Risks and Regulation in Bitcoin
Tyler Moore, CS 7403, University of Tulsa
Some slides adapted from Arvind Narayanan, Joseph Bonneau, Edward Felten, Andrew Miller, Princeton University
Overview
- Risks in Bitcoin
- Digression on deanonymizing transactions
- Regulating Bitcoin
Risks in Bitcoin
1. Market Risk
2. Shallow Markets Problem
3. Counterparty Risk
4. Transaction Risk
5. Operational Risk
6. Privacy-Related Risk
7. Legal and Regulatory Risk
1. Market Risk
2. Shallow Markets Problem
- Buying or selling large amounts of bitcoin will affect the market price
- Many “Bitcoin Millionaires” cannot readily convert their fortunes into hard currency
3. Counterparty Risk
- Exchanges serve as de facto banks
- Around half close, sometimes suddenly and without reimbursing customers (Moore and Christin, FC 2013)
- Digital wallet services and exchanges are frequent targets for theft of coins
- Some services are simply scams
3. Counterparty Risk Vasek & Moore, Financial Crypto 2015:
4. Transaction Risk
- Irreversibility of bitcoin payments creates elevated transaction risk
- No clear resolution mechanism when fraud or error arises
- Risks due to delay in clearing transactions
- Uncertainty over what becomes authoritative block
- Double-spending risk
5. Operational Risk
- Any action that undermines Bitcoin’s technical infrastructure and security assumptions
- Malware in wallets
- Operator error
- Vulnerabilities in bitcoin core software
- Distributed denial-of-service attacks
5. Operational Risk Vasek, Thornton & Moore, BITCOIN 2014:
6. Privacy Risk
- Risk that transactions can be linked back to the people that made them
- See Section 6.2 in the Princeton book
- We now take a brief digression into how to de-anonymize Bitcoin
Some say Bitcoin provides anonymity
“Bitcoin is a secure and anonymous digital currency” — WikiLeaks donations page
Others say it doesn’t
“Bitcoin won't hide you from the NSA's prying eyes” — Wired UK
What do we mean by anonymity?
- Literally: anonymous = without a name
- Bitcoin addresses are public key hashes rather than real identities
- Computer scientists call this pseudonymity
Anonymity in computer science
- Different interactions of the same user with the system should not be linkable to each other
- Anonymity = pseudonymity + unlinkability
Pseudonymity vs anonymity in forums
- Reddit: pick a long-term pseudonym
- vs.
- 4Chan: make posts with no attribution at all
Defining unlinkability in Bitcoin
- Hard to link different addresses of the same user
- Hard to link different transactions of the same user
- Hard to link sender of a payment to its recipient
Trivial to create new address
- Best practice: always receive at fresh address
- So, unlinkable?
Alice buys a teapot at Big box store Single transaction
Linking addresses
- Shared spending is evidence of joint control
- Addresses can be linked transitively
Clustering of addresses
- An Analysis of Anonymity in the Bitcoin System, F. Reid and M. Harrigan, PASSAT 2011
Change addresses
- Which address is change?
“Idioms of use”
- Idiosyncratic features of wallet software
- e.g., each address used only once as change
Shared spending + idioms of use
- A Fistful of Bitcoins: Characterizing Payments Among Men with No Names, S. Meiklejohn et al., IMC 2013
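Added example (not from the slides or the cited papers): a simplified Python version of the two heuristics above, shared-spending clustering with transitive linking plus the one-time-change idiom, run over constructed transactions. The transaction layout, address labels and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample transactions in chain order (not real chain data).
# S1/S2 stand for service addresses, the rest for user addresses.
TXS = [
    {"id": "t0", "inputs": ["C1"], "outputs": ["S1", "S2"]},
    {"id": "t1", "inputs": ["A1", "A2"], "outputs": ["S1", "A3"]},
    {"id": "t2", "inputs": ["A3", "A4"], "outputs": ["S2", "A5"]},
    {"id": "t3", "inputs": ["B1"], "outputs": ["S1", "B2"]},
    {"id": "t4", "inputs": ["B2", "B3"], "outputs": ["S2", "S1"]},
    {"id": "t5", "inputs": ["B3", "B4"], "outputs": ["S1", "S2"]},
]

class UnionFind:
    def __init__(self):
        self.parent = {}
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x
    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

def guess_change(tx, seen):
    """One-time-change idiom: exactly one output address never seen before."""
    fresh = [o for o in tx["outputs"] if o not in seen]
    return fresh[0] if len(fresh) == 1 and len(tx["outputs"]) > 1 else None

def cluster(txs, use_change=True):
    """Group addresses believed to share one controller; txs in chain order."""
    uf, seen = UnionFind(), set()
    for tx in txs:
        first = tx["inputs"][0]
        uf.find(first)                      # register single-input spenders
        for addr in tx["inputs"][1:]:       # shared spending => joint control
            uf.union(first, addr)
        change = guess_change(tx, seen) if use_change else None
        if change:
            uf.union(first, change)         # change returns to the spender
        seen.update(tx["inputs"], tx["outputs"])
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return sorted(sorted(g) for g in groups.values())

if __name__ == "__main__":
    print(cluster(TXS, use_change=False))
    print(cluster(TXS, use_change=True))
```

Shared spending alone leaves the A addresses in two clusters; adding the change idiom merges them into one. The change guess misfires when the payee also receives at a fresh address, which is why it is applied only when exactly one output is new.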
To tag service providers: transact!
- A Fistful of Bitcoins: Characterizing Payments Among Men with No Names, S. Meiklejohn et al.
- 344 transactions
- Mining pools
- Wallet services
- Exchanges
- Vendors
- Gambling sites
Shared spending + idioms of use
- A Fistful of Bitcoins: Characterizing Payments Among Men with No Names, S. Meiklejohn et al.
From services to users
1. High centralization in service providers
   Most flows pass through one of these — in a traceable way
2. Address — identity links in forums
7. Legal and Regulatory Risk
- Law-abiding user might lose their funds if an exchange is shut down for criminal activity
- Uncertain tax treatment of gains/losses due to currency fluctuations
- Let’s talk about Bitcoin’s regulatory environment
Bitcoin’s original vision is in tension with regulation and government control
- Strong cyber-libertarianism streak
- The decentralized design makes it harder, but by no means impossible, to regulate
Making the case for oversight
- Untraceable digital cash defeats capital controls
- Country can’t stop Bitcoin value from flowing in or out
- Government countermeasure: disconnect BTC world from financial institutions
- Example: China
Making the case for oversight
- Untraceable digital cash facilitates some crimes:
  - kidnapping and extortion
  - tax evasion
  - sale of illegal items
Silk Road
- largest online market for illegal drugs
- ran as a Tor hidden service
- payment in Bitcoins
- site held BTC in escrow while goods shipped
- eBay-like reputation system
- run by “Dread Pirate Roberts”
- operated February 2011 to October 2013
Ross Ulbricht
- operator of Silk Road
- Arrested October 2013
- Charged with money laundering, computer hacking, conspiracy to traffic narcotics
- Convicted and sentenced to life imprisonment in 2015
- He tried to cover his tracks, but they connected the dots
- government seized 174,000 BTC
- auctioned them to the public
Lessons:
- hard to keep real and virtual separate
- hard to stay anonymous for a long time
- Feds can “follow the money” ⇒ money becomes untouchable
Making the case for oversight
- Consumer protection
- When Mt. Gox collapsed, lost $300M worth of bitcoins
- Need orderly process to distribute assets equitably
- Risk of collapse motivates need to disclose risks
- Information asymmetries among providers are rife
- Irreversible bitcoin payments run counter to many protections developed for traditional methods
Regulatory Options for Exchanges
1. Already, US FinCEN has issued guidance requiring exchanges to register as “money-services businesses” and comply with regs
2. No consumer protection thus far for dealing with fraudulent transactions
3. FDIC-style deposit insurance and authority to wind down failing exchanges possible, but not under consideration
Tax treatment
- 2014 IRS guidance
- Transactions to and from virtual currencies may create taxable events
- Gains and losses may be ordinary income or capital income
Anti-Money Laundering (Section 7.6)
- Goal of AML: stop large amounts of money from (1) crossing borders, or (2) moving from underground to legitimate economy without detection
Know Your Customer (KYC):
- (1) identify and authenticate clients,
- (2) evaluate risk of client,
- (3) watch for anomalous behavior.
Mandatory reporting in U.S.:
- Must report currency transactions over $10,000. ⇒ file “currency transaction report”
- Must watch for clients “structuring” transactions to avoid reporting. ⇒ file “suspicious activity report”
- Requirements differ by country; consult your lawyer.
Note well: government takes this very seriously!
- Bitcoin businesses have been shut down.
- Businesspeople have been arrested.
Conclusion
- Virtual currencies create many opportunities, but also introduce many risks
- As Bitcoin (or its successor) becomes more popular, regulation will inevitably take hold