TITANIUM: Tools for the Investigation of Transactions in Underground Markets

Data Privacy Statement

This privacy statement solely concerns the data processing within the TITANIUM project. The privacy statement regarding processing of personal data due to the operation of the website can be found in the Imprint.

There are two versions of this Privacy Statement. The binding version on the left side contains all the important legal and technical details but may be more difficult to read. To ease readability we have added a non-binding version on the right side. This version is shortened, excludes legal terms where possible and is generally written in a simpler way.

Data Privacy Statement (Version: May 2018)

In order to research, develop, and validate novel data-driven techniques and solutions designed to support Law Enforcement Agencies (LEAs) the project consortium (hereinafter ‘TITANIUM’) needs to process personal and non-personal data from various sources. Aiming to design a set of services and forensic tools, which operate within a privacy and data protection environment, the project consortium puts special emphasis on carrying out the project research in compliance with data protection law. Particularly, we provide data subjects concerned by our research with information on our data processing pursuant to the transparency requirements laid down in Articles 12 ff. GDPR. Where data is obtained from data subjects directly, the project consortium provides them with the necessary information pursuant to Article 13 GDPR and obtains their informed consent previously. However, the project consortium primarily processes pseudonymous data from public sources. For the processing of such data that is not obtained from the data subjects, by this statement, the project consortium makes information on the data processing publicly available in accordance with Article 14 (5) (b) GDPR.

Data Privacy Statement (Version: May 2018) – Easy Language

We (the TITANIUM consortium) process personal data to research, develop, and validate novel data-driven techniques and solutions designed to support Law Enforcement Agencies (LEAs) investigating illicit activities in the darknet.
We put particular emphasis on privacy-awareness and legal compliance of the research and development. This includes the provision of information to the data subjects where necessary and possible. We mostly process publicly available and pseudonymous data. This means we are not able to identify the person behind this data without recourse to additional information.
Below are the contact details of the Data Protection Officer (DPO) and the project coordinator, as well as information and your specific rights relating to the processing of your personal data by TITANIUM.

1. Contact Details

Project Coordinator (Controller)

Dr. Ross King
Mail: project@titanium-project.eu
AIT Austrian Institute of Technology GmbH
Giefinggasse 4
1210 Vienna
Austria

Data Protection Officer (DPO)

Dr. Paulina Jo Pesch
Mail: dpo@titanium-project.eu
Karlsruhe Institute of Technology (KIT)
Center for Applied Legal Studies (ZAR)
Institute for Information and Business Law (IIWR – Boehm)
Vincenz-Prießnitz-Str. 3
76131 Karlsruhe
Germany

Personal data received through these channels will be processed as far as necessary to effectively handle your requests. This data will not be shared with others and deleted when it is no longer required to handle your requests. The rights described in section 5 also apply to this personal data.

1. Contact Details

Project Coordinator (Controller)

Dr. Ross King
Mail: project@titanium-project.eu
AIT Austrian Institute of Technology GmbH
Giefinggasse 4
1210 Vienna
Austria

Data Protection Officer (DPO)

Dr. Paulina Jo Pesch
Mail: dpo@titanium-project.eu
Karlsruhe Institute of Technology (KIT)
Center for Applied Legal Studies (ZAR)
Institute for Information and Business Law (IIWR – Boehm)
Vincenz-Prießnitz-Str. 3
76131 Karlsruhe
Germany

2. Joint controllers

The TITANIUM project connects 15 partners from various fields who jointly determine the purposes and means of processing within the project (joint-controllers). These partners can be split up into groups (2.1 – 2.4) with different tasks in the project. The specific tasks and goals are defined in an agreement between the European Union and the partners. You can find a short description of the tasks and the influence on the purposes and means of processing below.

2.1. Research organizations

Research organizations in TITANIUM cover a broad spectrum of activities in the project. Most partners research technological possibilities to meet the requirements of LEAs in their respective field of expertise. Others research the legal and ethical implications of the developed tools. All fields (tech, legal, ethics) are put into consideration when determining purposes and means of the processing.

Technology:

  • Austrian Institute of Technology GMBH, AT
  • Nederlandse Organisatie voor Toegepast Natuurwetenschappelijk Onderzoek TNO, NL
  • University College London, UK
  • University of Innsbruck, AT
  • Fundacion Centro de Tecnologias de Interaccion Visual y Comunicaciones Vicomtech, ES

Law & Ethics:

  • Karlsruhe Institute of Technology, GER
  • Trilateral Research Ltd., UK

2.2. Industrial partners

Industrial Partners in TITANIUM bring in practical knowledge as well as previously developed tools. These partners develop specific microservices in the TITANIUM tool-chain.
  • Coblue Cybersecurity BV, NL
  • Countercraft SL, ES
  • dence GmbH, GER

2.3. Law Enforcement Agencies (LEAs)

LEAs provide research organizations and industrial partners with important information on requirements for software which shall be used by LEAs. They do not carry out any investigation or development of tools within the project. Personal data is not shared with LEAs unless there is a legal obligation to do so.
  • Bundeskriminalamt (BKA), GER
  • National Bureau of Investigation (NBI), FIN
  • Bundesministerium für Inneres, AT (representing Austrian LEAs)
  • Ministerio del Interior - Policia Nacional, ES
  • The International Criminal Police Organization (INTERPOL), FR

2.5. Associated partners

Various associated partners also support TITANIUM, who are not actively involved in the project at this point. These partners offered their support (e.g. by answering specific questions) but do not determine the purposes of processing, and are hence no ‘joint controllers’ within the meaning of Article 26 GDPR. Whenever associated partners get involved in the determination of purposes and means of the processing, this statement will be updated accordingly.

2. Joint controllers

The TITANIUM project connects 15 partners from various fields who jointly determine the purposes and means of processing within the project (joint-controllers). These partners can be split up into groups with different tasks in the project. The specific tasks and goals are defined in an agreement between the European Union and the partners. You can find a short description of the tasks and the influence on the purposes and means of processing below.

3. Purposes of processing

TITANIUM researches, develops, and validates novel data-driven techniques and solutions designed to support LEAs charged with investigating criminal or terrorist activities involving virtual currencies and/or underground markets in the darknet. The expected result of TITANIUM is a set of services and forensic tools, which operate within a privacy and data protection environment that is configurable to local legal requirements. The TITANIUM tools will particularly support LEAs with tracing cryptocurrency transaction flows and utilizing public information related to darknet markets. The project consortium processes personal data, in order to:
  • Research trends in virtual currency and darknet market ecosystems,
  • develop tools that help LEAs to identify pseudonymous blockchain or darknet users involved in illicit actions, (Details: Section 8), and
  • assess potential risks of the TITANIUM tools to the protection of personal data, enabling the researchers to implement appropriate safeguards to mitigate such risks and technically enforce compliance with data protection law to the extent possible.

3. Purposes of processing

We research and develop, novel data-driven techniques designed to support LEAs charged with investigating criminal or terrorist activities involving virtual currencies and/or underground markets in the darknet. Therefore, we process (personal) data to understand underground transactions in the darknet and develop a set of investigative tools. Not all cryptocurrency transactions or actions in the darknet are of illicit nature. Therefore, we also develop and research possible safeguards in these tools to reduce the risks to fundamental rights of the users of such platforms and exclude them from the processing as far as possible.

4. Limitations to the provision of information and updates to this statement

Pursuant to Article 14 GDPR, where personal data have not been obtained from the data subject, the controller is generally obliged to provide the data subject with information such as the identity and the contact details of the controller and the data protection officer (DPO), and various details on the processing. The TITANIUM consortium provides this information within this statement.

Nonetheless, pursuant to Article 14 (5) (b) GDPR the extent to which information has to be provided can be limited where the provision proves impossible or would involve a disproportionate effort, in particular for processing for scientific purposes. As TITANIUM does not obtain data from the data subject and carries out scientific research, it falls under the scope of this article. TITANIUM only processes pseudonymous data and does not identify specific individuals. Identification (de-pseudonymization) of the data subjects would be necessary to provide specific individuals with information. De-pseudonymization is only possible by connecting pseudonymous data with further information, though. This information is not available to the consortium. Pursuant to Article 11 (1) GDPR the project consortium is not obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with the GDPR.
Due to the lack of further identifying data, the de-pseudonymization, and hence the individual provision of information would involve a disproportionate effort. Moreover, the connection with further data information Consequently, the project consortium is not obliged to directly provide data subjects with information on the processing of the data on its own accord. However, TITANIUM takes appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including the publication of information on the processing within this statement. Regarding this publication of information, it is inherent to research in the field of law enforcement that some information is subject to confidentiality. The exposure of detailed information in this data privacy statement is hence partially limited to avoid impairment of the projects pursued purposes. In addition to that, some of the information (e.g. technical details of the processing, specific sources) is classified information (EUCI). This information does not have to be provided pursuant to Article 14 (5) (d) GDPR in conjunction with Commission Decision (EU, Euratom) 2015/444 of 13 March 2015 and Commission Decision 2001/844 of 29 November 2001 on the security rules for protecting EU classified information.

Over the course of the project, this statement will be updated, in order to cover further data processing procedures not yet defined and carried out.

4. Limitations to the provision of information and updates to this statement

As we mainly research and develop tools for Law Enforcement Agencies (LEAs), unfortunately, a lot of information is confidential and cannot be shared with the public. Nevertheless, within these limitations we provide you with general information on the processing. If something changes over the course of the project, this privacy statement will be updated.

5. Data subjects’ rights and limitations

TITANIUM processes pseudonymous data from the sources stated below. Some sources may contain data, which makes the identification of individuals potentially possible (e.g. where user names match real names). The project consortium is not in a position to detect those matches or bits of information without additional data. Data subjects generally have the right to request access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability. These rights may be restricted under the conditions described below. However, any requests to the abovementioned points of contact will be carefully assessed on a case-by-case basis and replied to.
Pursuant to Article 11 (1) GDPR the project consortium is not obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with the GDPR. However, pursuant to Article 11 (2) GDPR where data subjects provide additional information in order to exercise their rights under Articles 15–22 GPDR, the TITANIUM consortium will handle the request compliant with technical and legal requirements. In this regard, the identity of the data subject, as well as the relation to the data referred to in the request has to be sufficiently verified.
The exertion of some of the data subjects’ rights (4.1 – 4.4) may be further restricted pursuant to Article 89 (2) in conjunction with the respective national legislation. The following rights are generally available to the data subjects.

5.1. Right to access (Article 15 GDPR)

The data subject has the right to obtain confirmation as to whether or not processing of personal data concerning them takes place in the TITANIUM project. If this is the case the data subject can request access to his/her data. Granting the right to access only occurs where the identification of the data subject is possible.

5.2. Right to rectification (Article 16 GDPR)

The data subject has the right to obtain the rectification of inaccurate personal data concerning them. The exercise of this right is only possible where the data subject can be identified and the inaccuracy of data is verified.

5.3. Restriction of processing (Article 18 GDPR)

The data subject has the right to obtain the restriction of processing, where
  • the accuracy of the personal data is contested;
  • the processing is unlawful, the data subject opposes the erasure of personal data and requests the restriction of processing instead;
  • the controller no longer needs the personal data, but they are required by the data subject for the establishment, exercise or defense of legal claims;
  • the data subject has objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject. (see 4.4.)
The exertion of this right may require provision of further information to allow identification of the data subject as described in section 4.

5.4. Right to object (Article 21 GDPR)

The legal basis for the processing of personal data in the TITANIUM project is Article 6 (1) (f). The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning them unless the TITANIUM consortium demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
The exertion of this right may requires provision of further information to allow identification of the data subject as described in section 4.

5.5. Right to erasure (’Right to be forgotten’) (Article 17 GDPR)

The data subject has the right to obtain erasure of personal data concerning them, if
  • the data subject objects to the processing pursuant to Article 21 (1) and there are no overriding legitimate grounds (see 4.4);
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
Pursuant to Article 17 (3) (d) GDPR the right to erasure may be restricted to the extent that the processing is necessary for scientific purposes and would render impossible or seriously impair the achievement of objectives of the processing. The TITANIUM consortium will assess the possibilities to erase personal data under the conditions stated in section 4.

5.6. Right to lodge a complaint with a supervisory authority (Article 77 GDPR)

The data subject has the right to lodge a complaint with a data protection supervisory authority in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.
A list of national supervisory authorities can be found here.

5. Your rights

Although there are some exceptions, you can generally exercise specific rights related to your personal data if you disagree with the processing of it. If you are concerned about your rights or how we process your data you can contact our Data Protection Officer (DPO@titanium-project.eu), so we can find a solution. Please keep in mind, that due to the specific goals/research purposes and setup of the project, some rights may be restricted. However, any requests to the abovementioned points of contact will be carefully assessed on a case-by-case basis and replied to.

5.1. Right to access (Article 15 GDPR)

You can ask us to provide you information if we process personal data related to you. If that is the case you have a right to access the data. As almost all data are pseudonymous, though, we may ask for further information from your side to verify your identity.

5.2. Right to rectification (Article 16 GDPR)

You have the right to request us to rectify any errors in your personal data to ensure its accuracy. As almost all data are pseudonymous, though, we may ask for further information from your side to verify your identity.

5.3. Restriction of processing (Article 18 GDPR)

You also have the right to restrict the processing of your personal data, in particular, if personal data is inaccurate, or the lawfulness of the processing is in question. As almost all data are pseudonymous, though, we may ask for further information from your side to verify your identity.

5.4. Right to object (Article 21 GDPR)

TITANIUM processes data in the public interest. Therefore, you have the right to object on grounds relating to your particular situation. We will assess if it is possible to not process your data. If this is the case, your data will be excluded from the processing. As almost all data are pseudonymous, though, we may ask for further information from your side to demonstrate you are affected and to verify your identity.

5.5. Right to erasure (’Right to be forgotten’) (Article 17)

If you successfully objected, the processing was unlawful or there is another legal obligation, you have the right to obtain erasure of your personal data. This right may be restricted if your data is necessary for the purposes of the processing. We will carefully assess if this is the case.

5.6. Right to lodge a complaint with a supervisory authority

You can also at any time lodge a complaint with the data protection supervisory authority of the country you live or work in or where you the alleged infringements of your rights took place. A list of national supervisory authorities can be found here.

6. Legal basis of the processing

The processing of personal data by the TITANIUM project is based on Article 6 (1) (f).

Article 6 (1) (f) GDPR allows processing where it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The common legitimate interest of all partners in TITANIUM goes along with the project goals and is to effectively participate in the project and development and research of novel data driven techniques to support LEAs in underground investigations. TITANIUM is jointly controlled by the partners (see Article 26 GDPR ‘Joint controllers’) and the individual interests beyond the overall goal may differ. For private businesses (e.g. Dence, Countercraft, CoBlue) the processing of data is a key element of their business model. Therefore, their legitimate interest within the TITANIUM project also extends to be able to run and strengthen these business models in particular by developing their technical capabilities through research. Research partners in TITANIUM (e.g. AIT, TNO, UIBK, UCL) have a legitimate interest to study, analyze and understand novel technologies such as cryptocurrencies or darkweb markets. While some of these partners solely focus on scientific research, others additionally pursue economic interests similar to the private companies mentioned above. Business interests are protected by Article 15 and Article 16 of the Charter of Fundamental Rights of the European Union. Scientific research is protected under Article 13 of Charter of Fundamental Rights of the European Union. Although some of the interests of the partners differ, they all pursue the goal to make underground investigations more effective through development and research of novel data driven techniques thereby helping making societies more secure and following legitimate interests.

The TITANIUM consortium conducted a data protection impact assessment, and is aware of the risks to fundamental rights and freedoms of the data subjects affected by the processing. These risks may result in interests contrary to the interests of the TITANIUM consortium. Those interests go along with the protection of personal data and the right to privacy protected under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. The TITANIUM carefully weighed these different interests. Putting into respect the public availability and pseudonymity of the data, the specific interest in development of privacy aware tools, as well as the implementation of high safeguards to protect the rights and freedoms of the data subjects in the project, these contrary interests do not outweigh the legitimate interests of the project partners described above.

In some countries processing in TITANIUM may be based on specific research clauses in national law. Where this is the case, the processing is based on Article 6 (1) (e) GDPR in conjunction with these specific research clauses. Where such clauses do not exist, the processing is based on Article 6 (1) (f) GDPR as described above.

6. Legal basis of the processing

The data processing in TITANIUM is therefore based on Article 6 (1) (f) GDPR. TITANIUM is a scientific research project. The main interest of the projects is to develop tools which will help LEAs to effectively police the darknet. This interest is complemented by business and scientific interests of the TITANIUM partners, all of which are legitimate interests. We carefully put into consideration contrary interests of the people concerned by our data processing (data subjects), in particular their rights to data protection and privacy. As a consequence, we implemented high safeguards to protect these interests and rights. TITANIUM does not share findings on potentially illicit activities with LEAs, unless there is a legal obligation to do so. If the purposes of the processing change over the course of the project, this statement will be updated accordingly.

7. Categories of personal data

TITANIUM processes the following categories of personal data:
  • Cryptocurrency transaction data from public blockchains
  • Network communication data sent over blockchain systems’ P2P networks insofar as technically necessary to run these systems
  • Data from darknet fora and markets
  • Data from clearweb fora and markets, stemming from top level domains like .ua, .ru., .net, .com, .au, or .org, for the purpose of correctly tuning the algorithms. Examples would be bitcointalk.org, developerweb.net, or computerforum.com.
  • Public data from cryptocurrency exchanges, including data on cross-currency transactions
  • Public address annotation information
  • Research databases: GWERN Darknet Market Archives
All databases/sources are publicly available and the specific processing procedures performed on them are subject to previous evaluation by the projects data protection officer.

7. Categories of personal data

TITANIUM processes the following categories of personal data:
  • Cryptocurrency transaction data from public blockchains
  • Network communication data sent over blockchain systems’ P2P networks insofar as technically necessary
  • Data from darknet fora and markets
  • Data from clearweb fora and markets, stemming from top level domains like .ua, .ru., .net, .com, .au, or .org, for the purpose of correctly tuning the algorithms.
  • Public data from cryptocurrency exchanges, including data on cross-currency transactions
  • Public address annotation information
  • Research databases: GWERN Darknet Market Archives
All sources are publicly available and the specific processing procedures performed on them are subject to prior evaluation by the project’s Data Protection Officer.

8. Processing details

TITANIUM focuses on the analysis of data from publicly available sources, (e.g. darknet platforms; permissionless blockchain ledgers; FIAT exchange rates). De-pseudonymization of this data is only possible by connecting it with further data/information (e.g. Names, addresses, phone numbers). This data is not available within the project. Pseudonymous personal data is obtained from (darknet) fora and markets and permissionless blockchain ledgers. Further information can be found below.

8.1. Tracing and analyzing cryptocurrency transactions and networks

In order to develop tools, that enable LEAs to trace and analyze cryptocurrency transactions, TITANIUM researchers participate in cryptocurrency systems by connecting to the respective P2P networks (e.g. Bitcoin, Ethereum, ZCash, Lightning).
This involves downloading the cryptocurrency’s blockchains including the full transaction history. The TITANIUM researchers index the transactions, making it possible to follow transaction flows. Also, heuristics for the clustering of cryptocurrency addresses that are likely to be owned by the same entity are used. Moreover, participating in cryptocurrencies’ P2P networks necessarily involves the processing of network communication data from P2P networks, such as other participants’ IP addresses. Additionally, TITANIUM researchers use cryptocurrency exchange information (e.g. from shapeshift.io), in order to research and analyze transaction flows and the traceability of transactions on individual and across multiple cryptocurrency systems.

8.2. Collecting information on darknet activities

TITANIUM collects information on darknet markets and fora, in order to analyze and understand the structure and contents of these sources. This provides a basis for the development of privacy-aware tools for the collection of data from these sources (e.g. Dream Market). Additionally, a small set of data from clear web fora and markets, for the purpose of correctly tuning the algorithms is processed (e.g. bitcointalk.org, developerweb.net, computerforum.com).

8.3. Annotation of cryptocurrency addresses

For the development and testing of the tools and techniques TITANIUM uses public annotation data (e. g. from blockchain.info, walletexplorer.com) which are used as metatags for addresses. Metatags are solely used for research purposes and will not be exchanged with LEAs as part of the project outcomes.

8. Processing details

TITANIUM focuses on the analysis of data from publicly available sources (e.g. darknet platforms; permissionless blockchain ledgers; FIAT exchange rates). These data are pseudonymous, which basically means that they do not contain your real name/identity. This data can – for example – contain usernames, addresses of cryptocurrencies (comparable to bank account numbers) or content which was posted in a forum. To identify individual persons behind this data further information (e.g. an address or a name) would be necessary, which is not available to us. The following sections give you an overview about the data processing in TITANIUM.

8.1. Tracing and analyzing cryptocurrency transactions and networks

We try to analyze and trace the flow of cryptocurrencies over various blockchains. We rely on publicly available data from the blockchains as well as on data from various service providers in this field (e.g. exchange services).

8.2. Collecting information on darknet activities

We process information from darknet (and partially from clearweb) markets and fora, to understand how they are functioning. This provides a basis for the development of privacy-aware and legally compliant tools for the collection of data from these sources.

8.3. Annotation of cryptocurrency addresses

For the development and testing of such tools, we also use public annotation data (e. g. from blockchain systems).

9. Recipients or categories of recipients of the personal data

The personal data may be shared between research partners/institutions involved in the project based on contractual agreements. Research Organizations and Industrial Partners will not share any personal data with LEA partners or external LEAs unless there is a legal obligation to do so.

9. Recipients or categories of recipients of the personal data

Personal data processed for research purposes is not shared with third parties, internal LEA partners or external LEAs, unless there is a legal obligation to do so. Personal data may be shared between research partners/institutions involved in the project.

10. Storage and retention

Personal data are not intended to be stored longer than necessary for the research purposes pursued by the TITANIUM project. At the end of the project in May 2020, it will be reassessed for each partner individually, if further storage is necessary and lawfully possible. In this regard, the differences between industrial partners, LEAs and research organizations have to be taken into account. In order to assess the necessity of further storage, data review takes place periodically over the course of the project. Unnecessary data will be anonymized or deleted.

10. Storage and retention

Personal data are not intended to be stored longer than necessary for the research purposes pursued by the TITANIUM project. With the end of the project in May 2020, it will be re-assessed for each partner individually, if further storage is necessary and lawfully possible. Moreover, data will be reviewed periodically over the course of the project to assess the necessity of ongoing storage. Data which are not necessary anymore will be anonymized or deleted.