FinCEN Spying Plan Invites Privacy Workarounds

Tue, Mar 26, 2013 - 8:20am

Originally posted at American Banker

The dangers to financial privacy are monumental. Consider an Obama administration plan to give spy agencies unfettered access to data on American citizens and others who bank in the U.S.

Suspicious Activity Reports, filed by financial institutions that operate in the U.S., are the primary documents that the Financial Crimes Enforcement Network intends to share. The reports cover all personal cash transactions exceeding $10,000, suspected incidents of money laundering, loan fraud, computer hacking and counterfeiting.

The Treasury Department proposal, revealed by Reuters last week, aims to consolidate financial data banks, criminal records and military intelligence. This initiative will put intelligence agencies, such as the Central Intelligence Agency and the National Security Agency, on the same footing as the Federal Bureau of Investigation, which currently does not have to make case-by-case informational requests to Fincen.

Also under the new proposal, Fincen's database would be linked to the Joint Worldwide Intelligence Communications System, which U.S. defense and law enforcement agencies use to share classified information.

Money was never meant to be a method of supranational identity tracking. Its use in that way could signal some level of law enforcement desperation. When all other enforcement tactics fail, surveil the finances.

More than 25,000 financial firms, including banks, securities dealers, casinos, and money transfer agencies, routinely file "suspicious activity reports" to Fincen, according to the Reuters article. Banks and other firms tend to over-report some financial details of ordinary citizens: the requirements for filing are so strict that they don't want to be accused of failing to disclose activity that later proves questionable.

Increasing encroachment on financial privacy, like this Fincen move, "raises concerns as to whether people could find their information in a file as a potential terrorist suspect without having the appropriate predicate for that and find themselves potentially falsely accused," Sharon Bradford Franklin, senior counsel for the Rule of Law Program at the Constitution Project, told Reuters.

One protection against being scooped up in a fishing expedition and falsely accused is the use of virtual or alternative currencies. But this week, Fincen issued guidance on virtual currencies and regulatory responsibilities.

Clarifying the circumstances where the "money transmitter" definition applies under the law, Fincen classified decentralized virtual currency as a convertible virtual currency that has no central repository and no single administrator, and that persons may obtain by their own computing or manufacturing effort. Although bitcoin was not singled out by name, the guidance appears directed at cryptocurrencies that operate in a peer-to-peer, distributed fashion such as Bitcoin.

The primary impact of the likely tighter compliance will be felt by the bitcoin-to-fiat exchanges operating in the U.S., and this will lead to jurisdictional competition, as seen in online casino gambling, where the more entrepreneurial jurisdictions rose to dominance by embracing the technology early and not overregulating.

Almost serendipitously, discussions about adding privacy extensions to the Bitcoin cryptographic money protocol have been increasing lately.

Bitcoin is nonpolitical money and it falls outside the scope of reporting financial institutions. Since bitcoin does not provide user and transactional privacy by default, multiple bitcoin wallets and Tor, a client software and volunteer server network that enables online anonymity, can enhance privacy without modification to the core Bitcoin code. Nonetheless, code-modifying proposals for augmenting Bitcoin privacy have been introduced. One idea calls for automatic mixing techniques, which would periodically give all users the opportunity to shuffle coins among one another, making the money harder to trace without implicating individuals. Another concept is "coin control," a method for users to select which of their wallet’s multiple addresses to use as the "from address" (currently picked somewhat randomly by the client software).

Various proposals for improving bitcoin privacy include "Patching The Bitcoin Client" (2011), "Automatic Coin Mixing" (2012), "Coin Control" (2012), and "Yet Another Coin Control Release" (2013).

Also, a recent cryptographic bitcoin privacy extension submitted by researchers from The Johns Hopkins University was accepted for presentation to the IEEE Symposium on Security & Privacy in Oakland, Calif. The paper, "Zerocoin: Anonymous Distributed E-Cash from Bitcoin," will be introduced on day two of the May conference.

Having received a preliminary copy of the academic paper, I interviewed Hopkins research professor Matthew Green about some of the details of Zerocoin.

Operating as a decentralized layer of anonymous cash on top of the existing Bitcoin network, "Zerocoin creates an 'escrow pool' of bitcoins, which users can contribute to and then later redeem from," Green explained. Users receive different coins than they put in (though the same amount) and there is no entity that can trace your transactions or steal your money. "Unlike previous e-cash schemes, this whole process requires no trusted party. As long as all the nodes in the network support the Zerocoin protocol, the system works in a fully distributed fashion," added Green.

Zerocoin developers are working on improved efficiency because implementation is impractical today given the space constraints of the “blocks” that make up the Bitcoin public ledger. "For one thing, the transactions are very large (40kb to spend a coin)," Green said. "While this isn't the end of the world – and bandwidth is always increasing – supporting these would put quite a strain on the block chain."

When I asked Green about the possibility of a "back door" for law enforcement that had been floated recently, he clarified, "The back door isn't part of Zerocoin. There's absolutely no need for it, and building one in would take significant additional effort. In fact, we only mentioned it as a brief note in the conclusion of our paper, mostly to motivate future research work."

If someone did try to build a back door for any reason, the open source Zerocoin would quickly become Zero-adoption.

About the Author

e-Money Researcher