Tag Archives: bitcoin

Bitcoin and the Blockchain

It’s hard to believe that a whole year has passed since I last wrote on the topic of bitcoin, and my remaining 1 bitcoin is worth rather less than it was back then. During the week I presented at the Sydney Financial Mathematics Workshop on the topic of bitcoin, taking a rather more technical look at the mechanics of the blockchain than in my previous posts here on the Mule. For those who are interested in how Satoshi Nakamoto solved the “double spend” problem, here are the slides from that presentation.

Bitcoin and the Blockchain

As part of my preparation for the presentation, I read Bitcon: The Naked Truth About Bitcoin. If you are a bitcoin sceptic, you should enjoy the book. If you are a Bitcoin true believer, you will probably hate it. It is over-blown in parts and gets a few technical details wrong, but I am increasingly convinced by the core argument of the book: the blockchain is an extraordinary innovation which may well change the way money moves around the world, but bitcoin the currency will prove to be a fad.

I’m with Felix

FT blogger Felix Salmon and venture capitalist Ben Horowitz have very different views of the future of Bitcoin. Salmon is a skeptic, while Horowitz is a believer. A couple of weeks ago on Planet Money they agreed to test their differences with a wager.

Rather than a simple bet on the value of Bitcoin, the bet centres on whether or not Bitcoin will move beyond its current status, as a speculative curiosity, to serve as a genuine basis for online transactions. The test for the bet will be a survey of listeners in five years’ time. If 10% or more of listeners are using Bitcoin for transactions, Horowitz wins. If not, Salmon wins. The winner will receive a nice pair of alpaca socks.

I have been fascinated by Bitcoin for some time now and have a very modest holding of 1.6 Bitcoin. Nevertheless, I believe that Felix is on the right side of the bet. I have no doubt that the technological innovation of Bitcoin will inform the future of digital commerce, but Bitcoin itself will not become a mainstream medium of exchange.

Volatility

Only days after the podcast, the price of Bitcoin tumbled as MtGox, the largest Bitcoin exchange in the world, suspended Bitcoin withdrawals due to software security problems. Sadly, this means my own little Bitcoin investment halved in value. It also highlights how much of a roller-coaster ride the Bitcoin price is on. As long as Bitcoin remains this volatile, it cannot become a serious candidate for ecommerce. It is just too risky for both buyers and sellers. Horowitz acknowledges that the Bitcoin market is currently driven by speculators, but is confident that the price will eventually stabilise. I doubt this. Even during its most stable periods, the volatility of Bitcoin prices is far higher than traditional currencies, and has been throughout its five year history.

Bitcoin drop

The Ledger

One of the key innovations of Bitcoin is its distributed ledger. Everyone installing the Bitcoin wallet software ends up downloading a copy of this ledger, which contains a record of every single Bitcoin transaction. Ever. As a result, there is no need for a central authority keeping tabs on who owns which Bitcoin and who has made a payment to whom. Instead, every Bitcoin user serves as a node in a large peer-to-peer network which collectively maintains the integrity of this master transaction ledger. This ledger solves one of the key problems with digital currencies: it ensures that I cannot create money by creating copies of my own Bitcoin. The power of the ledger does come at a cost. It is big! On my computer, the ledger file is now almost 12 gigabytes. For a new Bitcoin user, this means that getting started will be a slow process, and will make a dent in your monthly data usage. A popular way around this problem is to outsource management of the ledger to an online Bitcoin wallet provider, but that leads to the next problem.

Trust Problems

A big part of the appeal of Bitcoin to the more libertarian-minded is that you no longer have to place trust in banks, government or other institutions to participate in online commerce. In theory, at least. If you decide to use an online Bitcoin wallet service to avoid the problem of the large ledger, you have to trust both the integrity and the security capability of the service provider. The hacking of inputs.io shows that this trust may well be misplaced. Even if you have the patience and bandwidth to maintain your own wallet, trust is required when buying or selling Bitcoin for traditional currency. There are many small Bitcoin brokers who will buy and sell Bitcoin, but invariably you have to pay them money before they give you Bitcoin, or give them Bitcoin before you get your money. Perhaps the big exchanges, like MtGox, should be easier to trust because their scale means they have more invested in their reputation. But they are not household names, the way Visa, Mastercard or the major banks are. Growth of commerce on the internet has been built on trust in the names providing the transactions more than trust in the technology, which most people don’t understand. I would be very surprised to see the same level of trust being established in the Bitcoin ecosystem, unless major financial institutions begin to participate.

The Authorities

But will banks jump onto the Bitcoin train? I doubt it. Not because they are afraid of the threat to their oligopoly—most bankers still only have the vaguest idea of exactly what Bitcoin is, or how it works. What they do know is that virtual currencies are attractive to criminals and money launderers. Last year saw the FBI crackdown on Liberty Reserve, followed by the crackdown on the underground black-market site Silk Road. More recently, the CEO of one of the better-known Bitcoin exchanges was arrested for money-laundering. In the years since September 11, the regulatory obligations on banks to ensure they do not facilitate money laundering have grown enormously. The anonymity of Bitcoin makes it hard for banks to “know their customer” if they deal with Bitcoin and as law-enforcement increases its focus on virtual currencies, providing banking services to Bitcoin brokers becomes less appealing for banks. When I bought my Bitcoin last year, I used the Australian broker BitInnovate. For several months now, their Bitcoin buying and selling services have been suspended and, I’m only guessing, this may be because their bank closed down their accounts. To become a widely-accepted basis for commerce, Bitcoin will necessarily have to interface effectively with the traditional financial system. At the moment, the prospects for this don’t look good.

For these reasons, I think Felix has a safe bet, and can look forward to cosy feet in alpaca socks. But, even if Bitcoin does not become widely accepted, its technological innovations may well revolutionise commerce anyway. Banks around the world can adopt ideas like distributed ledgers and cryptographically secure, irrevocable transactions to make the mainstream global payments system more efficient.

Can I trust MtGox with my passport?

In March 2013, the US Financial Crimes Enforcement Network (“FinCEN”) published a statement saying that companies which facilitate buying and selling of “virtual” currencies like Bitcoin constitute “money service businesses” and are subject to reporting obligations designed to prevent money laundering and other financial crimes.

A couple of months later, the seizure by US authorities of Liberty Reserve has shaken money service businesses around the world, whether they deal in “real” or “virtual” currencies.

Two days later, the largest Bitcoin exchange, MtGox, tightened their anti-money laundering (AML) controls, posting the following statement on its website:

Attention Users: From May 30th 2013 all withdrawals and deposits in fiat [real] currency will require account verification. However withdrawals and deposits in Bitcoin (BTC) do not require verification.

What MtGox is attempting to do here is meet one of the most fundamental requirements of AML legislation around the world: know your customer. It is so fundamental that it too earns its own three-letter abbreviation, KYC.

So, how does an online business like MtGox verify the identity of its customers? After all, you can’t walk into the local MtGox branch with a fist full of paperwork. Instead, you must upload a scan of “proof of identity” (passport, national ID card or driver’s licence) and “proof of residency” (a utility bill or tax return).

MtGox are not alone in this approach. More and more online money service businesses are attempting to get on the right side of AML rules by performing verification in this way.

Here in Australia, there are still some Bitcoin brokers which do no verification whatsoever, including BitInnovate (who helped me buy my first Bitcoin) and OmniCoins. Australia’s AML regulator, AUSTRAC, publishes a list of “designated services”, which make businesses subject to reporting obligations including customer verification. The list includes:

exchanging one currency (whether Australian or not) for another (whether Australian or not), where the exchange is provided in the course of carrying on a currency exchange business

So I strongly suspect that all local Bitcoin brokers too will soon be demanding scans of your driving licence and electricity bill.

But is the MtGox approach to customer verification a good idea? I don’t think so. I believe it is a bad idea for MtGox and a bad idea for their customers.

It is a bad idea for MtGox because scans of fake identity documents are very easy to come by. For example, one vendor at the online black market Silk Road offers custom UK passport scans with the name and photo of your choice, complete with a scan of a matching utility bill.

It’s a bad idea for the customer too, because it exposes them to increased risk of identity theft. Although my intentions were not criminal, I chose BitInnovate when I bought Bitcoin precisely because I did not have to provide any personal documents. How well do you know MtGox or any other online money service? How confident are you that they will be able to keep their copies of your documents secure? Securing data is hard. Every other week it seems that there are stories of hackers gaining access to supposedly secure password databases. I have no doubt that scans of identity documents will also find their way into the wrong hands.

So what is the alternative?

Third party identity management.

Using a passport or driver’s licence scan is effectively outsourcing identity verification to the passport office or motor registry respectively. Before the days of high quality scanning and printing, these documents were difficult to forge. A better solution is to retain the idea of outsourcing, but adapt the mechanism to today’s technology.

Here’s how it could work.

A number of organisations would establish themselves as third party identity managers. These organisations should be widely trusted and, ideally, have existing experience in identity verification. Obvious examples are banks and government agencies such as the passport office.

Then if I wanted to open an account with MtGox, its website would provide a list of identity managers it trusted. Scrolling through the list, I may discover that my bank is on the list. Perfect! When I first opened an account with my bank I went through an identity verification (IDV) check (ideally, this would have been done in person and, even better, the bank would have some way to authenticate my passport or driver’s licence*), so my bank can vouch for my identity. I can then click on the “verify” link and I am redirected to my bank’s website. Being a cautious fellow, I check the extended validation certificate, so I know it really is my bank. I then log into my bank using multi-factor authentication. My bank now knows it’s really me and it presents me with a screen saying that MtGox has asked for my identity to be validated and, in the process, has requested some of the personal data my bank has on file. The page lists the requested items: name, address, email address and nationality. I click “authorise” and find myself redirected to MtGox and a screen saying “identity successfully verified”.

MtGox is now more confident of my true identity than they would be with scanned documents and I have kept to a minimum the amount of information I need to provide to MtGox: no more than is required to meet their AML obligations.

This authentication protocol is a relatively straightforward enhancement to the “OAuth” protocol used by sites like Twitter and Facebook today. OAuth itself is subject to some controversy, and it may be better to create a new standard specifically for high trust identity management applications like this, but the tools exist to put identity management on a much safer footing.

* Today, unfortunately, banks and other private sector entities are not readily able to authenticate passports or driver’s licences. Once government agencies are able to provide this service, the options for third party identity management will be even greater.
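The redirect-and-authorise flow described above, sketched as an OAuth-style authorisation-code exchange. This is an added example, not code from MtGox, any bank or the OAuth specification; the class names, client id, URLs and customer record are constructed, and TLS, the browser redirects and the multi-factor login are assumed to happen outside the code.

```python
import hashlib
import hmac
import secrets

class IdentityManager:
    """The bank: holds verified customer data and releases a minimal subset."""

    def __init__(self):
        self._clients = {}  # client_id -> (secret digest, redirect URI, allowed claims)
        self._records = {}  # customer -> claims on file
        self._codes = {}    # one-time code -> (client_id, redirect URI, released claims)

    def register_client(self, client_id, redirect_uri, allowed_claims):
        secret = secrets.token_urlsafe(32)
        digest = hashlib.sha256(secret.encode()).digest()
        self._clients[client_id] = (digest, redirect_uri, frozenset(allowed_claims))
        return secret  # handed to the relying party once, out of band

    def add_customer(self, customer, claims):
        self._records[customer] = dict(claims)

    def authorise(self, customer, client_id, redirect_uri, requested, approved):
        """Runs after the customer has logged in and seen the consent page."""
        if client_id not in self._clients:
            raise PermissionError("unknown client")
        _, registered_uri, allowed = self._clients[client_id]
        if redirect_uri != registered_uri:
            raise PermissionError("redirect URI not registered for this client")
        # Release only what was requested, allowed for this client AND approved.
        release = set(requested) & allowed & set(approved)
        record = self._records[customer]
        code = secrets.token_urlsafe(24)
        claims = {k: record[k] for k in release if k in record}
        self._codes[code] = (client_id, redirect_uri, claims)
        return code  # travels back through the browser redirect

    def redeem(self, code, client_id, client_secret, redirect_uri):
        """Back-channel call from the relying party; each code works once."""
        entry = self._codes.pop(code, None)
        if entry is None:
            raise PermissionError("unknown or already used code")
        digest = self._clients.get(client_id, (b"",))[0]
        presented = hashlib.sha256(client_secret.encode()).digest()
        if not hmac.compare_digest(digest, presented):
            raise PermissionError("client authentication failed")
        if entry[0] != client_id or entry[1] != redirect_uri:
            raise PermissionError("code was issued to a different client")
        return entry[2]

class Exchange:
    """The relying party: asks for the claims its AML checks need, nothing more."""

    def __init__(self, idp, client_id, redirect_uri, wanted):
        self.idp, self.client_id, self.redirect_uri = idp, client_id, redirect_uri
        self.wanted = list(wanted)
        self.secret = idp.register_client(client_id, redirect_uri, wanted)
        self._pending = set()  # state values for verifications we started

    def start_verification(self):
        state = secrets.token_urlsafe(16)
        self._pending.add(state)
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": self.wanted, "state": state}

    def handle_callback(self, code, state):
        if state not in self._pending:
            raise PermissionError("callback does not match a request we started")
        self._pending.discard(state)
        return self.idp.redeem(code, self.client_id, self.secret, self.redirect_uri)

def demo():
    bank = IdentityManager()
    bank.add_customer("alice", {  # constructed record
        "name": "Alice Example", "address": "1 Sample St", "email": "alice@example.com",
        "nationality": "AU", "date_of_birth": "1970-01-01", "account_number": "000-000"})
    exchange = Exchange(bank, "exchange-demo", "https://exchange.example/callback",
                        ["name", "address", "email", "nationality"])
    request = exchange.start_verification()
    # The customer, already logged in at the bank, clicks "authorise" for every item.
    code = bank.authorise("alice", request["client_id"], request["redirect_uri"],
                          request["scope"], approved=request["scope"])
    claims = exchange.handle_callback(code, request["state"])
    return bank, exchange, code, claims
```

The exchange never sees a document scan, and fields it did not register for (here the date of birth and account number) stay at the bank even if it asks for them.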

 

Bitcoin: what is it good for?

Bitcoin has been a hot topic in the news over the last few weeks.

The digital currency has its adherents. The Winklevoss twins, made famous by the movie The Social Network after suing Mark Zuckerberg for allegedly stealing the concept of Facebook, now purportedly own millions of dollars’ worth of Bitcoins.

It also has its detractors. Paul Krugman has argued that the whole enterprise is misguided. Bitcoin aficionados are, he writes, “misled by the desire to divorce the value of money from the society it serves”.

Still others cannot seem to make up their mind. Digital advocacy group, Electronic Frontier Foundation (EFF) accepted Bitcoin donations for a time, but became uncomfortable with its ambiguous legal status and shady associations, such as with the online black market Silk Road, and decided to stop accepting Bitcoin in 2011. A couple of years on and the EFF’s activism director is speaking at a conference on Bitcoin 2013: The Future of Payments.

Recent media interest has been fuelled by the extraordinary roller-coaster ride that is the Bitcoin price. In early April, online trading saw Bitcoins changing hands for over US$200. At the time of writing, prices are back below US$100. As with many markets, it’s hard to say exactly what is driving the price. Speculators, like the Winklevoss twins, buying Bitcoins will have helped push up prices, while reports that Silk Road has suffered both a deflation-driven collapse in activity and hacking attacks may have contributed to the down-swings.

Bitcoin (USD) prices

Although not obvious on the chart above, dramatic price movements are nothing new for Bitcoin. Switching to a logarithmic scale makes the picture clearer. After all, a $2 fall from a price of $10 is just as significant as a $40 fall from a price of $200. The 60% fall from $230 to $91 over April has certainly been dramatic. But back in June 2011, after reaching a peak of almost $30, the price fell by 90% within a few months.

Bitcoin price history (log scale)

The volatility of Bitcoin prices is orders of magnitude higher than traditional currencies. Since the start of the year the price of gold has been tumbling, with a consequent spike in its price volatility. Even so, Bitcoin’s volatility is almost ten times higher. The chart below compares the volatilities of Bitcoin, gold and the Australian dollar (AUD).

Historical volatility of Bitcoin

A week or so ago, armed with this data, I was well advanced in my plans for a blog post taking Bitcoin as the basis for a reflection on the nature of money. I would start with some of the traditional, text-book characteristics of money. A medium of exchange? Bitcoin ticks this box, with a growing range of online businesses accepting payment in Bitcoin (including WordPress, so not just underground drug sites). A store of value? That’s more dubious, given the extremely high volatility. It may appeal to speculators, but with daily volatility of around 15%, it’s hard to argue that it is a low risk place to park your cash. A unit of account? Again, the volatility gets in the way.

That was the plan, until a conversation with a colleague propelled me in a different direction.

She asked me what this whole Bitcoin business was all about. Breezily, I claimed to know all about it, having first written about Bitcoin two years ago and then again a year later. I launched into a description of the cryptographic basis for the operation of Bitcoin and went on to talk about its extreme volatility.

I then remarked that when I first wrote about it, it was only worth about $1, but had since risen to over $200.

“So,” she asked, “did you buy any back then?”

That shut me up for a moment.

Of course I hadn’t bought any. What gave me pause was not that I had missed an investment opportunity that would have returned 20,000%, but that I was so caught up in the theory of Bitcoin that it had not occurred to me to see what transacting in Bitcoin was actually like in practice. So I resolved to buy some.

This turned out not to be so easy. While there are many Bitcoin exchanges, paying for Bitcoins means jumping through a few hoops. Perhaps because the whole philosophy of Bitcoin is to bypass the traditional banking system. Perhaps because banks don’t like the look of most of them and will not provide them with credit card services. Whatever the reason, your typical Bitcoin exchange will not accept credit card payments. Many insist on copies of a passport or driver’s licence before allowing wire transactions, neither of which I would be prepared to provide.

Eventually I found BitInnovate, which allows the purchase of Bitcoin through Australian bank branches. Even so, the process was an elaborate one. After placing an order on the site, payment must be made in person (no online transfers), in cash, at a branch within four hours of placing the order. If payment is not made, the order is cancelled. Elaborate, but manageable, and no identification is required.

But before I could proceed, I had to set myself up with a Bitcoin wallet. As a novice, I chose the standard Bitcoin-Qt application. I downloaded and installed the software, and then it began to “synchronise transactions”. This gets to the heart of how bitcoins work. As a purely digital currency, they are based on “public key cryptography”, which is also the basis for all electronic commerce across the internet. The way I make a Bitcoin payment to, say, Bob is to electronically sign it over to him using my secret “private key”. Anyone with access to my “public key” can then verify that the Bitcoin now belongs to Bob not me. Likewise, the way I get a Bitcoin in the first place is to have it signed over to me from someone else. In case you are wondering what one of these Bitcoin public keys looks like, mine is 1Q31t2vdeC8XFdbTc2J26EsrPrsL1DKfzr. Feel free to make Bitcoin donations to the Mule using that code!

In this way, rather than relying on a trusted third party (such as a bank), to keep track of transactions, the ownership of every one of the approximately 11 million Bitcoins is established by the historical trail of transactions going back to when each one was first “mined”. Actually, it’s worse than that, because Bitcoin transactions can involve fractions of a Bitcoin as well.

So, when my Bitcoin wallet told me it needed to “synchronise transactions”, what it meant was that it was about to download a history of every single Bitcoin transaction ever. No problem, I thought. Two days and 9 gigabytes (!) later, I was ready for action. Now I could have avoided this huge download by using an online Bitcoin wallet instead, but then I would have been back to trusting a third party, which rather defeats the purpose.

The cryptographic transaction trail may be the brilliant insight that makes Bitcoin work and I knew all about it in theory. But in practice, it may well also be Bitcoin’s fatal flaw. Today, a new wallet will download around 10 gigabytes of data to get started, and that figure will only grow over time. The more successful Bitcoin is, the higher the barrier to entry for new users will become. I suspect that means Bitcoin will either fail completely or simply remain a niche novelty.

Still, it is an interesting novelty, and despite the challenges, I decided to continue with my investigations and managed to buy a couple of Bitcoins. The seller’s commission was $20 and falling prices have since cost me another $20 or so. So, I am down on the deal, but, as I have been telling myself, I bought these Bitcoins on scientific rather than investment grounds.

Of course, if the price goes for another run, I reserve the right to change my explanation.

Bitcoin revisited

Just over a year ago, I wrote about the digital “crypto-currency” Bitcoin. It has been an eventful year for Bitcoin.

Designed to provide a secure yet anonymous, decentralised means for making payments online, the first Bitcoins were virtually minted in 2009. By early 2011, Bitcoin had begun to attract attention. Various sites, including the not-for-profit champion of rights online, the Electronic Frontier Foundation (EFF), began accepting Bitcoins as payment. But when Gawker reported that Bitcoins could be used to buy drugs on “underground” website Silk Road, interest in the currency exploded and within a few days, the price of Bitcoins soared to almost $30.

This kind of attention was unwelcome for some, and shortly afterwards EFF announced that they would no longer be accepting Bitcoins, fearing that this would be construed as an endorsement of the now controversial currency. Around the same time, the first major theft of Bitcoins was reported and the Bitcoin exchange rate fell sharply.

Bitcoin price history

Bitcoin Exchange Rate

More recently, another high-profile theft has caused ructions in the Bitcoin economy, prompting e-payments provider and PayPal competitor, Paxum, to abandon the Bitcoin experiment, which in turn forced one of the larger Bitcoin “exchanges” to shut down. The anonymity of Bitcoin is a design feature, but it also makes it almost impossible to trace thieves once they have their virtual hands on Bitcoins.

How much damage this does to the fledgling currency remains to be seen, but it certainly makes for a volatile currency. The free-floating Australian dollar is a reasonably volatile real-world currency but, as is evident in the chart below, Bitcoin volatility is an order of magnitude higher. That in itself is reason enough for any online business to think twice about accepting Bitcoins.

Bitcoin volatility: rolling 30 day volatility (annualised)

Whatever its future, Bitcoin is a fascinating experiment and, even if it does not survive, digital currencies of one form or another are surely here to stay.

Data sources: Bitcoin charts, Bloomberg.

Virtual currency

Thanks to my new job, the rate of Stubborn Mule posts has declined somewhat over the last few weeks (to say nothing of Mule Bites podcasts!). Still, my commute has allowed me to catch up on my podcast listening and a particularly interesting one was the recent Security Now episode about the “virtual currency” Bitcoin. Here is how Bitcoin is described on their website:

Bitcoin is a peer-to-peer digital currency. Peer-to-peer (P2P) means that there is no central authority to issue new money or keep track of transactions. Instead, these tasks are managed collectively by the nodes of the network.

Given that e-commerce is already widespread on the internet, what exactly is new about this idea of a virtual currency? The key to this question is understanding the difference between money in the form of “currency” (notes and coins) and money in the form of balances in your bank account. Currency is essentially anonymous. If I hand you a $10 note, we don’t need anyone to facilitate the transaction and you can take that $10 and spend it with no further reference to me or anyone else. To move $10 from my bank account to yours is quite different. Before we could even start, we both had to provide extensive identification to our respective banks to open bank accounts. Then, you would have to provide me with enough account information for me to instruct my bank to transfer money from my account to yours. Both banks would retain records of the transfer for a long period of time and, if the transaction was rather bigger than $10, the chances are that there may even be requirements for our banks to notify a government agency in case we were engaged in money laundering. Even if I paid you using a credit card, the information exchange would be much the same.

The Bitcoin virtual currency aims to mimic some of the essential characteristics of currency while allowing transactions to be conducted online. To do so, it makes very creative use of a powerful encryption technology known as “public key cryptography”.

Public key encryption involves encrypting data in a rather unusual way: one key is used to encode the data and a different key is used to decode the data. This is in contrast to “symmetric key encryption” in which the same key is used for both encoding and decoding data. To appreciate the difference, consider a less electronic scenario. I want to exchange messages with you using a locked box and ensure no-one else can open it. If we already have identical keys to the one padlock there is no problem. I simply pop my message in the box, pop on the padlock and post it to you. When you receive the box, you can use your key to open the box, read the message, reply and pop the same padlock on the box before sending it back. But what do we do if we don’t both have keys to the one padlock? There is a tricky solution. I put the message in the box, secure it with my padlock and send it to you. Once you get it, although you cannot open my lock, you add your own padlock to the box and return it to me. Once I get it back, I unlock my own lock and send the box back. You can then open your lock and read my message. While in transit, no-one can open the box. It’s certainly an elaborate protocol and, of course, I’m ignoring crowbars and the like, but it gives a rough analogy* for how public key encryption works.
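The two-padlock exchange above is known in cryptography as Shamir's three-pass protocol, where each "padlock" is a secret exponent modulo a shared prime. The following is an added illustration, not part of the original post; the prime, the function names and the sample message are choices made for the demonstration.

```python
import math
import secrets

# Shared, public modulus. 2**521 - 1 is a Mersenne prime, chosen for illustration.
P = 2**521 - 1

def make_padlock():
    """Return (lock, unlock) exponents with lock * unlock == 1 mod (P - 1)."""
    while True:
        lock = secrets.randbelow(P - 3) + 2
        if math.gcd(lock, P - 1) == 1:       # only such exponents can be undone
            return lock, pow(lock, -1, P - 1)

def encode(text: str) -> int:
    m = int.from_bytes(text.encode(), "big")
    if not 1 < m < P:
        raise ValueError("message must be non-empty and fit below the modulus")
    return m

def decode(m: int) -> str:
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()

def three_pass(text: str):
    """Run the exchange; return what the recipient reads and what crossed the wire."""
    my_lock, my_unlock = make_padlock()       # known only to the sender
    your_lock, your_unlock = make_padlock()   # known only to the recipient
    box = encode(text)
    pass1 = pow(box, my_lock, P)              # I lock the box and post it
    pass2 = pow(pass1, your_lock, P)          # you add your padlock and return it
    pass3 = pow(pass2, my_unlock, P)          # I remove my padlock and post it again
    received = decode(pow(pass3, your_unlock, P))  # you remove yours and read it
    return received, (pass1, pass2, pass3)

if __name__ == "__main__":
    message, wire = three_pass("meet at noon")
    print(message, [hex(w)[:18] + "..." for w in wire])
```

The locks can come off in a different order from the one they went on in because exponentiation commutes. Nothing in the three passes tells either side whose padlock was added, which is the missing authentication the post's footnote mentions.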

When it comes to data encryption, both users will create a “key pair”. One key they keep to themselves (this is known as the “private key”) and one key they can share with the world (the “public key”). I can then let you (and indeed the whole world) know what my public key is. When I want to send you a message, I encrypt it using your public key and send it to you. The only way to decode it is using your private key, which only you have. Even though everyone can find out what your public key is, only you can decode the message. When you want to send a message back to me, you encode it using my public key. So, anyone who knows my public key can send me a message for my eyes only. As a side benefit, public key encryption can also provide authentication. If you send me a message encrypted using my public key, I would ideally like to confirm that it really came from you not someone else (after all, everyone knows my public key). To deal with this, you can also send a copy of the same message encoded using your private key. Once I have decoded your message with my private key, I can also decode the second message using your public key. If the two messages are the same, I know that whoever sent me the encoded message also had access to your private key, so I can be reasonably sure it was you. In practice, authentication works a little bit differently to this, using a “hash” of the original message (otherwise anyone could decode the secret message using your public key). This authentication process is known as “digital signing”.

All of that may seem like a bit of a diversion, but public key cryptography is at the heart of the Bitcoin idea. Essentially, a Bitcoin is a blob of data and if I want to give you one of my Bitcoins, I add your public key to the blob and then sign it using my private key. This means that anyone who has access to my public key (i.e. the whole world) can confirm that I intended to pass the coin onto you. As a result, Bitcoins have their entire transaction history embedded in them! To decide who “owns” a Bitcoin, we just need to look at the last public key in the transaction chain. Whoever owns that key, owns the Bitcoin.

“How is that anonymous?” I hear you ask. Since “keys” are just strings of data themselves, there is no reason you have to advertise the fact that, say “6ab54765f65” is your public key. While the whole world can see that the owner of “6ab54765f65” owns a number of Bitcoins, that does not mean that anyone has to know your secret identity.

The other important feature of Bitcoins is that there is no centralised coordinator of the Bitcoin records. There is no bank keeping the records. The Bitcoin algorithm is public and information about Bitcoin transaction histories is shared across a peer-to-peer network which allows anyone to independently verify Bitcoin transactions.
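The transaction chain described above, as an added example that is not Bitcoin's code or part of the original post. Bitcoin signs with ECDSA; so that this runs on the Python standard library alone it substitutes Lamport one-time hash-based signatures, and the `genesis` value and the `Ledger` class are simplified, hypothetical stand-ins for a mined coin and the shared transaction history.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Lamport one-time key pair: 256 pairs of secrets; the public key is their hashes."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return priv, b"".join(H(a) + H(b) for a, b in priv)

def _bits(msg: bytes):
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(priv, msg: bytes) -> bytes:
    # Reveal one secret of each pair, selected by the bits of the message hash.
    return b"".join(priv[i][bit] for i, bit in enumerate(_bits(msg)))

def verify(pub: bytes, msg: bytes, sig: bytes) -> bool:
    if len(pub) != 256 * 64 or len(sig) != 256 * 32:
        return False
    return all(
        H(sig[32 * i:32 * i + 32]) == pub[64 * i + 32 * bit:64 * i + 32 * bit + 32]
        for i, bit in enumerate(_bits(msg))
    )

def genesis(first_owner_pub: bytes) -> bytes:
    # Constructed stand-in for a freshly "mined" coin.
    return H(b"mined:" + first_owner_pub)

def transfer(prev: bytes, owner_priv, recipient_pub: bytes) -> dict:
    """The current owner signs (previous link hash + recipient's public key)."""
    return {"prev": prev, "to": recipient_pub, "sig": sign(owner_priv, prev + recipient_pub)}

def link_hash(link: dict) -> bytes:
    return H(link["prev"] + link["to"] + link["sig"])

def current_owner(first_owner_pub: bytes, chain: list):
    """Return the last public key in the chain, or None if any link fails to verify."""
    owner, prev = first_owner_pub, genesis(first_owner_pub)
    for link in chain:
        if link["prev"] != prev or not verify(owner, prev + link["to"], link["sig"]):
            return None
        owner, prev = link["to"], link_hash(link)
    return owner

class Ledger:
    """Shared record of which link spent each coin state."""

    def __init__(self):
        self.spent = {}  # previous link hash -> hash of the link that spent it

    def accept(self, first_owner_pub: bytes, chain: list) -> bool:
        if current_owner(first_owner_pub, chain) is None:
            return False
        hashes = [(link["prev"], link_hash(link)) for link in chain]
        if any(self.spent.get(prev, h) != h for prev, h in hashes):
            return False  # that coin state was already signed over to someone else
        self.spent.update(hashes)
        return True

def demo() -> dict:
    (a_priv, a_pub), (b_priv, b_pub), (_, c_pub), (m_priv, m_pub) = (keygen() for _ in range(4))
    to_bob = transfer(genesis(a_pub), a_priv, b_pub)
    to_carol = transfer(link_hash(to_bob), b_priv, c_pub)
    redirected = dict(to_carol, to=m_pub)                # recipient swapped, signature untouched
    wrong_key = transfer(link_hash(to_bob), m_priv, m_pub)  # not signed by the owner
    again = transfer(genesis(a_pub), a_priv, c_pub)      # first owner signs the coin over twice
    ledger = Ledger()
    return {
        "owner_is_carol": current_owner(a_pub, [to_bob, to_carol]) == c_pub,
        "redirect_rejected": current_owner(a_pub, [to_bob, redirected]) is None,
        "wrong_key_rejected": current_owner(a_pub, [to_bob, wrong_key]) is None,
        "first_spend_accepted": ledger.accept(a_pub, [to_bob]),
        "second_spend_signature_valid": current_owner(a_pub, [again]) == c_pub,
        "second_spend_accepted": ledger.accept(a_pub, [again]),
    }
```

The last two results show why signatures alone are not enough: the second transfer of the same coin verifies on its own, and only the shared history rejects it.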

It’s a fascinating idea and I don’t know if it will take off. It is only in beta, but there are a number of websites that have begun accepting Bitcoins for payment, as well as sites which will trade Bitcoins for “real” money. I will be watching with interest.

* It really is quite rough, only showing that a secure exchange without key exchanges is possible. Other features, such as authentication and the key asymmetry (either key can lock and then the other key unlocks) are not captured.