Privacy vs. Compliance: Debunking Myths About onchain analytics


In the CoinDesk newsletter last week, The Takeaway piece was entitled “A Double Standard for Privacy”. It was an impassioned piece by Dammkewl, who has written a blog post in support of the bitcoin mixing service Samourai Wallet, whose devs were arrested and whose website was seized earlier this year.

Back in May I wrote a piece on mixers (https://www.dhirubhai.net/pulse/2024-year-went-after-mixers-tara-annison-ndute/?trackingId=pca0e09B8KLUgcDcE1YmAA%3D%3D) outlining the challenge of balancing mixers as an offering that supports an individual’s right to privacy against their frequent abuse by illicit actors.

In general, my position is that privacy-preserving tech should not be banned just because it can be (and often is) used by illicit actors: banning it would cut off the legitimate access that law-abiding, decent people need. I came across a saying that has really stuck with me and which neatly sums this up: “If privacy is outlawed, only outlaws will have privacy.” (Philip Zimmermann)

However, what struck me most from Dammkewl’s blog post is that there is still a fundamental misunderstanding of how onchain analytics and crypto compliance work. Too often I hear criticism of it because people (wrongly) assume that every single transaction is being tracked, traced and reported to regulators, governments, police, exchanges and so on. They think their activity is being linked to, and tainted by, addresses several steps forward and back in the transaction chain, even when those are not directly relevant to their own activity. This paints a pervasive picture of onchain compliance in which you are permanently tainted by one unlucky interaction, and in which any conclusion drawn from onchain analytics is likely incorrect.

This was certainly the picture put forward in Dammkewl’s blog, so I want to clear up some misconceptions about onchain analytics and crypto compliance!

Dammkewl states:

“Some Bitcoin/crypto exchanges however, believe they do need to perform invasive research on the history (and future use!) of your bitcoin. They dive sometimes as far as 4, maybe 5, transactions further down the line of the chain of transactions.”

The way that onchain analytics works is that it looks back as far as necessary in the chain to build up a picture of who you have interacted with and where the money you are sending has come from. This could be 4 hops, it could be 400, it could be 1. It is not looking back an arbitrary number of steps; it is looking for identified entities. So if the 1 ETH you are sending to an exchange comes from an account that has primarily interacted with DEXs, some other centralised exchanges and a few dapps, and has bought some metaverse-related wearables, then this is what gets ‘reported’. In general you don’t trace ‘through’ these entities and go back more hops in the chain: you go as far back as you need until you hit a known entity, and stop there.

Most blockchain analytics providers don’t look to label individuals like you and me, so the entities you will be connected with are services and businesses, and any unlabelled addresses you interact with will themselves be assessed for the entities and businesses they have interacted with. Most compliance firms also distinguish between a direct connection (you have directly sent or received crypto assets from someone) and an indirect connection (there are a few ‘hops’, i.e. crypto addresses, in the path between you).

This is really important because a direct connection is an intentional relationship in which money has directly changed hands between you. When the connection is indirect there could be an unlabelled actor in the middle and therefore a change of ownership. It could of course be an obfuscation tactic by the entity to feign a change of control, but the direct vs indirect nature of the connection is captured on chain and allows compliance professionals to investigate further before they draw conclusions.

This approach of looking at your direct and indirect transaction activity is simply building a picture of who you have interacted with on chain so that your onchain persona can be assessed for risk. It is just as the transactions you make from your bank account are reviewed to see who you are interacting with and sending money to. Every individual at a bank has a risk/behaviour score too, so this isn’t just a crypto compliance thing!

If you are interacting with legitimate businesses and entities then you will be low risk. If it is dark markets, CSAM vendors and hackers then you will be high risk.

Dammkewl claims that this method of hopping through onchain transactions is in stark contrast to tradfi approaches, using the example of you selling your bike to an individual and being paid by bank transfer:

“Your bank won't apply any "history related scrutiny/research" to these funds. After all, you just sold a bike, nothing else happened between the two of you. Nor will your bank investigate what future recipients of your funds will do with that money.”

However, this fails to recognise that if this were a tradfi transaction it would still link you and the bike buyer together. Should the buyer later be discovered to be a nefarious actor, the payment between you would likely be scrutinised by the compliance department to check whether it had a more illicit purpose. This is in addition to the onboarding of you and the bike buyer by your respective banks, where they collect source-of-funds and due diligence information, check you against sanctions and PEP lists, and conduct ongoing monitoring for illicit behaviour, as well as the sharing of information between banks and with regulators about suspicious activity. So, contrary to what Dammkewl claims, there is actually a LOT of monitoring of you, your funds and the payments you make in a tradfi scenario, and whilst the bike buyer’s later actions are unlikely to come back towards you and your risk score, the connection between you is certainly made.

Likewise onchain, any interaction you have had with another address permanently links you together. However, the magnitude of the transaction, the frequency of any other transactions between you, and the size of this relative to all your other activity are taken into account. As such it is not necessarily the case that their future actions taint you; this is an incorrect view on Dammkewl’s part.

Take the following example: you interact with the bike buyer and send them 0.058 ETH for the bike, and they later go on to spend all of it on dark markets. What is clear onchain is that you sent funds to an address and that address later spent funds on a dark market. That does not mean that YOU have sent funds to a dark market, and any business effectively using onchain analytics to manage risk would be weighing the direct nature of your funds going into the bike buyer’s address against the indirect nature of their going onwards to an illicit destination, and assessing this in line with your wider direct and indirect activity. Therefore if all your direct activity is with legitimate sources and it is just this indirect connection to an illicit source, the conclusion to be drawn is that someone you directly sent funds to later spent them with an illicit source.

The benefit of the blockchain and crypto compliance tooling is that these transactions can be visualised, the metadata assessed, the direct and indirect exposure analysed, and all of this compared against the spectrum of your wider activity. This can be done in both an automated and a manual fashion and allows crypto compliance professionals to come to risk-based decisions. They don’t simply assume that you’re bad because you have indirect exposure to an illicit source.
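The following is an added illustration of the tracing method described above. It is example code written for this page, not part of the original post and not any analytics vendor's tooling. A toy ledger and a label table are constructed inline; a breadth-first walk follows funds backwards (source) or forwards (destination) and stops at the first labelled entity it reaches, so unlabelled addresses such as the bike buyer are traced through while Uniswap or an exchange are not. Exposure is split into direct (1 hop) and indirect (more than 1 hop) and weighted by amount. The ledger, the labels, the rule that an amount is capped by the smallest transfer on its path, and the single expansion of each unlabelled address are all assumptions made for this example; real attribution models are considerably more involved.

```python
from collections import defaultdict, deque
from typing import NamedTuple


class Exposure(NamedTuple):
    entity: str    # label from the attribution table
    risk: str      # "low" or "high", as assigned in LABELS
    hops: int      # 1 = direct counterparty, >1 = unlabelled addresses in between
    amount: float  # amount attributed along this path (see trace())


# Constructed toy ledger of (sender, receiver, amount in ETH). Invented addresses, not chain data.
LEDGER = [
    ("cex_a",   "you",     1.50),   # you withdrew from a centralised exchange
    ("uniswap", "you",     0.40),   # swap proceeds from a DEX
    ("you",     "cex_b",   1.00),   # your deposit to another exchange
    ("you",     "buyer",   0.058),  # the bike payment from the example above
    ("buyer",   "mule",    0.058),  # the buyer moves it on through an unlabelled address
    ("mule",    "darkmkt", 0.058),  # ...which spends it on a dark market
    ("hacker",  "mule",    3.00),   # unrelated inflow to that same unlabelled address
]

# Stand-in for an attribution database: labelled services with a risk band (assumed).
# Individuals ("you", "buyer", "mule") carry no label and are traced through.
LABELS = {
    "cex_a":   ("Exchange A", "low"),
    "cex_b":   ("Exchange B", "low"),
    "uniswap": ("Uniswap", "low"),
    "darkmkt": ("Dark market", "high"),
    "hacker":  ("Exploit proceeds", "high"),
}


def trace(address, ledger, labels, direction="source", max_hops=50):
    """Breadth-first walk from `address`; "source" follows funds backwards,
    "destination" follows them forwards. A labelled entity ends the path
    (we do not trace through Uniswap to its other users); unlabelled addresses
    are traced through, each expanded once. The carried amount is capped by
    the smallest transfer on the path (a simplification chosen for this example).
    """
    edges = defaultdict(list)
    for sender, receiver, amount in ledger:
        if direction == "source":
            edges[receiver].append((sender, amount))
        else:
            edges[sender].append((receiver, amount))

    exposures = []
    seen = {address}
    queue = deque([(address, 0, float("inf"))])
    while queue:
        node, hops, carried = queue.popleft()
        if hops >= max_hops:
            continue
        for nxt, amount in edges[node]:
            carried_here = min(carried, amount)
            if nxt in labels:
                name, risk = labels[nxt]
                exposures.append(Exposure(name, risk, hops + 1, carried_here))
            elif nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1, carried_here))
    return exposures


def high_share(exposures):
    """Fraction of attributed volume sitting with high-risk entities (0.0 if none)."""
    total = sum(e.amount for e in exposures)
    if total == 0:
        return 0.0
    return sum(e.amount for e in exposures if e.risk == "high") / total


def summarise(address, ledger, labels):
    """Direct vs indirect exposure per direction, weighted by amount.
    direct_high_share: did money change hands between you and a bad actor?
    indirect_high_share: did someone you dealt with then deal with one?
    high_share_of_volume: the illicit amount against everything else in that direction.
    """
    summary = {}
    for direction in ("source", "destination"):
        exposures = trace(address, ledger, labels, direction)
        direct = [e for e in exposures if e.hops == 1]
        indirect = [e for e in exposures if e.hops > 1]
        summary[direction] = {
            "direct": direct,
            "indirect": indirect,
            "direct_high_share": high_share(direct),
            "indirect_high_share": high_share(indirect),
            "high_share_of_volume": high_share(exposures),
        }
    return summary


if __name__ == "__main__":
    for direction, s in summarise("you", LEDGER, LABELS).items():
        print(f"== {direction} ==")
        for e in s["direct"] + s["indirect"]:
            kind = "direct" if e.hops == 1 else f"indirect ({e.hops} hops)"
            print(f"  {e.entity:<16} {e.risk:<5} {kind:<18} {e.amount:.3f} ETH")
        print(f"  high-risk share: direct {s['direct_high_share']:.0%}, "
              f"indirect {s['indirect_high_share']:.0%}, "
              f"of all volume {s['high_share_of_volume']:.1%}")
```

Run against the constructed ledger, the source side of "you" is two direct, low-risk entities (Exchange A, Uniswap). The destination side is one direct, low-risk deposit (Exchange B) and one indirect, high-risk exposure (Dark market, three hops, 0.058 ETH). The direct high-risk share is 0%, the indirect high-risk share is 100%, and the illicit amount is about 5.5% of everything you sent: exactly the reading the post argues for, that someone you paid later spent the money illicitly, not that you did. The unrelated 3 ETH the mule received from "hacker" never appears, because a forward trace from you only follows edges leaving your funds' path.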

Dammkewl therefore paints an incorrect picture in which this multi-hop approach means that others’ activity will taint you. It would only do so if someone didn’t understand how to use blockchain analytics effectively and correctly.

As such, his closing statement draws an incorrect conclusion:

“Before the exchange allows you access to the bitcoin you've just sent to them, they may end up first looking at thousands of people's transaction histories, if not more, just so that they can feel "safe" to handle your bitcoin. And that's regardless of how large or small an amount of Bitcoin you send to the exchange. Remember that with any bank transfer to an exchange, that number is nowhere near thousands, it's zero!”

Exchanges are looking at the funds you have sent them and where you got them from, as well as your overall activity. This is because risk assessment should not be done at the level of an individual transaction but should look at your activity as a whole.

Imagine a terrorist who has just received £20 in a birthday card from his gran. He wants to use it to buy your hand-knitted plushie. Do you sell it to him? The answer should be no. He is a terrorist, after all. Regardless of the fact that the money he would hand you originally came from his gran, it is now tainted by the fact that it is his.

Likewise when an exchange is receiving or sending funds, it needs to consider the total activity of the person sending/receiving it - not just that transaction in isolation.

To refer back to Dammkewl’s example: you shouldn’t just look at the bike payment, you should look at who is buying and who is selling.

That’s what effective risk management is.

What is also incorrect is Dammkewl’s notion that the exchange is looking at thousands of people’s transactions to decide whether your transaction should be approved. The assessment is of your activity and of the entities it touches. Just because a criminal has used Uniswap and you have used Uniswap doesn’t mean that you are linked to that criminal; it means you are linked to Uniswap. It is also incorrect to say that a bank transfer looks at zero people. It looks at you and the recipient/sender, so that’s at least two! Plus there is ongoing monitoring of each person’s activity with other individuals and entities.

In both cases, tradfi and crypto compliance are building a picture of an individual or entity’s activity by looking at who they have interacted with, and using this to come to a risk-based score or assessment.

I write this not necessarily to disagree with Dammkewl’s overarching position, i.e. that privacy-preserving technology is important, but because there is still a fundamental misunderstanding of crypto compliance and how it works, and I believe it undermines a pro-privacy argument if it rests on incorrect fundamentals.

Crypto compliance is incredibly important to stop bad actors using crypto. Privacy-preserving technology is incredibly important to ensure that good actors have access to privacy (whether needed or just wanted).

Crypto compliance allows businesses to make risk-based decisions, and if done badly it will lead them to incorrect risk-based decisions. Privacy technology makes these decisions harder (because information is missing) but can still be part of a risk-based decision model.

Dammkewl’s Full Blog: https://blog.ronindojo.io/freesamourai/?utm_source=Sailthru&utm_medium=email&utm_campaign=The%20Node%2C%20June%2025%2C%202024&utm_term=The%20Node

Ahsan Ali

Web3 Crypto Enthusiast | Social Media Strategist | Web3 Growth Hacker | Sustainable Community Booster | Nurturing Crypto Strategies

4 months

Well said!

David Robson FICA

Helping build knowledge and competence within your organisation #neverstoplearning

5 months
