How The FTX Collapse Could Leave Blockfolio Users Exposed – Bitcoin Magazine
This is an opinion editorial by Morgan Rockwell, founder of Bitcoin Kinetics.
I’m not concerned with Sam Bankman-Fried allegedly getting a loan from Alameda, which was actually FTX customer funds wired through Alameda to be credited on FTX. I’m not concerned with the moral compass of the celebrity investors who gave billions to a kid they didn’t really know or understand, yet endorsed with wealth and credibility. I’m not very concerned with the financial and market effects upon the many companies, exchanges and traders who for some reason depended on FTX in any form.
I’m most concerned with Sam Bankman-Fried getting the personal identification information of millions of customers, and using that data to do chain analysis on the Blockfolio app he purchased which was used by many Bitcoiners and cryptocurrency holders as a tracking tool of Bitcoin, Ethereum and other watch-only cryptocurrency wallets.
Source: Google Images
If you aren’t aware, Blockfolio was an app that was used by many Bitcoin holders and other cryptocurrency holders to keep track of the exchange rate or the prices of their coins held in cold storage or on wallets that they only wanted to be watching and not have actively on a hot wallet on their mobile device. Storing the wallet addresses actually were not even needed on the app. You could just put in a amount of a certain cryptocurrency that you wanted to watch and say that you had — but there was also a feature to connect to exchanges to keep track of all of your coins across all of the exchanges you had them on in one app. This was the beauty of Blockfolio as it didn’t necessarily ask for too much personal identification information other than an email to help keep track of your account so you can log in from multiple devices.
Most of us like myself became aware of Sam Bankman-Fried because of the purchase of Blockfolio by a newly formed entity called FTX. Over several weeks the Blockfolio app was rebranded as the FTX app which now had its own exchange. It also had a new set of Know Your Customer rules, Anti-Money Laundering policies, a new Terms of Service, as well as its own custodial wallet held by FTX, we assumed.
Here you can see the Terms of Service at Blockfolio from June 30, 2017:
Source: Blockfolio Privacy Policy 2017
Blockfolio avidly argued that they were not and would not ever sell user data. Blockfolio even attempted to de-identify users with a hashing mechanism for IDs to not even let themselves identify and connect user portfolios to email addresses; this apparently never happened after the purchase and transformation into FTX.
Here you can see the stark difference in the new FTX Privacy Policy:
Source: FTX Privacy Policy 2022
Here is what little is mentioned about personal identifiable information within the FTX Terms of Service, which is a different document than the Privacy Policy.
For reference, if you have never read a Terms Of Service or Privacy Policy of a company before, I strongly recommend you grab a strong beer and enjoy this word soup!
This all has brought up questions around this merger and the acquisition that happened in the cryptocurrency industry only a few years ago. I am concerned because after the fallout of this exchange, FTX going bankrupt and all of its assets potentially being put up for auction, I would like to know the state of the personal identification information that FTX had been forced to gather because of KYC and AML laws. My concern is the vast amount of information gathered including passports, phone numbers, IP addresses, home addresses, cryptocurrency wallet addresses, email addresses, passwords and government IDs. All of these could be sold at auction as customer data or customer profiles to whoever finds them valuable.
Now the assets held by FTX whether they were actually real cryptocurrency such as bitcoin or made up tokens built on another layer one network such as ethereum are not too important in this conversation in my opinion. What is important is the data, the privacy data, the data mining operation that could have or will be done on all of this data FTX had gathered on customers either it was done by them or it will be done by whomever buys this data at auction. Even more so, the jurisdiction of that data is open to anywhere on earth.
As someone who has personally worked on coin analysis concepts and technology for the United States Military, as well as consulted on this for the Department of Defense as a so called “subject matter expert,” I can personally attest that it is very easy to correlate a person to their Bitcoin wallet address using nothing more than the amounts of bitcoin held on specific addresses, as well as the device data that is keeping track of those specific amounts on specific addresses — this is simple SIGINT, MASINT or HUMINT, all of which are different forms of intelligence gathering.
If you are keeping track of any bitcoin on any wallet over any Bitcoin explorer that is looked through a browser or app on any device, phone, laptop or tablet, there is now a record that will be connected to the IP address, the MAC number, the SIM phone number, the VOIP number, credit card number, home address and any other personal identifying information that is attached in any way to this device. I know this because Edward Snowden leaked documents showing that the NSA had a program called XKEYSCORE and applications were used like OAKSTAR and its subprogram MONKEYROCKET to specifically keep track of Bitcoin users at the NSA.
Now what I’m getting at is this data that FTX was forced under AML and KYC law to be gathered. This is potentially one of the largest gatherings of this type of data in the cryptocurrency industry ever done in history. This data, combined with coin analysis information related to bitcoin, ethereum and other cryptocurrency amounts being tracked by the previously titled Blockfolio app has created a situation where KYC data personal identifying information can be now superimposed over Blockfolio email addresses, UTXOs and watch addresses that plenty of people used on Blockfolio without any personal information being divulged to the app.
So this means that people that used Blockfolio to keep track of the amount of cryptocurrency they had, wanted to buy or were keeping track of for whatever reason will now be able to be correlated to very detailed personal identification information. The concern I have is not whether FTX and its hundreds of subsidiaries were keeping track of this information from Blockfolio or using it in any way, but that their vast new pool of customer information and data will be binded in the future to the Blockfolio data. I don’t assume FTX was intelligent enough to do this for any purpose such as advertising, or data sharing with a hedge fund like Robinhood was caught doing, but I do assume that they may have considered selling this data to law enforcement agencies, to advertisers or to actors in the intelligence community as SBF said there was an open door to regulators and law enforcement agencies at FTX.
What we need to think about now is when the assets of FTX go up for auction, which they will, that not only the digital currencies and tokens as well as the licenses will be sold to some new party, but it will be the customers themselves, personal identifying information and the massive data mining that could have been or will be done with that data.
I was never an FTX user, I never created an account with FTX or FTX.us and I never wired any money to Alameda. Unfortunately, because of my longevity in the Bitcoin space, I used Blockfolio like many Bitcoin users before me to keep track of the amounts of Bitcoin I had in multiple locations and their total value. Now that data that I thought was private will be connected to KYC data of anyone I know, interacted with over a wire and any device they used, especially if through multiple connections it leads back to FTX in any way.
What we need to do now is ask the serious questions and not focus on the financial obligations or mishandlings of SBF and FTX. But we must ask who has this data? What has been done with this data and who will be owning this data in the future? The reality is FTT dissolving into nothing isn’t a “Force Majeure Event,” so most of the users are screwed.
If this at all concerns you or involves you, I would suggest we all find the proper channels to protect ourselves from the worst case scenario from this fallout of data. This is the biggest problem with KYC and AML laws,because after all of this financial chaos, there is now a criminal-run exchange that is in possession of millions of people’s personal information about their devices, their homes, their financials and more, all available to the highest bidder.
Notes:
This is a guest post by Morgan Rockwell. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.