Cryptocurrencies

Surprise: DOJ Is Not a Big Fan of Privacy-Preserving Cryptocurrencies

Privacy is a right, not a “high risk” and “possibly criminal” activity

|

The Department of Justice has been busy thinking about how to deal with cryptographic technologies. This past month, DOJ has issued two major statements on privacy-preserving tech, one of them an international rallying cry to build government backdoors into secure communications and the other a "clarification" of federal policy surrounding cryptocurrency applications. Unsurprisingly, both documents view privacy-preserving technologies as impediments to DOJ operations.

The encryption statement was mostly a reiteration of long-standing government issues with secure communications, this time wrapped in the packaging of saving children from criminals. Signatories from the Anglo governments ("Five Eyes") plus India and Japan again asserted that "public safety [can] be protected without compromising privacy or cyber security." This is obviously true in the abstract, but not when the "protection" in question is a government backdoor that necessarily compromises privacy and security. No new ground was broken here.

The cryptocurrency report, on the other hand, does give new insight into the developing priorities of federal bodies grappling with the rise of cryptocurrency. It's not a lawmaking document, but rather a backgrounder laying out how cryptocurrency works and where certain applications might run afoul of established agency guidance. Still, it provides a valuable look into where the next battles in the war between privacy and surveillance will be fought. Specifically, DOJ has indicated a strong unease with "anonymity enhanced cryptocurrencies" (AECs), more commonly known as privacycoins, such as Monero and Zcash, as well as coin-mixing techniques.

The report, "Cryptocurrency: An Enforcement Framework" begins with a brief description of blockchain technologies before sparing an even briefer few words for the "breathtaking possibilities for human flourishing" that distributed ledger technologies may raise. The reader will be treated to two curt paragraphs discussing limited "legitimate uses," including eliminating the need for a financial intermediary, minimizing transaction costs, providing an inflation shelter and micro-payments, and improved security controls. Even then, these are caveated.

This perfunctory nod to positive use cases dwarfs in comparison to the roughly fourteen pages of horribles that follow. The report recounts in exhausting detail every possible crime that could be or has been committed using cryptocurrency. There are three major categories: 1) financial transactions used to commit crimes, e.g. drug trafficking and terrorism; 2) money laundering to hide crimes or tax evasion; and 3) cryptocurrency scams and hacks.

It shouldn't surprise anyone that America's top cops would spend more time fearmongering on worse case scenarios than describing, say, how cryptocurrencies have been a lifeline to people in tyrannical or failing states. But a bit of context would have provided much needed clarity.

For example, the first page of the report states that "cryptocurrency is increasingly being used to buy and sell lethal drugs … contributing to an epidemic that killed over 67,000 Americans by overdose in 2018 alone." The citation just leads to the CDC statistics on total overdose deaths, yet the claim makes it seem like it was mostly cryptocurrency that directly caused these deaths.

There is no attempt to establish exactly what proportion of cryptocurrency use is linked to overdoses or even the drug trade in general, let alone how that compares to traditional financial channels. In fact, blockchain forensics suggests that around one percent ($600 million) of global cryptocurrency transactions are linked to criminal darknet markets, which involve not only drugs but also things like forgeries and identity theft. Compare this to the some $150 billion that Americans alone spend on illegal drugs using boring old money each year. Perspective matters.

Similar problems permeate throughout. The report gives examples of serious crimes involving cryptocurrency, but there is rarely an attempt to contextualize these crimes in terms of what proportion of cryptocurrency activity is involved in such deeds and how that compares to traditional finance. An alien reading this document would come away thinking that cryptocurrency is a kind of Mos Eisley Cantina of transacting, with nary a good reason for getting involved.

This is a shame, as many of the beneficial uses of cryptocurrency could greatly aid the victim groups the DOJ rightly seeks to protect. Good guys need privacy, too—often more than anyone else. A source seeking to expose a planned terror attack might use encryption and cryptocurrency to coordinate with authorities while limiting the risk of reprisal, for instance. Having an unbalanced picture of the risks and benefits of any technology can limit the use cases that would actually further stated goals.

The report admits that most of the described crimes are and have been committed using good old-fashioned cash, yet it maintains that the scale and ease that cryptocurrency affords makes crime that much easier. Worse yet, the privacy options and nested communities of cryptocurrency makes these crimes all the opaquer to law enforcement.

There is no question that criminals may choose to use cryptocurrency, and this requires new law enforcement strategies. The DOJ extols several crackdowns on criminal activities: There is Operation DisrupTor, which took down international darknet drug markets, the Welcome to Video bust of child exploitation merchants, and the dismantling of terrorist financing campaigns. It is fantastic that violent criminal enterprises have been taken down, and blockchain forensics play a large role in these law enforcement successes.

In other words, like with encryption in general, while cryptocurrency does create new challenges for law enforcement, it also offers new opportunities for creative yet constitutional investigations of clearly anti-social criminal activities.

As someone who thinks a lot about privacy and security holes with cryptocurrency, it's interesting to see outsider perspectives that assume things like bitcoin offer strong privacy by default. As a series by privacy researcher Eric Wall makes clear, perfect cryptocurrency anonymity is almost comically hard to achieve even with custom-built "privacycoins" offering stronger anti-surveillance tools. There are so many ways that users can leak identity data to powerful and motivated adversaries like the DOJ—if the blockchain doesn't get you, your IP address, wallet software, poor address hygiene, and even your sleep schedule trivially could. It's no wonder the DOJ can boast of so many crypto-seizures.

And the DOJ is far from the only sheriff in town. The report provides a helpful overview of the current regulatory landscape, which is well-regulated indeed. The Financial Crimes Enforcement Network (FinCEN) manages financial surveillance under the Bank Secrecy Act, the Office of Foreign Assets Control (OFAC) enforces international financial sanctions, the Office of the Comptroller of the Currency (OCC) oversees banks providing cryptocurrency custodial services, the Securities and Exchange Commission (SEC) chases after illegal securities trading under the guise of "initial coin offerings" (ICOs) or "decentralized finance" (DeFi), the Commodity Futures Trading Commission (CFTC) sniffs out dodgy derivatives trading, and of course there is the good old IRS to hunt down what Uncle Sam thinks is his. This doesn't even get into state and international regulators. Needless to say, cryptocurrency is hardly a wild west.

That's not good enough for the DOJ. One of the most concerning sections comes towards the end of the report when discussing privacycoins like Monero and Zcash. These are distributed networks like bitcoin that integrate stronger privacy techniques like ring signatures and zk-SNARKs by default. Because they are not centralized, they should be treated in the same legal bucket as bitcoin.

But the DOJ says that it considers "the use of AECs to be a high-risk activity that is indicative of possible criminal conduct." This default suspicion of Americans who choose to exercise their right to privacy is not only alarming, it is contrary to our values as an open society.

It's also slippery policy language: regulated exchanges must maintain financial surveillance on customers by law regardless of cryptocurrency type. For example, Gemini, a U.S.-based cryptocurrency platform, offers Zcash trading to customers in a compliant manner.

Similar problems arise when the report discusses general privacy hygiene techniques. It specifically discusses centralized mixers and "chain hopping," which is the practice of shuffling money among different cryptocurrencies to frustrate chain analysis.

Centralized mixers already violate established law (besides being just dumb to use from a privacy and security standpoint), and in fact FinCEN just took action against one last week. But there's nothing inherently wrong with keeping transactions discreet through decentralized means like CoinJoins and avoiding address reuse—things that FinCEN has clarified do not violate financial surveillance law.

Is DOJ confused or muddying the waters? In the worst-case scenario, governments could waste time targeting legal and secure decentralized privacy techniques when they should be focused on central parties illegally providing these services to criminal enterprises.

Since criminals often aren't the brightest people in the world, they might tend to make a good number of identity-leaking mistakes with cryptocurrency. The DOJ should focus its attention on learning these pitfalls so they can get the biggest bang for their buck. Casting clouds of suspicion over law-abiding and innocent privacy-minded cryptocurrency users is not only contrary to our values; it wastes precious resources that could be spent sharpening effective and legal forensics tools against real crypto-criminals.