Somebody’s Watching: Princeton Researchers Find That Ad Trackers Can Reveal Identities of Bitcoin Users

To protect users’ identities, Bitcoin uses something called CoinJoin. CoinJoin combines two transactions into a single one with multiple inputs and outputs to confuse anyone who might be trying to figure out who is sending or receiving Bitcoin. For example, if Marcus wants to send Bitcoin from X to Y, and Kaitlin wants to send Bitcoin from A to Z, CoinJoin will put the transactions together so that they become a single transaction with two inputs (X and A) and two outputs (Y and Z).

While this offers a basic level of security, it is possible for an onlooker to discover the identity of a user by observing the behavior patterns underlying transactions. Kristov Atlas famously created the “CoinJoin Sudoku” software that used transactional information to identify users. Thankfully, this was just for research purposes. 

A new vulnerability to Bitcoin’s anonymity has recently been discovered in what many consider to be a somewhat obvious place–ad trackers. Online retailers who allow customers to pay with Bitcoin often use cookies and “device fingerprinting” technologies that are intended to provide the retailers with information about their customer’s behavior patterns online.

Trackers Link Crypto Transactions with Behavior Patterns, Personal Information

This was discovered by researchers at Princeton, who examined 130 online retailers that accept Bitcoin. Stunningly, over one-third of the retailers “leak payment information to a total of at least 40 third parties, most frequently from shopping cart pages”. Most often, the information leaked is not directly related to the customer’s identity. Rather, most of the leaked information has to do with the patterns of behavior the trackers are attempting to record for analysis.

However, researchers also discovered instances of more serious information being leaked–for example, names and addresses required for shipping purposes can be leaked along with the transactional information itself.

This is not a problem that is specific to Bitcoin. Really, any online transaction involving personal information along with the use of just about any cryptocurrency can tie the transactions to the data.

Protecting Yourself

Luckily, protecting yourself against ad trackers is a pretty simple process. Using an encrypted browser, like Epic or Tor, is a great place to start. If you don’t feel like downloading either of those (they’re free!), use the “incognito” function on your browser as often as possible.

Also, be aware. If you are a regular user of sites like Facebook or Google, know that either of those can track your activity when you’re logged into their services even if you’re not using their websites directly. For example, any webpage that has a Facebook “like” button on it is a window through which Facebook can watch you.

Why Does this Matter?

Some might argue that this is only an issue for crypto users who are involved in criminal dealings. However, not all crypto users who prioritize anonymity are criminals–any are against the collection of personal data online by principle. In our increasingly digital world, it has become increasingly easy for governments and institutions to know where we are, who we are with, how and where we spend our money, and more.

While many people do not really care if the government knows their data, we must remember that it’s not really the actual data collected that is usually the problem. Rather, the problem lies in the relationship that governments, institutions, and (in this case) retailers have with the people they serve, and how the power is allocated. In other words: for most people, it’s more about consent than it is about the actual data collected. Retailers must be held accountable for the actions that they take without their customers’ knowledge or permission.