This week, Celsius Network released a lengthy document containing all of its customer account balances.
The move is part of the company’s ongoing restructuring process following its Chapter 11 bankruptcy filing earlier this year. The document reflects user balances as of July 13, 2022, when the company’s restructuring began, and customer transactions that occurred in the 90 days prior to the Chapter 11 filing, according to the company’s FAQ.
Unsurprisingly, the release of such detailed customer data, including balances, transactions, and names, caused a scandal on Twitter. That information not only sheds light on each user’s finances, but also allows observers to analyze the blockchain and de-anonymize addresses on the chain, as transaction amounts and dates are detailed in the document.
Putting it all together, it is clear that users’ privacy was invaded and their security compromised. But don’t worry (yet); this article reviews why this happened and what can be done to mitigate some threats if you are among the doxxed users.
Why did Celsius make this document public?
As mentioned above, this document is part of the Celsius restructuring process. Celsius was forced to expose customer information given the transparency required by US law. While that generally applies only to company assets, Celsius held client assets in custody, so those were affected as well.
According to a court document, Celsius submitted a request to reduce, through a redaction process, the customer personally identifiable information (PII) that would be published. The lender presented three arguments.
First, Celsius argued that such a large database of consumer information was too valuable for the company to make public. Doing so “would significantly decrease the value of the customer list as an asset in any potential future asset sales,” the company said.
Second, Celsius argued that if customers’ PII were revealed, they could become targets of “identity theft, blackmail, harassment, stalking, and doxing,” according to the court document.
Finally, the cryptocurrency lender argued that since many of its customers reside in different jurisdictions around the world, disclosing their PII could “expose [Celsius] to potential civil liability and significant financial penalties.” The document specifically points to the United Kingdom General Data Protection Regulation (UK GDPR) and the European Union GDPR.
The US trustee, on the other hand, argued that Celsius “does not and cannot rely on any exceptions to the general rule that bankruptcy proceedings must be open, public and transparent” and has offered “nothing more than statements that support your request” to redact the confidential information.
They also argued that the PII Celsius sought to redact “is not confidential or business information.”
“The United States Trustee argues that [Celsius’] own privacy policies support the argument that customer information is not sensitive because it allows customer names and contact information to be shared with third-party ‘business associates’ and is therefore not sensitive,” according to the court document.
Further, the “U.S. Trustee contends that the information is not truly business in nature because the Debtors do not seek to remove all creditor names and identifying information and instead request that identifying information be removed only for certain creditors, ‘but information regarding another group will be fully disclosed because of where those creditors live.’”
On the international law aspect, the US trustee also reasoned that under US bankruptcy law, bankruptcy proceedings should be public, and that this should take precedence over the UK GDPR and the European Union GDPR.
Finally, and most shockingly, “the Trustee of the United States holds that [Celsius’] arguments that creditors could be subject to violence if their identities were revealed amount to anecdotal evidence, which falls short of the level of evidence necessary to overcome the presumption of open and public bankruptcy.”
In response, Celsius filed another motion, seeking to implement a full anonymization process so as not to reveal detailed user information. That went beyond the initial motion, which requested the ability to redact the email address and home address of US customers and the name, home address, and email address of UK and EU customers.
The court ruled against most of Celsius’s requests. It ruled out differentiation between US and UK/EU customers based on the above arguments and allowed the company to redact only home and email addresses. It completely denied the anonymization motion.
This is what doxxed users can do
There are many options one can take if one finds oneself exposed in the Celsius documents, but none of them will erase the past. The closest one can get to that, in case publishing those data points has the potential to tangibly harm the person, is to legally change names as an (extreme) option of last resort. One could also move to a different address, but since the court authorized Celsius to redact home addresses, that might not be as big an issue to try to mitigate. It is worth noting, however, that the unredacted versions of the submissions are accessible to “the US Trustee and the Committee’s counsel, and any interested party” who requests and is granted access, so the case for moving house can still be made.
Users can also take steps to mitigate some of the threats in the digital world. When it comes to on-chain addresses that observers can de-anonymize by looking at the blockchain and the information disclosed in the document, good privacy-focused tools can come to the rescue.
The simplest alternative is to CoinJoin funds. While that won’t erase the user’s transaction history, if done correctly, it will allow the user to enjoy good, forward-looking privacy. This means that spending from then on will not be clearly detected as a transaction coming from the doxxed user. (Similar to how the bank knows when you withdraw cash at an ATM, but can’t get detailed information about what you spend it on next.) The user can also turn to other privacy tools, such as PayJoins, which also break the heuristics used by bad actors to infer information from chain data.
But perhaps the most important thing users can do is take the low-time-preference approach and avoid using centralized services that collect user data. Financial services companies around the world, in cryptocurrencies and beyond, must comply with know-your-customer (KYC) and anti-money laundering (AML) regulations. While such laws are likely well-intentioned, their effectiveness is questioned and the downsides are clear, as in this Celsius case.
In the information age, data is the most valuable commodity, and as such, companies that collect vast amounts of data are caught in the trap and become targets of cyberattacks as hackers and others seek to monetize that information.
While the governments of the world do not recognize this gigantic 21st-century problem, users are encouraged to do what they can to take ownership of their data and reclaim their privacy. Since the status quo pushes people to share as much of their lives as possible, the right to privacy should not be seen as something that law-abiding citizens do not need, but rather as the right that enables all the others.