Saturday, June 22, 2019

Perspectives on Ca-Libra # 1. Getting rid of three smokescreens

This week the world has witnessed the announcement by Facebook of Calibra, a digital currency wallet and company. The wallet holds Libra, a virtual currency, with the idea that it will be used globally. Its distribution and use will be further promoted, organised and executed via an association of partners, called the Libra-association. The information pack (download here) also outlines more technical details on programming languages, future plans and commitment to regulatory compliance.

Immediately thereafter, a storm of analysis emerged in order to understand the initiative. Quite some politicians and regulators are eager to quickly respond and that is completely understandable.

Facebook is not just the grocery shop around the corner, dabbling about with some new technology. It has allocated significant resources to the development of Libra. With a customer base of at least 2 billion (close to 25% of the world's population) it is an entity that in itself acts as a world-wide platform and does not need others to achieve a network effect.

Perspectives as the approach for this series of blogs
As the Libra-initiative can be viewed from many angles, I plan to write this series of blogs and label them as perspectives. It's always helpful to view things from a couple of angles and that is precisely what I intend to do. This means we will be looking into definitions, regulatory regimes, business case and previous historical analogies. And as we go along I will take stock of developments and responses.

As you may notice, I will be judging Facebook by a very high standard. The reason for that is simple. If an organisation has so many resources available, I expect them to come up with careful, consistent and accurate thinking, wording and technology. And as a sneak preview: this is not what we got over the last week.

While the maturity of the exercise may look impressive to some observers, the huge inconsistencies and home-brewed interpretations of what a blockchain is cannot be a coincidence. We can see an announcement that Calibra will become available in 2020, while the state of thinking mid-2019 is 'early in the process'. This is accompanied by a PR-smokescreen on cryptocurrencies that doesn't help our understanding of the effort.

So the very first challenge that exists, when discussing the Ca-Libra virtual currency initiative, is to separate fact from fiction and to be precise in terminology. That is why this first blog seeks to get rid of the three biggest smokescreens that we were facing this week.

Smokescreen #1: Libra association is not an ecosystem but a payment association with added functionalities
If we start with the source of payments revenue for Facebook, this originally all boiled down to payments related to Flash games (in 2015). But technical problems in Flash would hit their revenue. So they quickly understood the need to be more flexible and to be able to operate different business propositions and solutions. Therefore they moved towards licenses in the US (cash via messenger) and in Europe. They also moved the US e-cash system to France and UK, but announced 2 months ago that they would drop it in Europe per June 15, 2019.

And now, per June 18, 2019, Facebook essentially announces that it will re-up its game, but not with electronic euros but with a self-invented world currency, backed by other currencies and liquid financial instruments. To blow away the first smokescreen, let's analyse the difference between the old Facebook e-cash or e-money with fiat currencies and the new Facebook Libra, as distributed by Libra Association.

What we can see is that Facebook seeks to move the fiat-currency of its e-money system out of its direct control and responsibility as an issuer. Facebook Payments Inc is currently the entity that is responsible and guards all the relevant rules with respect to working with the e-currency. But in the new construct Facebook Calibra is merely one validator that can use the Libra-system under open source rules. So we see the fiat-e-currency companies of Facebook stepping aside and a new Libra association entering the playing field. At the same time, the technology shifts from in-house proprietary systems to an open-source codebase in the hands of no one in particular.

| Aspect | New Facebook Libra | Old Facebook e-money |
| --- | --- | --- |
| Top organisation | Facebook Inc | Facebook Inc |
| Type of asset | Virtual Currency | E-money |
| Denomination | Libra (self-invented) | Pound, Dollar |
| Issuer / Currency creation | Libra ‘association’ | Facebook Ireland |
| Nature of issuing | No direct issuance to customers. Direct issuance to validators. | Direct issuance to customers. Direct redemption at issuer. |
| Secondary market | Secondary/tertiary market with reselling - disbursement via exchanges/other institutions | No reselling of e-money. |
| Fee structure for reselling | Unknown, but most likely the price for validators is unequal to that for exchanges or customers. | Issuance at par and redemption of full amount minus some cost |
| Issuing without customer demand | Currency base may change without actual demand of customers. | Issuance as part of buy-transaction of the customer |
| Reserve pool | 100% reserve in basket of currencies | 100% reserve in denominated fiat currency |
| Technology | Open Source community | Proprietary |
| Control and use of technology | Unknown contractual arrangements and safeguards for entities in the value chain | All usage governed by contract with issuer and financial law |

Bringing the currency to the public or ducking the issuance responsibilities?
Of course one could frame the above shift of roles as bringing a currency to the public. Facebook is however dumping its core-responsibilities with respect to shaping and operating a currency-system and moving a lot of activities to an ill-equipped new Libra association with no track record at all.

While Calibra states that it will comply with all relevant legislation, we can see that the actual information of the Libra Association in this respect is pretty thin. They issue a currency-like digital token/record but do not explain which legal regimes would apply. Also, their claim to be a not-for-profit organisation does not fully align with this Twitter thread, which outlines that it is a regular company with wider statutes.

If it looks/talks/quacks like a payments scheme, it is a ...?
In payment terms - which is what Facebook says it is aiming for - the Libra Association is essentially a payment scheme. Such a scheme defines the rules for an ecosystem that wishes to transact electronically. Examples are Visa and Mastercard, organisations that need to abide by a lot of rules in order to avoid them becoming a place of illegal cartel-agreements on price and illegitimate contract terms to end users.

With payment schemes we have huge and long discussions and deliberations of price levels. There is the obligation to ensure that there is no obligation to buy processing power from the scheme itself. There are policy views and obligations that schemes should be interoperable and open. And then there is a mountain of rules that specifies how to use the brand and which technical criteria must be complied with in order to be allowed to connect to the system. We find very little of this in the current papers on the association.

What makes this payment scheme special, a payment-scheme-plus?
What sets Libra apart from Visa and Mastercard is that the association is effectively an issuer of the currency. This means a blurring of operational roles and scheme responsibilities, which is generally considered as a bad practice in governance terms. But what is most striking is that the membership rules are not geared towards controlling/monitoring and creating a safe and sound currency. We find no mention of specific prudential licenses or governance/quality certifications required for different roles under the scheme and as a member (or shareholder).

The only thing we read is: we seek to expand, we want to incentivise the use of the token and for this we don't want the small players in the market. We aim for the big players with market power. We separate the wholesale participants from the retail participants (allowing for price upticks). And then - the devil is in the details - the customer pricing format is based on a FOMO-principle (do you want your transaction processed: please throw in some more gas).

I am curious what reasoning Facebook and its founding members have had in this respect. The whole association setup is ostensibly aimed at market dominance, without proper governance safeguards and without any guarantees as to operational security and safety and soundness of the system. If I were a competition regulator I would jump at the opportunity to wait for the founders to sign the participation agreement and deliver a letter to their doorstep, next day, to start investigating the market abuse that might be at play here.

Governance claims and reality: a scheme is a supertanker without effective governance
I have been reading all the statements on the public structure of the association with a lot of amusement. Facebook is claiming that it will bring the intellectual property into the public domain and of course all the members of the association have a voice. So this seems to be well arranged with room for consultation, discussion and changing course.

The reality is completely different, as everybody in the banking sector knows. There is sufficient experience with clearing houses and associations (even with a relatively small number of shareholders) that are unable to essentially change course, once set up. Large associations like EPC, Visa, Mastercard, are effectively orphans without parents. Stakeholders are always irritated about the fact that these associations set their own course and associations always claim their shareholders have no vision. Bottom line: if you transfer your Libra-currency design into this domain, it is quite likely to be persistent. So don't expect any radical changes after this one is live; it will be gradual evolution from here onwards.

Not just a scheme for the payment instrument, but the unit of account (and a security as well)
There is another difference between Libra and Mastercard and Visa that I would like to highlight. The regular payment schemes seek to transact efficiently, taking existing currencies/structures as a basis. But this scheme introduces a new currency itself and regulates this currency via the management of reserve assets. It demonstrates that the aim of Facebook is to design its own Facebook buck, push it into the public domain and then profit from the benefits of having their own unit of account in place, while hiding behind the members and the open source philosophy when things go wrong.

A specific element in the scheme is that the unit of account is backed by a basket of currencies and financial instruments. Effectively this means that if you buy one Libra, you buy a couple of foreign currencies. Or put differently: you participate in an open ended money market / investment fund. And you use the digital representation of your participation in this fund as a means of payment.

This is a bit of double work as this means the association and the scheme are not just subject to payments legislation but also to investments/securities legislation. But it is legally possible: the payment would legally not be a discharge of obligations via a financial payment, but via a payment in kind (currency basket).

So what do we see here?

The Libra association is a mere manager of the governance and operational arrangements and activities that come with using the virtual currency Libra and participating in the Libra scheme. This Libra scheme is a private and commercial arrangement which:
- defines a unit of account for a new virtual currency: the Libra,
- defines the asset mix that backs one currency unit,
- lays out the distribution and management rules of the currency units and reserve funds,
- lays out commercial rules and does a private placement to further promote the use of the Libra by giving them away (for free or at a discount).

The Libra association itself will be steering future technical development and is charged with the project goal to move the whole infrastructure towards a permissionless setup. This is completely impossible (as these associations act with oil-tanker dynamics) but that brings us to the next smokescreen.

Smokescreen #2: Libra is not a blockchain, not a cryptocurrency but a digital virtual currency / financial instrument
It was fascinating to see that the carefully crafted and prepared introduction of the Libra sought to position it as blockchain and as a cryptocurrency. This creates a lot of noise. Also, the use of similar words for different concepts and organisations is confusing.

We should distinguish between:
1- Calibra, the organisation, a 100% subsidiary of Facebook, acting as a validator node,
2- Calibra, the branded digital wallet developed by Calibra to carry the Libra virtual currency,
3- Libra, the digital currency that will be in the Calibra wallet,
4- Libra, the reserve pool of assets that backs the digital currency,
5- Libra Core, the Network or 'blockchain' that forms the core operating technology for clients and validators,
6- Move, the programming language developed for the Libra Network,
7- Libra, the association governing, promoting and executing the virtual currency system,
8- Libra members, big commercial players that may join the Libra association, provided that they are a validator.

What struck me in the communication is the flagrant redefinition by Facebook of the concepts blockchain and cryptocurrency. Facebook really wants to be seen as doing some cryptocurrency stuff. But they don't. Just for fun I will be comparing the Facebook FAQ with the wisdom of the Wiki-crowd.

Libra is not a blockchain
Facebook succeeds in not mentioning the fact that blockchains are, by definition and terminology, a chain of blocks, linked together. Wiki has it right.


What is a cryptocurrency exactly: native currency of an open blockchain
Wiki states that the decentralized control of cryptocurrencies works through distributed ledger technologies, typically a blockchain. Personally I would not have mentioned those ledgers, as the blockchain is not so much a ledger as a journal (log roll of transaction entries). And apps are creating the ledger feeling for blockchains. But let's look at the wording in the image.


The wording of Facebook is interesting. It speaks of using cryptocurrency due to the use of strong crypto. This leaves out the issue that cryptocurrencies may be native to blockchains (as in chains of blocks). And then Facebook moves on to cryptocurrencies being built on blockchain technologies.

Which is true of course, but if I use all the parts of an airplane to build a firmly grounded restaurant, this doesn't mean that my restaurant is still an operational airplane. It is built on airplane technology, but the wording matters. Facebook puts up a smokescreen here to position itself in the blockchain community.

Libra is not a cryptocurrency
The funniest part of the Facebook FAQ was the mere statement that the Libra is a new cryptocurrency designed to have a stable and reliable value. Coming from a perspective where cryptocurrencies are inherent elements of open, truly decentralised permissionless blockchains, this is an interesting statement. It demonstrates that Facebook wishes to be a cryptocurrency but it isn't.


The text above also shows that Facebook has its eyes on the stablecoins that are around. These stablecoins are, in my view, privately issued currencies, with the goal of a fiat peg. The stable-'coin' is used a lot in the cryptoworld to facilitate fiat/crypto exchanges in times when the financial system is not online. The fact that this currency is used a lot in the cryptoworld does not, however, make it a cryptocurrency in the terms of an inherent currency of an open permissionless blockchain.

Libra, what is it then, in regulatory terms?
My conclusion, after quite some pondering and tweeting is the following.
Libra is a privately issued and distributed digital and virtual ‘currency’, that is intended to function as a means of payment. It is not a true currency because its actual composition/counter value is a basket of fiat-currencies and financial instruments. It is not e-money as the Libra is not ‘monetary value’. The digital value qualifies as a financial instrument (a mini-participation in an open ended investment fund) and is used in an open source payment instrument, to be used for payment and acquiring. Both payments and securities legislation apply, as well as the relevant competition and consumer protection rules.
The Libra association is the scheme owner and scheme operator of the Libra virtual currency. This currency/investment can only be bought directly by members of the Libra association. Other entities or customers must revert to second tier players, exchanges or peer-2-peer applications. Technical development of applications is encouraged and rules to secure the application by contract or licensing seem to be absent.

Due to the blending of scheme and operations, the Libra association cannot really be viewed as the beginning of a proper payment scheme. Functionality, pricing and membership rules make Libra and the Libra association an easy target for consumer/data protection and competition supervisors, bank supervisors and securities supervisors.

Smokescreen #3: Libra is not a charity exercise that seeks to operate a public good but a commercial enterprise
A huge amount of effort has gone into convincing the public this week that Libra is all about helping the rest of the world. Getting more inclusive finance. Making payments faster, easier and such. It is striking that these statements mirror the claims that originally come from the Bitcoin community or from the Fintech community.

Of course those claims strike a chord. People may well be fed up with their banks, and the perception of banks with slow procedures and expensive fees for foreign payments is an easy target for PR-people who want to position their initiative in a friendly way to the public. Who doesn't want to take on the banks and improve the world?

Commercially, the thinking of Facebook is most likely to be that it needs to counter the WeChat Pay dangers and all other Fintech movements that lead to easy in-app payments. Payments will increasingly be an afterthought and harvesting the data in those payments will allow for even higher ad revenues, as Facebook will see what works and what doesn't. Interestingly Facebook did not increase the speed of its current developments; it chose to move up the value chain, towards setting up its own currency and hoping that it will work as a unit of account (and may stay in the system for long).

Of course, the move by Facebook is a big signal. But we must note that there are still also other players that could make the same move. Which would lead to some form of a duopoly (as with Mastercard and Visa) and the need to agree on interoperability or on open access to infrastructures of the big techs involved. I did not come across this notion a lot, so far.

The public good narrative: unbelievable coming from Facebook
What struck me most, coming from Facebook as a centralised company that is not interested in respecting democracies and laws written by those democracies, is the sketch of opportunities in the White Paper. And do have a look at the phrasing on public good.
Given that by now I hope to have convinced you that the design of the Libra association and its constituency is far below the usual standards to be expected from payment schemes, you can imagine that I was unable to reconcile these laudable beliefs with the actual proposition.

If you truly wish to create a new public good, a new worldwide currency, it is not impossible to deliver this with private sector entities. There is a whole range of public policy theories (delivery of universal services or service of general interest) that can help out here. But putting the richest, biggest enterprises of the world in one room, to distribute a world currency/investment proposition without proper safeguards or recognition and qualification of the activities of the issuing association is not the way I would go about it.

Facebook cloaking its plans in cryptoterms, but why?
Let's face it. This whole complex open source, cryptocurrency story that Facebook has published is not necessary. If Facebook Payments Inc or Facebook Ireland wishes to change its currency mechanism towards a different setup it could do so itself. Why is there a need to involve other stakeholders with a trendy and hip storyboard on decentralisation, blockchains, cryptocurrencies and such?

It can't be a money issue. Facebook has sufficient resources to fund the whole exercise itself. And the quality of the exercise could then convince other commercial partners to join. So why the need to step out of its digital currency issuing role itself?

To me it is pretty clear that Facebook seeks to move up in our lives. Doing our financial business is not enough. It is all about entering our mind at a deep level. At the fiat currency level. We should think prices in terms of Libra, not in terms of fiat currency. And there is a good power reason for it. Because as long as Facebook uses digital fiat currencies it can be under the rule of the government that issues it. Now, by having a basket of currencies, Facebook can kick out currencies/countries if need be. State regulators and supervisors lose their power.

In addition, Facebook chooses to limit its own role and hide behind a Swiss association, to cover the fact that they don't want to take the responsibilities that come with issuing a worldwide association. They are suckering/forcing partners into joining this programme, without alerting them to the obvious violations of competition rules that may arise. They leave out all mentions of safeguards and contractual arrangements that can aid in ensuring operational integrity for this worldwide currency. Rather they throw the technology in the public domain, knowing well that this means that its use cannot be fully controlled.

It is no surprise that politicians and regulators were keen to act. Their immediate response was that this was a further extension of an amoral company that stops at nothing. As Maxine Waters outlined in the US, when asking Facebook to stop further development:

Reversing the statements to see what's hidden in plain sight: ruthless selfishness
As a thought exercise I was wondering: if they claim that it is a blockchain and cryptocurrency, while essentially it isn't, shouldn't we also reverse the other statements to see what is truly happening here?

I leave the result for you to ponder and thank you for bearing with me in this ultralong blog.
Up next I expect blog 2 to be about EU-definitions and legislation.

THE THREAT
As we, as Facebook are in it strictly for our own goals, we intend to hide our true intentions and motivations so we can fool the community and our partners in the ecosystem to go along. 
We believe that many more people should buy financial and identity services from our company specifically, even when doing so will come at a higher cost than the available alternatives. 
We don't believe that people have an inherent right to control the fruit of their legal labour. 
We believe that global, open, instant, and low-cost movement of money will create immense economic opportunity and more commerce for us in particular. 
We believe that people will increasingly trust centralized forms of governance. 
We believe that a global currency and financial infrastructure should not be designed and governed as a public good. 
We believe that we don't bear a final responsibility ourselves to help advance financial inclusion, support ethical actors, and continuously uphold the integrity of the ecosystem.


PS. I have changed the definition on June-24, to reflect that the currency is a mini-investment fund which is used in an app/ecosystem that would qualify as a payment instrument. Definition blog will follow.

Friday, June 14, 2019

FATF as in: Facebook As The Foe or Facebook As The Friend ?

Dear Mr Billingslea, dear Members of the FATF and dear civil servants in the room,

As you are nearing the end of a very productive year I wish to commend you on your very hard and wise work of the last year. If we look back on the objectives that the President laid out for 2018-2019 we can see the many accomplishments of this year. It has been a very productive year and one that will be remembered for many years to come. Because you will define what FATF truly stands for. 

Of course there are some commentators that challenge the legitimacy of your work on virtual assets. They outline that your so-called open-ended mandate is by definition constrained by the boundaries set by Human Rights Treaties, UN Resolutions, Fourth Amendments or rulings of the EU Court of Justice (Tele2) or the US Supreme Court (Carpenter). And they outline that effectively the FATF Standards are leading to a privacy infringement under those Human Rights agreements. I leave those comments aside for now. Historians and judges may be the judge for that.

For now, I wish to draw your attention to a practical dilemma that you will be facing the upcoming week. The dilemma is: does FATF stand for Facebook As The Foe or Facebook As The Friend? 

The answer depends on your own view: which society do you wish to leave behind for your kids?

FATF: Facebook As The Foe
While you were looking out of the frame of libertarian misuse of virtual currencies for all kinds of criminal purposes, you may have forgotten to look out the other window: at bigtech players such as Facebook and Google. Widening your view is of particular relevance now that you are about to endorse a virtual asset recommendation that obliges names of citizens to be sent along with virtual asset transfers (one way or the other).

Let's take a closer look at Facebook. They have thrown the privacy of hundreds of millions of people under the bus. They opened up their systems to developers and allowed mass scale harvesting of personal data to other companies. They have come under severe criticism for this. And they changed a lot of operations, moved people out and such, all in order to counter the criticism about their harvesting of data. Bottom line: they need to remove personal data or ensure that they have proper consent from citizens that are properly informed on the whereabouts of their personal data.

Their latest project is a cryptocurrency / virtual asset programme, with the name Libra. It leads to the creation of a world currency, backed by a combination of assets. And Facebook will cooperate with other bigtech and Fintech players to make it happen. As the Wall Street Journal outlines:


FATF-virtual asset rule: cryptonite to send and harvest personal data without caring about consent
I am wondering if you have thought through your recommendation on standards for virtual assets sufficiently. Are you aware that Facebook itself will become a huge Virtual Asset Service Provider? Are you aware that it is now soliciting other big tech companies to become verification nodes in their virtual asset programme? And are you aware this means they don't have to ask any consent from the users who use their coins, to add name information in or with the transaction (whichever way they see fit, as long as they oblige)? And this information must also be shared with counterparts (if any), meaning that if I operate a verification node, I am sitting on the information as well?

The unintended consequence of what you are doing with the virtual asset rules is that, in times of personal data as the economic fuel for society, you are handing out cryptonite to all kinds of private sector players that want to have a free pass for passing on and harvesting personal information. All kinds of other companies may follow suit as the FATF-rule is really an easy tool in the box of companies that actively seek to engage in regulatory arbitrage to avoid privacy rules as much as possible.

Facebook as the Friend....?
The other alternative is that the FATF effectively sees Facebook as a friend. You are aware of the above consequence and view it as a necessary consequence that will be very helpful in capturing the criminals of the future. That would mean that with the FATF-rule you have deliberately chosen to marry with bigtechs.

Now if I imagine the biggest data-harvesting company in the world marrying the world-wide law enforcers, I must say I am sort of afraid to imagine what their kids will look like. This would be too big a confluence of private and public sector roles and it will have a disastrous impact on the world. Some may argue that we were already living in Orwell's 1984, but with this rule you will have definitely sealed the deal.

What you may just do when agreeing to this virtual asset rule, is outlaw all the citizens of the world. Their data are free for all to harvest and in the process you will ride along to see if you capture a terrorist every now and then.

Historic data does show, by the way, that all the virtual transaction data will not really help as evaluations of the impact of the travel rule indicate that the number of crooks preventively caught in 15 years of its use can be counted on one or two hands. It is always other law enforcement info that gets you to detect them beforehand, never the transaction data.  

What will FATF stand for: which kind of society do you leave behind?
Will FATF stand for Facebook as the Foe and will you reconsider virtual asset article 7b?
Or will FATF stand for Facebook as the Friend and will you outlaw all personal data of world citizens?

Next week the choice is up to you. I have a hunch you will be going for the Facebook is my Friend model. Because in your groupthink you may be driven to annihilate all kinds of perceived criminal evil even when the tools for doing so are ineffective. Or just because you are inclined to do as you are told and answer the call of your bosses as they said to approve the virtual asset rules.

Thereafter, you may end up seeing your choice annulled by judges. This may be the result of lengthy procedures or otherwise geopolitical incidents in which one of the kids of the marriage of FATF and Facebook will have turned evil. And then, each one of you in the room will have to answer towards its citizens, politicians, children and grandchildren: how did you not see this coming? 

Don't finalise the paragraph 7b text
I call upon you to consider the above with an open mind and an open heart.
Do the right thing: vote to re-consider or postpone finalisation of the paragraph 7b text.

Postponing allows for more time to explore all impacts and consequences and have a further debate on what you wish the true acronym FATF to stand for.

Simon Lelieveldt

Sunday, June 09, 2019

G20 and FATF should not infringe on the human right to privacy by prescribing mass surveillance for virtual assets!

Over the past weeks, I have been sounding the alarm as to the envisaged FATF-recommendations in the area of virtual assets. Essentially they require the private sector to build in a privacy leaking front-door in all blockchain applications, so that law enforcement officials in the whole world will have useful information already available nearby (rather than having to ask for it when need arises).

While at first I merely looked at it technically, seeing it as a disproportional silly measure by regulators who don't understand blockchain technology, over the past weeks I have learnt that it could also be viewed as part of a larger debate on the human right to privacy. People sent me more information on this matter including this dissertation (link: M. Wesseling: mustread!).

The dissertation outlines how a similar measure in the banking domain (the travel rule) was first rejected in the US Congress, only to be adopted within weeks after the 9/11 attack. The dissertation also shows the mechanism of depoliticisation: making something a technical 'thingy' in order to avoid the true political debate on public interests that need to be balanced.

State vs citizens: police versus privacy 
What is at stake here is a political debate on the degree of surveillance measures that a society needs to prevent criminality versus the degree of human privacy and freedom that people need to live a dignified life in which they can communicate freely and are innocent until proven guilty (and not the other way around).

Let's have a close look at the two fundamental public policy issues at stake:

The human right to privacy in a digital age
Under UN Resolution 28/16 (the right to privacy in the digital age), article 8.2 of the European Convention on Human Rights and the EU Court decision on data retention (ECLI:EU:C:2016:970), the EU understanding on mass surveillance of personal data of innocent persons is that it may very well constitute a violation of the right to privacy in cases where it is disproportional and no sufficient safeguards are in place.

However, the human right to privacy is often not taken into account when developing anti-terrorist policies. Scientific evaluations of the implementation of such policies outline that social side effects, such as excessive reporting of transactions and privacy of citizens, (often) remain underexposed in public discussions. Similarly a recent dissertation in the Netherlands clarifies that, when applying the EU Court of Justice criteria to the European Anti-Money Laundering Directive, 17 infringements of human rights can be identified.

Upcoming FATF-proposal to prevent fraud/crime/terrorism and apply broad rules to virtual assets
This is exactly what is at stake with a recommendation that is phrased in paragraph 7b of an interpretative note for Recommendation 15 of the FATF. It requires all private sector entities to register and submit the names of the parties participating in a virtual asset transfer to all counterparts in the value chain. This is not based on suspicion of criminal behaviour but required as a standard data export for all use cases and customers transferring virtual assets.

The virtual assets are defined as all non-regulated digital representations of value which may be transferred or held:
‘..countries should consider virtual assets as “property,” “proceeds,” “funds”, “funds or other assets,” or other “corresponding value”.

As such the rule effectively requires private sector market players to develop a messaging system (and adapt internal systems) to make sure future blockchain applications also function as a structure of mass surveillance. However, any law enforcement official may obtain the relevant information on a case-by-case basis with a proper legal warrant at the individual organisation involved in a virtual asset transfer. The proposed rule constitutes an unnecessary measure that brings personal data of innocent people into the public domain, without any further proper guarantees for its treatment.

The rule has met with very heavy push back during a private sector consultation (in Spring 2019) due to its incompatibility with privacy laws and its unclear definition. The FATF members did not take this into account. Therefore, in the Netherlands, the NGO Privacy First joined the initiative of a group of virtual asset service providers (VBNL) to urgently request the Dutch Ministry of Finance to not approve the proposal. This has not led to any further response.

What disturbs me in the process is that the private sector has effectively formulated an adapted wording which would balance the two public policy interests more properly (see the redacted statement in the graphic below). But FATF-officials and governments appear to ignore it.



The public policy train moves on towards the G-20, without due process / democratic controls in place
Right now, the process underway is one in which we will see all kinds of news reports about the G20 Ministers of Finance discussing and deciding on virtual assets. We will see the FATF adopting its rule in their 16-20 June meeting. And then the G-20 heads of state adopting it in Osaka. There will be many news bulletins and spins outlining how important and good these steps are. And the FATF will be complimented for their laudable work in this area. But don't be fooled by the spinning.

It is important to note that there has not been a sufficient and proper political debate on the balance between human rights and anti-terrorism measures. And as we already have human rights treaties in place outlining that mass surveillance and the retention of data of innocent people are a human rights infringement, we can only conclude that our Ministries of Finance and Governments are about to make a historic and major mistake that violates their own commitments to privacy. There is no reason to boast about that.

Are all governments and private sector players benevolent forever?
What is lacking is the fundamental helicopter view on the relation between states and their people. For this I refer to yesterday's blog post, outlining the fundamental considerations that led Phil Zimmermann to develop the encryption tool Pretty Good Privacy for the people:
"Zimmermann outlined one very significant theme during his speech. He noted that the assumption of a continuous benevolent government is not realistic. Governments come and go, some may be more democratic than others and even strong democracies may turn into dictatorships, depending on the circumstances. It is therefore important to design society, governments and the technologies that we use to manage society so that they guarantee that a balance exists between the powers of government and those of the public. The public, the people should always be allowed to remain digitally out of sight of government. Such a robust structure would be important to ensure a fair treatment of the people over a long period of time."

It is too bad that our governments appear to be unable to properly balance the political interests at hand. The reality is that we do not live in paradise: both governments and market players may have ill intentions and we should be open to that fact of life. In this respect it is clear that a range of private sector players provided more than one elegant suggestion to help with the criminal perspective, while still protecting privacy. Why would there be a reason to ignore this?

I do understand the dynamics however. In the words of Ian Grigg:
'It's hard to have a serious discussion on terrorism.  It’s too much of a magic password that shuts down critical thinking.'

What's next is that we will need to resort to national and supranational courts to re-address this issue and correct our governments. Because like it or not, the future of our democracies is at stake.


------
And a video on this same topic here, for those who are more into the looking/listening mode:



Saturday, June 08, 2019

Zimmermann's relevance for discussions on human rights and ICT-security surveillance


If we look at economic and social risks of new technologies, outsiders will often immediately fall into the trap of considering this to be about the illegal use of peer-2-peer networks, applications such as bitcoin etc, for socially unwanted activities or even criminal activities. From there on it is a small step to forbid such activity, regulate it, overregulate it. But we should take a wider perspective here.

For me, Phil Zimmermann was the person who made a lasting impact when, somewhere in the late 1990s, during a speech at a digital money conference, he explained his considerations behind developing Pretty Good Privacy (see also his own explainer: Why I Wrote PGP). His argument was mainly that the new digital society has to be built in such a way that it guarantees a situation in which people are still able to communicate and act in a way that is not invaded or controlled by government tools/techniques. Whereas the old analogue world would allow the people smart analogue ways of creating their own spaces for communicating and fooling government with fake analogue id's and such, it would be much harder to do this in a digital world. Hence the need for a simple peer-2-peer mechanism such as Pretty Good Privacy.

Zimmermann outlined one very significant theme during his speech. He noted that the assumption of a continuous benevolent government is not realistic. Governments come and go, some may be more democratic than others and even strong democracies may turn into dictatorships, depending on the circumstances. It is therefore important to design society, governments and the technologies that we use to manage society so that they guarantee that a balance exists between the powers of government and those of the public. The public, the people should always be allowed to remain digitally out of sight of government. Such a robust structure would be important to ensure a fair treatment of the people over a long period of time.

It is clear that this requirement, to allow for and to actually create areas where the government cannot see what happens, means that those areas are scary for regulators. Will they facilitate crime by doing so? Perhaps. Will they allow for huge pockets of creativity? Certainly! But it will be the strong governments that are able to allow this. They will act from a position of strength and not be afraid. The weak governments, or the scary governments, or the ill-intending governments will seek to monitor everything and control all digital activities. This will certainly fail. But while doing so, they may institute tools that are very dangerous in the hands of governments when these turn from benevolent to evil. It will tilt the balance towards a situation in which ill-intending governments can no longer be overturned by a social revolution.

There is no need for governments to be afraid of technological progress in the hands of the people. It is a good thing, to be cherished and to be allowed. The simple labelling of such activity as possibly criminal is the wrong frame. The reverse is also wrong: regulators with good intentions are not by definition tools in the hands of dictators. The right frame is: dictators exist just as criminals do. Society should ensure that neither of these can become too powerful due to technological or legal measures and it is for this reason that we need to balance our human rights to privacy with the goal to prevent criminality.

Finding this balance is not easy but over the last weeks we have witnessed too many occasions where governments seem to go too far. German police wanting access to home devices. The FATF-rule on surveillance for virtual assets. Ghost accounts into WhatsApp. Giving your social media handles when entering the US. We should not let ourselves be caught in this wrong direction of intrusive government behaviour.

There is a very legitimate reason to develop and create new technologies that safeguard the public and it is a pity that many policy makers in the world may not have heard the clear message that Phil Zimmermann sent them. They really could do with opening their minds more. So for them I’m embedding this video. Just to be able to learn from history.



Thursday, May 09, 2019

FATF and EU need to fundamentally rethink their approach to virtual assets/currencies...

Virtual currencies have been on the radar of regulators for quite some time. Yet it is clear that they still struggle with definitions (which always happens when new technologies arise). The FATF is a key example now that they are seeking to harmonise international guidelines for applying FATF-rules to the crypto-world.

In this post I will look at some of the issues at stake and explain why the FATF-exercise requires a lot more time and thinking before the FATF (or EU) move forward. Do note that this is a longread, more geared to specialists in the field, than the general public.

For the public it boils down to this. The US is pushing all countries in the world to a situation where with each virtual or crypto transaction, your information needs to be distributed (by definition) to other players in the value chain.

But as the crypto definitions in countries diverge (and the FATF-definition is ill defined, potentially covering everything in the world), the only sensible thing to do is to stick with the local definitions of crypto-assets and to demand transaction information to be stored locally at the point of transaction. Any law enforcer wishing access to that information should thus approach the relevant local authority for that information.

Apart from this legal argument, we must acknowledge the recent regime changes in the world. It is by no means clear that countries that used to obey the law and follow the rule of law, will do so in the future. Thus, foreign law enforcers may become tools in the hands of local undemocratic rulers.

That is an additional argument that requires the EU (but also the FATF itself) to avoid the situation that a local law enforcer in an undemocratic country can get EU data by harvesting its home companies' data for the EU-info, without having an appropriate legal warrant under EU-rules.

And now for the longread part of it...

Definitions: always tough
Back in 2012, the ECB had a hard time grasping the concept of cryptocurrencies. They used the question of whether or not virtual currencies were regulated as their guiding principle:
A virtual currency can be defined as a type of unregulated, digital money, which is issued and usually controlled by its developers, and used and accepted among the members of a specific virtual community.

The US regulator (FINCEN) chose the following approach in 2013:
In contrast to real currency, “virtual” currency is a medium of exchange that operates like a currency in some environments, but does not have all the attributes of real currency. In particular, virtual currency does not have legal tender status in any jurisdiction. This guidance addresses “convertible” virtual currency. This type of virtual currency either has an equivalent value in real currency, or acts as a substitute for real currency. 

FINCEN then applied the money transmitter laws in an extensive way to bring exchanges of virtual currencies into their supervisory remit.

Later on, the ECB changed its definition to:
For the purpose of this report, it is defined as a digital representation of value, not issued by a central bank, credit institution or e-money institution, which in some circumstances can be used as an alternative to money. 
The EU stance remained that cryptocurrencies did not conform with definitions of funds and such in the EU legislation, hence their exchange and use was not regulated as such. Of course the integrity and consumer risks were identified and warned about.

In the FATF-context (2015) we read:
Virtual currency is a digital representation of value that can be digitally traded and functions as (1) a medium of exchange; and/or (2) a unit of account; and/or (3) a store of value, but does not have legal tender status (i.e., when tendered to a creditor, is a valid and legal offer of payment) in any jurisdiction. It is not issued nor guaranteed by any jurisdiction, and fulfills the above functions only by agreement within the community of users of the virtual currency.

While these definitions may seem to work at first sight, we still need some creativity to determine the boundaries of these virtual currencies. Essentially it is possible to bring any loyalty point scheme under these definitions, as they do not use a subject based qualification to determine what exactly virtual currencies are.

At that point in time, where the focus was mostly on payments and such, using the experience we had with e-money definitions, I suggested a framework based on objects of the digital values at hand:


| | User cannot buy tokens at all (loyalty-type) | User earns tokens and can buy additional (hybrid of loyalty/payment) | User buys and sells tokens (payment-type) |
| --- | --- | --- | --- |
| Tokens used in digital issuer-domain only | World of Warcraft | World of Warcraft | Linden Dollar |
| Tokens used in digital or physical issuer-domain only | Starbucks | Nintendo Points | Digital Payment loyalty schemes for single retailers |
| Tokens used at other entities than the issuer | Frequent Flyer Programmes | Frequent Flyer Programmes | Bitcoin, e-money on mobile phones |


I think it would be fair to say that, while we pretend to have solved the application of crypto-legislation to the payment-type currencies, we actually haven't truly done so. There are still classification issues pending, but they may have appeared to be too irrelevant to matter.

Enter: ICO's and token frameworks
The next stage however was the widening of the blockchain concept, the application of crypto to generic tokens and the use of tokens as a form of share, security or other representation of objects, value, cash flows. This led to a big confusion all around the world over whether or not to view some tokens as security tokens, utility tokens and such. So, while our first definition already had flaws, we chose a new wording to cover this brave new world: crypto-assets or virtual assets.

As ESMA noted in their warning on ICO's at the time:
Where ICOs qualify as financial instruments, it is likely that firms involved in ICOs conduct regulated investment activities, in which case they need to comply with the relevant legislation.
So the essential discussion of the application of financial law was left to local supervisors' interpretations and definitions of financial instruments.

The definition-side remained quite weak, with crypto-assets being loosely described as:
Crypto-assets are a type of private asset that depends primarily on cryptography and Distributed Ledger Technology (DLT). There are a wide variety of crypto-assets. Examples of crypto-assets range from so-called cryptocurrencies or virtual currencies, like Bitcoin, to so-called digital tokens issued through Initial Coin Offerings (ICOs). Some crypto-assets have attached profit or governance rights while others provide some consumption value. Still others are meant to be used as a means of exchange. Many have hybrid features. 

ESMA noted then that there were many variations and that it was not necessary to regulate all forms of crypto-assets. In 2019 they published an updated analysis with still a very weak definition of crypto-assets:
Crypto-assets are a type of private asset that depend primarily on cryptography and distributed ledger technology as part of their perceived or inherent value. A wide range of crypto-assets exist, including payment/exchange-type tokens (for example, the so-called virtual currencies (VCs)), investment-type tokens, and tokens applied to access a good or service (so-called ‘utility’ tokens).

In their report they distinguish between payment, investment and utility tokens, only to immediately point out that this distinction does not cover everything. So the definition issue remains, as well as the question: which type of digital token falls under which type of regulation? Hence the EU is in need of more clarity on the subject.

On the other side of the ocean, the SEC has further fleshed out how to apply generic financial sector rules to digital asset issuance/use. In a long-awaited guidance note the answer ends up being: it depends on the way you structure the functionality of the token/asset and the use between investors and issuer. So depending on those features, it may well be a regular financial instrument and facilitating trading may constitute a regulated business of operating an exchange.

The FATF-approach: hammering financial services law into hardly defined virtual assets
In essence, the idea of the FATF is now to make sure all crypto-related business is covered in a layer of regulation that at the least ensures proper KYC and AML/CTF rules. As such, this can be appreciated and understood as a recognition of the fact that cryptocurrencies and crypto-assets are here to stay. If we bring the sale of high-value items such as diamonds or gold watches under the FATF-KYC/AML remit, it makes sense to also do so for digital goods/assets/cryptocurrencies (whichever legal status they have).

We do have a problem however, which is that the definition used by FATF, since October 2018, is still shaky:
A virtual asset is a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations. 

This definition is so wide, that the FATF needs to explain:
The FATF emphasises that virtual assets are distinct from fiat currency (a.k.a. “real currency,” “real money,” or “national currency”), which is the money of a country that is designated as its legal tender.

The further definitions of virtual asset service provider clarify the intent of the FATF-definition: they wish to cover both former virtual currencies and the ICO area and use a very broad definition to describe virtual asset service providers. These are companies that for a business conduct:
i. exchange between virtual assets and fiat currencies; 
ii. exchange between one or more forms of virtual assets; 
iii. transfer of virtual assets; 
iv. safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; 
v. participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset

These definitions are very shaky ground to build on. One particularly troublesome issue is that the virtual asset definition has a negative part: it does not cover currencies, securities and other financial assets that are already covered elsewhere in the FATF-recommendations. It is a catch-all phrase that brings all loyalty points in the world under the FATF-remit. Now, the FATF will of course outline that that was not their intent, but as soon as you devise a crypto-based loyalty scheme, who is going to decide?

And taking it one step further: if I convert my multilevel marketing scheme into digitally represented agreements on a blockchain, do these new tokens qualify as a contract (not covered) or as their value and virtual assets? And how does this interpretation play out in the US vs the EU legislative context?

I am certain there is a host of applications/use cases where we will find the FATF definitions not being suitable for use. How about CO2-emission rights? World of Warcraft-tools? Shared ownership of my house or my bicycle? I would urge the FATF to do some more thinking in that respect. The negative catch-all in a definition (it is a virtual asset when all other definitions in our recommendations fail) is just not good enough.

I can only commend the FATF on one point however. The positive thing about the definition is that it speaks of representation of value. This implies a monetary or self-invented value/currency. It does not state that it is about the representation of physical assets or objects (such as real estate). Or that value can also be understood to consist of anything in the real world, to which value can be attributed (ie. everything).

Applying FATF-money transmission rules to crypto-assets: technicalities!
Right now the FATF has closed its public consultation on applying the money transmission rules to crypto-assets. They are hammering a payments-network idea onto cryptocurrencies and crypto-assets alike, not just to demand identification and transaction monitoring. The idea is also to require the addition of originator and beneficiary information to crypto-transactions:
(b) R.16 – Countries should ensure that originating VASPs obtain and hold required and accurate originator information and required beneficiary information on virtual asset transfers, submit the above information to beneficiary VASPs and counterparts (if any), and make it available on request to appropriate authorities. It is not necessary for this information to be attached directly to virtual asset transfers. Countries should ensure that beneficiary VASPs obtain and hold required originator information and required and accurate beneficiary information on virtual asset transfers, and make it available on request to appropriate authorities. Other requirements of R.16 (including monitoring of the availability of information, and taking freezing action and prohibiting transactions with designated persons and entities) apply on the same basis as set out in R.16

Where the approach worked in 2001, in a world where a payment was a payment, funds were funds and wire transfers were wire transfers, how can it work in a world where fundamentally the core definition of virtual asset or crypto-asset is as vague as it is in the EU and the US?

The whole exercise strikes me as a hasty effort, given that the authors have not noticed that the interpretative note for Recommendation 16 should also be changed to include virtual assets (exempting intra-VASP payments and e-commerce virtual currency payments from the scope). And it is clear that the US is driving the FATF to adopt the above change hastily - and without solid analysis - by June 2019.

To me, there is only one logical conclusion: in the decentralised world of virtual assets, with jurisdictions each applying different boundaries to crypto-stuff, there is no sufficiently harmonised basis to enforce the attachment of data to each transaction. Requiring service providers to hold the info and make it available by request is not a problem, but sending it out as we did with the former FATF7-rules is impossible due to the patchwork of diverging definitions.

In my response to the FATF-consultation I have outlined this problem:

In addition I would like to note that the divergent legal status of virtual assets (considering its wide definition) in different countries may have the consequence that under some local laws the transfer is not financial in nature and will not be covered under the financial legislation and AML/TF frameworks. It is possible that a sufficient legal basis is lacking in some jurisdictions to apply the crossborder wire transfer regime to such non-financial transactions and that data protection regulations take prevalence. This could be solved by applying the domestic wire transfer regime to transfers of virtual assets, regardless of their potential cross-border nature. The further application of this regime on the domestic level can then be geared to the specific legal qualifications for virtual assets in that specific jurisdiction.

My proposal is to follow the most efficient way. Strike out the part that says: submit the above information to beneficiary VASPs and counterparts (if any). It is simply not proportional and economically sensible for the FATF to demand the inclusion of privacy-sensitive information in crypto-transactions. Officers can have access by asking and demonstrating lawfulness of the request via international channels. But the day and age of using local tricks and harvesting local companies for EU-data should be over.

The area of digital assets, virtual assets is so ill-defined that the FATF cannot claim a full competency, as the legal basis in a number of jurisdictions will not be there. We should also keep in mind that the catch-all definition - not elsewhere regulated under these FATF-rules - is still written from the FATF's role as Financial Action Task Force, focusing on the financial industry and financial services as the main objective. So if my home country defines certain digital goods as digital goods and not in scope of crypto legislation, that to me would be the end of the remit for the FATF (and it would remain out of scope of the catch-all clause as well).

So much for the technicalities.

Applying FATF-money transmission rules to crypto-assets: geopolitics
We should recognize that we are in a different moment in time than in 2001, when the FATF-7 rules were introduced. At that point in time the US was a beacon for democracy and rule of law. But it isn't any more.

Its role became fuzzy when it turned out that US law enforcers had used US based servers of EU companies (Swift) to get hold of EU-data. And this made the EU sensitive to the protection of its citizens against unwarranted, overly ambitious law enforcement in other countries.

We should again be sensitive. The EU, but also the FATF, have an obligation to protect their citizens from undue harassment and intrusion by law enforcement authorities. And creating tons of data outside the consent-scope of the citizen does not sound like a good protection at all.

Right now, we can witness around the world, an increase in countries with all kinds of 'strong leaders' that violate human rights agreements, do not obey the rule of law, that are involved in money laundering schemes, do not listen to lawful requests of their constituents and ignore climate agreements.

I think the EU has a duty to not cooperate with implementation of so-called FATF-requirements when it is clear they are increasingly unable to protect the privacy and guarantee the lawfulness of the data exchange. Requesting other states to go get the data (and ensure that it is proportional) is a better way forward.

In sum: improve definitions and reconsider the worldwide distribution of transaction data for virtual assets/currencies
While I think that FATF should fully reconsider its definitions and redo its homework, this virtual-asset momentum and this train that is being pushed by the US may be rolling too fast to stop it. So as a stop-gap one could propose to eliminate 7b or at least strike out the distribution line:
(b) R.16 – Countries should ensure that originating VASPs obtain and hold required and accurate originator information and required beneficiary information on virtual asset transfers, submit the above information to beneficiary VASPs and counterparts (if any), and make it available on request to appropriate authorities. It is not necessary for this information to be attached directly to virtual asset transfers. Countries should ensure that beneficiary VASPs obtain and hold required originator information and required and accurate beneficiary information on virtual asset transfers, and make it available on request to appropriate authorities. Other requirements of R.16 (including monitoring of the availability of information, and taking freezing action and prohibiting transactions with designated persons and entities) apply on the same basis as set out in R.16
The FATF-proposal is disproportional, technically unsound and uneconomic. We'd better store the citizens' data locally and ensure distribution on a piecemeal basis, based on solid legal grounds, only when there is a true virtual asset under local definitions.

I ask the EU to respect my reasonable concerns as a private citizen and not to implement the proposal that comes out until it ensures that my data stay local, where they are, and are not distributed at large to possibly evil states, dubious countries and their law enforcers.

The latter holds particularly true when we can observe that the chair of the FATF, the US Treasury Secretary, is not living up to his national constitutional obligations to comply with the US law himself.


PS. I noted that the interpretative note to recommendation actually also holds an additional new definition, apart from the main text:
1. For the purposes of applying the FATF Recommendations, countries should consider virtual assets as “property,” “proceeds,” “funds”, “funds or other assets,” or other “corresponding value”. Countries should apply the relevant measures under the FATF Recommendations to virtual assets and virtual asset service providers (VASPs).