Today, EFF submitted comments to the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) opposing the agency’s proposal for new regulations of cryptocurrency transactions. As we explain in our comments, financial records can be deeply personal and revealing, containing a trove of sensitive information about people’s personal lives, beliefs, and affiliations. Regulations regarding such records must be constructed with careful consideration regarding their effect on privacy, speech and innovation.
Even in an increasingly digital world, people have a right to engage in private financial transactions.
FinCEN’s proposed rule is neither deliberative nor thoughtful. As we’ve written before, this rule—which would require regulated businesses to keep records of cryptocurrency transactions over $3,000 USD and to report cryptocurrency transactions over $10,000 to the government—would force cryptocurrency exchanges and other money services businesses to expand their collection of identity data far beyond what they must currently do. In fact, it wouldn’t only require these businesses to collect information about their own customers, but also the information of anyone who transacts with those customers using their own cryptocurrency wallets.
In addition to the concerns we’ve already raised, EFF believes the proposed regulation as written would undermine the civil liberties of cryptocurrency users, give the government access to troves of sensitive financial data beyond what is contemplated by the regulation, and have unintended consequences for certain blockchain technology—such as smart contracts and decentralized exchanges—that could chill innovation.
The agency has not provided nearly enough time to consider all of these risks properly. And, by announcing this proposal with a short comment period over the winter holiday, FinCEN’s process did not allow many members of the public and experts the necessary opportunity to provide feedback on the potentially enormous consequences of this regulation.
That’s why EFF is urging the agency not to implement this proposal. We are instead asking that FinCEN meet directly with those affected by this regulation, including innovators, technology users, and civil liberties advocates to understand the effect it will have. And we’re calling on the agency to significantly extend the comment period to a minimum of 60 days, and offer additional time for comments after any adjustments are made to the proposed regulation.
This Rushed Proposal Threatens Financial Privacy, Speech, and Innovation
Even in an increasingly digital world, people have a right to engage in private financial transactions. These protections are crucial. We’ve seen protestors and dissidents in Hong Kong, Belarus, and Nigeria make deliberate choices to use cash or cryptocurrencies to protect themselves against surveillance. The ability to transact anonymously allows people to engage in political activities, protected in the U.S. by the First Amendment, which may be sensitive or controversial. Anonymous transactions should be protected whether those transactions occur in the physical world with cash or online.
The proposal would require businesses to collect far more information than is necessary to achieve the agency’s policy goals. The proposed regulation purports to require cryptocurrency transaction data to be provided to the government only when the amount of the transactions exceed a particular threshold. However, because of the nature of public blockchains, the regulation would actually result in the government gaining troves of data about cryptocurrency users far beyond what the regulation contemplates.
Bitcoin addresses are pseudonymous, not anonymous—and the Bitcoin blockchain is a publicly viewable ledger of all transactions between these addresses. That means that if you know the name of the user associated with a particular Bitcoin address, you can glean information about all of their Bitcoin transactions that use that address. In other words, the proposed regulation would provide the government with access to a massive amount of data beyond just what the regulation purports to cover.
That scale of such collection introduces considerable risk. Databases of this size can become a honeypot of information that tempts bad actors, or those who might misuse it beyond its original intended use. Thousands of FinCEN’s own files have already been exposed to the public, making it clear that FinCEN’s security protocols are not adequate to prevent even large-scale leakage. This is, of course, not the first time that a sensitive government database has been leaked, mishandled, or otherwise breached. Over the past several weeks, the SolarWinds hack of U.S. government agencies has made headlines, and details are still emerging—and this is hardly the only example of a large-scale government hack.
There are also significant Fourth Amendment concerns. As we argue in our comments:
The proposed regulation violates the Fourth Amendment’s protections for individual privacy. Our society’s understanding of individual privacy and the legal doctrines surrounding that privacy are evolving. While 1970s-era court opinions held that consumers lose their privacy rights in the data they entrust with third parties, modern courts have become skeptical of these pre-digital decisions and have begun to draw different boundaries around our expectations of privacy. Acknowledging that our world is increasingly digital and that surveillance has become cheaper and more ubiquitous, the Supreme Court has begun to chip away at the third-party doctrine—the idea that an individual does not have a right to privacy in data shared with a third party. Some Supreme Court Justices have written that “it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.” In 1976, the Supreme Court pointed to the third-party doctrine in holding in U.S. v. Miller that the then-existing Bank Secrecy Act reporting requirements did not violate the Fourth Amendment.
Two developments make continued reliance on the third-party doctrine suspect, including as the source for regulations such as those contemplated here.
First, since the Miller decision, the government has greatly expanded the Bank Secrecy Act’s reach and its intrusiveness on individual financial privacy. Although the Supreme Court upheld the 1970s regulations in an as-applied challenge, Justice Powell, who authored Miller, was skeptical that more intrusive rules would pass constitutional muster. In California Bankers Association v. Shultz, Justice Powell wrote, “Financial transactions can reveal much about a person's activities, associations, and beliefs. At some point, governmental intrusion upon these areas would implicate legitimate expectations of privacy.” Government intrusion into financial privacy has dramatically increased since Miller and Shultz, likely intruding on society’s legitimate expectations of privacy and more directly conflicting with the Fourth Amendment.
Second, since Miller, we have seen strong pro-privacy opinions issued from the U.S. Supreme Court in multiple cases involving digital technology that reject the government’s misplaced reliance on the third-party doctrine. This includes: U.S. v. Jones (2012), in which the Court found that law enforcement use of a GPS location device to continuously track a vehicle over time was a search under the Fourth Amendment; Riley v. California (2014), in which the Court held that warrantless search and seizure of the data on a cell phone upon arrest was unconstitutional; and Carpenter v. U.S., in which the Court held that police must obtain a warrant before accessing cell site location information from a cell phone company. EFF is heartened to see these steps by the courts to better recognize that Americans do not sacrifice their privacy rights when interacting in our modern society, which is increasingly intermediated by corporations holding sensitive data. We believe this understanding of privacy can and should extend to our financial data. We urge FinCEN to heed the more nuanced understanding of privacy rights seen in modern court opinions, rather than anchoring its privacy thinking in precedents from a more analog time in America’s history.
Finally, we urge FinCEN to consider the potential chilling effects its regulation could have on developing technologies. FinCEN should be extremely cautious about crafting regulation that could interfere with the growing ecosystem of smart contract technology, including decentralized exchanges. We are in the very earliest days of the exploration of smart contract technology and decentralized exchanges. Just as it would have been an error to see the early Internet as merely an extension of the existing postal service, it is important not to view the risks and opportunities of these new technologies solely through the lens of financial services. The proposed regulation would not only chill experimentation in a field that could have many potential benefits for consumers, but would also prevent American users and companies from participating when those systems are deployed in other jurisdictions.
Because of the proposed regulation’s potential impact on the civil liberties interests of technology users and potential chilling effect on innovation across a broad range of technology sectors, we urge FinCEN not to implement this proposal as it stands. Instead, we ask that it does its due diligence to ensure that civil liberties experts, innovators, technology users, and the public have an opportunity to voice their concerns about the potential impact of the proposal.
Read EFF’s full comments.