Showing posts with label DNB. Show all posts

Sunday, June 09, 2019

G20 and FATF should not infringe on the human right to privacy by prescribing mass surveillance for virtual assets!

Over the past weeks, I have been sounding the alarm as to the envisaged FATF-recommendations in the area of virtual assets. Essentially they require the private sector to build in a privacy leaking front-door in all blockchain applications, so that law enforcement officials in the whole world will have useful information already available nearby (rather than having to ask for it when need arises).

While at first I merely looked at it technically, seeing it as a disproportional silly measure by regulators who don't understand blockchain technology, over the past weeks I have learnt that it could also be viewed as part of a larger debate on the human right to privacy. People sent me more information on this matter including this dissertation (link: M. Wesseling: mustread!).

The dissertation outlines how a similar measure in the banking domain (the travel rule) was first rejected in the US Congress, to be adopted within weeks after the 9/11 attack. The dissertation also shows the mechanism of depoliticization: making something a technical 'thingy' in order to avoid the true political debate on public interests that need to be balanced.

State vs citizens: police versus privacy 
What is at stake here is a political debate on the degree of surveillance measures that a society needs to prevent criminality versus the degree of human privacy and freedom that people need to live a dignified life in which they can communicate freely and are innocent until proven guilty (and not the other way around).

Let's have a close look at the two fundamental public policy issues at stake:

The human right to privacy in a digital age
Under UN Resolution 28/16 (the right to privacy in the digital age), article 8.2 of the European Convention on Human Rights and the EU Court decision on data retention (ECLI:EU:C:2016:970), the EU understanding of mass surveillance of personal data of innocent persons is that it may very well constitute a violation of the right to privacy in cases where it is disproportional and no sufficient safeguards are in place.

However, the human right to privacy is often not taken into account when developing anti-terrorist policies. Scientific evaluations of the implementation of such policies outline that social side effects, such as excessive reporting of transactions and privacy of citizens, (often) remain underexposed in public discussions. Similarly a recent dissertation in the Netherlands clarifies that, when applying the EU Court of Justice criteria to the European Anti-Money Laundering Directive, 17 infringements of human rights can be identified.

Upcoming FATF-proposal to prevent fraud/crime/terrorism and apply broad rules to virtual assets
This is exactly what is at stake with a recommendation that is phrased in paragraph 7b of an interpretative note for Recommendation 15 of the FATF. It requires all private sector entities to register and submit the names of the parties participating in a virtual asset transfer to all counterparts in the value chain. This is not based on suspicion of criminal behaviour but required as a standard data export for all use cases and customers transferring virtual assets.

The virtual assets are defined as all non-regulated digital representations of value which may be transferred or held:
‘..countries should consider virtual assets as “property,” “proceeds,” “funds”, “funds or other assets,” or other “corresponding value”.’

As such, the rule effectively requires private sector market players to develop a messaging system (and adapt internal systems) to make sure future blockchain applications also function as a structure of mass surveillance. However, any law enforcement official may obtain the relevant information on a case-by-case basis with a proper legal warrant at the individual organisation involved in a virtual asset transfer. The proposed rule constitutes an unnecessary measure that brings personal data of innocent people into the public domain, without any further proper guarantees for its treatment.

The rule met with very heavy pushback during a private sector consultation (in Spring 2019) due to its incompatibility with privacy laws and its unclear definition. The FATF members did not take this into account. Therefore, in the Netherlands, the NGO Privacy First joined the initiative of a group of virtual asset service providers (VBNL) to urgently request the Dutch Ministry of Finance not to approve the proposal. This has not led to any further response.

What disturbs me in the process is that the private sector has effectively formulated an adapted wording which would balance the two public policy interests more properly (see the redacted statement in the graphic below). But FATF officials and governments appear to ignore it.



The public policy train moves on towards the G-20, without due process / democratic controls in place
Right now, the process underway is one in which we will see all kinds of news reports about the G20 Ministers of Finance discussing and deciding on virtual assets. We will see the FATF adopting its rule in their 16-20 June meeting. And then the G-20 heads of state adopting it in Osaka. There will be many news bulletins and spins outlining how important and good these steps are. And the FATF will be complimented for their laudable work in this area. But don't be fooled by the spinning.

It is important to note that there has not been a sufficient and proper political debate on the balance between human rights and anti-terrorism measures. And as we already have human rights treaties in place outlining that mass surveillance and retaining of data of innocent people are a human rights infringement, we can only conclude that our Ministries of Finance and Governments are about to make a historical and major mistake that violates their own commitments to privacy. There is no reason to boast about that.

Are all governments and private sector players benevolent forever?
What is lacking is the fundamental helicopter view on the relation between states and their people. For this I refer to yesterday's blog post, outlining the fundamental considerations that led Phil Zimmermann to develop the encryption tool Pretty Good Privacy for the people:
"Zimmermann outlined one very significant theme during his speech. He noted that the assumption of a continuous benevolent government is not realistic. Governments come and go, some may be more democratic than others and even strong democracies may turn into dictatorships, depending on the circumstances. It is therefore important to design society, governments and the technologies that we use to manage society, guarantee that a balance exists between the powers of government and those of the public. The public, the people should always be allowed to remain digitally out of sight of government. Such a robust structure would be important to ensure a fair treatment of the people over a long period of time."

It is too bad that our governments appear to be unable to properly balance the political interests at hand. The reality is that we do not live in paradise: both governments and market players may have ill intentions and we should be open to that fact of life. In this respect it is clear that a range of private sector players provided more than one elegant suggestion to help with the criminal perspective, while still protecting privacy. Why would there be a reason to ignore this?

I do understand the dynamics however. In the words of Ian Grigg:
'It's hard to have a serious discussion on terrorism. It's too much of a magic password that shuts down critical thinking.'

What's up next is that we will need to resort to national and supranational courts to re-address this issue and correct our governments. Because like it or not, the future of our democracies is at stake.


------
And a video on this same topic here, for those who are more into the looking/listening mode:



Tuesday, August 01, 2017

Dutch central bank can further encourage innovation for payment institutions with a quick win

Article 18.2 in PSD2 (Article 15 in PSD1) on the nature of funds in a payment account of a payment institution

It's a logical thing. As the bakery provides bread, banks provide loans and allow savings, e-money institutions offer e-money, payment institutions are allowed to provide payment accounts to their customers. These accounts would neither be redeemable deposits or repayable funds, nor e-money, as the article in the PSD(2) states.

Stricter interpretation by De Nederlandsche Bank 
De Nederlandsche Bank, our local supervisor, however, does not appear to allow the above flavour in the Netherlands easily. Companies that have business models in which payment accounts (whether with or without IBAN) are offered should not be surprised if they are told that the funds would qualify either as redeemable deposits or e-money, with little in between.

 As a result, one will not encounter a lot of payment-account issuing by payment institutions in the Netherlands. And this is in spite of the fact that even the Explanatory Memorandum of our Financial Supervision Act explicitly mentioned this possibility.

Other supervisors follow the EU-approach 
Thus we can see issuers from other countries, such as Pocopay from Estonia, offer payment services and payment accounts to students where these can't be offered by local players. On their website, we see this issuer outlining (USING CAPITALS) in the terms and conditions that the funds are not redeemable, to be used for payments and not covered by deposit insurance of any kind.

Other instances can be found in German or French markets, leading to the situation that Dutch payment institutions are restrained in product innovation and less able to compete with PIs from other countries, which may offer a broader solution range to their customers.

Quick win to facilitate innovation in payments in the Netherlands 
There is a clear quick win here in the Netherlands in terms of payment regulation. Instead of claiming that funds are either deposits or e-money, De Nederlandsche Bank should more easily allow payment institutions to also offer the third flavour: non-redeemable funds on payment accounts, used for payment purposes.

Of course, one could raise the question whether it is possible to make such a business model work, but it should be the market that decides rather than the supervisor.

This article is a translation of a contribution to the Financieel Dagblad of July 29, 2017.

Monday, January 30, 2017

From DNB Coin to ECB Coin...?

About a year ago, it became clear that the Dutch central bank, much like other central banks, was actively experimenting with blockchain technology to further establish pros and cons of distributed ledger technology. It had developed a so-called DNB-coin - a private fork of the bitcoin blockchain - which further reinforced a whole discussion on central bank issued bitcoin-like currencies (Fedcoin as outlined by the blog of JP Koning).

Fast forward to the EU parliament, where last week, rapporteur Cora van Nieuwenhuizen presented a draft Fintech report, that calls on the European Commission to draw up a Fintech Action Plan. And in this plan, under item number 6, the ECB is recommended to launch experimentations with a 'virtual Euro'. I think we may dub this as the call for an ECB-coin.



One can only guess what exactly would be meant here, but my best guess would be that this means the ECB can now freely choose to experiment with methods for distributing digital euros using advanced blockchain or distributed ledger technology. So would they design it themselves, or involve themselves in market initiatives such as R3 or Hyperledger?

Anonymous ECB-coins or not? 
Time will undoubtedly tell how this experiment with ECB-coins will evolve. We should note, however, that there is also a European legislative initiative to limit the use of cash. So it appears logical that the cash-limiting initiative could reinforce the development of central bank issued virtual currencies (i.e. euros on a blockchain).

Those will not be truly anonymous ECB-coins, if you ask me. On close reading of this last legislative proposal, I noticed that anonymous digital currencies (such as the good old digicash) are not truly desired:
In view of the development of cryptocurrencies and the existence of other means of payments ensuring anonymity, an option could be to extend the restrictions to cash payments to all payments ensuring anonymity (cryptocurrencies, payment in kinds, etc.) 
The end of anonymity and beginning of pseudonymity
In sum, we will be watching the end of anonymity, but this may not be its true end. I think it would be fairly easy to devise new business and payment models where one slices off the good reputation of a payer/payee (not blacklisted, no terrorist etc.) into a pseudonymous, tokenised system that allows payer, payee and all involved financial institutions not to know each other but still transact securely and within the legal parameters as set by society.

Which most likely brings us back to square one: the blockchain.


Thursday, March 24, 2016

'DNBcoin': the Dutch central bank experiment with a blockchain-based coin

Today, the Dutch central bank published its Annual Report. This coincided with the death of our most famous soccer player, Johan Cruyff, so it's clear that there is not so much undivided attention to their whole report.

 Scanning through the report, I noticed an interesting paragraph in the sustainability-part of the report (p. 208), under the header of inclusion and accessibility of payments. It stated that DNB aims to develop a working prototype DNBcoin based on blockchain technology.

So, there we have it: central banks are entering the market of digital cash once again. After the announcements on RSCoin, the blockchain based electronic cash proposed for the UK central bank, the Dutch central bank is following suit.

So is this new and revolutionary?

No and yes.

No, because I recall that twenty years earlier, the Danish central bank sold its electronic cash solution (Danmont) to the market (withdrawn as a micropayment tool in 2005), as did the Canadian central bank (selling off its Mintchip). So there is not much news in central banks setting up electronic cash.

What is new, however, is the environment in which this development occurs. Previously, central banks were keen on getting rid of cash as an inefficient payment method. As this starts to be successful (in Sweden and the Netherlands, for example), the central banks adapt their position. The policy line now is that for availability and financial inclusion reasons cash still needs to be around as a payment mechanism.

So when we now see central banks moving forward in the electronic cash domain (now conveniently labelled: blockchain/fintech, instead of bitcoin) it might be to no longer spin it off to the market, but to create a permanent digital replacement of cash.

Therefore, this time it might be different.