Facebook’s new cryptocurrency Libra has garnered attention from lawmakers and consumer groups since it was announced last month. And it’s no wonder: with a wince-inducing history of data disclosure scandals, the Facebook brand has become synonymous with ineptitude at protecting privacy. They’re bringing that tarnished reputation to cryptocurrency, a field that has already attracted more than its fair share of bad actors that too often overshadow the blockchain innovators working to protect user rights. As Congress gears up to investigate this issue, we’re frankly worried. On top of our many concerns about the implications of Libra, there is a serious possibility that reactive legislation could further harm consumers.

We’ve criticized Facebook for years, and we share the concerns of regulators who want to ensure people’s privacy and rights are protected from Facebook’s abuses. But make no mistake: a disproportionate regulatory backlash to Libra could have dire consequences for Internet users. Legislation that tries to ban the publication of open source software, impose onerous licensing obligations on creators developing code, or regulate non-custodial blockchain services as if they were banks will have a chilling effect on innovation in the space. The end result would be that the only companies able to navigate the complicated regulatory landscape are those with significant financial and legal resources. In other words, regulatory backlash today could serve to entrench Facebook’s role in the space rather than unseat it.

Libra is a cryptocurrency set to launch in 2020 which, according to its whitepaper, seeks to “enable a simple global currency and financial infrastructure that empowers billions of people.” Like other blockchain-based projects, Libra uses cryptographic hashes to create a decentralized ledger that is extremely difficult to edit, meaning its history of transactions is immutable under most circumstances. This is one of the cornerstone innovations of blockchain technology: since the technology is designed in a way that removing or editing a prior transaction is extremely difficult, users can trust that once they have received a digital token it is truly theirs and can’t be transferred to someone else without their permission. Unlike the decentralized but computationally-intensive Bitcoin mining system, Libra uses a set of trusted validators to verify and attest to the transactions on Libra (rejecting transactions that would fraudulently attempt to double spend coins that have already been spent elsewhere, for example). Libra is also unusual in that it is a so-called stable coin, and is designed to see fewer fluctuations in value because the Libra Association intends to be “fully backing each coin with a set of stable and liquid assets.”

Facebook also announced Calibra, a new digital wallet for Libra. This wallet, which Facebook intends to make available in its other products like Messenger and WhatsApp, will enable users to send Libra to one another through the apps, and potentially to merchants as well.

There’s a lot being written about Libra and its wallet Calibra. For users concerned about their digital rights, there are a few things to focus on:

  • New innovations around transactional privacy are not part of Libra’s design. Whereas the first Bitcoin whitepaper proposed a ledger that would be pseudonymous but publicly accessible, new innovations in applied cryptography have found ways to successfully verify transactions and maintain a distributed ledger without disclosing the sending account, the receiving account, and the amount sent. However, Facebook has not chosen to integrate these privacy features into the Libra protocol.
  • The key features of decentralization that are the hallmark of Bitcoin and numerous other blockchain technologies were not built into Libra’s design. Many people have criticized Bitcoin for using a lot of energy in order to verify transactions. Alternatives to an open and permissionless blockchain give up some level of decentralization in order to be more efficient in energy consumption, transaction speed, and scalability. Similarly, Libra’s design choice creates a set of trusted intermediary organizations who communicate to reach consensus on which transactions are valid. These verifiers could, in theory, collude or be legally compelled to block or delay transactions in ways users might not expect. They could also collectively decide to roll back transaction history that they decided represented improper activity.
  • Calibra, the Facebook wallet for Libra, is a custodial wallet. The user doesn’t control the wallet’s security; the Calibra service does. That means that Calibra can see and interfere with transactions, block accounts from receiving funds, remove funds from user wallets, disclose users’ activities to law enforcement and governments, and can freeze or cancel accounts altogether. Calibra has put out an initial statement (PDF accessed from this URL on July 10; crossposted here for archival purposes) about their commitments to consumers that describes efforts it will implement to monitor the accounts of users and report on those activities to governments. Unfortunately, this document doesn’t promise much transparency or accountability about the data that will flow to governments. 
  • In addition, while Calibra cites the millions of unbanked people around the world in its press release, it notes that it intends to take steps to identify customers by requiring ID verification as well as using “the latest technologies and techniques, such as machine learning” to enhance its efforts to identify customers and report on their activities to governments.

A scalable, easy-to-use cryptocurrency built into popular global applications could expand the reach of cryptocurrencies. But Libra and Calibra aren’t currently in alignment with the ideas that make cryptocurrencies exciting from a digital rights perspective. Instead, we are promised a system that will be hardly more privacy-protective than Venmo (which trumpets the sexual encounters and drug purchases of users) and will have the same censorship tools as PayPal—which has a long history of freezing accounts with little explanation or option for appeal.

With Calibra rolling out to put Libra into the smartphones of people across the globe, we could soon see Libra itself become something akin to a default form of money for the Internet. Even if another wallet could rival Calibra’s functionality and ease of user interface, how many users will actually download a new app when Instagram, WhatsApp, and Facebook Messenger are already on their phones?

As Bloomberg’s Matt Levine points out, “if you replace the traditional social-regulatory technology of money creation with a new sort of computer technology of money creation, odds are that the power of money creation will end up not so much in the hands of free-spirited individual hackers around the world, but in the hands of some giant tech company.”

The advent of Libra has also brought increased regulatory scrutiny to this topic, and it’s no wonder: lawmakers were already thinking through how to hold Facebook accountable for its repeated abuses of people’s privacy rights. But short-sighted regulatory reactions today could prove a double harm to consumers, who would be living in a world where privacy-eroding Libra is increasingly used and where onerous and technologically-specific regulations make better cryptocurrency alternatives less likely.

Early regulatory battles in this space have provided a glimpse into what a regulatory reaction might look like. Recently, the UK Treasury sought feedback as it updated its anti-money laundering regulations. Included in the feedback requests were questions about whether the publication of open source code should be regulated as a way to crack down on bad actors using cryptocurrency. The UK isn’t alone; a few months earlier, we saw similar worrisome language about punishing people for merely writing and publishing code in statements put out by the SEC related to their settlement with a decentralized exchange.

Regulation could still harm consumers even if it didn’t go as far as banning the publication of open source software. In May, a member of Congress called for a bill to outlaw cryptocurrency purchases by Americans, a move that would hamper future innovation. We’ve seen worrisome proposals like the original New York BitLicense, which sought to require that innovators go through a costly and lengthy licensing process and had implications for users as well as innovators. Poorly-crafted legislation could impose privacy-invasive regulations in the name of combating money laundering that could undermine new cryptocurrency technologies like ZCash and Monero, which endeavor to provide digital currency users with some of the same financial privacy enjoyed by anyone who uses cash.

Some regulators have recognized that their initial reactions to blockchain technologies were too severe. For example, a U.S. Commodity Futures Trading Commission (CFTC) Commissioner publicly stated his view that smart contract developers should be accountable when they could “reasonably foresee” that people would later use their code in a way that violated the law. Just four months later, after discussions with the blockchain community, he retracted that position.

Poorly-crafted laws today could chill innovation tomorrow. The end result of this would be that only companies that are rich enough to hire an army of lawyers and lobbyists will be able to wade through the complicated regulatory landscape—companies such as Facebook.

This is not to say that any regulation around cryptocurrency would be a bad idea. Those who abuse cryptocurrency to defraud consumers should be held accountable, and EFF participated in the United States Uniform Law Commission’s process for considering how to approach regulation in a way that could crack down on fraudsters without sacrificing future innovation. We would urge any policymakers moving into this space to similarly engage human rights and technology experts.

We’ve identified a few rules of the road for any policymakers stepping into this space to ensure they minimize the harm to consumers. Any regulation around blockchain:

  • Should be technologically neutral.
  • Should not punish those who merely write and publish code.
  • Should provide protections for individual miners, merchants who accept cryptocurrencies, and individuals who trade in cryptocurrency as consumers.
  • Should focus on custodial services, not non-custodial services that can’t trade assets without user participation.
  • Should provide an adequate on-ramp for new services to reach compliance.
  • Should recognize the human right to privacy and the deeply personal nature of financial transactions, and should not undermine privacy-enhancing innovation in this space.
  • Should recognize the important role of decentralized exchanges and other decentralized technologies in empowering consumers.
  • Should not chill future technological innovation that will benefit consumers.

Adhering to these principles while also attempting to pass a law through Congress—with all the concomitant pressure from the lobbyists of big tech companies and the traditional financial services—is no simple feat, especially when many in Congress may be unaware of the intricacies of how the technology works.

Lawmakers who were already unsympathetic to cryptocurrency’s freewheeling evolution are not going to be reassured by a currency associated with Congress’ least favorite company. But we urge them not to let their suspicion of Mark Zuckerberg lead them to restrain the many other innovators eager to compete with him.