A License to Kill Innovation: Why A.B. 1326—California’s Bitcoin License—is Bad for Business, Innovation, and Privacy
With assistance from Joseph Bonneau, Lee Tien, and Jamie Williams
Bitcoin creator Satoshi Nakamoto would never have qualified for a license under California’s proposed virtual currency regulation
A.B. 1326 (Dababneh) is a bill that would require “virtual currency businesses” to apply for and obtain a license in order to offer services in California, and it includes significant fees and administrative hurdles. Unfortunately, the bill’s language is so vague that it’s unclear what companies are, in fact, “virtual currency businesses.” So in spite of carve-outs for smaller companies and for software developers who don’t exercise control over the currency, the proposal threatens the future of virtual currency experimentation and innovation in the state.
The bill has percolated in the California legislature for months. EFF has been engaged with the author of the bill, explaining our concerns, opposing the bill, and helping to strip out some of the worst elements of the initial text.
But the time for conversation is over: the bill is moving ahead for a vote in the next few weeks, and it still has huge problems. We’re urging concerned Californians to speak out against this legislation by calling, emailing, and tweeting at their state elected officials immediately. Please speak out now.
We have philosophical issues with A.B. 1326—both the type of regulatory scheme it’s proposing as well as the timing of this regulation in relation to the development of new virtual currency technologies—and we also have concerns about how the bill is technically written. Here’s an overview of our concerns, starting with the larger philosophical issues:
- The regulation is premature; digital currency is an industry in its infancy.
While we sympathize with the ideals behind the legislation—protecting consumers—we fear this bill will have unintended long-term consequences that hurt consumers more than it helps. We don’t know what the future of cryptocurrencies will look like, but this legislation locks in a burdensome regulation before we know either where the technology is headed or what its likely uses will be.
We’ve seen this happen before in the technology policy space. In 1986, Congress rolled out an email privacy law known as the Electronic Communications Privacy Act (ECPA). While it was forward-thinking at the time, it didn’t envision that people would store years of email in free webmail services, and as a result ECPA has weak privacy protections for emails stored with a service provider for more than 180 days. We’ve spent more than a decade combating ECPA’s obsolete assumptions about email use, arguing that law enforcement can’t access emails in the cloud without a warrant even if they are older than 180 days. We’re still fighting in Washington to update the law. Years of battling over email privacy law could have been averted if the law wasn’t tied to a specific moment in the early development of email technology.
Virtual currencies are developing as quickly—or even more quickly—than email was back in the late ‘80s and early ‘90s. Let’s make sure that a forward-thinking law aimed at protecting consumers doesn’t have unintended negative consequences in the future as the technology changes, like ECPA did. That means watching the early development of technology before rushing in to regulate and being extremely cautious about adopting clear, narrowly tailored, and accurate legal definitions of technological terms relating to crypto currencies. As we explain below, A.B. 1326 fails in these respects.
- Having different regulations for cryptocurrencies in every state will create confusion for consumers.
This bill is attempting to regulate virtual currency businesses that maintain “full custody or control of virtual currency in this state on behalf of others” (emphasis added). Not only is this language vague, but virtual currencies transcend state borders. As a result, pretty much all virtual currency businesses would have to either cut off California customers or seek a license in the state.
But this won’t stop with California. New York has already adopted digital currency regulations, and we’ve seen regulatory proposals elsewhere. Lobbyists have described A.B. 1326 as model legislation that could be replicated in other states.
This could create wildly different standards for individual users, who may not know what rights they have and what legal protections exist. Even lodging a complaint could be confusing, with different regulatory bodies and processes in every state.
Strong state laws are often appropriate and can help establish rights for individual consumers—such as in the case of data breach notification and health privacy laws. But banking regulation is already an amalgamation of confusing standards. (As Rose Marie Kushmeider describesit for the FDIC Banking Review: “the overlap in tasks among federal regulators and between federal and state regulators, particularly for banks, creates a confusing system that no one building a system anew would want to duplicate.”) Adding state regulations for cryptocurrencies will only exacerbate the complexity of regulatory standards, leaving consumers in a miasma of legal uncertainty.
At the end of the day, cryptocurrencies are distributed software projects that can be accessed from across the world. They shouldn’t be regulated like brick-and-mortar businesses that serve a specific locality or community.
- The bill could chill virtual currency innovation in California.
The bill is designed for established Bitcoin businesses—companies with the significant financial and administrative resources needed to navigate the licensing process. Compliance requires substantial nonrefundable fees for registration and for examination. The bill proposes a carve-out for startups and small companies, but as we explain below, that carve-out is woefully inadequate to protect the rights of hobbyists and innovators.
This means that California consumers might not benefit from groundbreaking new developments in the virtual currency space, as a complicated and burdensome regulatory process scares off potential innovators. This would be at odds with a state that has long been a haven for innovation and experimentation, and which currently has a thriving community of virtual currency enthusiasts and companies.
We also have concerns about how the bill was drafted. The bill language indicates technological ignorance about cryptocurrencies, indifference to due process for license applicants, and inadequate safeguards for hobbyists and innovators in the cryptocurrency space.
- The bill’s definition of “virtual currency businesses” is vague, so it’s impossible to tell what the bill will do.
As mentioned, the bill defines “virtual currency business” as “maintaining full custody or control of virtual currency in this state on behalf of others.” But the bill doesn’t explain what it means to have “full custody or control” of a virtual currency or what it means for a virtual currency to be located “in this state,” and the drafters have so far refused to further define these terms. As is, this bill could be applied far too broadly, such as to smart contracts.
- The application requires irrelevant data from the applicants, and applicants can be denied a license with no explanation with limited opportunity to appeal.
To qualify for a virtual currency license, applicants have to turn over extensive data. For any entity applying for a license, the following must be provided for every officer, manager, director, or “person that has control” (another term that is not defined, as discussed in more detail below):
- Legal name
- Any fictitious or trade name
- Home and work address
- Employment history for 10 years
- Any criminal convictions and material litigation in the last 10 years
- Educational background
There is a range of problems inherent in this type of data collection. First, a lot of this data simply isn’t relevant to whether a virtual currency is well-run and protecting consumers. The rule requires applications to include convictions for nonviolent drug offenses, peaceful protests, or reckless driving. Being a college dropout might also crop up. Will these things bar the applicant from receiving a virtual currency license? Will having five different employers in a 10-year period be a black mark on an application?
Nobody knows. Because while the virtual currency license is very clear on the data that must be handed over to the commissioner, there’s little information about why an application could be rejected. If an application is rejected, there’s no inexpensive administrative appeal option, and the commissioner isn’t required to provide any report to the denied applicant. In fact, the commissioner doesn’t even have a specific time period in which he must respond. Applications can languish unresolved—indefinitely.
This type of data collection could also deter innovators and developers who prioritize privacy and security. Many with a deep passion for privacy might not want to hand over all this data to the government, either because it’s invasive or because they fear that the government databases storing the data won’t be secure. People who might bring powerful innovation to the virtual currency space—especially those who might be most interested in privacy-protective features—may well steer clear.
A prime example? Satoshi Nakamoto—the pseudonymous creator of Bitcoin—never provided his home address, employment history, or educational background. Satoshi would never have qualified for a license under California’s regulatory proposal unless he sacrificed his much-guarded privacy.
- The commissioner has complete discretion to revoke licenses.
The commissioner can revoke a license for a wide range of reasons. This means the commissioner, at his sole discretion, can choose to favor some virtual currency services over others, which builds a lot of ambiguity into the bill. Reasons for revocation include:
- If a licensee doesn’t “cooperate” with an investigation or examination.
- If the commissioner believes that the “competence, experience, character or general fitness” of the licensee or any director, officer, employee (yes, employee), or person “in control of a license” indicates that “it is not in the public interest” to allow the person to provide virtual currency services.
- The provisional license is no panacea.
The bill has a carve-out for small businesses and startups, whereby they can get a provisional license for two years for only $500 (instead of the typical $3,500 application fee and $2,500 renewal fee). To be clear, we’re glad this carve-out exists. But this isn’t a cure-all for the things wrong with the proposal. The commissioner has an amazing amount of discretion with the provisional license, just as he does with the primary virtual currency license, so it’s ambiguous who will even qualify for a provisional license and how it will operate.
- Qualifying for the carve out might be harder than it seems: to qualify for the carve-out, a business must both be conducting business with less than $1 million in outstanding obligations and have a business model that the commissioner decides at his sole discretion represents “low or no risk to consumers.” Both of these criteria are troubling. First, this regulation fails to take into account how volatile virtual currency markets can be, as they are driven entirely by market interest. One could easily imagine spikes in the market creating obligations of over a million dollars that lasted mere days. If this happens, the business has a mere 15 days to notify the commissioner and then must apply for a virtual currency license within 30 days. Similarly, the smallest company in the world might not qualify for the provisional license if the commission decides it is a “risk” to consumers. Since virtually all cryptocurrency businesses carry some risk to somebody, this exception could swallow the provisional license provision entirely.
- Just like the virtual currency license, qualifying for the provisional license may require detailed personal data. It’s unclear from the bill whether the provisional license applicants must turn over all the data that are necessary to apply for the regular virtual currency license. It almost doesn’t matter, because the commissioner can always requests more “reports and documents” and may audit the provisional license applicants at will—raising the same data collection concerns that exist with the full license.
- The legislation is technically inaccurate.
- The bill defines a virtual currency business as “maintaining full custody or control of virtual currency in this state on behalf of others.” Not only is this vague and overbroad, but it also does not reflect how many virtual currencies actually function. For example, what constitutes being “in this state” is unclear. Virtual currencies don’t exist in a single physical location. Instead, cryptocurrencies’ “existence” often reflects the location where keys are stored—which might be in the cloud, on a server in your house, or in several other geographic places all at the same time!In addition, the question of who maintains “full custody and control” of virtual currencies will likely prove to be complicated and implicate multiple parties specified in a “smart contract.” To dive into the technology for just a moment: new cryptocurrencies such as Ethereum allow arbitrarily complicated user-written contracts to be written in a form of code to determine who controls a given unit of the currency. Due to the classic Halting Problem in computer science, it is in fact impossible to always determine which parties may be in control of currency in such a system. The vague language of the bill will undoubtedly leave those in the virtual currency space unclear about their obligations, and may also deter those who are thinking about getting involved in the nascent industry.
- The bill often refers to a “person in control,” a “person in control of a licensee,” or a “person that has control.” These traditional concepts do not easily translate to the world of virtual currencies. In cryptocurrencies, it is keys—not people—that dictate control. A server holding Bitcoin keys can run some software and make automated decisions to move money without any individual signing off on it. Is the person in control the individual who installed and configured all the software? Or does the term refer to somebody with higher-level administrative control to set policy? The term “person in control,” as it is currently used, is vague and not reflective of the technical complexity of virtual currencies.
- The bill forces all virtual currency companies that get a license to provide a disclosure statement to consumers. The statutorily mandated disclosure is written to be specific to Bitcoin—despite that there are and will be many other types of digital currencies. Yet despite its focus on Bitcoin, its description of how Bitcoin works is just wrong. For example, it requires a company to state: “once submitted to the network, a virtual currency transaction will be unconfirmed for a period of time (usually less than one hour, but up to a day or more) pending sufficient confirmation of the transaction by the network.” However, there is no fixed amount of time after which a Bitcoin transaction is definitively “confirmed”; six confirmation blocks (roughly one hour on average but highly variable) is simply a popular choice. Even worse, this language is completely inaccurate for many other types of cryptocurrencies. Some popular currencies (e.g., Litecoin) use the same model as Bitcoin, but with 10 times faster the “confirmation.” For other virtual currencies (such as Stellar, Ripple, or Tendermint), the notion of confirmation time is completely different; transactions are confirmed within seconds. More generally, it is a mistake to mandate this kind of technical description given the large variety of possible technical designs.
- It’s bad for video games.
The bill attempts to exempt video game currencies from regulation. However, many video game currencies would still fall within the regulation. The bill states that “Virtual currency does not include ... Digital units that are used solely within online gaming platforms with no market or application outside of those gaming platform.” This exception only applies to trade of digital artifacts that have no value whatsoever outside of the game. But any game currency that can be shared, traded, or gifted among users may result in market value outside the game, whether or not the company’s terms allow for these transactions. Because the definition of “virtual currency business” includes maintaining full custody of the currency, this bill could require any video game company that offers an in-game currency that can be traded externally to get a license.
We recognize that the most recent draft of the legislation is greatly improved over earlier drafts, and we appreciate that the author of the bill has made adjustments to address many of our original concerns. We also share the California legislature’s concerns about consumer welfare during the rocky and unpredictable rise of cryptocurrencies. But rather than rushing to adopt comprehensive regulations, the legislature should carefully observe the landscape as it develops This would allow the legislature to better address a wider range of virtual currency models and challenges.
In the meantime, there are immediate ways to protect consumers. This could include public education campaigns, working with virtual currency services to improve security practices to avoid malicious hacking, and convening virtual currency companies to help create self-regulatory standards that prioritize protecting consumers, privacy, and freedom.
If you are in California, please speak out against this bill.