The Breakdown - Is 2023 the Year the US Gets Serious About Protecting Privacy?
Episode Date: January 29, 2023On this week’s “Long Reads Sunday,” it’s all about privacy. NLW reads: “Sweeping Crypto Regulation? First Update the Bank Secrecy Act” - Mark Lurie “Privacy Is a Human Right – and th...e 118th Congress Must Defend It” - Lia Holland, Eseohe Ojo Enjoying this content? SUBSCRIBE to the Podcast Apple: https://podcasts.apple.com/podcast/id1438693620?at=1000lSDb Spotify: https://open.spotify.com/show/538vuul1PuorUDwgkC8JWF?si=ddSvD-HST2e_E7wgxcjtfQ Google: https://podcasts.google.com/feed/aHR0cHM6Ly9ubHdjcnlwdG8ubGlic3luLmNvbS9yc3M= Join the discussion: https://discord.gg/VrKRrfKCz8 Follow on Twitter: NLW: https://twitter.com/nlw Breakdown: https://twitter.com/BreakdownNLW - Join the most important conversation in crypto and Web3 at Consensus 2023, happening April 26–28 in Austin, Texas. Come and immerse yourself in all that Web3, crypto, blockchain and the metaverse have to offer. Use code BREAKDOWN to get 15% off your pass. Visit consensus.coindesk.com. - “The Breakdown” is written, produced by and features Nathaniel Whittemore aka NLW, with editing by Rob Mitchell and research by Scott Hill. Jared Schwartz is our executive producer and our theme music is “Countdown” by Neon Beach. Music behind our sponsor today is “Swoon” by Falls. Image credit: Matt Anderson Photography/Getty Images, modified by CoinDesk. Join the discussion at discord.gg/VrKRrfKCz8.
Transcript
Discussion (0)
Welcome back to The Breakdown with me, NLW.
It's a daily podcast on macro, Bitcoin, and the big picture power shifts remaking our world.
The breakdown is produced and distributed by CoinDesk.
What's going on, guys? It is Sunday, January 29th, and that means it's time for Long Read Sunday.
Now, before we get into that, if you are enjoying the breakdown, please go subscribe to it,
give it a rating, give it a review, or if you want to dive deeper into the conversation,
come join us on the Breakers Discord.
You can find a link in the show notes or go to bit.ly slash breakdown pod.
All right, friends, well, today I am excited for this LRS.
It's on a topic that I think is hugely important.
It is certainly related to crypto, but it is also bigger than crypto.
Today, we are talking about privacy and what privacy means in the Internet age and what privacy means in the crypto age.
To frame the conversation, we have two pieces that we're going to read.
The first is by Mark Lurie and is about the Bank Secrecy Act.
and the second is about the responsibility of Congress to defend privacy as a human right,
which is by Leah Holland and Isiejo Ojo of Fight for the Future.
We start with Mark Lurie's piece, sweeping crypto regulation.
First, update the bank Secrecy Act.
The crypto collapses of 2022 spurred widespread fear that U.S. officials would soon clamp
down on the industry, but don't expect sweeping new crypto regulations anytime soon.
As much as Washington, D.C. bigwigs might want to put crypto in a box,
regulators should first get their priorities in order.
The primary regulatory approach of relevant federal agencies is rulemaking,
or the process by which bodies like the U.S. Securities and Exchange Commission
craft, review, and finally approve and establish legal boundaries.
But this would likely fail with crypto for two reasons.
First, the legally mandated process, which involves drafting the rule,
publishing the rule, and taking public comments before a judicial review, takes years.
Given how quickly crypto moves, there's a good chance that by the time a new set of rules
goes into effect, the industry will have evolved beyond it or adapted their products to avoid it.
Second, regulators must work within the framework of the Bank Secrecy Act or BSA.
This law lays out a comprehensive framework for AML slash CFT,
shorthand for anti-money laundering and combating the financing of terrorism rules
built on the foundation of Know Your Customer, aka KYC.
But stringent KYC within decentralized finance is not only unnecessary, it's all but impossible.
Defi platforms do not actually hold user funds, so it's not clear how KYC is even relevant.
Sure, these protocols oversee and approve users' financial transactions, but Defi's non-custodial
nature makes it all but impossible to implement effective and responsible KYC policies.
For instance, if the SEC were to shut down Uniswap, a popular decentralized exchange,
1,000 developers around the world would simply deploy forks without batting an eye.
Regulators would soon end up playing whack-a-mole with Defi, a quixotic exercise that would echo
efforts to end file sharing by suing college students for downloading music. The
likeliest outcome would be regulators with egg on their face. Another option is regulation by
enforcement, with laws that are so broadly written that they could apply to just about any
transaction, but are in the end rather selectively enforced. Strategic ambiguity is itself
the deterrent. This route is likely to further disorient and frustrate many honest crypto actors,
but it appears to be the only practical path for regulators to walk. Instead of updating existing
legislation, Congress should unravel the BSA.
Role of Regulation
Enacted after the September 11, 2001 attacks, the BSA is a compilation of several acts,
including the Patriot Act. By outlining a comprehensive AML-C-FT framework,
the BSA essentially mandates all financial institutions to enact stringent KYC policies
and monitor all transactions, including increasingly rigorous due diligence as
transactions become larger and more suspicious. If the risk is seen as significant,
banks and financial bodies must submit a suspicious activity report or SAR to the Treasury Department's
Financial Crimes Enforcement Network or FinCEN, which reviews the reports to detect illicit activity.
Financial institutions filed more than 3 million SARS in 2022 alone. That's a lot of SARS.
Yet BSA enforcement is delegated to a variety of agencies. The SEC enforces it for securities
exchanges, for instance, while the Office of the Comptroller of the Currency enforces it for banks.
FinCEN enforces it for any actors not explicitly assigned to another federal regulator such as money
transmitters. The foundational problem with the BSA is that when it was written, large sums of
money could only be transmitted through intermediaries. Further, transaction databases were siloed
within each intermediary, making them easy to surveil. In this context, the BSA is logical and
effective. But blockchain and DFI have changed the game, enabling the legal exchange of vast
sums of money with no intermediary. Such transactions are also permissionless, meaning they require
no administrative oversight and are largely anonymous. This contradicts the basic assumptions of the BSA,
rendering it largely impractical and unenforceable. Yet the BSA's KYC framework is so ingrained within
U.S. regulator's compliance culture that it has become gospel. Speaking out against the received
wisdom on KYC is blasphemous akin to siding with crooks and grifters. But in the real world,
guilt until proven innocent has never been an effective means of regulation. KYC is not an
end in itself, but a means to an end. Preventing money laundering and terror financing need
not require a broad brushstroke that kneecaps new business models and stunts innocuous user
activity. The reality is that crypto comes with its own regulatory tool, the blockchain. Rather than
siloing transaction databases across multiple financial oversight bodies, the blockchain ledger
provides a single consolidated database for all relevant transactions. Know your transaction.
Instead of KYC, regulators should shift to KYT or know your transaction. Given blockchain's
open source nature, the non-custodial design of most defy platforms, and user's ability to effortlessly
spin up multiple addresses, the only way to effectively regulate the space,
is on the individual transaction level. After all, it's not the financial histories of individual
users that should concern regulators, but the origins of the funds. KYT would institute blockchain
review mechanisms that would follow the money and prohibit unsanctioned transactions.
From the tech perspective, requiring platforms to check funds origins before transaction approval
would be relatively straightforward with existing tools and technology. Whenever wallets and
its funds are found to have been tainted by a bad actor, such as a sanctioned address or
known hacker wallet, the protocol could simply reject the transaction. This approach could be risk-based,
allowing protocols to avoid banning innocent defy users for transactions they did not facilitate.
Something along these lines happened after Tornado Cash was sanctioned by the U.S. government,
when Aves' front-end website temporarily blocked victims of a dusting attack involving funds
from the sanctioned anonymizing protocol. KYT could be even more effective than KYC,
enabling authorities to monitor the entire transaction database, not just the red flag transactions
within submitted SARS. The BSA is considered untouchable, but when the law was first drafted back in
1970, its creators could have never imagined today's financial reality. It's time to overhaul this
outdated regulatory mechanism into the 21st century and effectively mitigate money laundering
while ensuring the continued maturation of crypto. All right, guys, back to NLW here. I think
it's great that Mark is bringing up these issues. A couple of things that I would push back on
or just suggest a different approach to, though. First of all, from a pure logic of argument standpoint,
I don't really think that saying, hey, DFI makes BSA rules irrelevant anyway, so
why not just get rid of it, which is obviously a vast oversimplification of what Mark is suggesting
here, is going to be a good approach. Or at least, it's going to be an approach where the natural
response from politicians would be, fine, band defy. I think instead, the argument has to start
from a more fundamental re-evaluation of the efficacy of BSA and KYC rules. And more broadly, a societal
conversation needs to happen around the tradeoffs of surveillance versus safety. That's a conversation that is
always ongoing and never ends, but it's a good moment to reevaluate right now. And then I do think
that Mark is dead on to point out that there are new types of tools that come with this blockchain
technology that could be as or more effective than the existing systems we have. Anyway, all in all,
I think more conversations about the BSA are incredibly important, and I'm glad Mark has written
about it here. Join CoinDesk's Consensus 2023, the most important conversation in crypto and
Web 3, happening April 26 through 28th in Austin, Texas.
Consensus is the industry's only event bringing together all sides of crypto, Web 3, and the
Metaverse.
Immerse yourself in all that blockchain technology has to offer creators, builders, founders,
founders, brand leaders, entrepreneurs, and more.
Use code Breakdown to get 15% off your pass.
Visit consensus.com or check the link in the show notes.
All right, next up, we turn to this piece from Fight for the Futures Leah and Esseohe,
called Privacy is a Human Right, and the 118th Congress must defend it.
As the 118th U.S. Congress begins, the stakes surrounding our privacy rights have never been higher.
For decades, lawmakers have utterly failed to defend everyday people,
much less those who are the most vulnerable online, from dangerous encroachments into our digital privacy.
Just last week, the American Civil Liberties Union revealed a massive surveillance dragnet of people
who use services like Western Union to send remittances. Now, both sides of the aisle begin
2023 having painted a target on the backs of privacy-preserving software projects and those who
build them. This attitude poses a real danger not only in the U.S., but for people across the globe.
It's time for software projects that value privacy to get organized. This is why our organization,
Fight for the Future, has released a letter signed by 40-plus open-source decentralized and-or-privacy
preserving projects that asks lawmakers to protect a pro-privacy future. Signatories on this letter
include Tor, the Blockchain Association, NIM, Protocol Labs, Proton, Zcash, Tudanota, and Mysterium.
We have four simple asks. Constitutional and Human Rights protections, both on and offline.
The first asks to Congress is straightforward. Do more to protect our constitutional and human right
to privacy. The right to privacy has always been a foundational principle of the U.S.
There are expressed for implied rights to privacy in the first, third, fourth, fifth, ninth, and
14th amendments to the U.S. Constitution.
Even the legal victory that established a constitutionally protected right to code was about
encryption, meaning it was about privacy.
Unfortunately, that decision did not settle the law.
Threats to the right to code and the right to privacy are inextricably entwined,
especially as more of our lives move into digital spaces where our rights are ignored,
and invasive surveillance is the default.
To seriously and vigorously defend these rights,
many in Congress would need to shift their thinking on the simple act of writing code,
to recognize that this freedom is core to the technologies that empower democracy and must be defended.
That also means our representatives must analyze the potential impacts of new laws
and regulatory action on First Amendment protections when drafting new legislation.
This should be the rule, not the exception.
Champions of the right to privacy in the First Amendment must stridently oppose any actions
that criminalize building and using privacy tools or the simple act of writing and running code.
Proactively, lawmakers should consult those most impacted,
and consider new legislative shields to defend our rights against the corrosive powers of short-termism,
political theater, and poorly drafted bills, as well as from big tech and finances lobbying pressure.
Support the decentralization of power. Secondly, Congress should be unwavering in its efforts
to address power imbalances and support decentralization of power. The argument of the surveillance
state is simple. Safety demands sacrifice. If you aren't doing anything wrong, you have nothing to
worry about. This thinking is deeply flawed because surveillance concentrates power and surveillance
states and human rights abuses go hand in hand. From East Germany pre-unification to current
day Russia or Saudi Arabia, to communities across the U.S. and U.K., the dangers of surveillance
are clear. We've seen the results in the news, in history books, and in dystopian fiction like
1984. The more you are surveilled, the more power state and corporate actors have over your life.
This issue compounds as decisions about our basic digital infrastructure and online safety are made
unilaterally by out-of-touch billionaires. Surveillance capitalism pervades our digital economy,
causing market forces to constantly erode user privacy by design.
It's beyond time for Congress to invest in creating more resilient digital infrastructure,
where power is decentralized and decisions are made by users,
not the market or Mark Zuckerberg or Elon Musk.
There are a host of strong legislative actions
that would break big tech's monopolistic and oppressive stranglehold on the internet.
Lawmakers should also be analyzing regulations for their potential to unintentionally entrench big tech
by, for example, making compliance so expensive or business so risky
that only the largest players can afford to exist.
Solutions and paradigm shifts often come from the margins,
and the open-source software community's experimentation and community-owned
and governed alternatives to big tech should be encouraged and embraced for the liberatory activity it is.
Champion Privacy Technologies
Another obvious action Congress should take is championing privacy technologies,
such as end-to-end encryption.
Although our situation is dire, all is not lost when it comes to our digital privacy.
Open source developers and activists have done wonders for the human
right to privacy by creating and promoting access to tools like end-to-end encryption and zero-knowledge
proofs. Privacy innovations can restore trust in our communications and financial activity,
yet many prominent lawmakers are reacting to these tools with condemnation. They find surveillance
appealing as it proposes a convenient, if facile, way to combat real problems such as illegal
activity, tax avoidance, and sanctions dodging. Surveil everyone at all times. It's not worth it.
This backsliding on our constitutional rights puts open-source development of privacy tools in danger.
legislation has effectively required that software developers put surveillance tools in their projects
if they could ever possibly be used to host or transact in cryptocurrencies.
These moves from Washington, D.C. have shocked the open-source software community and chilled
the creation and use of human rights preserving tech. Instead, lawmakers must reverse course
on pressuring companies not to implement or to break end-to-end encryption and other privacy
preserving technologies and speak out when the FBI and Attorney General try to paint privacy
as nothing more than a shield for criminality.
Pass Data Privacy Laws
The final demand is the passage of long overdue data privacy legislation. Even as Congress undermines
privacy in practice, a nonpartisan majority of lawmakers understand that privacy is important to their
constituents. Many conservatives, especially libertarians, want to protect private spaces from
government intrusion and censorist corporate spying. Meanwhile, marginalized communities, which often lean left
in their politics, need private spaces to protect themselves from authority figures who would harm
or de-platform them to score cheap political victories. Various forms of digital privacy legislation,
including some that are well-intended but deeply flawed, have swirled around the U.S. Capitol for
years. There has been no groundswell of support for these bills, and none have come close to passing.
It's time to change that and show Congress's commitment to protecting constituents from surveillance,
identity theft, discrimination, and harassment. Lawmakers need to work with key stakeholders
including marginalized communities, anti-surveillance civil society organizations,
and open-source developers of privacy tools to craft a new privacy standard for everyone
that includes severe crackdowns on the Titanic Government and commercial surveillance operations
that have infected our internet.
As these demands make abundantly clear,
the value of privacy and privacy tools is not abstract.
The essential nature of protecting our data
is easily illustrated by any basic analysis
of real-world threats to activists,
journalists, abuse survivors,
and everyday people around the world.
At home, the penumbar rights to privacy
based on landmark U.S. Supreme Court cases
are now being rolled back.
Roe was overturned and the threat to same-sex marriage
established in Obergefell was severe enough
that Congress passed the Respect for Marriage Act.
Today, more, not less marginalized people are at risk of being criminalized by surveillance-enhanced
state laws and state police actions. The U.S.'s role in protecting and preserving human rights
around the world should rank among the greatest prides of democracy. Traditionally, the U.S.
has used diplomatic pressures to promote freedom of association, organization, and access to
information. All of these freedoms rely on privacy as a backstop against arrests and violent crackdowns.
It's not just diplomatic pressure that allows the advancement of human rights. It's privacy
tools that are often created and run in the U.S.
In October, for example, over 18,000 people in the U.S. ran Tor
Snowflake to help Internet users facing censorship in countries such as Russia and Iran
privately circumvent it.
Tor was created by MIT graduates and U.S. Naval Research Lab personnel to prevent
tracking, surveillance, and censorship worldwide.
Failure to protect the right to privacy will hurt democracy and particularly
marginalized communities both in the U.S. and abroad.
A growing number of technology and thought leaders are urgently calling on the U.S. Congress
to return to the principles of the Constitution.
as well as their own innate understanding of the harm surveillance has wrought among their core
constituencies.
Everyday people should never be treated as criminals, guilty until government and corporate
invasions into their privacy prove them innocent.
And the time for our legislators to take action is now.
All right, back to NLW here.
I think this is a great piece and an even better movement.
I think that fight for the future is right to recognize that this is an issue that extends
across core principles and the Constitution, across multiple different types of political
constituencies and where there is a role for new technology. Now, one tiny bit of good news or at least
optimistic news. I did a show earlier this week about recent interviews with some of the new
House leadership. And while it wasn't super explicit, there are these little notes of privacy
becoming a bigger issue. Remember, Representative French Hill said explicitly that his new
subcommittee on digital assets and financial inclusion was likely to look at a national privacy law.
We, of course, don't yet know what that means, but it's encouraging to hear that it's on
legislative agenda. I hope that
2023 is a year where we make progress
on one of the most important issues that faces us.
I want to say thanks again to all the authors for their great work,
and thanks to you guys for listening. Until tomorrow,
be safe and take care of each other. Peace.