Protecting Your Bitcoin Identity (BANB2020 Presentation)

This is the speech and slides I presented at the 2020 Bear Arms 'n Bitcoin conference. It was not recorded, so this is for those that didn't get to make it. 2021 presentations were recorded, so keep an eye out for the release of those soon.

Protection comes in two forms, off-chain and on-chain, and both are very important to be able to unlock the full power of a digital form of cash. Off-chain protection means avoidance of compliance with ineffective, dangerous KYC regulations that are designed to deanonymize and track the activity of bitcoin users. Registration leads to confiscation. Period. The reason they want you to register your firearms is the same reason they want you to register every dollar you spend on bitcoin. And hint: it’s not about the children.

It’s surveillance. It’s guilty until proven innocent, punish 99% to try and catch 1% type regulation. In bitcoin, it’s especially detrimental because bitcoin is a transparent ledger that keeps an immutable record of every transaction. The baked-in protection that bitcoin possesses is pseudonymity, so what appears on the public ledger is a string of characters and protocol data. But as soon as you are required to hand over all your personal identity information like name, date of birth, social security number, physical address, and photo ID with selfie to a centralized 3rd party, you have effectively given any protection you were afforded by the protocol away.

Coinbase has active contracts with the IRS, DEA, and Secret Service to share their own surveillance technology.

We have also seen the development of what is described as a “decentralized bulletin board” designed to allow major exchanges to share information, including such exchanges as Bitgo, Kraken, Gemini, and others. A Federal appeals court recently upheld that the so-called “3rd Party Doctrine” governs bitcoin exchanges. What that says is if a user willingly gives over all their personal data to an institution that has reasonable expectation to retain that data, then that user has absolutely no expectation of privacy over that data, and it can be obtained without even having a warrant.

These things combined create a sort of worst case scenario; a panopticon. We have to move completely away from these unnecessary, ineffective regulations and back toward an unstoppable digital cash between two parties without involving anyone else or permission seeking at any point along the way.

One way to do that and acquire bitcoin without doing KYC is to mine it. I wrote a piece called “Mining for the Streets” where I talk about the effectiveness of running ASIC miners in your own home to receive regular payments in bitcoin.

The write-up and links can be found on my site, but the thing is, running bitcoin miners at your home, (unless in the very specific situation of having completely free electricity) likely requires a good amount of upfront investment of money and time, and is essentially you making a long term bet on the success of bitcoin. I do personally mine bitcoin and have been doing so successfully for a little while.

While some may be interested in doing so, the truth is the purpose of this conference is not to sell you on the idea of making a long-term financial bet on bitcoin. Not here to advertise savings technology (literally don't know what that means) or 401k additions. The purpose of this conference is to put the subversive power of bitcoin into the hands of some people who 100% WILL need to be able to use it to protect themselves and transact in a censorship resistant way outside of govt control and surveillance. You don’t need to “believe in bitcoin”. You simply need to be able to acquire it and use it the proper way. I’ll provide a link at the end to the paper, for now let's talk ATMs. Bitcoin ATMs.

This is a map pulled from the site CoinATMRadar and shows over 7500 bitcoin ATM’s scattered across the US.

You will need a burner phone or to use a service like TextVerified to achieve SMS verification, as you wouldn’t want to use your own SIM card tied to your identity, and VOIP numbers like those 2nd phone apps or Google Voice won’t work. So there’s your inconvenience. But you can search your area to find these, pay in cash, and acquire BTC.

We also have online peer-to-peer (P2P) exchanges being operated today, which allow users to create accounts without doing full KYC, then use either cash, money order, or legacy online payment systems to conduct trades for bitcoin.

Some of these include LocalCryptos, LocalCoinSwap, HodlHodl, and the truest of all peer-to-peer exchanges, Bisq Network.

Instead of giving over all your personal info to a company to be warrantlessly obtained by govt agencies, you may expose only a very small part of your info to your direct counterparty in the trade only. Exchanges like HodlHodl may be operated by a centralized company but the only requirement for registration is email verification. You’ll need to use a VPN or Tor and an email not tied to your identity. Also, liquidity will likely be less than KYC exchanges, and you may end up paying some sort of premium over market value at P2P exchanges and ATM’s. These are the inconveniences.

So you see what this all comes down to is convenience and acceptable tradeoffs. Now when buying a latte or a subscription to ESPN Magazine it may be acceptable to use fiat payment systems that don’t have censorship resistance or identity protection. But when dealing in explicitly subversive technologies and movements, that is not the time to go for maximum convenience. Why go through all the trouble of having to order a printer, download files, and put together your own printed gun at home? If you live in the US especially? The answer to that question is the same as the question of why not just use something like Cashapp or Coinbase to buy your bitcoin.

When you give up your off-chain bitcoin identity and let go of the protection that protocol level pseudonymity provides, there is no way to completely wash that off. You have no legal expectation of privacy over that data, and it will be used against you for extrajudicial punishments without you having to commit an actual crime, without a warrant, without any sort of due process or opportunity to fight back on your side. I cannot overstate how important avoiding KYC is in any area of your life where it can be done. Best way of all to do this is to begin charging for goods and services to be paid in bitcoin using some of the stuff Josh went over. And take advantage of meetup times like this to acquire it for cash in person. Bitcoin for the streets is the best kind of bitcoin.

Once you’ve acquired some bitcoin without going through KYC, you’ll need a proper wallet to use for transacting while protecting your bitcoin identity on-chain as well. When a person comes on Keybase or Twitter like “I’m ready to get started printing my own gun at home” do they get told to just search for 3d printers and pick whichever one shows up? Of course not. There are clear recommendations of specific tools that are best suited to accomplish the goal. The same holds true for bitcoin wallets and the goal of actually transacting in a privacy protecting way.

The tool I recommend for this is Samourai Wallet—and for the record I am in no way affiliated with the Samourai team, and I have nothing coming from this recommendation, other than probably a hard time on Twitter.

The first reason is one of the first things you’ll see once you’ve downloaded and opened the wallet, which is PayNyms.

When you post normal addresses publicly, you are giving surveillance firms a starting point to track you. That is a thread for them to pull. All these publicly posted bitcoin addresses get scraped off Twitter, Facebook, Reddit, or wherever and fed into the surveillance machines. Any transactions to and from those addresses are trivially tracked, so it’s deanonymizing you and potentially harming others. It is a major, major problem.

Do. Not. Post. Public. Bitcoin. Addresses. Ever. Even if you don’t have BTCPay setup or don’t have a PayNym connection, at the very least use DM’s to exchange address information, and even then preferably on encrypted chat platforms like Keybase.

Gonna pick on somebody a bit here, but I really wanna drive home how bad this is for your bitcoin identity. A couple weeks ago a Twitter post was put out by a 3d gun developer being interested in doing some work on a design as a side-project, and a bitcoin address was provided for funding. I used the free platform OXT and entered the address just like anyone on the planet with internet can do and what I found was about 5 or 6 donations that went out that day to that address.

I clicked one to see what information I could get about the person making the donation. Or, I may say it another way—I clicked to see what information I could find out about the person that had just used bitcoin for “terrorist financing” by funding development of “ghost guns, weapons of war” or whatever scary word they’ll use. Think how fast this stuff can change and what an immutable ledger actually means. What I found was that this donation came directly from Coinbase. Straight from the Coinbase exchange account of a user, straight to the publicly posted address for funding development of [insert scary word] weapon.

Need I remind you about Coinbase specifically?

About the 3rd party doctrine ruling? Ever seen Twitter accounts made by those supposedly aligned “against fascists” to track movements of bitcoin donated to people they disagree with? They’re out there, believe me. Not to mention, when Twitter was hacked, several users at Coinbase that tried to send funds to the hackers were stopped. This was touted as a win, "we helped stop fraud" type victory, but truth is if they can stop that transaction for fraud they can certainly stop a transaction of this type as well.

Turns out you actually can stop the signal if you don’t use the correct platforms and tools from which to propagate that signal. So by posting this address, not only did the developer give up his bitcoin identity, but it could very well lead to this donor having problems since Coinbase has their entire off-chain identity as well.

If you don’t give them a KYC starting point, and you don’t give them a publicly posted address starting point, you have alleviated a massive amount of bitcoin privacy concerns. Even still, a dedicated adversary may deploy something like a “mystery shopper attack”, which is just a fancy way to say they’ll make a donation to you or make a purchase from you. What is likely is at some point you'll merge those smaller outputs into a single larger one.

Super high level, basically if a bunch of smaller outputs get merged together into a single larger one, it is implied that the owner of the one large one also controlled all the smaller ones. Not gonna get into the weeds with you here about bitcoin heuristics, just understand they may try to sneak in anyway.

So how do you get would-be trackers off your tail on a public, transparent ledger? You do it using math, and by breaking these heuristics. Whirlpool is Samourai’s equal output coinjoin implementation.

What an equal output coinjoin does, in this case, is take 5 different entities and use a single input from each. What comes out the other side is 5 outputs that are all identical in size.

What that means in practice is that it is mathematically infeasible to assign ownership of any of the outputs to any of the inputs at any sort of meaningful level. It severs all reliable links right there in a single transaction, like a brick wall. There are 1,496 possible interpretations of a Whirlpool coinjoin. Time constraints don’t allow me to go into specifics here, but more than that, the point is that you don’t actually need to understand all the technical aspects of how it works to be able to use it satisfactorily.
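The count quoted above can be reproduced by enumeration. The following is an added example, not part of the original talk or of Samourai's code; it assumes an "interpretation" means grouping the inputs into blocks, grouping the equal outputs into blocks, and pairing each input block with an output block of the same size. The function names are hypothetical.

```python
from collections import Counter
from math import factorial, prod


def set_partitions(items):
    """Yield every way to split `items` into non-empty, unordered blocks."""
    if not items:
        yield []
        return
    first, rest = items[0], items[1:]
    for partition in set_partitions(rest):
        # `first` either sits in a block of its own ...
        yield [[first]] + partition
        # ... or joins each existing block in turn.
        for i in range(len(partition)):
            yield partition[:i] + [[first] + partition[i]] + partition[i + 1:]


def coinjoin_interpretations(n):
    """Count interpretations of a coinjoin with n inputs and n equal outputs.

    Assumed model: k inputs acting together can only fund k of the equal
    outputs, so an interpretation is a partition of the inputs, a partition
    of the outputs with the same block sizes, and a size-preserving pairing
    of input blocks with output blocks.
    """
    # Tally how many partitions of n items have each multiset of block sizes.
    shapes = Counter()
    for partition in set_partitions(list(range(n))):
        shapes[tuple(sorted(len(block) for block in partition))] += 1

    total = 0
    for shape, count in shapes.items():
        # Blocks of equal size can be paired with each other in any order.
        pairings = prod(factorial(m) for m in Counter(shape).values())
        # Inputs and outputs each choose one partition of this shape.
        total += count * count * pairings
    return total


if __name__ == "__main__":
    for n in range(2, 7):
        print(f"{n} inputs / {n} equal outputs: "
              f"{coinjoin_interpretations(n)} interpretations")
```

Under this model the count grows faster than exponentially with the number of participants, while an ordinary single-owner spend has exactly one interpretation.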

This isn't the first time people have been capable of putting together their own firearm in their own home. So what’s the breakthrough now, why the hype about this FGC-9 or Plastikov? So much of the process has been abstracted away that you no longer need to be a highly skilled operator to achieve success and now you can come away with a highly functioning, properly constructed weapon; not just a single shot or less reliable one. You no longer need to spend tons of money and have fancy, expensive tools. The same thing is true for Samourai Whirlpool and proper mixing.

Whirlpool can now be done with the literal clicking of a few buttons on your mobile phone in the app, which will guide you to the next step and abstract and default away the messy technical bits that are ways users accidentally mess up.

An example of this is the way Whirlpool completely segregates unmixed change in a process called Tx0.

So when done, mixed coins are held and spent from a totally separate account in the same wallet as unmixed coins. You’ll be prompted with warnings and the unmixed change is auto tagged.

The outputs broken down from the one, big output into smaller, like sized outputs are held in the postmix section, and as a bonus, can be remixed completely for free for as many times as you like until you are ready to spend them.

Without going too much into the way the anonset and everything works, the real key is the equal amounts and remixing.

Each mix has 2 to 3 “remixers” as participants. So even if you, yourself don’t get a remix, anytime a different party that was in your transaction does, as far as the blockchain observer can tell, that could have been you. No one looking from the outside can be sure, and so has to begin following every single path which begins to grow exponentially, making it infeasible to follow, not to mention trying to assign ownership.

Even cooler, after mixing when you go to buy those rails or make that donation using your postmix outputs, Samourai incorporates a default spending algorithm called Stonewall, which will attempt to construct a fake, "mini-coinjoin" which only goes to increase the amount of deniability.

It all sounds very complex and technical, I know, and the actual processes being done by the wallet are very complex and technical. The thing about Samourai Wallet is that it offers the entire scale of bitcoin privacy. All this I’m describing to you happens in the background of the wallet, all you are doing is pressing some fast action pop up buttons on a phone or pasting the address you are sending to just like you do with any other wallet and any other spend. This enables everyone to enjoy the benefits of the tools, but also allows users to dig much deeper if they so choose and find a plethora of tools and cool things not available anywhere else.

I’ll be doing a mix from start to finish at some point when we get time for anyone interested in seeing exactly how easy it is, but it has been simplified down the same way it has been simplified down to downloading a file and using an Ender 3. These very complex and technical processes have been made available to the masses in an irrevocable way—that is the breakthrough.

So. Do not post normal bitcoin addresses publicly. This avoids first touch attacks and attributions. Use services like BTCPay as Josh went over, use PayNyms, or worst case DM on sites like Keybase to pass address information. Coinjoin funds using Whirlpool before spending. You don’t wait until someone breaks into your home or when you need a gun to say “hang on, gimme a bit to order this 3d printer and make my gun”. You order the printer, download the code, and perform the action in preparation for what comes later. Same thing with coinjoin and Whirlpool. Avoiding address reuse ties in with not using public addresses. If you have a static address in your social media profile for bitcoin donations, remove that immediately; replace it with a PayNym.

Unmixed change and other complex and technical parts of bitcoin privacy must be abstracted away and default for them to be effective. You should not be expected to go fully down the bitcoin rabbit hole in order to be able to transact without being spied on by surveillance companies—but you should have a tool powerful enough to accommodate you if you do wish to do so. And finally, avoid KYC at all costs. You wouldn’t give up your identity to download the files for the FGC-9 just because it was faster or easier. It’s an unacceptable tradeoff and wholly unnecessary. Don’t sacrifice your identity for a bit of convenience. KYC should be regarded as an illicit activity, not the other way around.

Don’t be overwhelmed and do the “it’s too hard” thing, as to me that’s the same as saying “it’ll blow up after one shot”. Defeatism like that doesn’t encourage people to explore these massively powerful freedom technologies, and on top of that, they’re both just flat out wrong. You don’t even have to believe bitcoin is "real money" to be able to use it.

I’m not here to try and convert you, but I firmly believe this tool will be absolutely integral to the funding of this movement as it continues to grow. We’ve already started to see evidence of that recently with the deplatforming of some folks in this very room, and to think that type of action will lessen in the future is a hard thing to do when you look out over the state of society. A circular economy outside of the fiat regulations and controls would be ideal, and we should continue to build and work toward that. But for now, at some point someone will likely need to exchange bitcoin for cash or vice versa. These on/offramps are their target chokepoints and for success to be possible, we must make them as robust and permissionless as possible.

Demand less regulation and surveillance. Not in the voting booth. Vote with your feet and your money. Abandon KYC compliant centralized exchanges, and Whirlpool your way out of the crosshairs of surveillance companies. Stay vigilant in protecting your bitcoin identity. An unstoppable signal needs an unstoppable money; so don’t compromise or give an inch on what personal info you reveal for either one. Thank you so much for coming, thanks to the Guns 'N Bitcoin team and everyone involved for putting this together, truly an honor to get to speak with you today. Thanks.
