In the late afternoon on the Friday before Christmas, the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) proposed a regulation introducing data collection and reporting requirements for cryptocurrency. FinCEN gave the public only 15 days to comment, over the holidays, instead of the usual 60 days. This was a clear attempt to push through a midnight regulation without giving the public time to respond, and it backfired. Despite the short timeline, roughly 7,500 people and entities submitted comments decrying the proposal, the most FinCEN has received on any proposed rulemaking. The comments on this proposal constitute nearly 70% of all comments FinCEN has received on all rule-makings since 2008 combined.
So many people spoke up about this proposed regulation because it is a blatant violation of civil liberties. The proposal would require certain businesses like cryptocurrency exchanges to collect identity data not just about their own customers but also about non-customers who transact with their customers, and to keep that data and hand it over to the federal government when the transactions exceed a certain amount. This would give the government access to troves of sensitive financial data, going well beyond FinCEN’s requirements for non-cryptocurrency transactions.
In addition, the regulation would give the government far more data than what the regulation itself even contemplates. The proposed regulation would give the government the identities associated with cryptocurrency wallet addresses. Because of the nature of public blockchains, that means the government would know the identity associated with all transactions for those wallet addresses, even when the amounts of those transactions are far below the reporting threshold.
In the Electronic Frontier Foundation’s comment on FinCEN’s proposal, Rainey Reitman, Danny O’Brien, Aaron Mackey and I argue that the proposed regulation violates the Fourth Amendment of the U.S. Constitution.
The Fourth Amendment requires that law enforcement obtain a warrant supported by probable cause before conducting a search or seizure. So why is it that, in the traditional financial system, law enforcement can engage in mass surveillance of bank customers without a warrant? The answer is the third-party doctrine – the idea that people do not have a reasonable expectation of privacy in the data that they share with a third party like a bank. In 1976, the U.S. Supreme Court held in U.S. v. Miller that the Bank Secrecy Act (as it was implemented at the time) did not violate the Fourth Amendment because of this third-party doctrine.
But I believe the Court would come to a different decision if faced with FinCEN’s proposed regulation – or, indeed, the mass surveillance that we have come to accept as normal in today’s banking system. Even in the 1970s, the Supreme Court justice who authored Miller wrote in another case that “financial transactions can reveal much about a person’s activities, associations and beliefs. At some point, governmental intrusion upon these areas would implicate legitimate expectations of privacy.” Since Miller, the government has greatly expanded the Bank Secrecy Act’s reach – and the 1976 decision was an as-applied challenge of the law as it was implemented at the time. FinCEN’s proposed regulation goes even beyond FinCEN’s other activities in non-cryptocurrency contexts.