
@6102bitcoin

6102bitcoin/privacy.md Secret

Created Jan 17, 2021

Privacy

Bitcoin privacy is very nuanced; this guide is a starting point.

Also see bitcoinprivacy.guide and the bitcoin wiki.

Getting Bitcoin Privately

To buy bitcoin privately use services which don't link your identity to the purchase. We recommend buying with cash at a meetup or from a friend. You can find alternate methods here.

To receive bitcoin privately, do not reuse addresses. Ideally, use BIP47-enabled wallets (currently only Samourai Wallet on Android) to make this very easy.

Spending Bitcoin Privately

Spend from your own wallet connected to your own full node. See our guide.

Use the following bitcoin wallet functions where possible:

| Function | Description |
| --- | --- |
| Address labelling | Add a note to each address describing what it is used for |
| Coin control | Select the UTXOs you wish to spend |
| CoinJoin | Multiparty transactions that obfuscate the history of UTXOs |
| Advanced spending tools | Spending methods that have multiple interpretations when looking at the blockchain |

We recommend Samourai Wallet on Android, in part because it has address labelling and coin control, can be used with Whirlpool (a CoinJoin implementation), and has the most advanced spending tools available in any wallet.

On desktop we recommend Specter Wallet which is used in conjunction with Bitcoin Core. It has address labelling and coin control.

Storing Bitcoin Privately

Storing bitcoin privately requires avoiding the many data leaks that are easy to cause. Many of these are mitigated by using your own wallet connected to your own node.

For each potential data leak we have identified:
- Action: How you might leak data
- Data Leak: What information you may leak and to whom
- Mitigation: How you can avoid the data leak

Block Explorers

Action:

You use an online block explorer to check whether you have received payment.

Data Leak:

The company/individual running the block explorer can link any info you enter into the site (e.g. bitcoin address / transaction id) to your IP address.

If you check whether a bitcoin address has a bitcoin balance it is an indication that you were part of the transaction (sender or receiver).

Mitigation:

Run your own block explorer which gets data from your own full node.

Access third-party block explorers via Tor.
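One way to check for a payment against your own node instead of an online explorer, as an added example that is not part of the original guide: it asks Bitcoin Core over local JSON-RPC to run `scantxoutset` for one address. The cookie path, the placeholder address and the sample reply are assumptions constructed for illustration.

```python
import base64
import http.client
import json
from decimal import Decimal
from pathlib import Path

RPC_HOST, RPC_PORT = "127.0.0.1", 8332  # loopback only; 8332 is Core's mainnet RPC default

# Constructed sample reply in the shape scantxoutset returns (not real chain data).
SAMPLE_REPLY = b'''{"result": {"success": true, "unspents": [
  {"txid": "aa", "vout": 0, "amount": 0.01500000, "height": 1},
  {"txid": "bb", "vout": 1, "amount": 0.00250000, "height": 2}],
  "total_amount": 0.01750000}, "error": null, "id": "local-check"}'''

def build_scan_request(address: str) -> bytes:
    """JSON-RPC body asking the node to scan its UTXO set for one address."""
    if not address.isalnum():  # Bitcoin addresses contain only letters and digits
        raise ValueError("address must be alphanumeric")
    return json.dumps({
        "jsonrpc": "1.0", "id": "local-check", "method": "scantxoutset",
        "params": ["start", [f"addr({address})"]],
    }).encode()

def auth_header(cookie_path: Path) -> str:
    """Basic auth built from Bitcoin Core's cookie file (contents: user:password)."""
    return "Basic " + base64.b64encode(cookie_path.read_bytes().strip()).decode()

def unspent_total(rpc_reply: bytes) -> Decimal:
    """Sum the unspent outputs in a reply; spent outputs are not in the UTXO set."""
    reply = json.loads(rpc_reply, parse_float=Decimal)
    if reply.get("error"):
        raise RuntimeError(reply["error"])
    if not reply["result"].get("success"):
        raise RuntimeError("scan did not complete")
    return sum((u["amount"] for u in reply["result"]["unspents"]), Decimal(0))

def check_address(address: str, cookie_path: Path) -> Decimal:
    """Query the local node; the address never leaves this machine."""
    conn = http.client.HTTPConnection(RPC_HOST, RPC_PORT, timeout=600)
    conn.request("POST", "/", build_scan_request(address), {
        "Authorization": auth_header(cookie_path),
        "Content-Type": "application/json",
    })
    return unspent_total(conn.getresponse().read())

if __name__ == "__main__":
    # Offline run on the constructed reply; with a node running, call e.g.
    # check_address("<your address>", Path.home() / ".bitcoin" / ".cookie")
    print(unspent_total(SAMPLE_REPLY))
```

Because `scantxoutset` reads the current UTXO set, it shows a payment only while the output is still unspent.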


Exact Amount Conversion

Action:

Searching for X.XXXXXXXX BTC in $.

Data Leak:

If the amount of bitcoin you search for matches a recent transaction, the search provider can link your IP address with that coin. If the search provider is Google and you are logged in, then it's likely that they can link the UTXO to you.

Mitigation:


Browser Plugins

Action:

You use a plugin with access to all website data & do one of the above.

Data Leak:

The plugin developer gets a copy of the data leaked above.

Mitigation:

  • Avoid plugins which have broad access to your web browsing
  • Use a browser without plugins when doing anything bitcoin related
  • Use incognito / private browsing when doing anything bitcoin related to disable plugins

Hardware Wallet Software

Action:

You use the wallet software from your hardware wallet provider.

Data Leak:

Most hardware wallets come with software that sends your addresses or xpubs to the servers of the hardware wallet manufacturer. This means that the hardware wallet manufacturer can link your IP address to your coins.

If the hardware manufacturer requires you to have an account or share other personal information then this could also be linked to your coins. If you provided your home address for shipping they can link the coins to you.

Mitigation:

Use a bitcoin wallet that is connected to your own node. See our guide.


Wallet with Email 2FA

Action:

You use a wallet with email 2FA that isn't exclusively connected to your own node.

Data Leak:

Your email address can be linked to your coins because your wallet leaks information about your coins to the wallet developer’s server along with your IP address (which could be logged when supplying your email address).

Mitigation:

  • Avoid email 2FA (use an open-source authenticator app where 2FA is required) for bitcoin wallets
  • Connect your wallet to your own node. See our guide.

Limited Block Download

Action:

You use a light wallet that has unsophisticated clear-net block downloading rules.

Data Leak:

Many light wallets download only the blocks that are relevant to your transactions, making it easy for someone able to monitor the blocks you download (i.e. your ISP) to identify the addresses common amongst blocks. Your ISP can then link your internet connection point / IP address with your coins.

Mitigation:

Use a wallet connected to your full node which downloads every block. See our guide.
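The leak described above, worked through on a toy chain as an added example that is not part of the original guide: it compares what the set of requested blocks reveals for a light wallet versus a full node. The block heights and address names are constructed placeholders.

```python
# Constructed toy chain: block height -> addresses that appear in that block.
CHAIN = {
    100: {"addrA", "addrB", "walletX"},
    101: {"addrC", "addrD"},
    102: {"addrB", "addrE", "walletX"},
    103: {"addrA", "addrF"},
    104: {"addrA", "addrG", "walletX"},
}

def light_wallet_fetch(wallet_addresses):
    """Heights a naive light wallet requests: only blocks touching its addresses."""
    return sorted(h for h, addrs in CHAIN.items() if addrs & wallet_addresses)

def full_node_fetch():
    """A full node requests every block, whatever it contains."""
    return sorted(CHAIN)

def addresses_common_to(heights):
    """Addresses present in every requested block: what the download pattern exposes."""
    sets = [CHAIN[h] for h in heights]
    return set.intersection(*sets) if sets else set()

def exposure_report(wallet_addresses):
    """Compare the two download strategies for the same wallet."""
    return {
        "light_wallet": addresses_common_to(light_wallet_fetch(wallet_addresses)),
        "full_node": addresses_common_to(full_node_fetch()),
    }

if __name__ == "__main__":
    for strategy, exposed in exposure_report({"walletX"}).items():
        print(f"{strategy}: {sorted(exposed) or 'nothing singled out'}")
```

Downloading every block leaves no address common to the whole download, so the request pattern stops pointing at your coins.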


HTTP

Action:

You do any of the above things without an encrypted connection to the server you are communicating with (i.e. over http).

Data Leak:

Your ISP can intercept all the data from the above leaks.

Mitigation:

Only connect via HTTPS (look for the green padlock to the left of the URL).


Email Confirmations

Action:

You buy bitcoin on an exchange to a previously used cold-storage address.

Data Leak:

Emails confirming the withdrawal leak your address to your email provider. The exchange can also link your email to the cold-storage address.

Mitigation:

  • Disable notifications if possible
  • Use a dedicated email not connected to your identity.
