In recent months, the digital asset industry has produced sensational headlines about JPEG rocks selling for millions of dollars, imploding Ponzi-schemes, and even Kardashian family securities law violations.[1] But beneath these headlines, there’s a battle being fought for the future of financial privacy. Governments around the world, including the United States’ government, have set their sights on the “shadowy super coders” pioneering new frontiers in cryptography and encryption-based technologies in order to prevent bad actors from using digital assets to facilitate crime.[2] Proponents of the technology, however, tout the potential for encryption-based technologies to preserve individual autonomy in a digital age.[3] At the heart of this battle lies the idea of encryption as a tool for maintaining privacy—“the power to selectively reveal oneself to the world.”[4]
Encryption-based technologies have become essential to the modern digital economy, enabling secure communications and safeguarding sensitive data from unauthorized access.[5] They are the building blocks of our increasingly interconnected and digitized world, powering everything from online shopping and messaging apps to online banking and financial transactions.[6]The emerging digital asset economy, in particular, has unearthed new use cases for encryption-based technologies, and innovators in the field are pioneering new encryption methods that will revolutionize our conceptions of financial privacy.
Bitcoin, the “original cryptocurrency,” established a peer-to-peer online payment system that eliminated the need for a third-party intermediary to authenticate information about the sender and receiver of a transaction.[7] Bitcoin’s revolutionary promise was to offer a method for exchanging value online without sharing personal, private information with financial intermediaries that are subject to the Bank Secrecy Act (“BSA”)—information that the government can readily access without a warrant under the Supreme Court’s Third-Party Doctrine.[8] Notwithstanding this innovation, Bitcoin failed to deliver a completely privacy-preserving medium of exchange for financial privacy advocates. Bitcoin’s shortfall, in their view, is the ease with which transactions can be viewed on Bitcoin’s public blockchain and the danger that a user’s complete transaction history could be linked to them if their pseudonymous public address is ever discovered.[9] Bolstering these concerns, the Fifth Circuit recently held that Bitcoin users have no reasonable expectation of privacy with respect to their on-chain activity.[10]
The privacy void left by Bitcoin was quickly filled by privacy coins and cryptocurrency mixers.[11] The most notable of these privacy solutions depend on Zero-Knowledge Proofs (“ZKPs”), an encryption technique that enable two parties to authenticate that an event, such as a funds transfer, has occurred without disclosing the underlying data.[12] Privacy coins operate similarly to Bitcoin, as they rely on blockchains maintained by anonymous validators.[13] However, they also provide additional privacy features in various ways. For instance, Zcash, one of the largest privacy coins by market share, employs ZKPs to validate transactions without publicly revealing information about the transaction parties or value transferred.[14] Cryptocurrency mixers offer an extra privacy layer for other digital assets lacking endogenous privacy solutions.[15] Specifically, mixers are used to aggregate user deposits into large pools of funds, thereby concealing the identities of transaction participants and allowing them to obfuscate the origin and movement of their digital assets.[16] For example, Ethereum users can use a ZKP-based virtual currency mixer called Tornado Cash to sever the link between the sender and recipient addresses of a transaction.[17]
In recent months, both foreign and domestic government actors have targeted privacy-enhancing technologies. For instance, the U.S. Office of Foreign Assets Control imposed sanctions on Tornado Cash, a series of smart contracts that can be used to conceal transaction participants, rendering it illegal for U.S citizens to use the mixer.[18] Furthermore, Senators Elizabeth Warren (D) and Roger Marshall (R) plan to reintroduce the Digital Asset Anti-Money Laundering Act of 2022, which would mandate the Department of the Treasury to implement regulations prohibiting financial institutions from transacting with cryptocurrency mixers, privacy coins, and “other anonymity-enhancing technologies.”[19] In other regions, numerous jurisdictions have chosen to ban privacy-enhancing virtual currencies outright, and Alexey Pertzev, a publisher of Tornado Cash’s open-source code, remains imprisoned without bail in the Netherlands.[20]
Some defend these measures under the auspices of national security and to combat the use of digital assets in illicit financial activities, such as ransomware extortion, terrorist financing, and sanctions evasion.[21] These aims are certainly laudable, and it is readily apparent that illicit actors have used privacy coins and cryptocurrency mixers to facilitate their crimes.[22] However, current efforts to address these issues have unduly targeted the technology itself rather than the individuals exploiting them. These efforts are unnecessarily over-inclusive and hinder the ability of law-abiding citizens to use privacy-enhancing technologies for lawful and constitutionally protected purposes. For instance, the same technology that allows the North Korean regime to launder stolen funds also enables U.S. citizens to exercise their constitutionally protected associational rights, including the ability for human rights activists and Russian nationals to make donations to the Ukrainian war effort.[23]
The present attack on privacy-enhancing technologies is not a new phenomenon, but rather a continuation of the U.S. government’s decades-long effort to limit and criminalize the use and distribution of such technologies by its citizens. This campaign, commonly known as the “Crypto Wars,” involved unsuccessful government attempts to constrain technologies facilitating privacy in personal communications.[24] Privacy advocates of that era sought legal recourse to defend their privacy rights.[25] Today’s financial privacy proponents must draw from these past experiences to secure a future that upholds privacy in digital payment technologies.
The U.S. government’s pursuit of a monopoly on encryption technology during the “Crypto War 1.0” aimed to maintain its surveillance superiority over its international counterparts and domestic industries. In the 1970s the National Security Agency (“NSA”) held a near monopoly on the most advanced cryptographic methods of the era, enabling it to intercept and decrypt almost all forms of electronic communication.[26] As the global use of electronic communications proliferated, the NSA’s unique capabilities provided the U.S. with surveillance superiority over its international counterparts; an advantage the U.S. government sought to vigorously defend, even at the expense of its citizens and domestic industries.[27]
In 1972, the NSA covertly influenced the National Bureau of Standards to adopt a weaker version of the Bureau’s proposed Data Encryption Standard (“DES”) to allow the NSA to retain its cryptographic advantage and intercept private communications more easily.[28] The DES aimed to create a nationalized encryption protocol that would safeguard sensitive data across various industries.[29] The original DES proposal relied on an encryption method that, at the time, was economically and practically infeasible to crack.[30] However, at the NSA’s urging, the Bureau adopted an exponentially weaker standard that allowed the NSA to retain its encryption superiority over U.S. domestic industries.[31]
Moving from industries to individuals, the United States Customs Service (“USCS”) pursued a criminal investigation against Phil Zimmerman for violating the Arms Export Control Act by publishing his Pretty Good Privacy (“PGP”) encryption program online, which was designed to enable secure email communications.[32] At the time, the government used the Arms Export Control Act to categorize encryption software “alongside bombs and flamethrowers, as a weapon to be regulated for national security purposes.”[33] Worth noting is the fact that PGP used the same underlying encryption method that the NSA and successfully prevented from becoming the DES.[34] USCS ultimately dropped its investigation shortly after Zimmerman published PGP’s source code as a book, presumptively protected by the First Amendment, before seeking an export license.[35]
Daniel Bernstein’s challenge to regulations prohibiting the publication of encryption software marked the end of Crypto War 1.0. Similarly to Zimmerman, Bernstein developed an encryption software to secure communications and sought to publish the code online to share with scientific and academic communities.[36] However, the State Department’s International Traffic and Arms regulations required a license before such code could be published online.[37] The Ninth Circuit ruled that encryption software source code is protected expressive speech under the First Amendment, and that regulations prohibiting publication are an unconstitutional prior restraint.[38] Shortly thereafter, President Bill Clinton signed an executive order removing encryption from the list of munitions regulated by export controls, securing a victory for digital privacy advocates.[39]
While Crypto War 1.0 targeted the dissemination of encryption software, Crypto War 2.0 targeted companies using encryption in their consumer products. Following the San Bernardino terror attack in 2015, the FBI was unable to unlock a suspect’s recovered iPhone, despite seeking the NSA’s assistance in breaking the iPhone’s encryption.[40] The FBI obtained a writ ordering Apple to create software to weaken the iPhone’s encryption to aid law enforcement, but Apple opposed the order.[41]Apple contended that the FBI’s request sought to create a “backdoor” that could be used to bypass security on any iPhone and cited Bernstein v. United States Dept. of Justice in arguing that the order violated the First Amendment by unconstitutionally compelling speech activity.[42] While the appeal was pending, the Department of Justice withdrew its request after reportedly paying “professional hackers” to bypass the iPhone’s encryption.[43] While Apple successfully resisted government attempts to weaken its product security, regulators and legislators continue to target consumer applications of encryption-based technologies.[44]
The tension between technological advancements in privacy and the government’s aim to restrict privacy in the interest of national security is a persistent theme exemplified by the Crypto Wars. The current efforts to limit privacy-enhanced financial transactions indicate that a “Crypto War 3.0” has already begun. Therefore, those concerned with maintaining financial privacy in a digital age must learn from the experiences of the past and remain watchful and willing to defend their rights in court. The digital asset economy, in particular, may serve as a venue for privacy advocates to raise such challenges, as is happening in the case of Tornado Cash.[45] Nevertheless, regulators and lawmakers must also consider the lessons of the Crypto Wars and work to formulate regulatory policies that penalize wrongdoers while safeguarding individual privacy for law-abiding citizens. In doing so, they should heed Justice Douglas’s warning that that in the absence of privacy “freedom as the Constitution envisages it will have vanished.”[46]
[1] See MacKenzie Sigalos, Somebody Just Paid $1.3 Million for a Picture of a Rock, CNBC (Aug. 23, 2021, 6:17 PM), https://www.cnbc.com/2021/08/23/people-are-paying-millions-of-dollars-for-digital-pictures-of-rocks.html; David Yaffe-Bellany et al., Prosecutors Say FTX Was Engaged in a ‘Massive, Yearslong Fraud’, N.Y. Times (Dec. 13, 2022), https://www.nytimes.com/2022/12/13/business/ftx-sam-bankman-fried-fraud-charges.html#:~:text=FTX’s%20collapse%20kicked%20off%20investigations,Bankman%2DFried%20had%20helped%20start; Press Release, Sec. & Exch. Comm’n, SEC Charges Kim Kardashian for Unlawfully Touting Crypto Security (Oct. 3, 2022), https://www.sec.gov/news/press-release/2022-183.
[2] See generally Dubai Virtual Assets Regul. Auth., Virtual Assets and Related Activities Regulations 2023 (2023), https://www.vara.ae/media/Virtual%20Assets%20and%20Related%20Activities%20Regulations%202023.pdf [hereinafter Dubai Regulation]; Jack Schickler, Privacy-Enhancing Crypto Coins Could be Banned Under Leaked EU Plans¸ CoinDesk (Nov. 15, 2022, 6:21 AM), https://www.coindesk.com/policy/2022/11/15/privacy-enhancing-crypto-coins-could-be-banned-under-leaked-eu-plans/.
[3] See Miller Whitehouse Levine & Lindsey Kelleher, Self-Hosted Wallets and the Future of Free Societies 31 (2020), https://theblockchainassociation.org/wp-content/uploads/2020/11/Self-Hosted-Wallets-and-the-Future-of-Free-Societies.pdf; Jerry Brito, The Case for Electronic Cash, Coin Ctr. (Feb. 2019), https://www.coincenter.org/the-case-for-electronic-cash/.
[4] Eric Hughes, A Cypherpunk’s Manifesto, Activism (Mar. 9, 1993), https://www.activism.net/cypherpunk/manifesto.html.
[5] IBM, What is End-to-End Encryption?, IBM: Topics, https://www.ibm.com/topics/end-to-end-encryption (last visited Mar. 3, 2023).
[6] Kirk McElearn, 10 Ways End-to-End Encryption Protects Your Data, Your Privacy, and Your Bank Balance¸ Intego (Jan. 20, 2022), https://www.intego.com/mac-security-blog/10-ways-end-to-encryption-protects-your-data-your-privacy-and-your-bank-balance/.
[7] See Satoshi Nakamoto, Bitcoin: A Peer-to-Peer Electronic Cash System, Bitcoin, https://bitcoin.org/bitcoin.pdf (last visited Mar. 10, 2023);Benedict George, The Genesis Block: The First Bitcoin Block, CoinDesk (Jan. 3, 2023, 11:03 AM), https://www.coindesk.com/tech/2023/01/03/the-genesis-block-the-first-bitcoin-block/.
[8] See generally United States v. Miller, 525 U.S. 435 (1976) (holding that bank customers have no reasonable expectation of privacy under the Fourth Amendment in their bank records); Peter Van Valkenburgh, Electronic Cash, Decentralized Exchange, and the Constitution, Coin Ctr. (Mar. 2019), https://www.coincenter.org/electronic-cash-decentralized-exchange-and-the-constitution/.
[9] See Matt Di Salvo, Bitcoin’s Privacy Problem – And What Cypherpunks Are Doing to Solve It, Decrypt (Aug. 12, 2022), https://decrypt.co/107376/bitcoin-privacy-problem-what-cypherpunks-are-doing.
[10] See United States v. Gratowski, No. 19-50492 (5th Cir. 2020); Mark Rasmussen et al., No Search Warrant Required for Records of Bitcoin Transactions, the Fifth Circuit Holds, Jones Day: Insights (July 2020), https://www.jonesday.com/en/insights/2020/07/no-search-warrant-required-for-records-of-bitcoin-transactions-the-fifth-circuit-holds#:~:text=The%20Result%3A%20The%20Fifth%20Circuit,turns%20over%20to%20third%20parties.%22 (“The Fifth Circuit ruled that no search warrant is required to obtain records of Bitcoin transactions under the well-established doctrine that “a person generally has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”).
[11] See Andrea O’Sullivan, What are Mixers and “Privacy Coins”?, Coin Ctr. (July 7, 2020), https://www.coincenter.org/education/advanced-topics/what-are-mixers-and-privacy-coins/.
[12] Id.
[13] Id.
[14] Id.
[15] Alex Wade et al., How Does Tornado Cash Work?, Coin Center (Aug. 25, 2022), https://www.coincenter.org/education/advanced-topics/how-does-tornado-cash-work/.
[16] See Brad Bourque, OFAC’s Tornado Cash Sanctions and the Problem of Immutability, Fordham J. Corp. & Fin. L. Blog (Oct. 30, 2022), https://news.law.fordham.edu/jcfl/2022/10/30/ofacs-tornado-cash-sanctions-and-the-problem-of-immutability; Usman Chohan, The Cryptocurrency Tumblers: Risks, Legality and Oversight, Discussion Paper Series: Notes on the 21st Century (Nov. 30, 2017), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3080361.
[17] Id.
[18] See Press Release, Office of Foreign Assets Control, U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash (Aug. 8, 2022), https://home.treasury.gov/news/press-releases/jy0916; Press Release, Office of Foreign Assets Control, Treasury Designates DPRK Weapons Representatives (Nov. 8, 2022), https://home.treasury.gov/news/press-releases/jy1087.
[19] See Press Release, Sen. Elizabeth Warren, Warren, Marshall Introduce Bipartisan Legislation to Crack Down on Cryptocurrency Money Laundering, Financing of Terrorists and Rogue Nations (Dec. 14, 2022), https://www.warren.senate.gov/newsroom/press-releases/warren-marshall-introduce-bipartisan-legislation-to-crack-down-on-cryptocurrency-money-laundering-financing-of-terrorists-and-rogue-nations.
[20] See Dubai Regulation, supra note 2; Schickler, supra note 2; Jack Schickler, Tornado Cash Developer to Stay in Jail as Dutch Trial Continues, CoinDesk (Feb. 15, 2023, 12:02 PM), https://www.coindesk.com/policy/2023/02/15/tornado-cash-developer-to-stay-jailed-as-dutch-trial-continues/.
[21] See Warren, supra note 19; Financial Action Task Force, 12-Month Review of the Revised Standards on Virtual Assets and VASPs 2-3 (2020), https://www.fatf-gafi.org/media/fatf/documents/recommendations/12-Month-Review-Revised-FATF-Standards-Virtual-Assets-VASPS.pdf.
[22] See Press Release, supra note 18; Elliptic Intel, North Korea’s Lazarus Group Identified as Exploiters Behind $540 Million Ronin Bridge Heist, Elliptic (Apr. 14, 2022), https://www.elliptic.co/blog/540-million-stolen-from-the-ronin-defi-bridge.
[23] See Vitalik Buterin (@VitalikButerin), Twitter (Aug. 9, 2022, 4:49 AM), https://twitter.com/VitalikButerin/status/1556925602233569280; Jerry Brito & Peter Van Valkenburgh, Coin Center is Suing OFAC Over its Tornado Cash Sanction, Coin Ctr. (Oct. 12, 2022), https://www.coincenter.org/coin-center-is-suing-ofac-over-its-tornado-cash-sanction/.
[24] See Daniel Oberhaus, How the Government is Waging Crypto War 2.0, Vice (Aug. 10, 2016, 11:40 AM), https://www.vice.com/en/article/jpgvy3/encryption-debate-the-end-of-end-to-end.
[25] See, e.g., Bernstein v. United States Dept. of Justice, 176 F.3d 1132 (9th Cir. 1999).
[26] See Steven Levy, Crypto: How the Code Rebels Beat the Government – Saving Privacy in the Digital Age 56-63 (2001); Henry Corrigan-Gibbs, Keeping Secrets, Medium: Stan. Mag. (Nov. 7, 2014), https://stanfordmag.medium.com/keeping-secrets-84a7697bf89f.
[27] See Steven Levy, Crypto: How the Code Rebels Beat the Government – Saving Privacy in the Digital Age 56-63 (2001).
[28] Id.
[29] Id.
[30] Id.
[31] See id. The DES relied on an encryption key comprised of “bits” to secure the algorithm against brute force attacks. Id. The more bits in a key, the more secure the encryption protocol. See id. The proposed DES relied on a 128-bit key which, at the time, would have been financially and technologically infeasible to crack. Id. However, at the NSA’s urging, the Bureau adopted an exponentially weaker 56-bit key for DES. Id.
[32] See Ronald J. Stay, Cryptic Controversy: U.S. Government Restrictions on Cryptography Exports and the Plight of Philip Zimmerman, 13 Ga. St. U. L. Rev. 581 (2012), https://readingroom.law.gsu.edu/cgi/viewcontent.cgi?referer=&httpsredir=1&article=2264&context=gsulr.
[33] See Elec. Frontier Found., A History of Protecting Freedom Where Law and Technology Collide, EFF, https://www.eff.org/about/history (last visited Mar. 10, 2023).
[34] Both PGP and the DES Proposal utilize 128-bit public keys. See Levy supra note 27; CBR Staff Writer, Pretty Good Privacy Ships 128-Bit Encryption Package, Tech Monitor (June 17, 1997), https://techmonitor.ai/technology/pretty_good_privacy_ships_128_bit_encryption_package_1.
[35] See John Markoff, Data-Secrecy Export Case Dropped by U.S., N.Y. Times (Jan. 12, 1996), https://www.nytimes.com/1996/01/12/business/data-secrecy-export-case-dropped-by-us.html; Philip Zimmermann, Author’s Preface to the Book: “PGP Source Code and Internals, Philzimmerman.com (Nov. 1994), https://philzimmermann.com/EN/essays/BookPreface.html.
[36] See Elec. Frontier Found, Bernstein v. US Department of Justice, EFF, https://www.eff.org/cases/bernstein-v-us-dept-justice (last visited Mar. 10, 2023).
[37] Id.
[38] Id.; Bernstein v. United States Dept. of Justice, 176 F.3d 1132 (9th Cir. 1999).
[39] See Oberhaus supra note 24.
[40] See Jenna McLaughlin, NSA Looking to Exploit Internet of Things, Including Biomedical Devices, Official Says, Intercept (June 10, 2016), https://theintercept.com/2016/06/10/nsa-looking-to-exploit-internet-of-things-including-biomedical-devices-official-says/.
[41] See Josh Gerstein, Apple Files Appeal in San Bernardino iPhone Case, Politico (Mar. 2, 2016, 2:21 AM), https://www.politico.com/blogs/under-the-radar/2016/03/apple-files-appeal-in-san-bernardino-iphone-case-220109.
[42] See Tim Cook, A Message to Our Customers, Apple (Feb. 16, 2016), https://www.apple.com/customer-letter/; Kim Zetter & Brian Barrett, Apple to FBI: You Can’t Force Us to Hack the San Bernardino iPhone, Wired (Feb. 25, 2016, 3:47 PM), https://www.wired.com/2016/02/apple-brief-fbi-response-iphone/.
[43] Ellen Nakashima, FBI Paid Professional Hackers One-Time Fee to Crack San Bernardino iPhone, Wash. Post (Apr. 12, 2016), https://www.washingtonpost.com/world/national-security/fbi-paid-professional-hackers-one-time-fee-to-crack-san-bernardino-iphone/2016/04/12/5397814a-00de-11e6-9d36-33d198ea26c5_story.html.
[44] See Michael Riley & Jordan Robertson, Secret Memo Details U.S.’s Broader Strategy to Crack Phones, Bloomberg (Feb. 19, 2016, 5:00 AM), https://www.bloomberg.com/news/articles/2016-02-19/secret-memo-details-u-s-s-broader-strategy-to-crack-phones; Joe Mullin, It’s Back: Senators Want EARN IT Bill to Scan All Online Messages¸ Elec. Frontiers Found. (Feb. 3, 2022),
https://www.eff.org/deeplinks/2022/02/its-back-senators-want-earn-it-bill-scan-all-online-messages.
[45] See Brito & Van Valkenburgh, supra note 23.
[46] Osborn v. United States, 385 U.S. 323, 354 (1966) (Douglas, J., dissenting).
