Privacy and Cryptocurrency, Part II: Bitcoin Wallets

This is the second part in an article series by the Human Rights Foundation (HRF) on privacy and cryptocurrency, funded by the Zcash Foundation. To read about the purpose of this article series, see our introductory piece “Privacy and Cryptocurrency, Part I: How Private is Bitcoin?”. The next part in the series will explore the set of cryptocurrencies known as “privacy coins”. This series is written by Eric Wall who recently joined the HRF as a Privacy Technology Fellow.

If you’re an activist or a journalist concerned with the dangers of having your bitcoin activity unmasked by a corporation or an authoritarian government, choosing the right wallet application could potentially mean the difference between life and death. While the previous article in this series aimed to answer the question “What traces do we leave when we’re using the Bitcoin blockchain?” to equip readers with a protocol-level understanding of Bitcoin’s privacy characteristics, this article aims to take things into the practical domain and familiarize the user with the applications we use to interact with the protocol to send and receive bitcoins; Bitcoin wallets.

The discussion being presented here is heavily focused on achieving privacy in the face of a spying corporation or government. For users who aren’t concerned by surveillance and simply wish to get started with bitcoin, this article is likely to be overkill. It is the purpose of this investigation to set fairly ambitious privacy goals for different use cases and explore the practical feasibility of achieving them using the tools currently available in the industry today.

As we approach the topic of mastering Bitcoin privacy, your first consideration should be the type of usage you are envisioning. Examples:

  • Are you planning to move some of your wealth into bitcoin for savings purposes or to protect your money from being illegitimately seized?
  • Are you a writer planning to receive bitcoin donations over the Internet and store them for later conversions into local currency?
  • Are you planning to conduct online purchases of other goods and services using bitcoin?
  • Are you planning to conduct in-person purchases of goods and services using bitcoin?

These circumstances matter, because they impact the type of operations you will need to undertake. The immediate privacy needs of a user who simply wishes to store bitcoins might be confined to the ability to generate a fresh address and make sure that the coins arrive securely. Meanwhile, a privacy-concerned user who wishes to receive bitcoin donations on a regular basis might desire a mechanism for automatically generating new addresses for each donation. Further, a privacy-concerned user who uses bitcoin to make online purchases might desire to obfuscate the source of their funds and their source IP address when transmitting the transaction. And lastly, a privacy-concerned user transacting in person might desire to achieve a similar feat, but through the comfort of a mobile device.

Keep in mind that while it’s a challenge to draw an enduring picture of a cryptocurrency protocol due to its continuous process of improvement and change, it’s even more challenging to do so for the various external applications that interface with it. As such, it’s always a good idea to make sure you have updated information about the wallet application you’re planning to use. Software products require maintenance to remain secure, and well-maintained products can improve significantly over time while others may deteriorate. Open-source projects often have GitHub repositories where you can inspect release notes and development activity, but for the average person, your best bet might be to interact with other users of a product and ask questions. One of bitcoin’s greatest strengths is its active community of enthusiasts whom you can engage with on platforms like Reddit and Twitter — make use of it!

Finding a wallet

At the time of writing, bitcoin.org contains arguably the most up-to-date and curated list of Bitcoin wallet applications sorted by category. The website sources knowledge in a transparent manner from many different contributors and is a good starting point for any user to learn the necessities when using bitcoin.

The bitcoin.org website.

Keep in mind that despite the fact that bitcoin.org aspires to be a collaborative and transparent effort, all websites are inherently subject to centralized control and their content could become compromised at any time. Always be extra mindful during the process of installing Bitcoin software — always try to assure yourself that what you’re downloading is actually the right software. A compromised webpage could look identical to the real one, with the only exception being that the wallet you download is booby-trapped to steal your funds. Below are two methods you could use to avoid this. The “advanced” option provides you with much better security assurances, but the “easy” option is still an improvement over taking no extra steps at all.

  • Easy: When downloading a wallet application from a website, always attempt to assure yourself that you’ve been directed to the right domain. For example, googling “Bitcoin Knots” will show you results from well-known sites such as Bitcoin Wiki, Bitcointalk and GitHub, each linking to the same website as bitcoin.org does.
  • Advanced: The prepared installation files for the software are often referred to as “binaries”. These binaries are often signed with PGP keys from one or multiple developers of the project. Examples: Bitcoin Core download instructions, Electrum download instructions.

Privacy score

For each wallet on bitcoin.org, there are currently four different privacy scores: Improved, Basic, Weak & Variable.

Here’s how the bitcoin.org score criteria for privacy is defined:

Privacy: Does the wallet protect users’ privacy?
To get a good score, the wallet must avoid address reuse by using a new change address for each transaction, avoid disclosing information to peers or central servers and be compatible with Tor.
To get a passing score, the wallet must avoid address reuse by using a new change address for each transaction.

From the first article in this series, we know that while the wallet qualities described here definitely improve your chances at retaining your privacy, they by no means should be interpreted as sufficient to protect one’s privacy versus a sophisticated adversary. For instance, if you use a wallet to receive bitcoins and then one day decide to send your full balance to a new wallet, the common-input-ownership heuristic will still allow a blockchain analysis tool to trivially link all the addresses you’ve used to each other.

If we then look at two wallets within the “improved privacy” category, Bitcoin Core and Wasabi Wallet, they’re both capable of ensuring the above linking doesn’t happen. With Bitcoin Core, you could meticulously use the coin control feature to manually send one output at a time in separate transactions and continuously make sure that your addresses are never blended together in any later steps. In Wasabi, the same feature is accessible to you, but on top of that, it provides you with the ability to run your coins through a Chaumian CoinJoin mixing transaction where the mentioned blockchain clustering technique become inapplicable or inaccurate. In essence, one should think of the “improved privacy” score as a rough baseline for a category of wallets, with many variations within it.

Here‘s the full list of wallets in the “improved privacy” category:

Security & privacy

In an ideal world, we would have been able to focus purely on the privacy features of wallets and leave all security aspects outside of the scope of this series. In reality, however, the challenges of security and privacy are inseparably intertwined. Without security, we have no privacy — while most software exploits in wallets today have been designed with the purpose of extracting private keys to steal people’s funds, they could just as well be designed to extract sensitive information about its users. And in our increasingly data-centric world where almost every piece of information about users can get monetized, such incentives for adversaries are on the rise.

For the outside observer, software security might seem like a gruesome challenge. And for those few who do bear the burden of it, the reality often isn’t any less unbecoming. Software seldom comes in independent packages — instead, many software packages have dependencies on other software packages. This means that vulnerabilities and exploits don’t always find their ways into wallet applications through the codebase of those specific software projects, but also indirectly through their dependencies. Example: Copay (npm package vulnerability).

The question then becomes, how should a privacy-concerned user think about these challenges when making decisions about which wallet to use? How can we know which projects are likely to have good security practices and which ones to avoid? In the world of open-source software, we can rely on one rule of thumb: the more competent, honest, eyes we have scrutinizing a piece of code, the more secure it is likely to be. Here’s Bruce Schneier on the topic (1999):

Bruce Schneier on open-source software security, September 15, 1999 (source).

As these lessons are just as true today as they were two decades ago, it leads us to a dilemma: If privacy and security are inseparably intertwined, does it mean that choosing a wallet such as the Wasabi Wallet — which has more advanced privacy features but a much less vetted codebase than Bitcoin Core — comes with non-trivial risks to privacy along with its advantages?

Adam ‘nopara73’ Ficsor, the developer of the Wasabi Wallet, discussing code audits with two Bitcoin engineers (source).

Tools which are specifically designed to subvert surveillance organizations have a history of receiving an elevated amount of attention from surveillance organizations. For instance, the NSA has been known to develop ‘honeypot’ privacy tools specifically designed to attract bitcoin users in the past. The Human Rights Foundation (HRF) reached out to Bitcoin expert Peter Todd to opine on this matter:

In general, I can say that Bitcoin Core has received an unusually thorough degree of auditing, and for that reason it’s probably more trustworthy than most. But that’s just one factor out of many. As an end user — and I am one too! — I’m more focused on what I think the development process and standards likely are, and what incentives they have. So I’d be less concerned about things like Wasabi because the goals of the project seem to be good, and the privacy-benefitting features may be better overall.
 
But it’s not an easy decision — for pure cold storage I’d be inclined to just use Bitcoin Core directly on a separate computer to minimize dependencies and make sure my wallet is backed up.
— Peter Todd

To summarize: Yes, wallets such as Wasabi Wallet are at greater risk of having security flaws with second-order risks to privacy than Bitcoin Core is, but ultimately one has to weigh risks versus practicality. For instance, running Wasabi Wallet over Tor works out-of-the-box without any configuration, whereas a user who wishes to do the same with Bitcoin Core can expect to have to manually edit config files and operate a Linux command-line interface.

No one wants to recommend that anyone should settle for weaker security than what is theoretically available to them when it comes to something as important as privacy and financial sovereignty, but we also have to be realistic with how complex software operations we can expect users to be capable of executing and willing to adopt.


Different recommendations for different situations

We’ll now go back to the example Bitcoin use cases described at the beginning of the article. We’ll use the lessons from the first article in this series as a basis for what types of traces can be captured about our transactions assuming a spying corporation or government. Using this knowledge, we’ll construct suggested approaches to avoid leaving such traces. The goals can be described as the following:

  • We want to reasonably well* hide any connection between our real-world identity and IP address to our Bitcoin addresses from third parties
  • We want to avoid linking our addresses to each other in the eyes of third parties and blockchain analysis firms
  • We prefer methods with reasonable degrees of security and methods where the integrity of our approach does not rely on centralized entities

*By leveraging tools like Tor and avoiding centralized wallet services and websites, we can make it very difficult for third-parties to collect data on us that would link our IP address to our Bitcoin addresses. This does not include protection against omnipresent adversaries with the ability to mass surveil the Internet.

The approaches described below are not aimed to act as technical guides, but rather to assess the current state of the privacy technologies in Bitcoin.

I. Privately storing wealth in bitcoin

To store wealth in a Bitcoin wallet, you need to receive bitcoin from somewhere — possibly a cryptocurrency exchange or another Bitcoin user. In the last part of this series, we will explore platforms and methods for acquiring bitcoin privately — which is a delicate task in and of itself — but for the purposes of this example, we will assume that a method has already been chosen. In this use case, we only need to concern ourselves with the reception of bitcoin, as it will be your counterparty who is transmitting the Bitcoin transaction to be mined into the Bitcoin blockchain. Your responsibility will be to provide an address and assure yourself that the coins have arrived securely. For this discussion, we’re going to assume that security is paramount and that the funds intended to be stored constitute a meaningful portion of an individual’s wealth.

There is a myriad of ways you can do this, and choosing the right one depends on the degree of security and privacy you desire. You could generate an address on bitaddress.org and wait for the transaction to confirm using a block explorer, but then you need to trust that bitaddress.org has not been compromised (breaking either your security or your privacy, or both). Unless you anonymize your IP address origin using a tool like Tor, you would also expose your IP address’ interest in that specific Bitcoin address when you search for the address in the block explorer, and you would also need to trust that explorer to provide you with correct information.

Ideally, you should run a Bitcoin Core full node on a desktop computer if you have the ability to do so (instructions). This will allow you to generate an address and validate that the bitcoins have arrived securely without searching for your address in a block explorer. Depending on the capabilities of your computer and your bandwidth, the software could synchronize in under 24 hours, but may take significantly longer. The data storage requirement is currently ~200 GB but can be “pruned” to not exceed 4 GB. We recommend that this should be done on a fresh installation of Ubuntu.

A possible addition to this, in order to avoid the risks involved when having your private keys on an online computer, is to generate the address on a hardware device and monitor the address balance on your Bitcoin Core full node. Hardware device compatibility with Bitcoin Core is emerging with the latest 0.18.0 release and is currently accessible through a command-line interface, although a currently easier approach might be to simply monitor wallet balances using watch-only addresses (see ‘importaddress’ command). In the hardware device category, Bitcoin security engineer Jameson Lopp has two recommendations: the Trezor or the Ledger Nano S, as these two devices have been put under the comparatively highest degree of scrutiny within their category.

Bitcoin Core set to monitor the balance of the key used in the Genesis block (Window → Console → “importaddress 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa”).

If you absolutely cannot run a full node, an alternative approach may be to look up your address in a handful of different block explorers using the Tor browser. Once you have assured yourself that the coins have safely been received, you need to back up your wallet so that you can later restore access to your bitcoins wherever you are in the world. Hardware devices have the advantage that they’re often compatible with BIP39 which allows you to restore access to your bitcoins simply by memorizing 12 English words.

After you’ve received the bitcoins, you still have one potential concern: the sender still knows that you received these coins and can monitor your address on the blockchain. Ideally, we would like no one except ourselves to know the status of these coins. One potential remedy is to perform a self-send. The idea is easy — by sending the coins to another address you control, due to the pseudonymous nature of Bitcoin, the original sender can no longer be sure whether you are still in control of those funds or if it is someone else. In other words, you’ll have deniability.

When you run a full node you download the entire blockchain and your software reveals nothing to the world about which addresses you are interested in monitoring. Transmitting transactions, however, is a different story. To be sure that you don’t reveal your IP address to someone who might be monitoring the network in an attempt to determine the origin of your and anyone else’transactions, configure your Bitcoin Core node to connect over Tor.

II. Privately receive bitcoin donations and convert it into local currency

For this discussion, we’re going to make two important changes to the situation above. First, we need to receive transactions continuously, so ideally we would have some way of obscuring the total aggregates of what we are receiving. Secondly, we’re going to regularly be converting these bitcoins into local currency by sending them to some entity. We are also going to assume the amounts involved to be lower, such that we can be a bit more lax on some of the security ambitions.

We analyze three different paths to achieve the desired goal:

  • Use software that generates a new donation address to every visitor (Example: BTCPay Server)
  • Use BIP47 reusable payment codes to let the sender generate a new donation address on their side instead (Example: PayNym.is)
  • Use a static donation address

Each of these methods has advantages and disadvantages.

Fresh addresses via BTCPay Server: Although BTCPay Server is fairly well-documented, not every writer is going to want to run a server just to receive donations. However, if you do choose this method and you’re blogging on pages such as Medium, you at least don’t need to change platform — you can simply attach a link to your BTCPay Server webpage at the bottom of your posts. One issue is that as you convert these donations into local currency, it does not help to have used new donation addresses for everyone if you reveal that you can move all donations by including them in one big transaction later on (common-input-ownership heuristic). That leaves you with the option of selling one or a few donations at a time or mixing.

You can configure your BTCPay Server to generate addresses using a custom key derivation scheme (zpub) — this allows you to receive donations directly into Wasabi Wallet for CoinJoin mixing before you sell these coins for local currency. However, CoinJoins are currently only accessible to users mixing a minimum of 0.10 bitcoins (≈$613 at the time of writing). On top of that, Wasabi charges a fee for this service. A more affordable alternative could be JoinMarket, but it is also a lot more difficult to use. Traditional mixers (custodial & non-Chaumian) are usually not recommended because the privacy they provide requires trust in a third party and exposes your coins to the risk of theft.

A view of the Wasabi Wallet interface for CoinJoin mixing.

Another problem with this approach is that if you chose to cloud deploy your BTCPay Server for the sake of convenience, the hosting provider will have the ability to learn about your Bitcoin addresses and your identity. And if you chose to self-host for this reason, although Tor support for BTCPay Server is being worked on, it’s still difficult to guarantee that you’ll be able to hide your server IP address from your visitors.

BIP47 reusable payment codes: While this is in theory perhaps the most elegant approach, the user experience is hampered by the fact that it requires an opening transaction to be done before a donation can be sent, and it is currently only supported in a very small selection of wallets. Further, each of the wallets currently supporting BIP47 are mobile wallets that leak your addresses to their back-end servers. Samourai is developing support to use their wallet with your own full node (a solution called Dojo), but it is not currently released as open-source yet.

Static donation address: Even if you use Wasabi Wallet and mix the coins you receive in CoinJoins and transmit your transactions via Tor, everyone who saw the address you provided will still be able to tell how many coins you received to that address, regardless of what you do with them after.

There are no solutions, only tradeoffs.
- Thomas Sowell

In this situation, we have to consider that there might not be any perfect option. However, the multitude of options at least gives us the opportunity to “choose our poison”. Perhaps your identity is already well-known, but you don’t want everyone to be able to identify the donations you’ve received — then BTCPay Server is an acceptable solution. However, if your work is controversial and risking exposing your identity via your IP address is unacceptable and you cannot trust a cloud provider to keep your details safe, then it’s probably better to receive donations to a static donation address. Yes, in this case, you’ll be exposing all the donation transactions you are receiving to the public, but if no one knows who you are, maybe that’s not the end of the world. You can try to limit this exposure by changing your deposit addresses manually regularly, but it only gives you a weak degree of obfuscation.

III. Privately conducting online purchases with bitcoin

Being able to make transactions on the Internet without a credit card company or payment processor harvesting our personal data is one of the reasons why Bitcoin was created. However, third-party tracking on websites is a very real thing and even a website you are visiting for the first time can learn your identity from your IP address, your browser fingerprint or your cookies. A first precautionary step is to use the Tor browser for online purchasing activities you wish to keep private.

Moreover, you might want to obfuscate the source of the funds you use for the payment. For example, if you withdraw bitcoins from your Binance account to your wallet and then purchase a copy of The King Never Smiles with that wallet while you are in Thailand and think that you are anonymous because you are paying in bitcoin, you run the risk of Binance providing corroborating evidence against you to the authorities, linking you to the purchase.

This leaves us the options of mixing and self-sending as mentioned in the previous examples. Wasabi Wallet is designed to make you aware of which UTXOs you are using when you are making a transaction and it also allows you to see whether this is an output that’s been previously mixed or not, which can help you achieve your goal of privacy.

A problem with the self-sending alternative when you are dealing with multiple UTXOs in your wallet is that you must weigh the advantage of the deniability you gain versus the disadvantage of consolidating outputs and thus losing privacy due to the common-input-ownership heuristic. Further, keep in mind that while the deniability self-sends provide may give you an “out” in a working legal system as long as there’s no other evidence tying you to the transaction, a suspicious person might still place a high probability on that you were the sender of the subsequent payment and act accordingly.

In the coming years, there’s a possibility that more and more stores start accepting Lightning payments. As discussed in the first article, there are many privacy benefits to Lightning over on-chain Bitcoin transactions. Among desktop applications, you can use the Lightning App. It’s built on the Lightning Network Daemon (lnd) which you can configure to run over Tor.

Even though Lightning payments are not publicly broadcasted and it’s not possible for a Lightning payment recipient to know which the initial channel in multi-hop route a payment came from, it’s always considered good privacy hygiene to first obfuscate your traces on the blockchain via mixing or self-sends before funding any Lightning channels.

Another technology to keep an eye on is sidechain technology which enables semi-trusted avenues for spending bitcoin using higher degrees of privacy than on-chain transactions (examples). Liquid, for example, already supports confidential transactions today which hides the amounts paid in transactions.

IV. Privately conducting in-person purchases with bitcoin

For in-person payments, regular cash is still a good, private, option. But for a multitude of reason, not everyone can comfortably hold their money in physical currency. A person in a hyperinflationary economy might want to be able to afford the next month’s groceries, or, a person in an abusive relationship might need to secretly hide money from their partner.

If we assume for practical reasons that we are confined to using smartphones for this use case, we run into a slight problem. As we can see on bitcoin.org, there is currently no mobile wallet applications in the “improved privacy” category. This is because smartphones typically rely on being serviced by third-parties who will learn the IP addresses of the user and their Bitcoin addresses.

There seem to be a few potential ways around this, and more solutions are likely to emerge in the coming years. The best current solution is to use a smartphone wallet application which has the ability to connect to your own full node. We have identified a few ones with this ability:

In the category of mobile wallet applications, Jameson Lopp recommends Blockstream’s Green for iOS and Samourai Wallet for Android. Currently, Blockstream Green is not listed on bitcoin.org because it does not provide the user with full access to their own coins. Instead, it uses a 2-out-of-2 multisignature solution where Blockstream holds one of the keys and co-signs transactions if the user provides a secondary form of authentication (2FA). Enabling a mode where the user is in full custody of their own funds is currently in progress.

Samourai cannot currently be used with your own full node (despite the “Set trusted node” option, which is accused for being misleading [1][2][3]), although they argue that the amount of information that they can collect about users is limited as it is the only mobile wallet currently existing with native Tor support. Samourai is also the only mobile wallet that is implementing CoinJoins for mixing purposes (see Whirlpool) which is currently undergoing an experimental testing stage for advanced users. A potential problem with Samourai’s CoinJoin mixing is that many users will likely still be using Samourai without a full node, which could inhibit the effectiveness of the mixing, but might be better than no mixing at all.

It is good to think of mobile wallets similar as to what we did in the Lightning channel discussion above; it’s always prudent to attempt to obscure the origin of our coins (mixing, self-sends) before we fund a new mobile wallet.

Android users can use Orbit to allow their smartphones to communicate over the Tor network. This makes it possible for applications such as the Bitcoin Wallet to connect to personal full nodes running over Tor. For Lightning wallets, Spark is an example of a wallet that you can run over Tor.


Conclusions

While it is possible in theory to attain a relatively high degree of privacy using Bitcoin, there’s still a long way to go in terms of user-friendliness if this degree is to be accessible to everyone. For most users who cannot master Linux command lines nor have the interest or capabilities to run servers and whose economic situation does not afford them enough bitcoin for mixing transaction minimum requirements, the path to privacy is not an easy one, especially not when faced by a spying corporation or government with plenty of resources at their disposal. And even for users that do possess those abilities, it is not currently possible to access many of these features without absorbing security tradeoffs which may in themselves ultimately destroy the very privacy they sought to preserve.

On the positive side, it is very clear that Bitcoin privacy is under active development. Several of the projects mentioned in this article have issued software releases that incrementally move the needle on what is practically achievable in terms of Bitcoin privacy just during the time that this article was written. The latest Bitcoin protocol improvement proposal announced on the Bitcoin mailing list just days ago carries several long-awaited improvements specifically targeted at Bitcoin’s fundamental privacy characteristics.

Moreover, forgetting the ambitious privacy goals of this article for a moment— the fact that a third party is for instance sometimes able to map Bitcoin addresses to IP addresses when a user operates a Bitcoin wallet doesn’t necessarily mean that someone is going to dedicate the time and money required to pin this information to a specific individual. Bitcoin could still be seen as a big improvement over traditional electronic payment systems even when used in the naive way.

In the next part of the series, we will explore the set of cryptocurrencies known as “privacy coins” to understand how they compare to Bitcoin and what we can expect when using them as tools for financial privacy and economic freedom.

Special thanks to Udi Wertheimer and Hampus Sjöberg for their thoughts and feedback to this article.

*The essays in this series will form the basis for a report to be published by Coin Center, the leading cryptocurrency policy research and advocacy group based in Washington, DC.

**The Zcash Foundation contributed funding for the project. The Zcash Foundation exists to build and support tools that enable privacy and autonomy, particularly with respect to people’s transactions and financial information. Privacy is important for numerous reasons — personal, medical, political, and more. For this reason, Zcash pioneers the use of zk-SNARKs, a novel form of zero-knowledge cryptography with strong privacy guarantees. Ultimately, the Zcash Foundation’s impact will come from serving the needs and workflows of real people, including those from many backgrounds and locations.

***The views and opinions expressed by Eric Wall do not necessarily reflect the views of his employer or any affiliated entity.