Saturday, June 22, 2019

Perspectives on Ca-Libra # 1. Getting rid of three smokescreens

This week the world has witnessed the announcement by Facebook of Calibra, a digital currency wallet and company. The wallet holds Libra, a virtual currency, with the idea to be used globally. Its distribution and use will be further promoted, organised and executed via an association of partners, called the Libra-association. The information pack (download here) also outlines more technical details on programming languages, future plans and committment to regulatory compliance.

Immediately thereafter, a storm of analysis emerged in order to understand the initiative. Quite some politicians and regulators are eager to quickly respond and that is completely understandable.

Facebook is not just the grocery shop around the corner, dabbling about with some new technology. It has allocated significant resources to the development of Libra. With a customer base of at least 2 billion (close to 25% of the worlds population) it is an entity that in itself acts as a world-wide platform and does not need others to achieve a network effect.

Perspectives as the approach for this series of blogs
As the Libra-initiative can be viewed from many angles, I plan to write this series of blogs and label them as perspectives. It's always helpful to view things from a couple of angles and that is precisely what I intend to do. This means we will be looking into definitions, regulatory regimes, business case and previous historical analogies. And as we go along I will take stock of developments and responses.

As you may notice, I will be judging Facebook by a very high standard. The reason for that is simple. If an organisation has so many resources available, I expect them to come up with careful, consistent and accurate thinking, wording and technology. And as a sneak preview: this is not what we got over the last week.

While the maturity of the exercise may look impressive to some observers, the huge inconsistencies and home-brewed interpretations of what a blockchain is cannot be a coincidence. We can see an announcement that Calibra will become available in 2020, while the state of thinking mid 2019 is 'early in the process'. This is accompanied by a PR-smokescreen on cryptocurrencies, that doesn't help our understanding the effort.

So the very first challenge that exists, when discussing the Ca-Libra virtual currency initiative, is to separate fact from fiction and to be precise in terminology. That is why this first blog seeks to get rid of the three biggest smokescreens that we were facing this week.

Smokescreen #1: libra association is not an ecosytem but a payment association with added functionalities
If we start with the source of payments revenue for Facebook, this originally all boiled down to payments related to Flash games (in 2015). But technical problems in Flash would hit their revenue. So they quickly understood the need to be more flexible and to be able to operate different business propositions and solutions. Therefore they moved towards licenses in the US (cash via messenger) and in Europe. They also moved the US e-cash system to France and UK, but announced 2 months ago that they would drop it in Europe per June 15, 2019.

And now, per June 18, 2019 Facebook essentially announce to re-up their game, but not with electronic euro's but with a self-invented world currency, backed by other currencies and liquid financial instruments. To blow away the first smokescreen, let's analyse the difference between the old Facebook e-cash or e-money with fiat currencies and the new Facebook libra, as distributed by Libra Association.

What we can see is that Facebook seeks to move the fiat-currency of its e-money system out of its direct control and responsibility as an issuer. Facebook Payments Inc is currenlty the entity that is responsible and guards all the relevant rules with respect to working with the e-currency. But in the new construct Facebook Calibra is merely one validator that can use the Libra-system under open source rules. So we see the fiat-e-currency companies of Facebook stepping aside and a new Libra association entering the playing field. At the same time, the technology shifts from in-house proprietary systems to an open-source codebase in the hands of no one in particular.

Top organisation
Facebook Inc
Facebook Inc
Type of asset
Virtual Currency
Libra (self-invented)
Pound, Dollar
Issuer / Currency creation
Libra ‘association’
Facebook Ireland
Nature of issuing
No direct issuance to customers.
Direct issuance to validators.
Direct issuance to customers
Direct redemption at issuer
Secondary market
Secondary/tertiary market with reselling - disbursement via
exchanges/other institutions
No reselling of e-money.
Fee structure for
Unknown, but most likely the price for validators is unequal to that for exchanges or customers.
Issuance at par and redemption
Of full amount minus some cost
Issuing without
Customer demand
Currency base may change
without actual demand of customers.
Issuance as part of buy-transaction of the customer
Reserve pool
100% reserve in
basket of currencies
100 % reserve in
Denominated fiat currency
Open Source community
Control and use of technology
Unknown contractual arrangements and safeguards for entities in the value chain
All usage governed by contract with issuer and financial law

Bringing the currency to the public or ducking the issuance responsibilities?
Of course one could frame the above shift of roles as bringing a currency to the public. Facebook is however dumping its core-responsibilities with respect to shaping and operating a currency-system and moving a lot of activities to an ill-equipped new Libra association with no track record at all.

While Calibra states that it will comply with all relevant legislation, we can see that the actual information of the Libra Association in this respect is pretty thin. They issue a currency-like digital token/record but do not explain which legal regimes would apply. Also their actual claim as whether they are a not-for-profit organisation does not align fully with this twitter thread outlines that it is a regular company with wider statutes.

If it looks/talks/qucks like a payments scheme, it is a ...?
In payment terms - which is what Facebook says to be aiming for - the Libra Association is essentially a payment scheme. Such a scheme defines the rules for an ecosystem that wishes to transact electronically. Examples are Visa and Mastercard, organisations that need to abide with a lot of rules in order to avoid them becoming a place of illegal cartel-agreements on price and illegitimate contract terms to end users.

With payment schemes we have huge and long discussions and deliberations of price levels. There is the obligation to ensure that there is no obligation to buy processing power from the scheme itself. There are policy views and obligations that schemes should be interoperable and open. And then there is a mountain of rules that specifies how to use the brand and which technical criteria must be complied with in order to be allowed to connect to the system.We find very little of this in the current papers on the association.

What makes this payment scheme special, a payment-scheme-plus ?
What sets Libra apart from Visa and Mastercard is that the association is effectively an issuer of the currency. This means a blurring of operational roles and scheme responsibilities, which is generally considered as a bad practice in governance terms. But what is most striking is that the membership rules are not geared towards controlling/monitoring and creating a safe and sound currency. We find no mention of specific prudential licenses or governance/quality certifications required for different roles under the scheme and as a member (or shareholder).

The only thing we read is: we seek to expand, we want to incentivise the use of the token and for this we don't want the small players in the market. We aim for the big players with market power. We separate the wholesale participants from the retail participants (allowing for price upticks). And then - the devil is in the details - the customer pricing format is based on a FOMO-principle (do you want your transaction processed: please throw in some more gas).

I am curious what reasoning Facebook and its founding members have had in this respect. The whole association setup is ostensibly aimed at market dominance, without proper governance safeguards and without any guarantees as to operational security and safety and soundness of the system. If I were a competition regulator I would jump at the opportunity to wait for the founders to sign the participation agreement and deliver a letter to their doorstep, next day, to start investigating the market abuse that might be at play here.

Governance claims and reality: a scheme is a supertanker without effective governance
I have been reading all the statements on the public structure of the association with a lot of amusement. Facebook is claiming that it will bring the intellectual property into the public domain and of course all the members of the association have a voice. So this seems to be well arranged with room for consultation, discussion and changing course.

The reality is completely different, as everybody in the banking sector knows. There is sufficient experience with clearing houses and associations (even with a relatively small number of shareholders) that are unable to essentially change course, once set up. Large associations like EPC, Visa, Mastercard, are effectively orphans without parents. Stakeholders are always irritated about the fact that these associations set their own course and associations always claim their shareholders have no vision. Bottom line: if you transfer your Libra-currency design into this domain, it is quite likely to be persistent. So don't expect any radical changes after this one is live; it will be gradual evolution from here onwards.

Not just a scheme for the payment instrument, but the unit of account (and a security as well)
There is another difference between Libra and Mastercard and Visa that I would like to highlight. The regular payment schemes seek to transact efficiently, taking existing currencies/structures as a basis. But this scheme introduces a new currency itself and regulates this currency via the management of reserve assets. It demonstrates that the aim of Facebook is to design its own Facebook buck, push it into the public domain and then profit from the benefits of having their own unit of account in place, while hiding behind the members and the open source philosophy when things go wrong.

A specific element in the scheme is that the unit of account is backed by a basket of currencies and financial instruments. Effectively this means that if you buy one Libra, you buy a couple of foreign currencies. Or put differently: you participate in an open ended money market / investment fund. And you use the digital representation of your participation in this fund as a means of payment.

This is a bit of double work as this means the association and the scheme are not just subject to payments legislation but also to investments/securities legislation. But it is legally possible: the payment would legally not be a discharge of obligations via a financial payment, but via a payment in kind (currency basket).

So what do we see here?

The Libra association is a mere manager of the governance and operational arrangements and activities that come with using the virtual currency Libra and participating in the Libra scheme. This Libra scheme is a private and commercial arrangement which:
- defines a unit of account for a new virtual currency: the Libra,
- defines the asset mix that backs one currency unit,
- lays out the distribution and management rules of the currency units and reserve funds,
- lays out commercial rules and does a private placement to further promote the use of the Libra by giving them away (for free or at a discount).

The Libra association itself will be steering future technical development and is charged with the project goal to move the whole infrastructure towards a permissionless setup. This is completely impossible (as these associations act with oil-tanker dynamics) but that brings us to the next smokescreen.

Smokescreen #2: Libra is not a blockchain, not a cryptocurrency but a digital virtual currency /financial instrument
It was fascinating to see that the carefully crafted and prepared introduction of the Libra sought to position it as blockchain and as a cryptocurrency. This creates a lot of noise. Also, the use of similar words for different concepts and organisations is confusing.

We should distinguish between:
1- Calibra, the organisation, a 100 % subsidiary of Facebook, acting as a validator node,
2- Calibra, the branded digital wallet developed by Calibra to carry the Libra virtual currency,
3- Libra, the digital currency that will be in the Calibra wallet
4- Libra, the reserve pool of assets that backs the digital currency,
5- Libra Core, the Network or 'blockchain' that forms the core operating technology for clients and validators,
6- Move, the programming language developed for the Libra Network.
7- Libra, the association governing, promoting and executing the virtual currency system,
8- Libra members, big commercial players that may join the Libra association, provided that they are a validator.

What struck me in the communication is the flagrant re-definitioning by Facebook of the concepts blockchain and cryptocurrency. Facebook really wants to be seen as doing some cryptocurrency stuff. But they don't. Just for fun I will be comparing the Facebook FAQ with the wisdom of the Wiki-crowd.

Libra is not a blockchain
Facebook succeeds in not mentioning the facts that blockchains are, by definition and terminology, a chain of blocks, linked together. Wiki has it right.

What is a cryptocurrency exactly: native currency of an open blockchain
Wiki states, that the decentralized control of cryptocurrencies works through distributed ledger technologies, typically a blockchain. Personally I would not have mentioned those ledgers as the blockchain is not so much a ledger as a journal (log roll of transaction entries). And apps are creating the ledger feeling for blockchains. But let's look at the wording in the image.

The wording of Facebook is interesting. It speaks of using cryptocurrency due to the use of strong crypto. This leaves out the issue that cryptocurrencies may be native to blockchains (as in chains of blocks). And then Facebook moves on to cryptocurrencies being built on blockchain technologies.

Which is true of course, but if I use all the parts of an air plane to build a firmly grounded restaurant, this doesn't mean that my restaurant is still an operational air plane. It is built on air plane technology, but the wording matters. Facebook puts up a smoke screen here to position itself in the blockchain community.

Libra is not a cryptocurrency
The funniest part of the Facebook FAQ was the mere statement that the Libra is a new cryptocurrency designed to have a stable and reliable value. Coming from a perspective where cryptocurrencies are inherent elements of open, truly decentralised permissionless blockchains, this is an interesting statement. It demonstrates that Facebook wishes to be a cryptocurrency but it isn't.

The text above also shows that Facebook has its eyes on the stablecoins that are around. These stablecoin are, in my view, privately issued currencies, with the goal of a fiat peg. The stable-'coin' is used a lot in the cryptoworld to facilitate fiat/crypto exchanges in times when the financial system is not online. The fact that this currency is used a lot in the cryptoworld, does however not make it a cryptocurrency in the terms of an inherent currency of an open permissionless blockchain.

Libra, what is it then, in regulatory terms?
My conclusion, after quite some pondering and tweeting is the following.
Libra is a privately issued and distributed digital  and virtual ‘currency’, that is intended to function as a means of payment. It is not a true currency because its actual composition/counter value is a basket of fiat-currencies and financial instruments. It is not e-money as the Libra is not ‘monetary value’. The digital value qualifies as a financial instrument (a mini-participation in an open ended investment fund) and is used in an open source payment instrument, to be used for payment and acquiring. Both payments and securities legislation apply, as well as the relevant competition and consumer protection rules. 
The Libra association is the scheme owner and scheme operator of the Libra virtual currency. This currency/investment can only be bought directly by members of the Libra association. Other entities or customers must revert to second tier players, exchanges or peer-2-peer applications. Technical development of applications is encouraged and rules to secure the application by contract or licensing seem to be absent.

Due to the blending of scheme and operations, the Libra association cannot really be viewed as the beginning of a proper payment scheme. Functionality, pricing and membership rules make Libra and the Libra association an easy target for consumer/data protection and competition supervisors, bank supervisors and securities supervisors.

Smokescreen #3: Libra is not a charity exercise that seeks to operate a public good but a commercial enterprise
A huge amount of effort has gone into convincing the public this week that Libra is all about helping the rest of the world. Getting more inclusive finance. Making payments faster, easier and such. It is striking that these statements mirror the claims that originally come from the Bitcoin community or from the Fintech community.

Of course those claims strike a chord. People may well be fed up with their banks and the perception of banks with slow procedures and expensive fees for foreign payments are an easy target for PR-people who want to position their initiative in a friendly way to the public. Who doesn't want to take on the banks and improve the world.

Commercially, the thinking of Facebook is most likely to be that it needs to counter the We-chat Pay dangers and all other Fintech movements that lead to easy in-app payments. Payments will increasingly be an afterthought and harvesting the data in those payments will allow for even higher ad revenues, as Facebook will see what works and what doesn't. Interestingly Facebook did not increase the speed of its current developments; it chose to move up the value chain, towards setting up its own currency and hoping that it will work as a unit of account (and may stay in the system for long).

Of course, the move by Facebook is a big signal. But we must note that there are still also other players that could make the same move. Which would lead to some form of a duopoly (as with Mastercard and Visa) and the need to agree on interoperability or on open access to infrastructures of the big techs involved. I did not come across this notion a lot, so far.

The public good narrative: unbelievable coming from Facebook
What struck me most, coming from Facebook as a centralised company that is not interested in respecting democracies and laws written by those democracies, is the sketch of opportunities in the White Paper. And do have a look at the phrasing on public good.
Given that by now I hope to have convinced you that the design of the Libra association and its constituency is far below the usual standards to be expected from payment schemes, you can imagine that I was unable to reconcile these laudable beliefs with the actual proposition.

If you truly wish to create a new public good, a new worldwide currency, it is not impossible to deliver this with private sector entities. There is a whole range of public policy theories (delivery of universal services or service of general interest) that can help out here. But putting the richest, biggest enterprises of the world in one room, to distribute a world currency/investment proposition without proper safeguards or recognition and qualification of the activities of the issuing association is not the way I would go about.

Facebook cloaking its plans in cryptoterms,but why? 
Let's face it. This whole complex open source, cryptocurrency story that Facebook has published is not necessary. If Facebook Payments Inc or Facebook Ireland wishes to change its currency mechanism towards a different setup it could do so itself. Why is there a need to involve other stakeholders with a trendy and hip storyboard on decentralisation, blockchains, cryptocurrencies and such?

It can't be a money issue. Facebook has sufficient resources to fund the whole exercise itself. And the quality of the exercise could then convince other commercial partners to join. So why the need to step out of its digital currency issuing role itself?

To me it is pretty clear that Facebook seeks to move up in our lives. Doing our financial business is not enough. It is all about entering our mind at a deep level. At the fiat currency level. We should think prices in terms of Libra, not in terms of fiat currency. And there is a good power reason for it. Because as long as Facebook uses digital fiat currencies it can be under the rule of the government that issues it. Now, by having a basket of currencies, Facebook can kick out currencies/countries if need be. State regulators and supervisors lose their power.

In addition, Facebook chooses to limit its own role and hide behind am Swiss association, to cover the fact that they don't want to take the responsibilities that come with issuing a worldwide association. They are suckering/forcing partners into joining this programme, without alerting them to the obvious violations of competition rules that may arise. They leave out all mentions of safeguards and contractual arrangements that can aid in ensuring operational integrity for this worldwide currency. Rather they throw the technology in the public domain, knowing well that this means that it's use cannot be fully controlled.

It is no surprise why politicians and regulators were keen to act. Their immediate response was that this was a further extension of an a-moral company that stops at nothing. As Maxine Walters outlined in the US, when asking Facebook to stop further development:

Reversing the statements to see what's hidden in plain sight: ruthless selfishness
As a thought exercise I was wondering. If they claim that it is a blockchain and cryptocurrency, while essentially it isn't, shouldn't we also reverse the other statements to see what is truly happening here.

I leave the result for you to ponder and thank you for bearing with me in this ultralong blog.
Up next I expect blog 2 to be about EU-definitions and legislation.

As we, as Facebook are in it strictly for our own goals, we intend to hide our true intentions and motivations so we can fool the community and our partners in the ecosystem to go along. 
We believe that many more people should buy financial and identity services from our company specifically, even when doing so will come at a higher cost than the available alternatives. 
We don't believe that people have an inherent right to control the fruit of their legal labour. 
We believe that global, open, instant, and low-cost movement of money will create immense economic opportunity and more commerce for us in particular. 
We believe that people will increasingly trust centralized forms of governance. 
We believe that a global currency and financial infrastructure should not be designed and governed as a public good. 
We believe that we don't bear a final responsibility ourselves to help advance financial inclusion, support ethical actors, and continuously uphold the integrity of the ecosystem.

PS. I have changed the definition on June-24, to reflect that the currency is a mini-investment fund which is used in an app/ecosystem that would qualify as a payment instrument. Definition blog will follow.

Friday, June 14, 2019

FATF as in: Facebook As The Foe or Facebook As The Friend ?

Dear Mr Billingslea, dear Members of the FATF and dear civil servants in the room,

As you are nearing the end of a very productive year I wish to commend you on your very hard and wise work of the last year. If we look back on the objectives that the President laid out for 2018-2019 we can see the many accomplishments of this year. It has been a very productive year and one that will be remembered for many years to come. Because you will define what FATF truly stands for. 

Of course there are some commentators that challenge the legitimacy of your work on virtual assets. They outline that your so called open-ended mandate is by definition constrained by the boundaries set by Human RightTreaties, UN Resolutions, Fourth Amendments or rulings of the EU court ofJustice (Tele2) or the US Supreme Court (Carpenter). And they outline that effectively the FATF Standards are leading to a privacy infringement under those Human Rights agreements. I leave those comments aside for now. Historians and judges may be the judge for that.

For now, I wish to draw your attention to a practical dilemma that you will be facing the upcoming week. The dilemma is: does FATF stand for Facebook As The Foe or Facebook As The Friend? 

The answer depends on your own view: which society do you wish to leave behind for your kids?

FATF: Facebook As The Foe
While you were looking out of the frame of libertarian misuse of virtual currencies for all kinds of criminal purposes, you may have forgotten to look out the other window: at bigtech players such as Facebook and Google. Widening your view is of particular relevance now that you are about to endorse a virtual asset recommendation that obliges names of citizens to be sent along with virtual asset transfers (one way or the other).

Let's take a closer look at Facebook. They have thrown the privacy hundreds of million people under the bus. They opened up their systems to developers and allowed mass scale harvesting of personal data to other companies. They have come under severe criticism for this. And they changed a lot of operations, moved people out and such, all in other to counter the criticism about their harvesting of data. Bottom line: they need to remove personal data or ensure that they have proper consent from citizens that are properly informed on the whereabouts of their personal data.

Their latest project is a cryptocurrency / virtual asset programme, with the naam Libra. It leads to the creation of a world currency, backed by a combination of assets. And Facebook will cooperate with other bigtech and Fintech players to make it happen. As the Wall Street Journal outlines:

FATF-virtual asset rule: cryponite to send and harvest personal data without caring about consent 
I am wondering if you have thought trough your recommendation on standards for virtual assets sufficiently. Are you aware that Facebook itself will become a huge Virtual Asset Service Provider? Are you aware that it is now soliciting other big tech companies to become verification nodes in their virtual asset programme? And are you aware this means they don't have to ask any consent from the users who use their coins, to add name information in or with the transaction (whichever way they see fit, as long as they oblige). And this information must also be shared with counterparts (if any) meaning that if I operate a verification node, I am sitting on the information as well? 

The unintended consequence of what you are doing with the virtual asset rules is that, in times of personal data as the economic fuel for society, you are handing out cryptonite to all kinds of private sector players that want to have a free pass for passing on and harvesting personal information. All kind of other companies may follow suit as the FATF-rule is really an easy tool in the box of companies that actively seek to engage in regulatory arbitrage to avoid privacy rules as much as possible. 

Facebook as the Friend....?
The other alternative is that the FATF effectively sees Facebook as a friend. You are aware of the above consequence and view it as a necessary consequence that will be very helpful in capturing the criminals of the future. That would mean that with the FATF-rule you have deliberately chosen to marry with bigtechs.

Now if I Imagine the biggest data-harvesting company in the world marrying the world-wide law enforcers in the world I must say I am sort of afraid to imagine what their kids will look like. This would be too big a confluence of private and public sector roles and it will have a desastrous impact on the world. Some may argue that we were already living in Orwells 1984, but with this rule you will have definitely sealed the deal. 

What you may just do when agreeing to this virtual asset rule, is outlaw all the citizens of their world. Their data are free for all to harvest and in the process you will ride along to see if you capture a terrorist every now and then. 

Historic data does show, by the way, that all the virtual transaction data will not really help as evaluations of the impact of the travel rule indicate that the number of crooks preventively caught in 15 years of its use can be counted on one or two hands. It is always other law enforcement info that gets you to detect them beforehand, never the transaction data.  

What will FATF stand for: wich kind of society do you leave behind?
Will FATF stand for Facebook as the Foe and will you reconsider virtual asset article 7b?
Or will FATF stand for Facebook as the Friend and will you outlaw all personal data of world citizens?

Next week the choice is up to you. I have a hunch you will be going for the Facebook is my Friend model. Because in your groupthink you may be driven to annihilate all kinds of perceived criminal evil even when the tools for doing so are ineffective. Or just beause your are inclined to do as is told and answer to call of your bosses as they said to approve the virtual asset rules. 

Thereafter, you may end up seeing your choice annulled by judges. This may be the result of lengthy procedures or otherwise geopolitical incidents in which one of the kids of the marriage of FATF and Facebook will have turned evil. And then, each one of you in the room will have to answer towards its citizens, politicians, children and grandchildren: how did you not see this coming? 

Don't finalise the paragraph 7b text
I call upon you to consider the above with an open mind and an open heart.
Do the right thing: vote to re-consider or postpone finalisation of the pragraph 7b text. 

Postponing allows for more time to explore all impacts and consequences and have a further debate on what you wish the true acronym FATF to stand for.

Simon Lelieveldt

Sunday, June 09, 2019

G20 and FATF should not infringe on the human right to privacy by prescribing mass surveillance for virtual assets !

Over the past weeks, I have been sounding the alarm as to the envisaged FATF-recommendations in the area of virtual assets. Essentially they require the private sector to build in a privacy leaking front-door in all blockchain applications, so that law enforcement officials in the whole world will have useful information already available nearby (rather than having to ask for it when need arises).

While at first I merely looked at it technically, seeing it as a disproportional silly measure by regulators who don't understand blockchain technology, over the past weeks I have learnt that it could also be viewed as part of a larger debate on the human right to privacy. People sent me more information on this matter including this dissertation (link: M. Wesseling: mustread!).

The dissertation outlines how a similar measure in the banking domain (the travel rule) was first rejected in US congress, to be adopted within weeks after the 9/11 attack. The dissertation also shows the mechanism of depolitization: making something a technical 'thingy' in order to avoid the true political debate on public interests that need to be balanced.

State vs citizens: police versus privacy 
What is at stake here is a political debate on the degree of surveillance measures that a society needs to prevent criminality versus the degree of human privacy and freedom that people need to live a dignified live in which they can communicate freely and are innocent until proven guilty (and not the other around).

Let's have a close look at the two fundamental public policy issues at stake:

The human right to privacy in a digital age
Under UN Resolution RESOLUTION 28/16 (the right to privacy in the digital age), article 8.2 of the European Convention on Human Rights and the EU Court decision on data retention (ECLI:EU:C:2016:970) the EU understanding on mass surveillance of personal data of innocent persons is that it may very well constitute a violation of the right to privacy in cases where it is disproportional and no sufficient safeguards are in place.

However, the human right to privacy is often not taken into account when developing anti-terrorist policies. Scientific evaluations of the implementation of such policies outline that social side effects, such as excessive reporting of transactions and privacy of citizens, (often) remain underexposed in public discussions. Similarly a recent dissertation in the Netherlands clarifies that, when applying the EU Court of Justice criteria to the European Anti-Money Laundering Directive, 17 infringements of human rights can be identified.

Upcoming FATF-proposal to prevent fraud/crime/terrorism and apply broad rules to virtual assets
This is exactly what is at stake with a recommendation that is phrased in paragraph 7b of an interpretative note for Recommendation 15 of the FATF.It requires all private sector entities to register and submit the names of the parties participating in a virtual asset transfer to all counterparts in the value chain. This is not based on suspicion of criminal behaviour but required as a standard data export for all use cases and customers transferring virtual assets.

The virtual assets are defined as all non-regulated digital representations of value which may be transferred or held:
‘..countries should consider virtual assets as “property,” “proceeds,” “funds”, “funds or other assets,” or other “corresponding value”.

As such the rule effectively requires private sector market players to develop a messaging system (and adapt internal systems) to make sure future blockchain applications also functions as a structure of mass surveillance. However, any law enforcement official may obtain the relevant information on a case-by-case basis with a proper legal warrant at the individual organisation involved in a virtual asset transfer. The proposed rule constitutes an unnecessary measure that brings personal data of innocent people into the public domain, without any further proper guarantees for its treatment.

The rule has met with very heavy push back during a private sector consultation (in Spring 2019) due to its incompatibility with privacy laws and its unclear definition. The FATF members did not take this into account. Therefore, in the Netherlands, the NGO Privacy First joined the initiative of a group of virtual asset service providers (VBNL) to urgently request the Dutch Ministry of Finance to not approve the proposal. This has not lead to any further response.

What disturbs me in the process, is that the private sector has effectively formulated an adapted wording which would balance the two public policy interest more properly (see the redacted statement in the graphic below). But FATF-officials and governments appear to ignore it.

The public policy train moves on towards the G-20, without due process / democratic controls in place
Right now, the process underway is one in which we will see all kind of news reports about the G20 Ministers of Finance discussing and deciding on virtual assets. We will see the FATF adopting its rule in their 16-20 June meeting. And then the G-20 heads of state adopting it in Osaka. There will be many news bulletins and spins outlining how important and good these steps are. And the FATF will be complimented for their laudable work in this area. But don't be fooled by the spinning.

It is important to note that there has not been a sufficient and proper political debate on the balance between human rights and anti-terrorism measures. And as we already have Human Right Treaties in place outlining that mass surveillance and retaining of data of innocent people are a human right infringement, we can only conclude that our Ministries of Finance and Governments are about to make a historical and major mistake that violate their own commitments to privacy. There is no reason to boast about that.

Are all governments and private sector players benevolent forever?
What is lacking is the fundamental helicopter view on the relation between states and their people. For this I refer to yesterdays blog post, outlining the fundamental considerations that led Phil Zimmerman to develop encryption tool Pretty Good Privacy for the people:
"Zimmerman outlined one very significant theme during his speech. He noted that the assumption of a continuous benevolent government is not realistic. Governments come and go, some may be more democratic than others and even strong democracies may turn into dictatorships, depending on the circumstances. It is therefore important to design society, governments and the technologies that we use to manage society, guarantee that a balance exists between the powers of government and those of the public. The public, the people should always be allowed to remain digitally out of sight of government. Such a robust structure would be important to ensure a fair treatment of the people over a long period of time."

It is too bad, that our governments appear to be unable to properly balance the political interests at hand. Reality is that we do not live in paradise: both governments and market players may have ill intentions and we should be open to that fact of life. In this respect it is clear that a range of private sector players provided more than one elegant suggestion to help with the criminal perspective, while still protecting it. Why would there be a reason to ignore this?

I do understand the dynamics however. In the words of Ian Grigg:
'It's hard to have a serious discussion on terrorism.  It’s too much of a magic password that shuts down critical thinking.'

What's up next is, that we will need to resort to national and supranational courts to re-address this issue and correct our governments. Because like it or not, the future of our democracies is at stake.

And a video on this same topic here, for those who are more into the looking/listening mode:

Saturday, June 08, 2019

Zimmermans' relevance for discussions on human rights and ICT-security surveillance

If we look at economic and social risks of new technologies, outsiders will often immediately fall into the trap of considering this to be about the illegal use of peer-2-peer networks, applications such as bitcoin etc, for socially unwanted activities or even criminal activities. From there on it is a small step to forbid such activity, regulate it, overregulate it. But we should take a wider perspective here.

For me, Phil Zimmerman was the person who made a lasting impact, when he explained, somewhere in the late 1990s, during a speech at a digital money conference his considerations behind developing Pretty Good Privacy (see also his explainer himself: Why I Wrote PGP). His argument was mainly that the new digital society has to be built in such a way that it guarantees a situation in which a people are still able to communicate and act in way which is not invaded or controlled by government tools/techniques. Whereas the old analogue world would allow the people smart analogue ways of creating their own spaces for communicating and fooling government with fake analogue id's and such, it would be much harder to do this in a digital world. Hence the need for a peer-2-peer simple mechanism as Pretty Good Privacy.

Zimmerman outlined one very significant theme during his speech. He noted that the assumption of a continuous benevolent government is not realistic. Governments come and go, some may be more democratic than others and even strong democracies may turn into dictatorships, depending on the circumstances. It is therefore important to design society, governments and the technologies that we use to manage society, guarantee that a balance exists between the powers of government and those of the public. The public, the people should always be allowed to remain digitally out of sight of government. Such a robust structure would be important to ensure a fair treatment of the people over a long period of time.

It is clear that this requirement: to allow for and to actually create areas where the government cannot see what happens means that those areas are scary for regulators. Will they facilitate crime by doing so? Perhaps. Will they allow for huge pockets of creativity? Certainly ! But it will be the strong governments that are able to allow this. They will act from a position of strength and not be afraid. The weak governments, or the scary governments, or the ill-intending governments will seek to monitor everything and control all digital activities. This will certainly fail. But while doing so, they may instil tools that are very dangerous tools in the hand of governments when they turn from benevolent to evil. It will tilt the balance towards a situation that ill-intending governments can no longer be overturned by a social revolution.

There is no need for governments to be afraid of technological progress in the hands of the people. It is a good thing, to be cherished and to be allowed. The simple labelling of such activity as possibly criminal is the wrong frame. The reverse is also wrong: regulators with good intentions are not by definition tools in the hands of dictators. The right frame is: dictators exist just as criminals. Society should ensure that neither of these can become too powerful due to technological of legal measures and it is for this reason that we need to balance our human rights to privacy with the goal to prevent criminality.

Finding this balance is not easy but over the last weeks we have witnessed too many occasions where governments seem to go to far. German police wanting access to home devices. The FATF-ruleon surveillance for virtual assets. Ghost accounts into Whatsapp. Giving your social media handles when entering the US. We should not let ourselves be caught in this wrong direction over intrusive government behaviour.

There is a very legitimate reason to develop and create new technologies that safeguard the public and it is a pity that many policy makers in the world may not have been hearing the clear message that Phil Zimmerman sent them. They really could do with open their minds more. So for them I’m embedding this video. Just to be able to learn from history.