Most people picture blockchain surveillance as something exotic: machine-learning models trained on transaction graphs, intelligence agencies with classified capabilities, billion-dollar compliance firms running tooling you cannot replicate at home. The reality is more mundane. The single most productive heuristic in the entire field was described in the original Bitcoin paper and is trivial to reproduce against a full node in a weekend. It is called the common-input-ownership heuristic, and if you have ever spent bitcoin the default way, it has very likely already done its job on your wallet.
The heuristic follows from one protocol fact. A Bitcoin transaction does not carry a message saying "Alice sent Bob ten." It is a reorganization of UTXOs in which the sender's wallet selects inputs whose combined value equals or exceeds the amount being sent, signs them, and produces a new set of outputs, usually one to the recipient and one back to the sender as change. Every input signature must come from keys controlled by the same entity, because nothing else produces a valid transaction. That single assumption, that any transaction consuming multiple inputs reveals those inputs as commonly owned, collapses the anonymity set for billions of dollars in history into a contiguous ownership graph covering a large fraction of all circulating coin.
The change-address side is just as damaging. When a wallet produces two outputs, surveillance software does not have to be right every time; only more often than not, across millions of transactions. Round-number heuristics, script-type matching between inputs and one of the outputs, address-reuse patterns, and the deterministic change-position behavior of specific wallet software are each individually weak. In aggregate they produce labels that hold up in practice, even where they would fail as formal proofs.
CoinJoin and PayJoin, in technical terms, break the common-input-ownership assumption. A CoinJoin transaction has inputs from multiple independent wallets, each signing only its own contributions, structured so that clustering cannot distinguish whose output went where. PayJoin goes further by making the receiver contribute an input, so that even a single-user payment looks multi-party. Both are available in open-source wallets today. Neither is used by the median holder.
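The clustering step described above, as an added example that is not from the original article: a union-find pass that merges every address appearing together as inputs, run over constructed transactions. The address names, txids and the simplified format (addresses listed directly instead of previous outpoints) are assumptions; the last transaction is a constructed CoinJoin-style spend, which makes the heuristic wrongly merge three separate wallets.

```python
from collections import defaultdict

# Constructed sample data: each transaction lists the addresses funding its
# inputs. Address names and txids are made up for illustration.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["A1", "A2"]},  # ordinary spend, two inputs
    {"txid": "tx2", "inputs": ["A2", "A3"]},  # A2 reused, so A3 joins the cluster
    {"txid": "tx3", "inputs": ["B1"]},        # single input: links nothing
    {"txid": "tx4", "inputs": ["C1", "C2"]},  # a different wallet
]
# Constructed CoinJoin-style transaction: inputs signed by three separate wallets.
COINJOIN_TX = {"txid": "tx5", "inputs": ["A1", "B1", "C1"]}


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_common_input(txs):
    """Merge all input addresses of each transaction into one assumed owner."""
    uf = UnionFind()
    for tx in txs:
        first = tx["inputs"][0]
        uf.find(first)  # register single-input addresses too
        for addr in tx["inputs"][1:]:
            uf.union(first, addr)
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    print(cluster_by_common_input(SAMPLE_TXS))
    # Adding the CoinJoin collapses three unrelated wallets into one cluster.
    print(cluster_by_common_input(SAMPLE_TXS + [COINJOIN_TX]))
```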
This matters because chain analysis is admitted as evidence in forfeiture and criminal proceedings with essentially no serious challenge to its methodology. Courts treat clustering output as if it were measurement rather than inference. The interesting question is not whether legal rights should backstop privacy after the fact. It is whether a protocol default that leaks ownership information by construction should be treated as the end of the design road or as a first draft. Silent payments, covenants enabling non-custodial pooled UTXOs, and similar proposals move in the right direction. None of them changes the base layer today. Until they do, the common-input-ownership heuristic is not an attack on Bitcoin. It is Bitcoin, working as specified.
I always assumed chain analysis was super advanced stuff, but this makes it sound almost obvious. Kinda scary how much can be inferred from simple patterns.