When Crypto Exchanges Hold More Than Your Money

Feb 1, 2018 at 13:05 UTC
Updated Feb 2, 2018 at 11:46 UTC
OPINION

Marc Hochstein is the managing editor of CoinDesk and a former editor in chief of American Banker.

The following article originally appeared in CoinDesk Weekly, a custom-curated newsletter delivered every Sunday exclusively to our subscribers.


Each of these three stories out of Asia is significant on its own, but when you read them side by side they tell a much bigger, global story.

First, on Jan. 23 South Korea’s financial regulator set a date for the introduction of a new rule barring anonymous cryptocurrency trading accounts. (Or, as some sensitive snowflakes out there prefer we’d put it, “requiring customer identification for crypto trading accounts” – we never imagined anyone in this space would want to sugarcoat unwelcome news with euphemisms, yet here we are. But I digress…)

The very next day, a different South Korean agency fined several cryptocurrency exchanges for failing to secure customer data. “While the security threats such as virtual currency speculation and hacking of handling sites are increasing, the actual situation of personal information protection of major virtual currency exchanges is very weak,” warned the chairman of the Korea Communications Commission in announcing the fines.

Topping it all off, on Jan. 26, Coincheck, a crypto exchange in Japan, admitted it had been hacked in what appears to be the largest single theft in cryptocurrency history. Some $533 million-worth of a mid-tier crypto known as XEM were pilfered.

So let’s step back here. Taken together, these events remind us that:

  1. Concerned about money laundering and financial crime, international regulators want to make sure crypto exchanges, like most financial intermediaries, know who their customers are. Depending on how much crypto a user trades, this entails the exchanges collecting all sorts of personally identifiable information: real name, address, a copy of your passport, even a selfie.
  2. The exchanges aren’t very good at securing this data. Which isn’t a surprise, because…
  3. They aren’t very good at securing users’ funds, either.

Experienced crypto users will tell you that the answer to No. 3 is to keep most of your coins in cold storage and use the exchanges only for assets you’re actively trading. But the first two observations present a much knottier problem.

In short, the juxtaposition lays bare the fundamental tension between compliance with anti-money-laundering and know-your-customer laws, on the one hand, and data privacy on the other.

No easy fix

There are a number of ways to potentially resolve this conflict:

Revisit AML laws. Ha. Fat chance.

Not that these don’t deserve greater scrutiny. Libertarian early adopters of bitcoin may overstate their case (and invite ridicule from smug, soy-eating bluechecks) when they declare “money laundering is not a crime.” A better way to put it is this: It stands to reason that covering up a crime is itself a crime, but should it be a crime to obscure activity that is not itself illegal or harmful, simply because doing so inconveniences law enforcement?

Some would say the answer is yes. There is a lot of nasty activity going on out there, even if you exclude victimless crimes (those involving only consenting adults). But the question needs to be asked of policymakers more than it has been. Still, don’t hold your breath for much in the way of change in a political climate shaped by 9/11, Charlie Hebdo, San Bernardino, etc.

Exempt crypto businesses from AML laws. LOL, JK. See above.

Require exchanges to tighten up cybersecurity. Say what you will about Benjamin Lawsky, but the former New York State regulator and architect of the BitLicense recognized the importance of diligent security practices for digital asset custodians. In fact, the strict cybersecurity standards he wrote for cryptocurrency firms in that controversial regulation were later imposed on traditional financial institutions on the NYS Department of Financial Services’ watch (over their objections).

Granted, the BitLicense hasn’t exactly been a roaring success, with a grand total of four licenses granted since the regulation took effect in 2015 (unless you count the two trust charters given to applicants). Most startups in the crypto space have simply avoided doing business with Empire State residents or performed contortions to get around the regulations, viewed as onerous for a number of reasons. But the cybersecurity requirements aren’t usually cited among them.

More to the point, though, this approach still amounts to saying “thou shalt collect and store nuclear waste – oh, and you better secure it, too.” More creative solutions might be in order.

Thread the needle. In other words, find a way to satisfy the objective of fighting crime without making businesses hold all this data in the first place.

For example, there is an adjacent ecosystem of digital identity startups and open-source projects aiming to create personal data vaults and reusable IDs. Although models vary, a common thread is that instead of giving the keys to your identity to every stranger you do business with, you could just present them with proof that you are entitled to access a given resource.

For example, a bouncer at a club needs to know you’re old enough to drink, but not your exact birthday; similarly, if you can prove to a bitcoin exchange that you’re not on the U.S. Treasury Department Office of Foreign Assets Control’s sanctions list, maybe they wouldn’t need that copy of your passport.

The big idea is that not everyone you trade with needs to know who you are as long as someone knows who you are. Law enforcement could still trace transactions through the blockchain, to an exchange, and ultimately to an identity provider that could identify the user under court order.

Generally this concept, articulated in the 2014 Windhover Principles and elsewhere, sounds like an improvement on the status quo. But real-world applications have been rare.

Also, you could argue that even if put into wider practice, these ID solutions might amount to a mere rearrangement of deck chairs, at best. If we no longer have lots of nuclear waste facilities, but instead have a few big nuclear waste facilities (with back doors for law enforcement to boot), won’t that make identity thieves’ job even easier?

And finally, even if these ID providers are secure, who’s to say they’d insist on seeing a warrant before giving up your data to the government? The Snowden revelations showed how the odious “third-party doctrine,” which states that citizens have no reasonable expectation of privacy when they give information to a business, has undermined Fourth Amendment protections in the U.S. It’s hard to trust governments to respect constitutional limits on their power in this day and age, and Donald Trump occupying the Oval Office is really the least of it.

One sincerely hopes that the development of decentralized exchange will eventually make the issue moot, at least as it relates to trading of digital assets. Until then, stay vigilant about protecting your money, your personal information, and your civil liberties.

Chalkboard image via Shutterstock