Bitcoin-accepting shops leave cookie trail that crumbles anonymity – The Register

Bitcoin transactions might be anonymous, but on the Internet, its users aren't and according to research out of Princeton University, linking the two together is trivial on the modern, much-tracked Internet.

In fact, linking a user's cookies to their Bitcoin transactions is so straightforward, it's almost surprising it took this long for a paper like this to be published.

The paper sees privacy researcher Dillon Reisman and Princeton's Steven Goldfeder, Harry Kalodner and Arvind Narayanan demonstrate just how straightforward it can be to link cookies to cryptocurrency transactions:

Sorry Alice: we know who you are. Image: Arxiv paper.

Only small amounts of transaction information need to leak, they write, in order for Alice to be associated with her Bitcoin transactions. It's possible to infer the identity of users if they use privacy-protecting services like CoinJoin, a protocol designed to make Bitcoin transactions more anonymous. The protocol aims is to make it impossible to infer which inputs and outputs belong to each other.

Of 130 online merchants that accept Bitcoin, the researchers say, 53 leak payment information to 40 third parties, most frequently from shopping cart pages, and most of these on purpose (for advertising, analytics and the like).

Worse, many merchant websites have far more serious (and likely unintentional) information leaks that directly reveal the exact transaction on the blockchain to dozens of trackers.

Of the 130 sites the researchers checked:

It doesn't help that even for someone running tracking protection, a substantial amount of personal information was passed around by the sites examined in the study.

A total of 49 merchants shared users' identifying information, and 38 shared that even if the user tries to stop them with tracking protection.

Users have very little protection against all this, the paper says: the danger is created by pervasive tracking, and it's down to merchants to give users better privacy.

Since, as they write, most of the privacy-breaching data flows we identify are intentional, that seems a forlorn hope.

Sponsored: The Joy and Pain of Buying IT - Have Your Say

Read this article:
Bitcoin-accepting shops leave cookie trail that crumbles anonymity - The Register

Related Posts

Comments are closed.