How the original pizza day transaction raises privacy concerns.
On May 22, 2010, Bitcoin was used for the first documented real-world transaction.
The day now referred to as “Pizza Day” has become a milestone in Bitcoin’s history, not only because of the significance of such a breakthrough for Bitcoin's use as a medium of exchange, but also because of the transaction's current value. The man behind the famous transaction spent 10,000 bitcoin for two pizzas and a coke, which is now worth millions of dollars.
Hundreds, if not thousands, of publications have been written about the price and how much the two pizzas are worth at today’s value. But how many articles address the privacy concerns that this transaction raises?
Satoshi Nakamoto said in a Bitcointalk thread:
“The possibility to be anonymous or pseudonymous relies on you not revealing any identifying information about yourself in connection with the bitcoin addresses you use. If you post your bitcoin address on the web, then you're associating that address and any transactions with it with the name you posted under. If you posted under a handle that you haven't associated with your real identity, then you're still pseudonymous. For greater privacy, it's best to use bitcoin addresses only once.”
With this quote in mind, let's take a look at the historic Pizza Day transaction that kicked off Bitcoin's decade-long meteoric rise, and at all the privacy practices that were compromised on that day.
A Bitcointalk user and his pseudonym
On May 18, 2010, a user under the pseudonym "Lászlo" posted a "Pizza for Bitcoins?" message asking for “a couple of pizzas.” In this message, Lászlo shared both his Bitcoin address and the physical address where the pizzas should be sent.
“I didn’t know much about privacy and how it worked back then and I didn’t really think it was important to worry about it since it wasn’t a very big deal that time.”
On May 22nd, 2010, Lászlo sent another message, confirming that the 10,000 Bitcoin transaction had been completed and that he had received the two pizzas. Shortly after that, he posted a URL to a website with pictures of the pizzas.
How much sensitive public data has been given up to this point? There are four infractions to work with when it comes to tracking the consumer as well as the transaction Lászlo was involved in, and we will discuss these below.
The compromised identity of a forum user
Assume there is an entity that wants to track a single person. The first thing they would check is whether this individual has posted any identifying information on the platform they use (in Lászlo's case, the forum where history was made). Trackers and hackers can also see whether the user has posted any addresses that are entirely their own.
Is this even possible? How are they able to do this?
Yes, this is possible, and sometimes too easy. That is why we, Wasabi Wallet, work hard to raise awareness about the value of privacy and are invested in educating people about making smarter decisions about their privacy.
But what exactly was the issue in Lászlo's pizza case? Why should users think about improving their privacy?
Well, the explanation is simple. He shared his Bitcoin address and his physical address, the amount of Bitcoin used in the infamous transaction, and photos of the pizzas after their successful delivery.
Users should never post their Bitcoin address on the internet, and they should never link it to their physical address. Obviously, no one could have predicted Bitcoin's huge increase at that time, so Lászlo could easily have overlooked the risk as well.
His address went on to be used in many later transactions, which allowed trackers to monitor not only that exact transaction but also previous and future ones. As a consequence of one unassuming step, Lászlo's past, present and future transactions became as visible as an open book.
Because the blockchain is a transparent and immutable ledger, trackers could quickly search for transactions involving the same amount around that time period. A simple check of this open ledger would then also show the amounts, addresses and any other information associated with that transaction.
Is it okay to reuse Bitcoin addresses?
The answer is: NO! DO NOT USE THE SAME BITCOIN ADDRESS!
But why? The point is straightforward: if an address is used several times, the same private key will be able to spend all of the coins. It is then very easy to locate all of the UTXOs (Unspent Transaction Outputs) associated with this particular address, and therefore to determine how many bitcoins the private key currently holds or previously held.
What about a change transaction? Is that a good idea?
The answer is: NO! IT IS NOT A GOOD IDEA!
Lászlo’s pizza transaction raises another privacy issue: by making a change output connected with the same input, a user lets trackers keep records of more and more of their purchases. It implies that the source of funds from a particular address can be monitored permanently. Trackers not only discover how much Bitcoin an individual has, they can also monitor all of his future Bitcoin transactions.
Should round numbers be used in Bitcoin transactions?
The answer: DO NOT USE ROUND NUMBERS WHEN MAKING TRANSACTIONS!
When sending bitcoins, the amount sent to the destination address is typically a round number. This is because the human brain, for the most part, likes to think in terms of well-defined numbers: a number like "10,000" is far easier for our brains to grasp than "10,021.92583769." This makes it clear to an observer that the non-round output is the change returned to the sender.
Referring to Lászlo’s case, both of the outputs in the previously discussed Bitcoin Pizza transaction were round numbers.
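The address-reuse, change-output and round-number heuristics described above can be turned into a self-check that a user runs over their own transaction history. This is an added example, not code from the original article or from Wasabi Wallet; the transaction IDs, addresses, amounts and the three-decimal "roundness" threshold are constructed assumptions.

```python
from collections import Counter
from decimal import Decimal

def is_round(amount_btc, max_decimals=3):
    """True if the BTC amount needs at most `max_decimals` decimal places."""
    exponent = Decimal(amount_btc).normalize().as_tuple().exponent
    return -exponent <= max_decimals

def reused_addresses(txs):
    """Addresses that receive coins in more than one transaction."""
    seen = Counter()
    for tx in txs:
        seen.update({addr for addr, _ in tx["outputs"]})
    return {addr for addr, n in seen.items() if n > 1}

def likely_change(tx):
    """Round-number heuristic: with exactly one non-round output, that output
    is probably the sender's change. Returns its address, else None."""
    odd = [addr for addr, amt in tx["outputs"] if not is_round(amt)]
    return odd[0] if len(odd) == 1 and len(tx["outputs"]) > 1 else None

def audit(txs):
    """Return (txid, finding, address) tuples that any observer could derive."""
    reused = reused_addresses(txs)
    findings = []
    for tx in txs:
        for addr, _ in tx["outputs"]:
            if addr in reused:
                findings.append((tx["txid"], "address-reuse", addr))
        change = likely_change(tx)
        if change:
            findings.append((tx["txid"], "change-identified", change))
            if change in tx["inputs"]:  # change sent back to the spending address
                findings.append((tx["txid"], "change-to-input-address", change))
    return findings

# Constructed sample history (placeholder txids and addresses, not real data).
SAMPLE = [
    {"txid": "tx1", "inputs": ["addr_A"],
     "outputs": [("addr_shop", "0.5"), ("addr_A", "0.31274")]},
    {"txid": "tx2", "inputs": ["addr_A"],
     "outputs": [("addr_friend", "0.2"), ("addr_B", "0.11261")]},
    {"txid": "tx3", "inputs": ["addr_B"],
     "outputs": [("addr_cafe", "0.1"), ("addr_A", "0.01249")]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

When every output is round, `likely_change` returns `None`: the round-number heuristic only singles out the change when exactly one output is non-round.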
Should a person's address ever be made available to the public on the internet?
As if you haven't been paying attention. The answer is: NO!
We've shown how multiple cyber attacks in recent decades have stripped away the feeling of security that any human being deserves, and we're not only referring to Bitcoin-related privacy violations. Our recommendations and the backstory justifying them apply to every service or product that people purchase or use on the internet.
Cyber attacks occur at a rate of over 530 per second. Everybody will be a victim of a hack or data theft at some point in the future, and it does not have to be a Bitcoin-related issue. Everyone uses the internet, banks, social media, etc. Attackers can easily access everything connected to the internet. What is posted on the internet is open to watchful eyes.
So how can people feel secure in the holiest place of all, our home, if it is shared with the rest of the world?
What about sharing your geographic location?
The answer: Is this for real? If you value your privacy, DO NOT share your geographic location.
Also, when you send a Bitcoin transaction, you're basically sending a message from your device to the Bitcoin network. Someone running a large number of Bitcoin nodes may be able to match some of your transactions to your IP address, monitoring your bitcoin balance and exact location.
On a desktop, this can be avoided reasonably easily by routing all transactions through Tor, a free worldwide volunteer overlay network with thousands of relay nodes that conceals a user's location from anyone undertaking network surveillance or traffic analysis.
“Things have changed dramatically since Bitcoin is very valuable nowadays. Privacy is more important now than ever before.” ~ Lászlo
What is the solution to all of these concerns?
First and foremost, be conscious of what you post online. If you're openly sharing personal information or details, even the best and strongest technologies can only do so much to protect your data and rights. Second, there's CoinJoin by Wasabi Wallet, the open-source, non-custodial, privacy-focused Bitcoin wallet for desktop that implements trustless CoinJoin. It has Tor built in, and all data exchanged between client and server goes through it by default, so IP addresses are shielded and hidden and the users' privacy is protected.
By conjoining your bitcoin it is significantly more difficult for others to track your transactions on the blockchain. CoinJoin is an excellent service which combines multiple coins in a single, big transaction. This protects your money and gives you privacy. It maximizes the security and the privacy of your future by maintaining the transparency of the Bitcoin ecosystem.
Wasabi also provides all of the usual security features, such as Hierarchical Deterministic wallets, address reuse prevention, coin control and labeling. The wallet has a one-click partial full node integration and uses BIP-158 client-side block filtering to access its own transaction history in a private manner. If a user already has a Bitcoin full node on a local or remote device, its IP address and port, or its Tor onion service, can be specified, and Wasabi will use it to verify and apply Bitcoin rules.
“Wasabi Wallet is my favorite non full node Bitcoin wallet. It uses modern methods to filter transactions and has a privacy first design. The built in CoinJoin functionality is probably the most interesting part. But even for users who are not interested in this feature it is a great wallet that encourages labeling the user’s coins and being aware of what inputs the user is spending.” ~ Lászlo
It also includes specialized cutting-edge features such as:
- Opt-in PayJoin
- Dust attack protections
- Custom change address
- Anti wallet fingerprinting
Wasabi also has complete and detailed documentation, containing explanations of the program's architecture and functionality, and tutorials on how to use it.
The Wasabi Team is also working on Wasabi Wallet 2.0, a combination of user interface (UI), user experience (UX) and coinjoin (CJ) improvements.
On the CoinJoin front, the long awaited WabiSabi will also make its debut. It will facilitate faster, more cost-efficient collaborative transactions without waste, lay the foundation for payments within CoinJoin and open the door for combinations with other technologies.
All in all, even though no one will pay 10,000 BTC for two pizzas today, the privacy issue is a big concern that everybody should consider in the future.
One last piece of advice to help you keep your data private at all times: check the privacy settings on every platform that you use on a regular basis. Or if you ever want to make your Bitcoin more private, check out Wasabi Wallet and put it to use.
What sets us apart from other wallets? Why is Wasabi Wallet so important for privacy?
Because Wasabi Wallet safeguards YOU, your loved ones, and your associates. Because Wasabi Wallet will help you protect your Bitcoin.
What is the point of this, exactly?
The answer is that Wasabi Wallet is determined to reclaim your privacy.
No data. Just privacy.