On Tuesday, the United Nations kicked off the second-to-last round of negotiations for a new international treaty on cybercrime. The latest draft includes language that, if adopted, would impose sweeping surveillance requirements on cryptocurrency and threaten financial privacy worldwide.
Article 93 of the draft treaty would require all nations that sign the treaty to implement onerous financial surveillance laws for cryptocurrency. Those financial surveillance laws would apply to any organization “engaged in activities related to the circulation of digital financial assets and digital currency,” even if they are nothing like a traditional financial institution. Like the dangerously broad Digital Asset Anti-Money Laundering Act introduced in the U.S. Senate, this incredibly broad language could be interpreted to include software developers, custodial and self-hosted wallet providers, miners, validators, nodes, non-fungible token non-fungible token (NFT) trading platforms and even users.
Marta Belcher is the president and chair of the Filecoin Foundation and the Filecoin Foundation for the Decentralized Web, as well as general counsel and head of policy at Protocol Labs. Kurt Opsahl is the associate general counsel for cybersecurity and civil liberties policy for the Filecoin Foundation. Their views are their own.
Those organizations would be required to implement intrusive mass surveillance systems and turn over their users’ sensitive financial information to the government automatically. They would need to collect identity information for all users engaging in transactions, maintain that sensitive data so that it can be handed over to the government, monitor for “suspicious” activities and automatically report certain transactions to the government. In addition, when any person is suspected of “possible involvement” in a cybercrime, these organizations would have to give the government not only the financial records of the suspect, but also the financial records of the suspect’s “associates” and family members – a shocking overreach.
In addition, those organizations could be required to “apply enhanced scrutiny” to any individual identified by any government that is a signatory to the treaty. Because the U.N. includes states with problematic human rights records, this provision is deeply concerning because it allows countries to designate people in other jurisdictions as targets for “enhanced scrutiny” for dubious reasons.
For blockchain network participants like developers and miners, compliance is not only onerous but in many cases impossible. For example, software developers have no idea who the end-user of their software may be, and cryptocurrency miners and validators have no way of knowing the identity of the people whose transactions they are facilitating.
Read more: Marta Belcher: Reframing Privacy for the Digital Age
In addition, the draft Article 93 attempts to eliminate any “banks that have no physical presence and that are not affiliated with a regulated financial group.” While “bank” is not yet defined in the treaty, this could be interpreted to encompass some decentralized finance projects, even if they’re otherwise lawful. Nations signing the treaty would be required to prevent such “banks” from being established in their own countries.
The negotiations have been ongoing for over a year, with language expected to be finalized in the fall. More than 130 human rights organizations and academics from around the world have already raised concerns about the adequacy of the treaty’s human rights protections, and tech policy experts have questioned its effectiveness against cybercrime. While protecting against ransomware, malware, and other attacks from cybercriminals is a noble goal, laws designed to enhance police powers in the name of crime prevention can too often lead to civil liberties violations.
Many leaders from civil society are taking part in the negotiations and working to make sure that the treaty respects human rights. We urge all those participating in the negotiations to push back against Article 93’s sweeping financial surveillance requirements in order to defend financial privacy worldwide.