Beware the BitLicense: New York’s Virtual Currency Regulations Invade Privacy and Hamper Innovation
With assistance from Marcia Hofmann
What if you picked up a cup of coffee on your way to work and paid $2.00 in cash, only to have the man behind the counter request your home address?
"My home address?" you might ask.
"Yes," he might reply, "And your full legal name. I’m keeping it in a file for the next 10 years, just in case the government wants it."
The State of New York has proposed BitLicense, a sprawling regulatory framework that would mandate licenses for a wide range of companies that intersect with digital currencies. The proposal creates expensive and vague new obligations for start-ups and infringes on the privacy rights of both Bitcoin businesses and casual users.
Right now NY DFS is accepting comments from the public about its proposal. Whether you are a startup, a student, an engineer, or just an Internet user with a passion for individual rights, please submit a comment. Click here to get started, or read on to find out what’s wrong with the regulatory framework.
Even if You Don’t Need A BitLicense, This Affects You
People affected by this proposal fall into two broad categories: those who must obtain a BitLicense and those who may be affected, but don’t need to obtain a BitLicense.
So, who will need a license? It’s not as clear as one would hope. The regulations seem to require BitLicenses from anyone who converts digital currency, transmits digital currency, stores digital currency, secures digital currency, or "receives digital currency for transmission" "involving" New York or a resident of New York.1 (There are some specific exceptions.)
Who might this include? Anyone who makes virtual currency wallets, exchanges, or storage tools, as well as people innovating new types of digital currency. The regulations are worded vaguely enough that they may even sweep up innovators building Bitcoin-related businesses that aren’t financial services. Basically, this implicates developers, entrepreneurs, middlemen, and other providers of services related to virtual currency. There are no carve-outs for academics or security researchers.
Then there is everyone else who might be affected by this. The NY DFS states that “the license is not required for merchants or consumers that utilize Virtual Currency solely for the purchase or sale of goods or services.” However, as written, the proposal would require companies with with licenses to keep records about transactions of everyone who uses their services, so the privacy of individual Bitcoin users would be affected. Think back to the coffee shop at the beginning of this article. If this coffee shop were using a Bitcoin payment provider to process transactions, that payment provider would need to obtain a BitLicense from New York. While the coffee shop and its customers would not need to get a license, every digital transaction processed by the payment provider would have to follow the BitLicense record-keeping requirements. We elaborate on these mandates below, but among other things they require licensees to keep 10 years of records about all transactions, including identity information about all parties to a transaction.
There is also vagueness in the language of the proposal about whether P2P node operators and miners of digital currencies might need a BitLicense2, and whether there are circumstances in which users hosting their own wallets and transmitting coins directly to other users might fall under the regulations.
Financial Privacy Under Threat
One of the benefits of Bitcoin and similar digital currencies is that they offer the potential for private financial transactions. Of course, not all Bitcoin transactions are private in nature; in fact, the public block chain has a level of transparency closer to a public stock exchange than a private bank account. However, there are already technical measures that can be taken to mask one’s real identity when using Bitcoin, and future innovations in digital currency could continue to preserve privacy.
We can think of a hundred reasons why someone may prefer privacy in her financial transactions. Consider an NSA employee who wants to donate money to EFF, a teenager who wants to buy contraceptives for the first time, or a grassroots political organization raising money for the legal defense of a political prisoner. In each case as well as countless others, there are legitimate reasons why someone may want to spend money without having that fact linked to his or her identity for a decade.
Bank cards and websites where you can donate money or make purchases almost always come with terms of service, many of which may have onerous provisions that limit certain types of transactions to those the middle man considers acceptable. Websites and payment providers can make arbitrary decisions to shut down speech that is controversial even when it’s legal. We saw an example of this when Mastercard, Paypal, and Visa blockaded payments to WikiLeaks, a website publishing classified documents that had not been charged with a crime.
Bitcoin and other digital currencies are attempting to recreate some of the censorship-resistant and privacy-protecting attributes of cash. And that’s good; it’s an innovative way of preserving some of those offline protections in a digital world. It could mean digital payments without terms of service or privacy violations.
The BitLicense proposal threatens all of that.
Infringing Privacy Rights of Innovators, Developers and Businesses
Companies that are subject to BitLicense—including developers, innovators and businesses looking to create new digital currency products—would have to forfeit their privacy by making extensive personal disclosures to the state of New York. This might mean people who care about their privacy might choose to avoid working in the digital currency space altogether.
Virtual currency businesses would have to submit an application for a BitLicense. The application requires a wealth of information, including that every applicant and certain key individuals within the business submit:
- Detailed information, including name, physical and mailing address and “information and documentation regarding their personal history, experience and qualification.”
- A background report prepared by an independent investigatory agency.
- A set of complete fingerprints to be handed over to both state and federal law enforcement.
- Two portrait-style photographs.
- Details about any legal proceedings they’re involved in, even those that have nothing to do with business activities.
In short, the BitLicense could spell the end of entrepreneurs and engineers hacking on new virtual currency tools and functions without turning their lives into an open book for the government to peruse.
Infringing Privacy Rights of End Users and Merchants
If enacted, this regulation would affect the privacy of end users as well as businesses that offer Bitcoin payment options. While these folks might not need a BitLicense, they may well rely on service providers that do need it – such as payment providers. Those payment providers, in turn, would be collecting more information on customers.
For every transaction, the licensed business must keep:
- The amount, date, and precise time of the transaction, and any payment instructions;
- The total amount of fees and charges received and paid to, by, or on behalf of the licensee;
- Names of the parties to the transaction;
- Account numbers of the parties to the transaction; and
- Physical addresses of the parties to the transaction.
All these records must be kept for at least 10 years, “in a condition that will allow the superintendent to determine whether the Licensee is complying with all applicable laws, rules, and regulations. ”
While we are generally concerned that forcing companies to maintain detailed records on every transaction is both burdensome and unnecessary, we are particularly concerned about the requirement that every transaction include name and physical address for all parties. This would, in effect, threaten the possibility of having any cash-like interactions in the digital world.
While you might be able to drop a couple quarters into an open guitar case as you walk down a busy street today, you’d never be able to anonymously send a street performer a few satoshi with an app on your smartphone. You’d also never be able to make a donation to a politically radical cause through a payment provider without linking your identity to it for a decade. Transactions – regardless of how big or small, how sensitive or mundane – would have a 10-year data trail that points back to your legal name and physical address.
An Industry in Its Infancy Does Not Merit Chains
It’s premature to craft extensive regulations for an industry that’s so new and still in flux. We think New York should play it cool for a few years and see what the market does before rushing in to clamp down on an industry in its infancy.
However, if NY DFS is intent on pushing ahead with this proposal, then we must call for safeguards to protect digital rights. The NY DFS is letting the fear of money laundering drive a massive regulatory proposal forward. NY DFS should respect the rights of technology users, and limit its regulation to what is proportionate to the real threat at hand.
Even if you aren’t a Bitcoin enthusiast, you should care about BitLicense. None of us knows what innovative new technologies might spring up in future years, including new ways that virtual currency protocols might be used for anything from combatting spam to facilitating international remittance. If enacted, the BitLicense proposal could stifle this innovation before it had a chance to get a foothold.
Submit comments to NY DFS, and ask your friends to do the same.
(Note: EFF is proud to accept Bitcoin; you can choose Bitcoin after hitting donate on any eff.org page).
Marco Santori's What New York's Proposed Regulations Mean for Bitcoin Businesses
Harley Geiger's NY's Proposed BitRegs a Threat to Privacy and Innovation
- 1. According to NY DFS’ press release, the new DFS BitLicenses will be required for firms engaged in the following virtual currency businesses:
- Receiving or transmitting virtual currency on behalf of consumers;
- Securing, storing, or maintaining custody or control of such virtual currency on the behalf of customers;
- Performing retail conversion services, including the conversion or exchange of Fiat Currency or other value into Virtual Currency, the conversion or exchange of Virtual Currency into Fiat Currency or other value, or the conversion or exchange of one form of Virtual Currency into another form of Virtual Currency;
- Buying and selling Virtual Currency as a customer business (as distinct from personal use); or
- Controlling, administering, or issuing a Virtual Currency. (Note: This does not refer to virtual currency miners.)
- 2. While the NY DFS' press release clearly states that miners will not need to get a license, the regulations themselves are not nearly so clear.