Your Privacy is Not Guaranteed Online: Introducing A Framework for Privacy in eCommerce via Bitcoin
Josh Humphrey is the infrequent host of the Bottomshelf Bitcoin
In today's world of cancel culture, doxxing, and collusion between tech companies and government agencies to harass and interfere with businesses that offend their delicate sensibilities, there is a need for the ability to conduct online business in a way that protects the privacy of the business, its employees, suppliers and customers.
One of the biggest problems with the current digital fiat system is the need for identity verification as a form of collateral against credit card fraud or chargebacks.
These supposed security measures however, turned out to be pretty weak, and actually transformed stores and databases (which were never meant to be secure vaults) into honey pots of sensitive data for hackers and points of control for bankers and government agencies.
We've seen banks, stores and even crediting agencies themselves get hacked and have their customers information taken. We've also watched governments make use of their power over banks to cut off entities like WikiLeaks and Defense Distributed.
But now we have Bitcoin, and as the saying goes, Bitcoin fixes this.
Bitcoin is a push only system. This sacrifices conveniences of subscriptions and recurring payments for the security of finality.
Yes, we could debate about the amount of blocks one should wait to consider a transaction confirmed and theoretically, an alien hash-bomb could re-org us all back to the Genesis block, but you cannot simply cancel or reverse a Bitcoin transaction by calling your bank.
Because of this, Bitcoin obviates the need for information collateral and therefore allows us to make truly private electronic transactions, where the buyer and seller need not exchange identifying information.
This is the central idea of the framework presented here, which I call Mithril
. These are not new ideas, but rather a conglomeration of existing ideas and methods, combined into a framework to help with the launching of privacy conscious businesses powered by Bitcoin.
1. The outrage mob wants to destroy anything of controversy or good humor
2. Don't put your real name on anything
3. Pay with Bitcoin
4. Only accept Bitcoin (Use BTCPayServer)
5. Use Nyms and PO boxes
6. Encourage and use mixing technologies
7. Educate your customers
What's in a name?
The easiest attack is the social one. This typically consists of screeching about a person or business on social media and hoping that this shames them into bending to your will.
If this doesn't work, the next step is attempting to shame someone else that does hold sway over your enemy. If you've seen or read The Crucible, you'll remember the climactic scene where John Proctor tears up his signed confession and allows himself to be hanged rather than submit his family and descendants to the shame of having his name forever displayed as a witch.
(Side note: There's a lesson to be learned here. Public apologies will not appease the outrage mob). If what you're selling is essentially yourself, this may be hard to combat.
Consider someone like Owen Benjamin, a comedian who was blackballed for having the audacity to say that people shouldn't give their children drugs or surgery to transition them to a different gender.
Owen has been able to make use of alternative avenues like podcasts and youtube to get his content out there and is still able to sell shows, but he can't just rebrand himself anonymously. If you're selling a product though, especially a good one, chances are customers don't care about the name(s) behind the product.
Do you care about the name of the guy who designed your laundry detergent? I'm guessing no.
What's my point? Unless your name is critical to the success of the product, keep it separate and a secret. There's no need to tell all of your customers your name. In fact you should create an entirely separate set of contact information for this business.
I recommend starting with a cash purchase of a prepaid cellphone. It would be nice if your phone number wasn't required, but the reality is, it is harder and harder to find email providers that do not require another email address or a phone number.
Use cash in person to buy and activate the burner number and use this to activate a privacy focused / pseudonymous email like ProtonMail.
ProtonMail does accept Bitcoin for their higher tier mail services, but confusingly only for already active accounts. You cannot initialize an address with Bitcoin.
Either way, once you have your email address, you can register social media accounts or whatever you need for your company with that address. Use this email for things you'll be receiving on a regular basis.
For one-off things that require an email address, I recommend TenMinuteMail.
We'll hit this multiple times in this article, but now that you've worked to create your privacy DON'T SCREW IT UP. Don't share something on the company social media and then turn around and be the first person to repost it or smash the like button from your personal account.
Don't repost things from your personal account to the work one. These are separate entities, do not associate them. In fact, if you want to step it up, use a separate browser (preferably TOR) or at least use incognito mode.
Alright, remember what I said about people who hold sway? You have to protect yourself there as well. You can't do much about social media.
There are no good meteorologists for how the winds of TOS enforcement are blowing at Twitter, YouTube and Facebook on any given day, but the sum of the evidence leans towards suppressing anything that can be construed as different from the NPC marching orders.
It would be a good idea to familiarize yourself with Gab and Mastodon in the event that you're forced to use them one day.
Where you do have more options is in the realm of webhosting, domain registration and DNS proxies. We have seen in the past that companies like Cloudflare, GoDaddy, Zoho and others are willing to drop clients that are socially objectionable rather than commit to defending free speech.
But despite this, 8chan, the Daily Stormer (regardless of my personal feelings about them) and others have found providers and are still online. Because I can't see the future, rather than tell you specific companies to use, I'm gonna give you things to look for in a domain registrar, webhost, and any other third party you are forced to depend on:
1. They don't require identifying information
2. They accept Bitcoin
3. (bonus) They have history of sticking up for free speech or at least ignoring troll mobs
4. (bonus) If state actors are part of your harassment threat model (IRS, ATF, CNN, whatever), consider picking a host outside of their jurisdiction.
1 and 2 are usually a packaged deal. If they do ask for a name, see if a pseudonym works. Assuming they take Bitcoin, they probably won't make any effort to verify your identity.
If they require a phone number you've got that covered with the burner number. If you find one with 3 and/or 4 that's gravy on top. Even without 3, the worst they can do is cut you off. Not great, but they can't give up your identity.
One last thing on names: protect the names of your suppliers or any other company you deal with upstream of the end client.
There's usually not much reason to give these names out anyway, but you want to protect them from harassment and keep them from becoming a way for your enemies to get to you as well.
Dirty Fiat Surveillance
As I mentioned earlier, digital payments over fiat rails, specifically credit cards, debit cards and bank transfers, all leave bright shiny trails and they have many checkpoints along the way.
Payments can be blocked by either party's bank, as well as various government agencies. On top of that, in order to accept payments for your website, you need to employee some sort of payment processor.
The most popular processors are Stripe, Square and Paypal, though there are several others as well. Paypal famously cut off Wikileaks in 2017 (luckily they've accepted Bitcoin since 2011). Both Paypal and Stripe gave Gab the boot after a Pittsburgh shooting, because free speech is the same as murder or something.
You could argue that the WikiLeaks thing was forced on Paypal by the U.S. government but that still makes my point. Even if they don't cut you off, they are selling your purchasing behavior on a grand scale for other companies to analyze.
For a great look at where your data goes when you purchase with Paypal, see Rebecca Risks' visualization
. Lastly, even eCommerce services (the part of the site that handles the inventory and shopping experience) like Shopify have been complicit in cutting off businesses
that were firearms related, without a care for companies that had practically built their entire platform around their service.
There is no way to know what issue will be taboo tomorrow, and we're gearing up for another election cycle in America, which means the emotions and rhetoric will be on full-strength.
With so many opportunities for failure, how does one operate an online business without being in a constant state of dependence on fickle third parties?
Stop. Accepting. Fiat.
This is easier said than done for already established companies, especially large ones. Smaller companies are more nimble and able to make such a change, though it is still complicated depending on the tax rulings in your area. But for a new business, it's simple, just don't ever start accepting fiat.
An Open Source Stack
Assuming you want to reach a wide audience and not be dependent on third parties (they're security holes), I highly recommend the following stack: Wordpress, WooCommerce, BTCPay Server.
WordPress is an Open Source website framework. While it is not the easiest or best to work with, it's been around for a while, you don't need anyone's permission and it is well documented.
There are also a million plugins available (some free, some paid) for anything you don't want to code yourself. WooCommerce is a commerce platform for listing items. It's got a plugin for WordPress and is, again, well documented and free.
These are pretty standard tools in ecommerce sites, so I'm not going to explain how to install or set them up here because there are a million tutorials out there. The main difference for us is that instead of using Stripe or Paypal, we next use BTCPay Server.
If you've been living under a rock for the past two years, BTCPay Server was the brain child of Nicolas Dorier, who in a fit of righteous anger sent out a tweet to the biggest bitcoin processor at the time Bitpay, saying that he would make them obsolete.
Over the last two years he has been joined by a team of geographically disparate developers working to create a fabulous product for processing bitcoin payments in a self-sovereign way.
is an amazing tool that let's you process your own Bitcoin payments in a non-custodial fashion without risk of loss.
BTCPay accomplishes this by allowing users to input public keys (xpubs) from a separate wallet, including hardware wallets like ColdCard or Trezor. Connecting your public keys allows BTCPay to serve up new individual addresses for each customer checkout interaction, without having access to your private keys.
BTCPay will keep track of these invoices and is capable of outputting all invoice information as CSVs so you can do whatever you want with this data. While it is possible to use another person's BTCPay instance, I discourage it because that gives the owner of that server access to your xpub, meaning they know which UTXOs are yours. They can't steal your funds, but they can definitely track you.
BTCPay also works with Lightning Network, though it requires its own full node to do so. These means you can ignore all the FUDers going on and on about high fees and skip straight to the micro-payments. Privacy for your coffee addiction!
Lightning also adds a layer of privacy, since it makes use of onion routing and also doesn't have change addresses.
Again, you'll need to run your own instance and not use somebody else's to make use of lightning. Just like with the web hosts and domain providers, I'm not going to recommend a specific way of setting up BTCPay.
Since your needs may differ from other people's and as the project is constantly updated, I don't want to give a walkthrough on something that will become obsolete in a few months.
say that over at BTCPayserver.org
they have plenty of tutorials. I have also had good experience with LunaNode in the past and that they have finally decided to run their own BTCPay server (when Lightning?) and don't force you to pay them via Bitpay, so that's a plus.
But nobody knows what will happen in the future, so check out BTCPay for the most up to date practices on actual installation.
If your product is digital, like music or images, you could be done here, since this stack would allow email or digital downloading at this point. However I'm assuming you're sending physical goods.
Why Individual Addresses Matter
Let's step back a second though, and look at why generating new addresses for each client and pairing to their invoice matters. Let's say that for the most basic bitcoin commerce you post items on a page or social media with a single bitcoin address and people email or DM you with what they want.
Once they pay the appropriate amount to that address, they send you another email with the transaction ID so you can match to their order. Now you have to keep checking block explorers to make sure you get enough confirmations.
Once that is done you mail it to them. In this scenario the business has the headache of matching transactions to invoices and making sure there are sufficient confirmations.
On the client side they've paid to a known, public address. Now let's imagine that the next customer is a member of antifa or the proud boys or some other socially objectionable group and they blab about it on social media.
Now this public bitcoin address is known more publicly and anyone doing blockchain surveillance can say (whether true or not) that everyone contributing to this address is also a member of said objectionable group.
Anyone with a brain can say this is absurd, but that doesn't stop the outrage mob and we all know it. It also provides an anchor from which to track back all inputs to this address and attempt to dox those customers.
In short, using a single address is bad for customer privacy.
Conversely, with BTCPay you have individual addresses for each transaction and BTCPay connects that transaction to the invoice on your commerce platform. In fact it will monitor and send you an alert when your customizable preferred amount of confirmations have been reached.
Data Retention (or Not)
Lastly, BTCPay combined with WooCommerce has another privacy feature that is probably underutilized, but has incredible potential. You can set how long the database retains customer information. This means you can choose to erase your customers' info after 30 days, after 7 days, or whenever it has arrived if you use order tracking.
This means that if some enterprising "hacktivist" or government agency abusing their power compromises your database, they have only the "in process" orders to work with, not your entire client history.
The downside to this is that once the customer's info has been dumped there's not much available in the way of proof for customer support. I recognize this is difficult for some people to accept, but it's a tradeoff. I also believe that there will be someone clever who comes up with a way around that in the future.
Unfortunately there isn't much you can do to prove to your customers that you've dumped their info. I have a proposal on this but you'll have to read through the rest of the article (or jump to the bottom) for that.
Okay so you've got a web store set up with Wordpress, WooCommerce and BTCPay server and the orders are rolling in. Now you need to ship your products. As much as I dislike USPS for their slow, inconsistent results and their monopoly on residential mail, they are usually the cheapest option in the U.S. so that's what I'll discuss here.
However there are plenty of third party processors out there that will let you order labels, etc. right from your Wordpress instance and then just drop the product in the mail instead of walking in to the post office. Unfortunately I haven't found any that will accept Bitcoin anonymously yet.
If you know of one, let me know so I can check them out! I highly recommend having a PO Box for your company so your home address isn't attached to anything. At least in the U.S. you will be required to have a government ID to open a PO Box.
However once it has been created, you can add additional people who are authorized to pick up mail from your box. Here's the great thing, you should be able to add a pseudonym like "John Smith" as an authorized person and then simply give out "John Smith at PO Box 123" as the address for all of your business needs. You don't need to list your business' name or yours.
In my experience though, if you don't add this authorized person, any mail to John Smith will get kicked back to the sender. When you send your packages, you'll have to decide whether or not you want to make use of tracking. If you're shipping the same thing with a low monetary value and consistent weight, you could just slap the right number of stamps on it and drop it in a mail box (again, assuming USPS).
If you have a higher value item though, you'll probably want tracking on it. At least your customers will. If you choose tracking, you'll have to either physically go in to the post office, which is about as pleasant as the DMV, or pick a shipping service as mentioned above that lets you buy paid labels.
If paying for labels, I recommend using prepaid Visa gift cards or similar, bought with cash at local stores.
Now for the packaging. Conventional business practices would recommend that you make your packaging part of the experience. You know when you see a package at your door whether or not it came from Amazon.
They've even turned it into its own form of advertising, which is great when you don't care if people know what it is. However that's not our goal here. If you're going for privacy, keep it low key.
Boring, simple boxes and tape. Nothing to draw attention to yourself or your customer. The reality is that USPS doesn't scan every package, they don't have the time or manpower to do that.
But if you put "we sell gun parts!!! Pew! Pew!" on your box, then don't be surprised if they start scanning your stuff periodically. Also, since you have a pseudonym and a PO Box, if you need to list a return address, use those instead of your business name.
Lastly, when considering shipping, part of this should be educating your customers that they should be using privacy practices as well. I'm engaging in post-mortem equestrian abuse here, but since you got paid in bitcoin you don't need their personal info.
All you need is an address to send it to. So you should teach your customers to give you a pseudonym for the order and a PO Box to ship to. Same thing for them though, they'll want to list that pseudonym with the post office so the package doesn't bounce back to you.
Bonus: For the extra paranoid, register your PO Box at a post office that isn't near your house and drop your packages in a different mailbox location.
Mix it up.
This is probably not necessary, but the only trade off is inconvenience so decide for yourself.
Following the above protocol will deter your average blue checkmark or snoopy blogger...er...journalist. But those with technical know-how or money to buy it, will be able to track transactions on the blockchain. How? If I was trying to track your store, here's what I'd do:
1. Buy your product. Pay for it with bitcoins and make a note of the bitcoin receipt address. This provides me with a known address that you control and serves as a starting point for my blockchain tracking.
2. Set an alert for when bitcoins are sent from the receipt address I used to pay you. This lets me know that you are moving the bitcoins I sent you.
3. Check all inputs. If the bitcoin transaction used to spend coins from your receipt address includes inputs from other bitcoin addresses, I can assume that you also controlled these coins as well. Evaluating the additional inputs may lead to information about other customers and purchases. Now I'm going to track them back and see if I can doxx them.
4. Keep watching the bitcoin move and see if I can associate your outputs with other known entities. Who are your suppliers or infrastructure providers?
So how do you thwart this? One way is to use Lightning. I mentioned it briefly earlier, but since lightning payments use an onion routing system, you can't audit the lightning payments, only opening and closing channel payments.
Lightning isn't perfect privacy, but it's similar to TOR in that whatever happens between exit nodes is difficult to track.
Another way to protect yours and your customer privacy is to Coinjoin any on-chain payments. I personally recommend Samourai Wallet's Whirlpool, as I think it is the best, but other's would disagree. You can read more on Whirlpool here
(or the Github repo here
The Coinjoin transactions will help break the link between your coins' past and future transaction histories. This is not a privacy silver bullet, but Coinjoin makes the analysis described above extremely difficult if done properly.
While everything in this article should be taken as a work-in-progress, this part is definitely in alpha. For Whirlpool, inputs should be greater than or equal to multiples of whatever denominated pool you choose to participate in.
For example if you're in x pool, you need at least x bitcoins to fund that transaction plus miner and mixing fees. Ideally you would coinjoin more than 2x the pool size to reduce your fee paid.
If you have 0.8x (let's call this UTXOa), sorry you'll have to complete another transaction in which you combine it with something at least 0.2x (UTXOb) and *then* move that 1x into the Whirlpool mixer.
Merging UTXOa and UTXOb is a problem, because blockchain spies will assume that a single entity controlled these coins. This can be damaging to yours and your customer's privacy, because now you've linked a and b, which we are trying to avoid.
Using Samourai Wallet's Ricochet transaction feature to send these UTXOs to yourself will put distance between your receipt transactions and mix transactions. Samourai Wallet also has additional transaction tools such as STONEWALL (which are mini-fake coinjoins) that allow users to merge UTXOs in a transaction with better privacy than a normal bitcoin transaction.
Neither of these tools are foolproof, but again they make the analysis described above more costly.
Another possible solution would be to make use of two lightning nodes that are not directly connected to move funds across the lightning network through routing nodes and then combine those funds (different UTXOs at that point) on the other end into a Tx0 address.
I'm still working on smoothing out the explanation of this. It's also very tedious because each UTXO has to individually be moved from whatever wallet it's in to a Lightning wallet, then to a lightning channel, then the value moved across the lightning network to a channel on your second node, then that channel closed and only then can you combine those other UTXOs to one Tx0 input.
I'm hopeful that we can get some sort of Coinjoin included into BTCPay in the future and I'm also looking into the possibilities with LoopOut
as it gets developed. If you have more suggestions, please contribute to the Github repo
The Seized Server Problem
The final thing I'd like to add which I teased earlier is a proposed method for providing more transparency to customers regarding what information about them you have.
Let us assume you are using the information dump feature mentioned earlier. You've set it up so that, as soon as the package is marked "delivered", the database erases all information for that order. In this way, if for some reason your server is seized, there is no information out there on customers who have concluded their business with you.
But what about customers that have placed orders, but not yet received their items? That information is still available in the database. Yes they used a pseudonym and didn't give their home address (if they followed your instructions), but it doesn't take much to link that PO Box listed to the real owner if the malicious party has government authority.
At this moment, I don't know how much we can do to stop this, but we can at least make our customers aware.
At some level this idea is still trust based, but it is a step in the right direction. Here's how it would work in theory, though I'm not a programmer so I haven't actually tested this yet:
A script on the WordPress/WooCommerce server runs at a set interval, let's say every 24 hours. The script cycles through each order still in the WooCommerce database and pulls only the invoice number of each. The script then posts these invoice numbers as a list to a dedicated PasteBin page or something similar.
When customers place an order, the confirmation email that they receive should instruct them on what their invoice number is and where to access this page.
You want to pick a page outside of your server and ideally one outside of whatever jurisdiction the agency seizing your server is located, otherwise they will take that down as well. The page would be simple, something like this:
If your order invoice is listed below, your information is still in our servers. Invoice numbers can be found on the confirmation email you received when you placed your order. When your package has been delivered, your information will be deleted from our servers and your invoice number should be removed from this page within 24 hours:
In this way, if your servers are seized, your customers can know if their information was still in your database at the time of seizure and plan accordingly.
The benefit of using only invoice numbers is that customers cannot find information out about each other. This solution doesn't do much if attackers gain access to your server without shutting it down or alerting you to their presence.
In that case, they would be able to slowly gather information on your and your customers' behaviors. Again, choose your hosts with regard to jurisdiction and use strong passwords.
Conclusions and room for improvement
As I've said before, Mithril is not foolproof and is definitely not strong enough against dedicated, state-level actors. But it should hopefully provide a way to set up and run an online business that accepts Bitcoin and provides goods on the open internet despite social opposition, by making troll-level attacks too costly in terms of time and effort (sorry, that was wordy).
It does all of this in a way that does not require customers to learn to navigate onion addresses or other deep web technologies. This article is simply an announcement, please see the Github page for the most up to date version.
If you see issues with the framework presented here or know of ways to improve this framework, please open an issue and contribute. Known areas that need improvement are as follows:
1. Better ways of protecting customers from Blockchain surveillance when paying on chain
2. More pseudonymous ways of taking physical delivery of goods on both customer and business ends
3. Warning system to alert customers if your servers have been seized/accessed by outside forces but the website has not been taken down.
4. Ways of providing customer support if their order data has been deleted from your system.
5. Considerations for shipping and delivery for other carriers and other countries.
Thanks for reading. I look forward to your contribution on Github
Special thanks to ErgoBTC, Ragnar Lifthrasir and Clark Moody for their feedback on this project and article; the SamouraiWallet / OXT team, everyone at BTCPay, and the designers and producers at Deterence Dispensed (especially Railman) for their products; Matt Odell, Sarah Corvus, BeautyOn_ and a bunch of others I don't have space to mention for your inspiration and advise on Bitcoin, privacy and more.
Subscribe to get your daily round-up of top tech stories!