In a disturbing sequence of events, Bittrex chose to quickly silence a user in their Slack channel who tried to share a privacy policy concern. The Bittrex user was attempting to withdraw his funds in a routine manner when he was denied access to his money due to a policy the user was not yet made aware of that involved a third party identity verification service called Jumio.

In a wise show of due diligence, the Bittrex user did some research and read the privacy policy on the Jumio website. An interesting note, at the time of writing, there is a distinctly unsettling sentence in Jumio’s Policy that says

“This Privacy Policy (“Policy”) describes our privacy practices concerning information collected in connection with Jumio’s payment, verification, and related online services, including Fastfill, Netswipe, and Netverify (the “Services”). A separate policy, available here , describes our privacy practices in connection with our online website, located at www.jumio.com”

In the above text, quoted verbatim from the privacy policy page at Jumio’s website, the word “here” is underlined, and its context combined with the underlined text choice implies a hyperlink should be attached to the word, but the word does not contain any link at all. Is it a decoy, or just a minor mistake? Perhaps it is just a coincidence, and maybe “here” refers to the page itself. In any of these possible explanations, it shows that they are either trying to mislead us or that they didn’t think it through. If they didn’t think it through, I would wonder why, then, did the person who typed it deliberately select only the one word “here” and then decide to underline it? It looks like redundancy at best and the result no matter the intention is certain misdirection.

A mere sentence later in the Jumio policy they explain that they are not in control of your personal data and that they only use your data as ordered to by the controller of the data, in this case, that is Bittrex. To make it utterly confusing they then add to the baffle with the following contradictory statement.

“Notwithstanding the above, Jumio may process certain individual users’ information in pseudonymized or anonymized form for its own purposes, thereby acting as a controller in this limited regard.”

Is your head spinning yet? After going back and forth from one policy to another it starts to become cumbersome and overwhelming at the same time. This is why instead of reading the terms of use and privacy policy of the sites we visit we all tend to click the little box that lets us in yet, that little box signifies an agreement that is binding.

After reading the self-contradicting Jumio privacy policy I took a moment to compare it with the Bittrex Privacy Policy which is hard to find, and when explaining how your private data is used the policy has many vague, blanket statements that end with phrases like “…To Carry out any other purpose for which the information was collected.“.

Between the two policy pages, we learn that

1.Jumio does what Bittrex tells it to.

2. Jumio does what it wants, sometimes.

3.Bittrex and Jumio both are essentially acting as a broker for your private data which is shared with third parties- from whom they collect funds for their advertisements and integrations on the Bittrex site.

It means they are your data-pimps, if, in fact, you are a verified user. Even if you have been comfortable for a while, and have not been asked to verify- just watch and wait because it is coming.

The user who brought this to attention was a regular user, with multiple withdrawals in his past. Now he is being denied unless he verifies his identity through the third-party service. Naturally, concerned, this user (who happens to be a well known ‘Investigative Journalist’) wanted to understand why he was being forced to agree to all this before accessing his own money. He went into the Bittrex Slack channel a pasted a sentence from the privacy policy and within two minutes he was banned from that chat room, as the image in this post shows.

It is outrageous that they make users vulnerable to such vague and exploitable privacy practices but it goes up a few notches on the red flag list when they stamp out the voice of a user because of his quotation of their own policy. Why so hush-hush?

They would be wise to let people have their money, and if they are required by law to act in this manner then they need to prove it in writing to the individuals that are being forced to send selfies to a vendor who is likely selling data.

This would not be the first time that Bittrex comes up in social media with shady practice alerts and scam accusations. In fact, one user of the bitcointalk.org forum started a thread labeled “Bittrex serves great tacos” which shows the address that is supposed to be where Bittrex is located only…the address advertised leads to a taco shop in Las Vegas Nevada. Que Paso?

If this leaves an unsettling cloud looming over your affection for Bittrex, perhaps a different option should be considered such as Kraken or Bitstamp.

Do yourself a favor and know what you are agreeing to by reading the terms of use and privacy policy.

Good luck.

*This is not advice, please make informed decisions based on your own assessment.