Last August, Gal Vallerius flew from France to compete in the World Moustache and Beard Championships in Austin, Texas, where he hoped his majestic red whiskers would win the “full beard 30.1-45cm” category. But he encountered the wrong Austin: Drug Enforcement Agent Austin Love. While on a layover in Atlanta, the DEA intercepted Vallerius and searched his laptop, discovering $500,000 in cryptocurrencies, the super-private Tor communication program, and an encryption key connected with the name OxyMonster, an online pseudonym they had been following. The DEA promptly arrested Vallerius and charged him with conspiracy to distribute controlled substances, including cocaine, fentanyl, methamphetamine, LSD, and oxycodone. If convicted, he faces up to life in prison.
Vallerius’s arrest was far from a random catch. For over a year, Love and other DEA agents had been investigating a dark web drug bazaar called Dream Market. In one key step, they noticed that an administrator of the site named OxyMonster was collecting Bitcoin donations through an online tip jar and that 15 of the 17 transactions moving Bitcoin out of the tip jar went to accounts belonging to a user named Vallerius on the site LocalBitcoins.
The agents searched for the uncommon name online and found several threads that seemed to connect the OxyMonster account to French national Gal Vallerius. For instance, OxyMonster often used the word “cheers,” double exclamation marks, and intermittent French in his posts; on Instagram and Twitter, Vallerius displayed the very same habits. The Bitcoin link provided enough evidence for a warrant for Vallerius’s arrest; soon after he set foot in the U.S. for the first time, he was nabbed.
Today, many people see cryptocurrencies as anonymous, untraceable digital money—and indeed, some of the first uses were to launder money and buy illegal drugs. But that reputation for privacy isn’t entirely warranted, as shown by the capture of Gal Vallerius. Rather than shield our identities, cryptocurrencies can function as sponges for information and could, perversely, further endanger our online privacy.
We already see some of the creepy potential of online tracking, like when we are presented with ads on a website that clearly relate to Google searches we did previously. Digital currencies could dramatically raise the stakes. If we start broadly using them and our purchase histories leak through accidents or hacks, much of our private lives could be exposed: all the books and movies we enjoy; all the medication and treatments we are prescribed; all the birth control, prophylactics, and intimate products we discreetly order.
Even many digital-money proponents say the lack of privacy is a major problem. “If we were to go to a Bitcoin world now, it would be a net negative,” says Emin Gun Sirer, a Cornell computer scientist and outspoken fan of cryptocurrency. “I can’t imagine doing that now. That would be crazy.”
Yet some hopeful programmers are working on various tools to turn cryptocurrencies into safeguards of our information. With virtual money edging ever closer to mainstream adoption, the design choices made now may determine whether it ends up being mostly a means for illicit activities, a tool for free interaction, or simply a more efficient way for us to be watched.
At their heart, cryptocurrencies are digital stores of value that are exist entirely as code. They’re built upon a technology known as blockchain that works as a decentralized ledger: instead of a list of transactions stored in a central hub like a bank or exchange, they’re distributed to a network of computer nodes that each keep a record of all transactions for each currency.
The great challenge to using a decentralized system like this is ensuring that each bit of digital money exists in one place at a time—like hard cash rather than easily duplicated software—and that all the nodes agree on who owns what. A solution to this problem was revealed in 2008, when the mysterious author (or authors) known as Satoshi Nakamoto published a technical paper outlining the design for Bitcoin.
The paper included an ingenious plan for how nodes could come to a consensus about ownership of virtual currency: users who want to make transactions announce them to the network of computers running the Bitcoin software. Then computers called “miners” race to record new transactions in a block of information by solving a problem that mathematically ties the transactions together. Each block also connects in a specific way to earlier ones, forming a chain of blocks. Once a miner hits on the solution, it transmits it out to the network and all the nodes add it to their copies of the ledger. The miner is rewarded with Bitcoins. Each new block confirms the transactions in the existing chain, preventing the chain from being altered or hacked.
A central feature of the peer-to-peer blockchain, and a key distinction from traditional centralized money, is that everyone can see every transaction. Of course, the users aren’t identified by their names or social security numbers or other personal information—only by an address made of a jumble of letters and numbers. At first glance, it seems like this achieves what Nakamoto was trying to accomplish: currency without a government, transactions without a bank, and openness without surveillance.
But as more data piled up on the Bitcoin blockchain, it became clear that even if a single transaction is anonymous, multiple transactions might not be. By connecting scraps of information from many transactions on a public blockchain, observers can find out a surprising amount about what they represent.
In 2013, back in cryptocurrency’s ancient past, UCSD researcher Sarah Meiklejohn and her colleagues inserted themselves into the Bitcoin blockchain by making a series of 344 transactions: they gambled, joined mining pools, and bought a range of goods, from cupcakes to a used CD from the band Boston to a Guy Fawkes mask (a reference to the hacker group Anonymous, which uses the mask as a logo of sorts). The activities revealed public Bitcoin addresses for the counterparties, which included many hubs of the Bitcoin economy, such as major exchanges. The researchers could then follow and study the flow of Bitcoins through the network. They could, for instance, easily trace some of the many Bitcoins that have been stolen from individuals and exchanges. Often they could tell when coins were changing ownership or merely moving between different accounts belonging to the same user, though some of the stolen coins took complicated paths that made it difficult to follow.
With all of this data visible to anyone looking, a number of companies have sprung up offering sophisticated ways of analyzing blockchain data. And agencies like the FBI now routinely analyze information gleaned from blockchains to investigate ransom demands from hackers and other suspects—including alleged dark web drug kingpins headed to beard competitions.
There are also big risks to the privacy of regular, non-criminal users of cryptocurrencies, according to a study published by researchers at Princeton last summer. They found that big gobs of information are dripping out from blockchains through one of the internet’s great privacy holes: cookies and web trackers. These bits of code track people online to make websites more convenient to use and to target advertising around the web. The study showed that shopping websites often show web trackers the details of transactions, which can then be paired with other data, sometimes including the user’s address, email, and name. For people paying in virtual money, their crypto histories, including past purchases, could then be available to the many companies using trackers—and to any hacker who gains access to that data or who sneaks a malicious tracker onto a shopping site.
But many of the biggest supporters of virtual money have been hard at work trying to fix cryptocurrencies’ privacy shortcomings. The simplest solution is simply to remove blockchains from public view. Some financial firms have done this by segregating projects from established blockchains like Bitcoin and Ethereum, the network that hosts the second-biggest cryptocurrency. The firms themselves run these walled gardens and give certain people permission to access them. This provides privacy and much greater efficiency but is fundamentally unsuitable for a cryptocurrency open for anyone to use.
A number of “tumbler” services make traceable cryptocurrencies more private by mixing many piles of money from different accounts. This obscures where each bit of digital money goes and who owns it. Though mixing makes coins harder to trace, it leaves some questions about whether there are enough mixing partners, whether deposits to and withdrawals from the pool are truly obscured, whether putting your money into a tumbler connects it with money being laundered, or even whether tumbling is itself an indication of money laundering.
Some developers are taking the more extreme step of creating entirely new, privacy-oriented currencies. One of the most prominent, Monero, uses three approaches to obscuring what’s happening on its blockchain. When someone sends a payment, it’s identified with a “ring signature” that includes cryptographic keys from multiple users, camouflaging the true sender. Similarly, the recipient of a payment is hidden, since each payment goes to “stealth address.” And RingCT, or ring confidential transactions, which Monero instituted in early 2017, cloak even the amount of money being transferred.
Zero Knowledge Transactions
More recently, there has emerged a new currency that boasts a more sophisticated privacy safeguard. Zcash allows users to securely encrypt all their transaction information so that it’s completely unreadable. That itself is an easy task; computer scientists have many clever ways of keeping information private, such as the public key encryption employed in secure web-browsing and email systems.
The trick, then, is verifying the data: if no one can see the details on the blockchain, how can you confirm that they’re correct? To do this, Zcash employs a new and frankly mind-boggling freak of math called a zk-SNARK. (The goofy-sounding name is an acronym for “zero knowledge succinct non-interactive argument of knowledge”—and aren’t you glad you asked.) The zk-SNARK is a special kind of proof that establishes the truth of a mathematical argument without revealing anything about what’s being proven. When a user makes a private Zcash transaction, it comes with a mathematically airtight assurance that it’s legitimate—that one account passed money to another and that it had enough Zcash to do so. Then a miner can look at the transaction, validate its proof, and record it in the blockchain for the world to see. Everyone can trust that the transaction is above board, even though no one knows the specifics of what happened. (The math is incredibly complex—well beyond the scope of this article. If you want more information, the Zcash site has a more in-depth overview and the Ethereum blog dives into the details.)
Before integrating zk-SNARKS into the Zcash protocol, developers had to generate numbers called parameters that computers in the network would use to create and validate the proofs. But the process of creating parameters for public use also births an evil twin: a private counterpart that an unscrupulous person could use to secretly generate, out of the blue, a limitless amount of Zcash. (This wouldn’t compromise anyone else’s privacy or affect their accounts, but it could crash the value of the currency.)
To prevent anyone from monitoring the calculations and finding the private key—they refer to it as “toxic waste”—Zcash developers went to what, under other circumstances, would seem like pathological lengths. The parameters were generated in what developers called a “ceremony” in which six participants around the globe worked together in a carefully choreographed sequence. One person would do calculations on a computer not connected to the internet, burn the result to a DVD, walk the DVD over to a networked computer (crossing an unhackable “air gap”), securely send the data to another participant, who would burn it to another DVD, bring that to their airgapped computer for more calculations, and so on, for 27 tense yet boring hours.
To further decrease the possibility of spying, the participants wrote their own software, bought all new computers from random stores, set up their computing stations in obscure motel rooms, physically removed all the communication hardware from the airgapped computers, and recorded every step of the process on video. One participant ran his calculations in a car driving across British Columbia, on a laptop held in a cardboard box lined with aluminum foil. After the ceremony, they erased all traces of the data through high-tech means like destroying the computer components with a grinder or blowtorch. If someone wanted to gain the power to generate Zcash at will, they would have to get the private “shard” from each participant and combine them to form the private key.
Zcash and Monero don’t just diverge in their technical approaches—their family trees are very different, too. Monero is a freewheeling affair run by a community of unpaid enthusiasts with a libertarian-anarchist vibe. Like Bitcoin, a significant amount of the early interest came from drug dealers and other users of the dark web looking to hide from the law. Zcash, in contrast, was launched by a company, with significant outside investment. For the first four years of the currency’s existence, 20% of the mined coins will go to the founders, investors, and a non-profit that looks after the protocol. (With Zcash’s current price at $481, that reward would have a total value of over $700 million.) Zcash hasn’t made as much headway in retail applications as Monero over its short life, but it has a technology partnership with JPMorgan, and they recently worked together to launch a zero-knowledge security option for a blockchain product offered by the bank. (The financial industry is interested in private blockchains because firms need to be able to trade secretly so competitors can’t horn in on their positions.) The two currencies have developed a rivalry, with each side trumpeting its own strengths and sniping criticisms at the other.
Between Two Currencies
In truth, each of these leading privacy-oriented currencies has its own strengths and weaknesses. In April, two different research groups announced that they’d found significant problems in how Monero hid user information, which could let careful observers identify the accounts involved in many transactions, though not the identities of the people behind them. (The issues were mainly present in the currency before RingCT was released last year but persisted in milder forms even after that.) There were ways that careful users could avoid revealing their information, but people in general are notoriously bad at taking active steps to preserve their privacy. Like tumblers, Monero depends on exacting sequences of steps, and with all the information available on a public blockchain, there could be small leaks that reveal people’s information.
Zcash has an advantage in that privacy is baked right into the protocol, so users and computers running the software don’t need to take any action to hide their tracks. But the possibility of someone accessing the private key still casts a faint shadow of doubt over the currency, even after it’s been accepted by many users and has a cumulative market value of over $1 billion.
Peter Todd, the ceremony participant who did his calculations from the mobile compute station driving across Canada, says the security measures were not as ironclad as they appeared. For instance, he points out that if the software for creating the parameters was compromised and made to generate “random” numbers that were not so random, a hacker might be able to recreate the private key and mint their own Zcash. Moreover, he says that even if the ceremony was safe, the high-powered math behind Zcash might not be. “zk-SNARKs are a very sophisticated mathematical technique, but you’ve got to remember how novel this math is,” he told Fortune magazine. “It would not surprise me and many other cryptographers if, in the future, that math got broken, making the entire system no longer secure.”
Many of the developers working on the two currencies acknowledge these shortcomings and are working hard on fixes. Monero, for example, plans to continue to refine its dummy transactions so as to better hide the real ones. Zcash is planning a major upgrade to its code that will include a second ceremony, in which hundreds or even thousands of people will participate. For the currency to be safe from a would-be private-key villain, they’ll need just one of them to successfully destroy their private shard.
At this point, it’s hard to predict whether these developers will succeed in providing secure, powerful ways for regular internet users to exchange value online. But money, brainpower, and optimism are all in abundant supply. These are hopeful days for cryptocurrencies.