4 February 2015

Privacy and Bitcoin transaction

data

A short discussion

© 2015 Deloitte The Netherlands

• Degree in Media and Knowledge Engineering / Information & Communication Theory / Bioinformatics

from TU Delft

• Started working in privacy in 2008

• Involved in Bitcoin since 2010-2011 as a hobby

• Supervised an internal report on Bitcoin general properties and business interests in 2012-2013

• Currently manager in the Deloitte privacy team, which helps organisations using personal data

My involvement in privacy and Bitcoin

Add your footer here, Go Header and Footer to edit2

© 2015 Deloitte The Netherlands

Many projects are ongoing and planned for the next couple of years

Transaction data is becoming an important value source for financial institutions

Many banks have been analysing transaction data for some time to assess loan risk

ratings and predict defaults

Several banks are using transaction data analysis for loyalty schemes:

• BoA operates the targeted cash back scheme BankAmeriDeals

• RBS has discussed a service to provide targeted advertisements from business clients

to consumers

Generating direct income from (anonymised or aggregated) transaction data is also

increasing:

• US company cardlytics buys access to and analyses transaction data and offers

marketing solutions

• MasterCard Advisors has several products based on transaction data analysis

• Barclays is planning on selling (anonymised) transaction data to other companies

Transaction data is valuable and banks are realising this value

Add your footer here, Go Header and Footer to edit3

© 2015 Deloitte The Netherlands

Knowing who is who is important though

The blockchain contains all transactions: anyone can analyse the data

There is no ‘data monopoly’ for banks or payment network operators

The value of blockchain transactions will be lower than financial institution datasets though, due to:

• Transaction volume (currently lower)

• Level of identification

• (Meta) data quality and volume

Identification is important: Bitcoin pseudonymity is not very strong

When analysing transaction data several business models will require identifying (to some degree) who is involved

in the transaction

Bitcoin transactions are pseudonymous, but this is not a strong property, especially when users are careless

Re-identification efforts can be made through coupling of data sources and analysis

• Coupling with identifying information by exchanges or other sites / merchants

• Reuse of Bitcoin addresses and simultaneous transaction analysis

• Self-publication of identifying information

• Initial transaction node IP-address

The Bitcoin blockchain provides transactions and their inherent value to anyone

Add your footer here, Go Header and Footer to edit4

© 2015 Deloitte The Netherlands

Legal and ethical matters can become complex quickly

Is it ethical to analyse transaction data?

In The Netherlands the financial sector efforts to use client data raised a lot of questions:

• Is it ethical that payment networks use personal data (without compensation or sometimes knowledge)?

• What is the role of the financial sector, and what kind of services are within the expectations of consumers?

The Bitcoin community generally seems to value their privacy: would it be permissible to analyse user data? Should

users be educated to be able to hide their identities?

Involving the data subjects themselves will be preferable in any case, are there viable business models that include

users?

Legal matters

As soon as individuals – including IP addresses – can be identified data analysis may be within scope of data

protection legislation in the EU:

• A legitimate ground needs to be found for processing data (permission, contract, legal obligation, legitimate

interest)

• Consumer rights include requesting information, correction, deletion, objection

US and EU points of view will vary widely (US generally being less restrictive), but is the legal aspect

relevant when there is an almost unlimited choice of jurisdiction?

There are many ethical and legal questions

Add your footer here, Go Header and Footer to edit5

© 2015 Deloitte The Netherlands

High transaction volume and sophistication of analysis are key factors

• Enriching online advertising profiles with transaction analysis:

• Based on initial transaction generating node detected by highly connected node in network (may not be legal

in the EU)

• Using identification through a network of organisations accepting Bitcoin (could be part of a contract with the

user)

• By providing incentives to users to self-identify (e.g. providing discounts, rebates or lowering transaction fees)

• Selling market and competition analyses by looking at transaction data:

• Identifying organisation Bitcoin addresses by sending probing transactions and analysing transactions with all

organisation transaction links (may not be legal in the EU)

• Analysing transaction clusters and inferring knowledge from transaction properties and statistics (frequency,

volume, timing, etc.)

There are many possible uses for transaction data

Add your footer here, Go Header and Footer to edit6

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities.

DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see

www.deloitte.nl/about for a more detailed description of DTTL and its member firms.

Deloitte provides audit, consulting, financial advisory, risk management, tax and related services to public and private clients spanning multiple industries. With a globally

connected network of member firms in more than 150 countries and territories, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights

they need to address their most complex business challenges. Deloitte’s more than 210,000 professionals are committed to becoming the standard of excellence.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte

network”) is, by means of this communication, rendering professional advice or services. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained

by any person who relies on this communication.

© 2015 Deloitte The Netherlands