Thoughts tagged "privacy"

Short thoughts, notes, links, and musings by .

A Coinbase data breach filing with the Maine Attorney General finally gives us some more detail than Coinbase’s vague “less than 1% of monthly transacting users”. 69,461 people were affected, and Coinbase says the data breach occurred on December 26, 2024.

Data Breach Notifications
Entity Information
Type of Organization: Financial Services
Entity Name: Coinbase, Inc.
Street Address: 248 3rd Street #434
City: Oakland
State, or Country if outside the US: CA
Zip Code: 94607
Submitted By
Name: Michael Rubin
Title: Attorney
Firm name (if different than entity): Latham and Watkins LLP
Telephone Number: (415) 395-8154
Email Address: michael.rubin@lw.com
Relationship to entity whose information was compromised: Outside Counsel
Breach Information
Total number of persons affected (including residents): 69461
Total number of Maine residents affected: Approximately 217
If the number of Maine residents exceeds 1,000, have the consumer reporting agencies been notified:
Date(s) Breach Occurred: December 26, 2024
Date Breach Discovered: May 11, 2025
Description of the Breach:
Insider wrongdoing
Information Acquired - Name or other personal identifier in combination with:
Notification and Protection Services
Type of Notification: Written
Date(s) of consumer notification: May 30, 2025
Copy of notice to affected Maine residents: Appendix_A_-_Coinbase_Template_Individual_Notification_Letter.pdf
Date of any previous (within 12 months) breach notifications: 07/16/2024
Were identity theft protection services offered: Yes
If yes, please provide the duration, the provider of the service and a brief description of the service: We are offering all impacted individuals one year of free credit monitoring and identity protection services provided by IDX. The services include credit monitoring, a $1,000,000 insurance reimbursement policy and identity restoration, and dark web monitoring to identify if any information is made available through illegal online forums.

Almost five months passed between the incident and its disclosure, although the company has since admitted it knew customer support agents were suspiciously accessing customer data as far back as January.

Security researchers who have spent months trying to call Coinbase’s attention to serious issues at the company are disputing Coinbase’s claims about the timing of the breach. “Threat actors had ongoing access via multiple insiders over a prolonged period of time.”

Oh good apparently now the Coinbase breach happened on Dec 26, 2024.

LOL

So since Coinbase won't be straight with you, I will.

Threat actors had ongoing access via multiple insiders over a prolonged period of time. (Screenshot of Maine AG notification)
As evidence, here's a very small cutout of one high value customer's Coinbase account.

This wasn't pulled on Dec 26, 2024, honey.

(Screenshot showing dates between 2025-02-07 and 2025-02-10)

The SEC requires material cybersecurity incidents be disclosed within four business days; state laws often have a 30-day disclosure deadline. It’s not clear if customers outside the US were affected; if so, other disclosure laws may apply.

It's interesting to me that the Fifth Circuit only considered "control" at the smart contract level, and does not seem to consider the role of validators in their opinion. A substantial portion of ETH blocks are built with relays that censor transactions with OFAC-sanctioned contracts, and it seems to me there is now an open question as to whether validators that use non-censoring relays could be sanctioned directly.

The software codes here—the twenty Tornado Cash addresses for immutable smart contracts—are tools used in providing a service of pooling and mixing the deposited Ether prior to withdrawal. Indeed, the immutable smart contract provides a “service” only when an individual cryptocurrency owner makes the relevant input and withdrawal from the smart contract; at that point, and only at that point, the immutable smart contract mixes deposits, provides the depositor a withdrawal key, and, when provided with that key, sends the specified amount to the designated withdrawal account. In short, the immutable smart contract begins working only when prompted to do so by a deposit or entry of a key for withdrawal. More importantly, Tornado Cash, as defined by OFAC, does not own the services provided by the immutable smart contracts. A homeowner may own the right to trash-removal services and a client may own the right to legal services performed by a lawyer, but neither the homeowner nor the client owns the person performing the trash-removal services or the lawyer—for good reason. Similarly, Tornado Cash as an “entity” does not own the immutable smart contracts, separate and apart from any rights or benefits of the services performed by the immutable smart contracts.

(Not saying they should, just remarking on the fact that it seems to have gone completely unaddressed.)

Of course this was a concern already, but what with the Treasury focused on the Tornado Cash contracts, it was less central than I suspect it might be soon. This strategy would be somewhat in keeping with legal theories around other "malicious" code, where it's broadly speaking legal to write a devastating computer virus, but a whole lot less legal to run one.

Please do not record your abortions on the blockchain

I must once again urge you: please do not record your abortions on the blockchain.

There are a lot of very worried people right now, fearful of an impending regime that may well crack down on things like reproductive care, gender-affirming care, or the ability for immigrants to even continue to remain in the US. Some have suggested people get familiar with cryptocurrencies in the event they might have to circumvent an authoritarian state.

I’ve said it before and I’ll say it again: in very bad situations, bad solutions can sometimes still be better than nothing. I make no secret of my views on the cryptocurrency industry, but I am the last to judge a person for using whatever means they have available to them to take care of themselves and others.

But please remember that most popular cryptocurrencies use public ledgers, where every transaction is visible to anyone who cares to look (no warrant required), where true anonymity is extremely challenging, and where tracing technology is only getting more sophisticated. Popular on-ramps like Coinbase and Gemini and other exchanges require customers to provide the same kinds of identification as banks, linking your future transactions to your real-life identity. (And many of these companies have thrown themselves wholeheartedly behind Trump, by the way, despite their “anti-authoritarian” claims.)

There are cryptocurrencies that are more anonymous than the bitcoins and ethereums of the world (privacy coins like Monero and Zcash, for example), though there are still attempts to trace these types of tokens, and you have to be knowledgeable and very cautious about how you use them so as not to inadvertently reveal your identity.

If you’re in a bad situation, do whatever it is you need to do. I’m certainly not going to judge you. But please be very cautious, and be highly skeptical of anyone who presents cryptocurrency as a magic solution to authoritarianism.

Further reading: “Abuse and harassment on the blockchain”, “Anonymous cryptocurrency wallets are not so simple”.

PSA: Paying for a subscription on the crypto version of OnlyFans using a public blockchain does not give you "true privacy", regardless of what the models there might say.

The allure of Only1 extended beyond a different option for sharing exclusive, gated content. Jaylene highlighted the platform's unique features compared to traditional platforms like OnlyFans.

"I like the fact that Only1 being on-chain allows the customer to have true privacy," she said. "From a creator's perspective, the biggest issues with traditional platforms such as OnlyFans are issues with payment processing. Only1 solves this issue as the payments go directly to your wallet, providing creators with peace of mind and full control over their earnings."

There’s people who are really angry about a lot of tech stuff who disagree with each other about everything, including whether or not they really even have a problem. But all of their problems start with the fact that there’s a lot of commercial surveillance. So these people might disagree about everything else, but they will agree that their problem could be solved if we could do something about commercial surveillance.
So if you think Mark Zuckerberg made grampy into a QAnon, or if you think Insta made your teenager anorexic, or if you think that TikTok is convincing millennials to quote Osama bin Laden, right? Or if you think that it’s ugly that red state attorneys general are following teenagers into out-of-state abortion clinics, or that Google reverse warrants reveal the identity of everyone in a Black Lives Matter demonstration or for that matter, the January 6th riots, or if you are worried about deep fake porn, or if you’re worried that people of color are having the surveillance data captured about them mobilized to discriminate against them in employment and financial products, right? All of these different things all start with cutting off the supply of surveillance data.
– Cory Doctorow

"it's all stored locally" is not a panacea for these alarming privacy-invading products!

what exactly is stored locally? what data is extracted from that local data and sent to the company's servers? is that local data being backed up somewhere?

what additional risks are now being posed to people who share devices, whose devices might be accessed by others or compromised, or who might not realize these tools are running? what is the risk that the company might later change its decision on local storage?