Why Celsius exposed user information and what you can do about it

Celsius’ bankruptcy exposed the personal information of thousands of users during its restructuring process. Here’s what happened and what you can do to protect yourself.

This week, Celsius Network released a large document containing all of its customers’ account balances.

The move is part of the company’s ongoing restructuring process following its Chapter 11 bankruptcy filing earlier this year. According to the company’s FAQ, the document reflects user balances as of July 13, 2022, when the restructuring began, as well as customer transactions that took place in the 90 days prior to the Chapter 11 filing.

Unsurprisingly, the release of such detailed customer data, which includes balances, transactions and names, has caused an uproar on Twitter. The information not only reveals each user’s financial position, but also allows observers to analyze the blockchain and de-anonymize on-chain addresses, since the amounts and dates of transactions are detailed in the document.

Putting all of this together, it becomes clear that users’ privacy has been invaded and their security compromised. But don’t worry (yet); this article explains why this happened and what can be done to mitigate certain threats if you are one of the doxxed users.

Why did Celsius make this document public?

As mentioned earlier, this document is part of Celsius’ restructuring process. US bankruptcy law requires such proceedings to be transparent, so Celsius was forced to disclose customer information. While this requirement generally applies only to company assets, Celsius held customer assets, so those were affected as well.

According to a court document, Celsius submitted a request to limit the publication of customers’ personally identifiable information (PII) by redacting it before the filing was made public. The lender presented three arguments.

First, Celsius argued that such a large database of consumer information was too valuable for the company to make public. This would “significantly diminish the value of the customer list as an asset in any potential future asset sale,” the company claimed.

(Screenshot/Celsius Restructuring Court Document)

Second, Celsius argued that if customers’ PII were exposed, they could become the target of “spoofing, blackmailing, bullying, stalking and doxing,” according to the court document.

(Screenshot/Celsius Restructuring Court Document)

Finally, the cryptocurrency lender argued that since many of its customers reside in different jurisdictions around the world, disclosing their PII could “expose [Celsius] to potential civil liability and significant financial penalties.” The document specifically mentions the UK General Data Protection Regulation (UK GDPR) and the European Union GDPR.

The US trustee, on the other hand, argued that Celsius “does not and cannot invoke any exception to the general rule that bankruptcy proceedings must be open, public and transparent” and offered “nothing more than vague statements in support of its claim” to redact confidential information.

They also argued that the PII that Celsius sought to redact “is neither confidential nor commercial information.”

“The US Trustee contends that [Celsius’] own privacy policies support the argument that customer information is not confidential because it allows customers’ names and contact details to be shared with third-party “business partners” and, therefore, is not confidential,” according to the court document.

Further, “the US trustee argues that the information is not truly commercial in nature because debtors are not seeking to remove all names and identifying information from creditors and are instead requesting that identifying information be removed only for certain creditors, but information pertaining to another group will be fully disclosed due to the residency of such creditors.”

In terms of international law, the US trustee also took the view that under US bankruptcy law, bankruptcy proceedings should be public and should take precedence over the UK GDPR and EU GDPR.

Finally, and most shockingly, “the US trustee maintains that [Celsius’] arguments that creditors could be subject to violence if their identity were revealed constitute anecdotal evidence, which does not reach the level of proof necessary to rebut the presumption of open and public bankruptcy.”

In response, Celsius filed another motion, seeking to implement a comprehensive anonymization process that would not reveal detailed user information. This went beyond the original request, which had sought only to redact the home address and email address of US customers and the name, home address and email address of UK and EU customers.

The court dismissed the majority of Celsius’ claims. It rejected the differentiation between US and UK/EU customers based on the above arguments and allowed the company to redact only home and email addresses. It denied the anonymization request entirely.

Court decision. (Screenshot/Celsius Restructuring Court Document)

Here’s what doxxed users can do

There are many options for someone who finds themselves exposed in the Celsius documents, but none of them can erase the past. The closest anyone can come, if the release of these data points could tangibly harm them, is to legally change their name as an (extreme) last resort. One could also move to a different address, but since the court allowed Celsius to redact home addresses, that may not be worth the trouble. It should be noted, however, that unredacted versions of the filings are available to the “US Trustee and Committee Counsel, and any interested party” who requests and is granted access, so a case for moving can still be made.

Users can also take steps to mitigate some of the threats in the digital world. When it comes to on-chain addresses that observers can de-anonymize by combining the blockchain with the information disclosed in the document, good privacy-focused tools can come to the rescue.

The simplest option is to CoinJoin funds. While this will not erase the user’s transaction history, if done correctly it gives the user good forward-looking privacy: spending from then on will not be clearly identifiable as originating from the doxxed user. (This is similar to how a bank knows when you withdraw cash from an ATM but cannot see what you spend it on afterwards.) Users can also look into other privacy tools, like PayJoin, which also break the heuristics that bad actors use to infer information from chain data.
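To see why CoinJoin gives forward-looking privacy only “if done correctly”, here is an added example (written for this article, not code from Celsius or from any wallet) that models an observer who sees only transaction values and brute-forces which inputs could plausibly have funded each output. The transaction values are constructed; the model simplifies real chain analysis to a single conservation rule and ignores address reuse and timing.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Tx:
    """Observer's view of a transaction: values are visible, ownership is not."""
    inputs: tuple[int, ...]   # input values in satoshis, one per participant
    outputs: tuple[int, ...]  # output values in satoshis


def candidate_owners(tx: Tx) -> list[set[int]]:
    """For every output, the set of inputs that could have funded it.

    Simplified model (an assumption of this example): an assignment of outputs to
    inputs is plausible when no input pays for more than its own value; whatever
    is left over is the miner fee. Brute force is fine for a handful of participants.
    """
    n, m = len(tx.inputs), len(tx.outputs)
    owners: list[set[int]] = [set() for _ in range(m)]
    for assignment in product(range(n), repeat=m):
        spent = [0] * n
        for out_idx, in_idx in enumerate(assignment):
            spent[in_idx] += tx.outputs[out_idx]
        if all(spent[i] <= tx.inputs[i] for i in range(n)):
            for out_idx, in_idx in enumerate(assignment):
                owners[out_idx].add(in_idx)
    return owners


def anonymity_sets(tx: Tx) -> list[int]:
    """Size of each output's candidate-owner set; 1 means the output is fully linkable."""
    return [len(s) for s in candidate_owners(tx)]


# Constructed example 1: a doxxed user spends alone. Both the payment and the change
# trace back to the single input, so the whole spend is attributable to them.
PLAIN_SPEND = Tx(inputs=(150_000,), outputs=(100_000, 49_000))

# Constructed example 2: the same user joins two others in a CoinJoin with a common
# 100_000 sat denomination. Each participant also takes back an unequal change output.
COINJOIN = Tx(inputs=(150_000, 130_000, 110_000),
              outputs=(100_000, 100_000, 100_000, 49_000, 29_000, 9_000))

if __name__ == "__main__":
    print("plain spend:", anonymity_sets(PLAIN_SPEND))  # [1, 1]
    print("coinjoin   :", anonymity_sets(COINJOIN))     # [3, 3, 3, 1, 1, 1]
```

The equal-denomination outputs are indistinguishable across all three participants, but the unequal change outputs remain linkable to exactly one input, which is why careful CoinJoin practice treats such change as still tied to the user's identity.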

But perhaps the most important thing users can do is take the low time preference approach and avoid using centralized services that collect user data. Financial services companies around the world, in cryptocurrency and beyond, must comply with know-your-customer (KYC) and anti-money laundering (AML) rules. While such laws are likely well-intentioned, their effectiveness is disputed and the downsides are clear, as the Celsius case shows.

In the information age, data is the most valuable commodity and as such, companies that collect large amounts of data become honeypots, becoming the target of cyberattacks as hackers and others seek to monetize this information.

While governments around the world fail to realize this gigantic problem in the 21st century, users are driven to do what they can to take ownership of their data and reclaim their privacy. As the status quo pushes people to share their lives as much as possible, the right to privacy should not be seen as something that law-abiding citizens do not need, but rather as the very right that allows all others.

The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.