Governments often tell their subjects that they must submit to surveillance programs to stay safe. Whether the boogeyman is terrorism, hate, or even health, government snooping on private data often violates our rights to privacy.
But surveillance programs are unsafe on their own. Securing major sets of sensitive personal data is a tall order that few can fulfill. What do you know: Government agencies that want more access to your data all too often get hacked and risk exposing your private information to the world.
A case in point: in the same week that we learned the Treasury Department succumbed to a huge hack, it proposed a major expansion of its quiet yet pervasive financial surveillance programs to so-called “self-hosted wallet” (AKA privately controlled) cryptocurrency transactions.
Last week, it was revealed that agencies such as the U.S. Departments of Commerce, Treasury, Energy and National Nuclear Security Administration (!), and Homeland Security had succumbed to a sophisticated cyber-attack where a likely nation-backed actor had infiltrated government systems. This hack was just one part of a larger offensive against the major IT infrastructure company SolarWinds, which counted some of the largest players in commerce, media, government, and academia among its clients. Specifically, hackers compromised an old version of SolarWinds’ Orion software that was used by some 18,000 customers.
Security analysts are still probing the extent of the hack and likely fallout. It appears that systems had been infiltrated for months since around March; perhaps attackers still have access to certain networks. And this particular operation might not have been limited to just the SolarWinds Orion product. We might not know the full contours of this problem for quite some time.
Government leaders are already beating the drums of cyberwar. They can’t help themselves, but it’s certainly too early for such threat escalation. But it’s always worth thinking through government surveillance practices that put our data at risk of such inevitable offenses. Creating massive government databases of personal information creates an unavoidable breach liability.
When it comes to the Treasury Department, the hacking risk is especially acute. Few people know that for decades Treasury has operated a massive financial surveillance program made possible through the Bank Secrecy Act, which is kind of like the “PATRIOT Act for money.” Under the guise of fighting money-laundering and crime, the Treasury Department forces financial institutions to collect and share personal information on innocent people every day. Unsurprisingly, Treasury would like to expand these programs to ensnare more cryptocurrency transactions in its dragnet.
The proposed “self-hosted wallet” rules would make it much harder for privacy-minded individuals who manage their own private keys for cryptocurrency to make transactions with people who outsource key management to third parties.
Right now, customers of third party-managed wallets and exchanges must submit to certain “anti-money laundering/know your customer” (AML/KYC) government data reporting rules when making transactions greater than $10,000. The proposed change would require that the recipients of such transactions also submit to personal data collection, even when they manage their own keys, before the regulated company may send the funds. Furthermore, the limit for such “self-hosted wallet” recipients would be lowered to $3,000 for certain data recording requirements—a new and unjustifiable roadblock for privately managed wallets to engage with the rest of the crypto economy.