ANALYSIS

The last few weeks have been tense for those who take privacy issues seriously. First, there was Edward Snowden with yet another massive NSA leak, substantiating the suspicions, already thick in the air, that intelligence services are really after Bitcoin users’ personal information. Then, in the midst of the fallout from the news that Facebook had casually handed the private data of its 87 mln users to an unsavory electioneer firm, US Congress sneaked in a major piece of online privacy legislation, known as the Clarifying Lawful Overseas Use of Data (CLOUD) Act.

The document was tagged onto the coattails of a trillion-something-dollar omnibus spending bill, and therefore had no chance for any earnest legislative review of its own. Despite the initial uproar that it stirred among both online privacy activists and some prominent figures in the crypto community, the immediate public concern for the issue appears to be fading. Let’s not dismiss it as quickly, though: while the CLOUD Act’s implications on privacy regulation are already kicking in profoundly, it is worthwhile to take a thorough look at what’s inside the law and what it holds for cryptocurrency users.

Who is behind, for, and against the CLOUD Act

Sponsored by a soon-to-be-retired Republican Senator Orrin Hatch, the bill found few outspoken opponents on the Capitol Hill. The notable yet unsurprising exception was the libertarian Rand Paul, who unleashed a series of fiery tweets on the Act in the days building up to the vote. The most prominent public opposition came from a lineup of advocacy groups: a coalition led by The American Civil Liberties Union (ACLU), which in a lettercalled the Act nothing but “a grave threat to civil liberties,” as well as from the aforementioned Electronic Frontier Foundation, the group that voiced concerns about the CLOUD Act’s potential to enable the government to circumvent the Fourth Amendment.

For an outside observer, it might seem counter-intuitive that the united front of the tech’s big guns, including Apple, Google, Facebook, Microsoft and Oath, had earlier pledged unanimous support for the initiative that is designed to urge them to share users’ data with the government. Yet, it starts to make much more sense if you factor in the years-long courtroom thriller that came to be known as United States v. Microsoft Corp. A now-Supreme Court case, it deals with exactly the same issue as the one the CLOUD Act addresses. That is, whether an American tech company can refuse to comply with a court-ordered search warrant that seeks access to user data stored on a server outside of the United States.

The case emerged with regard to a 2013 federal government’s warrant ordering Microsoft to turn over to law enforcement an email stored at its Irish data center. Supreme Court should have made its decision this summer; by all projections, Microsoft’s chances to emerge victorious were slim. The Supreme Court’s likely reversal of the circuit decision (which was in favor of Microsoft) would have created a clear precedent for all similar cases to come — the one that big tech wouldn’t like at all.

The CLOUD Act presents a more palatable way out of this gridlock for communication platforms. Not only it lays down a nonambiguous legal framework to go by in similar cases but also provides the US companies with a firmer vantage point when handling such requests vis-à-vis foreign governments. The Department of Justice has already initiated the process of nullifying the case, while both Supreme Court justices and Microsoft representatives seemed anything but disappointed with the United States v. Microsoft Corp. going moot.

What exactly is in the CLOUD Act?

Essentially, the Act does two things with the data that American tech companies store. First of all, it extends the US government’s jurisdictional reach over them, regardless of the hosting data center physical location. Furthermore, it redefines the rules of the US international cooperation over data matters, simplifying the procedure and almost entirely relieving it of judicial review.

The first clause is quite straightforward. From the day the CLOUD Act is signed into law, all data hosted by any American provider anywhere in the world is a fair game for the US law enforcement, from local police to feds. If there is a court-ordered warrant, it has to be honored. However, it is the international cooperation part that appears to be the most contentious. The Act compels the US providers of electronic communication services (ECS) or remote computing services (RCS) to honor the same requests from foreign governments who have signed bilateral agreements with the United States.

The CLOUD Act amends the 1986 Stored Communications Act, from where it also draws the antiquated language of the ECS’s and RCS’s. Under the old law, the international procedure included signing Mutual Legal Assistance Treaties (MLATs), agreements that required Congressional approval. The new legislation eliminates the legislative review and vests the power to approve bilateral agreements in the executive, namely the attorney general and the secretary of state.

In effect, this means that the executive branch gets to unilaterally decide which governments are granted access to Facebook and Google users’ data. The law contains the language compelling the US officials to ensure that the partner nation’s legal system has robust enough protections for citizens’ privacy, and the requests do not serve to abridge free speech. Yet privacy advocates cite the vagueness of these formulations and lack of concrete criteria that the executive is to apply. Another big concern is that under the CLOUD Act, unlike the law it had amended, foreign governments’ requests for data can be approved without going to a US court.

While privacy advocates complain about all the discretion that the Act endows the executive with, along with the general lack of procedural transparency and oversight, some legal minds suggest that the new system might actually prove more efficient than the MLATs-based one. The ongoing requests will be settled quickly without the need to wait for months and months for a Congressional approval.

Overall, the experts envision a world where the United States would form a “club” of like-minded nations with similar legal systems. Members of this club, bound by bilateral agreements with the US, will cooperate extensively in sharing user data for law enforcement purposes. The data stored in non-member countries will still be accessible to the US officials on court order, but the hosting countries’ national laws will become irrelevant in such cases.

What’s in all that for crypto

The major problem that any government has with cryptocurrencies is that they allow for anonymous transactions. Now, the catch is that most of the cryptocurrencies are not anonymous, as the popular line goes, but rather pseudonymous. Once it becomes possible to link, say, a Bitcoin address to its owner’s identity, the public ledger is wide open to track down all the transactions that have ever gone through the person.

Governments have an obvious interest in establishing such links. Forensic analysis of Blockchains has grown into a lucrative industry, with leading enterprises such as Chainalysis and Elliptic cooperating with law enforcement agencies globally. We have learned well that the IRS is eager to know crypto traders’ identities for the sake of taxing their gains, while the NSA wants to trace every satoshi that had ever possibly gone through terrorist supply chains. The incentives and the tools are both in place. Now, the CLOUD Act comes in.

Who is targeted?

The first question is the scope of the law. Which companies will be compelled to turn users’ private details over to the US and foreign governments? As in the Stored Communications Act of 1986, the language is still all about good old providers of “electronic communication services” and “remote computing services”– the spirits from the early days of the internet. But who are those? Over more than three decades of rulings, courts have applied these labels to all sorts of entities, from a city providing pager services to its police officers, to an airline that ran a centralized electronic booking system. The good news is that in all these cases organizations deemed ECSP’s were actually allowing for exchange and storage of messages; simply keeping user’s personal data did not automatically make a website qualify as an ECSP. Under this logic, online exchanges such as Coinbase or Kraken, which do not allow for users to exchange messages, would be out of the scope of the Act. Then again, we all remember too well that IRS has its own means of compelling crypto exchanges to turn over user’s data.

Within the scope of the CLOUD Act, though, there are companies that directly facilitate communication: email services, social networking platforms, and messengers. It might seem not that big of a deal on the face — after all, who shares their BTC wallet addresses on Facebook? We don’t have surveys on that one, but common sense suggests that not so few. Before a crypto transaction can take place, the parties should somehow communicate all the necessary details to each other, and not everyone uses encrypted messengers for that end. Personal communications are therefore potentially rife with details that are at least indirectly related to people’s crypto identities.

What information can law enforcement obtain?

Under the Fourth Amendment, the government can only look for the evidence that the court-ordered search warrant authorizes it to look for. If, say, the police is inside someone’s house looking for a dead body, the pack of weed that they happen to spot under the kitchen sink cannot be used in court as the evidence of an unrelated crime that the deputies had occasionally discovered along the way. Well, at least that is how it is supposed to work. Similarly, when the NSA sifts through a suspect’s email for terrorist propaganda and comes across the BTC wallet addresses of all presumptively innocent people with whom the suspect had ever transacted for unrelated ends, they should leave this information alone. However, the temptation is there not to. And with lack of oversight, the temptation gets even greater.

The software that the “Blockchain detective” startups rely on performs network analysis to identify clusters of associated wallets. The efficiency of this kind of inference is proportional to the amount of data that is the input to the model. Thus, there is a clear incentive for investigators to have the most complete data even on those who are not directly involved in crimes, so that they can better chart the Blockchain network. Recent Snowden revelations illustrated how intelligence services are ready to go to great lengths in obtaining crypto users’ data, and how unscrupulous they may be in choosing the means of doing so. Of course, where there are tools like tapping into raw backbone traffic and creating whole bogus VPN services at play, unauthorized collection of incidental user data while searching under legitimate warrants might seem not a big deal. However, it is still a feasible scenario under which law-abiding citizens, which the vast majority of crypto users are, can lose control over their personal data.

If that is what the US intelligence agencies routinely do already, the passage of the CLOUD Act is unlikely to make a whole lot of difference beyond granting them potential access to even more data stored by domestic telecoms. What makes the Act profoundly consequential on the global scale, though, is that it could provide as wide latitude to other countries’ law enforcement. For sure, these governments will not be among the most oppressive ones, but the lack of due process in approving bilateral agreements, as well as the lack of judicial oversight in handling individual requests for data, might produce an environment where the power of law enforcement to request and use personal information of Facebook, Twitter, and Gmail users around the world goes almost entirely unchecked.

Intimidating as it sounds, there is also another possibility that privacy advocates tend to consider less frequently: that the new rules for data use could prove efficient in helping law enforcement do their job. While this remains quite possible, it is also true that very soon more people, in raw numbers, will be getting access to more sensitive data, among which your wallet address and crypto transactions may accidentally come across. If this thought makes you uncomfortable, following Andreas Antonopoulos’ advice and “going dark” remains a good option.

By Kirill Bryanov