Coinbase’s acquisition of Neutrino caused quite a bit of outrage, leading to a #deletecoinbase hashtag and an apology of sorts from the company itself.
Here’s what happened:
- Coinbase announced the acquisition
- Internet detectives shared that Neutrino’s leaders were founders of a company called Hacking Team, an Italian spyware company that helped authoritarian regimes monitor dissidents
- The #deletecoinbase hashtag started1
- Coinbase released baffling statement number one, which said that it was aware of the Hacking Team affiliations but moved forward with the acquisition because Neutrino was the best they could find to “understand the flow of cryptocurrencies and manage risks across public blockchains.”
- Coinbase exec appeared on Cheddar making baffling statement number two, which said: “It was important for us to migrate away from our current providers […] They were selling client data to outside sources and it was compelling for us to get control over that and have proprietary technology that we could leverage to keep the data safe and protect our clients.”
Chainalysis and Eliptic both released statements clarifying that they do not sell client data to outside sources
- Coinbase releases apology and fires the Neutrino team members that were involved with Hacking Team
In sum, Coinbase acquired Neutrino to bring the chain analytics capabilities they need to stay compliant and list tokens in-house, rather than rely on third party providers. Users were concerned with the acquisition because of the team’s history of enabling authoritarian regimes through surveillance. Coinbase then alarmed users further by suggesting that data they had previously shared with third party had been and was continuing to be sold. Then Coinbase announced they would fire some members of the Neutrino team, which seems to have mollified most.
Everybody has been focusing on the actions of Coinbase which seemed in bad-faith at the time of the acquisition and now maybe in good-faith with the apology and announcement of the firings. Overall, I think concern for Coinbase’s actions were overblown2 and concern for the chain analytics companies were under appreciated.
This news cycle just highlights what was already public information: using a regulated exchange makes your coins non-fungible and chain analytics companies help make coins non-fungible. Non-fungible coins enable bad and good actors to marginalize groups of users.
Both exchanges and chain analytics companies play a role in non-fungilizing coins, but who plays a bigger one? Which is the bigger threat to privacy over time?
Who is Facebook and who is Cambridge Analytica?
One can’t help but see parallels between Coinbase-Neutrino and Facebook-Cambridge Analytica.
In Coinbase-Neutrino, a consumer company with sensitive user data revealed they were sharing data with a third party that specialized in aggregating and utilizing user data.
In Facebook-Cambridge Analytica, well, exactly the same.
In both cases, the angry responses mostly came from people mad that their data was being sold. In both cases, no data was being sold (though I’d bet most people still think that Facebook sold data to Cambridge Analytica).
Casey Newton noted in The Interface in December of 2018:
Here are two last things to chew over as we think about this story in the coming days. One, it’s now clear that a data partnership with Facebook can create reputational risks for the companies making the deals. Every company named in the report will be held account for the Times’ findings, and they better have good and thorough answers when shareholders, lawmakers, and reporters start asking.
Two, it’s amazing how much oxygen we all have given to the false notion that Facebook sells your data — when the real story was the data they were giving away.
Rather than generate income from selling user data, Facebook was trying to position themselves at the center of a huge data aggregation operation. Via their GraphAPI, they would give partners user data in exchange for data from their partners. As Ben Thompson wrote in a member update:
To my mind, scale is the key here: with the Graph API Facebook was positioning itself as the center of everything — it would give its data to whoever wanted it in exchange for their data, which would result in everyone having Facebook’s original data plus their own data, and Facebook having the data from everyone. It’s not that user data isn’t a competitive advantage; it’s that having all the data is an even bigger one.
Whereas partners would get one to one data (theirs plus Facebook’s), Facebook would get one to many data (theirs plus many partners). Facebook could then use that data to do revenue generating stuff.
Similarly, neither Coinbase nor the chain analytics companies were selling data. Both Chainalysis and Eliptic published statements to that effect. And Eliptic emphasized they do not have access to PII.
Elliptic has no access to end users’ personally identifiable information. Our exchange clients, including Coinbase, do not provide us with any personally identifiable information about their users. Our clients use our solutions to screen specific transactions for risk. We do not require or request any transaction data that we can link to individuals, and do not have any other client information such as names, addresses or social security numbers.
We do not support or enable the violation of any individual’s financial privacy. We firmly believe that no individual should be subject to unlawful access to their financial data by any government body, and no financial institution or service provider should reveal this financial data to third parties without the individual’s permission. We only allow our solutions to be used in order to combat financial crime, and do not allow it to be used for marketing, business intelligence, or any other purpose.
Aside: not having direct access to PII does not mean they do not have the ability to identify individuals through various data sources, though.
Coinbase needed the chain analytics companies to stay compliant with laws and regulations (e.g. AML). Without help from chain analytics companies, they would be unable to list tokens, among other things.
Chain analytics companies need data to provide their services to their customers, which include exchanges, yes, but also regulators, other corporations, and nation-states (I don’t know exactly who all their clients are–it’s not public–but I do not know of any restrictions to the clients they can take).
While it’s tempting to think of Coinbase as Facebook and chain analytics companies as Cambridge Analytica, the nature of the relationship between exchanges and chain analytics companies suggests the opposite: chain analytics companies are trying to build massive data operations (one to many) and exchanges are forced to participate in data exchange (one to one) to run their businesses.
So chain analytics companies are Facebook, exchanges are Cambridge Analyticas.
An aside: this is why acquiring a chain analytics company like Coinbase did is actually pro-privacy for users. Instead of two entities having your data (Coinbase and Chainalysis, for example), only one does. And that one that has it isn’t aggregating data about your behavior from other sources. It’s a bit of a shame that Coinbase became the scapegoat due to awkward communications. They had the opportunity to take the privacy highground.
The fungibility loss ecosystem
If you care about fungibility, you should probably opt out of this entire ecosystem.
Even if everybody acts in good faith (which I believe they are), using regulated exchanges and transacting on public blockchains makes your coins non-fungible. Non-fungible coins reduce your privacy. Coinbase buying Neutrino or firing Neutrino team members doesn’t really impact the big picture.
That said, fungibility could be considered a spectrum (rather than binary, though I tend to think privacy and fungibility are all or nothing). And regulated exchanges trying to lock down their user data (making it a black box for third parties) is certainly better for fungibility than alternatives. I think this is what Coinbase is trying to do by bringing chain analytics in house and I hope they are successful.
I’m planning to explore this concept more in next week’s public post. So if you disagree with anything I’ve said here (I think many of you might), please let me know. Would very much appreciate your feedback.
- Udi Wertheimer is credited for starting it
- We should just assume that our data is not private if we are using a centralized operator like an exchange. How many times do people have to learn this? Second, we should just assume that our on-chain transactions are also being monitored. They are all public.