Why Celsius Exposed User Information And What You Can Do About It
Bankrupt Celsius exposed personal information of thousands of users amid its restructuring process. Here’s what happened and what you can do for protection.
This week, Celsius Network published a large document containing all the account balances of its customers.
The move is part of the company’s ongoing restructuring process following its Chapter 11 bankruptcy filing from earlier this year. The document reflects user balances as of July 13, 2022, when the company’s restructuring began, and customer transactions that happened in the 90 days preceding the Chapter 11 filing, per the company’s FAQ.
Unsurprisingly, the release of such detailed customer data, which includes balances, transactions and names, caused an uproar on Twitter. That information can not only shed light on each user’s financial information but also enable observers to analyze the blockchain and de-anonymize on-chain addresses, since the transaction amounts and date are detailed in the document.
Putting it all together, it becomes clear that users’ privacy got invaded and their security compromised. But don’t fret (yet); this article reviews why this happened and what can be done to mitigate some threats if you’re among the doxxed users.
Why Did Celsius Make This Document Public?
As mentioned previously, this document is part of Celsius’ restructuring process. Celsius was obliged to expose customer information as part of its restructuring process, given the necessary transparency demanded by U.S. law. While that usually applies only to the company’s assets, since Celsius held customer assets in custody they were affected as well.
According to a court document, Celsius submitted a request to cut back on the customer personally identifiable information (PII) being released though a redacting process before making it public. The lender submitted three arguments.
First, Celsius argued that such a large database of consumer information was too valuable for the company to be made public. Doing so would “significantly decrease the value of the customer list as an asset in any future potential asset sale,” the company claimed.
Second, Celsius put forward the argument that, were customers’ PII revealed, they could become targets of “identity theft, blackmail, harassment, stalking and doxing,” per the court document.
Finally, the cryptocurrency lender argued that since many of its customers reside in different jurisdictions all over the world, disclosing their PII could “expose [Celsius] to potential civil liability and significant financial penalties.” The document notes specifically the United Kingdom General Data Protection Regulation (U.K. GDPR) and the European Union’s GDPR.
The U.S. trustee, on the other hand, argued that Celsius “do not and cannot rely on any exceptions to the general rule that bankruptcy proceedings should be open, public and transparent” and have offered “nothing more than vague statements supporting their request” to redact the confidential information.
They also argued that the PII that Celsius sought to redact “is neither confidential nor commercial information.”
“The U.S. Trustee argues that [Celsius’] own privacy policies support the argument that customers’ information is not confidential because it allows customers names and contact information to be shared with third party ‘business partners’ and, therefore, is not confidential,” per the court document.
Additionally, the “U.S. Trustee contends that the information is not truly commercial in nature because the Debtors are not seeking to redact all creditors’ names and identifying information and are instead requesting that identifying information be redacted for only certain creditors, ‘but information with respect to another group will be fully disclosed because of where such creditors live.’”
On the international laws aspect, the U.S. trustee also reasoned that, under United States bankruptcy law, bankruptcy proceedings should be public, and those should prevail over the U.K. GDPR and EU GDPR.
Finally, and most shockingly, “the U.S. Trustee contends that [Celsius’] arguments that creditors might be subject to violence if their identities were revealed amounts to anecdotal evidence, which does not rise to the level of evidence necessary to overcome the presumption for open and public bankruptcy.”
In response, Celsius published another motion, seeking to implement a complete anonymization process to not reveal detailed user information. That went beyond the initial motion submitted, which requested the ability to redact home and email address of U.S. customers and name, home address and email address of U.K. and EU customers.
The court ruled against the majority of Celsius’ requests. It dismissed the differentiation between U.S. and U.K./EU customers based on the arguments above and allowed the company to only redact home and email addresses. It denied the anonymization motion completely.
Here’s What Doxxed Users Can Do
There are many options one can take if they find themselves exposed in the Celsius documents, but none of them will be able to erase the past. The closer one can get to that, in the event that the release of those data points has the potential to tangibly harm the person, they can legally change names as an (extreme) option of last resort. One could also move to a different address, but since the court authorized Celsius to redact home addresses, that might not be such a big issue to try and mitigate. It is worth noting, however, that unredacted versions of the filings are accessible to “the U.S. Trustee, and counsel to the Committee, and that any party in interest” that requests and is granted access; the case for moving homes can still be made.
Users can also take measures to mitigate some of the threats on the digital world. When it comes to the on-chain addresses that observers can de-anonymize by looking at the blockchain and the information disclosed in the document, good privacy-focused tools can come to the rescue.
The simpler alternative is to CoinJoin funds. Even though that won’t erase the user’s transaction history, if done correctly it will enable the user to enjoy good forward-looking privacy. This means that spending from that point on won’t be clearly spotted as a transaction coming from the doxxed user. (Similar to how the bank knows when you withdraw cash at an ATM but can’t get detailed information on what you spend it on afterwards.) The user can embark on other privacy tools, like PayJoins, that also break heuristics that bad actors use to infer information from on-chain data.
But perhaps the most important thing that users can do is take the low-time-preference approach and avoid using centralized services that harvest user data. Financial services companies worldwide, in cryptocurrency and beyond, need to comply with know-your-customer (KYC) and anti-money laundering (AML) rules. Though such laws are likely well-intentioned, their effectiveness is disputed and the downsides are clear –– as in this Celsius case.
In the information age, data is the most valuable commodity and, as such, companies that collect vast amounts of data become honeypots, effectively becoming targets of cyber attacks as hackers and others seek to monetize that information.
While world governments don’t realize this gigantic issue in the 21st century, users are incentivized to do what they can to take ownership of their data and claim back their privacy. As the status quo pushes people to share as much about their lives as possible, the right to privacy should not be seen as something law-abiding citizens don’t need but rather as the very right that enables all the other ones.