Research published last week reveals that cookies and other data collected by ad trackers on e-commerce sites can be used to de-anonymize Bitcoin transactions.
The idea is that no matter how carefully users hide their identity behind a random Bitcoin address when purchasing products, they cannot expect the same privacy and anonymity from the online platform where the transaction takes place.
Usually, these sites store cookies for each user or willingly share data on their buyers with advertising companies. This is done for financial reasons: it allows advertisers to deliver targeted ads, increasing the chance of users clicking on advertisements and boosting the store's ad revenues.
The data that e-commerce sites collect can vary from simple cookies detailing the user's system to information about purchased products, prices, abandoned carts, and email or shipping addresses.
Even if a site or ad tracker doesn't store that much information, a determined attacker or a law enforcement agency can aggregate data from multiple advertising agencies.
Aggregating data helps investigators create more accurate profiles of users of interest, or link suspicious Bitcoin addresses to real-world identities, online usernames, email addresses, and other data that might have been collected by e-commerce sites and passed down to advertisers.
Furthermore, in the most favorable cases, even if the e-commerce site saves little data about users, a client who once paid for a product via Bitcoin and later comes back to the site and pays via credit card or another method can be linked via various small tidbits such as cookies.
The research — carried out by a team from Princeton University — also analyzed 130 online e-commerce sites from 21 countries that allow users to pay with Bitcoin.
Researchers looked at how these sites handle Bitcoin transactions and what information leaks during the checkout process. Their findings are below:
All this data can be crucial in de-anonymizing a user's online identity, especially if it slowly piles up on the servers of online advertisers across months or years.
While this could be damning for a crook who has obtained his funds through illegal means, it can also prove fatal for online activists trying to evade oppressive regimes.
More information about this study and its proposed mitigations is available in the research paper titled "When the cookie meets the blockchain: Privacy risks of web payments via cryptocurrencies."