This week, Celsius Network released a large document containing all of its customers’ account balances.
The move is part of the company’s ongoing restructuring process following its Chapter 11 bankruptcy filing earlier this year. The filing reflects user balances as of July 13, 2022, when the company’s restructuring began, and customer transactions that occurred in the 90 days prior to the Chapter 11 filing, according to the company’s FAQ.
Unsurprisingly, the release of this detailed customer data, including balances, transactions and names, sparked an uproar on Twitter. Not only does this information expose each user’s finances, but it also allows observers to analyze the blockchain and de-anonymize on-chain addresses, as transaction amounts and dates are detailed in the document.
Putting it all together, it’s clear that users’ privacy was invaded and their security compromised. But don’t worry (yet); this article reviews why this happened and what can be done to mitigate some of the threats if you are among the doxxed users.
Why did Celsius make this document public?
As mentioned above, this document is part of Celsius’ restructuring process. Celsius was forced to disclose customer information because of the transparency required by US law. While this usually applies only to company assets, Celsius held client assets in custody, so those were affected as well.
According to a court filing, Celsius filed a request to redact customers’ personally identifiable information (PII) before the document was made public. The lender presented three arguments.
First, Celsius argued that such a large database of consumer information was too valuable for the company to make public. Doing so would “significantly diminish the value of the customer list as an asset in any future potential asset sale,” the company said.
Second, Celsius argued that if customers’ PII were revealed, they could become targets of “identity theft, blackmail, harassment, stalking and doxing,” according to the court filing.
Finally, the cryptocurrency lender argued that since many of its customers reside in different jurisdictions around the world, disclosing their PII could “expose [Celsius] to possible civil liabilities and significant financial penalties”. The document specifically notes the UK General Data Protection Regulation (UK GDPR) and the European Union GDPR.
The US Trustee, on the other hand, argued that Celsius “cannot rely on any exception to the general rule that bankruptcy proceedings must be open, public and transparent” and has offered “nothing more than vague statements supporting your request” to redact the confidential information.
They also argued that the PII that Celsius tried to redact “is not confidential or commercial information.”
“The US trustee argues that [Celsius’] privacy policies themselves support the argument that customer information is non-confidential because it allows customers’ names and contact information to be shared with third-party ‘business partners’ and is therefore non-confidential,” according to the court document.
Additionally, the “United States Trustee asserts that the information is not actually commercial in nature because the debtors do not seek to withhold the names and identifying information of all creditors and instead request that the identifying information only be redacted for certain creditors, but the information with respect to another group will be fully disclosed because of where those creditors live.”
Regarding international laws, the US Trustee also reasoned that US bankruptcy law, under which bankruptcy proceedings should be public, should prevail over the UK GDPR and the EU GDPR.
Finally, and most surprisingly, “the US administrator states that [Celsius’] arguments that creditors could be subject to violence if their identities were revealed amount to anecdotal evidence, which does not reach the level of evidence necessary to overcome the presumption of open and public bankruptcy.”
In response, Celsius filed another motion, attempting to implement a full anonymization process so as not to reveal detailed user information. This went beyond the initial motion, which asked for the ability to redact the home address and email address of US customers and the name, home address and email address of UK and EU customers.
The court ruled against most of Celsius’ requests. It ruled out differentiating between US and UK/EU customers based on the above arguments and allowed the company to redact only home and email addresses. It completely denied the motion for anonymization.
Here’s what doxxed users can do
Users exposed in the Celsius documents have several options, but none of them can erase the past. The closest thing to that: if the release of these data points has the potential to tangibly harm an individual, they can legally change their name as an (extreme) option of last resort. They could also move to a different address, but since the court allowed Celsius to redact home addresses, that may not be as important an issue to mitigate. It’s worth noting, however, that unredacted versions of the submissions are accessible to “the US Administrator and the Committee’s counsel, and any interested parties” who request and are granted access, so a case for moving can still be made.
Users can also take steps to mitigate some of the threats in the digital world. When it comes to on-chain addresses that observers can de-anonymize by looking at the blockchain and the information revealed in the document, good privacy-focused tools can come to the rescue.
The easiest option is to CoinJoin funds. While this will not erase the user’s transaction history, if done correctly, it will give the user good forward-looking privacy. This means that spending from this point on will not be clearly seen as a transaction coming from the doxxed user. (Similar to how the bank knows when you withdraw cash from an ATM, but then can’t get detailed information about what you spend it on.) The user can also turn to other privacy tools, such as PayJoins, which also break the heuristics used by bad actors to infer information from chain data.
But perhaps the most important thing users can do is adopt a low-time-preference approach and avoid using centralized services that collect user data. Financial services companies around the world, in cryptocurrency and beyond, must comply with Know Your Customer (KYC) and Anti-Money Laundering (AML) rules. While these laws are probably well-intentioned, their effectiveness is disputed and the disadvantages are clear, as in this Celsius case.
In the information age, data is the most valuable commodity, and as such, companies that collect large amounts of data become honeypots, effectively becoming the target of cyber attacks as hackers and others seek to monetize this information.
While world governments are oblivious to this gigantic problem in the 21st century, users are incentivized to do whatever they can to take ownership of their data and reclaim their privacy. Because the status quo forces people to share as much as possible about their lives, the right to privacy should not be seen as something that law-abiding citizens do not need, but as the very right that enables all the others.