08 October 2021
CD40: using bitcoin privately at Human Rights Foundation Oslo Freedom Forum with Evan Kaloudis and Janine Roem
Presentation at the Human Rights Foundation Oslo Freedom Forum.
https://oslofreedomforum.com
https://oslofreedomforum.com/bitcoin-academy-off2021
@J9Roem: https://twitter.com/J9Roem
@evankaloudis: https://twitter.com/evankaloudis
streamed live every tuesday:
https://citadeldispatch.com
twitch: https://twitch.tv/citadeldispatch​
bitcointv: https://bitcointv.com/video-channels/citadeldispatch/videos
podcast: https://anchor.fm/citadeldispatch​
telegram: https://t.me/citadeldispatch​
support the show: https://tippin.me/@odell
stream sats to the show: https://www.fountain.fm/
join the chat: http://citadel.chat/
[00:00:00]
Unknown:
Alright, everyone. So welcome to using Bitcoin privately. We have 3 distinguished guests here. 2 of which are here in person, and one is tuning in. Again, we wanna talk about privacy and surveillance and using Bitcoin as safely as possible. A lot of people here in Miami or New York using Bitcoin may not be that worried, about people understanding, their their Bitcoin usage, but folks around the world, have have a deep, a deep need to understand this topic. So I'm delighted to have 3, 3 experts on this. Just give me a second to to quiet the the venue, and then you guys can can go. Just give me a second.
[00:00:53] Unknown:
Testing. Testing. How's it going, guys? Janine, can you hear us? Yeah. I can hear you. Awesome. Okay. Here we go. Hey. So we have Janine joining us remotely. My name is Matt O'Dell. I'm a independent Bitcoin privacy advocate. We're here to talk about a very important conversation, which is using Bitcoin privately and the different privacy gotchas that involve Bitcoin. This after we have our conversation, there's gonna be a 10 minute q and a. So if you have any questions, consider them, and we're we're looking forward to the questions. We find them very productive. I wanted to thank Alex and HRF for hosting the Bitcoin Academy.
It's a really important initiative, for hosting Oslo Freedom Forum in general. You know, a lot of these activists, they're very motivated, very determined. They put their lives at risk every day, and I really do think, you know, that's part of the reason that we put so much effort into Bitcoin. So it really it it really does make it all worth it, being here and hearing those stories. Before I pass it over to Evan, I'm curious here. How many people have sent a Bitcoin transaction? Okay. Good.
[00:02:11] Unknown:
Evan, you wanna introduce yourself? Yeah. Sure thing. Hey, all. I'm Evan Kaludis. I am a software engineer. You guys might know me from my open source project, Zeus, which is a lightning wallet for people who run their own full node. I also work at Kraken, trying to get the lightning integration out the door there. 2 weeks? 2 weeks. Let's see. Let's see. But, yeah, just really glad to be here and talk to you guys about a really important topic. You know, Bitcoin is something that has a lot of misconceptions behind it, and I'm sure, you know, many of you when they first heard about Bitcoin, you know, had this misconception that it was a private asset, you know, that its transactions were completely private, and that's just not the case.
So, yeah. So the goal of our talk is to, you know, introduce you guys to some method you could use to maintain privacy when using Bitcoin and,
[00:03:10] Unknown:
knowing some of the gotchas. Janine, you wanna introduce yourself?
[00:03:16] Unknown:
Yeah. Hi there. My name is Janine, and, I'm an investigative journalist and privacy researcher currently at, CASA, actually. Earlier this year, I received a grant from Human Rights Foundation for my newsletter this month in Bitcoin privacy, which is a relevant resource for anyone here who is interested in the topic of our session today.
[00:03:37] Unknown:
Thank you, Janine. We have a lot of respect for Janine. She's doing the privacy advocacy correct because you can't see her right now. So she brings shame to me and Evan. So first and foremost, Bitcoin is not private by default. If you send a Bitcoin transaction, it is on the ledger called the blockchain. That ledger is viewable by everyone. It will probably outlive all of us. So mistakes you make today can affect you in the future, especially if you're an activist and authoritarian regime. They will try and track your transactions. They will try and use it against you. You need to be aware of that risk that it exists in the first place.
The second big thing I really want to hone in here is that most people who are entering Bitcoin nowadays enter through regulated onramps. Those regulated companies require identification information, KYC information, email addresses, phone numbers, Social Security numbers, driver's licenses. Those are all connected to your Bitcoin addresses when you withdraw. So if you don't take privacy precautions at that point, it can be used against you in the future. Even if the company is not malicious, they might not be able to secure it correctly. It might get hacked. It might get bought, stolen.
We just had Coinbase recently. They had 6,000 people's intimate personal information, home addresses, every withdrawal address, all get leaked. And so you you might think you're protected now, but if that happens in the future, then a malicious actor can go and use look back on the blockchain and go back and see your transactions that they might not have been able to see before. Janine, you have any opening thoughts over there? We might have some connectivity issues, or she might be muted. Evan, what what are you thinking?
[00:05:38] Unknown:
So yeah. So when you're dealing with the blockchain, which is this immutable database, it's, you know, quite quite crucial to do things correctly. You can't undo your mistakes. Right? Once a transaction is broadcast and more importantly, like, confirm, there's no undoing it. That record is sealed, and it's on the hard drive of everyone who's running a Bitcoin note.
[00:06:03] Unknown:
Janine, can you hear me now?
[00:06:07] Unknown:
Yeah. I can hear you. Awesome. Just a bit, noisy.
[00:06:11] Unknown:
So did you could you hear what we were saying? Do do you have any thoughts before we move on to risks?
[00:06:19] Unknown:
Yeah. I mean, the main thing I wanted to say, because a lot of, I've especially heard in the last couple of days that there are some people, saying that not your keys, not your coins, even Even though it's been a popular mantra in Bitcoin for many years, they say that this is now somehow outdated advice, and that you for user experience reasons, for quote exposure, it's better to get on board through a top five exchange. And what I have to say to that is that if your user experience requires compromising your ethics, your safety, your privacy, or your liberty, then it's not really a user experience. It's more of a user cage, maybe a nice gilded cage that gives you 7% monthly returns on deposits or access to the latest revolutionary pump and dump token, but it's still a cage. And that maybe the price for your freedom is not as high, one to pay for you because you live in a rich and safe city in the world under a government that doesn't have much interest in oppressing you. But for most of the world, that price is too high to pay. For most of the world, this so called open financial system of crypto exchanges is not one that they have even the choice to enter.
Because actually as a legally documented person of the United States myself, I actually can't open a Coinbase account, for example, even if I wanted to because I don't possess the right kinds of documentation to satisfy their KYC policies. So imagine how much harder it is for people who are less privileged than me. Imagine having worse financial inclusion than banks and marketing yourself as open. And so I think that's very much related to privacy because a lot of the times, things that are, custodying your coins, a lot of the time that also comes with less privacy. There's a link between the 2. So this is just, an example of why financial privacy is also a financial inclusion and, therefore, a human rights issue. And that's what I hope we can share with you today about how to avoid in creeping traditional financial surveillance into Bitcoin.
[00:08:16] Unknown:
That was fantastic, Janine. They're clapping for you. And, also, by the way, I don't know if you realize, if you can tell from the video stream, but Udi is, like, sitting right in front of me. So it's very it's very relevant. A mic? No. You do not get a mic. So, I mean, right here, we have we have different risk factors that people should be considering. First and foremost, I know this sounds very, very intimidating, and I know that even in our non Bitcoin lives, we don't really have much privacy. It feels very overwhelming. It feels like we're already screwed, so what what's the point of trying to improve our situation?
And I I really think it's important that people realize that little things you do, can improve your situation. They do make a difference. And at scale, as more people try and improve themselves little by little, it helps all of us. And and and that's that's what we I think is really important for people to really get, right, is that it's not all or nothing, and you can do actionable things today that will improve yourself. Yeah. Absolutely. And when you're thinking about mass surveillance,
[00:09:27] Unknown:
you know, it's been a hot topic the last decade pretty much. The small things that you can do in, you know, helping add to your privacy in Bitcoin is not only just helping yourself, but helping us all. If we make the cost of surveillance on Bitcoin high enough, then it can't be done at scale. And that's one of the major things that we were trying to avoid.
[00:09:50] Unknown:
Yeah. The goal is less targeted attacks. Like if if you have a sophisticated attacker who's trying to compromise your privacy, you're probably gonna get owned. But but cheap, easy, efficient mass surveillance, can be mitigated to a degree, and I I think that's where do a lot of the focus should be. So, Janine, do you wanna walk us through these main risk factors that we have up here?
[00:10:22] Unknown:
Yeah. There's quite a few. And the reason I kind of phrased it as risk factors but also actors is that some of them are factors, obviously, it would be great if we could trust third parties and obviously, it would be great if we could trust 3rd parties and they could be reliable. But the problem is that sometimes they can't even act on their own interests. They have to act on the interests of, you know, the government's legal situation that they have in the jurisdiction that they operate in. And so they may be forced against their will-to-do things that they don't wanna do. And so therefore, they are a risk regardless of whether they are you know, it's a business operated by nice people who claim to care about privacy. That's all great. But if the legal system forces them to, then they can't care as much anymore or they have to shut down.
So things like custodial wallets and exchanges are a threat because by most, by most laws, in a lot of countries, they have to collect certain personally identifiable information. That information can be leaked. For example, not to make Coinbase the, big bad ult in the room, but they recently revealed that, due to a flaw in their 2FA, second factor system. Their process, about 6000 coin based customers had their accounts compromised, and that not only included, you know, theft of coins, but also, you know, whoever had access to their accounts could obviously probably access their personal information that they used to open those accounts. But, of course, this can happen at any exchange that gets compromised.
Also a good reason, as we'll maybe mention later, don't use SMS based 2FA. Very bad. Then then kind of more general categories, you have physical attacks. That's, you know, people who notice that you walk around in a Bitcoin shirt. I personally have a rule. I don't know if anyone else does, but I have a rule that I only wear Bitcoin merchandise actually at Bitcoin events or Bitcoin meetups. I do not in general walk around Bitcoin stuff, and I know maybe that's not so great for Bitcoin marketing because you can't all find each other out in the cafe or the public square. But I the threat of someone thinking that I have a lot of money and they can just come to my house, follow me home and get my money.
There's also virtual attacks. A lot of SIM swapping, stories lately in the last couple of years. There's identity theft related to trusted third parties. There's scams. All kinds of ways that you can be attacked virtually as well. And then finally, favorite category of mine, blockchain surveillance. And I would like to clarify that, a lot of them like to say that they do blockchain analysis. And something that I distinguished many years ago between blockchain analysis and surveillance is that blockchain, you know, blockchain surveillance is blockchain analysis, but it has this added, let's say, element to it where it is being done on behalf of law enforcement. As in the results of the analysis, the conclusions that it comes to, which may be wrong because a lot of blockchain analysis is about probabilities, not certainty, is a person getting put in jail or a person getting fined. There's a law enforcement aspect. And so my I personally say, if your analysis is being done on that kind of purpose, it's surveillance.
I call that surveillance. You're a surveyor. So these are kind of there's a lot other risk factors and actors, but I think these are the main categories.
[00:13:52] Unknown:
So thank you, Janine. So, I mean, there's a couple of things I would add to what Janine was talking about. First of all, we do have these surveillance firms. They're actively watching, both the blockchain, and they're they're checking all this KYC data with the exchanges. They have partnerships with all the major regulated services in Bitcoin. They are actively, constantly looking for people. They are a regulatory requirement by a lot of these services that they need them to be compliant. And by all means, I do not think you know, I'm I'm not asking regulated services to break the law, but these laws are ineffective. These KYC laws, these ID laws, they say it's to stop criminals.
The criminals buy all all of our stolen KYC information, and then they use that to open accounts. So it's not stopping criminals. It's hurting law abiding citizens. The other thing I would add is, she mentioned probabilities, and the whole way their systems work is trying to figure out when you send a transaction on chain, whether or not ownership switched hands. So, obviously, with Bitcoin, you can send Bitcoin to yourself. They use different heuristics to look at that on chain data and make a determination if that Bitcoin passed for me to Evan or if Evan just sent it to himself. And that is that is the key to everything right there is those heuristics and those probabilities.
And the ideal situation is to have tools that make it so those heuristics get broken. And as a result, their probabilities go way lower down, and they can't be certain exactly, you know, if ownership changed. So hope is not lost. We do have mitigations currently and a lot of things, that are being improved. Janine, you wanna walk us through this?
[00:15:48] Unknown:
Yeah. Before we go into mitigations, because I I definitely do want to incorporate, you know, the the feature or the the focus of the conference human rights as much as possible in this because I think a lot of people don't realize that. And so some of you may have heard, you know, Udi's in the audience. Hi, Udi. Some of you may have heard of me from the delete Coinbase campaign. Udi came up with the hashtag, or got it really going in early 2019. And in February of that year, the reason that campaign started, it had caught my attention that, Coinbase had acquired a blockchain surveillance company called Nutrino, which was staffed by former upper management of hacking team. Specifically, Giancarlo Russo, Marco Valeri, and Alberto Onagi. Yes. That hacking team, the infamous, offensive intrusion and surveillance software company that at one point trained members of a kill team that would go on to murder Jamal Khashoggi and has likely helped target attendees of Oslo Freedom Forum itself.
I managed to find and publish the Neutrino Coinbase Acquisition Agreement. So that's why we know a bit more about that. And in response to the backlash that I helped contribute to, Coinbase claims that they had made an oversight, a due diligence oopsie. That they neglected their values as a company, by welcoming these people, all these men, into the Coinbase family, as they called it. Of course, what did they do as a result? They transitioned them out, but slowly. And, of course, kept whatever blockchain surveillance technology those people had produced, rebranded it as Coinbase Analytics. They've since received contracts from Immigration and Customs Enforcement or ICE, the US Department of Homeland Security, the US Secret Service, Drug Enforcement Agency, DEA, the IRS, and the FBI.
You can see the details of these contracts at techinquiry.org/explorer. To anyone who believes the devil speak of these blockchain surveillance firms about privacy, by the way. If any of you are here, I doubt it. But please show yourselves, then quit your job. And then ideally, give us some internal docs for the journalists. To anyone who says that, to anyone who says that block chain surveillance is not a human rights issue, I would challenge you to explain to the victims of hacking team software why they should feel comfortable using services like Coinbase or any exchange that maybe uses one of these blockchain surveillance firms, which not only in in this particular case, gave 1,000,000 of dollars to people who facilitated the compromise of their devices on behalf of their not so human rights from the governments, but continue to profit off of their software through state sponsor sponsorship.
Why should they give their sensitive personal information to a business that can't even Google or DuckDuckGo the names of bad actors whose emails were leaked in 2015 before hiring them?
[00:18:34] Unknown:
Janine really doesn't like Coinbase. Thank you, Janine. That was that's very important point, and I'm very glad that you brought it
[00:18:43] Unknown:
up here. It's,
[00:18:45] Unknown:
I mean, they obviously did know. That's just, some some PR bullshit. So here we have, some I guess I did kinda skip a slide. We have different ways of mitigating things, on the privacy side. You have a a a great way of acquiring Bitcoin in a private fashion is at home mining. Mining is permissionless. You can plug in a miner, and you can receive Bitcoin, in a in a very private way. A follow-up talk today is gonna be focused on mining, so I will leave it at that. But you should definitely be here for that because it's it's a really it's gonna be a really great conversation. KYC free services, services basically, like p2p trading, being able to trade with other people without going through a centralized third party that is collecting your ID information.
Another thing is earning Bitcoin for goods and services. If you have a store, you can accept Bitcoin, then a person is paying you Bitcoin. You're not relying on those on those services, you know, those centralized exchanges. And then we have layer 2, which we're going to be talking about lightning and coin join. Coin join is a technique, that allows you to break those heuristics on chain through collaborative transactions. The idea of having multiple people together making a transaction. When I first started working with Alex and the Freedom Fellows at HRF, we had, I think, 1 coin join wallet in 2019, and today, we have, 4, and we have even more that are in development right now. I guess we don't even have join market up here. Nope. So we have 5, all with different varying trade offs.
But the focus on basically trying to add privacy to Bitcoin through the app layer has been a major focus because one of the main value props of Bitcoin is that it's extremely hard to change. So expectations that, we would see, like, major privacy improvements that happen by default on Bitcoin, I people don't really expect that. I mean, I don't expect that. Probably not. Right. So instead, the idea is to do it at the app layer and have these software tools that allow you to kind of automate it to a degree so it's not as complicated.
[00:21:12] Unknown:
Yeah. Absolutely. Big challenge in this is the user interface. And, thankfully, we're getting more and more interfaces to easily conduct a CoinJoin transaction, you know, every day. So, lately, we got Sparrow Wallet on board. That was, like, this week? Yes. Very lately. And they got into the Whirlpool, which is a coin join that's coordinated by the folks at Samurai Wallet. So we're really stoked about this one. It's a cross platform desktop app, and you could CoinJoin your funds right in it.
[00:21:52] Unknown:
So we're actually kind of starting to run out of time here, and I do want to do a q and a. One of the issues with Bitcoin privacy is that it also relies on Internet privacy in general. So you have a lot of gotchas on the Internet side of things. How do you send Bitcoin addresses to someone who's gonna pay you? How do you secure your phone? How do you secure your computer? Bitcoin provides a financial incentive to try and improve your security because, otherwise, your money or your financial transactions are at risk. It would behoove me to say that if your life is at risk and it's a life or death situation and you can use cash, you probably should just use cash.
Cash is very private, at least for spending and and receiving in person. But we have some things here, you know, encrypted messaging. Janine, you wanna jump in here at all?
[00:22:47] Unknown:
Yeah. As I said before, as I said before, always good. And as other people and other counsels have said, always good to use, 2 factor authentication, but there are a number of reasons why you shouldn't use SMS based 2FA. So if, for example, you use an exchange that has that, you should probably use something else if you can or move to a different wallet or exchange. Anytime SMS based 2FA has given us an option, avoid it. Obviously, Tor Browser and VPNs, There is, there is or was, actually my my, kind of nickname, that one privacy girl comes after that one privacy guy who runs a VPN comparison website. That one privacy site, I think.
And it actually compared, VPNs and, but according to a number of characteristics, like jurisdiction and whether they log and those and so it's for most people, if you get your VPN recommendations form, for example, YouTube ads or sponsorships, you should rethink that. Most of pretty much all of the VPNs I've seen recommended on YouTube are not ones that I would recommend. So definitely rethink that and try to use Tor whenever possible. Ideally, even more than so than VPNs. Encrypted messaging. I'm personally, try to be as phone free as possible, so I don't use signal as much. But there are other there are actually a lot of phone free options.
And the reason in general that I, would recommend going phone free or at least as phone free as possible is that there's a number of issues with, for example, using phone numbers as identifiers. Using phones in general. There's just certain attack vectors there that are not, they're almost impossible for the user to patch in any way. That's why we have since swapping because you don't actually own your phone number. And then there's a whole bunch of browser extensions that you can add to prevent ad tracking. UBlock Origin, basically, the number one recommendation for that, and there's a bunch of others. You can all find those at a resource that we list at the end called privacy guides, dot org, which goes through all of those.
And so yeah.
[00:25:10] Unknown:
Thank you, Janine. I really as with VPNs, it's a it's a trusted relationship. So instead of your ISP, your Internet service provider, being able to see all your traffic, you're basically passing that off to another company. Ideally, what's what's kind of nice about that trade off balance is you can pay with Bitcoin with some of the good ones. I really like molevad.net. And so they do have by by design, they have less information, about yourself than, than your Internet service provider, like your cable company or something like that. So now we're going to the Lightning Network. This is, Evans Fort. He loves he loves Lightning. He has one of the the best Lightning wallets, on the market.
Thanks for the kind words. Hopefully, he'll implement CoinJoin in it so that you can do a CoinJoin in the lightning.
[00:26:01] Unknown:
We'll see about that. But, yeah, I just wanna talk a little bit about Lightning Network. And, Lightning Network provides a lot of great benefits privacy wise because your transactions are no longer being written to this immutable ledger in the form of the blockchain. However, there are a couple other trade offs and things people should be aware of. So, we got a couple of diagrams up about what the payment flows look like from both a sender and receiver's perspective and what is known by all the parties. So over here, we have, a beneficiary and an originator for making a payment.
And in green is what the receiver knows and in gray is what they don't know. So the receiver over here, they know, of course, themselves, the beneficiary nodes, and they know the routing node of the last hop from which the payment came from. So Lightning Network uses, onion messaging, somewhat similar to how the Tor network works. And, basically, it's like a stack of encrypted blobs, sort of like, one of those old Russian dolls that you could keep tearing apart. And it's pretty much it's only encrypted so that you know things on a need to know basis. You pretty much, have this data, and you just know what the next hop is gonna be. Right. So in this situation, routing node 2 knows his payment came from routing node 1 and is going to the beneficiary node.
Yeah. Let's hit the next slide. So this is the payment flow from the sender's perspective. The originator knows the whole flow of the payments. They know that it went through their node and they use this whole path of routing nodes and they know what the destination is, whereas the beneficiary doesn't necessarily know the where the payment came from. However, the important thing to know here is that as things currently stand, the receiver doesn't really have privacy in that their public key for their node is embedded in the payment request that they're paying. It's a unique identifier for the node. Yeah. And and there's ways to sort of mitigate this. I think we're going to see some great enhancements with something called Rendezvous Routing on the Lightning Network. And, some of the app wallets have been getting creative. Like in Moon, you can, like, rotate Through with 2 use, by the way. Justine recommended it earlier. It's 2 use.
So, that one sorta has lets you change your public key up, so it's a little better for
[00:28:40] Unknown:
for receiving from a privacy perspective. High level high level with lightning, senders are getting better privacy than receivers. Absolutely. So if you're taking donations, a lot of activists, that's the main thing that they wanna do is take donations. Or if you're a merchant, these are these are considerations you have to make if you're accepting lightning payments. Also, lightning is is very new still. Yeah. It's a 3 year old protocol right now. Right. So, it hasn't really it it it hasn't really existed necessarily in an adversarial environment. So there are some gotchas that maybe we're not even really aware of yet. Yeah. That's true. And and ideally but what's really cool about Lightning is because it's a second layer, development happens much, much quicker than on Bitcoin. Bitcoin is very hard to change. Lightning changes very quickly and improves very quickly. Yeah. We don't need, like, a mass consensus
[00:29:32] Unknown:
to roll out a new feature on lightning. All you need is 2 people to agree to run the software and
[00:29:37] Unknown:
agree to a new scheme. So, hopefully, all this in, like, 2 years is completely irrelevant. That'd be nice. Hopefully, we'll be back to update y'all on that. So we have a list of resources here, because it is a very dense topic. Once again, I wanna say, you know, don't get overwhelmed. Make little improvements. Learn as you go. Try and improve your improve your setup. It is can be very intimidating,
[00:30:02] Unknown:
but but hope is not lost. You can you can figure it out. Yeah. Absolutely. And if anyone ever has questions, feel free to reach out to Matt, Janine, and I. We'd love to help you all out. And, do we do we have time for q and a? Yeah. We have 7 minutes for q and a. Alright. Let's do it.
[00:30:19] Unknown:
So I I love I don't wanna go off topic from the lighting network. I love the lighting network, but just wanted to to because it's I know it's recent, but what's most recent and it's it's more threatened to to us and to me and perhaps to more activists that are here from everywhere, it's, Pegasus. And the fact that they can get into your phone I know there was a session yesterday. It was kind of it was good. It was a good session. It's but not not in person just like you guys. So I just wanted to to perhaps even combine even if we if we're using the lighting network and and my my devices are compromised with Pegasus on a computer or or or the my iPhone. How how does that what do you guys think of that in terms of privacy, in terms of all in general? I'm investigating that for myself as well. How how that works? Absolutely. So,
[00:31:14] Unknown:
malware, especially created by, like, NGOs and nation states, is gonna be prevalent in a lot of places. So unfortunately with Lightning Network, those wallets are typically hot wallets and have to be on active devices. So my general my general advice would be for Lightning Network, I would use for, you know, smaller amounts that you could afford to lose and have your Bitcoin in form of savings on the device that's not touched the Internet. So you could have it on a hardware wallet or in cold storage. Yeah. Feel free to reach us out to us, and we'll get you in the right direction with that.
[00:31:51] Unknown:
Back there? I'm gonna answer your question. I think a good idea is to run your own Lightning Network, your own Lightning node because we know, like, not your keys, nor your coins, nor your nodes, nor your rules. Then no. But no. The yeah. But when when you run your own Lightning node in a Raspberry
[00:32:17] Unknown:
like, in a different device the node can still be compromised because it's connected to the Internet, which is the problem. So while I do still recommend you use a Raspberry blitz or something like that, I love Raspberry blitz, you still have to be cognizant that anything connected to the Internet can still be popped, especially with all these 0 days that, you know, these intelligence agencies, you know, pretty much buy. Even even using tour. Yes.
[00:32:44] Unknown:
Sorry, Alex. Let's please keep it to questions.
[00:32:47] Unknown:
White shirt in the back.
[00:32:52] Unknown:
Thank you. Question for the panel. Leading to one of the questions, Matt said, if you are targeted by a sophisticated state actor, this is probably you're probably owned. This is a conference of people who are regularly targeted by state security actors. Do you ever see, all this, as easy to operate as a toaster so that you don't need, ninja level security.
[00:33:21] Unknown:
I mean, that's the dream. Right? Unfortunately, we're not really there yet. I think, I I you know, this is all very new. We've never had such a digital world, and as more of our lives become digital, people will get burned. The leaks and the hacks will get bigger and bigger. And as these attacks escalate, hopefully, there'll be a natural, you know, market incentive and market forces and and just motivation by people who wanna see things change, to improve things. But, unfortunately, I tend to I'm optimistic, but I'm kind of optimistic because I think it'll get pretty bad. And as it gets worse, like, people will see the need for it. Right? Because if it happens at a smaller scale, people don't really
[00:34:11] Unknown:
the the will isn't there. Yeah. Absolutely. I I think that we're gonna see a lot of great UI and UX improvements as far as using Bitcoin, especially using Bitcoin privately. Obviously there are a lot of people who are passionate about it and that are cranking out great new software every day. But, I I think it's gonna take a little more investment from other parties to really make the products that we wanna see happen. So
[00:34:36] Unknown:
Quick question. Are all of these, software are all of these layered softwares depending on Bitcoin or any cryptocurrency
[00:34:46] Unknown:
will work? This is all Bitcoin specific. Our focus, I can speak for Janine as well as Evan, is our focus has been purely on Bitcoin. It's a a a massive opportunity to improve the world, so we try not to get too distracted on other projects.
[00:35:04] Unknown:
Yeah. I just don't think any other project has the infallibility that Bitcoin has. Like, everything else is is not subject to the same assurances that Bitcoin has. They could easily be manipulated, whether from, you know, the the founders being compromised, pressure being put on there, the networks not being decentralized, centralized choke choke points on exchanges with a lot of them. Yeah. Just just no other cryptocurrency is is nearly as resilient as Bitcoin. So we we need to make sure we get this one right. Or or either one. Yeah.
[00:35:43] Unknown:
That being said, you know, in terms of development point of view, I'm really, kinda concerned about, compromising security. A lot of these new products are coming in, you know, based on other development programs, faster, quicker, and it's compromising security. So and this happens because the, finance may not understand the developing work. Why should it invest more in Bitcoin programming, because it is more secure? So what can we do as community to say, hey. Do not compromise security over, you know, cheaper, faster, doesn't necessarily mean better. So I I really wanna see more Bitcoin developers get paid a bit better because it is more of a challenging program, but there's a reason for that.
And, also, I wanna see the community to understand why that is important because security has to do a lot to do it. So, hopefully, you know, I just wanna bring more awareness to that. We definitely agree.
[00:36:48] Unknown:
Unfortunately, we're out of time. I do want to use that opportunity to say if you go to hrf.org /devfund, you can donate Bitcoin or fiat, and, the HRF is providing grants to open source Bitcoin developers who are aren't making much money, if anything, at all. So you should definitely consider doing that. Yeah. Thanks to HRF.
[00:37:10] Unknown:
They gave a 1 Bitcoin grant to the Zeus project. We turned around and put out 5 different bounties for contributions to the Zeus source code. And as a result, we've got support for many more different kinds of Lightning implementations. And now we have Tor caked into the app. And, you know, that's thanks to HRF, so I'd just like to say thank you for that.
[00:37:38] Unknown:
Thank you, Janine.
[00:37:41] Unknown:
Thank you, Janine. Thanks, Alex. We'll see you soon. Thank you. Thank you.
Alright, everyone. So welcome to using Bitcoin privately. We have 3 distinguished guests here. 2 of which are here in person, and one is tuning in. Again, we wanna talk about privacy and surveillance and using Bitcoin as safely as possible. A lot of people here in Miami or New York using Bitcoin may not be that worried, about people understanding, their their Bitcoin usage, but folks around the world, have have a deep, a deep need to understand this topic. So I'm delighted to have 3, 3 experts on this. Just give me a second to to quiet the the venue, and then you guys can can go. Just give me a second.
[00:00:53] Unknown:
Testing. Testing. How's it going, guys? Janine, can you hear us? Yeah. I can hear you. Awesome. Okay. Here we go. Hey. So we have Janine joining us remotely. My name is Matt O'Dell. I'm a independent Bitcoin privacy advocate. We're here to talk about a very important conversation, which is using Bitcoin privately and the different privacy gotchas that involve Bitcoin. This after we have our conversation, there's gonna be a 10 minute q and a. So if you have any questions, consider them, and we're we're looking forward to the questions. We find them very productive. I wanted to thank Alex and HRF for hosting the Bitcoin Academy.
It's a really important initiative, for hosting Oslo Freedom Forum in general. You know, a lot of these activists, they're very motivated, very determined. They put their lives at risk every day, and I really do think, you know, that's part of the reason that we put so much effort into Bitcoin. So it really it it really does make it all worth it, being here and hearing those stories. Before I pass it over to Evan, I'm curious here. How many people have sent a Bitcoin transaction? Okay. Good.
[00:02:11] Unknown:
Evan, you wanna introduce yourself? Yeah. Sure thing. Hey, all. I'm Evan Kaludis. I am a software engineer. You guys might know me from my open source project, Zeus, which is a lightning wallet for people who run their own full node. I also work at Kraken, trying to get the lightning integration out the door there. 2 weeks? 2 weeks. Let's see. Let's see. But, yeah, just really glad to be here and talk to you guys about a really important topic. You know, Bitcoin is something that has a lot of misconceptions behind it, and I'm sure, you know, many of you when they first heard about Bitcoin, you know, had this misconception that it was a private asset, you know, that its transactions were completely private, and that's just not the case.
So, yeah. So the goal of our talk is to, you know, introduce you guys to some method you could use to maintain privacy when using Bitcoin and,
[00:03:10] Unknown:
knowing some of the gotchas. Janine, you wanna introduce yourself?
[00:03:16] Unknown:
Yeah. Hi there. My name is Janine, and, I'm an investigative journalist and privacy researcher currently at, CASA, actually. Earlier this year, I received a grant from Human Rights Foundation for my newsletter this month in Bitcoin privacy, which is a relevant resource for anyone here who is interested in the topic of our session today.
[00:03:37] Unknown:
Thank you, Janine. We have a lot of respect for Janine. She's doing the privacy advocacy correct because you can't see her right now. So she brings shame to me and Evan. So first and foremost, Bitcoin is not private by default. If you send a Bitcoin transaction, it is on the ledger called the blockchain. That ledger is viewable by everyone. It will probably outlive all of us. So mistakes you make today can affect you in the future, especially if you're an activist and authoritarian regime. They will try and track your transactions. They will try and use it against you. You need to be aware of that risk that it exists in the first place.
The second big thing I really want to hone in here is that most people who are entering Bitcoin nowadays enter through regulated onramps. Those regulated companies require identification information, KYC information, email addresses, phone numbers, Social Security numbers, driver's licenses. Those are all connected to your Bitcoin addresses when you withdraw. So if you don't take privacy precautions at that point, it can be used against you in the future. Even if the company is not malicious, they might not be able to secure it correctly. It might get hacked. It might get bought, stolen.
We just had Coinbase recently. They had 6,000 people's intimate personal information, home addresses, every withdrawal address, all get leaked. And so you you might think you're protected now, but if that happens in the future, then a malicious actor can go and use look back on the blockchain and go back and see your transactions that they might not have been able to see before. Janine, you have any opening thoughts over there? We might have some connectivity issues, or she might be muted. Evan, what what are you thinking?
[00:05:38] Unknown:
So yeah. So when you're dealing with the blockchain, which is this immutable database, it's, you know, quite quite crucial to do things correctly. You can't undo your mistakes. Right? Once a transaction is broadcast and more importantly, like, confirm, there's no undoing it. That record is sealed, and it's on the hard drive of everyone who's running a Bitcoin note.
[00:06:03] Unknown:
Janine, can you hear me now?
[00:06:07] Unknown:
Yeah. I can hear you. Awesome. Just a bit, noisy.
[00:06:11] Unknown:
So did you could you hear what we were saying? Do do you have any thoughts before we move on to risks?
[00:06:19] Unknown:
Yeah. I mean, the main thing I wanted to say, because a lot of, I've especially heard in the last couple of days that there are some people, saying that not your keys, not your coins, even Even though it's been a popular mantra in Bitcoin for many years, they say that this is now somehow outdated advice, and that you for user experience reasons, for quote exposure, it's better to get on board through a top five exchange. And what I have to say to that is that if your user experience requires compromising your ethics, your safety, your privacy, or your liberty, then it's not really a user experience. It's more of a user cage, maybe a nice gilded cage that gives you 7% monthly returns on deposits or access to the latest revolutionary pump and dump token, but it's still a cage. And that maybe the price for your freedom is not as high, one to pay for you because you live in a rich and safe city in the world under a government that doesn't have much interest in oppressing you. But for most of the world, that price is too high to pay. For most of the world, this so called open financial system of crypto exchanges is not one that they have even the choice to enter.
Because actually as a legally documented person of the United States myself, I actually can't open a Coinbase account, for example, even if I wanted to because I don't possess the right kinds of documentation to satisfy their KYC policies. So imagine how much harder it is for people who are less privileged than me. Imagine having worse financial inclusion than banks and marketing yourself as open. And so I think that's very much related to privacy because a lot of the times, things that are, custodying your coins, a lot of the time that also comes with less privacy. There's a link between the 2. So this is just, an example of why financial privacy is also a financial inclusion and, therefore, a human rights issue. And that's what I hope we can share with you today about how to avoid in creeping traditional financial surveillance into Bitcoin.
[00:08:16] Unknown:
That was fantastic, Janine. They're clapping for you. And, also, by the way, I don't know if you realize, if you can tell from the video stream, but Udi is, like, sitting right in front of me. So it's very it's very relevant. A mic? No. You do not get a mic. So, I mean, right here, we have we have different risk factors that people should be considering. First and foremost, I know this sounds very, very intimidating, and I know that even in our non Bitcoin lives, we don't really have much privacy. It feels very overwhelming. It feels like we're already screwed, so what what's the point of trying to improve our situation?
And I I really think it's important that people realize that little things you do, can improve your situation. They do make a difference. And at scale, as more people try and improve themselves little by little, it helps all of us. And and and that's that's what we I think is really important for people to really get, right, is that it's not all or nothing, and you can do actionable things today that will improve yourself. Yeah. Absolutely. And when you're thinking about mass surveillance,
[00:09:27] Unknown:
you know, it's been a hot topic the last decade pretty much. The small things that you can do in, you know, helping add to your privacy in Bitcoin is not only just helping yourself, but helping us all. If we make the cost of surveillance on Bitcoin high enough, then it can't be done at scale. And that's one of the major things that we were trying to avoid.
[00:09:50] Unknown:
Yeah. The goal is less targeted attacks. Like if if you have a sophisticated attacker who's trying to compromise your privacy, you're probably gonna get owned. But but cheap, easy, efficient mass surveillance, can be mitigated to a degree, and I I think that's where do a lot of the focus should be. So, Janine, do you wanna walk us through these main risk factors that we have up here?
[00:10:22] Unknown:
Yeah. There's quite a few. And the reason I kind of phrased it as risk factors but also actors is that some of them are factors, obviously, it would be great if we could trust third parties and obviously, it would be great if we could trust 3rd parties and they could be reliable. But the problem is that sometimes they can't even act on their own interests. They have to act on the interests of, you know, the government's legal situation that they have in the jurisdiction that they operate in. And so they may be forced against their will-to-do things that they don't wanna do. And so therefore, they are a risk regardless of whether they are you know, it's a business operated by nice people who claim to care about privacy. That's all great. But if the legal system forces them to, then they can't care as much anymore or they have to shut down.
So things like custodial wallets and exchanges are a threat because by most, by most laws, in a lot of countries, they have to collect certain personally identifiable information. That information can be leaked. For example, not to make Coinbase the, big bad ult in the room, but they recently revealed that, due to a flaw in their 2FA, second factor system. Their process, about 6000 coin based customers had their accounts compromised, and that not only included, you know, theft of coins, but also, you know, whoever had access to their accounts could obviously probably access their personal information that they used to open those accounts. But, of course, this can happen at any exchange that gets compromised.
Also a good reason, as we'll maybe mention later, don't use SMS based 2FA. Very bad. Then then kind of more general categories, you have physical attacks. That's, you know, people who notice that you walk around in a Bitcoin shirt. I personally have a rule. I don't know if anyone else does, but I have a rule that I only wear Bitcoin merchandise actually at Bitcoin events or Bitcoin meetups. I do not in general walk around Bitcoin stuff, and I know maybe that's not so great for Bitcoin marketing because you can't all find each other out in the cafe or the public square. But I the threat of someone thinking that I have a lot of money and they can just come to my house, follow me home and get my money.
There's also virtual attacks. A lot of SIM swapping, stories lately in the last couple of years. There's identity theft related to trusted third parties. There's scams. All kinds of ways that you can be attacked virtually as well. And then finally, favorite category of mine, blockchain surveillance. And I would like to clarify that, a lot of them like to say that they do blockchain analysis. And something that I distinguished many years ago between blockchain analysis and surveillance is that blockchain, you know, blockchain surveillance is blockchain analysis, but it has this added, let's say, element to it where it is being done on behalf of law enforcement. As in the results of the analysis, the conclusions that it comes to, which may be wrong because a lot of blockchain analysis is about probabilities, not certainty, is a person getting put in jail or a person getting fined. There's a law enforcement aspect. And so my I personally say, if your analysis is being done on that kind of purpose, it's surveillance.
I call that surveillance. You're a surveyor. So these are kind of there's a lot other risk factors and actors, but I think these are the main categories.
[00:13:52] Unknown:
So thank you, Janine. So, I mean, there's a couple of things I would add to what Janine was talking about. First of all, we do have these surveillance firms. They're actively watching, both the blockchain, and they're they're checking all this KYC data with the exchanges. They have partnerships with all the major regulated services in Bitcoin. They are actively, constantly looking for people. They are a regulatory requirement by a lot of these services that they need them to be compliant. And by all means, I do not think you know, I'm I'm not asking regulated services to break the law, but these laws are ineffective. These KYC laws, these ID laws, they say it's to stop criminals.
The criminals buy all all of our stolen KYC information, and then they use that to open accounts. So it's not stopping criminals. It's hurting law abiding citizens. The other thing I would add is, she mentioned probabilities, and the whole way their systems work is trying to figure out when you send a transaction on chain, whether or not ownership switched hands. So, obviously, with Bitcoin, you can send Bitcoin to yourself. They use different heuristics to look at that on chain data and make a determination if that Bitcoin passed for me to Evan or if Evan just sent it to himself. And that is that is the key to everything right there is those heuristics and those probabilities.
And the ideal situation is to have tools that make it so those heuristics get broken. And as a result, their probabilities go way lower down, and they can't be certain exactly, you know, if ownership changed. So hope is not lost. We do have mitigations currently and a lot of things, that are being improved. Janine, you wanna walk us through this?
[00:15:48] Unknown:
Yeah. Before we go into mitigations, because I I definitely do want to incorporate, you know, the the feature or the the focus of the conference human rights as much as possible in this because I think a lot of people don't realize that. And so some of you may have heard, you know, Udi's in the audience. Hi, Udi. Some of you may have heard of me from the delete Coinbase campaign. Udi came up with the hashtag, or got it really going in early 2019. And in February of that year, the reason that campaign started, it had caught my attention that, Coinbase had acquired a blockchain surveillance company called Nutrino, which was staffed by former upper management of hacking team. Specifically, Giancarlo Russo, Marco Valeri, and Alberto Onagi. Yes. That hacking team, the infamous, offensive intrusion and surveillance software company that at one point trained members of a kill team that would go on to murder Jamal Khashoggi and has likely helped target attendees of Oslo Freedom Forum itself.
I managed to find and publish the Neutrino Coinbase Acquisition Agreement. So that's why we know a bit more about that. And in response to the backlash that I helped contribute to, Coinbase claims that they had made an oversight, a due diligence oopsie. That they neglected their values as a company, by welcoming these people, all these men, into the Coinbase family, as they called it. Of course, what did they do as a result? They transitioned them out, but slowly. And, of course, kept whatever blockchain surveillance technology those people had produced, rebranded it as Coinbase Analytics. They've since received contracts from Immigration and Customs Enforcement or ICE, the US Department of Homeland Security, the US Secret Service, Drug Enforcement Agency, DEA, the IRS, and the FBI.
You can see the details of these contracts at techinquiry.org/explorer. To anyone who believes the devil speak of these blockchain surveillance firms about privacy, by the way. If any of you are here, I doubt it. But please show yourselves, then quit your job. And then ideally, give us some internal docs for the journalists. To anyone who says that, to anyone who says that block chain surveillance is not a human rights issue, I would challenge you to explain to the victims of hacking team software why they should feel comfortable using services like Coinbase or any exchange that maybe uses one of these blockchain surveillance firms, which not only in in this particular case, gave 1,000,000 of dollars to people who facilitated the compromise of their devices on behalf of their not so human rights from the governments, but continue to profit off of their software through state sponsor sponsorship.
Why should they give their sensitive personal information to a business that can't even Google or DuckDuckGo the names of bad actors whose emails were leaked in 2015 before hiring them?
[00:18:34] Unknown:
Janine really doesn't like Coinbase. Thank you, Janine. That was that's very important point, and I'm very glad that you brought it
[00:18:43] Unknown:
up here. It's,
[00:18:45] Unknown:
I mean, they obviously did know. That's just, some some PR bullshit. So here we have, some I guess I did kinda skip a slide. We have different ways of mitigating things, on the privacy side. You have a a a great way of acquiring Bitcoin in a private fashion is at home mining. Mining is permissionless. You can plug in a miner, and you can receive Bitcoin, in a in a very private way. A follow-up talk today is gonna be focused on mining, so I will leave it at that. But you should definitely be here for that because it's it's a really it's gonna be a really great conversation. KYC free services, services basically, like p2p trading, being able to trade with other people without going through a centralized third party that is collecting your ID information.
Another thing is earning Bitcoin for goods and services. If you have a store, you can accept Bitcoin, then a person is paying you Bitcoin. You're not relying on those on those services, you know, those centralized exchanges. And then we have layer 2, which we're going to be talking about lightning and coin join. Coin join is a technique, that allows you to break those heuristics on chain through collaborative transactions. The idea of having multiple people together making a transaction. When I first started working with Alex and the Freedom Fellows at HRF, we had, I think, 1 coin join wallet in 2019, and today, we have, 4, and we have even more that are in development right now. I guess we don't even have join market up here. Nope. So we have 5, all with different varying trade offs.
But the focus on basically trying to add privacy to Bitcoin through the app layer has been a major focus because one of the main value props of Bitcoin is that it's extremely hard to change. So expectations that, we would see, like, major privacy improvements that happen by default on Bitcoin, I people don't really expect that. I mean, I don't expect that. Probably not. Right. So instead, the idea is to do it at the app layer and have these software tools that allow you to kind of automate it to a degree so it's not as complicated.
[00:21:12] Unknown:
Yeah. Absolutely. Big challenge in this is the user interface. And, thankfully, we're getting more and more interfaces to easily conduct a CoinJoin transaction, you know, every day. So, lately, we got Sparrow Wallet on board. That was, like, this week? Yes. Very lately. And they got into the Whirlpool, which is a coin join that's coordinated by the folks at Samurai Wallet. So we're really stoked about this one. It's a cross platform desktop app, and you could CoinJoin your funds right in it.
[00:21:52] Unknown:
So we're actually kind of starting to run out of time here, and I do want to do a q and a. One of the issues with Bitcoin privacy is that it also relies on Internet privacy in general. So you have a lot of gotchas on the Internet side of things. How do you send Bitcoin addresses to someone who's gonna pay you? How do you secure your phone? How do you secure your computer? Bitcoin provides a financial incentive to try and improve your security because, otherwise, your money or your financial transactions are at risk. It would behoove me to say that if your life is at risk and it's a life or death situation and you can use cash, you probably should just use cash.
Cash is very private, at least for spending and and receiving in person. But we have some things here, you know, encrypted messaging. Janine, you wanna jump in here at all?
[00:22:47] Unknown:
Yeah. As I said before, as I said before, always good. And as other people and other counsels have said, always good to use, 2 factor authentication, but there are a number of reasons why you shouldn't use SMS based 2FA. So if, for example, you use an exchange that has that, you should probably use something else if you can or move to a different wallet or exchange. Anytime SMS based 2FA has given us an option, avoid it. Obviously, Tor Browser and VPNs, There is, there is or was, actually my my, kind of nickname, that one privacy girl comes after that one privacy guy who runs a VPN comparison website. That one privacy site, I think.
And it actually compared, VPNs and, but according to a number of characteristics, like jurisdiction and whether they log and those and so it's for most people, if you get your VPN recommendations form, for example, YouTube ads or sponsorships, you should rethink that. Most of pretty much all of the VPNs I've seen recommended on YouTube are not ones that I would recommend. So definitely rethink that and try to use Tor whenever possible. Ideally, even more than so than VPNs. Encrypted messaging. I'm personally, try to be as phone free as possible, so I don't use signal as much. But there are other there are actually a lot of phone free options.
And the reason in general that I, would recommend going phone free or at least as phone free as possible is that there's a number of issues with, for example, using phone numbers as identifiers. Using phones in general. There's just certain attack vectors there that are not, they're almost impossible for the user to patch in any way. That's why we have since swapping because you don't actually own your phone number. And then there's a whole bunch of browser extensions that you can add to prevent ad tracking. UBlock Origin, basically, the number one recommendation for that, and there's a bunch of others. You can all find those at a resource that we list at the end called privacy guides, dot org, which goes through all of those.
And so yeah.
[00:25:10] Unknown:
Thank you, Janine. I really as with VPNs, it's a it's a trusted relationship. So instead of your ISP, your Internet service provider, being able to see all your traffic, you're basically passing that off to another company. Ideally, what's what's kind of nice about that trade off balance is you can pay with Bitcoin with some of the good ones. I really like molevad.net. And so they do have by by design, they have less information, about yourself than, than your Internet service provider, like your cable company or something like that. So now we're going to the Lightning Network. This is, Evans Fort. He loves he loves Lightning. He has one of the the best Lightning wallets, on the market.
Thanks for the kind words. Hopefully, he'll implement CoinJoin in it so that you can do a CoinJoin in the lightning.
[00:26:01] Unknown:
We'll see about that. But, yeah, I just wanna talk a little bit about Lightning Network. And, Lightning Network provides a lot of great benefits privacy wise because your transactions are no longer being written to this immutable ledger in the form of the blockchain. However, there are a couple other trade offs and things people should be aware of. So, we got a couple of diagrams up about what the payment flows look like from both a sender and receiver's perspective and what is known by all the parties. So over here, we have, a beneficiary and an originator for making a payment.
And in green is what the receiver knows and in gray is what they don't know. So the receiver over here, they know, of course, themselves, the beneficiary nodes, and they know the routing node of the last hop from which the payment came from. So Lightning Network uses, onion messaging, somewhat similar to how the Tor network works. And, basically, it's like a stack of encrypted blobs, sort of like, one of those old Russian dolls that you could keep tearing apart. And it's pretty much it's only encrypted so that you know things on a need to know basis. You pretty much, have this data, and you just know what the next hop is gonna be. Right. So in this situation, routing node 2 knows his payment came from routing node 1 and is going to the beneficiary node.
Yeah. Let's hit the next slide. So this is the payment flow from the sender's perspective. The originator knows the whole flow of the payments. They know that it went through their node and they use this whole path of routing nodes and they know what the destination is, whereas the beneficiary doesn't necessarily know the where the payment came from. However, the important thing to know here is that as things currently stand, the receiver doesn't really have privacy in that their public key for their node is embedded in the payment request that they're paying. It's a unique identifier for the node. Yeah. And and there's ways to sort of mitigate this. I think we're going to see some great enhancements with something called Rendezvous Routing on the Lightning Network. And, some of the app wallets have been getting creative. Like in Moon, you can, like, rotate Through with 2 use, by the way. Justine recommended it earlier. It's 2 use.
So, that one sorta has lets you change your public key up, so it's a little better for
[00:28:40] Unknown:
for receiving from a privacy perspective. High level high level with lightning, senders are getting better privacy than receivers. Absolutely. So if you're taking donations, a lot of activists, that's the main thing that they wanna do is take donations. Or if you're a merchant, these are these are considerations you have to make if you're accepting lightning payments. Also, lightning is is very new still. Yeah. It's a 3 year old protocol right now. Right. So, it hasn't really it it it hasn't really existed necessarily in an adversarial environment. So there are some gotchas that maybe we're not even really aware of yet. Yeah. That's true. And and ideally but what's really cool about Lightning is because it's a second layer, development happens much, much quicker than on Bitcoin. Bitcoin is very hard to change. Lightning changes very quickly and improves very quickly. Yeah. We don't need, like, a mass consensus
[00:29:32] Unknown:
to roll out a new feature on lightning. All you need is 2 people to agree to run the software and
[00:29:37] Unknown:
agree to a new scheme. So, hopefully, all this in, like, 2 years is completely irrelevant. That'd be nice. Hopefully, we'll be back to update y'all on that. So we have a list of resources here, because it is a very dense topic. Once again, I wanna say, you know, don't get overwhelmed. Make little improvements. Learn as you go. Try and improve your improve your setup. It is can be very intimidating,
[00:30:02] Unknown:
but but hope is not lost. You can you can figure it out. Yeah. Absolutely. And if anyone ever has questions, feel free to reach out to Matt, Janine, and I. We'd love to help you all out. And, do we do we have time for q and a? Yeah. We have 7 minutes for q and a. Alright. Let's do it.
[00:30:19] Unknown:
So I I love I don't wanna go off topic from the lighting network. I love the lighting network, but just wanted to to because it's I know it's recent, but what's most recent and it's it's more threatened to to us and to me and perhaps to more activists that are here from everywhere, it's, Pegasus. And the fact that they can get into your phone I know there was a session yesterday. It was kind of it was good. It was a good session. It's but not not in person just like you guys. So I just wanted to to perhaps even combine even if we if we're using the lighting network and and my my devices are compromised with Pegasus on a computer or or or the my iPhone. How how does that what do you guys think of that in terms of privacy, in terms of all in general? I'm investigating that for myself as well. How how that works? Absolutely. So,
[00:31:14] Unknown:
malware, especially created by, like, NGOs and nation states, is gonna be prevalent in a lot of places. So unfortunately with Lightning Network, those wallets are typically hot wallets and have to be on active devices. So my general my general advice would be for Lightning Network, I would use for, you know, smaller amounts that you could afford to lose and have your Bitcoin in form of savings on the device that's not touched the Internet. So you could have it on a hardware wallet or in cold storage. Yeah. Feel free to reach us out to us, and we'll get you in the right direction with that.
[00:31:51] Unknown:
Back there? I'm gonna answer your question. I think a good idea is to run your own Lightning Network, your own Lightning node because we know, like, not your keys, nor your coins, nor your nodes, nor your rules. Then no. But no. The yeah. But when when you run your own Lightning node in a Raspberry
[00:32:17] Unknown:
like, in a different device the node can still be compromised because it's connected to the Internet, which is the problem. So while I do still recommend you use a Raspberry blitz or something like that, I love Raspberry blitz, you still have to be cognizant that anything connected to the Internet can still be popped, especially with all these 0 days that, you know, these intelligence agencies, you know, pretty much buy. Even even using tour. Yes.
[00:32:44] Unknown:
Sorry, Alex. Let's please keep it to questions.
[00:32:47] Unknown:
White shirt in the back.
[00:32:52] Unknown:
Thank you. Question for the panel. Leading to one of the questions, Matt said, if you are targeted by a sophisticated state actor, this is probably you're probably owned. This is a conference of people who are regularly targeted by state security actors. Do you ever see, all this, as easy to operate as a toaster so that you don't need, ninja level security.
[00:33:21] Unknown:
I mean, that's the dream. Right? Unfortunately, we're not really there yet. I think, I I you know, this is all very new. We've never had such a digital world, and as more of our lives become digital, people will get burned. The leaks and the hacks will get bigger and bigger. And as these attacks escalate, hopefully, there'll be a natural, you know, market incentive and market forces and and just motivation by people who wanna see things change, to improve things. But, unfortunately, I tend to I'm optimistic, but I'm kind of optimistic because I think it'll get pretty bad. And as it gets worse, like, people will see the need for it. Right? Because if it happens at a smaller scale, people don't really
[00:34:11] Unknown:
the the will isn't there. Yeah. Absolutely. I I think that we're gonna see a lot of great UI and UX improvements as far as using Bitcoin, especially using Bitcoin privately. Obviously there are a lot of people who are passionate about it and that are cranking out great new software every day. But, I I think it's gonna take a little more investment from other parties to really make the products that we wanna see happen. So
[00:34:36] Unknown:
Quick question. Are all of these, software are all of these layered softwares depending on Bitcoin or any cryptocurrency
[00:34:46] Unknown:
will work? This is all Bitcoin specific. Our focus, I can speak for Janine as well as Evan, is our focus has been purely on Bitcoin. It's a a a massive opportunity to improve the world, so we try not to get too distracted on other projects.
[00:35:04] Unknown:
Yeah. I just don't think any other project has the infallibility that Bitcoin has. Like, everything else is is not subject to the same assurances that Bitcoin has. They could easily be manipulated, whether from, you know, the the founders being compromised, pressure being put on there, the networks not being decentralized, centralized choke choke points on exchanges with a lot of them. Yeah. Just just no other cryptocurrency is is nearly as resilient as Bitcoin. So we we need to make sure we get this one right. Or or either one. Yeah.
[00:35:43] Unknown:
That being said, you know, in terms of development point of view, I'm really, kinda concerned about, compromising security. A lot of these new products are coming in, you know, based on other development programs, faster, quicker, and it's compromising security. So and this happens because the, finance may not understand the developing work. Why should it invest more in Bitcoin programming, because it is more secure? So what can we do as community to say, hey. Do not compromise security over, you know, cheaper, faster, doesn't necessarily mean better. So I I really wanna see more Bitcoin developers get paid a bit better because it is more of a challenging program, but there's a reason for that.
And, also, I wanna see the community to understand why that is important because security has to do a lot to do it. So, hopefully, you know, I just wanna bring more awareness to that. We definitely agree.
[00:36:48] Unknown:
Unfortunately, we're out of time. I do want to use that opportunity to say if you go to hrf.org /devfund, you can donate Bitcoin or fiat, and, the HRF is providing grants to open source Bitcoin developers who are aren't making much money, if anything, at all. So you should definitely consider doing that. Yeah. Thanks to HRF.
[00:37:10] Unknown:
They gave a 1 Bitcoin grant to the Zeus project. We turned around and put out 5 different bounties for contributions to the Zeus source code. And as a result, we've got support for many more different kinds of Lightning implementations. And now we have Tor caked into the app. And, you know, that's thanks to HRF, so I'd just like to say thank you for that.
[00:37:38] Unknown:
Thank you, Janine.
[00:37:41] Unknown:
Thank you, Janine. Thanks, Alex. We'll see you soon. Thank you. Thank you.
Introduction to Bitcoin privacy and the importance of using Bitcoin privately
The risks and actors involved in Bitcoin privacy
Mitigations for improving Bitcoin privacy, including home mining, KYC-free services, earning Bitcoin for goods and services, and using layer 2 solutions like Lightning Network and CoinJoin
Challenges and future improvements in Bitcoin privacy, including the need for user-friendly interfaces and the importance of Internet privacy
