Friday, June 14, 2019

FATF as in: Facebook As The Foe or Facebook As The Friend?

Dear Mr Billingslea, dear Members of the FATF and dear civil servants in the room,

As you are nearing the end of a very productive year I wish to commend you on your very hard and wise work of the last year. If we look back on the objectives that the President laid out for 2018-2019 we can see the many accomplishments of this year. It has been a very productive year and one that will be remembered for many years to come. Because you will define what FATF truly stands for. 

Of course there are some commentators that challenge the legitimacy of your work on virtual assets. They outline that your so-called open-ended mandate is by definition constrained by the boundaries set by Human Rights Treaties, UN Resolutions, the Fourth Amendment or rulings of the EU Court of Justice (Tele2) or the US Supreme Court (Carpenter). And they outline that effectively the FATF Standards are leading to a privacy infringement under those Human Rights agreements. I leave those comments aside for now. Historians and judges may be the judge of that.

For now, I wish to draw your attention to a practical dilemma that you will be facing the upcoming week. The dilemma is: does FATF stand for Facebook As The Foe or Facebook As The Friend? 

The answer depends on your own view: which society do you wish to leave behind for your kids?

FATF: Facebook As The Foe
While you were looking out of the frame of libertarian misuse of virtual currencies for all kinds of criminal purposes, you may have forgotten to look out the other window: at bigtech players such as Facebook and Google. Widening your view is of particular relevance now that you are about to endorse a virtual asset recommendation that obliges names of citizens to be sent along with virtual asset transfers (one way or the other).

Let's take a closer look at Facebook. They have thrown the privacy of hundreds of millions of people under the bus. They opened up their systems to developers and allowed mass-scale harvesting of personal data by other companies. They have come under severe criticism for this. And they changed a lot of operations, moved people out and such, all in order to counter the criticism about their harvesting of data. Bottom line: they need to remove personal data or ensure that they have proper consent from citizens that are properly informed on the whereabouts of their personal data.

Their latest project is a cryptocurrency / virtual asset programme, with the name Libra. It leads to the creation of a world currency, backed by a combination of assets. And Facebook will cooperate with other bigtech and Fintech players to make it happen. As the Wall Street Journal outlines:

FATF virtual asset rule: cryptonite to send and harvest personal data without caring about consent
I am wondering if you have thought through your recommendation on standards for virtual assets sufficiently. Are you aware that Facebook itself will become a huge Virtual Asset Service Provider? Are you aware that it is now soliciting other big tech companies to become verification nodes in their virtual asset programme? And are you aware this means they don't have to ask any consent from the users who use their coins to add name information in or with the transaction (whichever way they see fit, as long as they oblige)? And this information must also be shared with counterparts (if any), meaning that if I operate a verification node, I am sitting on the information as well?

The unintended consequence of what you are doing with the virtual asset rules is that, in times of personal data as the economic fuel for society, you are handing out cryptonite to all kinds of private sector players that want to have a free pass for passing on and harvesting personal information. All kinds of other companies may follow suit, as the FATF rule is really an easy tool in the box of companies that actively seek to engage in regulatory arbitrage to avoid privacy rules as much as possible.

Facebook as the Friend...?
The other alternative is that the FATF effectively sees Facebook as a friend. You are aware of the above consequence and view it as a necessary consequence that will be very helpful in capturing the criminals of the future. That would mean that with the FATF rule you have deliberately chosen to marry the bigtechs.

Now if I imagine the biggest data-harvesting company in the world marrying the world's law enforcers, I must say I am sort of afraid to imagine what their kids will look like. This would be too big a confluence of private and public sector roles and it will have a disastrous impact on the world. Some may argue that we were already living in Orwell's 1984, but with this rule you will have definitely sealed the deal.

What you may just do when agreeing to this virtual asset rule is outlaw all the citizens of the world. Their data are free for all to harvest, and in the process you will ride along to see if you capture a terrorist every now and then.

Historic data does show, by the way, that all the virtual transaction data will not really help, as evaluations of the impact of the travel rule indicate that the number of crooks preventively caught in 15 years of its use can be counted on one or two hands. It is always other law enforcement info that gets you to detect them beforehand, never the transaction data.

What will FATF stand for: which kind of society do you leave behind?
Will FATF stand for Facebook as the Foe and will you reconsider virtual asset article 7b?
Or will FATF stand for Facebook as the Friend and will you outlaw all personal data of world citizens?

Next week the choice is up to you. I have a hunch you will be going for the Facebook is my Friend model. Because in your groupthink you may be driven to annihilate all kinds of perceived criminal evil even when the tools for doing so are ineffective. Or just because you are inclined to do as you are told and answer the call of your bosses, as they said to approve the virtual asset rules.

Thereafter, you may end up seeing your choice annulled by judges. This may be the result of lengthy procedures or otherwise of geopolitical incidents in which one of the kids of the marriage of FATF and Facebook will have turned evil. And then, each one of you in the room will have to answer to their citizens, politicians, children and grandchildren: how did you not see this coming?

Don't finalise the paragraph 7b text
I call upon you to consider the above with an open mind and an open heart.
Do the right thing: vote to reconsider or postpone finalisation of the paragraph 7b text.

Postponing allows for more time to explore all impacts and consequences and have a further debate on what you wish the true acronym FATF to stand for.

Simon Lelieveldt

Sunday, June 09, 2019

G20 and FATF should not infringe on the human right to privacy by prescribing mass surveillance for virtual assets!

Over the past weeks, I have been sounding the alarm as to the envisaged FATF-recommendations in the area of virtual assets. Essentially they require the private sector to build in a privacy leaking front-door in all blockchain applications, so that law enforcement officials in the whole world will have useful information already available nearby (rather than having to ask for it when need arises).

While at first I merely looked at it technically, seeing it as a disproportionate, silly measure by regulators who don't understand blockchain technology, over the past weeks I have learnt that it could also be viewed as part of a larger debate on the human right to privacy. People sent me more information on this matter, including this dissertation (link: M. Wesseling: must read!).

The dissertation outlines how a similar measure in the banking domain (the travel rule) was first rejected in the US Congress, to be adopted within weeks after the 9/11 attack. The dissertation also shows the mechanism of depoliticisation: making something a technical 'thingy' in order to avoid the true political debate on public interests that need to be balanced.

State vs citizens: police versus privacy
What is at stake here is a political debate on the degree of surveillance measures that a society needs to prevent criminality versus the degree of human privacy and freedom that people need to live a dignified life in which they can communicate freely and are innocent until proven guilty (and not the other way around).

Let's have a close look at the two fundamental public policy issues at stake:

The human right to privacy in a digital age
Under UN Resolution 28/16 (the right to privacy in the digital age), article 8.2 of the European Convention on Human Rights and the EU Court decision on data retention (ECLI:EU:C:2016:970), the EU understanding on mass surveillance of personal data of innocent persons is that it may very well constitute a violation of the right to privacy in cases where it is disproportionate and no sufficient safeguards are in place.

However, the human right to privacy is often not taken into account when developing anti-terrorist policies. Scientific evaluations of the implementation of such policies outline that social side effects, such as excessive reporting of transactions and the privacy of citizens, (often) remain underexposed in public discussions. Similarly, a recent dissertation in the Netherlands clarifies that, when applying the EU Court of Justice criteria to the European Anti-Money Laundering Directive, 17 infringements of human rights can be identified.

Upcoming FATF proposal to prevent fraud/crime/terrorism and apply broad rules to virtual assets
This is exactly what is at stake with a recommendation that is phrased in paragraph 7b of an interpretative note for Recommendation 15 of the FATF. It requires all private sector entities to register and submit the names of the parties participating in a virtual asset transfer to all counterparts in the value chain. This is not based on suspicion of criminal behaviour but required as a standard data export for all use cases and customers transferring virtual assets.

The virtual assets are defined as all non-regulated digital representations of value which may be transferred or held:
‘..countries should consider virtual assets as “property,” “proceeds,” “funds”, “funds or other assets,” or other “corresponding value”.’

As such the rule effectively requires private sector market players to develop a messaging system (and adapt internal systems) to make sure future blockchain applications also function as a structure of mass surveillance. However, any law enforcement official may obtain the relevant information on a case-by-case basis with a proper legal warrant from the individual organisation involved in a virtual asset transfer. The proposed rule constitutes an unnecessary measure that brings personal data of innocent people into the public domain, without any further proper guarantees for its treatment.

The rule has met with very heavy pushback during a private sector consultation (in Spring 2019) due to its incompatibility with privacy laws and its unclear definition. The FATF members did not take this into account. Therefore, in the Netherlands, the NGO Privacy First joined the initiative of a group of virtual asset service providers (VBNL) to urgently request the Dutch Ministry of Finance not to approve the proposal. This has not led to any further response.

What disturbs me in the process is that the private sector has effectively formulated an adapted wording which would balance the two public policy interests more properly (see the redacted statement in the graphic below). But FATF officials and governments appear to ignore it.

The public policy train moves on towards the G-20, without due process / democratic controls in place
Right now, the process underway is one in which we will see all kinds of news reports about the G20 Ministers of Finance discussing and deciding on virtual assets. We will see the FATF adopting its rule in their 16-20 June meeting. And then the G-20 heads of state adopting it in Osaka. There will be many news bulletins and spins outlining how important and good these steps are. And the FATF will be complimented for their laudable work in this area. But don't be fooled by the spinning.

It is important to note that there has not been a sufficient and proper political debate on the balance between human rights and anti-terrorism measures. And as we already have Human Rights Treaties in place outlining that mass surveillance and retention of data of innocent people are a human rights infringement, we can only conclude that our Ministries of Finance and Governments are about to make a historic and major mistake that violates their own commitments to privacy. There is no reason to boast about that.

Are all governments and private sector players benevolent forever?
What is lacking is the fundamental helicopter view on the relation between states and their people. For this I refer to yesterday's blog post, outlining the fundamental considerations that led Phil Zimmermann to develop the encryption tool Pretty Good Privacy for the people:
"Zimmermann outlined one very significant theme during his speech. He noted that the assumption of a continuously benevolent government is not realistic. Governments come and go, some may be more democratic than others and even strong democracies may turn into dictatorships, depending on the circumstances. It is therefore important to design society, governments and the technologies that we use to manage society in such a way that they guarantee a balance between the powers of government and those of the public. The public, the people, should always be allowed to remain digitally out of sight of government. Such a robust structure would be important to ensure a fair treatment of the people over a long period of time."

It is too bad that our governments appear to be unable to properly balance the political interests at hand. Reality is that we do not live in paradise: both governments and market players may have ill intentions and we should be open to that fact of life. In this respect it is clear that a range of private sector players provided more than one elegant suggestion to help with the criminal perspective, while still protecting privacy. Why would there be a reason to ignore this?

I do understand the dynamics, however. In the words of Ian Grigg:
'It's hard to have a serious discussion on terrorism. It's too much of a magic password that shuts down critical thinking.'

What's up next is that we will need to resort to national and supranational courts to readdress this issue and correct our governments. Because, like it or not, the future of our democracies is at stake.

And a video on this same topic here, for those who are more into the looking/listening mode:

Saturday, June 08, 2019

Zimmermann's relevance for discussions on human rights and ICT-security surveillance

If we look at the economic and social risks of new technologies, outsiders will often immediately fall into the trap of considering this to be about the illegal use of peer-2-peer networks, applications such as bitcoin etc., for socially unwanted activities or even criminal activities. From there on it is a small step to forbid such activity, regulate it, overregulate it. But we should take a wider perspective here.

For me, Phil Zimmermann was the person who made a lasting impact when he explained, somewhere in the late 1990s, during a speech at a digital money conference, his considerations behind developing Pretty Good Privacy (see also his own explainer: Why I Wrote PGP). His argument was mainly that the new digital society has to be built in such a way that it guarantees a situation in which people are still able to communicate and act in a way that is not invaded or controlled by government tools/techniques. Whereas the old analogue world would allow the people smart analogue ways of creating their own spaces for communicating and fooling government with fake analogue IDs and such, it would be much harder to do this in a digital world. Hence the need for a simple peer-2-peer mechanism such as Pretty Good Privacy.

Zimmermann outlined one very significant theme during his speech. He noted that the assumption of a continuously benevolent government is not realistic. Governments come and go, some may be more democratic than others and even strong democracies may turn into dictatorships, depending on the circumstances. It is therefore important to design society, governments and the technologies that we use to manage society in such a way that they guarantee a balance between the powers of government and those of the public. The public, the people, should always be allowed to remain digitally out of sight of government. Such a robust structure would be important to ensure a fair treatment of the people over a long period of time.

It is clear that this requirement, to allow for and to actually create areas where the government cannot see what happens, means that those areas are scary for regulators. Will they facilitate crime by doing so? Perhaps. Will they allow for huge pockets of creativity? Certainly! But it will be the strong governments that are able to allow this. They will act from a position of strength and not be afraid. The weak governments, or the scared governments, or the ill-intending governments will seek to monitor everything and control all digital activities. This will certainly fail. But while doing so, they may install tools that are very dangerous in the hands of governments when they turn from benevolent to evil. It will tilt the balance towards a situation in which ill-intending governments can no longer be overturned by a social revolution.

There is no need for governments to be afraid of technological progress in the hands of the people. It is a good thing, to be cherished and to be allowed. The simple labelling of such activity as possibly criminal is the wrong frame. The reverse is also wrong: regulators with good intentions are not by definition tools in the hands of dictators. The right frame is: dictators exist just as criminals do. Society should ensure that neither of these can become too powerful due to technological or legal measures, and it is for this reason that we need to balance our human right to privacy with the goal to prevent criminality.

Finding this balance is not easy, but over the last weeks we have witnessed too many occasions where governments seem to go too far. German police wanting access to home devices. The FATF rule on surveillance for virtual assets. Ghost accounts in WhatsApp. Giving your social media handles when entering the US. We should not let ourselves be caught in this wrong direction of over-intrusive government behaviour.

There is a very legitimate reason to develop and create new technologies that safeguard the public, and it is a pity that many policy makers in the world may not have been hearing the clear message that Phil Zimmermann sent them. They really could do with opening their minds more. So for them I'm embedding this video. Just to be able to learn from history.