Week of July 20, 2020

Blogging this week

Disintermediating the media with… Substack?
The startup is the great hope of heterodox writers and readers, but it could end in tears.

You have no property rights over your Twitter data
Maybe we should mandate data portability, but that has nothing to do with property rights.

Do we really need more guidance from FinCEN?
While it may be tempting to ask for further formal guidance from FinCEN, the result could be more specificity that does not improve on the general principle already articulated.


Podcasting this week

There is no such thing as “a bitcoin”

A popular misconception about Bitcoin is that there are individual coins that can be tracked on the blockchain like dollar bills with serial numbers.

Recently on Twitter, the St. Louis Fed’s David Andolfatto asked an interesting question:

That is, would it be possible to mark a particular bitcoin as having been paid in ransom so that such tainted coins could not be exchanged for dollars at regulated exchanges without first paying a tax? Putting aside whether that would be good policy, the threshold question is whether it’s technically possible to trace individual bitcoins in this way. In a later tweet he elaborated,

My shorthand answer to this question is, no because there are actually no such things as “a bitcoin” that can be traced. Twitter did not prove to be an auspicious medium to convey what I meant by that shorthand, so here’s a stab at explaining the concept in detail.

Many people who generally understand how Bitcoin and its blockchain system works are nevertheless under the erroneous impression that there are such things as atomic units of bitcoin that are moved from address to address and can therefore be tracked on the public chain. I think this mistake has its roots in language and analogy.

Bitcoin is a digital currency, “coin” is in its name, the White Paper describes it as electronic cash and mentions “wallets.” As a result we talk about it like we talk about physical currency; like we talk about paper bills or coins. We say things like, “She gave me a bitcoin.” As a result, people tend to quite justifiably envision bitcoins as atomic units that are passed around. Even if they understand that bitcoins are sub-divisible to eight decimal places, and that those units are called satoshis, they may still think that those are the atomic units.

This leads people to conceptualize bitcoins like dollar bills with serial numbers.

And since people know that the blockchain keeps a public record of all transactions, they imagine that this means that individual bitcoins can be traced by their “serial numbers” moving from address to address, from wallet to wallet.

But the coins and wallets analogy is just that: an analogy. This is not at all how Bitcoin works.

So how does it work? Suppose Alice wants to send some bitcoins to Bob. What she does is compose a new transaction message to be broadcast on the network for validation and inclusion in the blockchain by a miner. In the transaction message she must reference one or more previous transactions on the blockchain of which she was a recipient.[1] Those referenced transactions are called inputs; they are in essence the funds with which she’s transacting. The sum of the inputs must equal or (almost invariably) exceed the amount she wants to send to Bob. She must also, of course, note the address or addresses to which she wants to send funds. These are called outputs. She signs the transaction message with the private keys corresponding to the input addresses and broadcasts it on the peer-to-peer network. If all goes well, a miner will include the transaction in the next block after verifying that the inputs and signatures are valid. The transaction is now complete, and Bob can reference this completed transaction as an input to a future transaction when he wants to move the funds.

In the simplest case, there is only one input and only one output. Alice references a transaction in which someone sent her exactly one bitcoin and she sends exactly one bitcoin to Bob’s address. In such a case, it might not be unreasonable to say that we can track the movement of one particular bitcoin, just as if it were one particular $100 bill. However, such a transaction is not only improbable; I’m not sure there have ever been any like it.

First, miners don’t typically work for free. In addition to block rewards, miners are incentivized by fees they can collect from each transaction they include in a block that they add to the blockchain. These fees are voluntary, but miners will almost always ignore transactions that don’t have fees (or have fees below the current market rate). So, if Alice wants to send one bitcoin to Bob, it’s likely she will have inputs to the transaction that total, say, 1.01 bitcoins. Whatever is the balance between the inputs and the outputs in a transaction message is understood to be the fee and the miner gets to keep it.

Second, users typically don’t have exact change. It’s unlikely that Alice will have a single prior transaction that she can use as an input to pay Bob (i.e. 1.01 BTC, exactly one bitcoin for Bob plus the appropriate mining fee). More likely she will have many different possible inputs to choose from—for example, one for 87 bitcoins, one for .51, one for .7365, one for 14.98, etc. As a result, the number of inputs and/or outputs in her transaction will increase. For example, if she wants to send Bob one bitcoin, and wants to also include a .01 bitcoin mining fee, she has to find inputs equal to 1.01 bitcoins or more. So, she can use one big input (like the one for 87 bitcoins) and get change of 85.99 bitcoins back by including a second output for that amount to an address that she controls. The transaction would now have one input and two outputs. Alternatively she could use two small inputs (like the ones for .51 and .7365) but still want change (i.e. 0.2365), for which she would provide a change address. That transaction would therefore have two inputs and two outputs.

One last wrinkle I’ll add is that when Alice composes a transaction message to pay Bob, she can also take the opportunity to pay Charlie as well. She can send up to the total of her inputs to as many addresses as she wants, so the number of transaction outputs can be very large. So, a not uncommon bitcoin transaction will look like this:

A bitcoin transaction.

The key thing to realize is that there are no individual, atomic units of bitcoin that are transferred among addresses. Indeed, there are no such things as bitcoins that one can point to, much less track. What individuals “own” are not bitcoins per se, but unspent transaction outputs (UTXOs) that can serve as inputs for new transactions. When a new transaction is added to the blockchain, the transactions that served as inputs are of course still visible on the ledger, but they can no longer be spent,[2] and new unspent transaction outputs are available in the newly created transaction. The input and new transactions are certainly linked in a chain, but in no way can we identify in the new UTXO a particular satoshi that was present in the input UTXO—again, because individual satoshis don’t really exist.[3]

Let’s now bring it back to Andolfatto’s proposal to tax blacklisted bitcoins when they are presented to a regulated exchange. We can now see that in Bitcoin it makes no sense to say that a particular bitcoin was paid in ransom and is now being brought to an exchange. One can nevertheless trace the movement of funds on the blockchain and show that a particular UTXO has somewhere in its chain an illicit transaction, but that’s not the same thing as saying that a particular bitcoin was part of an illicit transaction.

In the figure above, suppose the UTXO with 87 bitcoins is the proceeds of crime, while the rest are not. When Alice sends bitcoins to Bob and Charlie (and pays a mining fee to do so), there is no meaningful way in which we can say that Bob, Charlie, or the miner received some of the 87 ill-gotten bitcoins. And it’s just as meaningless to say that either Bob’s or Charlie’s or the miner’s coins came from the legitimate UTXOs. It’s not just that we can’t be sure, it’s that the concept of particular coins changing hands makes no sense because individual coins don’t exist.

At this point, I hope I have answered the initial question, is it possible to track individual units of bitcoin? It’s not.

What someone might then say is, why not simply treat each of the new UTXOs as containing a share of the illicit input coins, in proportion to its value? Couldn’t you then tax that proportion of Bob’s or Charlie’s coins? The answer is sure, I guess you could do that, but that would be a policy choice external to the mechanics of Bitcoin, and I imagine it would be seen as a pretty inequitable policy. There’s a reason the currency rule emerged.

As a result, what’s developed in practice by industry, regulators, and law enforcement is to focus on addresses and not individual bitcoins. You can know with certainty that a particular address received a ransom payment, and you can know which other addresses have been sent funds from that ransom address and on and on. They also look at what proportion of each transaction comes from previous illicit transactions and how many suspect transactions an individual may be tied to. This information can be used by exchanges to require more information from customers with addresses in close proximity to known illicit transactions, and law enforcement can use all this to prosecute crimes. Using solely the information available on-chain, however, it’s not really possible to automate justice in any sensible way.
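As an added illustration, not code from the original post or from any Bitcoin implementation, here is a small Python model of the transaction mechanics described above (inputs referencing earlier outputs, outputs to payees plus a change output, the fee as whatever the inputs exceed the outputs by), followed by the two attribution conventions discussed in the last few paragraphs: the share-in-proportion rule and the stricter rule under which any tainted input taints every output. The `Ledger`, `Tx` and `Outpoint` classes, the txids and the addresses are all constructed for the example; the 87, .51, .7365 and 14.98 bitcoin amounts are the ones from the post’s own example.

```python
# Added example, not code from the original post: a toy UTXO ledger following the post's
# description (inputs, outputs, change, fee = inputs - outputs) plus two candidate "taint"
# rules, showing that attributing illicit coins to outputs is a convention layered on top
# of the ledger. Every txid, address and amount below is constructed for illustration.
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Outpoint:  # output number `index` of transaction `txid`; a tx input references one
    txid: str
    index: int

@dataclass
class Tx:
    txid: str
    inputs: List[Outpoint]              # previously unspent outputs being consumed
    outputs: List[Tuple[str, Decimal]]  # (address, amount); fee = sum(inputs) - sum(outputs)

class Ledger:
    def __init__(self) -> None:
        self.utxos: Dict[Outpoint, Tuple[str, Decimal]] = {}  # spendable outputs only
        self.txs: Dict[str, Tx] = {}                           # whole history, spent or not

    def amount(self, op: Outpoint) -> Decimal:
        return self.txs[op.txid].outputs[op.index][1]

    def coinbase(self, txid: str, address: str, amount: Decimal) -> Outpoint:
        """Funds from nothing (a block reward): the only kind of tx without inputs."""
        self.txs[txid] = Tx(txid, [], [(address, amount)])
        self.utxos[Outpoint(txid, 0)] = (address, amount)
        return Outpoint(txid, 0)

    def apply(self, tx: Tx) -> Decimal:
        """Validate and record a spending tx; returns the implied miner fee."""
        if not tx.inputs or any(op not in self.utxos for op in tx.inputs):
            raise ValueError("inputs missing, unknown or already spent")
        total_in = sum(self.amount(op) for op in tx.inputs)
        total_out = sum(amt for _, amt in tx.outputs)
        if total_out > total_in:
            raise ValueError("outputs exceed inputs")
        for op in tx.inputs:
            del self.utxos[op]                              # inputs are now spent
        for i, (addr, amt) in enumerate(tx.outputs):
            self.utxos[Outpoint(tx.txid, i)] = (addr, amt)  # brand-new UTXOs
        self.txs[tx.txid] = tx
        return total_in - total_out

    def ancestors(self, op: Outpoint) -> Set[str]:
        """All txids behind `op`. The links are real, but no satoshi in `op` maps to one upstream."""
        seen, stack = set(), [op.txid]
        while stack:
            txid = stack.pop()
            if txid not in seen:
                seen.add(txid)
                stack.extend(i.txid for i in self.txs[txid].inputs)
        return seen

def build_payment(ledger, txid, spend, payments, fee, change_addr) -> Tx:
    """Chosen inputs, payee outputs, and a change output for whatever exceeds payments + fee."""
    change = sum(ledger.amount(op) for op in spend) - sum(a for _, a in payments) - fee
    if change < 0:
        raise ValueError("inputs do not cover payments plus fee")
    return Tx(txid, list(spend), list(payments) + ([(change_addr, change)] if change else []))

def taint_outputs(ledger, taint, tx, prorata=True) -> Dict[Outpoint, Decimal]:
    """Illicit fraction for each output of `tx`, derived from its inputs' fractions.
    prorata=True is the share-in-proportion idea; prorata=False is the 'poison' rule (any
    tainted input taints every output). Both are analyst conventions, not chain facts."""
    total_in = sum(ledger.amount(op) for op in tx.inputs)
    bad_in = sum(ledger.amount(op) * taint.get(op, Decimal(0)) for op in tx.inputs)
    frac = bad_in / total_in if prorata else Decimal(int(bad_in > 0))
    return {Outpoint(tx.txid, i): frac for i in range(len(tx.outputs))}

def demo() -> dict:
    """The post's scenario, constructed: the 87 BTC UTXO is ransom proceeds, the rest clean."""
    L, fee = Ledger(), Decimal("0.01")
    ransom = L.coinbase("ransom-in", "alice", Decimal("87"))
    a1 = L.coinbase("clean-1", "alice", Decimal("0.51"))
    a2 = L.coinbase("clean-2", "alice", Decimal("0.7365"))
    a3 = L.coinbase("clean-3", "alice", Decimal("14.98"))
    taint = {ransom: Decimal(1)}  # the one fact an analyst starts from
    # tx1: the post's two-inputs, two-outputs case: .51 + .7365 pays Bob 1 BTC, change .2365
    tx1 = build_payment(L, "tx1", [a1, a2], [("bob", Decimal("1"))], fee, "alice")
    fee1 = L.apply(tx1)
    taint.update(taint_outputs(L, taint, tx1))
    # tx2: the ransom UTXO, a clean one and the tx1 change pay Bob and Charlie together
    tx2 = build_payment(L, "tx2", [ransom, a3, Outpoint("tx1", 1)],
                        [("bob", Decimal("1")), ("charlie", Decimal("2"))], fee, "alice")
    fee2 = L.apply(tx2)
    prorata = taint_outputs(L, taint, tx2)
    poison = taint_outputs(L, taint, tx2, prorata=False)
    bob1, bob2 = Outpoint("tx1", 0), Outpoint("tx2", 0)
    return {"fee1": fee1, "fee2": fee2, "ransom_spent": ransom not in L.utxos,
            "tx1_change": tx1.outputs[1][1], "tx2_change": tx2.outputs[2][1],
            "bob1_links_ransom": "ransom-in" in L.ancestors(bob1),  # tx1 never touched it
            "bob2_links_ransom": "ransom-in" in L.ancestors(bob2),  # the chain link is real
            "prorata_bob1": taint[bob1], "prorata_bob2": prorata[bob2],  # 0; 87 / 102.2165
            "prorata_uniform": len(set(prorata.values())) == 1, "poison_bob2": poison[bob2]}
```

Running `demo()` shows the three things the post argues: the spent 87 BTC output stays visible but unspendable and the new outputs are fresh objects with no satoshi-level link to it; `ancestors()` can still say that Bob’s second payment has an illicit transaction somewhere in its history; and under the pro-rata rule Bob, Charlie and Alice’s change all carry exactly the same illicit fraction, so nothing on the ledger singles out which of them got the “ransom coins”. Switching to the poison rule changes that fraction to 1 for all of them without changing a single byte of the ledger, which is what it means for the attribution to be a policy choice rather than a property of Bitcoin.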

Finally, I’d like to say that I wrote this post because I couldn’t find any publication explaining the above in detail. After writing the preceding 2,000 words, however, I came across this article by Northern Illinois University philosopher Craig Warmke, which although it doesn’t address exactly the same issue, would have worked as a reference for the proposition that you can’t track individual bitcoins. It’s very interesting and worth reading.

Thank you to Tom Robinson of Elliptic for reviewing a draft of this post.


[1] By this I mean that the transactions in question were sent to a public address for which she controls the corresponding private key. More specifically, she would reference UTXOs, which will be explained momentarily.

[2] That’s because also visible on the ledger is the fact that they have been used as inputs in another transaction.

[3] UTXOs are the closest analogy we have to discrete coins, but they are “destroyed” when they are used in transactions, and new UTXOs created with the same aggregate value.

More on CBDCs, AML, and anonymity in electronic cash

My recent post on central bank claims that their CBDC designs would be subject to AML regulations got a lot more attention than I imagined it would. While most folks understood the point I was making, some did not, so here’s some hopefully clarifying follow up.

One objection that was raised by several persons was that indeed there are AML obligations on cash. After all you have to declare cash over $10,000 when you cross the border, and transactions over this amount must be reported by financial institutions (as defined in law) to the authorities.

This is something I specifically acknowledge in the original post when I wrote, “Sure, financial institutions that deal with cash have obligations, like collecting customer identification and reporting transactions over $10,000, but those are not obligations on cash itself.” Perhaps this was too subtle, so let me spell it out.

In the U.S., and I suspect in other OECD countries, AML laws do not regulate the central bank; they regulate private parties like banks, payments companies, casinos, estate agents, car dealerships, etc. When you withdraw more than $10,000 in cash from your bank to buy a car, for example, the bank and the car dealer you pay in cash both have an obligation to report the transaction to the government, but the central bank that issued the cash has no obligations. When you cross a border with more than $10,000, it is your obligation to report it, not the central bank’s. This is what I mean when I say that there are no AML obligations on cash itself, only on certain parties to cash transactions.

That is not merely a pedantic point. It matters because it means that although we have all kinds of AML regulations, there is no law that precludes the central bank from creating and maintaining a system of completely anonymous and untraceable payments (i.e. cash). And yet, in describing how they might design a CBDC, we’re seeing central banks cite “AML obligations” to justify why any new digital version of cash cannot be as anonymous and untraceable as physical cash. I’m not aware of any such restrictions on central banks and that is what I was pointing out.

In the post I was not advocating for CBDCs to be anonymous and untraceable, as some seemed to assume. I was only arguing that if a central bank decides that its CBDC should not be anonymous, then it should explain why it reached that conclusion and engage in a policy discussion with the public about it. It should not simply justify the choice by gesturing to non-existent “AML obligations.” If nothing else, it should have to reconcile why it’s fine that its physical cash is anonymous and untraceable (and the Bank of England sings the praises of physical cash in its CBDC paper), but electronic cash cannot be.

As I pointed out to the IMF’s John Kiff on Twitter, if we had an open and transparent policy debate about the tradeoffs of anonymity in CBDC design, I think what would happen is that a broad consensus would emerge: it should be built so that individuals can enjoy the privacy and autonomy that anonymity affords up to a certain “reasonable” level (and part of the debate would be what constitutes that level), but that it would be proper for a central bank to build the system in such a way that it can surveil larger transactions (or balances, that would be part of the debate, too). The problem with this, however, is that I haven’t seen a way that this could be accomplished technically. How do you have a system where transactions or individual holdings below a certain threshold are as anonymous as cash, but above that threshold they are traceable?

So it doesn’t get lost, let me now highlight the clause “as anonymous as cash” in the last sentence. “As anonymous as cash” means anonymous. Not “nearly-anonymous” and not merely “private,” but anonymous and untraceable. If it’s not anonymous for at least certain transactions, then one can’t really call a CBDC “cash-like,” merely P2P. I don’t see how such a tiered system is technically feasible, but I would love it if anyone can point me to references that explain how it can be done.

Kiff pointed me to the Bank of Canada, which in a couple of staff notes discusses the concept of a “universal access device” that apparently aims to do this. But I have not been able to find technical details about the device, and from the way the staff notes discuss it, it does not seem to me that they contemplate it offering CBDC payments that are as anonymous as cash. I would appreciate any light anyone might be able to shed on this scheme.

Finally, if it is indeed the case that a CBDC cannot be engineered to be as anonymous as cash for certain transactions but not for others, then what central banks will have is a choice between a CBDC that is completely anonymous or not. One that is electronic cash and one that is not. One that presents the same kinds of risks as physical cash does today, and one that tries to avoid them by curtailing the privacy and autonomy of individuals. Choosing between these is a conversation that should be had out in the open.
