NY’s Proposed BitRegs a Threat to Privacy and Innovation

The New York State Department of Financial Services recently proposed sweeping regulations for digital currencies – the first such rules in the United States dedicated to digital currency – that would require this burgeoning privacy-friendly industry to watch their users’ every move. New York’s proposed regulations would impose more restrictions on digital currency than on standard currency, requiring many digital currency services to identify all customers and track all transactions, and retain this data, largely for the sake of state surveillance.

Digital currency, such as Bitcoin, is a disruptive technology with vast potential to democratize financial services and spawn a new generation of innovative products from startups. In addition to its decentralized nature and global transferability, an appealing feature of most digital currencies is relative anonymity, since transactions are not directly linked to users’ names. Other than cash and prepaid cards, options for private transactions are limited. As fewer people carry cash, digital currency is shaping up to be important to the future of financial privacy. However, digital currency faces scrutiny from law enforcement and regulators due to persistent questions about security, volatility, and the potential to fund criminal activity.

New York should ensure its “BitRegs” take digital currencies’ unique nature into account and do not unnecessarily invade user privacy or stifle innovation.

While the illicit financing risks that digital currencies pose are real, New York should ensure its “BitRegs” take digital currencies’ unique nature into account and do not unnecessarily invade user privacy or stifle innovation. The regulations aren’t set in stone yet – New York is still taking comments – but the finalized rules may have a broad impact due to New York’s position as a center of world finance.

[Check out CDT’s previous post on mobile payments and privacy.]

Government requiring businesses to invade privacy and create risk

An individual’s identity combined with her financial transaction history are sensitive data. New York’s proposed requirement that many services collect and maintain this information is a serious privacy threat to any user of digital currency, and a liability for companies that must protect the information from hackers. New York’s proposed regulations require digital currency companies to have cybersecurity and user privacy programs, which is generally a good thing, but ironically the regulations themselves enhance the risk to privacy and security.

New York’s proposed regulations would require digital currency services, wherever they are headquartered, to obtain a “BitLicense” to operate in New York or serve New York customers. The BitLicense would require a wide range of digital currency services to identify their customers by name and physical address. Importantly, the regulations would also require digital currency services to record the details of every transaction, including the identities and physical addresses of the parties involved. As a result, each service with a BitLicense must not only collect detailed identifying and transactional information from users, but would also need to swap this information with other services with each transaction. Digital currency services would be required to maintain these records for ten years.

New York’s proposed regulations cover a broad range of services, including any person that controls or issues a digital currency (administrators), stores or maintains control of digital currency on behalf of customers (wallets), transmits digital currency or receives digital currency for transmission (transmitters), exchanges digital currency into any other type of currency (exchanges), or secures digital currency on behalf of others.

New York’s BitLicense would go beyond what is currently required under federal law.

New York’s BitLicense would go beyond what is currently required under federal law. The Bank Secrecy Act and the PATRIOT Act currently impose anti-money laundering rules on a wide variety of financial institutions to prevent illicit activity. In 2013 the U.S. Treasury Dept. issued guidelines making clear that digital currency exchanges and administrators are subject to the existing rules for “money transmitters”, which require customer identification. Yet New York’s BitLicense would extend far beyond exchanges and administrators, and would impose requirements – such as identifying all parties to a transaction – not currently applied to money transmitters.

Overbreadth: Wallets & the Wand of Woh

CDT is still developing an official position on the “BitRegs,” and we would welcome feedback on the following initial recommendations that we are considering.

1)   New York should remove the requirement that all digital currency services record the identity and physical address of every party involved in every transaction. This would require services to routinely share the identifying information of their users, to the detriment of user privacy and control, and may be a very difficult technical mandate for companies to fulfill securely. If this requirement must exist at all, it would be better relegated to transactions involving a high dollar amount, high risk parties, or high risk goods.

2)   New York should reconsider applying its customer identification and transaction tracking requirements to every type of digital currency wallet. New York’s regulations would cover services that “store” or “maintain control” of digital currency on behalf of others. Wallets are crucial to users of digital currency since the currency (or, more accurately, the credentials that indicate the user’s ownership and control of currency) must reside somewhere. The regulations would cover wallets that store the user’s currency/credentials in the cloud, locally on a user’s hard disk, or even physically via a paper printout. Even if a wallet is created solely by the user (not on behalf of others), the wallet could be subject to the regulations if the wallet “transmits” the digital currency to another person – a fundamental feature for many e-wallets, because a wallet is of limited use if you can’t transfer money out of it.

Users should not be required to provide identifying information and submit to transaction tracking to use a wallet software product that the user downloads to a local machine and that stores the user’s digital currency or credentials locally. Reporting requirements for high value or high risk transactions could still apply. For custodial accounts accessible to or controlled by third parties holding funds or credentials on behalf of users, the BitLicense should be no more intrusive or onerous than current federal requirements for money transmitters.

3)    New York should clarify its rules to exclude services that are incidental to digital currency exchanges, storage, and transactions. New York’s proposed regulations cover businesses that “secure” digital currency on behalf of others. Does this mean cybersecurity or antivirus software vendors must identify digital currency users whom they protect? The proposed regulations would also cover businesses that “transmit” digital currency. Does this include Internet service providers, like Comcast or Sky Broadband, whose networks transport digital currency credentials?

New York’s proposed regulations should include clarifying language to prevent such unreasonably broad interpretations. For example, current federal anti-money laundering regulations include an important list of exemptions to the definition of money transmitters that New York’s proposed rules lack.

4)    New York should widen its exception for video game currencies. New York’s proposed regulations include an exception for online video game currency, but only if the currency has no market outside of the gaming platform. Yet game currencies and rare items for most major online games are often sold in online marketplaces for fiat money. For example, Eve Online’s Intersteller Kredit is readily available from unauthorized sellers, at least one exchange openly trades Second Life Linden Dollars for Bitcoin, and Diablo 3’s Wand of Woh is currently for sale for *only* $168 on eBay. Given the external markets for such gaming currencies and artifacts, it would seem many gaming companies – as issuers of digital currency – may not be protected by the proposed regulations’ exception for video game currency.

Such activities are generally not authorized by the gaming company, but New York’s proposed regulations do not make that distinction. If video game currencies must be regulated by the “BitLicense” at all, it may make the most sense to include video game companies only to the extent that the currencies they issue have company-authorized marketplaces outside of the game.

Square pegs, round holes

New York’s proposed “BitLicense” has generated a fair amount of controversy. While some business leaders embrace the regulations, others express outrage and mull whether to cut off New Yorkers to avoid the BitLicense requirements. The writing is on the wall, though: lawmakers are looking to more closely regulate digital currency. The question is whether any new regulations will be a positive force in “legitimizing” the industry or a negative force by eliminating user privacy and imposing such heavy compliance costs that only well-capitalized outfits can compete. As currently written, we question whether New York’s BitLicense rules are in the best interests of digital currency users and companies, and urge New York to scale back its proposal to better balance the interests of law enforcement, user privacy, and innovation.