Private key management system Casa just revealed its privacy model in a blog post. Casa was founded with the goal of making it easy for non-technical crypto asset owners to be their own bank.
One of the biggest advantages of a cryptocurrency is that it allows anyone to “be their own bank”. As long as you keep your private keys secure, you can retain control of your funds. However, this isn’t easy for all users. Some people aren’t technical, for example, and others worry about losing all their funds because of a simple mistake – like throwing out a paper wallet. Casa wants to solve these problems.
“While we have no intention of providing custodial services to our users,” explains the blog post from Casa, “we do wish to provide financial software and services that help facilitate our users in their quest for financial sovereignty.”
Because of this approach, Casa claims that there will be some data that Casa users are required to share with third parties – including everyone from your ISP to your mobile phone manufacturer:
“…there will be some data that third parties such as Casa may know about your crypto activity. We keep as much of your data private as possible, but here is some detail on what third parties will see and your options for taking steps to strengthen your privacy if you so desire,” explains the blog post.
Being your own bank is advantageous. However, how private will Casa really be? Will Casa really allow anyone to safely and securely store cryptocurrencies? Will someone be able to track your crypto assets held in Casa’s private key management system? Casa happily answered all of these questions.
Which Companies Will Know About Your Crypto Funds?
If you use Casa’s private key management system, then you’re going to reveal certain information to certain third parties. The Casa blog post revealed complete information about which third parties will know about your crypto funds:
Members Of The App Ecosystem
The entity that owns the app store – like Apple or Google – will know that you have the Casa app installed. Your mobile phone service provider (your carrier) is also a member of the app ecosystem, and they will know you have the Casa app installed. All of these parties may collect statistics regarding your use of the app.
Casa, fortunately, has an easy solution:
“If you want the ultimate level of privacy, then you’d need to create a new AppleID / Google account that isn’t connected to your identity, buy a smart phone with cash and either buy a no-contract prepaid phone plan or limit yourself to only using the phone via wifi.”
Your internet service provider (ISP) will know that you are using Casa, although your ISP will be unable to determine what you’re doing with Casa. Traffic between your device and Casa is encrypted, but your ISP will be able to see requests you send to Casa’s servers.
Casa, again, has an easy solution:
“If you want to improve this aspect of your network privacy then you’ll want to use a VPN on your phone and other devices that you use to interface with Casa. This way your ISP only knows that you’re sending traffic to a VPN server. This isn’t perfect privacy though, because you’re still trusting a third party (the VPN service) to not spy on your activity. If you wanted to take it a step further then you’ll want to configure Tor clients on any device that you use to interface with Casa.”
Casa, to its credit, does not plan to log the IP addresses of clients who connect to its servers. However, a proxy or a service like Tor is a guaranteed way to avoid having your IP address end up in Casa’s logs. Casa also describes how they use Cloudflare, so it’s possible that your IP address will be logged by Cloudflare.
Crypto Asset Network Users
Blockchain observers – anyone who checks the bitcoin blockchain, for example – will be able to view certain details of your transactions. Someone can see that you’re spending from a 3-of-5 multisig wallet, for example. Network observers might also be able to determine that transactions are being broadcast from Casa’s nodes.
Casa’s team claims they could use Tor (or eventually Dandelion) to make it difficult for network observers to link a transaction with Casa.
Network Attackers That Compromise Casa’s Servers
Casa describes how an attacker that compromises Casa’s servers could obtain information about the company’s users. However, they wouldn’t be able to steal your funds.
Casa does store a name and an email address, but they welcome users to use a pseudonym. Casa also stores the extended public keys of users. With an extended public key, an attacker who compromised Casa’s network security could determine all your addresses and transactions, but they would be unable to spend your funds.
Casa users can choose to receive a hardware key management device mailed to their address – say, if you need to replace your hardware key management device. This means Casa may store shipping address information for some users. However, customers are free to use a PO box or choose the USPS “hold for pickup” option if they don’t want Casa to know their home address.
Real World Identity Information, Video And Audio Recording
One of the key selling features of Casa is the ability to recover your funds if you lose multiple sets of keys. However, in order to provide this service, Casa needs to have a way to verify the identity of the person making a recovery request.
To verify identity, Casa stores an audio & video session for its records. Casa’s support agents will use these records in the future to verify, via videoconferencing, that it is the real account owner trying to access the account.
Casa Is 100% Honest About The Privacy Of Its Services
It’s refreshing to see Casa take an honest approach to privacy. The company is fully upfront about how their service works, how private it actually is, and how you can enhance that privacy even further. The tradeoff of a service like Casa is that you’re giving up some basic privacy.
However, as we learned above, there are ways to limit the effects of those privacy concerns. Some people are also willing to accept a small privacy risk – like the risk of Casa’s servers getting hacked – for the peace of mind of having their funds accessible even when they lose all their private keys.