Ethereum is losing its privacy, warns a new paper, as “careless” users make linking their addresses to real-world identities easy.
With the disquieting title, “Blockchain is Watching You,” the paper – a joint-publication from researchers at the Institute for Computer Science and Control in Hungary, Eötvös Loránd University, Széchenyi István University and HashCloak – argues governments and private-entities are quickly learning how to strip away anonymity from Ethereum. And that’s in part because users are making it easy for them.
“Careless usage easily reveals links between deposits and withdraws and also impact the anonymity of other users, since if a deposit can be linked to a withdraw, it will no longer belong to the anonymity set,” the authors write.
The researchers argue that Ethereum’s account-based model makes it more susceptible to surveillance than some other protocols, such as Bitcoin.
“The lack of financial privacy is detrimental to most cryptocurrency use cases,” they continue. “We do believe if users were using the technology in a sound way or a privacy-focused wallet software would have helped them and abstracted away potential privacy leaks.”
This concern isn’t new: news organization Decrypt identified a number of Ethereum users by connecting addresses to personal information, citing user actions as being partly to blame.
Unlike Bitcoin, which relies on an Unspent Transaction Output (UTXO) model, the Ethereum protocol keeps track of a user’s ether. Rather than effectively creating a new address for each payment (as with Bitcoin), Ethereum records what a user has sent out, say, 1 ETH, but still has 10 ETH, remaining.
A good analogy is Bitcoin is like physical cash in a leather-wallet, with a balance being the amount of unspent cash. Meanwhile, Ethereum is more like a bank account, where a bank, or in this case protocol, knows how much money the account holder has and updates it accordingly.
While this difference has often been glossed over, the paper’s authors argue that a dearth of understanding of the ramifications of Ethereum’s account-based model has left many users, unknowingly, wide-open to the possibility of full-scale surveillance.
Third parties know when an account is most active, allowing them to determine the time-of-day and infer a user’s timezone. Another one is gas-prices. Most users rarely change their gas-price settings, instead of leaving it on the default settings. What this means is that accounts with adjusted gas prices become very easily identifiable and can be tracked across the protocol.
The report also highlights that Ethereum’s account-based model makes it possible for hackers to perform Danaan-style attacks – where they send a user a very specific amount of ether and use that as a “fingerprint,” again to track them around the protocol.
Of course, the researchers argue, it is easy to stop the surveillance. All Ethereum users need to do is use their accounts a couple of times and make sure they don’t put any identifiable information, such as their addresses, on any public forum.
But, if anything, Ethereum users seem to be doing the exact opposite.
Rather than discarding accounts, many users are in fact customizing them, using the Ethereum Name Service (ENS) to add human-readable names, which makes it even easier to identify a user on the blockchain.
Not only that, but many users publicize their ENS names on their social media profiles, in particular Twitter – which gives third-party surveillance everything they need on a platter. Researchers said they were able to connect 890 Ethereum accounts to real people, just by searching for them on Twitter.
“We observed that the publicly revealed ENS names already expose sensitive activities such as gambling and adult services,” the report reads. “Therefore, users should avoid sensitive activities on addresses easily linkable to their public identities, such as ENS name or their Twitter handle.”
There are also freely available resources online that can help tack identities to Ethereum addresses. The Humanity DAO, for example, acts like an address book, giving third parties access to an immutable registry of real names and Ethereum addresses.
Bad luck if you’ve already registered.
In the end, researchers were able to use the Ethereum block explorer, to link more than 1.1 million transactions to over 4,200 addresses, where they knew the real people. “[C]areless usage easily reveals links between deposits and withdraws and also impacts the anonymity of other users, since if a deposit can be linked to a withdraw, it will no longer belong to the anonymity set,” they said.
But are Ethereum users entirely to blame? Considering the speed of innovation in blockchain technology, Hudson Jameson, one of Ethereum’s main developer liaisons, says “it’s not fair to put all of the onus on Ethereum users to know best practices to preserve privacy.”
He reckons more can be done by developers and project teams to create applications that instill best privacy practices in by default. That could already be well underway, he said, with solutions such as Tornado Cash – a private ether mixer – already providing users with a means to break the traceability link and restore financial privacy.
But Jameson argues, education is also very important. More should be done to ensure users understand the rudiments of blockchain privacy, possibly even going so far as to tell them they need to treat their Ethereum account information like they would their bank accounts.
He isn’t the only one. Ethereum lead Peter Szilagyi highlighted there should be more done to ensure users remain aware of the vulnerabilities inherent in an account-based model. “We can’t expect people to be aware of every single sensitivity in all the layers,” he tweeted. “Anything we can fix, we must fix.”
Ethereum isn’t the only account-based model – TRON and EOS use the same system too. But Ethereum is the largest and, arguably, the most active smart contract platform around.
The report points out there isn’t much time as the vultures may already be circling: “state-sponsored companies and other entities like Chainalysis are already “performing large-scale deanonymization tasks on cryptocurrency users.”
Unless Ethereum users wise up, and wise up fast, the report argues, there’s a chance Ethereum users could forfeit their right for financial privacy completely, and for good.