4 February 2015
Privacy and Bitcoin transaction
data
A short discussion
© 2015 Deloitte The Netherlands
• Degree in Media and Knowledge Engineering / Information & Communication Theory / Bioinformatics
from TU Delft
• Started working in privacy in 2008
• Involved in Bitcoin since 2010-2011 as a hobby
• Supervised an internal report on Bitcoin general properties and business interests in 2012-2013
• Currently manager in the Deloitte privacy team, which helps organisations using personal data
My involvement in privacy and Bitcoin
Add your footer here, Go Header and Footer to edit2
© 2015 Deloitte The Netherlands
Many projects are ongoing and planned for the next couple of years
Transaction data is becoming an important value source for financial institutions
Many banks have been analysing transaction data for some time to assess loan risk
ratings and predict defaults
Several banks are using transaction data analysis for loyalty schemes:
• BoA operates the targeted cash back scheme BankAmeriDeals
• RBS has discussed a service to provide targeted advertisements from business clients
to consumers
Generating direct income from (anonymised or aggregated) transaction data is also
increasing:
• US company cardlytics buys access to and analyses transaction data and offers
marketing solutions
• MasterCard Advisors has several products based on transaction data analysis
• Barclays is planning on selling (anonymised) transaction data to other companies
Transaction data is valuable and banks are realising this value
Add your footer here, Go Header and Footer to edit3
© 2015 Deloitte The Netherlands
Knowing who is who is important though
The blockchain contains all transactions: anyone can analyse the data
There is no ‘data monopoly’ for banks or payment network operators
The value of blockchain transactions will be lower than financial institution datasets though, due to:
• Transaction volume (currently lower)
• Level of identification
• (Meta) data quality and volume
Identification is important: Bitcoin pseudonymity is not very strong
When analysing transaction data several business models will require identifying (to some degree) who is involved
in the transaction
Bitcoin transactions are pseudonymous, but this is not a strong property, especially when users are careless
Re-identification efforts can be made through coupling of data sources and analysis
• Coupling with identifying information by exchanges or other sites / merchants
• Reuse of Bitcoin addresses and simultaneous transaction analysis
• Self-publication of identifying information
• Initial transaction node IP-address
The Bitcoin blockchain provides transactions and their inherent value to anyone
Add your footer here, Go Header and Footer to edit4
© 2015 Deloitte The Netherlands
Legal and ethical matters can become complex quickly
Is it ethical to analyse transaction data?
In The Netherlands the financial sector efforts to use client data raised a lot of questions:
• Is it ethical that payment networks use personal data (without compensation or sometimes knowledge)?
• What is the role of the financial sector, and what kind of services are within the expectations of consumers?
The Bitcoin community generally seems to value their privacy: would it be permissible to analyse user data? Should
users be educated to be able to hide their identities?
Involving the data subjects themselves will be preferable in any case, are there viable business models that include
users?
Legal matters
As soon as individuals – including IP addresses – can be identified data analysis may be within scope of data
protection legislation in the EU:
• A legitimate ground needs to be found for processing data (permission, contract, legal obligation, legitimate
interest)
• Consumer rights include requesting information, correction, deletion, objection
US and EU points of view will vary widely (US generally being less restrictive), but is the legal aspect
relevant when there is an almost unlimited choice of jurisdiction?
There are many ethical and legal questions
Add your footer here, Go Header and Footer to edit5
© 2015 Deloitte The Netherlands
High transaction volume and sophistication of analysis are key factors
• Enriching online advertising profiles with transaction analysis:
• Based on initial transaction generating node detected by highly connected node in network (may not be legal
in the EU)
• Using identification through a network of organisations accepting Bitcoin (could be part of a contract with the
user)
• By providing incentives to users to self-identify (e.g. providing discounts, rebates or lowering transaction fees)
• Selling market and competition analyses by looking at transaction data:
• Identifying organisation Bitcoin addresses by sending probing transactions and analysing transactions with all
organisation transaction links (may not be legal in the EU)
• Analysing transaction clusters and inferring knowledge from transaction properties and statistics (frequency,
volume, timing, etc.)
There are many possible uses for transaction data
Add your footer here, Go Header and Footer to edit6
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities.
DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see
www.deloitte.nl/about for a more detailed description of DTTL and its member firms.
Deloitte provides audit, consulting, financial advisory, risk management, tax and related services to public and private clients spanning multiple industries. With a globally
connected network of member firms in more than 150 countries and territories, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights
they need to address their most complex business challenges. Deloitte’s more than 210,000 professionals are committed to becoming the standard of excellence.
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte
network”) is, by means of this communication, rendering professional advice or services. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained
by any person who relies on this communication.
© 2015 Deloitte The Netherlands