Internet users, policy analysts, and tech companies alike might be forgiven for feeling gaslit by the U.S. government’s manic, on-again-off-again relationship with consumer privacy.
In one version of reality, policymakers and regulators are united in their outrage at the systematic surveillance and privacy infringement that is all but written into FAANG business models. The message is clear: whether through antitrust or compliance, Big Tech must be made to do more to protect consumer privacy. But peer through the looking glass, and you’ll find Washington demanding the exact opposite from crypto.
The situation is much the same across the pond: The European Union, which gave us the GDPR’s celebrated limitations on data collection and the right to be forgotten, has just voted on draconian measures to increase data collection in the name of anti-money laundering – ensuring privacy coins never forget exactly who you are.
It’s a weird time in the compliance cryptosphere. But then again, that’s to be expected. We’re still early.
So it was refreshing to read President Biden’s rather optimistic and open-minded Executive Order (EO) on Ensuring Responsible Development of Digital Assets. But while surprisingly friendly toward crypto on the whole, the EO carries on the government’s unwavering tradition of providing inconsistent, fragmented, and often contradictory policy guidance on privacy.
On one hand, the EO represents a significant stride toward legitimizing crypto. By ordering numerous executive agencies to cooperate, research, and issue policy recommendations within 120 days of its signing, the EO invites thoughtful discussion about an informed official response and polishes away some of the tarnish of controversy that has dogged the industry. At the same time, Sections 5 and 7 place national security and law enforcement concerns in direct conflict with the EO’s commitment to privacy and commercial competitiveness, leaving the industry in a bit of a compliance pickle.
Section 2, for example, specifically calls for the “responsible development of digital assets to protect consumers, investors, and businesses” that “maintain privacy” and “shield against arbitrary or unlawful surveillance”. The EO then articulates the U.S. national interest in implementing protocols “in a responsible manner that includes privacy and security in their architecture.” Section 5 explicitly requests recommendations for “measures to protect consumers, investors, and businesses” against “theft, privacy and data breaches, and unfair and abusive acts or practices” in crypto.
Ostensibly, this is a boon for privacy, giving advocates reason for optimism about America’s forthcoming and – hopefully, finally – coherent policy on crypto. But, nope!
The conflict is introduced in Section 7, which requests an interagency coordination plan “for mitigating the digital-asset-related illicit finance and national security risks” that specifically includes “measures to increase financial services providers’ compliance with AML/CFT obligations,” an acronym that stands for Anti Money Laundering and Combating Financial Terrorism.
Certainly, the government’s interest in introducing thoughtful regulation to protect businesses and consumers against fraud and financial crimes is laudable and well founded. Unfortunately, AML/CFT measures in crypto tend to produce the opposite effect: they exacerbate harm to consumers and drastically erode already dwindling privacy protections without making commensurate gains in preventing cybercrime and illicit activity.
Privacy harms from (largely unsuccessful) attempts to combat crypto crime usually arise from two poorly architected measures:
Financial privacy – for regular people and commercial entities alike – is a legitimate and defensible requirement of a free and open society. It is also a prerequisite for mainstream commercial adoption of, and sustained American competitiveness in, crypto, which the EO recognizes as a priority for U.S. lawmakers. According to a Perkins Coie report on AML/CFT in crypto:
“Businesses rely on and expect financial privacy. Without maintaining confidentiality, commercial transactions would be visible for competitors and nefarious actors to analyze, predict, front-run, and exploit. This radically transparent type of environment would likely result in market manipulation by participants, a hindrance to innovation, and an unfair advantage for competitors and counterparties alike…Competitors would be able to readily identify each other’s supply chain partners, investment strategies, and primary sources of profit, thereby empowering them with valuable, proprietary information. Ultimately, this would have a negative impact on the overall economy and would consequently affect business and individuals alike.”
There is actually very little evidence that privacy coins are even the currency of choice for criminals. A Rand Corporation study found that privacy coins have a very minor presence in the dark web compared to Bitcoin, which accounts for more than 90% of addresses linked to criminals. Privacy coins provide confidentiality for mostly law-abiding citizens and businesses while criminals by and large resort to other methods to conceal their transactions, including the already fully transparent Bitcoin public ledger.
The risk from privacy coins is neither higher than, nor different in kind from, that of other high-risk financial products that already fall under the umbrella of AML/CFT compliance. So why should they be subject to outsized scrutiny and more stringent requirements at the expense of privacy? This adversarial stance is driven by fear of what lawmakers do not understand, or by electoral posturing to look like they’re “doing something”. Probably both!
Despite the combative environment toward privacy in crypto, several protocols are proactively engineering ways to protect confidentiality while enabling selective compliance. Findora, for example, “envisions a world where financial networks are compliant and publicly auditable at all times” and which aims to “prevent fraud and make compliance with regulations easier through the use of auditability tools, without sacrificing privacy”. Horizen is a protocol focused on “auditable transparency with privacy”. And Zcash, a popular privacy coin, is specifically “designed to protect consumers’ financial privacy while retaining compatibility with global AML/CFT standards”.
Law-abiding citizens and businesses are too often caught in the government’s dragnet to fight cybercrime – a dragnet that erodes privacy without producing commensurate outcomes for law enforcement. Meanwhile, compliant, privacy-enhancing innovations are emerging organically in crypto that have the potential to free consumers and businesses from having to choose between cooperating with law enforcement and asserting their legitimate right to confidentiality and autonomy.
And government can and should play a critical role in encouraging these innovations!
Indeed, agencies should view this EO as an exciting opportunity to contribute research and expertise, encourage innovation, and provide regulatory clarity. There is historical precedent for the government to reverse a previously adversarial stance on privacy by embracing innovation.
In the internet’s early days, the National Security Agency lobbied hard to ban all commercial use of cryptography for fear that it might give terrorists and criminals a leg up. As a result, cryptography was considered a munition subject to export rules. Today, HTTPS is a standard requirement for data transmission and is no longer classified as a weapon. Crypto privacy may follow a similar trajectory if government pursues appropriate alternatives to misdirected privacy crackdowns.
Saying that “more research is needed” may sound like reluctant equivocation and foot-dragging on necessary measures, but in the case of crypto, this really is true. In a space so nascent and uncharted, steadfast research is an indispensable first step before considering regulatory remedies that materially alter the flow of finance or that drastically curtail privacy.
The EO is bullish on crypto, and that’s wonderful. So why not spur innovation to address problems before turning to regulation as a last resort? If the government must be seen to do something, then perhaps its first step might be to fund – or at least incentivize – the solutions it wishes to see.
For example, to meet the EO’s stated commitment to making the U.S. globally competitive in crypto, government might allocate budget through the National Science Foundation or another scientific body to fund research in how zero-knowledge (ZK) cryptography could alleviate the mass data collection burden of AML/CFT measures.
If the purpose of KYC is to help compliance professionals establish sources of funding and verify legitimacy of transactions in order to combat crime, then what if we could find another way to accomplish the same goal, but without all the invasive anti-privacy measures? ZK allows individuals to prove that a given statement is true – such as that funds are legitimate – without undermining privacy by furnishing further details of that proof and thereby exposing extraneous personal data to requesting parties. If ZK can provide the verification that compliance professionals seek without exposing private data, government should ardently encourage development of this technology to further sections 2, 5, and 7 of the EO.
One concept especially worth exploring involves using the W3C’s open standards for decentralized identifiers and verifiable credentials to create a self-sovereign identity (SSI) solution that issues designated entities (such as government agencies) a token key to reveal identifying information encrypted in a ZK proof upon compelling evidence of malicious activity. It’s a bold idea that’s worth testing! Making this technique commercially available requires funding, research, and coordination, which government can facilitate and encourage.
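To make the two mechanics in the last two paragraphs concrete, here is an added illustration (not code from the original article, nor from Findora, Horizen, Zcash or the W3C standards mentioned). A user publishes a commitment to a secret identity value, proves knowledge of that secret with a Schnorr zero-knowledge proof so a verifier learns nothing beyond “the prover holds the secret behind this commitment”, and separately escrows the human-readable identity to a designated authority under hashed ElGamal encryption so it can be revealed only by that authority’s private key. The group parameters (p = 1019, q = 509, g = 4), the identity strings and the function names are all constructed for this example; the parameters are far too small for real use, and the toy does not prove that the escrowed ciphertext encrypts the same identity as the commitment, which a production design would have to add.

```python
"""Toy 'compliant privacy' pattern: ZK proof of knowledge of an identity
secret plus escrow of the identity to a designated authority.
Constructed illustration only; parameters offer no real security."""

import hashlib
import secrets

# Constructed toy group: safe prime P = 2*Q + 1, G generates the order-Q subgroup.
P = 1019
Q = 509
G = 4


def hash_challenge(*parts: int) -> int:
    """Fiat-Shamir challenge: hash the public transcript into Z_Q."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def commit_identity(secret: int) -> int:
    """Public commitment Y = G^secret mod P; reveals nothing about secret."""
    return pow(G, secret, P)


def zk_prove(secret: int, commitment: int) -> tuple:
    """Schnorr proof that the prover knows `secret` with G^secret == commitment."""
    r = secrets.randbelow(Q - 1) + 1          # fresh random nonce per proof
    t = pow(G, r, P)                           # announcement
    c = hash_challenge(commitment, t)          # non-interactive challenge
    s = (r + c * secret) % Q                   # response
    return t, s


def zk_verify(commitment: int, proof: tuple) -> bool:
    """Checks G^s == t * Y^c without ever learning the secret."""
    t, s = proof
    c = hash_challenge(commitment, t)
    return pow(G, s, P) == (t * pow(commitment, c, P)) % P


def authority_keygen() -> tuple:
    """Designated entity's ElGamal keypair (sk, pk = G^sk)."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def _derive_key(shared_point: int) -> bytes:
    return hashlib.sha256(str(shared_point).encode()).digest()


def escrow_identity(identity: bytes, auth_pub: int) -> tuple:
    """Hashed ElGamal: only the holder of auth_sk can recover `identity`.
    Limited to 32 bytes because one SHA-256 block is used as the pad."""
    if len(identity) > 32:
        raise ValueError("identity must be at most 32 bytes in this toy")
    r = secrets.randbelow(Q - 1) + 1
    c1 = pow(G, r, P)
    key = _derive_key(pow(auth_pub, r, P))
    ct = bytes(a ^ b for a, b in zip(identity, key))
    return c1, ct


def reveal_identity(auth_sk: int, escrow: tuple) -> bytes:
    """Designated authority decrypts the escrow upon compelling evidence."""
    c1, ct = escrow
    key = _derive_key(pow(c1, auth_sk, P))
    return bytes(a ^ b for a, b in zip(ct, key))


def demo_flow() -> dict:
    """End-to-end run on constructed inputs; returns what each party learns."""
    identity = b"user-0042"                    # constructed identity string
    secret = 123                               # constructed identity secret
    auth_sk, auth_pk = authority_keygen()

    commitment = commit_identity(secret)
    proof = zk_prove(secret, commitment)
    escrow = escrow_identity(identity, auth_pk)

    # Verifier accepts the proof and sees only the commitment and escrow blob.
    verified = zk_verify(commitment, proof)
    # A proof with a tampered response must be rejected.
    t, s = proof
    tampered_rejected = not zk_verify(commitment, (t, (s + 1) % Q))
    # The designated authority, and only it, can recover the identity.
    revealed = reveal_identity(auth_sk, escrow)
    return {
        "verified": verified,
        "tampered_rejected": tampered_rejected,
        "revealed": revealed,
        "matches": revealed == identity,
    }


if __name__ == "__main__":
    print(demo_flow())
```

The verifier’s side never needs the secret or the plaintext identity, which is the property the paragraph above is after; the escrow step is what gives a designated entity a key to reveal the identity later, rather than forcing collection of everyone’s identity up front.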
In addition, crypto would benefit from definitional clarity about what constitutes sufficient evidence of malicious activity in the first place. As the authors of the above concept paper on KYC-compliant ZK point out, “A particular topic that warrants further research and discussion is the definition of what constitutes ‘strong suspicion of being a bad actor in a DeFi protocol’ as a trigger for a designated governance entity to be able to request the identity of a DeFi user to be revealed”.
It is provably possible for protocols to rely on risk profiles and activity patterns to distinguish illicit from legitimate transactions, as demonstrated by the successful detection and reversal last year of a financial crime on the Poly Network without knowing the identity of the participants. Such advancements require dedication of time, resources, and research. American competitiveness in crypto would be greatly strengthened by government support and definitional clarity in this area. Given that smart contract code constitutes deterministic law, policy consensus around what constitutes “cheating” and how to infer intent based on activity patterns would provide protocols with invaluable guidance on coding for and identifying criminal activity and proactively cooperating with law enforcement. Such public-private collaboration in crypto would preserve critical access to confidential financial instruments, encourage American competitiveness in a healthy business climate, and protect the values of a free society.
Any compliant privacy-preserving innovation in crypto must balance the safety and privacy of consumers against the government’s legitimate interest in prosecuting and preventing crime. There are always tradeoffs, but here are four criteria to form a starting point for achieving that balance:
When confronted with theft on the scale of more than half a billion dollars as happened last month on Axie Infinity’s Ronin network, the reflexive regulatory response is often to cite the public interest and run roughshod over individuals’ privacy rights.
But while it may be tempting to equate the desire for privacy with wanting to hide something, privacy protections actually advance the collective welfare of the public. Criminal activity in crypto is an aberration that merits dedicated study and innovation, not suspension of civil liberties. The public may find it comforting to observe policymakers doing their part by being “tough on crypto.” But studies show that this security theater imposes unbearable privacy costs on regular consumers while presenting only minimal inconveniences and friction to criminals, most of whom transact on the already transparent Bitcoin public ledger.
We must bring law enforcement and financial security into alignment with empirical reality and the welfare of businesses and regular people. The answer lies in supporting and spurring innovation to create the conditions for compliant privacy, not in blocking technological advancement by altogether banning privacy in crypto.