“Expansive” standards for surveillance threaten human autonomy—our message to FATF

The global body’s draft guidance makes a substantial departure from the balance struck by existing standards

Today Coin Center submitted a comment to the Financial Action Task Force (FATF) about their recent draft guidance on virtual assets and virtual asset service providers (VASPs). Additionally, this morning I presented a condensed version of our comment to FATF’s private sector consultative forum. Here are the three major points I conveyed to them:

  1. the scope of the VASP definition can have grave implications for human rights and FATF must avoid its recently proposed “expansive approach” to its interpretation
  2. FATF should not call for prohibitions on VASPs making peer-to-peer and privacy enhanced transactions; such limitations will only drive criminals underground and harm persons using this technology for good, and
  3. FATF should not apply travel rule obligations to transactions between VASPs and non-VASPs.

Below is the summarized version I presented to FATF members this morning, but please read our full comment if you can.

Who is and who is not a VASP?

The choice of who is and who is not a VASP is one of the most consequential choices policymakers can make in the next decade. The implications of that choice will determine both the relative efficacy of policies aimed at defeating terrorism and money laundering, but also the collateral damage that is done to human rights and innovation as cryptocurrencies continue to become mainstream and widely used.

But this doesn’t have to be a tradeoff. If the category of VASP is defined with clarity and certainty, and if it is not defined too broadly, then we can achieve both maximal financial integrity and minimal disruption of innovation and human rights.

To do this, the definition must be justiciable — clearly defining a specific category of activities with little or no “gray zones” or “hard cases.” And it must be reasonably narrow — we must not forget that when one qualifies as a VASP, one assumes warrantless surveillance obligations and one is forbidden from undertaking certain activities. For example, we could make a very clear and justiciable definition by saying that every person over 18 is a VASP, but we would be destroying basic human privacy and freedom in the process.

This is difficult because cryptocurrencies, as new technologies, will (irrespective of any policies adopted by FATF or member nations) enable more individuals to perform financial transactions without the need for an intermediary, and with fewer traditional intermediaries there will be less opportunity for mass surveillance. But making everyone into an obliged intermediary is not an acceptable solution to that problem; indeed, it would backfire and make fighting crime and terrorism far more difficult.

FATF’s new draft guidance makes a substantial departure from the existing justiciable and narrow standard, which appears in the previous guidance and is currently law in member states. It proposes an “expansive” standard which would not be justiciable and would obligate far more people than ever before to surveil and report on the actions of their fellow citizens.

In our full report we offer detailed examples of internal contradictions within the proposed definition that render it not justiciable. Below are a few examples. Under the proposed “expansive” conception of VASP:

  1. One may develop and sell virtual asset platform software without being a VASP, yet one may not deploy programs whose functions fall under the definition of VASP.
  2. One will be a VASP if they can conduct a transaction on behalf of another person, yet being unable to complete a transaction does not disqualify you from being a VASP.
  3. One may develop and sell virtual asset platform software without being a VASP, yet one may not automate a process that provides covered services without being a VASP.

These contradictory statements will cause mass confusion over the relative scope of the definition, undermining the efficacy of AML/CFT efforts, leading authorities on wild goose chases, generating protracted court battles, and making persons’ privacy and speech rights vulnerable to arbitrary curtailment from overzealous prosecution.

Beyond contradictions, several new sections of the guidance describe highly commonplace activities performed by thousands of persons within cryptocurrency communities as now being triggers for VASP classification including:

  1. conducting business development
  2. facilitating transactions
  3. integrating software into telecommunications platforms
  4. deploying programs
  5. changing the rules within software protocols

None of these are straightforward and well-understood actions within cryptocurrency communities (this list could be interpreted to include Satoshi’s software release of the Bitcoin protocol, or even Coin Center’s work as a non-profit) and, worse, the most intuitive interpretation of many of these terms would include huge numbers of persons who do little more than publish free and open source networking software, or choose to freely run that software on their internet connected devices. This list could easily describe hundreds of thousands if not millions of persons who never operate a customer facing business, who never hold themselves out as a financial service provider, and who never have any actual control over the virtual assets of others. In short, it describes thousands of people who are not financial intermediaries in any sense of the term.

As we argue in our full comment, this classification would violate essential human rights to privacy and free expression described in the International Covenant on Civil and Political Rights (ICCPR), the European Convention on Human Rights (ECHR), and the U.S. Constitution. Under the ICCPR surveillance obligations must always be “reasonable in the particular circumstances” and the law must “specify in detail the precise circumstances” in which surveillance is permitted. Under the ECHR, privacy invasive laws must be “formulated with sufficient precision to give citizens an adequate indication as to the circumstances in which and the conditions on which public authorities are empowered to resort to measures of surveillance.” The proposed guidance’s vague and contradictory standards do not conform with those basic guarantees of the rule of law and human dignity described within the ICCPR and ECHR.

This non-justiciable and sweeping standard would also burden member states with a Sisyphean task that would distract from, rather than enhance, existing efforts to stop crime and terrorism. Many states, the EU’s 5MLD included, still have not brought centralized exchange activity dealing purely in virtual assets into the regulatory perimeter, and others struggle with enforcing these rules against rogue centralized exchanges. Obligating these member nations to waste resources chasing free software advocates is, to say the least, not an efficient use of government resources.

As of June 2019, FATF articulated a justiciable standard, and it is also the standard articulated by FinCEN in the U.S.: persons with independent control over the virtual assets of another are VASPs. Plain and simple. This independent control standard should remain, and the proposed new guidance should say as much. We included an addendum in our report that highlights every section where a more expansive approach is proposed and we offered suggested edits to make the scope justiciable and reasonably narrow.

P2P and Privacy Coins: Prohibition or Integration?

At various points the draft guidance suggests that member states consider banning exchanges from engaging in peer-to-peer transactions (transactions with non-VASPs or so-called “unhosted” wallets) or transactions involving privacy enhancing technologies. This prohibitory approach will not make these tools and transaction types disappear. Instead it will sever the valuable link between private peer-to-peer transactions and the regulated financial system. This will decrease law enforcement visibility into these networks and decrease points of identification where criminal users of these technologies can be caught. In short, it will enable rather than defeat criminal usage of virtual assets.

What such restrictive policies will successfully prohibit, however, is the usage of these innovative transaction types by innocent persons who need them because they’ve been left behind or unjustly censored by traditional financial infrastructure. In Belarus and Nigeria this past year we’ve seen lawful non-profits supporting pro-democracy protest movements insidiously cut off from fundraising tools and forced to turn to the only avenues that remain: Bitcoin donations. As we describe in our comment, restricting peer-to-peer and privacy-enhanced transactions will directly harm organizations like BYSOL in Belarus and Feminist Coalition in Nigeria, organizations that are fighting for democracy and the right to peaceful protest. Prohibiting peer-to-peer and private transactions will play directly into the hands of dictators and totalitarian regimes.

Additionally, important innovations that could benefit our common struggle against crime and terrorism, such as robust decentralized identity tools, rely on peer-to-peer transactions for cybersecurity and robustness. Blockchains can never solve these problems if a few vulnerable institutions hold all of the cryptographic keys.

Identity may have seemingly little to do with cryptocurrency blockchains and therefore appear irrelevant to AML policies. It is important to keep in mind, however, that permissionless blockchain networks are by far the most reliable networks from an information security standpoint. The costs of rewriting or fraudulently altering the Bitcoin blockchain are astronomical as compared with any centralized or quasi-centralized database tool. Additionally, utilizing a shared and permissionless ledger for identification eliminates the risk of lock-in and the anti-competitive consequences inherent in relying on one or two proprietary identity technology providers. It is for these reasons that companies like Microsoft have invested heavily in building enterprise identity systems on top of the Bitcoin blockchain.

With any identity tool built on top of a public permissionless blockchain there will be a need for users to make tiny payments with their self-hosted wallet in order to pay fees inherent in writing information to the distributed ledger. This means that these self-hosted wallets, even if used primarily for innovative identity solutions, will be effectively identical to self-hosted wallets used for investing or moving money. In all cases the software is the same and the cryptographic addresses are indistinguishable. Therefore, any restriction that needlessly places barriers on transactions to self-hosted wallets would inevitably also burden decentralized identity tools.

When does the “travel rule” apply?

A commonsense reading of Recommendation 16 suggests that the travel rule is only applicable to transactions that are bookended by VASPs or other regulated entities, not to transactions with individuals. A commonsense reading of the U.S. Bank Secrecy Act implementing regulations (from which the term “travel rule” originally comes) also would suggest that these rules are applicable only to VASP-bookended transactions. Finally, the previous virtual asset guidance from FATF, the interpretive note to Recommendation 15, as well as the guidance offered by nations that have actually implemented the travel rule for years, all clearly lead to the conclusion that the travel rule only applies to transactions between obliged entities. And yet, for the first time anywhere, this draft guidance suggests that the travel rule should apply to transactions involving a VASP and a non-VASP.

FATF should not create a de novo standard of VASP-to-non-VASP travel rule obligations through guidance alone when that standard contradicts existing laws, FATF’s own binding recommendations, and expectations generally. At the very least, such a fundamental change in obligations would need to be made as a new binding recommendation after extensive consultation. However, as we argue fully in our comment, even that formal change would violate fundamental privacy rights and therefore should not be attempted.

In traditional travel rule compliance, no information is recorded or exchanged except information about the customers of the financial institutions in question. These customers will have already voluntarily supplied this information with their bank as a necessity of obtaining banking services. A person who is holding her own virtual assets, however, will have never voluntarily consented to any personal information being recorded or exchanged by financial institutions with which she has never even interacted. To subject these persons to invasive mass surveillance without them ever having affirmatively waived their rights to privacy violates the ICCPR and the ECHR as well as the Fourth Amendment to the U.S. Constitution. As the UN Secretary-General has found:

The suggestion that users have voluntarily forfeited their right to privacy is plainly unwarranted. It is a general principle of international human rights law that individuals can be regarded as having given up a protected human right only through an express and unequivocal waiver, voluntarily given on an informed basis. In the modern digital world, merely using the Internet as a means of private communication cannot conceivably constitute an informed waiver of the right to privacy under article 17 of the Covenant.

The personal information sought is, indeed, very private. Merely linking a name to a physical address can compromise the privacy of the resident. Linking a Bitcoin payment address (which may indicate personal wealth) to a name and physical address is extremely destructive of the owner’s privacy and indeed may jeopardize her safety, as she may become a target of a kidnapping or extortion plot. Additionally, there is a high likelihood that several of these records will be reported to financial intelligence units in SARs and CTRs and through subpoenas. FinCEN’s records have recently been the subject of extensive leaks, and a recent hack of a financial institution in India has compromised the ID scans, passports, emails, phone numbers and addresses of nearly 100 million persons. If financial intelligence units were to maintain extensive records of Bitcoin addresses and their associated legal owners and physical addresses, then those records would be a substantially attractive target for hacking, and the privacy and safety of persons in those records would be in profound jeopardy.

Important Choices

We made it clear to FATF that it has three important choices to make in this guidance: Should the definition of VASP be “expansive” or should it be justiciable and narrow? Should it ask VASPs to ban peer-to-peer and privacy enhanced transactions and sever the valuable link between regulated crypto exchanges and the larger network? And should FATF obligate VASPs to engage in mass warrantless surveillance of persons who are not even their customers by applying travel rule obligations to VASP-to-non-VASP transactions? These should be easy questions to answer. Financial crime fighting and human rights are weighty issues, but they are not inherently incompatible. Hopefully FATF takes our suggestions, revises its draft, and maintains a sensible approach to regulation.

Read the full comment here.