Most of us, like myself, became aware of Sam Bankman-Fried because of the purchase of Blockfolio by a newly formed entity called FTX. Over several weeks the Blockfolio app was rebranded as the FTX app, which now had its own exchange. It also had a new set of Know Your Customer rules, Anti-Money Laundering policies, a new Terms of Service, as well as its own custodial wallet held by FTX, we assumed.
Here you can see the Terms of Service at Blockfolio from June 30, 2017:
Blockfolio avidly argued that they were not selling and would not ever sell user data. Blockfolio even attempted to de-identify users with a hashing mechanism for IDs so that not even they themselves could identify users and connect user portfolios to email addresses; this apparently never happened after the purchase and transformation into FTX.
Source: FTX Terms Of Service 2022
This all has brought up questions around this merger and the acquisition that happened in the cryptocurrency industry only a few years ago. I am concerned because after the fallout of this exchange, FTX going bankrupt and all of its assets potentially being put up for auction, I would like to know the state of the personal identification information that FTX had been forced to gather because of KYC and AML laws. My concern is the vast amount of information gathered including passports, phone numbers, IP addresses, home addresses, cryptocurrency wallet addresses, email addresses, passwords and government IDs. All of these could be sold at auction as customer data or customer profiles to whoever finds them valuable.
Now the assets held by FTX, whether they were actually real cryptocurrency such as bitcoin or made-up tokens built on another layer one network such as ethereum, are not too important in this conversation in my opinion. What is important is the data, the privacy data, the data mining operation that could have been or will be done on all of this data FTX had gathered on customers, whether it was done by them or will be done by whoever buys this data at auction. Even more so, the jurisdiction of that data is open to anywhere on earth.
As someone who has personally worked on coin analysis concepts and technology for the United States Military, as well as consulted on this for the Department of Defense as a so-called “subject matter expert,” I can personally attest that it is very easy to correlate a person to their Bitcoin wallet address using nothing more than the amounts of bitcoin held on specific addresses, as well as the device data that is keeping track of those specific amounts on specific addresses — this is simple SIGINT, MASINT or HUMINT, all of which are different forms of intelligence gathering.
Source: Wikipedia Search For HUMINT
If you are keeping track of any bitcoin on any wallet over any Bitcoin explorer that is viewed through a browser or app on any device, phone, laptop or tablet, there is now a record that will be connected to the IP address, the MAC number, the SIM phone number, the VOIP number, credit card number, home address and any other personal identifying information that is attached in any way to this device. I know this because Edward Snowden leaked documents showing that the NSA had a program called XKEYSCORE and that applications like OAKSTAR and its subprogram MONKEYROCKET were used at the NSA specifically to keep track of Bitcoin users.
Now what I’m getting at is this data that FTX was forced under AML and KYC law to gather. This is potentially one of the largest gatherings of this type of data ever done in the history of the cryptocurrency industry. This data, combined with coin analysis information related to bitcoin, ethereum and other cryptocurrency amounts being tracked by the previously titled Blockfolio app, has created a situation where KYC personal identifying information can now be superimposed over Blockfolio email addresses, UTXOs and watch addresses that plenty of people used on Blockfolio without any personal information being divulged to the app.
So this means that people who used Blockfolio to keep track of the amount of cryptocurrency they had, wanted to buy or were keeping track of for whatever reason will now be able to be correlated to very detailed personal identification information. The concern I have is not whether FTX and its hundreds of subsidiaries were keeping track of this information from Blockfolio or using it in any way, but that their vast new pool of customer information and data will be bound in the future to the Blockfolio data. I don’t assume FTX was intelligent enough to do this for any purpose such as advertising, or data sharing with a hedge fund, like Robinhood was caught doing, but I do assume that they may have considered selling this data to law enforcement agencies, to advertisers or to actors in the intelligence community, as SBF said there was an open door to regulators and law enforcement agencies at FTX.
What we need to think about now is that when the assets of FTX go up for auction, which they will, not only the digital currencies and tokens as well as the licenses will be sold to some new party, but also the customers themselves, their personal identifying information and the massive data mining that could have been or will be done with that data.
I was never an FTX user, I never created an account with FTX or FTX.us and I never wired any money to Alameda. Unfortunately, because of my longevity in the Bitcoin space, I used Blockfolio like many Bitcoin users before me to keep track of the amounts of Bitcoin I had in multiple locations and their total value. Now that data that I thought was private will be connected to KYC data of anyone I know or interacted with over a wire and any device they used, especially if through multiple connections it leads back to FTX in any way.
What we need to do now is ask the serious questions and not focus on the financial obligations or mishandlings of SBF and FTX. We must ask: Who has this data? What has been done with this data, and who will be owning this data in the future? The reality is FTT dissolving into nothing isn’t a “Force Majeure Event,” so most of the users are screwed.
Source: FTX Terms Of Service 2022
If this at all concerns you or involves you, I would suggest we all find the proper channels to protect ourselves from the worst-case scenario from this fallout of data. This is the biggest problem with KYC and AML laws, because after all of this financial chaos, there is now a criminal-run exchange that is in possession of millions of people’s personal information about their devices, their homes, their financials and more, all available to the highest bidder.
You must sign in through Zendesk to view the missing Blockfolio TOS/PP as well as the new FTX TOS/PP, which means I had to give an email and PPI to even see the documents.
This is a guest post by Morgan Rockwell. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.