One of the most important aspects of cryptocurrencies from a civil liberties perspective is that they can provide privacy protections for their users. But EFF is concerned that the U.S. government has been increasingly taking steps to undermine the anonymity of cryptocurrency transactions and importing the widespread financial surveillance of the traditional banking system to cryptocurrencies.
On Friday, the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) announced a proposed regulation that would require money service businesses (which include, for example, cryptocurrency exchanges) to collect identity data about people who transact with their customers using self-hosted cryptocurrency wallets or foreign exchanges. The proposed regulation would require them to keep that data and turn it over to the government in some circumstances (such as when the dollar amount of transactions in a day exceeds a certain threshold).
The proposal appears designed to be a midnight regulation pushed through before the end of the current presidential administration, as its 15-day comment period is unusually short and coincides with the winter holiday. The regulation’s authors write that this abbreviated comment period is required to deal with the “threats to United States national interests” posed by these technologies, but they provide no factual basis for this claim.
Although EFF is still reviewing the proposal, we have several initial concerns. First, the regulation would mean that people who store cryptocurrency in their own wallets (rather than using a professional service) would effectively be unable to transact anonymously with people who store their cryptocurrency with a money service business. The regulation will likely chill the ability to use self-hosted wallets to transact with the privacy of cash.
Second, for some cryptocurrencies like Bitcoin, transaction data—including users’ Bitcoin addresses—is permanently recorded on a public blockchain. That means that if you know the name of the user associated with a particular Bitcoin address, you can glean information about all of their Bitcoin transactions that use that address. Thus, the proposed regulation’s requirement that money service businesses collect identifying information associated with wallet addresses means that the government may have access to a massive amount of data beyond just what the regulation purports to cover.
Third, the regulation could hamper broader adoption of self-hosted wallets and technologies that rely on them, or at least make it difficult to integrate these technologies with intermediaries like exchanges. The regulations make it significantly more difficult for self-hosted wallet users to seamlessly interact with other users who have wallets provided by a service subject to the regulations. Under the proposed rules, these hosted wallet services would have to collect certain information about self-hosted wallet users who transact with their customers in some circumstances. That may complicate certain automated transactions, such as smart contracts, or be difficult to implement in scenarios involving decentralized exchanges. Despite the name, “wallets” are not just personal stores of currency: they are a way for individuals and computing systems to hold and dispense money without relying on institutions. Adding friction to these types of transactions undermines the technology’s importance in giving individuals control over their finances. It could also chill the ability of innovators to create decentralized financial platforms with a wide range of lawful uses.
Fourth, although the proposed rules purport to simply apply pre-existing regulations involving cash transactions to cryptocurrencies, they ignore that these digital financial tools exist in part to afford financial privacy and anonymity equal to and perhaps beyond that of traditional cash. In this respect, the proposed regulations are part of a larger troubling trend of the U.S. government extending the financial surveillance of the traditional banking system to cryptocurrencies. This proposal comes just two months after the Department of Justice published its Cryptocurrency Enforcement Framework, which made it abundantly clear that the DOJ wants to undermine the ability of cryptocurrency users to transact anonymously.
The Framework says, and this regulation repeats, that merely using privacy coins like Zcash and Monero is “indicative of possible criminal conduct.” The Framework also says that people operating mixers and tumblers, which make cryptocurrency transactions harder to trace, can be criminally liable for money laundering. Financial regulators, much like the NSA, apparently suspect that anyone attempting to protect their financial privacy is doing something illegal.
That Framework also targeted decentralized exchanges. Decentralized exchanges are typically open-source software allowing people to exchange cryptocurrency directly with each other, with no other party involved. The DOJ said that those projects have to register with FinCEN and have to “collect and maintain customer and transactional data” or else be subject to civil and criminal penalties.
Other concerning developments this year include the 5th Circuit’s decision that law enforcement does not need to get a warrant in order to obtain financial transaction data from cryptocurrency exchanges, and FinCEN’s proposal to lower the threshold at which institutions must collect and store transaction data from $3,000 to $250 (in cryptocurrency or fiat currency) to satisfy “Travel Rule” obligations.
These developments are an assault on the ability to transact privately online and an attempt to extend the widespread financial surveillance of the traditional banking system to cryptocurrency. Financial records contain a trove of sensitive information about people’s personal lives, beliefs, and affiliations. Nonetheless, courts and lawmakers have allowed widespread warrantless financial surveillance in the traditional banking system. The Bank Secrecy Act requires banks to maintain financial records because of their usefulness in investigations, and in 1976, the Supreme Court (in U.S. v. Miller) allowed the government to obtain bank customers’ data without a warrant. EFF is concerned about the U.S. government’s attempts to expand this surveillance to encompass cryptocurrency transactions.
Cryptocurrency is important for civil liberties because—like cash—it allows for anonymous transactions. Photos from the Hong Kong protests showed long lines at subway stations as protestors waited to purchase tickets with cash so that their electronic purchases would not place them at the scene of the protest. These photos underscore that a cashless society is a surveillance society—and the importance of importing the anonymity of cash to the digital world.
Cryptocurrency is also important because it is censorship resistant. Many traditional financial intermediaries have engaged in arbitrary financial censorship, cutting off access to financial institutions for adult social networks, adult booksellers, and controversial websites, even when these services have not violated the law.
U.S. regulators’ recent actions, including this new proposed rulemaking, threaten to undermine the privacy and civil liberties protections afforded by peer-to-peer technologies. The rulemaking requests comments from the public by January 4, 2021. EFF hopes that the civil liberties community and individuals who want to protect their financial privacy will submit comments opposing this proposed rule, despite—indeed, partly because of—its abrupt deadline.