Swapping Bitcoin Privacy for Banking Convenience

Editor's note: This post originally appeared on PaymentsSource.

I've always had this nagging feeling about Coinbase's exchange service and I just couldn't quite put my finger on it.

The San Francisco startup receives praise for its simple method of acquiring and selling bitcoins, a digital currency, via one's U.S. bank account. In fact, Coinbase, founded in June 2012, is now selling over $1 million worth of bitcoins per month. The firm apparently ran out of inventory last week.

Then, it hit me. This is just like buying bitcoins from your bank – or from the Internal Revenue Service. If a bank offered a bitcoin purchasing option from its website, it would look like Coinbase. If Coinbase cut them in on the commission, it could probably white-label the service directly to banks.

Nothing wrong with that, but it means Coinbase fails to leverage the unique financial privacy aspects of the Bitcoin network. I do not fault founder and CEO Brian Armstrong, because he's launched a much-needed Bitcoin service at a critical point in the digital money's evolution. Here's the rub: to address the fraud and compliance issues around the irreversible sale of a privacy product, Coinbase has simplyremoved the privacy.

Currently, Coinbase provides its exchange service in the U.S. only and it offers two methods for linking a bank account, “instant account verification” and “challenge deposit verification.” For those who are uncomfortable providing their private online banking usernames and passwords to Coinbase, the alternate method offers a typical challenge deposit process similar to linking a bank account to PayPal. (In challenge verification, a company makes two small deposits to the user's account, and the user proves she is the accountholder by entering those amounts into the company's site.) Coinbase does not allow for other less-intrusive payment methods, such as a cash deposit at a bank branch, via an intermediary like TrustCash, or cash bill payment at a retail location, through a network like ZipZap.

(Coinbase also signs up merchants to accept bitcoin and landed Reddit as a client last week.)

Coinbase is not licensed as a money transmitter in any state, nor is it registered as a money services business with the U.S. Treasury's Financial Crimes Enforcement Network. I applaud the company for dispensing with these formalities because, since it is only selling a cryptographic token and not a financial instrument, such registration and licensure is not legally required.

The company says it has an anti-money laundering program, but it was not listed on their web site, and again, it is not a legal requirement for this business. Besides, the majority of what constitutes an AML program is already covered via Coinbase's strong relationship to the user's financial institution, with one of the exceptions being the identification of aggregated transactions from multiple bank accounts. But even this would be easy enough for Coinbase to determine based on the additional user data collected. 

According to its privacy policy, Coinbase collects data about visitors to the site sent by their computer or mobile phone (e.g. IP addresses) and device information including but not limited to identifier, name and type, operating system, location, mobile network information and standard web log information. Those who sign up for the service may have to provide their name, address, phone number, email address, and bank or credit card numbers. Before using the service, customers may further have to give a Social Security number or birthdate, and they are subject to credit checks or identity verification by third parties.

Furthermore, there is no indication that Coinbase deletes the internal bitcoin wallet transfer logs or the associated bitcoin address logs. With more observable data points, the privacy of all bitcoin transactions can become cumulatively degraded.

By criticizing the collection of personal information for the purchase of bitcoin, a harmless cryptography product, I am not simply "letting the perfect be the enemy of the good." Caution is strongly advised when dealing with Coinbase. The potential exists for enhanced surveillance and network traffic analysis enabled by the supreme identity management that comes built-in with Coinbase. For instance, it would not be advisable to play Bitcoin casino games or poker with Coinbase-acquired bitcoins that weren't properly "mixed."

Of course, not everyone requires privacy in their transactions, so Coinbase may suit some users' purposes just fine. However, Satoshi Nakamoto, the pseudonymous creator of Bitcoin, didn't sit down and code the decentralized protocol because he was upset about banking efficiency and trusted third parties. He wrote Bitcoin as a value transfer system that could survive hostile attacks.

When Armstrong says, "our goal is to make [B]itcoin easier to use, and (longer term) to help bring fast, cheap, international payments to the whole world" and "Bitcoin represents a fundamental leap forward in payment technology and it's going to bring massive efficiencies to many areas of commerce," he's playing only to the low-fee, frictionless attributes of Bitcoin. He doesn't mean that Coinbase's goal is to facilitate payments for the anonymous and safe purchase of WordPress features in authoritarian countries or to bypass a politically-motivated blockade against WikiLeaks.

When it comes to the financial privacy and censorship-resistant payment attributes of Bitcoin, Coinbase falls short, and that, I think, is likely to impede the startup's growth. The firm seems not to care. Its privacy policy states, "We may share your personal information with law enforcement, government officials, or other third parties when we are compelled to do so by a subpoena, court order or similar legal procedure."

When that time comes, you better believe that Coinbase will have a lot to share.

Jon Matonis is an e-money researcher and crypto economist focused on expanding the circulation of nonpolitical digital currencies. His career has included senior posts at Sumitomo Bank, Visa, VeriSign, and Hushmail. Currently, he serves on the board of the Bitcoin Foundation. Follow him on Twitter.