This is a nice write-up.<p>That said, I hope this is less of a surprise to people now: I coauthored one of the first pieces of work pointing out basically these same issues back in 2011 - almost 5 years ago:<p><a href="http://anonymity-in-bitcoin.blogspot.ie/2011/07/bitcoin-is-not-anonymous.html" rel="nofollow">http://anonymity-in-bitcoin.blogspot.ie/2011/07/bitcoin-is-n...</a><p>It's interesting to see what perceptions have changed. That there's still confusion shows how hard it is to disseminate information about encryption and privacy; maybe this is the same reason e2e email encryption seems so difficult to get adopted, even decades after PGP: it's just hard to communicate about the bounds of privacy.<p>One point: the 'clusterisation' mentioned in the linked article isn't 'magic': most of the techniques people are using are actually very simple heuristics, based on properties of the Bitcoin protocol (transaction input linking, which we demonstrated), or assumptions about transaction 'change' (prone to false positives).<p>It's worth noting that there are more sophisticated tools that could be applied: machine learning or stats methods - but I've not seen them yet. Possibly because it's hard to come up with good training datasets (unless you are a retailer or wallet?) and not worth investing in when simple methods show so much.
But it's worth bearing in mind that more complex analysis is possible.<p>The overall conclusion being, IMO, that if you want privacy, it's probably usually easier to design it in from the start, rather than retrofit by progressively patching holes in a leaky system, against progressively better attacks: the latter is so hard to get to the point where it works solidly: for human reasons as much as technical ones; I think Bitcoin privacy seems destined to be an example of this.
Money is a claim on value, and fungibility forces everyone to honor all claims on value. An incorruptible record of the flow of trade through an economy allows you to eliminate fungibility. You can withdraw your consent for people to trade claims on your production. This ability requires no one's permission and makes you more powerful as an individual.<p>ISIS, for instance, can only hold territory because everyone accepts the claims on value that they give their foot soldiers. I want to stop honoring those claims to reduce their power. Manufacturers shift their carbon emissions to friendly jurisdictions instead of, you know, not risking our only home for cheap consumer goods. They do this to acquire more claims on value, and I don't want to honor those claims because I like Earth.<p>Fungibility is literally killing people and destroying our planet. I think we'll be better off without it, though as with all significant social shifts, it probably needs more study to avoid unforeseen consequences like genocides and stuff. Blockchains are not anonymous—their incorruptible histories give us the tools to reshape our society. Use them.
Shameless plug for Monero <a href="https://eprint.iacr.org/2015/1098.pdf" rel="nofollow">https://eprint.iacr.org/2015/1098.pdf</a> (ring ct author here)<p>edit: See also <a href="https://github.com/shennoether/ringct" rel="nofollow">https://github.com/shennoether/ringct</a> and <a href="https://github.com/monero-project/bitmonero" rel="nofollow">https://github.com/monero-project/bitmonero</a>
I'm weirdly ambivalent about Bitcoin privacy/anonymity. On the one hand I deeply value my privacy, and would personally love it if Bitcoin were fully anonymous.<p>Yet - I also deeply felt intuitively that the Panama Papers exposed bad behavior. The bad behavior it exposed was people aiming to achieve financial privacy.<p>I can't really reconcile the two beliefs.
What's next?<p>Well, true anonymity via zero knowledge proofs of course.<p><a href="https://z.cash/" rel="nofollow">https://z.cash/</a>
Google Cache, if anyone else is having trouble accessing Medium right now: <a href="https://webcache.googleusercontent.com/search?q=cache:rU5Ohf8AKUUJ:https://medium.com/bitaccess-inc/bitcoin-users-reveal-more-private-information-than-they-realize-d783f0cd57f3+&cd=1&hl=en&ct=clnk&gl=us" rel="nofollow">https://webcache.googleusercontent.com/search?q=cache:rU5Ohf...</a>
True privacy is (probably) coming to Bitcoin in the form of Confidential Transactions [1], a new construction of Pedersen Commitments and Range Proofs, as combined with some number of other mechanisms (such as CoinJoin).<p>[1]: <a href="https://www.elementsproject.org/elements/confidential-transactions" rel="nofollow">https://www.elementsproject.org/elements/confidential-transa...</a>
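The balance check that Pedersen commitments make possible, as an added example that is not the commenter's code nor the Elements implementation (which runs on secp256k1 and pairs the commitments with range proofs). Here a prime-order subgroup of Z_p^* stands in for the curve, the group parameters are derived at import time, and range proofs are left out; all addresses and amounts are constructed.

```python
"""Toy Pedersen commitments with the homomorphic balance check used by
Confidential Transactions.  Added example: the real scheme runs on
secp256k1 with range proofs attached; a small prime-order subgroup of
Z_p^* stands in here and range proofs are omitted."""
import hashlib
import secrets


def _is_probable_prime(n):
    """Miller-Rabin; deterministic for n < 3.3e24 with these twelve bases."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _find_safe_prime(start):
    """Deterministic search for p = 2q + 1 with both p and q prime."""
    p = start | 1
    while not (_is_probable_prime(p) and _is_probable_prime((p - 1) // 2)):
        p += 2
    return p


P = _find_safe_prime(1 << 63)   # toy modulus, far too small for real use
Q = (P - 1) // 2                # order of the subgroup of squares mod P


def _subgroup_element(label):
    """Hash a label into the order-Q subgroup (the squares mod P)."""
    x = int.from_bytes(hashlib.sha256(label).digest(), "big") % P
    g = pow(x, 2, P)
    assert g not in (0, 1)      # negligible probability; fail loudly if hit
    return g


G = _subgroup_element(b"pedersen-G")
H = _subgroup_element(b"pedersen-H")   # nobody knows log_G(H): that is what binds


def commit(value, blinding):
    """C = G^value * H^blinding mod P: hides value, binds the committer to it."""
    if not 0 <= value < Q:
        raise ValueError("value out of range")
    return (pow(G, value, P) * pow(H, blinding, P)) % P


def random_blinding():
    return secrets.randbelow(Q)


def build_ct(in_values, out_values, fee):
    """Sender side: commit to every amount, choosing the last output's blinding
    so that the blinding factors balance.  Returns (input_commits, output_commits)."""
    if sum(in_values) != sum(out_values) + fee:
        raise ValueError("amounts do not balance")
    in_blinds = [random_blinding() for _ in in_values]
    out_blinds = [random_blinding() for _ in out_values[:-1]]
    out_blinds.append((sum(in_blinds) - sum(out_blinds)) % Q)
    ins = [commit(v, r) for v, r in zip(in_values, in_blinds)]
    outs = [commit(v, r) for v, r in zip(out_values, out_blinds)]
    return ins, outs


def balances(input_commits, output_commits, fee):
    """Verifier side, seeing only commitments and the explicit fee:
    prod(inputs) == prod(outputs) * G^fee.  The H terms cancel because the
    blindings were balanced, so this holds iff the hidden amounts balance."""
    lhs = 1
    for c in input_commits:
        lhs = lhs * c % P
    rhs = pow(G, fee, P)
    for c in output_commits:
        rhs = rhs * c % P
    return lhs == rhs
```

The verifier never learns any amount, yet a tampered output (multiplying a commitment by G adds one unit to its hidden value) fails the check. The `commit()` range check is only the honest sender's; the verifier cannot see `value`, so without a range proof a malicious sender could commit to amounts that wrap modulo Q and still balance. That is why the linked design pairs the commitments with range proofs.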
I have no illusions about my privacy when using bitcoin, and privacy is not the reason why I would use it in the first place.<p>From what I gather the key to bitcoin always was that it was decentralized, not that it was private. And over time even the decentralization has been hollowed out quite a bit.
Bitcoin has full anonymity only when you know what you're doing. And it is hard for an average joe to maintain that.
There are many other coins to choose from - Ethereum, Dash, Monero <a href="https://www.coingecko.com/en" rel="nofollow">https://www.coingecko.com/en</a>
"This also means whenever a transaction has multiple input addresses, we can safely assume those addresses belong to the same wallet."<p>This is not true.<p>You can sign partial parts of a transaction and have M of N signatures. This is what mixing services are designed to do.
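The two heuristics discussed in this thread (the multi-input linking from the 2011 work and the change-address assumption), run over a constructed toy ledger that also contains a CoinJoin-style transaction signed by three independent parties, as the comment above describes. This is an added example, not code from the article or from any commenter; every address and amount is made up.

```python
"""Added example: simple address-clustering heuristics on a constructed ledger.
Shows the multi-input heuristic, the false positive a CoinJoin produces, a
crude CoinJoin filter, and the one-time-change heuristic with its own false
positive."""
from collections import defaultdict

# Constructed toy ledger (not real chain data):
# (txid, [input addresses], [(output address, amount)])
LEDGER = [
    ("t1", ["A1", "A2"], [("M1", 50), ("A3", 13)]),  # Alice pays merchant M1
    ("t2", ["A3"],       [("M1", 3),  ("A4", 10)]),  # Alice again; M1 is reused
    ("t3", ["B1", "B2"], [("S1", 20), ("B3", 10)]),  # Bob pays shop S1
    ("t4", ["C0"],       [("C1", 10)]),              # Carol moves funds
    ("t5", ["A4", "B3", "C1"], [("X1", 10), ("X2", 10), ("X3", 10)]),  # CoinJoin
    ("t6", ["B1"],       [("N1", 5),  ("B2", 1)]),   # Bob pays N1, change to old B2
]


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

    def groups(self):
        g = defaultdict(set)
        for x in list(self.parent):
            g[self.find(x)].add(x)
        return sorted((frozenset(s) for s in g.values()), key=min)


def looks_like_coinjoin(ins, outs):
    """Crude CoinJoin signature: several inputs and several equal-valued outputs.
    Mixing transactions are built to look exactly like this."""
    amounts = [amt for _, amt in outs]
    return len(ins) >= 3 and max(amounts.count(a) for a in amounts) >= 3


def cluster(ledger, skip_coinjoins=False, use_change=False):
    """Return address clusters.  The multi-input heuristic assumes every input of
    a transaction was signed by one wallet; the change heuristic assumes that in
    a two-output transaction the never-before-seen output is the payer's change."""
    uf = UnionFind()
    seen = set()   # addresses that appeared in any earlier transaction
    for _txid, ins, outs in ledger:
        if skip_coinjoins and looks_like_coinjoin(ins, outs):
            seen.update(ins)
            seen.update(a for a, _ in outs)
            continue
        for a in ins:                       # multi-input heuristic
            uf.union(ins[0], a)
        if use_change and len(outs) == 2:   # one-time change address heuristic
            fresh = [a for a, _ in outs if a not in seen]
            if len(fresh) == 1:
                uf.union(ins[0], fresh[0])
        seen.update(ins)
        seen.update(a for a, _ in outs)
    return uf.groups()


def same_cluster(groups, a, b):
    return any(a in g and b in g for g in groups)
```

Applied naively, the multi-input heuristic puts A4, B3 and C1 (three unrelated parties) into one cluster because of t5; filtering transactions that match the CoinJoin pattern removes that false positive, at the cost of learning nothing from them. The change heuristic correctly links A3 to A4 but cannot resolve t1 (both outputs are fresh), and in t6 it wrongly links Bob's B1 to the recipient N1 because Bob sent his change to an already-used address. Both behaviours are the "prone to false positives" point made earlier in the thread.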
For privacy, this is one of those pesky places where having judicial law and oversight is useful. With laws you can control who can and can not use personal data.<p>With fiat currency you get the good and the bad. With digital currency you get the good and the bad.
I hope everybody here knows about BitcoinFog, Shared Send, and other mixers. And uses them for random transactions now and then to give the rest of us plausible deniability.