|
Last week was Libra week in Congress. Both the Senate Committee on Banking, Housing, and Urban Affairs and the House Financial Services Committee held hearings on Facebook’s planned cryptocurrency. Congress wants both privacy for Libra users and compliance with global financial surveillance law. But that’s not going to happen. Indeed, Libra risks exposing the financial transactions of all users not just to good governments investigating bad guys, but to anyone investigating anyone.
The House committee’s hearing featured a bill banning Big Tech companies from a leadership role in any cryptocurrency. That shot across the bow actually aims at an outcome Facebook has promised. The Libra white paper says that the network will begin the transition to “permissionless” within five years of public launch. By that Facebook means no gatekeepers — government or corporate — will decide who runs validating nodes on the network. Control of nodes is a powerful position, as it means having the power to control transactions.
I believe the House bill is the wrong approach. Criticism should test and shape the Libra offering, as I wrote a couple of weeks ago, but Libra should not be slowed or stopped. Libra promises worthwhile competition to existing providers of money, payments, and other financial services.
The Senate is more deliberative, but it gave full display to Congress’ starkly conflicting demands on Libra. Chairman Mike Crapo’s (R-ID) generally circumspect opening remarks, for example, asked both “how individuals’ privacy will be preserved” and “how the Libra ecosystem interacts with the Bank Secrecy Act and other existing anti–money laundering regulations.”
To be blunt, you can’t have both. Privacy cannot be preserved while there is compliance with money laundering regulations.
The word “privacy” stands in for many values, but its core, as Alan Westin said, is “the claim of individuals . . . to determine for themselves when, how, and to what extent information about them is communicated.” Before 1970, it was an implied contract term in financial services that banks and their employees should not disclose information about customer accounts.
Congress made that contract term illegal almost 50 years ago with passage of the Bank Secrecy Act (BSA). The law required businesses to keep records and file reports that the Treasury Department determined to have “a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings.” After 9/11, Congress added information useful for “intelligence or counterintelligence activities, including analysis, to protect against international terrorism.”
In the mid-1970s, the Supreme Court ratified the BSA’s mandatory record-keeping and reporting obligations. Requiring banks to collect information does not disclose anything to the government, the Court in California Bankers Association v. Shultz reasoned, so it denied that the BSA implicates the Fourth Amendment. Shortly thereafter, in United States v. Miller, the Court held that a defendant has no Fourth Amendment interest in records maintained pursuant to the BSA, because they have been compiled by a third party. They are not the defendant’s to shield from government investigators.
The third-party doctrine thus born subsequently grew to reach telephone calling data, and it has stood for the proposition that shared information — even under contractual privacy promises — is fair game for government seizure and search without a warrant.
The third-party doctrine has grown increasingly untenable as we move more of our lives online. In her key United States v. Jones (2012) concurrence, Justice Sonia Sotomayor questioned the doctrine. And the Court declined to extend it to cell phone location data produced in United States v. Carpenter (2018).
In his testimonies to Congress, Facebook’s David Marcus made obligatory bows to privacy but emphasized opportunities for better-than-ever financial surveillance on the Libra network. His written submission to the Senate, for example, called Libra “an opportunity to increase the efficacy of financial crimes monitoring and enforcement,” citing “the ability for law enforcement and regulators to conduct their own analysis of on-chain activity.”
About “analysis of on-chain activity”: Blockchains are generally open data stores, meaning that anyone can access blockchain data and glean whatever they reveal. The imperfect protection for privacy in a cryptocurrency such as Bitcoin has been keeping transactions pseudonymous. Transactions do not include any known identifiers, so they only reveal that cryptocurrency changed wallets. By gathering identifiers extrinsic to on-chain transactions, such as the name of someone trading cryptocurrency for fiat on a regulated exchange, pseudonymity can be broken.
With highly compliant multinational corporations operating Libra’s on-ramps, off-ramps, and nodes, along with providing various financial services, the network’s technical pseudonymity may well give way to readily identifiable transaction flow. Libra may make financial transaction information about real people and organizations quite widely available, to good governments, bad governments, crime fighters, criminals, and marketers all simultaneously.
Facebook’s Marcus has said that the Libra network will not allow shielded transactions. Techniques for masking wallet addresses and transaction contents will not be allowed. So Libra may end up being profoundly anti-private indeed. Pains taken to provide data to government investigators may reduce the system’s overall security such that the network is too risky to use or the sum total of security falls.
The BSA and the global financial surveillance regime to which Libra pays obeisance are probably net losers for society. They probably cost more in compliance dollars and lost privacy than they gain in security. Those are difficult goods on which to calculate trade-offs, of course, and the consensus in political capitals is the opposite. But when the constitutional challenge to mass financial surveillance comes, there should be a language and intellectual structure for assessing whether law enforcement tracking of all people’s financial activity is “reasonable” in Fourth Amendment terms.
Congress made it clear in its hearings on Facebook’s new Libra cryptocurrency that it wanted to protect privacy as well as ensure compliance with money laundering regulations — but it’s not possible to have both.
|
|
