You hear both "bitcoin is anonymous" and "all bitcoin transactions are public". What's going on? If I send 10 BTC (bitcoins) to wikileaks can people find out that I did it?

First there's network and IP tracking. If a computer under my control emits a transaction sending money to wikileaks I'm caught. This is like cash: it doesn't matter that cash is anonymous if you pay someone while standing in front of a security camera. So you'd need to set up tor or something similar to hide your connection by sending it through many intermediate computers. So I do that; are my bitcoin transfers anonymous?

Let's have some background on bitcoin. There are addresses and coins. Every address has some number of coins, and this is fully public knowledge. To move coins between addresses you create transactions. For example, in this transaction address A sent 194.62 BTC to two addresses, 191.2 BTC to B and 2.42 BTC to C. Address C then sent out everything it had as 189.2 BTC to D and 2 BTC to E. As you can see, transactions are also fully public knowledge. [1]

If each person had only one address then we would have very weak anonymity. Initially no one would know your address, but anyone you transacted with, sending to or receiving from, would have to know your address and then could look up all your past transactions. Which people have tried to do.

There is nothing stopping people from having multiple addresses, however. If every time I accept money I first create a new random address to receive it at, it is much harder to connect my transactions. Kind of like paying people by passing around pre-paid credit cards of various values, using them as cash-backed-tokens instead of swiping them in machines. Managing all these different addresses with different amounts of money is pain, but it's the sort of thing we can make software handle for us, even if we don't have it yet.

This is now pretty good, but my identity still is still vulnerable. Imagine wikileaks pays for webhosting in bitcoin, but the hosting provider gets raided by the government. The government discovers the list of addresses the webhost received wikileaks money on. While wikileaks was privacy aware and didn't keep any logs on who paid it, when the government traces the money back through the transaction history they eventually find a known address. Perhaps it's like:

  A  a hosting provider address
  B  a wikileaks address
  C  ? (secretly me)
  D  ?
  E  Company X

Then they subpoena the identity of D out Company X and discover that it's John Smith, a freelance web developer they hired. John reveals under threat that he paid C to play a contra dance [2] and that C is me. Now the government knows I gave money to wikileaks. If everyone involved in moving money around is careful and doesn't keep logs then you might be ok, but you don't want your anonymity to depend on others like this.

What would have made this chain harder to follow? What if it looked like:

  A  a hosting provider address
  B  a wikileaks address
  C  ? (secretly me)
  F  a bitcoin mixing organization

Here F is an organization that accepts coins from many places and sends them out to many places. Which input led to which output is the essential question for tracking movements, and by running transfers through in batches you can make that close to unanswerable. The idea is that anyone who wants to can send X BTC to a published mixing address along with an address at which they would like to receive the anonymized money. Many people do this, and then the mixer transfers X BTC to each of the provided output addresses. Everyone ends up with the same amount of money as they started with, but the money is now at an address that's only loosely connected to their original address.

Unfortunately, you have to trust the mixing service. They could run away with the money, or keep logs on whose address was whose. Perhaps the mixing service is actually run by the government? It turns out you can get around this with a complicated protocol and fancy math. Roughly, the idea is that a bunch of people who want to mix their money to increase anonymity set up a transaction that looks like:

  A  1 BTC       F  1 BTC
  B  1 BTC       G  1 BTC
  C  1 BTC  -->  H  1 BTC
  D  1 BTC       I  1 BTC
  E  1 BTC       J  1 BTC

Each of the five participants puts in 1 BTC and gets out 1 BTC, but no one knows whose is whose. So perhaps I'm both B and G while you're A and J. Even if I know that you're A, all I know about the output is that you're not G. There's tricky multi-party sorting math in making sure the output addresses are right without knowing whose are whose, but it's possible. No one has this set up yet, but we could see it soon.

So back to my earlier question: is it anonymous? Can I start sending money to wikileaks and rest assured that no one can track me? The answer is "yes", but only if I do all the right things:

• use tor
• generate a new address for every transaction
• use a mixing service I trust not to keep logs

If you're using bitcoin casually, you're probably not doing those things, in which case you're vulnerable to people tracking through logs and identifying you.

(I know very little about the law here, but if you're thinking of doing this you should talk to someone who does. The mixing step, and possibly other steps, might be money laundering or structuring.)

[1] As there are more and more transactions people might throw away old ones, as the protocol is designed to let you do this. To rely on this for anonymity, however, you need to know that no one is keeping a full history, which seems unlikely.

[2] Contraband is reputed to be the primary use of bitcoin.