's not there anymore, but if you want to do stuff like that, then it would be
through a mixer or so you didn't get your kind of history tainted.
Still, you'd be able to see you'd use the mixer, I think.
But again, I would go for that scenario.
Otherwise, I say, what would be the role of mixers?
Well, you could say that they're still there.
The problem is that you are definitely trying to obfuscate something.
And depending on the policy of a financial institution,
they can choose to say, there's a good reason for that,
or they could say that you don't see a good reason for that,
so that's why we think it's suspicious
that you're trying to obfuscate what you're doing,
and then we choose to do something about it,
whatever that can be.
It's hard to say what will be the specific choices there.
So what's your personal view on this?
Do you think mixers and dark wallet
and those kind of projects are a good thing for Bitcoin,
or do you think it would be more desirable if those didn't exist
because it would make it easier maybe to get acceptance from any integration
in existing financial services?
I think that I think we will see now we have this this era where we try to get Bitcoin
kind of legal, get it, well, mainstream being Bitcoin to some extent.
I think that Bitcoin being mainstream would not mean at the same time
that all the other cryptocurrencies will go mainstream at the same time.
So it depends on what level of compliance tools and other things you can build around them.
And if you build stuff like Zerocoin and other things, I think that would be even harder.
So they don't have this story I referred to earlier saying that while we are much more traceable than cash, no, they're really cash.
You can't trace them at all.
This means that you need a lot more in the banking sector,
you need a lot more due diligence around customer,
taking onboarding customers and so,
and that probably hinder the acceptance of stuff like that.
I have to say that's a really interesting perspective,
and it's a perspective that I don't think I've heard before, right?
To think of these services, right, like mixers or these anonymity services,
If you think of those from the perspective of the banks or of those sort of, let's call them,
regulated entities that, you know, bridge between Fiat and Bitcoin, there they just create
additional work, right, because they make the compliance harder.
And then that's very interesting, right?
So, of course, my thinking on this has often been it's really important that
people can stay very anonymous because to the extent that, let's say, law enforcement or other
entities are able to, for example, de-anonymize all Bitcoin users or like Bitcoin users to a large
extent, most Bitcoin users, you know, it's a threat on a few levels, right?
Like you can, if you don't like Bitcoin, if a company wants to ban Bitcoin, it can go against
Bitcoin users directly.
And, you know, it can make Bitcoin less attractive because potentially, you know, huge privacy
risks.
Yeah, I should add that I definitely would see that as a nightmare scenario if you try to
de-anonymize all Bitcoin users and all their transactions.
For example, take there was a leak earlier this year.
There was one last year from Mt. Gox.
And there was another leak just recently where someone leaked the user database.
And if you take these leaks and put them together, you have the entire transaction history for all the users that were ever signed up on Gox.
That's kind of a leak that says something about privacy.
If you go in there, you can find all transactions.
You need a bit of work to do it, but you can do it.
And that's bad.
And that's kind of the, that would be a horror scenario.
So imagine that you could do that with Bitcoin, it would be possible.
So not only would it be done by some weird government agencies, it would also
happen by that someone else would do it and suddenly it would be just out in the open and it would
not, the value of Bitcoin would disappear because, well, if anyone could see what everyone was
buying, I think that's perhaps one of the issues with Ripple that as soon as you transact with one
guy once, then you can see what he's buying all the time. That's one of the issues and you don't want
that to happen with Bitcoin. You essentially want to see that, well, don't mind you can see everything
what happening on the network on a statistical level, but you don't like to, well,
share every single purchase that you made.
Do you think this is a plausible scenario?
Is that a danger you worry about?
I don't think that we will have, no, I don't think so.
I think it's too hard.
Still, again, if you're trying to do the de-anonymization
to IP addresses, it's hard to get a complete coverage of things anyway.
You could probably pinpoint down to some level.
But then again, you would have run into other problems.
You would see that people use different IP addresses.
They are different in many ways.
So just example, that you have IP addresses for different using a mobile phone,
then you would change IP address all the time.
So you would have these kind of scenarios.
It's not that easy.
Again, we have Tor.
So if you really need to be private, then you would use that as well.
And if it will be a war on tech.
So if you have more of more tools of that degree, people probably start to use Tor more often, I think.
But I think perhaps Tor would have the same issue.
You could probably de-anonymize that as well if you really made a huge effort and run Sybil attacks there.
We don't like that either.
It's, I don't see any point in doing so.
Well, I think so we get into some sort of a scenario where people that have the technical ability to use Tor and to use anonymizers would have
relatively good anonymity and privacy and people that don't would be vulnerable to having
their identity and their anonymity be compromised.
I mean, to some extent, it's probably also true about general technology.
I think it is.
Yeah.
So can you talk a little bit about where you see Bitcoin going?
What kind of role do you see Bitcoin taking in a few years from now?
How will this be integrated into existing systems or used on the side?
Or like, what's your vision for Bitcoin?
So essentially, as I see it, is that initially when I saw Bitcoin first time,
I saw that this is just awesome because what you have here is online cash.
And I've never been a huge fan of paying through watching different kind of commercial ads on the internet.
So I essentially always prefer to pay for services in smaller transactions and whatever way you need to do it.
So I think that there's definitely a case in the future.
We need some different developments completely separate from what we're doing on micropayments and other things.
But I think we will use Bitcoin as cash online.
That will open up for the entire third world to be able to trade with us.
All the unbanked suddenly become, will be able to be included in our
economy and that's kind of a revolution as I see it. So just that part is a revolution by itself.
When we are there, then we are moving into the completely speculative scene. And before getting
there, I think we need to have Bitcoin mainstream. So it means that, well, your bank,
everyone would just accept that Bitcoin is another medium of exchange, something you can use
to pay with and that's perfectly okay. That would include a lot of other players in our economy
and that would be awesome.
So if you go from there and ahead, then you can only speculate,
but some people would speculate that we will see an era where, well, you only have
cryptocurrencies, it would be no point in keeping fiat currencies around.
That might be the case.
And that would be all, I think probably would be cool, but it's just too far in the future.
So I can't really dream that far.
I think that first step, as I see it, and the first goal is that if we have a technology
at hand here by which we can include the unbanked, we can include the third
world, they can become part of our economy and we can also as individual, we can have an app store
on the entire internet where we can choose to buy for smaller services and get rid of all these
strange subscriptions you need to do here and there and just use Bitcoin instead.
Cool. I mean, I agree, but I also think that it's important that we try to, as much as
possible, protect ourselves against the sort of things that the financial system has been
accused of in recent years and that we try to make sure that whatever this whatever happens
in the future with Bitcoin or any other cryptocurrency is in the interest of just the people
in general right I mean I totally agree I think one of the best the worst scenario the really bad
scenario we had in banking I whatever you can say about banking they can earn as much as they want
and they can do whatever they want but I think what we had the worst
nightmare scenario we had the last few years had been too big to fail.
So it's not really bad that a bank does a lot of illegal things and in the end they go to jail
and they go bankrupt.
So that's how the system should work.
It's not a big deal.
I wouldn't even get offended in any way by them doing it.
They probably do it.
But the bad thing is that if they do a lot of bad things and you get a scandal like HSBC that
have been participating in money laundering on the level of several billion euros,
And at the same time, you end up saying, well, they're too big to fail.
You can't put them in jail.
They'll get a fine.
And that's it.
It's not okay.
That's bad.
We don't want that to happen in Bitcoin.
We don't want a future like that.
So I totally agree there.
So with this whole, I guess, you probably call it some sort of a fiasco,
but with this whole ordeal that you've been through these last couple of days,
you know, I was reading through the Bitcoin Talk forum
and we were following on Reddit.
What have you learned from this experience,
from being sort of,
I guess, a target of the Bitcoin community.
So I think that, I think there's two things.
I think the main outcome, what we learned from is that if you want to do surveillance,
you should probably do it even in more stealth mode.
Still, I think that was not really our purpose on things.
What we wanted to do
was to build this transaction, the block around transfer the fund between countries.
And I think we shaped our experiment pretty well.
Unfortunately, some users got hit on breadwallet and that was bad.
What we perhaps also should do is to say that this is a legitimate use.
There is a use case in what we are doing there.
So perhaps you should advertise it.
I suggested that on one of the Bitcoin talk posts that you could, for example,
just state out frankly in the link that this is the running the statistics that why we are here
and then you could be able to see that in some of the messages you post that this is the kind of
node you are connecting to now. That's one of the discussion points, takeaway points from that.
Beside from that, I think we expected all the time when we went from doing normal coding stuff
and went into the compliance thing of Bitcoin, we definitely expected to have discussions
on whether that was a good idea for Bitcoin or not,
whether that was the way Bitcoin should move.
Is it an idea?
Is it totally wrong?
Is what we are doing unethical to do,
to help financial services being able to administer the risk in dealing with Bitcoin?
Is that wrong?
Should we completely keep it pure crypto land or whatever?
I think that kind of discussion will be ongoing and go for a long time
and we'll probably also get some bashing for that part.
So I think you said something quite interesting there.
And what I'd like to add is,
so there's sort of an expectation of transparency in the ecosystem
and an expectation of,
I know the word in French, but, you know, like,
showing your hands, I mean, I'm not sure what I'm trying to say there.
Oh, I know what I mean, yeah.
But yeah, so showing your cards, right.
Yeah.
And perhaps one thing that one may want to consider doing it
when doing analysis like this on the blockchain
or any sort of large scale operation is to put it out there beforehand.
Yeah, that's right.
Go on the forums and say, like, we're going to do this.
By the way, if you're trying to protect yourself
against some sort of an attack,
you can block these IP addresses rather than letting people
like talk about it for four or five days
and then finding out that your IP addresses belong to your company
and then finally coming out and saying,
yeah, this is us.
So perhaps this is one of the lessons to be learned
and to others who may want to engage in it in the future
would have that behavior.
It's delicate.
I totally agree.
The only thing is that it's delicate
because if you're building a business,
to some extent, you also don't want competitors
to pick up the same ideas.
You go in this kind of little stealth ball initially
and you build your ideas
and want to say, okay, when we're ready to present this for the world, we'll do it.
But in this specific case, it's probably better to go, well, show clearly what your intent is up front.
I agree.
But I think, you know, this discussion has been very interesting.
And I think it is very interesting if we look at, for example, there was the response of Mycelium on Reddit.
And, you know, they talked about how they are building all these tools that, you know,
are meant to really make Bitcoin more anonymous by default.
So, for example, they say, CoinJoin will be implemented
by default in the future.
I think they want to go through Tor,
I guess also by default,
or something like that.
And you know, that's interesting.
And I think so, you know, on the one hand, we have these tools
being built that, you know,
will make this much more anonymous, much harder.
And then I think I can totally see why,
and I see a lot of value in that, and I can understand that.
And I think, you know, any one of us, you know,
since the Snowden cases, it's just, it's, it's,
it's become extremely abundantly clear that surveillance is a huge problem.
And it's a huge threat, I think, to liberty and all.
And then at the same time, you know, companies like what you are doing,
you know, that's just, there's just not going to be any way to integrate Bitcoin into the financial system
or to have any kind of mass use of cryptocurrencies without that thing either.
You know, so I think there's this sort of both are, you know, both are inevitable, both are part of, of, of, uh, what Bitcoin and cryptocurrencies are. And I don't think either is, it's going away.
I agree. It's definitely it's, uh, we will have to fight that dualism a long time from now because we don't, we don't want the scenario of, of, uh, of surveillance. And also we can't fight surveillance with regulation. It doesn't work that way. You need to fight it some somewhere, some other by some other means.
You need to ensure that you protect yourself against surveillance.
It's pretty hard to do that.
And again, as you say, it will only be the savvy ones that can protect themselves against surveillance,
and then they might end up become the ones that people question what their intentions are sometimes.
So it's really a strange scenario.
And again, you need, as you say, you need tools for financial services for them to onboard Bitcoin,
and it's probably good that they onboarded, as I see it.
Now, I'm curious.
So I believe it was one of your co-founders who was involved with the Mycelium project in the past.
And so since this whole story broke out, like they've some sort of distanced themselves from what you guys are doing,
even though your co-founder is still somewhat involved with the project as an advisor.
What are your thoughts on them, you know, distancing themselves from what you guys are doing,
where you still have ties with them?
I think that, well, we both have good connections back to our former companies and talk to them
while almost on a daily basis in many ways.
But I think that definitely they should just distance themselves from this part.
You don't want to be subject of stuff like that.
You don't want to answer these questions, I think.
But we did that completely as Chainalysis.
That's how we present ourselves and any association of our services towards Mycelium or Kraken, for that matter.
It's not justified in any way.
So, besides from that, there were some speculations.
I think it was in Reddit or Bitcoin Talk that what were happening here was Mycelium trying to make it harder to use breadwallet to gain some customers for breadwall.
And I think that it will be going to this thing about assuming, well, assuming that someone is doing things in good faith first instead of assuming the opposite.
I think this is definitely an example of, it's just, well, come on.
Yeah, that does sound like a very absurd.
At least it's fun.
But again, it's just, it's not the case.
And no, yeah.
Well, Michael, thanks so much for coming on.
It was very interesting to talk to you,
also very interesting to dive a bit deeper into that story because obviously reading the top
Reddit comments, it doesn't always give you the most profound analysis.
And I think it's a very interesting topic.
We had a chance to cover here.
I mean, I think as we mentioned, this duality between the need for privacy, the desire
for privacy and anonymity is just so integral and so much part of Bitcoin.
And then this need and desire to get integrated and acceptance.
Bitcoin use and financial services is just as much part of Bitcoin.
It's just as much part of the vision.
And I think it's, yeah, thanks so much for that discussion.
I thought it was very interesting and very enjoyable.
Definitely.
Likewise, thanks for inviting me.
Yes, thank you very much.
And thank you for coming on such short notice.
Sure.
Yeah, and the listeners, thanks very much for listening.
You can follow us on Twitter at Epicenter, BTC.
And you can also leave us a tip if you want to.
And that's it.
with any of your Unobtanium, Litecoin,
or God knows, or Potcoin,
and you can do that
at epicenterbitcoin.com slash tips.
Yes,
send us your potcoins.
Yeah, thanks so much
and we'll be back
next week.
