Pile of Bitcoin

Research published last week reveals that cookies and other data collected by ad trackers on e-commerce sites can be used to de-anonymize Bitcoin transactions.

The idea is that despite how careful users are to hide their identity behind a random Bitcoin address when purchasing products, the same assumption of privacy and anonymity cannot be expected from the online platform where the transaction takes place.

Usually, these sites store cookies on each user or willingly share data on their buyers with advertising companies. This is done for financial reasons as to allow advertisers to deliver targeted ads, increasing the chance of users clicking on advertisements, and boosting the store's ad revenues.

Ad trackers pose a serious threat to Bitcoin anonymity

This data that e-commerce sites collect can vary from simple cookies detailing the user's system to information about purchased products, prices, abandoned carts, email, or shipping addresses.

Even if a site or ad tracker doesn't store that much information, a determined attacker or a law enforcement agency can aggregate data from multiple advertising agencies.

Aggregating data helps investigators create more accurate profiles of desired users, or link suspicious Bitcoin addresses to real-world identities, online usernames, email addresses, and other data that might have been collected by e-commerce sites and passed down to advertisers.

Furthermore, in the happiest cases, even if the e-commerce site saves little data about users, a client that once paid for a product via Bitcoin and then comes back to the site and pays via credit card or another method, can be linked via various small tidbits such as cookies.

Researchers investigated 130 Bitcoin-friendly online stores

The research — carried out by a team from Princeton University — also analyzed 130 online e-commerce sites from 21 countries that allow users to pay with Bitcoin.

Bitcoin leaks via ad trackers on online stores

Researchers looked at how these sites handle Bitcoin transactions and what information leaks during the checkout process. Their findings are below:

⇨ 53/130 of merchants leaked payment information to third parties, most frequently from shopping cart pages.
⇨ 49/130 merchants leaked some form of PII.
⇨ 32/130 merchants leaked email address information.
⇨ 27/130 and 25/130 merchants leaked first and last name information, respectively.
⇨ 15/130 merchants leaked username information.
⇨ 13/130 merchants leaked shipping address information.
⇨ 10/130 merchants leaked the user's phone number.
⇨ 25/130 merchants still leak sensitive information to third parties, even with tracking protection enabled.
⇨ 12/130 merchants leaked the user's Bitcoin address.
⇨ 11/130 merchants leaked the Bitcoin price for the user's products.
⇨ 28/130 merchants leaked add-to-cart events.
⇨ 107/130 merchant sites grant third-party scripts access to transaction-relevant information.
⇨ 125/130 merchant sites granted third-party scripts access to some form of  PII.

All this data can be crucial in de-anonymizing a user's online identity, especially if it slowly piles up on the servers of online advertisers across months or years.

While this could be damning for a crook who has obtained his funds through illegal means, it can also prove fatal for online activists trying to evade oppressive regimes.

More information about this study and proposed mitigations are available in the research paper titled "When the cookie meets the blockchain: Privacy risks of web payments via cryptocurrencies."

This research is not the first paper that deals with Bitcoin's privacy issues. Previous work can be found here, here, here, and here.