In the midst of the #DeleteCoinbase furor and the following announcement from the exchange that former Hacking Team members will “transition out” of the company, a damning comment from Coinbase’s head of sales, Christine Sandler, was left dangling.
As Sandler explained the Neutrino acquisition to Cheddar on March 1, “It was important for us to migrate away from our current providers. They were selling client data to outside sources, and it was compelling for us to get control over that and have proprietary technology that we could leverage to keep the data safe and protect our clients.”
It’s surprising that a Coinbase sales director would drop this information so casually. One would expect some kind of further explanation, or even an apology that the exchange violated its own customer data security policy. So what did Sandler’s comment really mean, and which “providers” was she talking about?
There are only a few blockchain intelligence providers that a massive exchange like Coinbase would use to remain KYT (Know Your Transaction)-compliant and prevent money laundering (the services Coinbase hired Neutrino to provide). Chainalysis is perhaps the biggest and most well-known, and there’s also Elliptic, Blockchain Intelligence Group, Ciphertrace, and Coinfirm.
Elliptic confirmed that Coinbase is among its clients and came out with a public statement yesterday in light of Sandler’s comments. In the statement, CEO James Smith wrote, “I have been disappointed to see reporting in the past few days which has incorrectly implied that Elliptic is distributing personal information for financial gain. Such comments fundamentally misunderstand the data we analyse, the insight we share with our clients, and the role we play in the industry.”
He continued, “Elliptic has no access to end users’ personally identifiable information,” explaining that Coinbase doesn’t give Elliptic any data that could “personally identify” users. This includes “names, addresses, [and] social security numbers.” According to the post, all Elliptic asks for from clients like Coinbase are transaction hashes and associated blockchain addresses, sometimes along with a customer ID that the blockchain intelligence company describes as a “random, unique identifier used by the exchange” that is not connected a user’s personal identity.
Get the BREAKERMAG newsletter, a weekly roundup of blockchain business and culture.
The purpose of having this information is, essentially, to keep tabs on individual customers’ suspicious behavior. If any single Coinbase customer ID started exhibiting patterns indicative of money laundering, for example, Elliptic could alert the exchange to that specific user’s activity.
As for reporting any of this information to third parties, Elliptic offered an indirect explanation. In answer to the FAQ, “What third parties does Elliptic provide data to?” the company responded by explaining how “all clients can benefit from improved risk assessment,” meaning the company might share data between its different clients. (Elliptic has not yet replied to a request for further comment.)
When asked whether Ciphertrace has ever worked with Coinbase, CEO David Jevans told BREAKERMAG, “I’ve definitely met with Coinbase numerous times. I can tell you we were definitely not a vendor that was used to sell data to other people. They’ve used a number of different vendors.”
Jevans added, “We don’t make data available to sellers unless customers agree to that explicitly. … I appreciate that there are other people at other companies that do that, but that’s not what we do.” Ciphertrace may ask clients if they’d like to add more information to data sets that other clients can see in the case of, for example, “stolen funds floating around,” so other exchanges can know to “lock up” those funds. But this is all done based on explicit consent, Jevans said. He would not say which exchanges Ciphertrace works with.
Chainalysis would not confirm nor deny whether it works with Coinbase to BREAKERMAG. “We don’t comment on who we work with and in what capacity, past or present, unless of course we issue a joint partnership announcement,” wrote a representative from the company, adding specifically that Chainalysis is “not commenting on Coinbase.” The representative directed us to a blog post that explains how Chainalysis works with exchanges.
The post echoes Elliptic’s in that Chainalysis says it does not receive “personally identifiable customer data” from exchanges, but it does share transaction information across clients. Chainalysis also identifies the “services their customers send cryptocurrency to and receive cryptocurrency from … labeling addresses with the real-world entities that control them.”
So based on the below example provided by Chainalysis, it seems that an exchange user would be identified by the exchange they’re using. Chainalysis would also identify the specific entity the user is sending funds to—in this (dated) example, the Silk Road.
Mike Dudas, founder and CEO of The Block, interpreted this to mean Coinbase customer data “wasn’t sold.” He added that Coinbase “no longer” uses Chainalysis’s KYT product.
Still in the running as a blockchain intelligence firm that works or has worked with Coinbase, Blockchain Intelligence Group, based in Vancouver, declined to comment when asked about its involvement with Coinbase. “I’m sorry, we can’t help you at this time,” wrote director of financial strategy, Teresa Anaya, in an email.
In February, Blockchain Intelligence Group signed SBI BITS Co. as a client, a subsidiary of SBI Holdings, a Tokyo-based financial services company. It doesn’t appear to list any additional clients besides noting that its services are “trusted by” Einstein, a Canadian crypto exchange that appears to be in beta, and The AML Shop on its website. However, that doesn’t rule out the possibility that it provides services to additional exchanges.
Of course, it is possible that Sandler simply misspoke in her interview with Cheddar. By acquiring Neutrino, Coinbase is bringing KYT and AML (anti-money laundering) in-house, meaning it could potentially gain more oversight of customer data—data it was previously sharing with third party blockchain intelligence groups. Still, “selling client data to outside sources” seems like strong wording for a misspeak.