Convenience is a honeypot. Consumers are drawn to simple, quick platforms with one-click ordering and minimal distractions: set up an account using auto-filled data and start shopping. This makes it very difficult to convince users to take security seriously. Few want to take the time to be secure and so risk having their data harvested and sold off or stolen, expecting the companies they are dealing with to be competent enough to protect it on their behalf.
In Bitcoin, there is a huge divide between those with good security practices and those who upload their identity documents everywhere they’re prompted. We like to feel a sense of anonymity on the internet but do little to ensure it. For many of us, the pseudonymity — partial anonymity — that is provided by a Twitter handle or a second email account, is enough. Although your real name and appearance can be hidden on public forums, it is reckless to think that this means your identity is secure.
At Trezor, we anonymize all purchases after 90 days but we still encourage our users to take additional precautions to protect their data. Companies whose data is targeted often have highly competent cybersecurity teams on their payroll. We trust them with our data because we expect them to have the best security resources available, yet they still get hacked, time after time, as new vulnerabilities crop up. So, what can we do to stop our personal data from being sold on the dark web? Don’t give it out. Ever.
What’s the Big Deal?
The ability to be anonymous is one of the key benefits of Bitcoin, though it has become more difficult to achieve in recent years. Traditional banking is a regulatory gauntlet and similar regulations have begun affecting crypto. Whether you use cash, card, or check, you are almost always interacting with banks, who know everything about you. Now, most cryptocurrency exchanges have been forced to implement Know Your Customer (KYC) procedures in many regions, meaning any bitcoins purchased through their platform can be traced directly to your passport, driving license, or other identifying data.
Not only can all your transactions be tracked from that point onward, but you have also surrendered your identity to an unknown entity whose motivations may be more sinister than just selling bitcoins, or whose security may not be up to standard, making it easier for criminals to get their hands on your data.
For most casual users, everything we interact with on the internet is traceable back to our computer’s IP address. This can be used to reveal who you are and your physical address, among other things. With all the information we upload about ourselves, especially through merchant portals, we subject ourselves to the risk that this data will one day end up in the wrong hands.
How to Protect Your Data
The difficult part for most of us is that we are already exposed. Breaches like Equifax have already revealed critical financial data and databases of your personal information are very likely to be sitting on a darkweb marketplace somewhere, waiting to be sold to the highest bidder. The first step is to cut yourself off from any data which may have been breached.
To do so, first make sure you change your passwords regularly. Check your accounts using Have I Been Pwned? to see if your data is already compromised. Even if it isn’t, changing passwords often makes it harder for anyone who has information about you to access your accounts. You should also set up a new, secure email address that does not reveal any personal information such as your name or date of birth. The idea is to create a new persona that is not in any way linked to you.
From there, one should take a holistic approach. Think about everything involved in making a purchase: who is buying it, where will it be delivered, and how will it be paid for? It is fairly easy to detach your identity from all three and still shop comfortably. When buying bitcoins or a hardware wallet, taking the time to do so will give you a security advantage.
How to Stay Secure Buying Physical Goods Online
Use an anonymous, secure email. This is a quick and easy way to make sure you’re not instantly giving away information about yourself any time you create an account somewhere.
If possible, use a collection point for deliveries. This ensures that no company will ever have your home address, keeping you safe when a leak happens. If you don’t have an alternative drop-off place you should buy sensitive goods like hardware wallets through physical stores and pay with cash.
Use Tor (not a VPN) to obscure your connection to the merchant’s website. Tor is a decentralized solution that relays your internet connection through many different servers, making it very difficult to trace back to your IP address. VPNs let you request a page through an encrypted channel and load pages to the server location, meaning you can browse without anyone knowing who is looking at the site. With VPNs, however, you are trusting a centralized server with your data, putting it at risk of hacks, and many have recently been shown to engage in highly irresponsible security practices.
Pay with Bitcoin or cash. Your bank keeps track of everything you buy via card or wire transfer; prevent this by paying with cash or by using Bitcoin. If you use Bitcoin, there are a number of steps you should take to make sure it is not traceable back to you. We will cover this more below.
How to Stay Secure Buying Bitcoin
Buy from an ATM or a peer-to-peer platform like LocalBitcoins. These have minimal identity checks, meaning the person selling to you needn’t know anything about you. Visit coinmap.org for a handy map of where to find Bitcoin ATMs, anywhere in the world.
Use a reputable coin mixer to anonymize any funds you already own and plan to use. A mixer takes bitcoins from multiple sources and heaps them together, then splits them up and sends back the original amount to a fresh wallet of your choosing. This process makes it incredibly difficult to see where the Bitcoins originated from, severing any links to a KYC exchange you may have bought from. Since you have to send the coins to them in the first place, it should only be done through a trustworthy company — check reviews and thoroughly research any company you plan to mix your coins with.
Use a hardware wallet to store your private keys offline and protect you from malware. All Trezor devices are designed to create a strictly isolated environment, limiting their operation to a few precise commands. As long as you keep your seed secure, no one can access your coins without the hardware wallet, and there are multiple barriers to someone physically accessing your device. The wallet will also prevent anyone from manipulating the destination address or amount you are sending, as it is all confirmed physically on the device.
Always send bitcoin to a freshly generated wallet address. Using the Trezor Wallet, you can easily create a new address any time you want to send or receive bitcoins. This makes it more difficult for anyone to connect your transactions and learn information about you.
Use Tor with your hardware wallet, to make it harder for your connection to be traced to your location. Take a look at this guide on how to use Tor browser with your Trezor wallet, from our Wiki.
If you aren’t using a hardware wallet, sign your transactions offline and broadcast them later over the network. This is a very secure method for sending transactions, as it creates a gap between your private keys and the network, something Trezor hardware wallets already do for you. Simply load the transaction data onto a clean (reformatted) USB drive, plug it into a networked device, and broadcast via a service like the Trezor Blockchain Explorer, directly through your browser.
Only You Can Protect Your Data
People have the right to privacy so we should all be encouraged to exercise it. The modern internet is designed to extract as much information about you in order to commercialize your online identity. If you choose to retain your privacy, you prevent third parties (governments, merchants, insurance providers, etc.) from leveraging your personal information to assert power over you.
Taking the time to protect your privacy is worth it. A great experiment to really demonstrate just how often your data gets passed around, is to start making new email addresses for each service you use and see what kind of marketing material starts coming in from companies your data was sold to. If you want to make this a habit, start entering your address with a plus sign added, followed by a unique tag for each subscription: entering firstname.lastname@example.org means emails will still find their way to John, while helping trace where Amazon might pass his data to, letting him see exactly where the related spam is originating from.
Good security is not difficult to achieve but it unravels very easily. When a shop you bought something from is breached, the only thing that is sure to protect you from someone using your data is not having it there in the first place. Even when you absolutely need hyper-convenient purchases, you should be using a secure, nondescript email address. There is always an option to share less information about yourself; with Bitcoin, you gain the freedom to do whatever you want with your money without restriction, as long as you take the steps to protect your identity.
The Only Way to Protect Your Data is to Never Provide it was originally published in Trezor Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.