
Welcome to the twenty-third issue of ‘This Month in Bitcoin Privacy’ newsletter. Enjoy!

Comet moth

"Argema mittrei" by Erland Refling Nielsen is licensed under CC BY-NC 4.0.

“Happened stories are all alike, every unhappened story is unhappened in its own way… Can the past be resurrected or re-member-ed again? Should it be? And how much past can a person bear?”

― Georgi Gospodinov, “Time Shelter” (2022)

“[Jesse Thistle:] ‘.. I’m helping re-member. Not just remember, like a memory. Like re-member, reassemble this history that has been disembodied by the state and forgotten.’”

― Gabor Maté, “The Myth of Normal” (2022)

This moth, whose homeland is history, flutters ahead through a pitch-█████ hollow, alighting ███████████ upon pillars of streaming, cascading electronic waves. Reflecting a rainbow of pixelated droplets, the moth’s eyespots seem to wink at you. ██████████ columns of radiant data lure the tiny creature more than ██████. After each brief landing, the wings pulse ███ shed soft scraps of note paper █ artfully burned around the edges like a lining of mascara. Too many for one ██████ to catch ██ to hold, ███ alone read. Stalagmites grow slowly in the wake of your pursuit, █████ the meandering waters of digital light may someday lap at a new edge of darkness. Choose your pillars wisely…

Table of Contents

  1. Ledger Recover Service
  2. Harper Lawsuit Against IRS Update
  3. PayJoin, Splice, and Everything Nice?
  4. Silent Payments BIP Draft, Continued
  5. Tor Network Adds Proof-of-Work Defense
  6. Human Rights in Finance Challenge to Travel Rule
  7. CBDC Tracker Fellowship, Continued
  8. Project Atlas
  9. The Fog of Analysis, Continued
  10. Tornado Cash Update, Continued
  11. FinCEN Proposed Rulemaking on Mixing

ℹ️ Are you an open-source contributor to Bitcoin or related infrastructure? Consider applying for a grant at Open Sats, a 501(c)(3) non-profit organization. In July, we opened a new long-term support (LTS) program. We want to create a sustainable, independent, and consistent ecosystem of funding for free and open-source software and projects. In the United States, all gifts and donations are tax-deductible to the full extent of the law.

LEDGER RECOVER SERVICE

On May 16th 2023, hardware wallet maker Ledger had announced the approaching launch of “an optional paid subscription service” for Nano X users called ‘Recover.’ If enabled, the user would first submit some form of identification to Ledger’s partner, Coincover, a U.K.-based “crypto insurance platform” founded in 2018. Once the identity verification process is complete, the user’s Ledger device will then “duplicate, encrypt and fragment your private key into three parts [using Shamir Secret Sharing] within the Secure Element chip… These encrypted fragments are securely sent to three independent providers – Ledger, Coincover, and EscrowTech that will store them in Hardware Security Modules (HSMs).”
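An added example (not Ledger's published code) of the Shamir split described above: a secret is divided among the three named providers, any two shares rebuild it, and a single share is consistent with every possible secret. The 2-of-3 threshold, the field modulus and all function names are assumptions; the encryption of the fragments and the Secure Element are not modelled.

```python
import secrets

# Field modulus: the Mersenne prime 2**521 - 1, larger than any 256-bit secret.
P = 2**521 - 1

# Provider names are from the article; the 2-of-3 threshold is an assumption.
PROVIDERS = ["Ledger", "Coincover", "EscrowTech"]
THRESHOLD = 2


def split(secret, threshold=THRESHOLD, holders=PROVIDERS):
    """Return {holder: (x, y)} such that any `threshold` shares rebuild `secret`."""
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element")
    if not 2 <= threshold <= len(holders):
        raise ValueError("threshold must be between 2 and the number of holders")
    # Random polynomial f of degree threshold-1 with f(0) = secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    shares = {}
    for x, holder in enumerate(holders, start=1):
        y = 0
        for c in reversed(coeffs):  # Horner's rule, evaluating f(x) mod P
            y = (y * x + c) % P
        shares[holder] = (x, y)
    return shares


def recover(points):
    """Lagrange-interpolate f(0) from a list of (x, y) shares."""
    if len({x for x, _ in points}) != len(points):
        raise ValueError("duplicate share index")
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def share_explaining(candidate, known, x_other):
    """Threshold 2 only: build the second share that, combined with `known`,
    yields `candidate`. Such a share exists for every candidate, which is why
    one share on its own reveals nothing about the secret."""
    x1, y1 = known
    slope = (y1 - candidate) * pow(x1, -1, P) % P
    return (x_other, (candidate + slope * x_other) % P)


def collusion_report(secret):
    """Which sets of one or two providers can rebuild the secret by themselves?"""
    shares = split(secret)
    names = list(shares)
    report = {}
    for i, a in enumerate(names):
        report[(a,)] = recover([shares[a]]) == secret
        for b in names[i + 1:]:
            report[(a, b)] = recover([shares[a], shares[b]]) == secret
    return report


if __name__ == "__main__":
    demo_secret = int.from_bytes(bytes(range(32)), "big")  # constructed, not a real key
    for subset, ok in collusion_report(demo_secret).items():
        print(" + ".join(subset), "->", "rebuilds the secret" if ok else "cannot rebuild it")
```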

Since the announcement, Ledger and Coincover have jointly published six detailed articles on how ‘Recover’ will work. The fourth post, released on September 7th, focuses on the identity verification (IDV) step, which involves a combination of providing a government-issued identification document and passing a “biometric test” / comparison with a live selfie and video. Ledger is also a ‘backup provider’ and “relies on Tessi services to validate your identity when you request a restore.” Tessi is a “Business Process Services partner” offering ‘solutions’ in digital identities and know-your-customer (KYC), among other things.

What is the difference between Ledger Recover identity verification and KYC? Identity verification is not the same as KYC. Identity verification inherently collects much less information compared to KYC. To go through Ledger Recover identity verification you need a valid, government-issued document and be the rightful owner of that document. KYC involves ID verification but it can also include revenue information, record of criminal activity, citizenship check, etc. Again, Ledger Recover uses identity verification, not KYC.

While Ledger claims these operations are “not KYC”, it is still rather clear that the ‘IDV’ acronym originates from, and that these services support, efforts to introduce digitized and often more intrusive KYC requirements in response to anti-money laundering (AML) regulations. For example, Plaid, the financial technology company that faced class action lawsuits and anti-trust complaints (TMIBP02, TMIBP06, TMIBP20), offers identity verification and explicitly includes ‘IDV’ as part of their AML screening process. Should you fail the first two IDVs with Ledger ‘Recover’, then a third manual IDV can be performed through Coincover, but involving “another independent service provider IDNow,” an identity verification, screening and compliance platform. Ledger says that “in accordance with our data retention policy, your IDV data is securely retained until you unsubscribe from the service and then archived in a database with strict limited access for litigation purposes only.” Their privacy policy states that this retention period is at least 7 years.

The issue is that the code which instructs the device to export the keys is part of the new OS, without an opt-in system. The Ledger Recover system introduces the possibility of third party risk that didn’t exist before. You can opt-in to using the service, but you cannot opt-in to having that function installed on your device unless you choose not to update, which ultimately can cause problems on devices because updates are used to push security and functionality updates.

― “Ledger Recover Saga” by Pamela Morgan

Blockchain Commons founder and executive director Christopher Allen commented that the crux of the controversy was “in large part because we didn’t expect seeds to ever leave the Ledger device.”

As it turns out (as all hardware wallet designers already know), all it requires is a signed firmware update, and seeds can go wherever they want. Why? The problem is that no existing SE chips can do secp256k1 (the curve used by Bitcoin & Ethereum) natively and safely in semiconductor logic. This isn’t an issue with Ledger; it’s an issue with all current chips used by wallets today. This means that in order to do secp256k1, a SE has to hand a key off to a code execution process in the SE or to an MPU. That’s what opens the doors for doing unexpected things with that key — things that most didn’t expect from a personal hardware wallet.

In other words, the public might have had the expectation that keys weren’t going to ever leave the Ledger, but that expectation is actually impossible to support today, because keys already have to leave the most trusted part of the Secure Enclave to be used!

On October 19th, CEO Pascal Gauthier began “the countdown for our launch” and shared the published code for ‘Recover’ (the majority of their operating system remains closed-source). On October 24th, they announced that it was “now available for Ledger Nano X users,” though only those with a national identity based in the U.S., Canada, and Europe. According to the dedicated page, ‘Recover’ costs “9,99€ per month after the first free month.” Why such a not-KYC process should require government identification, and not possibly work with various alternative forms of identity or web-of-trust proofs, is a question left to the reader:

Ledger Recover availability depends on the country in which your passport, national identity card, or driving license was issued. At the moment, a passport/national identity card issued by the European Union, the United Kingdom, Canada, and the United States, or a driving license issued in the United States, is required to subscribe to the service. We will be covering more countries and adding support for more documents. Stay tuned.

HARPER LAWSUIT AGAINST IRS UPDATE

In TMIBP02, TMIBP05, TMIBP09, and TMIBP20, I have followed Jim Harper’s lawsuit against the IRS “for violation of my Fourth Amendment and Due Process rights” in relation to the sharing of his financial data by a third-party service, Coinbase.

At issue in this case is whether either the U.S. Constitution or federal statutes impose meaningful restrictions on Internal Revenue Service authority to gain surreptitious access to a taxpayer’s confidential financial records without providing the taxpayer any opportunity to object and without showing a substantial need for the information.

On May 26th 2023, District Judge Joseph N. Laplante granted the IRS’ motion to dismiss the case. On October 13th, Harper filed his opening brief to appeal the dismissal, followed so far by amicus curiae briefs from the Americans for Prosperity Foundation, National Taxpayers Union Foundation, the “research-driven investment firm” Paradigm, research and advocacy group DeFi Education Fund, and Coin Center. NTUF senior attorney Tyler Martinez explained:

This case tests whether the IRS met the safeguards of 26 U.S.C. § 7609(f) and under the Due Process Clause. The asserted interest is one of privacy — and once information is disclosed, it cannot be remedied any more than a bell can be unrung. This Court has a chance in this case to clarify that only pre-confiscation process is adequate to protect privacy rights — especially where, as here, the IRS sought the records of thousands of accounts.

… John Doe warrants are dangerous tools that should only be used in limited circumstances against a cognizable limited pool of potential targets. The provision was not designed to allow for thousands of innocent taxpayers’ data to be handed over to an IRS agent in the hopes of finding a wayward file or two. Americans have substantial rights in the privacy of their data and should not be presumed to be tax cheats simply for using new technology like cryptocurrency.

… Privacy is unlike other property interests in that, once disclosed, the harm cannot be undone. Due process before disclosure is the only way to protect privacy.

In June, Harper had written about the consequences of introducing so-called artificial intelligence (e.g. more algorithmic account analysis) into anti-money laundering investigation. “Our nation was founded in rejection of the ‘general warrant’ to rummage people’s things that King George III’s agents enjoyed in the colonies. Today’s overweening sovereign rummages via customer service agents.” In September, he also explored the topic of whether or how data should be treated as property.

PAYJOIN, SPLICE, AND EVERYTHING NICE?

In TMIBP22, we saw Dan Gould’s proposal for “Serverless Payjoin” and the launch of the new Payjoin Software Development Kit (SDK). On June 27th, Gould formalized the PayJoin SDK with Martin Habovštiak (TMIBP14, TMIBP18, TMIBP19) and outlined its progress so far.

You might think Payjoin is just bitcoin, so it belongs in BDK. When you take a look at the bdk crate you see that it’s a wallet abstraction. That is meant to manage key material and synchronize apps with the network. Payjoin in contrast is an interactive transaction building protocol with some networking parameters. The two complement each other well, and while the day where PDK’s payjoin crate compiles as part of bdk may well come soon, in order to provide well engineered and reviewed components, PDK lives in its own repository for specialized scrutiny so each effort can focus on their individual strengths.

In mid-May, Gould had briefly discussed the similarities between PayJoin and splicing with Core Lightning developers Lisa Neigut and ‘Dusty Daemon’, who proposed the splicing specification back in April 2021. Last year, Gould had already shifted focus towards combining PayJoin and Lightning (TMIBP21), so there was mutual interest in interoperability.

Splicing is a new feature that is being added to the lightning protocol that allows you to update an active lightning channel. This means that you can add or remove funds from a channel without closing it. This is a very powerful feature because it allows you to have a channel that is always open and still be able to do on-chain transactions with the present balance. It also builds off of dual-funded lightning channels using the same interactive-tx protocol. This allows for peers to interactively construct bitcoin transactions together that will result in a splice of the peers channels.

… Splicing can enable remixing for lightning channels. This can allow for lightning channels to even further intermingle and be indistinguishable from other on-chain utxos. This means that we can have a lightning channel that is always open, but is constantly changing its on-chain history, and is constantly being remixed with other utxos. With this, we can bootstrap potentially all lightning liquidity to a single coinjoin liquidity pool.

― “Channel Coinjoins” by Lightning Privacy Research

On July 11th, the Paris-based ACINQ – which had already added a custom splicing prototype to their Eclair implementation in June – announced that their mobile Phoenix Wallet now supports splicing. “Splicing makes the distinction between on-chain and off-chain really blurry.”

Another way to look at it is that we are moving from N UTXOs/user to 1 UTXO/user. It is simply the current optimum for self-custody on Bitcoin. Further reducing the on-chain footprint implies sharing UTXOs amongst users, either in a simplistic trusted way (custodial wallets), or by introducing concepts like virtual UTXOs.

We believe that the efficiency gains brought by splicing are so phenomenal that all wallets will eventually implement it. That is why this technological improvement marks the beginning of a new generation of self-custodial wallets.

On the same day, SLP490 was released with ‘Dusty Daemon’ further explaining the benefits of splicing. The end of the announcement hinted that ‘blinded paths’ and ‘Taproot’ were among the next upcoming privacy-related changes for Phoenix Wallet. CTO Bastien Teinturier was the primary developer on route blinding (TMIBP10, TMIBP18, TMIBP22), which was merged into the BOLTs in March of this year. Teinturier was also interviewed for SLP513 in September. As fellow privacy researcher Seth has pointed out, an immediate benefit of blinded paths would be more payment privacy protection from their default routing node.

Disclosure: I am a board member of the non-profit Open Sats and in July, we announced that we would support ‘Dusty Daemon’ with a grant and listing of his splicing work on our website.

On July 17th, Gustavo Echaiz, who contributes to an informational website about CoinJoin, published a blog post with Wasabi about “why Lightning Network-enabled coinjoin transactions is a powerful idea that is already possible with Vortex, and how a future WabiSabi implementation combining both technologies could differ and solve some caveats.” On August 5th, a browser-based Lightning wallet called Mutiny was formally released in beta by Tony Giorgio, Ben Carman, and Paul Miller. Among the primary features, they highlight that “Mutiny Wallet and Vortex will join forces, integrating on-chain and lightning privacy tools.. Ben Carman’s Vortex coinjoin project is ready, but needs the vertical integration to really succeed” (TMIBP20). There are a few open pull-requests to enable PayJoin sending & receiving, but support for the PayJoin SDK was already merged on September 25th; Gould tried it out on testnet.

On August 9th, Gould shared an intermediate draft of the Serverless PayJoin proposal “before opening a draft on GitHub for the BIP editors, and before this exact specification has a complete reference implementation.” On August 12th, the draft was submitted as a pull-request.

On October 31st, Voltage frontend engineer Brandon Lucas published a long-form article titled “Payjoin for a Better Bitcoin Future,” summarising “current attacks on Bitcoin privacy, the history of payjoin from the perspective of privacy, how it works and how it can provide so many benefits with no changes to Bitcoin, and the current state of adoption.”

SILENT PAYMENTS BIP DRAFT, CONTINUED

In TMIBP19, TMIBP20, TMIBP21, and TMIBP22, I have followed Ruben Somsen’s ‘Silent Payments’ proposal, “a new scheme for private non-interactive address generation without [extra] on-chain overhead.” On June 29th, the Bitcoin Improvement Proposal (BIP) draft by Somsen and Core contributor Josie Baker was assigned a number, BIP-352. It remains an open pull request in the BIP repository as the community reviews it. As of October 19th, BIP-352 was voted as a top-three “priority project” within the next six months of Bitcoin Core development and review.

Project priorities are those which the frequent contributors to this project have voted on to have more focused review on until the next feature freeze (or until they are completed). They will become permanent topics in our weekly IRC meetings so that we can get updates on the progress of each project and determine the next step to move them forward.

On July 27th, Human Rights Foundation (HRF) chief strategy officer Alex Gladstein opened, among others, a bounty worth “2 BTC for a mobile wallet which can send and receive Silent Payments in a private manner without requiring the user to run a full node.”

Disclosure: I am a board member of the non-profit Open Sats and in August, we announced that we would be supporting Baker with a Long-Term Support (LTS) grant, which includes his “work on BIP-352: Silent Payments, focusing on adoption in wallets outside of Bitcoin Core and supporting mobile clients.”

TOR NETWORK ADDS PROOF-OF-WORK DEFENSE

In TMIBP05, TMIBP07, TMIBP08, and TMIBP16 I have followed the Tor v3 transition and the importance of network privacy. Between June 2022 and the spring of 2023, the Tor network was under a distributed denial-of-service (DDoS) attack (TMIBP20). In TMIBP04, TMIBP06, TMIBP21, and TMIBP22, I highlighted that the Tor Project was considering “a token-based approach” for “prioritiz[ing] good clients over malicious clients when a denial of service attack is happening,” with support from the Onion Services Resource Coalition. On August 23rd, they announced that they “are officially introducing a proof-of-work (PoW) defense for onion services designed to prioritize verified network traffic as a deterrent against denial of service (DoS) attacks with the release of Tor 0.4.8.”

The inherent design of onion services, which prioritizes user privacy by obfuscating IP addresses, has made it vulnerable to DoS attacks and traditional IP-based rate limits have been imperfect protections in these scenarios. In need of alternative solutions, we devised a proof-of-work mechanism involving a client puzzle to thwart DoS attacks without compromising user privacy.

Proof of work acts as a ticket system that is turned off by default, but adapts to network stress by creating a priority queue. Before accessing an onion service, a small puzzle must be solved, proving that some “work” has been done by the client. The harder the puzzle, the more work is being performed, proving a user is genuine and not a bot trying to flood the service. Ultimately the proof-of-work mechanism blocks attackers while giving real users a chance to reach their destination.

The stable release of 0.4.8.4 includes more detailed notes on how it works.
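A simplified model of the mechanism the announcement describes, added here as an illustration and not taken from Tor's code: clients attach a puzzle solution with a chosen effort, and the service verifies it, rejects replays and serves the highest effort first. SHA-256 stands in for Tor's actual puzzle function, and the class name, the doubling/halving rule for the suggested effort and all sample values are assumptions.

```python
import hashlib
import heapq
import itertools

MAX = 2**256


def puzzle_value(seed, client_nonce, counter):
    """Hash of (service seed, client nonce, counter) as an integer below 2**256."""
    data = seed + client_nonce + counter.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def meets_effort(seed, client_nonce, counter, effort):
    """Valid for `effort` if value * effort < 2**256, so finding a valid
    counter takes about `effort` hash attempts on average."""
    return effort >= 1 and puzzle_value(seed, client_nonce, counter) * effort < MAX


def solve(seed, client_nonce, effort):
    """Client side: brute-force a counter that satisfies the chosen effort."""
    for counter in itertools.count():
        if meets_effort(seed, client_nonce, counter, effort):
            return counter


class OnionServiceQueue:
    """Service side (hypothetical class): verify effort, drop replays, serve highest effort first."""

    def __init__(self, seed, capacity):
        self.seed = seed
        self.capacity = capacity       # requests the service can handle per tick
        self.suggested_effort = 0      # 0 means the defense is currently off
        self._heap = []                # entries: (-effort, arrival order, client)
        self._seen = set()             # (client_nonce, counter) pairs already used
        self._arrivals = itertools.count()

    def submit(self, client, proof=None):
        """proof is None (no work, effort 0) or (client_nonce, counter, effort)."""
        effort = 0
        if proof is not None:
            client_nonce, counter, effort = proof
            if (client_nonce, counter) in self._seen:
                return False           # replayed solution
            if not meets_effort(self.seed, client_nonce, counter, effort):
                return False           # claims more effort than the hash supports
            self._seen.add((client_nonce, counter))
        heapq.heappush(self._heap, (-effort, next(self._arrivals), client))
        return True

    def tick(self):
        """Serve up to `capacity` requests, then adapt the suggested effort to the backlog."""
        served = []
        while self._heap and len(served) < self.capacity:
            served.append(heapq.heappop(self._heap)[2])
        if len(self._heap) > self.capacity:
            self.suggested_effort = max(1, self.suggested_effort * 2)
        else:
            self.suggested_effort //= 2
        return served


def flood_scenario():
    """Constructed scenario: six zero-effort requests arrive before one client that did work."""
    svc = OnionServiceQueue(seed=b"constructed-seed", capacity=2)
    for i in range(6):
        svc.submit(f"flood-{i}")
    nonce, effort = b"alice-constructed-nonce", 4096
    proof = (nonce, solve(svc.seed, nonce, effort), effort)
    accepted = svc.submit("alice", proof)
    replay_accepted = svc.submit("alice-replay", proof)
    # A solution found at effort 1 but claimed at effort 2**60 must be rejected.
    cheat_nonce = b"cheat-constructed-nonce"
    cheat = (cheat_nonce, solve(svc.seed, cheat_nonce, 1), 2**60)
    inflated_accepted = svc.submit("cheat", cheat)
    return {
        "accepted": accepted,
        "replay_accepted": replay_accepted,
        "inflated_accepted": inflated_accepted,
        "first_tick": svc.tick(),
        "suggested_effort": svc.suggested_effort,
    }


if __name__ == "__main__":
    print(flood_scenario())
```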

Disclosure: I am a board member of the non-profit Open Sats and we are part of the Onion Services Resource Coalition, supporting bitcoin donations to the Tor Project.

HUMAN RIGHTS IN FINANCE CHALLENGE TO TRAVEL RULE

On April 20th, MEPs approved the Markets in Crypto-Assets (MiCA) regulation and the application of the Funds Transfer Regulation (FTR) / Transfer of Funds Regulation (TFR) to crypto-assets.

TMIBP22, “EU CASP Reporting and Transaction Restrictions” (April 2023)

In early August, Dutch engineer, financial history consultant, and Human Rights in Finance (HRiFEU) founder Simon Lelieveldt (TMIBP11, TMIBP14, TMIBP21) wrote about his intention to challenge the constitutionality of the application of the Travel Rule to crypto-assets in Europe; under the rules of annulment, “parties can request the Court of Justice of the European Union (CJEU) to rule on the legality of EU acts.” On August 14th, he outlined the basis of his claim, mainly focused on the lack of proportionality, and confirmed that he was “coordinating and executing the efforts to create the right setting for this annulment action.” On August 23rd, the deadline for filing any actions, he sent a letter to then Dutch Minister of Finance and first Deputy Prime Minister Sigrid Agnes Maria (S.A.M.) Kaag.

In my opinion, both the political and fundamental rights impacts have not received sufficient attention. This has been the case since 2019 when the initial thoughts arose, and I considered it my civic duty to point out the inappropriateness of continuing with ineffective monitoring/surveillance of banks, now also extended to crypto with even greater intensity. The challenge for regulators is not to persist on that dead-end path, but to do the opposite. The realm of administrative law needs to be cleared of the excessive overkill based on FATF recommendations/requirements that is clearly disproportionate. This regulation is a prime example of that, and its cancellation will make a significant difference in terms of not harming innocent citizens worldwide.

On August 24th, Lelieveldt and digital identity expert Jacob Boersma established the foundation with the aim “to keep banks and governments in check, preventing them from going too far with their violation of fundamental rights and their actual investigative behavior and regulations.”

On September 4th, the foundation formally submitted documents “that mark the beginning of a cancellation procedure” at the Registry of the General Court. On September 13th, the Amsterdam-based Privacy First foundation announced they were supporting the annulment action, under the Article 263 EU Working Treaty, on the basis that the “Regulation was blindly copied from international recommendations and insufficiently tested for fundamental rights.”

CBDC TRACKER FELLOWSHIP, CONTINUED

In TMIBP05, 08, 12, 14, 17, 19, 20, and 21, I have followed exploration, promotion, and criticism of central bank digital currencies (CBDCs). In February, a team composed of myself, Matthew Mežinskis, and Nick Anthony were awarded a fellowship to build an online resource that tracks CBDCs around the world “and flags their risks for civil liberties” (TMIBP22), in collaboration with Johns Beharry and Marina Spindler from Peak Shift. At this year’s Oslo Freedom Forum (OFF), the website and promotional video were premiered: cbdchumanrights.org 💜

As of this writing, we are just days away from the full launch of the global map that will combine economic stats like the status of CBDC research, development, and implementation, and the human rights risks in each particular country or region that could be exacerbated by the imposition of a CBDC. While our fellowship ends with this publication, we intend to have it continually updated, and my investigation of CBDCs will build upon this work.

According to the results of a Bank for International Settlements (BIS) survey published in July, “there could be 15 retail and nine wholesale CBDCs publicly circulating in 2030,” and “60% of surveyed central banks reported that they have stepped up their CBDC work in response to the emergence of cryptoassets,” particularly “stablecoins such as Tether and USD Coin.”

93% of surveyed central banks are engaged in some form of CBDC work and more than half are running concrete experiments or working on pilots.

UNITED STATES

On May 8th, the non-profit Regulatory Transparency Project (RTP) hosted a panel discussion about CBDCs and financial privacy with U.S. Representative Tom Emmer (TMIBP07), Jim Harper, Electric Coin Company (ECC) head of U.S. public policy and strategic advocacy Paul Brigner, former FinCEN director Michael Mosier (TMIBP08, TMIBP11, TMIBP19), former DOJ associate deputy attorney general and current ConsenSys director of global regulatory matters William ‘Bill’ C. Hughes, and associate professor of law J.W. Verret. Emmer compared the development of CBDCs to the creation of the U.S. Foreign Intelligence Surveillance (FISA) Court and its potential to “be abused” and “weaponized against American citizens,” and implied that there was also non-public resistance to CBDCs among members of the Democratic Party despite the Biden administration’s support for them. A Cato Institute 2023 CBDC National Survey found that “Republicans are slightly more familiar (34%) than Democrats (25%) and independents (25%). However, Democrats are about twice as inclined (22%) to support adopting a CBDC than are Republicans (11%).”

Mosier, consistent with his comments to a Senate committee in March 2022 (TMIBP19), advocated for minimising data collection as much as possible, argued that pegging it to the policy decisions of any given administration was “just too fragile,” and cited the conclusions of Project Hamilton, a multi-year joint research effort between the Federal Reserve Bank of Boston and the Massachusetts Institute of Technology (MIT) “into the technical feasibility of a potential central bank digital currency” that was completed in December 2022.

Any payment system’s architecture is influenced by the design choices made around data privacy, access, and retention, and achieving robust privacy requires making explicit architectural choices at each layer of a system’s design.

― “A High Performance Payment Processing System Designed for Central Bank Digital Currencies” by James Lovejoy, Cory Fields, Madars Virza, Tyler Frederick, David Urness, Kevin Karwaski, Anders Brownworth, and Neha Narula (2022)

On the question of whether CBDCs were competition for cash or cryptocurrencies, it was argued that the primary opponent is actually stablecoins, though Harper thinks they are still “small potatoes”; he later wrote about European Central Bank (ECB) president Christine Lagarde’s comments during a BIS event panel in March, on “the digital euro as more privacy-protective than competitive alternatives such as stablecoins offered by Big Tech companies.”

Her comments are a classic illustration of the transatlantic divide on privacy. Americans see privacy as a liberty value and distrust government. Europeans see privacy as a dignity value and distrust companies — perhaps especially American ones.

RTP has published short animated informational videos about CBDCs and the Bank Secrecy Act (BSA) with Norbert J. Michel and Jennifer Schulp (TMIBP20, TMIBP21).

On September 12th, Emmer (MN-06) reintroduced the “CBDC Anti-Surveillance State Act,” which he had originally drafted back in January 2022. On September 14th, the House Financial Services Committee held a hearing titled “Digital Dollar Dilemma: The Implications of a Central Bank Digital Currency and Private Sector Alternatives.” On September 20th, the bill was considered and agreed to during a markup session by the Committee. Emmer described it as “a historical step in defending against an ever-expanding government surveillance state.”

Specifically, the CBDC Anti-Surveillance State Act prohibits the Federal Reserve from issuing a CBDC directly to individuals, ensuring the Fed cannot mobilize itself into a retail bank able to collect personal financial data on Americans. It prohibits the Fed from indirectly issuing a CBDC to individuals through an intermediary, preventing the Fed from launching a retail CBDC through our two-tier financial system. Finally, it prohibits the Fed from using any CBDC to implement monetary policy, ensuring the Federal Reserve cannot use a CBDC as a tool to control the American economy. The legislation protects innovation and any future development of digital cash.

CANADA

From May 8th to June 19th, the Bank of Canada (BoC) held “an online public consultation on the features that could be included in a digital Canadian dollar.” On May 25th, only a couple weeks into the survey, the BoC tweeted that “no decision has been made” to issue a CBDC. “The decision rests with the Government of Canada, not the Bank. We don’t see the need to issue one right now, but we have to be ready for whatever the future holds.” On June 22nd, following the end of the consultation period, the BoC reported that they had received over 85,000 responses. As of writing, their summary report is yet to be published.

The BoC first published staff research about the possibility of issuing a CBDC back in November 2016, with “Central Bank Digital Currencies: A Framework for Assessing Why and How.” They observed that a number of so-called ‘foregone transactions’ – defined as “those that are economically beneficial (i.e., improving the welfare of the transacting parties) but do not occur because of various frictions” – were due to privacy concerns around “how their payment information is stored and transferred.” Therefore, a CBDC with a “higher level of anonymity may protect privacy and thus promote adoption and usage.” In a subsequent discussion paper one year later, “Central Bank Digital Currency: Motivations and Implications,” a footnote suggested that “a central bank could consider issuing both an anonymous benchmark CBDC (with a cap on the maximum amount that could be held) along with an I-CBDC (with no cap on balances).” In June 2020, they published an analytical note on “what is technologically feasible for privacy in a central bank digital currency (CBDC) system.”

A CBDC system is required to comply with regulations (e.g., KYC and AML). This can dictate the level of privacy and the selection of privacy techniques. KYC may require entities to store personal data with proper classification. Generally, achieving high levels of privacy while complying with regulations is complicated. A designer, however, could build a system with hybrid privacy levels. In this, unregulated holdings and transactions (offering maximum privacy to users) would be permitted within limits (e.g., a maximum amount) alongside regulated ones without limits.

A key difference in the justifications for issuing a CBDC, compared to those in Europe or the United States, is (a lack of) consideration for the unbanked, let alone the debanked. In “Is a Cashless Society Problematic?” the staff cite the results of a “Methods-of-Payment Survey” from 2013, in which “besides cash, 98% [of respondents] have a debit card, while about 82% have a credit card.” This is consistent with other multi-year public surveys, though it should be noted that the proportion of unbanked is noticeably higher for indigenous Canadians: “there is an estimated rate of 15% of individuals without bank accounts in First Nation communities.” Instead, this paper focused on issues with “seigniorage, monetary policy, payments and financial stability,” such as the stark contrast in the quantities of ‘inside’ vs. ‘outside’ money. Interestingly, they believe that “Bitcoin can also be considered outside money, although it is private money (e.g., Garratt and Wallace 2016).”

As noted above, almost all of the money used in a modern economy is inside money created by the banking system. Therefore, one way to interpret the prospect of a cashless society is that a particular kind of outside money (cash) falls into disuse and even greater reliance is placed on inside money (deposits), which already accounts for almost all of the money in Canada.

You can follow a feed of BoC research regarding CBDCs and related topics here.

EUROPE

On May 26th, the European Central Bank (ECB) published a summary of the prototyping exercise conducted between July 2022 and February 2023, as part of the investigation phase for the digital euro project. The design scope of the prototype included that the centralised “settlement engine which processes digital euro payment and funding/defunding transactions,” called N€XT, was “based on a UTXO data model.” Apache Kafka, “an open-source messaging technology, serves both as the inter-service communication platform and as a multi-site sharded data store for transactions and UTXOs.” They argued that this model was advantageous for privacy:

One of the advantages of a UTXO-based data model is in fact the ease of implementing a centralised ledger that does not allow balances to be associated with any given individual. The N€XT prototype natively supports one-time UTXO addresses and does not need to know which wallet holds the UTXOs, nor the identity or pseudonym of their owner, in order to process UTXO transactions. Thus, the prototype showed that the Eurosystem would be able to perform the settlement tasks without being able to know the balance or to infer the payment patterns of any user. However, this approach will require intermediaries to manage one-time addresses and to implement certain features such as checks on holding limits. Furthermore, it would require the incorporation of procedures to ensure that end users can recover their funds if their intermediary suddenly ceased to operate.

They also claimed that ‘market participants’ were “experimenting with innovative approaches, such as self custody wallets, which could potentially allow for more privacy – pending legislative developments.” They support the idea of “tiered due-diligence checks” and “specialised identity verification service providers” as gatekeepers, without specifying what degree of identification will be expected.

The main learning with regard to these checks was that it is technically feasible and potentially advantageous to unbundle checks that are dependent on the user’s identity (such as AML/CFT checks) from the payment flow, so that they can be either skipped for low-value payments – if permitted by legislation – or potentially performed by different entities. In such a set-up, the use of the digital euro would come closer to the use of cash from a privacy perspective, and benefits could be achieved by relying on specialised identity verification service providers who would ideally adhere to harmonised pan-European standards, rather than relying on intermediary-specific identity solutions.

The FAQ page managed by the European Commission also states, regarding “limits on the amount of digital euro you can hold,” that “holding limits would be set by the European Commission for the use of digital euro offline, in order to limit money laundering and terrorism financing risks.”

On June 28th, the Directorate-General for Financial Stability, Financial Services and Capital Markets Union (DG FISMA) department of the Commission published a draft regulation package with a proposal for a new Payment Services and Electronic Money Services Directive (PSD3) and “a new Payment Services Regulation (PSR),” to create “an efficient and integrated market for payment services in the EU.” Though it does not appear that the proposals mention a digital euro, the ECB’s fourth report cites them as “facilitating the possible introduction of a digital euro.” On the same day, the Commission also adopted a legislative proposal “on the legal tender of euro banknotes and coins, to safeguard the role of Euro cash.”

This proposal is also consistent with the European Accessibility Act, which covers ATMs, and with the Union’s policy efforts to support social inclusion, including in the context of the European Pillar of Social Rights. It aims to ensure that everyone in the euro area has sufficient and effective access to cash. This is particularly relevant for vulnerable groups with a dependency on using cash for payments, which typically include older people, those with a disability who may have difficulty in accessing digital payments, people with limited digital skills and/or income. These groups tend to have a strong preference to use cash to settle their payments over electronic means of payments. Furthermore, financially excluded people, such as the unbanked, asylum seekers and migrants, who may not be able or willing to use means of payment supplied by the private sector, also rely on cash as their payment method. Moreover, evidence shows that the main reasons why cash is preferred are that (i) cash is considered to make one more aware of one’s own expenses, and (ii) cash is perceived as anonymous (and therefore protects privacy), whilst it has the unique feature of allowing for direct payments with immediate settlement without the need for a third party. In terms of preserving cash as a payment option, the 2022 ECB SPACE study shows that 60% of consumers still considered the option to pay with cash to be important or very important. It confirms that “despite the impact of the pandemic and related lockdown measures and self-reported preferences, an increasing share of euro area consumers would like to have cash as a payment option”.

In mid-July, the ECB published their fourth progress report for the investigation phase. They still believe it is feasible that “a digital euro could work both online and offline, using independent designs,” “thereby also increasing the resilience of the digital euro ecosystem.” The four core principles of the compensation/funding model include:

The Eurosystem is of the opinion that a digital euro should offer basic services to citizens free of charge, reflecting its status as a public good and in line with users’ experience with cash. To foster network effects, the Eurosystem believes that intermediaries should be compensated for the services they provide, as they are for comparable electronic payments, while legislative safeguards should prevent merchants from being overcharged by intermediaries. The Eurosystem would bear its own costs, as it does today for banknotes.

On July 11th, the ECB hosted a ‘civil society seminar’ featuring Evelien Witlox and José Ignacio Terol Rodriguez, managers of the digital euro project, with deputy head of public communication Ronan Sheridan moderating. Regarding the holding limit, Witlox confirmed it was still likely to be set around €3,000 because then “there would be no impact or concern for financial stability.. just to avoid that, in a time of crisis, there would be a big outflow of liquidity [from] the bank in one go.” The limits would be finalized closer to the date of issuance. She also said that the offline version would “be indeed something like a bearer instrument.” Terol Rodriguez added that it “would only be available for proximity payments,” like typical cash transactions. Regarding ‘inclusion’, their slides state that the digital euro “will be designed to take on board people with no access to a bank account and low digital or financial skills, as well as people with disabilities.”

It is not the ECB which is setting what might be, in different countries, the maximum payment which can be done with cash. That entails a judgment of privacy versus anti-money laundering. It’s not a central bank decision, it’s a political decision. That’s why, at least in the legislative proposal, it’s proposed that [the maximum offline payment amount be] equivalent [to the] maximum amount of a payment with cash. That would lie with the European Commission to set it… The overall holding limit of a digital euro would be established by ECB.

On August 16th, I attended a talk at Chaos Communication Camp 2023 by Epicenter.Works executive director Thomas Lohninger. His civil rights organisation has been paying close attention to both the digital euro project and the related development of the European Digital Identity Wallet under an updated international electronic identification (eID) system and reformed ‘Electronic IDentification, Authentication and Trust Services’ (eIDAS) regulation; their counter-lobbying efforts have contested, delayed, or even removed the inclusion of undesirable features, such as unique and persistent identifiers. Recently, Lohninger and more than “409 scientists and researchers from 33 countries” signed an open letter to the Parliament and Council, opposing certain elements of the near-final text of the eIDAS reform because it “radically expands the ability of governments to surveil both their own citizens and residents across the EU by providing them with the technical means to intercept encrypted web traffic, as well as undermining the existing oversight mechanisms relied on by European citizens.” I highly recommend watching his presentation.

On October 18th, the ECB announced that the governing council had decided to move on to the “preparation phase following conclusion of two-year investigation phase.” The ECB has recently updated their FAQ page and opened a promotional page of the ‘key’ planned features. You can follow all publications from the ECB about the digital euro project here.

The next phase of the digital euro project – the preparation phase – will start on 1 November 2023 and will initially last two years. It will involve finalising the digital euro rulebook and selecting providers that could develop a digital euro platform and infrastructure. It will also include testing and experimentation to develop a digital euro that meets both the Eurosystem’s requirements and user needs, for example in terms of user experience, privacy, financial inclusion and environmental footprint. The ECB will continue to engage with the public and all stakeholders during this phase. After two years, the Governing Council will decide whether to move to the next stage of preparations, to pave the way for the possible future issuance and roll-out of a digital euro.

On the same day, the European Data Protection Board (EDPB) and Supervisor (EDPS) Wojciech Wiewiórowski issued a joint opinion on the design proposals so far, including a “call for clarifications on the processing of these identifiers” and “strongly recommend[ing] to introduce a ‘privacy threshold’ for online transactions, under which neither offline nor online low-value transactions are traced.”

In addition to the highly speculative nature of the purported benefits, CBDCs raise considerable privacy and surveillance risks. A new digital pound would collect sensitive payment and user identity information and simultaneously be programmable and traceable, thereby carrying potentially disastrous consequences. Examples of CBDC development abroad paint a cautionary tale: China’s digital currency development has been linked to an increase in population surveillance, whereas Nigeria has explored ways to “keep full control” of its CBDC despite the rollout of the new currency receiving public backlash and a legal intervention. The possibilities of state surveillance and financial control that a centralised digital currency can bring are deeply concerning and incompatible with the rights and freedoms integral to democratic British society. As Danny Kruger MP said during a Treasury Committee evidence-gathering session on CBDCs, “if we get this wrong, it is catastrophic”.

In May, the U.K. civil liberties non-profit and campaign group Big Brother Watch launched “NoSpyCoin” (similar to the ‘NoSpyCash’ campaign in the U.S.), opposing “the Government’s plan to pilot a Central Bank Digital Currency by 2025” and encouraging citizens to contact their members of Parliament. They had already submitted their response to a February 2023 consultation paper on the ‘digital pound’ (aka “Britcoin”) issued by the Digital Pound Taskforce, a partnership between the Bank of England (BoE) and HM Treasury. The paper claims that:

.. the digital pound is at least as private as current forms of digital money, like the money in a commercial bank account or e-money. Digital pound users will be able to make choices about the way their data is used. We are supportive of, and encourage, firms to offer services that enable holders to opt for enhanced privacy functionality and exert greater user control of personal data.

… Neither the Government nor the Bank would have access to digital pound users’ personal data except for law enforcement agencies under limited circumstances, prescribed in law, and on the same basis as currently with other digital payments. The digital pound would not be anonymous because the ability to identify and verify users is needed to prevent financial crime.

Public comment and questions – of which they reportedly received more than 50,000 – were accepted until June 30th, and as of writing they are still being analysed. You can follow this filtered news feed for updates on their activity.

On September 6th, London-based Financial Times (FT) banking and fintech correspondent Siddharth Venkataramakrishnan published an article about how discussion and development of CBDCs is being thwarted by “culture warriors,” and how this “risks undermining adoption and entrenching fears about government surveillance.” Yet in his own article, he cites the Nigerian ‘eNaira’, and how the ‘e-yuan’ “offers greater control and surveillance,” based on the same February 2021 article in the FT that explicitly argues it is “tied up in the Communist party’s drive to maintain its control over society and the economy. The technology is partly designed to reinforce its surveillance state.” He also quotes experts who acknowledge that there is legitimate fear and distrust:

A series of financial scandals this year have exacerbated distrust, says Aoife Gallagher, a senior analyst at the Institute for Strategic Dialogue. “Events like the Coutts saga [in which the private bank closed former Brexit party leader Nigel Farage’s bank accounts] and the Silicon Valley Bank collapse serve as further justification within these communities,” she says.

:information_source: For more perspective on the history and nature of CBDCs, check out economic anthropologist Brett Scott’s “Zen and the Art of CBDC Analysis.”

PROJECT ATLAS

In March, the Bank for International Settlements (BIS) announced that they would be collaborating with the central banks of the Netherlands (DNB) and Germany (DBB) on Project Atlas, “a data platform that sheds light on the macroeconomic relevance of cryptoasset markets and decentralised finance (DeFi).” On October 4th, they published their first project report on the proof-of-concept.

Project Atlas provides data tailored to the needs of central banks and financial regulators. It fuses data gathered from crypto exchanges (off-chain data) with data from public blockchains (on-chain data) gathered from nodes. By connecting various sources, Atlas allows for data vetting, giving users tools to evaluate these markets’ economic significance more accurately.

The report notes that the Vienna-based Iknaio Cryptoasset Analytics GmbH is the ‘private sector partner’ that provides “the aggregation of proprietary attribution data on crypto exchanges.” The service commented that they are “proud to support this initiative.”

With clustering heuristics, it is possible to construct the entity network, representing asset flows between address clusters probably controlled by the same real-world entity. A single entity can control several address clusters. Building on the entity network abstraction, blockchain addresses are de-anonymised and linked to real-world entities using public and proprietary information, referred to as attribution data. Attribution data include information on the acting entity, such as the name of a crypto exchange. The strength of the approach lies in combining address clusters with attribution data. One data point that attributes a single address to a real-world entity can identify a large address cluster. This way, the approach can at times even deanonymise a couple of hundred thousand addresses with a single data point.

However, generating attribution data is usually expensive since it relies on sample interactions with a particular crypto exchange, crawling for published addresses or other more elaborate data-gathering procedures. There are public sources for attribution data (eg walletexplorer.com or etherscan.io). In addition, private companies increasingly offer attribution data as part of their business model. Therefore, comprehensive attribution data are often proprietary information. While the focus often lies on forensics or transaction screening, Atlas employs attribution data focusing on macroeconomic relevance. Atlas employs public attribution data combined with proprietary data provided by Iknaio research, which is also based on third parties that specialise in cryptoasset data or indirectly collected attribution data. The platform updates data from different repositories and can incorporate further sources of attribution data.

The report did not offer much insight into what they have used it to study, beyond that “an initial analysis of data collected by the platform indicates that cross-border flows are substantial in economic terms and unevenly distributed across geographical regions.” They also state that their purpose is to “serve as a starting point for preliminary assessments and inform the drafting of data reporting requirements and regulation of crypto market actors.” It should also be noted that ‘walletexplorer.com’ is operated by Chainalysis and has surreptitiously associated visitor IP data and addresses, which was then fed to law enforcement (TMIBP06, TMIBP22). With that in mind, it is undeniable that the BIS is now directly engaging in blockchain surveillance.
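The mechanism the Atlas report describes, clustering addresses that are spent together and then letting one attribution data point label the whole cluster, can be reproduced on constructed data. The Python below is an added example, not code from the BIS report, Iknaio or any analytics vendor; the transactions, owners, the `ExampleService` label and the equal-output guard `looks_collaborative` are assumptions made for illustration. It also scores the result against ground truth to show how one multi-party transaction spreads the label onto unrelated addresses.

```python
from collections import Counter, defaultdict

# Constructed sample data. Each transaction lists the addresses it spends
# from and its output amounts in satoshis.
TXS = [
    {"inputs": ["svc1", "svc2"], "outputs": [70_000]},
    {"inputs": ["svc2", "svc3"], "outputs": [40_000, 1_500]},
    {"inputs": ["svc3", "svc4"], "outputs": [90_000]},
    {"inputs": ["alice1", "alice2"], "outputs": [25_000, 3_000]},
    # Collaborative transaction: three unrelated parties each fund one input
    # and each receive one equal-valued output (a CoinJoin-like shape).
    {"inputs": ["alice2", "bob1", "svc4"],
     "outputs": [10_000, 10_000, 10_000, 700]},
]
# Ground truth, which a real analyst does not have; used only for scoring.
OWNER = {"svc1": "service", "svc2": "service", "svc3": "service",
         "svc4": "service", "alice1": "alice", "alice2": "alice",
         "bob1": "bob"}
# The single attribution data point: one address tied to a named entity.
ATTRIBUTION = {"svc1": "ExampleService"}


class UnionFind:
    """Disjoint-set structure used to merge addresses into clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def looks_collaborative(tx, min_equal=3):
    """Naive guard (an assumption of this example): a transaction with at
    least `min_equal` inputs and `min_equal` equal-valued outputs is treated
    as multi-party and excluded from co-spend clustering."""
    most_common_count = Counter(tx["outputs"]).most_common(1)[0][1]
    return len(tx["inputs"]) >= min_equal and most_common_count >= min_equal


def cluster(txs, skip_collaborative=False):
    """Co-spend heuristic: all inputs of one transaction share an owner."""
    uf = UnionFind()
    for tx in txs:
        for addr in tx["inputs"]:
            uf.find(addr)  # register every address, even if never merged
        if skip_collaborative and looks_collaborative(tx):
            continue
        first = tx["inputs"][0]
        for addr in tx["inputs"][1:]:
            uf.union(first, addr)
    clusters = defaultdict(set)
    for addr in list(uf.parent):
        clusters[uf.find(addr)].add(addr)
    return list(clusters.values())


def propagate(clusters, attribution):
    """Label every address in a cluster that contains exactly one known name.
    Clusters with no name, or with conflicting names, stay unlabelled."""
    labels = {}
    for members in clusters:
        names = {attribution[a] for a in members if a in attribution}
        if len(names) == 1:
            name = names.pop()
            labels.update({a: name for a in members})
    return labels


def false_positives(labels, owner, attribution):
    """Addresses given a label whose true owner differs from the owner of
    the address the label was originally attached to."""
    true_owner = {name: owner[addr] for addr, name in attribution.items()}
    return sorted(a for a, name in labels.items()
                  if owner[a] != true_owner[name])


if __name__ == "__main__":
    for guarded in (False, True):
        labels = propagate(cluster(TXS, skip_collaborative=guarded), ATTRIBUTION)
        wrong = false_positives(labels, OWNER, ATTRIBUTION)
        print(f"guard={guarded}: {len(labels)} labelled, false positives={wrong}")
```

Scoring is only possible here because `OWNER` is known; without such ground truth, the error rate of a clustering result cannot be measured.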

THE FOG OF ANALYSIS, CONTINUED

As you consider whether and how to incorporate blockchain analysis into your investigative strategy, be forewarned: There may be myriad challenges — legal and practical — to admitting blockchain analysis evidence at trial. For example, some analytical tools may incorporate sensitive or proprietary techniques that cannot be readily presented in open court. As discussed further below, these difficulties are hardly insurmountable, but a savvy prosecutor may conclude that employing tools in other ways that avoid undue litigation risk may be the more prudent course.

― “Using Blockchain Analysis From Investigation to Trial” by C. Alden Pelker, Christopher B. Brown, and Richard M. Tucker in the ‘Technology and Law’ issue of the Department of Justice (DoJ) Journal of Federal Law and Practice, Vol. 69, No. 3 (May 2021)

The legal presumption, as applied in practice, has exposed widespread misunderstanding about the nature of computer failures – in particular, the fact that computer failures are usually failures of software – because of the naïve belief that computers were just ‘mechanical instruments’. The presumption has been the cause of widespread injustice.

… We propose that the presumption that computer evidence is reliable be replaced with a process where if computer evidence is challenged, a party must justify the correctness of the evidence upon which they rely. The proposed process, summarised below, requires the disclosure of documents that would already exist in any well-managed computer system. The procedural and evidential safeguards of the kind we propose would probably have avoided the disastrous repeated miscarriages of justice over the past 20 years. The Post Office Horizon scandal is not unique.

― “Briefing Note: The Legal Rule That Computers Are Presumed To Be Operating Correctly – Unforeseen and Unjust Consequences” by Nicholas Bohm, James Christie, Peter Bernard Ladkin, Bev Littlewood, Paul Marshall, Stephen Mason, Martin Newby, Steven J. Murdoch, Harold Thimbleby and Martyn Thomas CBE in Digital Evidence and Electronic Signature Law Review, Vol. 19 (October 2022)

In TMIBP20 and TMIBP22, I highlighted the case of Roman Sterlingov, accused of creating and operating Bitcoin Fog, a centralised proto-mixing service. He was arrested on April 27th 2021, and has already spent over 900 days in pre-trial detention. A key point of contention in the case has been the accuracy and validity of the blockchain surveillance processes used by the IRS Criminal Investigation (IRS-CI) agent(s), namely the software services of Chainalysis. There have been three significant developments.

Firstly, on July 18th, Chainalysis’ head of investigations for government solutions Elizabeth A. Bisbee filed a declaration with the court concerning their “clustering methodology,” which included the following statements [emphasis added]:

Chainalysis clustering methodologies have not been peer-reviewed in the sense that an academic paper would get peer-reviewed with data and methodology(ies) reviewed in a separate study by other scientists. However, every single clustering heuristic in the system has been reviewed by numerous Chainalysis data scientists, intelligence analysts, and investigators that specialize in blockchain analytics.

… If the information were incorrect, the exchange receiving the legal process would respond that the address does not match or be [sic] controlled by them. Chainalysis does not know how often this happens but this is extremely rare otherwise law enforcement customers would not be able to use Chainalysis tools to further their investigations.

… Historically, Chainalysis has not gathered and recorded in a central location false positives / false negatives because there is design to be more conservative in the clustering of addresses. In response to the Court’s inquiry, Chainalysis is looking into the potential of trying to collect and record any potential false positives and margin of error, but such a collection does not currently exist.

“Looking into the potential of trying to” do science, how lovely! These admissions were all further confirmed in-person during the Daubert hearing on June 23rd, where Bisbee and Federal Bureau of Investigation (FBI) staff operations and virtual currency specialist Luke Scholl were questioned on the subject.

Secondly, on August 8th, Ciphertrace director of investigations and intelligence Jonelle Still filed a 41-page expert report “reveal[ing] errors, omissions, and a lack of methodological rigor” in the so-called evidence provided by Chainalysis and TRM Labs, “calling the Government’s conclusions into serious doubt.”

For the reasons discussed below, Chainalysis’ attributions are unverifiable and should not be used in a Court of law. These data have never been verified externally nor independently, have not been audited, utilize novel algorithms, are based upon experimental research, and, as expert witness Elizabeth Bisbee, from Chainalysis, testified at the Daubert Hearings, there are no known error rates, false positive rates, false negative rates, or any scientifically peer-reviewed inquiry validating the accuracy of Chainalysis’ data application of its models. Therefore, I cannot verify the vast majority of Chainalysis’ attribution as presented by the Government.

… Blockchain forensics should only be used to generate investigatory leads. Standing alone, they are insufficient as a primary source of evidence. What is striking about this case is the conclusions reached without any corroborating evidence for the blockchain forensics.

The blockchain forensics and tracing tools used in this case were misused to erroneously conclude that Mr. Sterlingov was the operator of Bitcoin Fog when no such evidence exists on-chain.

The failures in the blockchain analysis in this case highlight some of the structural problems with this space. To prevent wrongful arrests like this one, and failures in compliance, like with FTX, it is recommended that Chainalysis, and their methodologies of blockchain analysis be independently audited.

In September, I gave another presentation on “the overlap between blockchain analysis companies, private spyware firms, and government intelligence agencies” at the Baltic Honeybadger conference in Riga, Latvia, as a follow-up to the one I gave at Paralelní Polis in October 2022 (TMIBP21, TMIBP22). It focused on the risk of “becoming legally sandwiched between a new category of ‘junk science’ in forensics and the non-judiciability of many cases that fall under counter-terrorism law / policy.”

Thirdly, despite much resistance from Chainalysis, it now seems possible that an expert witness may be allowed to access and evaluate their software on behalf of the defense. On August 31st, within a notice to the court, Chainalysis offered to “voluntarily provide the government with the following information which the government may produce to the defendant: (1) the specific assumptions and logic tests used by heuristic 2 (behavioral clustering) for the results in this case; (2) information on how heuristic 1 (co-spend clustering) detects and controls for CoinJoin; and (3) information regarding whether any manual alterations were applied to heuristic 3 (intelligence-based clustering).” They are still otherwise resisting the requests to disclose their source code in part or in full, arguing that “a protective order would be insufficient to protect the proprietary source code” and disclosure to the “Defendant, Defense counsel, or their suggested expert” would “cause irreparable harm to Chainalysis’ business.” Bisbee and attorney William Frentzen filed supportive declarations to that effect. 
However, on September 12th, they still filed two drafts for a “Heuristic Information / Code Protective Order” that would bar anyone from using or disclosing information about their software outside of closed court proceedings; they subsequently also requested the inclusion of “a five-year noncompete requirement.” On September 13th, Judge Moss accepted the proposed protective order draft that Still would be subject to if chosen as the reviewer, and “the new trial start date tentatively is set for February 12, 2024.” Still declined the invitation, given that this could “subject Ciphertrace to extensive potential intellectual property and other claims by Chainalysis” and disrupt “her ability to work for future employers in blockchain related fields.” She “is still available to testify based on her review of the discovery and her expert report produced to the Court.” On September 29th, Ekeland and Hassard protested that “this leaves Mr. Sterlingov’s attorneys as the only ones currently able to review this specific, produced, novel material evidence… Mr. Sterlingov cannot meaningfully and effectively participate in his own defense.”

This ban on Mr. Sterlingov’s personal review of the evidence directly relevant to a core issue in this case – the inaccuracy of Chainalysis Reactor software and its lack of scientific validity – violates Mr. Sterlingov’s Fifth Amendment due process rights, particularly his right to put on a complete defense, and his Sixth Amendment rights to effective assistance of counsel and to confront his accusers.

Bonus ‘What Is Wrong With This Picture?’ Moment: On November 2nd, FTX CEO Sam Bankman-Fried was found guilty on all charges of wire fraud, wire fraud conspiracy, conspiracy to commit money laundering, conspiracy to commit commodities fraud, and conspiracy to commit securities fraud; the remaining charges from the indictment, of “conspiracy to defraud the Federal Election Commission and commit campaign finance violations,” may reportedly still be prosecuted at some future date. Back in April, New York Times (NYT) technology reporter David Yaffe-Bellany, writing about the United States v. Ryan Felton case (coincidentally where Bisbee’s testimony apparently “helped secure Felton’s guilty plea”), stated that “Chainalysis has come to occupy an increasingly important position in the industry.”

After the FTX exchange imploded, its bankruptcy lawyers hired Chainalysis to disentangle the web of entities at the center of Sam Bankman-Fried’s empire and track the $400 million in crypto that a hacker stole from FTX’s accounts. Chainalysis has also been conducting some light diplomacy: In April, it hosted a conference in Manhattan to bring together government officials and the newly chastened crypto executives who are trying to win back their trust. Guests received socks stitched with the Chainalysis logo.

… In 2021, an official at TRM emailed the Treasury Department to question its decision to award an exclusive contract to Chainalysis, according to email logs obtained through a public records request.

The TRM representative asked for a “rationale as to why this procurement isn’t following a competitive bid process,” according to the emails. “There are multiple providers with analogous capabilities that meet” the requirements, the representative wrote. By early last year, TRM had secured its own contract with the Treasury Department, according to a company spokeswoman. And TRM was hired alongside Chainalysis to work on FTX’s bankruptcy.

According to the testimony of attorney and FTX’s new CEO John J. Ray III to the House Financial Services Committee in December 2022, Chainalysis was involved in the ‘Asset Protection & Recovery’ operations of the bankruptcy proceedings, which they have indeed offered as a service since at least November 2020. Neither the NYT article nor the testimony mentions the fact that Chainalysis was not only a creditor of FTX, but their compliance partner while they were still operating, monitoring “all deposits and withdrawals” as well as on-chain “flows into and out of” the exchange (TMIBP21). :ok_woman::computer: Control+Shift+V Cat-Monkey meme.

TORNADO CASH UPDATE, CONTINUED

In TMIBP20, TMIBP21, and TMIBP22, I covered the designation of Ethereum-based mixer Tornado Cash as a sanctioned entity, the subsequent arrest & pre-trial detention of developer Alexey Pertsev in the Netherlands, and related lawsuits challenging the criminalisation of mixing software. Pertsev’s trial is currently scheduled for March 26-27th 2024.

Having been released from pre-trial detention in April, Pertsev and his lawyer Keith Cheng were able to personally attend the ETHDam community conference and hackathon on May 21st at Pakhuis de Zwijger in Amsterdam. Introduced by Pertsev, Cheng gave the first mainstage talk of the event on “insight into the Tornado Cash case in the Netherlands.” Supporting the argument that Pertsev and the other contributors had ‘no criminal intent’, Cheng pointed to their incorporation of Chainalysis sanctions screening oracle tool within about a month after its free release in March 2022 (TMIBP19).

The fact that Tornado Cash includes a compliance tool demonstrates the developers’ commitment to responsible use.

Regarding Joseph Van Loon et al. v. Department of the Treasury, on May 18th, an additional amicus curiae brief was filed by the D.C.-based Bank Policy Institute (BPI), this time in support of the Treasury. The BPI argues that “the regulated financial system.. provides safe, efficient, and privacy-protected financial services to billions of customers around the world,” “ever-increasing inclusion for its current and prospective customers,” and “that our citizens’ right to privacy is extensive but must be subject to the limited oversight necessary to protect them.” Further, “any insinuation that banks and other regulated institutions as an industry engage in discrimination or otherwise ignore their legal obligations is untenable.” (:eyes: Say what?) On August 17th, Judge Robert Lee Pitman granted the Treasury’s motion for full summary judgement. “The Court finds that Tornado Cash is an entity that may be properly designated as a person under IEEPA,” that “the smart contracts constitute property, or an interest in property,” that “OFAC’s designation of Tornado Cash does not exceed its statutory powers,” and the “Plaintiffs have not shown that the government’s action in any way implicates the First Amendment.” Pitman “ordered that Plaintiffs’ claims against the government are dismissed with prejudice.” On September 18th, the plaintiffs filed to appeal the decision.

The parties’ filings frame three issues — (1) whether OFAC exceed[ed] its statutory authority by designating Tornado Cash’s core software tool; (2) whether the designation was arbitrary or capricious; and (3) whether the designation violated the First Amendment.

… In sum, because foreigners (e.g., Tornado Cash’s founders, developers, and DAO) have a financial “interest” in the increased use and popularity of the Tornado Cash service as a whole, OFAC did not exceed its statutory authority by designating all of the addresses affiliated with the service, including the core software tool, under the IEEPA.

Regarding Coin Center v. Yellen (TMIBP21), very similar amicus curiae briefs from the Blockchain Association, DeFi Education Fund, investment firm Paradigm Operations, and venture capital firm Andreessen Horowitz supporting the plaintiffs, and BPI supporting the Treasury, were filed in June. Out of court, in response to the August 23rd indictment against Roman Storm and Roman Semenov for “conspiracy to commit money laundering, conspiracy to commit sanctions violations, and conspiracy to operate an unlicensed money transmitting business” relating to their “alleged creation, operation, and promotion of Tornado Cash,” Peter van Valkenburgh wrote that “all of those facts point to the defendants fitting squarely within FinCEN’s guidance on anonymizing software providers rather than them being money transmitters.”

We’re still researching but to our knowledge the only control that the defendants ever had over the smart contracts was the ability to change aspects of cryptography related to Tornado Cash’s privacy features and never had any ability to actually access, move, or direct the user funds in the contract. If that technical analysis is accurate then it does not seem likely the defendants ever had the sort of “independent control” over the transmitted value that FinCEN describes in its guidance, and, accordingly it seems that this alleged activity would also not constitute unlicensed money transmission.

In September, journalists Inbar Preiss and Aleks Gilbert wrote that “despite similar charges, legal experts and industry representatives have noted stark differences in how law enforcement agencies in the two countries have pursued” Storm and Semenov versus Pertsev.

On October 30th, Judge Thomas Kent Wetherell II ruled that “the designation of Tornado Cash falls squarely within the authority delegated to OFAC,” that “the designation of Tornado Cash was not arbitrary or capricious,” and “did not implicate Plaintiffs’ First Amendment rights.” Identically, “all claims in Plaintiffs’ amended complaint are dismissed with prejudice.” Coin Center director of communications Neeraj K. Agrawal tweeted that they plan to appeal this decision as well. When asked by financial writer John Paul Koning, “Would it be fair to say that one of the biggest differences between your OFAC challenge and Coinbase’s challenge is that you narrowed your focus to the 21 non-upgradeable contracts whereas Coinbase focused on the entirety of OFAC’s designation?” Agrawal replied, “yes.”

FINCEN PROPOSED RULEMAKING ON MIXING

In TMIBP02 and TMIBP05, I covered the development of an inter-VASP customer data sharing system for compliance with the Bank Secrecy Act (BSA) Travel Rule, and how FinCEN was seeking to lower the threshold [of reportable activity] (a proposal for which they received “roughly 2,900 comments”); in TMIBP02, TMIBP04 and TMIBP06, I’ve followed challenges to the use of the third-party doctrine regarding financial records; in TMIBP05, I also highlighted how the effectiveness of anti-money laundering policies came under scrutiny with the release of the ‘FinCEN Files’, and interest in identifying ‘crypto-exposed persons.’

TMIBP07, “The PATRIOT Act: Share It All” (December 2020)

In TMIBP07, TMIBP08, and TMIBP09, I followed an attempt by the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of Treasury, “to require banks and money service businesses (‘MSBs’) to submit reports, keep records, and verify the identity of customers in relation to transactions involving convertible virtual currency (‘CVC’) or digital assets with legal tender status (‘legal tender digital assets’ or ‘LTDA’) held in unhosted wallets.” This notice of proposed rulemaking (NPRM) was ultimately suspended in January 2021, but FinCEN continues to justify increasing requirements under the USA PATRIOT Act of 2001.

On October 19th, FinCEN announced a new NPRM that would “require covered financial institutions to report information about a transaction when they know, suspect, or have reason to suspect it involves [Convertible Virtual Currency] CVC mixing within or involving jurisdictions outside the United States,” with the stated goal of “increas[ing] transparency around CVC mixing to combat its use by malicious actors including Hamas, Palestinian Islamic Jihad, and the Democratic People’s Republic of Korea (DPRK).” They argue that mixing is “a class of transactions of primary money laundering concern,” which under the PATRIOT Act gives the Secretary of the Treasury power to “prohibit, or impose conditions upon, the opening or maintaining in the United States of correspondent or payable-through accounts for or on behalf of a foreign banking institution.” They cite the Bitcoin Fog case (TMIBP20, TMIBP22), and OFAC’s designation of Ethereum-based mixer Tornado Cash as a sanctioned entity (TMIBP20, TMIBP21, TMIBP22) as a successful prior action. They claim that “this additional transparency would serve two purposes,” namely “support[ing] money laundering investigations” against any “threat to U.S national security and the U.S. financial system,” and “deter illicit actors’ use of CVC mixing services… to facilitate WMD proliferation, ransomware attackers’ laundering of ransoms, and obfuscation of transactions associated with the use of illicit darknet markets.”

FinCEN recognizes that there are legitimate reasons why responsible actors might want to conduct financial transactions in a secure and private manner given the amount of information available on public blockchains. FinCEN also recognizes that, in addition to illicit purposes, CVC mixing may be used for legitimate purposes, such as privacy enhancement for those who live under repressive regimes or wish to conduct licit transactions anonymously. Still, CVC mixing presents an acute money laundering risk because it shields information from responsible third parties, such as financial institutions and law enforcement.

… Thus, the legitimate applications of CVC mixing must be carefully weighed against the exposure of the U.S. financial system to ongoing illicit use of CVC mixing. Given the substantial risks posed by CVC mixing, the fact that CVC mixing can be used for some legitimate business purposes does not alter FinCEN’s conclusion that this class of transactions is of primary money laundering concern.

The proposal does not itself mention specific mixing tools beyond the services that have already been sanctioned or shut down, and unlike prior reports (TMIBP01, TMIBP05, TMIBP22) from both themselves and the European Union Agency for Law Enforcement Cooperation (Europol), they do not include the distinction between mixing “service providers” and “software providers” in their definition of a “CVC mixer.”

The term “CVC mixer” means any person, group, service, code, tool, or function that facilitates CVC mixing. FinCEN acknowledges this definition is relatively broad; however, given the nature of CVC mixing, FinCEN deems the breadth of this definition to be necessary.

The reportable information to be required from covered institutions, “within 30 calendar days of initial detection of a covered transaction,” includes: the amount of any CVC transferred, in both CVC and its U.S. dollar equivalent when the transaction was initiated; CVC type; the CVC mixer used, if known; CVC wallet address associated with the mixer; CVC wallet address associated with the customer; transaction hash; date of transaction; IP addresses and time stamps associated with the covered transaction; narrative (e.g. “a description of activity observed by the covered financial institution, including a summary of investigative steps taken, … [and] if there is an uncharacteristic change in pattern of behavior”); the customer’s full name, date of birth, residential or business address, email address, and unique identifying number (such as an IRS TIN or foreign equivalent, passport number or other government-issued photo identification number, such as a driver’s license).

Blindly trusting the results of blockchain analytics platforms is the recipe for a disaster waiting to happen. And the result of this collective laissez-faire is that we have now a blockchain analytics company (Chainalysis) refusing to let a man access elements that would allow him to prepare his defense. The impunity that was collectively granted to these companies for years is pure insanity and it’s our collective duty to fix the situation.

LaurentMT, developer of the OXT blockchain analysis tool

In relation to Hamas and the recent escalation in Gaza, it is also important to note that blockchain surveillance tools have been misused to support greatly exaggerated claims about bitcoin and other crypto-assets being used to support violence and terrorism. On October 10th, Wall Street Journal (WSJ) global finance reporters Angus Berwick and Ian Talley cited Elliptic as a source for their assertion that “digital-currency wallets that Israeli authorities linked to the PIJ received as much as $93 million in crypto between August 2021 and June this year.” Specifically, they conclude the article by naming “Matthew Price, a former IRS investigator who now leads Elliptic’s business working with law enforcement.” As I pointed out in the last TMIBP22, Price was previously ‘Global Head of Intelligence and Investigations’ at Binance and one of the two main IRS-CI special agents behind the allegations against Sterlingov in the Bitcoin Fog case, “after a stint at the CIA.” Elliptic and Chainalysis, blockchain surveillance companies which both have prior and/or currently active service contracts with the Treasury Department and FinCEN specifically, have issued corrections on the matter:

ELLIPTIC: Over the past two weeks, politicians and journalists have portrayed public crypto fundraising as a significant source of funds for Hamas and other terrorist groups, but the data simply does not support this. No public crypto fundraising campaign by a terrorist group has received significant levels of donations, relative to other funding sources.

… there is no evidence to suggest that crypto fundraising has raised anything close to this amount, and data provided by Elliptic and others has been misinterpreted. We have spoken to representatives of the lead signatory, Senator Warren, as well as the authors of the Wall Street Journal article, to clarify this.

CHAINALYSIS: … we have also seen overstated metrics and flawed analyses of these terrorist groups’ use of cryptocurrency, and feel compelled to address some misconceptions.

However, the language of these corrections obscures their own glaring culpability. The Elliptic source, though not cited directly in the WSJ piece, was likely none other than “Israel Orders Seizure of Crypto Wallets Worth $94 Million Linked to Palestinian Islamic Jihad,” originally published by “Senior Crypto Threat Analyst” Eray Arda Akartuna on July 6th 2023. Akartuna is a PhD researcher at the Dawes Centre for Future Crime at UCL, under the topic of “money laundering and terrorist financing future directions” and with input to “detection and mitigation of financial fraud in the cryptocurrency space.” In 2021, Akartuna was a research assistant on “cryptocurrency fraud,” with a policy brief document that mentions how “law enforcement agencies are able to use a variety of new forensic techniques and tools to analyse illicit flows of Bitcoin.” According to his LinkedIn, between June 2022 and January 2023, Akartuna was involved in a joint project between UCL and the Australian National University (ANU) “to scope the future of money laundering and terrorist financing through cryptoassets.”

As of at least October 11th, the day after the publication of the WSJ article, the included chart was titled “Number and Value of Crypto Transactions Received by Palestinian Islamic Jihad.” Yet the chart’s new and current title, as of October 25th at the latest, is “Number and Value of Crypto Transactions Received by Wallets Linked to Palestinian Islamic Jihad by the NBCTF” (the Israeli National Bureau for Counter Terror Financing, which has issued various seizure orders for cryptocurrency since July 2021). The WSJ article was then subsequently updated on October 27th with qualifications in various places, including “Elliptic says it isn’t clear if all of the transactions it identified directly involved PIJ” and “it couldn’t be determined whether the crypto they received was directly used to finance the assault.” However, this was more than ten days too late, as Senator Elizabeth Warren (TMIBP01, TMIBP05) had amplified the original copy, published a WSJ opinion piece with the inflated numbers to promote their own Digital Asset Anti-Money Laundering Act (TMIBP22), and used all this to support a bipartisan letter to Treasury Under-Secretary for Terrorism and Financial Intelligence Brian E. Nelson and White House national security advisor Jake Sullivan, demanding to be informed of the “Treasury’s plans to address the serious national security threats posed by the use of cryptocurrency to finance terrorism no later than October 31, 2023.”

On October 23rd, Nelson attended a meeting of the Executive Committee of the Terrorist Financing Targeting Center (TFTC) in Riyadh, Saudi Arabia, “to continue close coordination on countering terrorist financing” with Bahrain, Kuwait, Oman, Qatar, Saudi Arabia, and the United Arab Emirates. Among his remarks:

We also have to think systemically about how we can harden our financial system against those who are seeking to exploit new technologies. That’s why we proposed a new regulation to enhance transparency in convertible virtual currency and combat terrorist financing.

UPDATE: On February 14th 2024, during an oversight hearing of FinCEN and the Office of Terrorism and Financial Intelligence (TFI), Nelson was asked by Emmer about the “erroneous” WSJ article. Nelson confirmed that those figures were not accurate. “We also assess that terrorists still prefer, frankly, to use traditional products and services… We can have a classified conversation about the precise numbers… We don’t expect the number is very high particularly.”

On October 26th, the U.S. Senate Committee on Banking, Housing, and Urban Affairs hosted an open session on “Combating the Networks of Illicit Finance and Terrorism.” One of the expert witnesses was Dr. Shlomit Wagman, a former director-general of the Israel Money Laundering and Terror Financing Prohibition Authority (IMPA) and co-chair of the Financial Action Task Force (FATF) Risk, Typologies and Methods Working Group. Among other points, she spoke to the “gaps and challenges in the specific context of virtual assets.” Besides predictably recommending “blockchain analytic tools” and “Customer Due Diligence for every transaction above $/€1,000” for VASPs, she acknowledged that uptake of the FATF’s so-called ‘rules’ (TMIBP11, TMIBP14) has been poor:

As of June 2023, four years after the FATF’s adoption of standards on VAs and VASPs, 75% of the countries that went through their routine reviewing process have not implemented the framework in full. In addition, one-third of the countries have not conducted a risk assessment, and a similar number have not yet decided if and how to regulate the VASP sector. Moreover, more than half of the countries have not taken any steps towards Travel Rule implementation.

During what was likely one of the most re-watched portions of the session, Democratic senator John Fetterman asked Wagman “why didn’t Hamas use its American Express card to finance that awful terror?” Wagman responded that “actually they are using bank accounts, credit cards, and payment cards. I know that first-hand because many Israelis are now monitoring all [fundraising] campaigns and they see that… Traditional channels are also being used.”

FinCEN’s NPRM is open for public comment until January 22nd 2024.

Final note: The last three stories in this newsletter touched on some very serious topics: the fallibility of blockchain surveillance (not just the software, but the humans that create, analyse, interpret, and even manipulate its output), the lack of scientific rigor and transparency in online media, and how both then go on to influence national and even international legislation and policy, potentially impacting the lives of millions of people. Elements of these stories would have been costly or not even possible to evaluate retrospectively without archival services like the Internet Archive and CourtListener by the Free Law Project. :heart:

If the ethical or professional fears of the average journalist were a Halloween monster, it would be a not-so-translucent ghost of all their past mistakes, haunting every piece they write. How journalists and/or their corporate media handlers deal with these ghosts falls on a spectrum – from full-scale denial and cover-up to appeal-to-authority to post-facto stealth edits to explicit corrections to retractions to (just maybe) apologies – but rarely do any of these responses result in a re-thinking of their journalistic process itself. I fully agree with Nic Carter’s point that “stealth edits allow them to avoid accountability and pretend they got it right the first time.” This deceives not only the public but also themselves, and neutralizes what should have been an impetus for improvement, building enough awareness to avoid even more catastrophic blunders. That is why I have long been using and encouraging the principles of scientific journalism, particularly with the extension of revision control, to prevent such behaviour. I too have a ghost, but through my process I’ve made peace with mine.

:information_source: Are you interested in regular, high-quality, and deeply technical updates on the state of Bitcoin beyond just privacy? Check out the Bitcoin Optech newsletter and podcast. And congratulations to David Harding on officially becoming a co-author for the third edition of “Mastering Bitcoin”!

Thanks for reading! Feel free to :bookmark: bookmark or subscribe to catch the next edition of ‘This Month in Bitcoin Privacy.’