The Department of Justice has been busy thinking about how to manage cryptographic technologies. Last month, the DOJ released two major privacy technology statements, one of them an international rallying cry to build government backdoors into secure communications and the other a “clarification” of the federal policy surrounding applications of cryptocurrency. Unsurprisingly, both documents view privacy technologies as obstacles to the Department of Justice’s operations.
The cryptographic statement was primarily a reiteration of long-standing government problems with secure communications, this time wrapped up in the package of rescuing children from criminals. The signatories of the Anglo governments (“Five Eyes”) plus India and Japan have again stated that “public safety [can] be protected without compromising privacy or IT security. “This is obviously true in the abstract, but not when the” protection “in question is a government backdoor that necessarily compromises privacy and security. No new ground has been opened here.
The cryptocurrency report, on the other hand, provides new insight into the developing priorities of federal bodies grappling with the rise of cryptocurrency. It is not a legislative document, but rather a background that illustrates how cryptocurrency works and where some applications may conflict with the guidance of the established agency. However, it does provide a valuable glimpse into where the next battles in the war between privacy and surveillance will be fought. Specifically, the DOJ indicated strong discomfort with “anonymity-enhanced cryptocurrencies” (AEC), more commonly known as privacycoins, such as Monero and Zcash, as well as coin-mixing techniques.
The “Cryptocurrency: An Enforcement Framework” report begins with a brief description of blockchain technologies before dedicating a few even shorter words to the “breathtaking possibilities for human growth” that distributed ledger technologies can increase. The reader will be treated with two short paragraphs discussing limited “legitimate uses”, including eliminating the need for a financial intermediary, minimizing transaction costs, providing a haven against inflation and micro- payments and better security checks. Even then, these are cautioned.
This superficial nod to positive use cases is dwarfed by the roughly fourteen pages of horrible ones that follow. The report comprehensively recounts every possible crime that could be or was committed using cryptocurrency. There are three main categories: 1) financial transactions used to commit crimes, such as drug trafficking and terrorism; 2) money laundering to conceal crimes or tax evasion; and 3) cryptocurrency scams and hacks.
It should come as no surprise to anyone that America’s best cops would spend more time fearing worst-case scenarios than describing, for example, how cryptocurrencies have been a lifeline for people in tyrannical or bankruptcy states. But some context would have provided the necessary clarity.
For example, the report’s front page states that “cryptocurrency is increasingly being used to buy and sell lethal drugs … contributing to an epidemic that killed over 67,000 Americans from overdoses in 2018 alone.” The quote only leads to CDC statistics on total overdose deaths, but the claim makes it appear that it was primarily cryptocurrency that directly caused these deaths.
There is no attempt to establish exactly what percentage of cryptocurrency use is linked to overdoses or even drug trafficking in general, let alone how it compares to traditional financial channels. In fact, blockchain forensics suggests that roughly one percent ($ 600 million) of global cryptocurrency transactions are linked to criminal darknet markets, which involve not only drugs but also things like forgeries and identity theft. Compare this to the roughly $ 150 billion Americans spend each year on illegal drugs using boring old money. Perspective matters.
Similar problems permeate everywhere. The report provides examples of serious crimes involving cryptocurrency, but there is rarely an attempt to contextualize these crimes in terms of what proportion of cryptocurrency assets are involved in such actions and how it compares to traditional finance. An alien reading this document would come out thinking cryptocurrency is some kind of Mos Eisley Transaction Cellar, with no good reason to get involved.
This is unfortunate, as many of the beneficial uses of cryptocurrency could greatly help the victim groups the DOJ rightly seeks to protect. Nice Guys need privacy too, often more than anyone else. A source looking to expose a planned terrorist attack could use cryptography and cryptocurrency to coordinate with authorities limiting the risk of retaliation, for example. Having an unbalanced picture of the risks and benefits of any technology can limit the use cases that would actually be further stated goals.
The report admits that most of the crimes described are and have been committed using old-fashioned money, but argues that the scale and ease offered by cryptocurrency make the crime much easier. Worse still, privacy options and nested cryptocurrency communities make these crimes completely obscure for law enforcement.
There is no doubt that criminals can choose to use cryptocurrency and this requires new law enforcement strategies. The DOJ exalts several crackdowns on criminal activities: there is the DisrupTor operation, which brought down the international drug markets on the darknet, the Welcome to Video bust of child exploitation merchants and the dismantling of terrorist financing campaigns. It’s great that violent criminal enterprises have been demolished and blockchain forensics plays a big part in these law enforcement successes.
In other words, as with crypto in general, while cryptocurrency creates new challenges for law enforcement, it also offers new opportunities for creative but constitutional investigations into clearly antisocial criminal activity.
As someone who thinks a lot about privacy and security holes with cryptocurrency, it’s interesting to see outside perspectives that assume that things like bitcoin offer strong privacy by default. As a series by privacy researcher Eric Wall makes clear, cryptocurrency’s perfect anonymity is almost comically difficult to achieve even with custom “privacycoins” that offer more powerful anti-surveillance tools. There are so many ways that users can disclose identity data to powerful and motivated adversaries like the DOJ – if the blockchain doesn’t get you, your IP address, wallet software, poor address hygiene, and even your sleep schedule could trivially do that. No wonder the Justice Department can boast of so many crypto seizures.
And the Department of Justice is far from the only sheriff in town. The report provides a useful overview of the current regulatory landscape, which is indeed well regulated. The Financial Crimes Enforcement Network (FinCEN) manages financial oversight under the Bank Secrecy Act, the Office of Foreign Assets Control (OFAC) applies international financial sanctions, the Office of the Comptroller of the Currency (OCC) oversees the banks that provide Cryptocurrency Custody Services, the Securities and Exchange Commission (SEC) Chases Illegal Securities Trading Under the Pretext of “Initial Coin Offerings” (ICO) or “Decentralized Finance” (DeFi), the Commodity Futures Trading Commission (CFTC) sniffs out fraudulent derivatives trading, and of course there’s the good old IRS to hunt down what Uncle Sam thinks is his. This does not even reach the state and international regulators. It goes without saying that cryptocurrency is hardly a wild west.
Not good enough for the Justice Department. One of the most troubling sections comes towards the end of the relationship when it comes to privacycoins like Monero and Zcash. These are distributed networks like bitcoin that integrate stronger privacy techniques like ring signatures and zk-SNARK by default. Since they are not centralized, they should be processed in the same legal bucket as bitcoin.
But the DOJ says it views “the use of AEC as a high-risk activity that is indicative of possible criminal conduct.” This suspicion of default by Americans who choose to exercise their right to privacy is not only alarming, it is contrary to our values as an open society.
It’s also elusive political language: regulated exchanges must maintain financial oversight of customers by law, regardless of the type of cryptocurrency. For example, Gemini, a US-based cryptocurrency platform, offers Zcash trading to clients in a compliant manner.
Similar problems arise when the report discusses general privacy hygiene techniques. It specifically discusses centralized mixers and “chain hopping,” which is the practice of mixing money between different cryptocurrencies to frustrate chain analysis.
Centralized mixers already violate established law (as well as being just plain stupid to use from a privacy and security perspective), and indeed FinCEN just took action against one last week. But there’s nothing inherently wrong with keeping transactions discreet through decentralized means like CoinJoins and avoiding address reuse – the things FinCEN has made clear don’t violate financial surveillance law.
Is the DOJ confused or muddies the waters? At worst, governments could waste time targeting legitimate and secure decentralized privacy techniques when they should focus on the core parties illegally providing these services to criminal businesses.
Since criminals are often not the brightest people in the world, they may tend to make a good number of identity leak mistakes with cryptocurrency. The Justice Department should focus its attention on learning these pitfalls so they can make the most of them. Throwing clouds of suspicion on law-abiding and innocent privacy-conscious cryptocurrency users is not only against our values; it wastes valuable resources that could be spent on sharpening effective and legal forensic tools against real crypto criminals.