A recent bankruptcy filing by digital asset lending platform Celsius has revealed the names and transaction history of nearly half a million depositors. It illustrates a risk that arises from the transparency and traceability of the blockchain.
The privacy standard in most public blockchains is based on pseudonymity, which can be easily pierced to track user activity and balance. As a result, data leaks of names and wallet addresses can harm the privacy of blockchain users, since anybody with an internet connection can easily match the on-chain activity and wallet addresses of named Celsius users disclosed in the filing with the dates and amounts of every transaction on their wallet, exposing wallet owners to the risk of theft or extortion.
As a practical matter, such data leaks can also occur simply by transacting with another party who knows your identity. Consider for example using crypto in your payroll. Employees would be able to see the employer’s account balance and the paycheck of their team members. If you use crypto to pay, your local coffee shop could access information on how much you make and where you shopped yesterday.
To mitigate this risk, digital asset holders employ additional privacy-enhancing technologies to protect the confidentiality of their financial information. The problem is that current techniques to manage illicit finance risk on blockchains rely on transparency and traceability in order to assess user identity. As a result, the same tools used to protect legitimate privacy interests on public blockchains can also frustrate government investigations into malicious activity.
One widely used privacy protocol was Tornado Cash, which was sanctioned this summer by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) on the grounds that it had been used in connection with more than $7 billion in illicit financial activity. This puts innocent blockchain users in a bind: rely on privacy through pseudonymity–which can be pierced–or have their funds associated with criminal activity, increasing the risk that they could face penalties, have their funds blocked, or their risk profile increased, potentially limiting their freedom to transact.
In traditional finance, the balance between privacy and legitimate government interests is achieved through financial intermediaries. In Europe and the U.S., a civil right to privacy and financial confidentiality limits the ability of intermediaries to use financial and other data for commercial or other purposes, while carving out exceptions for sharing legally required information with law enforcement and regulators.
While the assumption that financial intermediaries can effectively protect sensitive personal information has proved problematic (witness the frequency of data breaches), it’s untenable in the context of blockchain technology and decentralized finance. This raises an important question: Can illicit finance risks in virtual assets be mitigated while preserving the baseline confidentiality citizens enjoy in the traditional financial system?
The one novel thing blockchains can do is enforce rules automatically by programming them into smart contracts, effectively a digital “if-then” statement between transacting parties. Originally, blockchains implemented rules that merely governed who owns virtual assets and when they moved around–but it is now possible to add additional rules that satisfy the need to address illicit finance and other compliance risks. Cryptographic technology, such as zero-knowledge proofs (methods that ensure the validity of a given statement without conveying unnecessary information) can address risks identified by authorities and policymakers and are currently being developed by technologists in the blockchain space. These technologies, which have been in academia for decades and are used in some existing blockchains, promise to reconcile the competing claims of privacy and compliance in a more robust way than currently possible.
Such solutions could, for example, allow the blocking of unlawful transactions, automated reporting to government agencies, as well as selective visibility of sensitive information, with access restricted to authorized agents who have information viewing rights–while transactions and wallet balances remain private and protected against malicious actors.
Policymakers and regulators cannot stand on the sidelines. They must adopt flexible regulatory approaches that permit and encourage these technical developments that achieve more effective outcomes than currently possible.
Through these technologies, and with the support of regulators, both compliance and financial privacy can become an integral part of the virtual asset ecosystem.
Shlomit Azgad-Tromer, P.h.D, is a co-founder and CEO of Sealance. Jai Ramaswamy is the Chief Legal Officer of Andreessen Horowitz. Eran Tromer, P.h.D, is an associate research scientist at Columbia University’s Department of Computer Science and a co-founder of Sealance.
The opinions expressed in Fortune.com commentary pieces are solely the views of their authors and do not necessarily reflect the opinions and beliefs of Fortune.
More must-read commentary published by Fortune:
- The Fed may be running out of ammunition–but U.S. banks have never been healthier. It’s time to admit Dodd-Frank is paying off
- The inventors of ESG: ‘Critics have a point—here’s the new global reporting system that will address it’
- I got rich by betting that inequality would destroy the U.S. and U.K. I’m sorry
- America’s richest want to pay more taxes–but we won’t let them. We need a tax bracket and rate overhaul
