Coinbase Says It Never Shared 'Personally Identifiable' Customer Data

UPDATE (March 6, 23:47 UTC): This article has been updated with additional comments from Coinbase clarifying how the exchange shares data with third-party analytics firms.

———————

Coinbase is taking steps to clarify statements made in the wake of its controversial acquisition of blockchain analytics firm Neutrino, a startup subsequently linked to Hacking Team, a group that aided governments known for human rights abuses.

Specifically, Christine Sandler, Coinbase’s director of institutional sales, justified the Neutrino acquisition during an interview with Cheddar last Friday by saying the exchange’s previous analytics provider was "selling client data to outside sources." Coinbase now says Sandler misspoke.

A spokesperson told CoinDesk Tuesday that the exchange “never shared our customers’ personally identifiable information with any third-party blockchain analysis vendors.”

Although Coinbase declined to specify which former partner Sandler was referencing or what type of data was being commercialized in ways it objected to, it’s important to note that blockchain analytics companies sell aggregate wallet data (without names or identifying personal information) as their core proprietary product.

The standard norm across the industry is for analytics providers to collect anonymous transaction data and commercialize access to that information for customers seeking to investigate suspicious activity.

For example, Chainalysis co-founder Jonathan Levin explained to CoinDesk that firms often receive wallet and transaction information without names or other account information and use it to help customers across the ecosystem identify bad actors. He said they do not receive personal customer data and never sell data to external companies.

The competing analytics firm Elliptic confirmed in a blog post that it worked with Coinbase and wasn’t provided with “any personally identifiable information about their users.” It did provide other exchanges and clients with addresses and transactions associated with financial crimes, according to the blog post.

Although, the question of whether Coinbase would adopt a similar model, or look to other ways to monetize user data after its acquisition of Neutrino, was arguably ambiguous.

During an interview in February, Coinbase’s director of engineering and product, Varun Srinivasan, said the Neutrino team would continue serving external customers, turning other companies’ transaction data into a proprietary Coinbase offering.

A Coinbase spokesperson told CoinDesk on Tuesday that, as a part of its know-your-customer (KYC) and anti-money-laundering (AML) programs, the exchange will "continue to work with [blockchain analytics companies] that share our values," adding:

"While we will always do what’s necessary to remain compliant in the regions in which we operate, we will not share broad sets of transaction and address information with vendors if it is beyond their immediate scope of work."

The statements follow Coinbase CEO Brian Armstrong's blog post Monday in which he said that the company intends to “transition” out Neutrino employees associated with Hacking Team. However, at press time, this appears to have done little to quell user concerns.

Speaking to the widespread backlash over the news, former Coinbase user Eduardo Hernández, CEO of the investment startup Cryptico, told CoinDesk: “The lack of transparency is terrifying.”

User flight

While it's unclear how many users have left the exchange, Hernández is one out of five former Coinbase users who told CoinDesk they closed their account after the Neutrino acquisition.

He said Armstrong’s blog post lacked accountability since the post emphasized the Hacking Team co-founders have “no current affiliation” with the controversial software provider.

Another former Coinbase user, who goes by his Twitter handle @Lowbtc, told CoinDesk he is concerned about his personal data because Coinbase has a track record of allegedly failing to punish misbehaving employees, referring to an ongoing lawsuit in California that claims exchange employees engaged in insider trading.

Fortune

reported an internal investigation of the alleged insider trading at Coinbase concluded without any repercussions because two law firms contracted by the company found no wrongdoing took place.

Speaking to that broader context, @Lowbtc, who opened his Coinbase account in 2013 and closed it promptly after the Neutrino acquisition, said:

“On top of the ethical failure, I also consider this a massive security risk, letting those people have access to customer data. It's really frightening to think who has gained access to Coinbase customer data over the years.”

Image of Brian Armstrong via TechCrunch