Finally, the cryptocurrency lender argued that since many of its customers reside in different jurisdictions all over the world, disclosing their PII could “expose [Celsius] to potential civil liability and significant financial penalties.” The document notes specifically the United Kingdom General Data Protection Regulation (U.K. GDPR) and the European Union’s GDPR.
The U.S. trustee, on the other hand, argued that Celsius “do not and cannot rely on any exceptions to the general rule that bankruptcy proceedings should be open, public and transparent” and have offered “nothing more than vague statements supporting their request” to redact the confidential information.
They also argued that the PII that Celsius sought to redact “is neither confidential nor commercial information.”
“The U.S. Trustee argues that [Celsius’] own privacy policies support the argument that customers’ information is not confidential because it allows customers names and contact information to be shared with third party ‘business partners’ and, therefore, is not confidential,” per the court document.
Additionally, the “U.S. Trustee contends that the information is not truly commercial in nature because the Debtors are not seeking to redact all creditors’ names and identifying information and are instead requesting that identifying information be redacted for only certain creditors, ‘but information with respect to another group will be fully disclosed because of where such creditors live.’”
On the international laws aspect, the U.S. trustee also reasoned that, under United States bankruptcy law, bankruptcy proceedings should be public, and those should prevail over the U.K. GDPR and EU GDPR.
Finally, and most shockingly, “the U.S. Trustee contends that [Celsius’] arguments that creditors might be subject to violence if their identities were revealed amounts to anecdotal evidence, which does not rise to the level of evidence necessary to overcome the presumption for open and public bankruptcy.”
In response, Celsius published another motion, seeking to implement a complete anonymization process to not reveal detailed user information. That went beyond the initial motion submitted, which requested the ability to redact home and email address of U.S. customers and name, home address and email address of U.K. and EU customers.
The court ruled against the majority of Celsius’ requests. It dismissed the differentiation between U.S. and U.K./EU customers based on the arguments above and allowed the company to only redact home and email addresses. It denied the anonymization motion completely.
Court’s decision. (Screenshot/Celsius restructuring court document)
Here’s What Doxxed Users Can Do
There are many options one can take if they find themselves exposed in the Celsius documents, but none of them will be able to erase the past. The closer one can get to that, in the event that the release of those data points has the potential to tangibly harm the person, they can legally change names as an (extreme) option of last resort. One could also move to a different address, but since the court authorized Celsius to redact home addresses, that might not be such a big issue to try and mitigate. It is worth noting, however, that unredacted versions of the filings are accessible to “the U.S. Trustee, and counsel to the Committee, and that any party in interest” that requests and is granted access; the case for moving homes can still be made.
Users can also take measures to mitigate some of the threats on the digital world. When it comes to the on-chain addresses that observers can de-anonymize by looking at the blockchain and the information disclosed in the document, good privacy-focused tools can come to the rescue.
The simpler alternative is to CoinJoin funds. Even though that won’t erase the user’s transaction history, if done correctly it will enable the user to enjoy good forward-looking privacy. This means that spending from that point on won’t be clearly spotted as a transaction coming from the doxxed user. (Similar to how the bank knows when you withdraw cash at an ATM but can’t get detailed information on what you spend it on afterwards.) The user can embark on other privacy tools, like PayJoins , that also break heuristics that bad actors use to infer information from on-chain data .
But perhaps the most important thing that users can do is take the low-time-preference approach and avoid using centralized services that harvest user data. Financial services companies worldwide, in cryptocurrency and beyond, need to comply with know-your-customer (KYC) and anti-money laundering (AML) rules. Though such laws are likely well-intentioned, their effectiveness is disputed and the downsides are clear –– as in this Celsius case.
In the information age, data is the most valuable commodity and, as such, companies that collect vast amounts of data become honeypots, effectively becoming targets of cyber attacks as hackers and others seek to monetize that information.
While world governments don’t realize this gigantic issue in the 21st century, users are incentivized to do what they can to take ownership of their data and claim back their privacy. As the status quo pushes people to share as much about their lives as possible, the right to privacy should not be seen as something law-abiding citizens don’t need but rather as the very right that enables all the other ones.
