Wednesday, May 08, 2024

The Government Wants to Turn Blockchain Firms into Servants of the State

From Mises.org (July 28, 2023):

In recent years, blockchain surveillance (BS) companies have become increasingly important players in the cryptocurrency industry. Their business model consists in developing proprietary software that collects and interprets public data available on public blockchains and in selling their services to governments, banks, exchanges, and others that need access to this data. Usually, governments are interested in collecting information about financial crimes, while other institutional players use BS companies for compliance, especially with regard to customer due diligence. This article argues that BS companies can be understood as governmentalities.

Michael Rectenwald deploys this term to “refer to corporations and other non-state actors who actively undertake state functions.” The partnership between the state and BS companies threatens cryptocurrency users’ privacy and their ability to transact freely, away from the prying eyes of unwanted third parties.

Guilty until Proven Innocent

BS companies help institutional players and law enforcement implement the risk-based approach (RBA) developed by the Financial Action Task Force (FATF). According to the RBA, customers of regulated intermediaries such as cryptocurrency exchanges are first and foremost considered to be risks to the stability of the financial system; they are considered to be customers secondarily. Consequently, all customers are categorized based on the level of risk they pose to the ability of intermediaries to comply with regulations. Different BS firms may implement the RBA differently, but the classification of risk remains more or less constant: Severe risk is usually tied to indicators of child abuse, terrorist financing, and sanctions. Ties to dark-net markets and ransomware, use of ATMs, protocol privacy, peer-to-peer activity, use of cryptocurrency mixers, and indicators of gambling are normally classified as high or medium risk factors. The use of decentralized exchanges and smart contracts poses medium to no risk by default.

If customers are a risk, it follows that the burden of proof is on them to demonstrate their innocence by providing all the required information. When BS companies flag activity as suspicious, exchanges eventually start asking questions of their customers, and if the answers are unsatisfactory, customers’ funds are blocked. As is clear from the list provided above, an activity is considered risky not only when it is an obvious crime like child abuse but also when it is a legitimate and legal action such as exchanging cryptocurrencies peer to peer, using a crypto ATM, or taking advantage of protocol privacy.

It is important to not overstate what BS companies can do. Thanks to pseudonymity, personal identities are not part of the bitcoin blockchain: only public addresses that control some funds show up in the blocks. The very purpose of customer due diligence procedures is to attach real-world identities to addresses and to follow their trails. When users’ money is not in the custody of third parties, heuristic rules can be used to guess where the funds went; however, these rules can at best provide good approximations, not infallible results.

For example, according to the common input heuristic, if more than one input appears in a bitcoin transaction, then the same entity owns them. A similar assumption usually works in everyday life: if a payment consists of a ten-dollar bill and a five-dollar bill, it is reasonable to assume that the two bills are owned by the same person. However, this is not always true. In bitcoin, CoinJoin is a transaction scheme designed to break the common input heuristic with “an anonymization strategy that protects the privacy of Bitcoin users when they conduct transactions with each other, obscuring the sources and destinations of BTC used in transactions.”

The fact that the ambiguity of well-constructed CoinJoin transactions cannot be eliminated explains why BS companies classify them as medium risk, even if there is nothing illegal about them. It cannot be stressed enough that even the most basic transactions are interpretable in many equally legitimate ways and that every heuristic rule can be broken. Still, regulated entities and law enforcement often regard transactions as risky when they are flagged by BS company software, not understanding the inner workings of cryptocurrencies and of that software.
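The following sketch is an added example, not part of the original article and not any BS company's software. It applies the common input heuristic as union-find clustering over constructed transactions and compares the result with a constructed ground truth, showing how one CoinJoin-style transaction folds three unrelated owners into a single "entity". All addresses, owners, and transaction IDs are made up for illustration.

```python
# Added illustration: the common input heuristic as union-find clustering.
# Addresses, owners and transactions below are constructed sample data.

OWNER = {"A1": "alice", "A2": "alice", "B1": "bob", "B2": "bob", "C1": "carol"}

# Ordinary payments: each spends several inputs held by one person.
ORDINARY = [
    {"txid": "tx1", "inputs": ["A1", "A2"]},
    {"txid": "tx2", "inputs": ["B1", "B2"]},
]
# CoinJoin-style transaction: three different people each contribute one input.
COINJOIN = {"txid": "tx3", "inputs": ["A2", "B1", "C1"]}


def cluster(transactions):
    """Merge every set of addresses that appear together as inputs of one tx."""
    parent = {}

    def find(addr):
        parent.setdefault(addr, addr)
        while parent[addr] != addr:
            parent[addr] = parent[parent[addr]]  # path halving
            addr = parent[addr]
        return addr

    for tx in transactions:
        first = find(tx["inputs"][0])
        for addr in tx["inputs"][1:]:
            parent[find(addr)] = first  # "same transaction, same owner"

    groups = {}
    for addr in list(parent):
        groups.setdefault(find(addr), set()).add(addr)
    return sorted(sorted(g) for g in groups.values())


def mixed_owner_clusters(clusters, owner):
    """Return the clusters the heuristic got wrong: more than one real owner."""
    return [c for c in clusters if len({owner[a] for a in c}) > 1]


if __name__ == "__main__":
    for label, txs in (("ordinary only", ORDINARY),
                       ("with CoinJoin", ORDINARY + [COINJOIN])):
        found = cluster(txs)
        print(label, found, "wrong:", mixed_owner_clusters(found, OWNER))
```

Because the merge is transitive, the single CoinJoin-style transaction also drags in A1 and B2, which never appeared in it.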

Comparing the FATF’s travel rule with BS companies’ know-your-transaction (KYT) platforms shows the arbitrariness of blockchain surveillance practices. On the one hand, the travel rule requires intermediaries such as exchanges that transact on behalf of their customers to share information about the sender, the receiver, and the amount of any transaction with each other, and, upon request, with law enforcement. While the travel rule harms privacy and pseudonymity significantly, it at least leaves no room for discretion—intermediaries must transmit and store only objective and definite data.

On the other hand, KYT software is developed by BS companies to help crypto institutions comply with regulations and to assist law enforcement in tracking criminals. KYT platforms analyze on-chain data and data from other sources through proprietary algorithms to follow funds and flag suspicious behavior. Unlike the travel rule, KYT software is developed behind closed doors, which means that the public does not know how it works or what kind of hidden heuristic assumptions it adopts. This is morally and legally problematic because closed-source software that is sold for profit and that implements arbitrary heuristic rules can be used to charge users with criminal behavior. Moreover, while most legislation treats crypto users as risks by default, it is not clear what legal tools are available to hold BS companies accountable when their obscure and arbitrary KYT software leads to judicial errors.

Unsubstantiated claims by BS companies can do great harm. The case of Roman Sterlingov is significant in this regard. US prosecutors accuse him of operating Bitcoin Fog, a centralized mixer that was used to launder money; because of this, he has been jailed since 2021 while awaiting his trial. However, according to his attorney, Tor Ekeland,

This case shows how easy it is for an advanced legal system to ruin people’s lives using spurious blockchain surveillance tools.
