EU Bureaucrats Seek to Diminish Your Cryptocurrency Privacy

Watch what happens when the drive for government surveillance meets longstanding technological ignorance.

I regret to inform you that the European Union is at it again. Last week, the European Commission unveiled a new proposal to expand the bloc's financial surveillance system and ensnare more cryptocurrency transactions in its web.

Wrapped in anti-terrorist rhetoric, these rules would force cryptocurrency services to collect and share datasets on millions of innocent users. While stopping short of outright banning strong privacy and security techniques, these rules would make good transaction hygiene much less accessible to Europeans while setting up a troubling precedent upon which member states will undoubtedly build.

Marketed as a means to "beat financial crime," the new EU rules would in truth merely expose more financial data to warrantless government surveillance. They are based on the draft regulations proposed by the self-styled "global money laundering and terrorist financing watchdog" called the Financial Action Task Force, or FATF.

I discussed some of the major problems with the FATF draft rules for Reason earlier this year. Not only are they internally fuzzy and inconsistent; reading between the lines, it is likely that these inconsistencies will be resolved in the direction of more surveillance. Specifically, strong privacy techniques like self-hosting wallets seem to be on the chopping block. I am sure you are shocked.

It is even less surprising that these rules share the same problems as the FATF document on which they are based. Some less-than-stellar technical chops and a lust for even more citizen data birthed a mess of four documents that creates new offices and outlines increased authorities for Eurocrats to double down on our international financial surveillance network.

Most relevant to cryptocurrencies is the last document, a revision of the "2015 Regulation on Transfers of Funds" to specifically trace crypto-assets. Many people don't realize that many transfers of international funds are immediately subject to surveillance without due process or warrants.

In the biz, this is known as the "travel rule," and it mandates that financial service providers collect and share personal information of any individual who tries to send a certain amount of value (not just currency) to someone else.

Some version of the travel rule is present in most of the world. In the United States, it developed out of the Bank Secrecy Act of 1970 and subsequent augmentations through agency actions and the good ol' USA PATRIOT Act. Other countries keep up with Uncle Sam by adopting FATF updates to things like the travel rule that are considered the global standard for financial surveillance.

And so we have the new EU rules. The document states that these rules are merely intended to make enforcement "consistent with [other EU] legislation on payments and transfers of funds." In other words, people should not be exempt from the rules just because they happen to transfer value in Bitcoin instead of Euros.

It would be one thing if the rules did indeed merely standardize reporting requirements to be currency neutral—setting aside the general problems with warrantless surveillance for a moment (don't worry, we'll get back to it).

It's not great that someone has to submit to surveillance if they tell their bank to send a certain amount of euros to someone else. But telling cryptocurrency service providers that they have to do the same thing if one of their customers wants to send the equivalent amount of money is at least somewhat defensible.

This is not the case with the proposed EU rules. They would not merely impose the same reporting requirements on cryptocurrency service providers that exist on traditional institutions. They would go much farther, with the express intention of eventually banning these strong privacy techniques.

Article 58 of the proposal reads:

Owners and beneficiaries of existing anonymous accounts, anonymous passbooks, anonymous safe-deposit boxes or crypto asset wallets shall be subject to customer due diligence measures before those accounts, passbooks, deposit boxes or crypto-asset wallets are used in any way.

Translation: individuals who self-host their cryptocurrency and do not use third-party services at all may find themselves subject to surveillance requirements. It would be like if the government required individuals to collect data on a recipient anytime they exchanged a certain amount of cash.

There is a bit of wiggle room. Right now, the "beneficiaries," or recipients, of existing anonymous accounts managed by a service provider may be the only kind of non-customers that would be immediately impacted.

But this would be news to the EU's "Commissioner for Financial Services, Financial Stability and Capital Markets" Mairead McGuinness, who took to Twitter to proclaim that "our rules will now apply to the whole of the crypto sector. We will ban anonymous crypto wallets and make sure that crypto-asset transfers are traceable." Well, at least we know their intentions.

There are many huge problems with this attitude from the EU. On the most basic level, it demonstrates a flagrant disregard for individual rights to privacy. As others have noted, this posture fundamentally contradicts other EU law, most notably the General Data Privacy Regulation, as the Eurocrats involved with that set of regulations sternly intoned in a public letter in May.

Making self-hosted wallets subject to financial surveillance requirements is a kind of reverse ransomware. Instead of locking up your data until you send money, the EU would be locking up your money until you send data.

Beyond these deontological problems, our financial surveillance system isn't even very good at doing what it's supposed to. Money laundering and tax evasion run amok while institutions are bogged down in reporting requirements and millions of innocent people have their privacy violated.

In the meantime, forcing service providers to keep mega datasets on customers exposes them to hacking and breach risks. Criminals would love to get their hands on all that juicy personal data.

The press releases and headlines surrounding these EU proposals stated that the rules intend to make "cryptocurrency more traceable." But cryptocurrency is at the same time perfectly traceable and almost impossible to trace depending on the technology.

Public blockchain cryptocurrencies are radically transparent. Each transaction is viewable on the ledger of activities forever. But there are techniques users can employ to break what's called the "common-input-ownership" heuristic, which analysts use to link transactions and determine ownership. It's just good security practice. Developers are constantly working on ways to improve user privacy and security on public blockchains.
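To make the heuristic concrete, here is an added illustration (not code from the article) that runs the common-input-ownership heuristic over a handful of constructed transactions: every address that funds the same transaction is assumed to belong to one entity, and the groups are merged with a union-find structure. The transaction records, address names and the `looks_like_coinjoin` filter are all assumptions for this example; the filter shows, in general form, why an analyst cannot trust the heuristic once unrelated users deliberately co-spend into equal-sized outputs.

```python
from collections import defaultdict

# Constructed sample transactions (not real chain data): each lists the
# addresses that funded it (inputs) and the amounts it paid out (outputs).
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["A1", "A2"], "outputs": [0.7, 0.2]},
    {"txid": "tx2", "inputs": ["B1"], "outputs": [0.5]},
    {"txid": "tx3", "inputs": ["A2", "C1"], "outputs": [1.1]},
    # Equal-output transaction funded by two unrelated parties: this kind of
    # co-spending is what defeats the common-input-ownership heuristic.
    {"txid": "tx4", "inputs": ["A1", "B1"], "outputs": [0.3, 0.3]},
]


class UnionFind:
    """Minimal disjoint-set structure for grouping addresses."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def looks_like_coinjoin(tx):
    """Crude filter: several inputs and several outputs of identical amount."""
    return len(tx["inputs"]) > 1 and len(tx["outputs"]) > 1 and len(set(tx["outputs"])) == 1


def cluster_addresses(txs, skip_coinjoin_like=False):
    """Apply the common-input-ownership heuristic: all input addresses of a
    transaction are assumed to be one entity. Returns one frozenset per entity."""
    uf = UnionFind()
    for tx in txs:
        if skip_coinjoin_like and looks_like_coinjoin(tx):
            continue  # an analyst who ignores such transactions avoids the false merge
        first = tx["inputs"][0]
        for addr in tx["inputs"][1:]:
            uf.union(first, addr)
        uf.find(first)  # register single-input addresses too
    groups = defaultdict(set)
    for addr in uf.parent:
        groups[uf.find(addr)].add(addr)
    return {frozenset(g) for g in groups.values()}
```

Run naively, the heuristic folds A's, B's and C's addresses into a single "owner" because of tx4; skipping the equal-output transaction keeps B1 separate, which is exactly the linkage the article says users can break.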

Then there is a class of cryptocurrency called a privacy coin, which makes it even harder to determine who owns what funds on a public blockchain. These are less vetted than Bitcoin, but they are relatively popular and bake in privacy practices by default.

These kinds of techniques are fundamentally at odds with the spirit of financial surveillance rules promulgated by bodies like the EU. To truly stamp them out would require a degree of force that I'm not sure such liberal-democratic bodies could publicly stomach. But it is clear that they would really like to get rid of these privacy techniques if they could.

A better use of their time might be to think of more effective ways to clamp down on financial crime. What we're doing now clearly doesn't work. Maybe that's not really the point.