Privacy, the tech industry's kryptonite, was back in the headlines this week. Tim Berners Lee announced he was launching his privacy-focused blockchain, Solid and Google updated its Chrome browser to better protect user's privacy from crypto-jackers. Further afield, Facebook confessed its recent data breach was because of a poorly thought out privacy tool, and Apple CEO Tim Cook told Vice that Apple is privacy's biggest fan. It was a subject that defined day one of crypto-conference with a difference, Crypto Springs.
Things all started out really rather well. Jay Graber of privacy coin Zcash—explained how the network's recent Sapling protocol upgrade would make the network's already respectable privacy features more robust.
Cathie Yun of Stellar, unveiled its newest privacy feature aptly titled Bulletproofs. But arguably one of the more fascinating talks on the topic at Crypto Springs was Dandelion, the cute name for the collaboration between Carnegie Mellon and the University of Illinois, who are attempting to improve Bitcoin's patchy approach to privacy.
With little more than a few off the shelf IP tracing tools, someone could reveal a bitcoin user's identity. Indeed, it was this very approach Robert Mueller used to discover and indict Russian hackers using bitcoin to fund their illicit activities. While other networks like Zcash have privacy baked into them, Bitcoin doesn't, which is why Dandelion's proposal is so exciting. Its aim is to create a few extra steps to how transactions flow across the network that would make tracking a transaction back to its source a lot more difficult.
Currently, when a transaction is picked up by a node on bitcoin, it broadcasts it immediately to all the other nodes in the network. Dandelion's idea is to change that process so that the first node sends the transaction randomly to another node, who repeats the process, until enough nodes agree the transaction is legit. If someone were to snoop on the transaction, they might find it one node, but will have no clue if it was the first node, or where the transaction originated.
Giulia Fanti, of Carnegie Mellon, concedes that there are already systems—TOR and I2P—that seek to provide anonymity, but Dandelion, she says, fits a niche between these solutions and provides a “lightweight propagation algorithm that makes it difficult to link users to their IP addresses.”
Not so smart contracts
But with every silver cloud comes a rainy lining. Bringing the privacy down a peg or two was Cem Paya, of digital assets company, Gemini (founded by the Winklevii), who kicked off his discussion by saying that Mt Gox hack was an obvious lesson in how important privacy is to the industry. But, he asserted, while there are lessons to be learned, ultimately security is an impossible problem to solve—and an existential issue for crypto.
And, Paya went on, because funds are impossible to recover, the focus has to be on prevention. But this is far from easy, and privacy can be breached even when all manner of conditions are fulfilled. “Smart contracts create lots of smart ways to lose money,” Paya points out. “Everything can be perfect and you can still experience loses, due to a bug that you have no control over.”
Reserving his worst criticism for Ethereum, he questions the maturity of the tools and Solidity, in particular. “While it looks like a high-level modern language, in some ways, it’s resurrected bugs from the past,” he claims, concluding rather depressingly that, “we’re still waiting for best practice to arrive. It feels like the early 90’s—an immature market.”
Privacy, like kryptonite, is the Achilles Heel we have no cure for.