Financial records contain a trove of sensitive information about people’s personal lives, beliefs, and affiliations—which is why law enforcement should be required to get a warrant in order to obtain financial transaction data. Courts and lawmakers have gotten this wrong in the context of traditional banks—and a June 30 ruling by a federal appeals court applied this outdated thinking to cryptocurrency. This is particularly concerning because one of the most important aspects of cryptocurrency is that it imports the privacy protections of cash into the digital world.
In U.S. v. Gratowski, the U.S. Court of Appeals for the Fifth Circuit ruled that law enforcement does not need to get a warrant in order to obtain financial transaction data from cryptocurrency exchanges. In deciding that Gratowski lacked a reasonable expectation of privacy in records of his cryptocurrency transactions, the court relied on the third-party doctrine. Under that doctrine, when people use services like banks, they lose their reasonable expectation of privacy in the information that they voluntarily turn over to a third party. This means that, instead of getting a warrant, law enforcement can use subpoenas—which do not require probable cause or prior approval by a judge—to obtain people’s data from those third parties.
This doctrine, and the court’s reliance on it in Gratowski, is wrong. Users should not lose their reasonable expectation of privacy in their data just because it is stored by a third party. In today’s digital world, it is almost impossible to navigate daily life without using essential services like email that give third parties access to sensitive information. With cryptocurrency transactions, people’s expectations of privacy are arguably even stronger, given that the technology allows for anonymous transactions online.
The defendant in the case, Gratkowski, was accused of accessing a child pornography website. Federal agents found him by analyzing transactions on the Bitcoin blockchain and asking a cryptocurrency exchange for information about his identity and cryptocurrency transactions. The defendant challenged the legality of obtaining this information without a warrant.
The Bitcoin blockchain is a distributed ledger that publicly and permanently records all Bitcoin transactions. For each Bitcoin transfer, the information that is publicly displayed includes the Bitcoin address of the sender and the receiver—an alphanumeric string akin to a username, which a user can use once or for multiple transactions. Bitcoin addresses are pseudonymous. While the information recorded on the Bitcoin blockchain ledger might be that address “123…” transferred 1 bitcoin to address “456…,” if someone independently knows that Jane Smith controls address 456, they will know that in fact the user who controls address 123 transferred 1 bitcoin to Jane Smith.
In today’s digital world, it is almost impossible to navigate daily life without using essential services like email that give third parties access to sensitive information. With cryptocurrency transactions, people’s expectations of privacy are arguably even stronger, given that the technology allows for anonymous transactions online.
There are a few ways to obtain Bitcoin. One way is to “mine” Bitcoin. But the more common way is to exchange Bitcoin for something else of value, like U.S. dollars or another currency. There are a variety of cryptocurrency exchanges that allow people to exchange their Bitcoin (and other cryptocurrencies) for U.S. dollars and other currencies. There are also hosted wallet services that act like a bank account for Bitcoin and other cryptocurrencies, and many exchanges offer wallet services as well. These exchanges typically collect the real identities of their users—in addition to knowing at least some of their users’ Bitcoin addresses.
In this case, federal agents learned the Bitcoin addresses of a website they were investigating. In order to find out who had transferred Bitcoin to that website, federal agents asked a popular cryptocurrency exchange for the identities of anyone who had sent Bitcoin to the website’s Bitcoin addresses. Federal agents could have sought and obtained a warrant in order to get that information from the exchange. But instead of getting a warrant, the agents served the exchange with a subpoena—a less onerous process. The exchange responded by providing Gratkowski’s name and personal information, as well as records of his Bitcoin transactions, leading to his arrest.
Gratkowski asked the trial court to suppress the evidence because the analysis of the blockchain and the subpoena to the exchange violated the Fourth Amendment; the trial court denied this request. On appeal, the Fifth Circuit court agreed with the trial court’s denial of the request, and found that the government had not violated Gratkowski’s reasonable expectation of privacy in (1) the information published on the Bitcoin blockchain, and (2) the information customers shared with the exchange.
The Bitcoin blockchain is public—albeit pseudonymous—so it is easy to understand the court’s holding that there is no reasonable expectation of privacy for information that is shared publicly on the Bitcoin blockchain.
But the court’s second holding—that there was no reasonable expectation of privacy for information shared with an exchange—is troubling.
The court missed an opportunity to follow the Supreme Court’s lead in recognizing stronger privacy protections for digital data held by third parties. In Carpenter v. U.S., the Supreme Court ruled in 2018 that individuals have a privacy interest in their cell phone location records, even though that information is held by third parties. In Carpenter, the Court noted that location records provided “an all-encompassing record of the holder’s whereabouts” and “an intimate window into a person’s life, revealing not only particular movements, but through them [their] familial, political, professional, religious, and sexual associations.”
In Gratkowski, the court held that a person’s virtual currency transactions do not “provide agents with ‘an intimate window into a person’s life.’” But a person’s financial transactions are deeply personal and revealing. Like the location records in Carpenter, financial records reveal “familial, political, professional, religious, and sexual associations”—what organizations a person donates to, what family members a person supports, what services a person pays for, and what books and products a person buys. Indeed, financial records are often revealing of a person’s location—and location data was exactly what was at issue in Carpenter.
This outcome is perhaps unsurprising in light of how courts and lawmakers have treated financial records in the past. In 1976, the Supreme Court held in U.S. v. Miller that bank customers lack a reasonable expectation of privacy in their bank records, pointing to Congress’s enactment of the Bank Secrecy Act, which requires banks to maintain financial records because of their usefulness in investigations. But the fact that the transactions are made through cryptocurrency rather than through traditional financial channels indicates that the transactions are more likely to be sensitive, and that the person making the transaction may be turning to cryptocurrency precisely because of the privacy protection it provides.
Cryptocurrency allows for anonymous transactions online, which—like cash—is important for protecting civil liberties. For example, news reports from the Hong Kong protests showed long lines at subway stations as protestors waited to purchase tickets with cash so that their electronic purchases would not place them at the scene of the protest. These photos underscore that a cashless society is a surveillance society, and the importance of importing the anonymity of cash to the digital world.
Cryptocurrency is also important because it is censorship resistant. Many traditional financial intermediaries have engaged in arbitrary financial censorship, cutting off access to financial institutions for adult social networks, adult booksellers, and controversial websites, even when these websites have not violated the law. In some of those cases of financial censorship, the censored organization has turned to cryptocurrency (most famously, in the case of Wikileaks). That is why cryptocurrency transactions are more likely to be sensitive—and more likely to carry with them a reasonable expectation of privacy.
The federal agents in this case could have easily sought a warrant from a judge, rather than merely sending a subpoena to the exchange. The court’s decision that the agents could obtain this sensitive cryptocurrency transaction data without a warrant sets a dangerous precedent. A decision that the government can obtain certain information without a warrant is not just about individual criminal cases like Gratkowski’s; rather, it enables the government to partner with private companies to implement mass surveillance programs like the one at issue in EFF’s lawsuit against the NSA for its warrantless dragnet surveillance of Americans in cooperation with AT&T. This is particularly concerning against the backdrop of regulators applying certain data collection obligations of the Bank Secrecy Act to cryptocurrency.
EFF is increasingly worried about law enforcement turning to intermediaries such as cryptocurrency exchanges and hosted wallet providers to obtain sensitive user data. That is why EFF has called on cryptocurrency exchanges to publish regular transparency reports about how many law enforcement requests they recieve, how many they fulfill, and how many user accounts are implicated, as well as to publish policies clearly setting forth procedures for protecting user data from overreaching requests. The court’s disappointing decision in this case is all the more reason for cryptocurrency exchanges to provide this transparency and to fight for users’ privacy.