If you haven’t had a good laugh at Chainalysis’ attempts to defend the use of its blockchain forensics software for law enforcement purposes in light of recent court proceedings, now may be the time.
After having to admit to the lack of scientific evidence for the accuracy of its software and the publication of an expert report describing the use of Chainalysis’ heuristics as “reckless”, Chainalysis finds itself trying to evade an audit of its software’s source code.
Chainalysis’ source code is requested by the defense in the case US vs. Sterlingov, an early Bitcoin adopter currently awaiting trial for the alleged operation of the custodial bitcoin mixer Bitcoin Fog, to reproduce the software’s findings in light of the lack of corroborating evidence.
Sterlingov’s defense defines access to Chainalysis’ source code as “critical to Mr. Sterlingov’s due process rights given the fact neither the Government nor Chainalysis is able to produce any evidence involving Chainalysis Reactor’s error rates, rate of false positives, or rate of false negatives. Nor can the Government or Chainalysis produce a single scientific peer-reviewed paper attesting to the accuracy of their software. Nor has any independent audit or model validation been performed on Chainalysis Reactor.”
“Moreover”, the notice continues, “the Defense’s expert witness Ciphertrace’s Jonelle Still’s expert report documents numerous issues with the Chainalysis Reactor software and concludes that it should not be used in a federal criminal trial.”
Chainalysis now argues that Bitcoin Core contributor Bryan Bishop, the expert witness produced by Sterlingov’s defense to audit Chainalysis’ source code, is “unqualified” for the job due to his lack of a computer science degree, stating that “he does not appear to be a reliable software engineer, let alone a reliable evaluator of software.” On the contrary, the Bitcoin developer community has found Bishop qualified and reliable enough to serve as one of two moderators of the bitcoin-dev mailinglist since 2015.
The bitcoin-dev mailing list is an email distribution list to discuss latest technological advancements in bitcoin protocol development and adjacent fields. Its participants include cryptographer and HashCash inventor Adam Back, cryptographer and ex-Bitcoin Core maintainer Pieter Wuille, as well as a range of well respected and prolific contributors in Bitcoin development.
The bitcoin-dev mailinglist is moderated based on a number of factors, all of which Bishop evaluates before approving posts to the list. These factors include speculation, non-technical concerns, and rehashing settled topics without new data.
Bishop’s own contributions to the list include the evaluation of signature schemes, the evaluation of multisig key signing operations performed via hardware wallets, and the evaluation of security concerns regarding block size increases and merge mining.
As a respected expert in the field, Bishop has participated in lengthy discussions on elliptic curve cryptography, ECDSA signature schemes, Schnorr signature schemes, BLS signature schemes, signature aggregation schemes, post-quantum cryptography, quantum mining, and scrypt password hashing.
As a Bitcoin Core contributor, Bishop has contributed to the ongoing development of vaults, which are mechanisms to improve the security of custody. This particular contribution has been named in Chainalysis’ response to installing Bishop as an expert witness, citing a notice on Bishop’s GitHub repository, which reads: “WARNING: This is not production-ready code. Do not use this on bitcoin mainnet or any other mainnet.”
While Chainalysis appears to claim that Bishop’s notice proves his inferiority as a software developer, the installment of security notices for experimental code is common practice among engineers. Chainalysis’ interpretation of the notice can only lead us to believe that the prosecution is actively attempting to mislead the court – or that they flat out don’t know how engineering works.
Highlighting Bishop’s role as CTO and co-founder of Wyoming based Custodia Bank as a critical fact, Chainalysis attempts to taint Bishop’s reputation of 20 years in software engineering by citing Custodia’s denied application as a member of the Federal Reserve System. This leads Chainalysis to argue that “Mr. Bishop has a massive incentive to abuse his access to Chainalysis in order to attempt to figure out why he could not in his previous efforts develop software to effectively mitigate money laundering and terrorism financing risks—what stopped his prior bank from getting a license to operate by the Federal Reserve.”
What Chainalysis fails to highlight is that the very letter of denial cited names the inefficiency of Chainalysis services to map funds to real-world identities as one of the reasons to deny Custodia’s application in light of AML concerns:
“While there are private companies that investigate transactions on crypto-asset blockchains solely based on public information, such as from the blockchain or social media, without customer identification information, the services are highly imperfect. Law enforcement and specialist blockchain analytics firms, like Chainalysis, can learn information about a wallet and its holder, including whether the wallet may be associated with illicit activity or other wallets identified as suspicious or sanctioned; however, it can be difficult, relying on blockchain analysis alone, to establish the real-world identity of the person with ownership or control of a wallet with available information at the time of the transaction. Even following an investigation, such information can be difficult to establish, particularly if blockchain obfuscation techniques are used.”
The attempted denouncing of Bishop as an expert witness fit to audit Chainalysis’ code based on his prior experience is particularly rich in the face of Chainalysis’ own experts being unable to tell bytes from bits; a fundamental of computer science taught as first lessons in undergrad engineering degrees.
In short, Chainalysis is worried that an audit of Chainalysis’ source code by the defendant, defense council, or the suggested expert would cause “irreparable harm to Chainalysis’ business.” We can only wonder why.