As regulators attempt to institute KYC and AML rules at the peril of our personal data, Bitcoin and encryption offer salvation.
Our world is filled with atrocious threats, crimes and violence. Human trafficking, child abuse, state-sponsored violence, terrorism and a laundry list of other heinous acts require tools to fight back and ultimately reduce their frequency to as close to zero as possible. Unfortunately, there are massive disagreements about the types of tools we should use in order to be as successful as possible in this endeavor.
In one camp, we have offensive tactics. These tools attempt to reduce the level of horrific crimes by making the criminal activity more difficult. This could be in the form of cutting off terrorist financing through know-your-customer (KYC) anti-money laundering (AML) regulations or giving corporations the power to scan user photos to catch images of child abuse.
What is KYC?
Know your customer (KYC) regulations are sets of rules implemented by the U.S. Financial Crimes Enforcement Network (FinCEN). These rules apply to actors in the investment and securities industries, including broker-dealers, banks and cryptocurrency exchanges such as Coinbase. The stated purpose of KYC is to prevent money laundering and other criminal activity. In order to comply with KYC, firms must verify the identification of all customers as well as continuously review customer activity for any suspicious activity. While KYC proponents claim that these regulations reduce the amount of illegal activities in the financial sector, the anti-KYC side argues that KYC is a privacy disaster that simply pushes criminals to better hide their activities or use different tools.
NOTE: In this post, I define KYC as the requirement for a person to provide identification and/or private information before they can receive a product or service, regardless of industry.
What is AML? How is it related to KYC, and how is it different?
Anti-money laundering (AML) regulations were created by an unelected global organization called the Financial Action Task Force (FATF). Similar to KYC rules, the stated intention of AML rules is to target criminal activity in the banking and financial sector, specifically to target money laundering and terrorist activities. In short, AML puts the burden on the institution to determine whether or not its customers are participating in illegal activities. These rules require companies to collect private information about their customers and continuously monitor activity for any suspicious transactions.
While KYC and AML are similar in their intentions, KYC is technically a subset of AML. KYC is specifically about verifying the identity of customers, whereas AML is a broader set of requirements. AML requirements include KYC, as well as things like reporting any transactions over $10,000 and verifying the origin of large amounts of money. KYC and AML rules require surveillance and mass collection of customer data. While this data is collected for a stated purpose of reducing criminal activity, it also provides a honeypot of information for potential attackers, a massive regulatory burden for companies and a hurdle for the most vulnerable members of society to access financial services.
While offensive tactics are easy to rally people behind — who doesn’t want to stop human trafficking? — the long-term effectiveness and downstream consequences of these tactics are rarely discussed. Some of the consequences, such as a reduction in business efficiency, are easily laughed off by proponents of offensive tactics. Who cares if a corporation loses some profits if it means we can catch child abusers? However, these tactics come with very real costs to the most vulnerable among us, as well as society at large. Furthermore, the long-term effectiveness of offensive tactics is questionable at best.
The Downsides Of Offensive Regulation Tactics
Let’s talk about the downsides of offensive tactics, using KYC regulations as an example. While the legal definition of KYC is specific to banking and finance, there are similar rules in place across various industries. In this post, I define KYC as the requirement for a person to provide identification and/or private information before they can receive a product or service, regardless of industry. KYC is required for getting bank accounts, healthcare, employment, housing and even phone/internet services. The stated purpose of KYC is essentially to ensure that a terrorist is restricted from using the banking system to finance their activities, or a human trafficker is prevented from using the local internet provider. This sounds noble enough, but is it actually effective?
In the short-term, KYC can be effective at catching the less intelligent and less adaptable criminals. It is certainly possible that banks will help catch some money laundering when an ID verification program is first launched. However, we should expect most criminals to quickly adapt by using forged documents, bribing officials or going outside of the banking sector entirely. The more skilled criminals will find and design tools that allow them to continue their activities in the long run.
While the benefits of KYC are fuzzy, the costs are clear. First, the costs to everyday people are massive. Personally-identifying information such as social security numbers, birthdates and addresses can be used to steal identities, physically attack or financially rob completely innocent individuals and their families. Even if the data is not stolen from the primary source, it can be sold to secondary organizations without the user’s permission. While some people may prefer to opt-in to such a system, the inability to opt-out of personal data collection is an asymmetry that benefits corporations and governments at the expense of everyday people.
Second, KYC presents incalculable potential future costs for society at large. KYC provides a treasure trove of data to government entities. If you trust the current government regime, this may seem fine. However, an increase in power for political leaders that you like today also means an increase in power for political leaders that you may vehemently disagree with tomorrow. If you would be terrified to grant a certain power to an enemy, then that power should simply not exist in the first place.
To sum up the societal costs: In the short-term, KYC requires all users to upload private information, increasing the potential attack surface for every single individual. In the long-term, KYC provides increased surveillance powers to unknown future government leaders who may use this power to harm society.
How does the proposed U.S. infrastructure bill fit in?
KYC and AML regulations are especially relevant right now with the recent battle over the U.S. infrastructure bill. An initially proposed version of the bill included extremely broad definitions of a “broker” which could be interpreted to apply to miners, nodes or developers. If this broad interpretation is to be used in practice, it would potentially require almost all cryptocurrency participants to collect and report information about the transactions they are interacting with.
For example, a Bitcoin miner could be required to report customer information to the IRS related to the transactions included in any block that it mines. While it would be impossible for many participants to comply with such a regulation, the concept has major negative implications for user privacy and security purposes. Someone mining Bitcoin in their garage should not be expected to collect the private information of thousands of users; nor should a user be forced to provide their private information to a random person mining Bitcoin in their garage.
While it wouldn’t fall directly under KYC or AML regulations, this provision could have similar impacts on the Bitcoin ecosystem, if enforced. Users would be harmed by being coerced to give up private information which could be hacked or sold to third parties. Operators would be harmed by needing to comply with stringent regulations — many, if not most, would likely shut down or move to a different jurisdiction. Meanwhile, criminals or tax evaders looking to use cryptocurrencies would simply use the tools to route around these regulations. Similar to KYC and AML regulations, the net effect of this infrastructure bill provision would likely be bad for good actors and neutral for bad actors.
Beyond the societal costs that impact everyone, KYC comes with major costs for the most vulnerable members of society. A natural effect of KYC is that anyone who wants to participate in society needs to have a government-issued ID. This seems harmless, until we consider the types of people who either do not have a government-issued ID, cannot get a government-issued ID or feel unsafe needing to use government-issued ID. The people who have trouble getting government identification typically come from a difficult background. Whether this is someone with deadbeat parents that never registered them with the state or a refugee with no official records on hand, KYC requirements exclude people from society, often based on factors that are completely beyond their control.
Even people who have government-issued IDs may not necessarily feel safe putting their information out there where it can be leaked, hacked or sold to unknown actors. Victims of domestic abuse, those who escape cults and whistleblowers must fear for the safety of themselves (and their family) due to the mass availability of their personal information. If a major goal of KYC is to protect the most vulnerable among us by preventing heinous crimes, then we cannot ignore instances where KYC does the exact opposite by negatively impacting the health and safety of the victims of humanity’s most atrocious acts.
The importance of considering the scope of offensive tactics cannot be understated. While certain types of targeted offensive tactics such as investigative work done by the police are effective tools, many of the offensive tactics employed today (e.g., KYC) are broad brush regulations that impact everyone, regardless of their relation (or lack thereof) to criminal activity. Police work directly affects those who are involved or adjacent to a crime, while KYC directly affects every single person in the entire jurisdiction.
Bitcoin Presents Hope
While broadstroke offensive tactics provide a litany of downsides with questionable upside, there is yet hope. If the goal is to prevent bad actors from winning, defense is more important than offense due to a key asymmetry: if you score, you might win; if your opponent does not score, they cannot win. Thus, providing the tools for individuals to defend themselves and others is paramount.
KYC is a clunky, one-size-fits-all approach. As such, it is destined to be mostly ineffective, as individual criminals can adapt far faster than national or global KYC regulations can. Encryption, however, provides a defensive tool that individuals can harness in different ways, depending on the circumstances. Encryption, when done properly, is unhackable and thus completely private from any and all attackers. It is the ultimate defensive tool for individuals in the digital age. Remember, if attackers cannot score, they cannot win. Whether encrypted messaging (e.g., Signal), encrypted email (e.g., ProtonMail), or encrypted value (e.g., Bitcoin), encryption gives power not only to those who want privacy, but most importantly, to those that truly need privacy. While KYC harms vulnerable people that require privacy, encryption enables these same people to defend against threats.
The current state of the world makes it quite difficult to live in society without consistently giving up private information. However, this is quickly changing. First, the increased amount of data collection and surveillance has woken many people up to the importance of privacy. The common question of “why do you need privacy if you’re not a criminal?” is being challenged more potently with each major data leak and each personalized advertisement based on an item mentioned in a private conversation. While increased surveillance has forced many to start caring more about their personal privacy, perhaps the most important development is the increase in encryption-based tools available to the world.
For many, the introduction to Bitcoin, the world’s premier encrypted money, leads them to discover the world-changing power of encryption. Bitcoin uses encryption to provide the most defensive form of property that has ever existed. It is an unhackable method of value storage which can be effectively teleported anywhere on earth, secured across multiple physical jurisdictions using multisig or carried across borders via memorization. Traditional forms of value storage such as gold, dollars and real estate are limited either by their physical nature, regulations such as KYC or both. Dollars cannot be teleported across an ocean in ten minutes. Gold cannot use multisig to distribute its bearer properties across different physical locations. One cannot memorize words, flee a dangerous situation and use those words to regain access to one’s house once in a safe location.
Many politicians argue that Bitcoin and other encryption-based innovations are a threat because they cannot be regulated like more traditional technologies. Others conclude that encryption-based technologies are primarily for evading taxes or hiding bad deeds. Both completely miss the point by framing the situation through the lens of the existing system. Encryption is a step change in the fabric underpinning our entire society. Never before has there existed a thing that is non-confiscatable, unhackable and undestroyable.
Encryption allows for these things to exist, while Bitcoin provides the financial incentive for people across the globe to learn, use and advocate for encryption. The critics are indeed correct that Bitcoin and other encryption tools cannot be regulated and can be used to evade taxes or hide bad deeds. However, their being correct is as useless as a king from the 1400s realizing that the printing press can be used to print information he does not want to be published. In the long run, they are fighting against an inevitable force that cannot be shut down, hacked or destroyed. When faced with an inevitable technology, it is far better to embrace, build upon, and advocate for its positive qualities than to waste energy trying to stop it. Fortunately, all types of people from across the world are starting to realize this, with Bitcoin leading the way due to its embedded financial incentives.
The power and availability of defensive tactics has never been as strong as it is today. The reality is that criminals can and will use the most powerful tools available to them in order to commit terrible crimes. This has and always will be true. Again, we must remember the importance of defense over offense: an attacker cannot win if they cannot score. Would-be victims and those living in fear can now start to improve their safety by simply reducing their attack surface. If we want to help the most victimized people among us, we must encourage the distribution of defensive tactics to empower everyday people rather than take untargeted offensive actions that harm everyday people.
This is a guest post by Mitch and inspired by @AnarkioC's Medium post. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.