Their example is a wallet with 10 bitcoin, 3 were stolen.
* poison: all BTC is the wallet is considered stolen, and all BTC in every wallet the BTC moves through from there is considered stolen
* haircut: BTC in the wallet is considered 30% stolen, and it's diluted as the money moves through other wallets
* FIFO (their solution): the first 3 BTC transferred from the wallet is considered stolen
But, the principle given in the paper is "nobody can give what isn’t theirs". Why isn't it the last 3 BTC transferred from the wallet that's considered stolen? The wallet had 7 legitimately acquired BTC to spend, so why isn't spending beyond that 7 what's tracked?
Someone could have a wallet or bank account (from the 1816 example) and not know stolen amounts were given to them. The first amount they spend should be considered legitimate.
The FIFO method doesn't track the first 3 BTC, it depends on what the first transfer into the wallet was.
If the first transfer in was 3 tainted BTC, it taints the first 3 out. If the first transfer in was 2 clean BTC and the second transfer in was 3 tainted BTC, it taints the 3rd, 4th and 5th BTC transferred out.
They don't seem to really have a way of measuring where the illicit value actually goes, so the comparison is just hand waving (in terms of forensics that's what tainting is for anyway, enumerating the accounts to consider; enumerating less accounts isn't necessarily an advantage).
This is not a technological solution. It's an attempt to create a legal convention of applying a particular form of centralized blacklisting.
The power of this method is directly proportional to how widely it's adopted.
And the reference to a precedent gives a false sense of legal legitimacy to this form of blacklisting. The decision referenced dealt with creditor claims to a shared asset.
The relevant legal precedent is from 1749. That's when a court sided with the Royal Bank of Scotland in its legal challenge to a request for a blacklist for notes used in crime. The RBS argument was that making money responsible for the acts of its previous holders would "render the Notes absolutely useless":
For hundreds of years, that has been the legal treatment of cash, which has facilitated commerce, by making cash fungible.
Jurisdictions around the world have been steadily degrading the principle of fungibility over the last 40 years to institute a mass surveillance system to stop the drug trade, money laundering and income tax evasion (it's worth noting the income tax didn't exist in 1749).
The result is concentrated power structures accumulating ever greater bureaucratic control over the traditional financial system.
Well it seems like even the actors who influence the G20 finance minister talking heads[0] cant even agree on what to do, except for asserting that somehow they will need to be in charge.
I think that concentrated power structures (that exist today or evolve in time) that can exploit this environment will win in the long run, but it won't necessarily be in any particular nation states interest.
Any centralization of a sector of an economy needs to be politically coordinated so the fact that the G20 heads don't agree on a plan is promising. I think it's possible some of finance ministers of the G20 members like the disruptive potential of cryptocurrency.
With BTC you can have multi input multi output transactions: in the same tx you can spend 2 legit BTCs and 2 stolen BTCs and send those to 8 addresses, each getting 0.5 BTCs.
Which of those resulting addresses contain tainted BTCs and which contain the clean ones?
A transaction such as the above would make it clear that the thief has control over the whole stolen wallet, but that's it. It doesn't mean that the recipient's addresses are thief's addresses, even though they could be. And we can't consider all of the end addresses as tainted, because what happens when the thief sends some of these to the address holding the silk road BTCs confiscated by the feds? Will they arrest themselves?
There’s still a ‘native ordering’ of the inputs and outputs, so this FIFO process will still be able to ‘taint’ a specific deterministic set of the value-units, across one or more of the outputs.
Whether that’s a fair allocation of the taint is a separate issue. They have a case, in some jurisdictions based on that precedent, that the law would support their allocation, and further that this treatment has other efficiencies.
It’s sometimes the case that laws are construed to be predictable, and easy-to-apply, rather than maximally ‘fair’ according to deeper subjective case-by-case analysis.
Indeed, there is an ordering, but that's decided exclusively by the creator of the transaction, so he could easily manipulate the future tainted addresses.
The FIFO (or LIFO for that matter) rule seems like an arbitrary chosen one which could easily be overcome: the thief can put the stolen funds in an address and only use those when the atomic swap protocol between chains is created, for example. Or exchange those funds on decentralized exchanges, or sell on localbitcoins.
Yes, the possessor can control where the ‘taint’ goes by their spending choices, just like someone with stolen property can choose who to give/sell it to.
The point of this FIFO method isn’t exclusively — or even primarily — to outwit thieves. Rather, it’s just to have a tractable (and legally-based) rule for deciding which balances, arbitrarily later, can be deemed ‘the stolen amount’.
This seems like precisely the thing that a mixer service exists to defeat. I'd be curious to see how effective the approach is after the coins pass through such a service.
Personally, I remain unconvinced that coins could be reliably traced through an "ideal" mixer service that moves a large number of coins between a large number of addresses via a large number of transactions.
Edit: A further requirement would be that the service would have to involve a large number of "legitimate" coins. This does disregard the possibility that the so-called legitimate coins would be considered illegitimate simply by association with said service.
That said, perhaps the difficulty lies in actually meeting such requirements.
That is, mixers work by not returning your coin, but rather someone else's coin. So if you mix stolen coin, you may get clean coin, but many others get dirty coin.
I have read that some mixers draw on freshly mined coin. But coin from users must go somewhere, right?
It seems that if you can just blacklist coins, and since eventually bitcoin will be all mined out (for all practical purposes) that eventually all bitcoins would become tainted since humanity will always have crime and money laundering. Am I missing something here? I'm sure gold was used for all sorts of nefarious uses but nothing stops that "bad gold" from going back into the gold monetary system. This just seems like a bad idea all the way around.
The problem with this method, is it gives bad actors complete control over how and where the "bad" coins go just by doing some structured transactions.
Only if they are tainted with the same "tag".
What if one of the theft is only recognized in one jurisdiction? What if Alice and Bob separatly track their coins?
So, say Alice her money was transferred first, and bob's money second.
Then, after you've spend N coins, anyone looking for bob's coins sees you no longer have them. Anyone looking for Alice's coins sees they are still with you. This is because it is FIFO, so the outgoing transaction is only spending from Bob's coins.
I found the computerphile video odd, for reason's I hope I can elucidate below:
1) It seemed to suggest that the increased precision given by this approach is somehow surprising. It totally isn't? I mean, the difference between taint-all (poison) and this approach is in the branching factor, you don't have to run the experiment to see the outcome?
2) The choice of FIFO is very weird (I don't really care about the case law.) For a given branching factor, surely there are numerous schemes that could be considered, and they don't seem to discuss the merits of any others. Off the top of my head LIFO seems to correspond much more naturally to intuition, but I think there is a better answer than that. If a untainted priority scheme was used, whereby tainted coins were always spent last from a given balance, then this would have the effect of keeping the taint as close as possible to the original thief, and separates the bizarre relationship between cash-flow and culpability that FIFO introduces.
In the case, the funds transferred out of the account were treated as "dissipated" and thus unrecoverable. The case was about deciding between claims from innocent parties for money remaining in a mixed bank account, which is quite a different activity than tracing the flow of the stolen value.
I think the better method would be FBIFO (no pun intended)
FBIFO = first bad coin in - first out.
Presumption is that bad coins are urged to be laundered first. So even if good and bad are mixing in - the bad ones ought to be first out
But if they are tainted on what can they spend that money?
Say I have 10 BTC you transfer me 3 stolen ones I want to clean my wallet where do I transfer those 3 BTC and what happens to that wallet?
What happens when you don’t actually notice that it happened and try to purchase and item with your BTC? Do you get declined by the merchant because some % of that was tainted? If so how do you get that translation reversed?
If you get those 3 stolen coins, and don't want them. The easiest is to just transfer them to a burn-address.
If you fear people are ever going to demand it back, either try to transfer it back, or transfer it to a separate holding wallet. Authorities might also set up a special address for collecting these kinds of coins.
This makes me think, what happens to fees?
Suppose I take those 3 BTC and 'burn' it by creating a chain of 100 transactions, each with a fee of 10%? At the end, all of the stolen coins have evaporated into fees. Are those fees tainted?
If not, miners could try to white-wash coins this way.
When first using Graphistry to analyze cryptocurrency transactions, a couple years ago, we did a cool mix of temporal (vs 1816) + poisoning. Full taint analysis... except only consider tainted after the first tainted transaction date. We loaded the full blockchain into memory and then ran this on the Silk Road bust. Real-time, pretty cool!
It worked quite nicely, and we quickly reproduced what showed up in court... and with some fun extras. Combining the temporal (NOT 1816) and taint approach was a good way to trace the incident. Superimposing on regular (atemporal) taint analysis gives a broader view of the crime network beyond the individual incident.
As folks are noting here, tumblers and exchanges still make this a mess, even for 1816. They can go off-chain. However, those are generally where governments want to intervene anyways. Either way, we traced the full incidents, including how the silk road was moving money around, with our approach.
If you're into this kind of thing, professionally or for fun, let us know! Wouldn't be hard to repeat with more specific variants of 1816.
That's interesting, but it will still rely on some method of enforcement to do something about it, the entire point of bitcoins existence seems to be to make that harder.
The previous method ("haircut" tainting) - wheretransactions from a wallet with "bad" bitcoins are marked as "X% tainted" where X := (#bad_coins / #total_coins) - quickly marked all the active bitcoins on the recent blockchain as ~10% tainted.
With the new FIFO method, the tainting doesn't dilute as quickly. The give an example of a "theft of about 1000 bitcoins in 2014 and trace it forward to 2016", poison tainting and haircut tainting affect ~1.5 million addresses. With FIFO tainting, only 11,000 addresses are affected.
This 'solves' the problem of dilution, but it does not address the issue of following the flow of tainted crypto-cash, because the root cause of that problem is that bitcoin do not have identities (they are bosons, not fermions?) This 'solution' is just one of several similar possible schemes that arbitrarily assign a provenance to each atomic unit of the currency, and is not fundamentally more sound than any other.
Any scheme like this is pointless without a mechanism to sanction the use of 'bad' bitcoin, and belongs in the realm of cryptocurrency regulation, not blockchain mechanics. A scheme something like this does exist for banknotes, in that if you are found to have a counterfeit bill, it will be confiscated. The only reason this does not have a stifling effect on the use of paper money is that the probability of this happening to you is slight.
its equally silly as the other methods. even worse as should have been obvious by the fact they quote a video.
imho poison is the ONLY method slightly acceptable.
with fifo it's all too easy to mislead the system with a honest transaction and now the vendor has the stolen btc, even though they delivered something in exchange for it and behaved honestly all the way.
edit: they measure total coins marked as stolen from begining to end of each tracking process, not correctness. as all the exchanged want is to have less poisoned coins to work with.
I steal 100 bitcoins. I then transfer a satoshi to as many legit bitcoin addresses I can find. Now any transaction those addresses make will be illegal?
No, any money in those addresses that was there before your dirty satoshi would still be considered clean. That's one of the claimed advantages of their technique.
I get that, but the first transaction they make is considered dirty. So everyone I transfered to is going to make an illegal transaction first thing they do...
* poison: all BTC is the wallet is considered stolen, and all BTC in every wallet the BTC moves through from there is considered stolen
* haircut: BTC in the wallet is considered 30% stolen, and it's diluted as the money moves through other wallets
* FIFO (their solution): the first 3 BTC transferred from the wallet is considered stolen
But, the principle given in the paper is "nobody can give what isn’t theirs". Why isn't it the last 3 BTC transferred from the wallet that's considered stolen? The wallet had 7 legitimately acquired BTC to spend, so why isn't spending beyond that 7 what's tracked?
Someone could have a wallet or bank account (from the 1816 example) and not know stolen amounts were given to them. The first amount they spend should be considered legitimate.