Friday, August 30, 2013

On stolen coins and transaction blacklists

This blog post was originally email, written in response to a reporter's questions, such as:  Why can we not recover or blacklist stolen coins?

As usual, the answer is not "we can" or "we cannot" but very complex, and outside the realm of engineers in my opinion.  Theft of private property, and money in particular, is of course wrong and illegal in most jurisdictions.

First, bitcoin is a global phenomenon.  It is impossible to get 100% agreement on what coins are even considered stolen.

Second, Stolen coins are fundamentally a legal, not technical concept.  That complicates the matter immensely.  Anyone may track any bitcoin transaction via the public blockchain, but the easy part ends there.

Some exchanges and payment processors already refuse to credit payments made with coins from some well known, large thefts.   This is done on an individual, business-by-business basis.

One key difficulty is defining a stolen coin.  It is possible to claim that one's coins were stolen, yet possess the private key that spends those funds.  Even if the victim is indeed an honest victim, the problem becomes one of reviewing and authenticating police reports from jurisdictions around the world, matching those up to bitcoin transactions, deciding on a technical disposition, executing that in software, and finally, gain the community's support to upgrade to your transaction blacklist.

It is not the place of engineers to sort through police reports, and pronounce judgements on each transaction as "good" or "evil".  The act of centrally administering a transaction blacklist is a job no one in the bitcoin community wants.  A transaction blacklist is fundamentally human-driven financial censorship, a concept almost antithetical to bitcoin itself.

Any one person or company administering a transaction blacklist exposes themselves to very real legal risks -- lawsuit if a blacklist mistake costs money -- as well as physical threats such as intimidation and blackmail.

At its most basic level, the bitcoin protocol destroys each coin, when it is spent, and creates brand new coins for the recipient.  Example: sending 1.0 BTC to me might involve destroying coin #1111 (0.5 BTC) and coin #1112 (0.5 BTC), and creating coin #6789 (1.0 BTC).  Thus, beyond a single transaction, you cannot say that a coin is 100% stolen.

From a technical standpoint, you can see that a coin is "related" to a stolen coin, but you cannot know how many innocent people lay in the chain after the theft.  Thief Alice can give a coin to Bob, who doesn't know the coin is stolen.  Bob sends the coin, along with some others, to Charlie.  Charlie sends those coins, along with some others, to David.  Bob, Charlie, and David are all unknowingly holding coins /related/ to a stolen coin, but from a technical standpoint, it is at that point impossible to say which coins should be blacklisted without making subjective, non-technical, human judgements. Businesses and exchanges receiving bitcoins are in the best position to know their customer, and make some sort of judgement about that.

The outside observer looking for stolen coins does not see an Alice, Bob, Charlie or David or any other identity information.  Observers only see coins #1110, #1111 and #1112 being destroyed, and coins #2222 and #3333 being created.

On recovery:

Stolen coins are, by definition, sent to another bitcoin address outside the victim's control.  There are no private keys to recover. The victim's private keys are rendered useless, because the thief's private key controls the stolen coins.

If a person simply loses their private keys, sometimes hard drive forensics may be able to recover the keys from a backup.  Depends on what "lost" means.  Keys are simply encrypted data, which may be recovered (or not) after a data disaster just like any other encrypted data.

Finally, and very important to economists, is   It is important that the value of one bitcoin is the same as the value of another bitcoin. Otherwise it becomes impossible for software and average users to figure out which bitcoins they should hold, and which they should avoid.


  1. Basically, Bitcoin will force it's users to resort back to: "if you're strong enough you can force people to give back your money"

    If you have the power to track where the coins went, you (as an individual, a company or through an organised network like government) can force people to return the money.

    Bitcoin 'theft' becomes a very subjective term, based on the who gets to keep it, instead of a single consistent law.

    1. It is quite consistent with paper dollars (cash).

      Police may catch and convict the thief, but there is no guarantee your dollars will be returned to you.

  2. This comment has been removed by the author.

  3. I don't know why this is a surprise to anyone. If a thief steals $500 in cash and uses it to purchase goods from various retailers, are those retailers complicit in the theft? Should they be punished for the theft? Bitcoin is analogous to digital cash; you can build eversible payment systems *on top* of Bitcoin, but by its very definition it should not allow for transactions to be reversed.

    1. But imagine the coins were stained with ink from an exploding ink pack, suggesting they'd been stolen from a bank. In that case presumably a court would say the retailer should have known that they were stolen, so they were somehow complicit in the theft.

      Now instead of "stained with ink from an exploding ink pack", substitute "listed on a real-time police blacklisted transaction database". You could make the case that the retailer could reasonably be expected to know that those coins were stolen.

      I really hope nobody tries to mess with fungibility like this, and it's certainly in the interests of Bitcoin users that they don't, but it looks to me like financial censorship via a transaction blacklist could be:
      1) Technically possible.
      2) Sometimes helpful to law enforcement.
      3) (Possibly) something that could be forced on vendors using existing laws about receiving stolen property and money-laundering.

  4. Jeff, i'm really glad to see you've arrived at this conclusion.

  5. The technical issue of tracking stolen coins is very easy, so I think that it is inevitable that it will be done. Like you said, some bushiness already have their own private blacklist.

    A blacklist may catch relatively innocent people who only "received stolen property". However legally speaking, possession of stolen goods can be a crime, and is almost always subject to forfeiture.

    While building a blacklist into the bitocoin protocol would indeed be antithetical to the basis of bitcoin, having a public or commercial blacklist that vendors or users can voluntarily opt to use as they see fit is not antithetical, and should be freely available to those who wish.

    While "freezing" the account of stolen bitcoins is not possible, it is potentially possible to use blacklisted coins as a means to find or deter a thief. In your scenario, if Bob's coins come up as blacklisted when he is giving them to Charlie, Bob may wish to notify the victim of Alice's identity as the source of his coins, and the thief. Depending on how the community chooses to handle situations like this, the victim could incentivize Bob to do this by removing the blacklist once the thief has been identified or apprehended.

    1. Don't be so sure about the technical ability to track stolen coins being a given.

      Where software can be used to identify patterns, other software can be used to obscure them.

      See CoinJoin.

    2. Interesting, I wasn't familiar with CoinJoin, but it makes sense.

      I would still say from a simple technical standpoint, all the outputs from a CoinJoin transaction contain an equal portion of each of the inputs. So if you were tracking stolen coins that were spent CoinJoin style, all of the outputs would contain a diluted portion of stolen coins.

  6. "Theft of private property, and money in particular, is of course wrong and illegal in most jurisdictions."

    Except of course, by government. Not just in the form of taxation, but also asset forfeiture and eminent domain.

  7. With CoinJoin and other mixing, eventually, like the US$100 bill, the majority of Bitcoin would be tainted, like the Benjamin is with cocaine.

    All bitcoin would once again be fungible as they would all be equally "redlisted."