When the cookie meets the blockchain: Privacy risks of web payments via cryptocurrencies

Open access


We show how third-party web trackers can deanonymize users of cryptocurrencies. We present two distinct but complementary attacks. On most shopping websites, third-party trackers receive information about user purchases for purposes of advertising and analytics. We show that, if the user pays using a cryptocurrency, trackers typically possess enough information about the purchase to uniquely identify the transaction on the blockchain, link it to the user’s cookie, and further to the user’s real identity. Our second attack shows that if the tracker is able to link two purchases of the same user to the blockchain in this manner, it can identify the user’s cluster of addresses and transactions on the blockchain, even if the user employs blockchain anonymity techniques such as CoinJoin. The attacks are passive and hence can be retroactively applied to past purchases. We discuss several mitigations, but none are perfect.

