CryptoReflexions#1 - Privacy and crypto-assets: an impossible marriage?
“Privacy is necessary for an open society in the electronic age. Privacy is not secrecy. A private matter is something one doesn’t want the whole world to know, but a secret matter is something one doesn’t want anybody to know. Privacy is the power to selectively reveal oneself to the world.” These lines are taken from the Cypherpunk manifesto written in 1993 by Eric Hughes.
This imperative need for an alternative to the electronic payment system mentioned by Eric Hughes was addressed by Satoshi Nakamoto, the creator of Bitcoin, who offered the whole world the computer code to create a peer-to-peer payment system. This system allows users to maintain their anonymity while using distributed ledger technology.
The philosophy of crypto-assets and the right to privacy are closely linked.
With the growing adoption of crypto-assets, legislators worldwide have had to legislate to regulate the practices of certain actors. All legislation applicable to the sector has two objectives: on one hand, consumer protection, and on the other, the fight against money laundering and terrorist financing.
Tirelessly, these objectives are put forward to justify all measures and all interferences with the fundamental rights of individuals.
However, fundamental rights are guaranteed by national and international texts, and the conditions under which a State may interfere with these rights are strict and must be respected.
It is this second objective that will hold my attention.
Indeed, the rules that apply, or will apply in the medium term, through the MiCA Regulation or the regulation on transfer of funds aim to impose identification measures on the parties involved in a transaction.
For those familiar with the subject, this is the set of measures and means taken as part of KYC (know your customer).
This fight against money laundering and terrorist financing is invoked at every turn to justify interferences in individuals’ privacy.
The right to privacy: a fundamental freedom protected by the European Union
In a span of 6 months, the Court of Justice of the European Union issued three decisions on the respect of the right to privacy.
The lessons from these decisions are useful and must be taken into account by actors in the crypto-asset sector and the authorities of each State.
First, it should be recalled that there is a Charter of Fundamental Rights of the European Union adopted by the European Union on December 7, 2000. This charter supplements other texts protecting individual freedoms.
Among the protected rights, Article 7 of the Charter provides that “every person has the right to respect for his or her private and family life, home and communications.”
Article 52 of the Charter indicates, however, that “any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.”
This fundamental freedom was at the center of three decisions by the Court of Justice of the European Union handed down during 2022.
On three occasions, the Court held that the interference, although motivated by objectives of general interest, was disproportionate.
In case C-817/19 of June 21, 2022, the facts concerned Belgian legislation regarding the transposition of the Passenger Name Record directive.
Belgian law went far beyond what was provided for in the directive regarding the data retention period and the cross-referencing of PNR data with other databases. Belgian law did not limit collection to real and current terrorist threats and serious crime connected with air transport of passengers. The offenses covered actually fall under ordinary crime given the specificities of the national criminal system, and even went so far as to provide for processing “for the purpose of improving controls on persons at external borders and for the purpose of combating illegal immigration.” Moreover, the general 5-year retention period, while the directive provides for an initial retention period of six months, does not appear to be limited to what is strictly necessary with regard to air passengers.[1]
In joined cases C-37/20 and C-601/20 of November 22, 2022, it was Luxembourg legislation on the register of beneficial owners that was struck down. This law gave the general public access to information on beneficial owners. The information made available to the public concerned the identity of the beneficial owner as well as the nature and extent of their beneficial interests held in companies or other legal entities. According to the Court, this information is likely to enable the drawing up of a profile concerning certain personal identification data of a more or less extensive nature, the financial situation of the person concerned, as well as the economic sectors, countries, and specific companies in which that person has invested. Added to this is the fact that it is inherent in such making available to the general public that this information is then accessible to a potentially unlimited number of persons, so that such processing of personal data may also enable persons who, for reasons unrelated to the objective pursued by that measure, seek information on the material and financial situation of a beneficial owner, to freely access that information.
Finally, in case C-694/20 of December 8, 2022, it was the transposition of a European directive by the Flemish Region (Belgium) that was sanctioned. In this case, Flemish lawyers were subject to information disclosure obligations to the authorities. According to the Flemish Bar Association, it is impossible to comply with this disclosure obligation without violating the professional secrecy to which lawyers are bound. Furthermore, this disclosure obligation would not be necessary for the purpose of ensuring that cross-border arrangements are declared, since the client, whether or not assisted by a lawyer, can themselves inform other intermediaries and ask them to fulfill their reporting obligation. The Court confirmed that this legal obligation is contrary to the right to respect for communications between a lawyer and their client, guaranteed by Article 7 of the Charter, insofar as it provides, in essence, that the lawyer intermediary, subject to professional secrecy, is required to notify any other intermediary who is not their client of the reporting obligations incumbent upon them.
All of these decisions recall the importance of fundamental freedoms, and that the unfortunate tendency of States to interfere freely with these freedoms in order to combat this or that behavior has its limits.
Know your customer and the implementation of white lists: the false good idea?
Black or white lists are used in several sectors. Dangerous or harmful products, companies, or types of clauses can be blacklisted, for example.
Here, I will focus solely on the question of lists containing crypto-asset wallet addresses and therefore, ultimately, lists containing natural or legal persons.
The black list
In principle, a black list includes persons who have been considered or judged as having (had) behavior contrary to a rule. This blacklisting can be preventive or punitive.
Preventive listing covers the case where there are suspicions that a person may have contravened a rule.
Punitive listing covers the case where a person is convicted and, as a sanction or in order to enforce the sanction imposed, is placed on this list.
This black list is generally managed by a centralized authority to prevent arbitrary or deliberately harmful listings.
Imagine a distributed/shared black list where anyone could preventively list the name of a person they suspect of having committed illegal behavior: one can easily imagine the abusive nature of such listings, besides the lack of legitimacy such a list would have under those conditions.
Punitive black lists are, to my knowledge, much more common than preventive black lists for the reasons I will examine below.
The white list
I would define a white list as a list on which a person is registered if they meet certain conditions determined by a centralized authority. This registration grants a right of access to certain goods or services, for example.
In the world of crypto-assets, the white list system is regularly used by new projects.
Only persons registered on the white list will have access to this new project before it becomes accessible to the public.
The Tornado Cash case: listing by OFAC
The debate on the use of this type of list arises in the area of anti-money laundering and more particularly in the context of discussions relating to the European regulation on the transfer of information. This regulation, currently applicable to the banking sector, should see its scope extended to the crypto-asset sector.
The draft regulation notably provides for the implementation of the “travel rule” (see below).
In August 2022, the question arose again concerning the Tornado Cash protocol (more info on Tornado Cash here).
The latter was placed on a (black) list maintained by OFAC, a financial control body under the U.S. Department of the Treasury (on the illegality of this listing, see here).
This listing has the consequence, among others, that all persons who have had connections with transactions that passed through Tornado Cash must be blocked.[2]
Violation of this obligation is subject to sanctions, and a number of actors in the crypto-asset world have seen their funds frozen following this listing, without having been tried or convicted of any wrongdoing or offense.
Merely using a tool was therefore sufficient to be sanctioned.
No trial and a presumption of guilt… We are far from the democratic values defended by our elected officials.
The travel rule applied to crypto-assets
The “travel rule,” which currently applies to bank transfers, would be extended to require crypto-asset service providers to collect and make available similarly detailed information about the identity of the parties involved in crypto-asset transfers.
This rule, proposed by the FATF (Financial Action Task Force), concerns crypto-asset service providers (CASPs, see below). It requires the collection of personal data of the parties involved in crypto-asset transfers starting from an exchange of more than EUR 1,000.
The data to be collected is that which identifies both parties to a crypto-asset transfer (the names of the parties, as well as the address, country, official identity document number, customer identification number, or date and place of birth of the sender) and links their identity to the account number (payment or crypto-asset) or to the crypto-asset wallet address.[3]
According to the latest version of the text available, this regulation would therefore not concern “transfers that constitute person-to-person crypto-asset transfers made without the involvement of a crypto-asset service provider.” In other words, the regulation does not apply to crypto-asset transfers between decentralized wallets (unhosted or non-custodial).
The crypto-asset service provider (CASP)
If we follow the reasoning of the authorities, the legislation will apply to everyone on the grounds that some individuals have used the blockchain for criminal purposes.
The reality is that today identification is facilitated due to the KYC requirements imposed at various entry points into the crypto-asset world. Indeed, again under the impetus of the FATF, a licensing regime has been suggested for virtual asset service providers (VASPs).
This regime concerns crypto-asset service providers and more particularly providers that offer a conversion service between fiat currency and crypto-assets or that provide a crypto-asset custody service for their clients.
Each European country has implemented this regulation following the amendment of the directive on combating money laundering and terrorist financing. France created the PSAN (digital asset service provider) while Belgium implemented this legislation by creating the VASP (more info on the Belgian regime).
It should also be noted that the European MiCA regulation targets this type of provider under the designation CASP (crypto-asset services provider).
These entities are now subject to anti-money laundering legislation which notably requires precise and complete identification of all their clients.
How far will this go?
Faced with this regulatory flood, a legitimate fear may arise among crypto-asset users. There is indeed a more or less significant encroachment by the State on the world of crypto-assets.
A user may be acting perfectly legitimately, yet since the history of our transactions is known to all, that user could be “identifiable” by tracing back through the transactions linked to a wallet. For example, by spotting this or that transaction, whether or not it is linked with others, one could know and/or determine who used that wallet.
The demagogic argument is “no big deal because I have nothing to hide.”
Let’s not fall into this trap… The right to privacy has existed for decades and it was not created for criminals. Let’s keep that in mind… Privacy is a fundamental right guaranteed by international conventions, I remind you.
Moreover, I like to use the example of a restaurant outing with friends. It often happens that, for convenience, one person in the group pays for everyone and then each person reimburses their share. Applications like Tricount were created to help with the accounting (good accounts make good friends, as the saying goes :)). So, in principle, nothing iconoclastic or outlandish. This situation happens regularly.
With a system like Tornado Cash, you can pay your share without having to reveal the entire history of your transactions to your friend.
One could have a main wallet where “all our funds” are and use Tornado to create a “sub-wallet” for peer-to-peer payment.
So, are you a criminal for doing this, Mr. Lawyer? In my opinion, no.
And the presumption of innocence?
Although the travel rule will not apply to all wallets, the idea of a future extension of the regime to other transfers is not far-fetched given the growing appetite of authorities to control this sector.
From a purely intellectual standpoint, I asked myself how the crypto-asset world would function if all wallets had to be subject to the travel rule and therefore, ultimately, to a permanent identification requirement.
It is within the framework of this purely fictional reflection that white lists or black lists make their reappearance in the reasoning.
If we start from the premise that all owners of centralized wallets are identified by the CASP, only owners of unhosted wallets will need to provide their personal data to continue interacting.
The implementation of such an obligation can be done in different ways.
The one that seems most “probable” will be based on the creation of a white list and a black list.
Create a white list of identified unhosted wallets
Each owner of an unhosted wallet, to continue interacting, will then have to provide their information to a centralized third party who can then register the address on a white list. The idea here is obviously not to have the data disclosed to anyone, but rather to know whether the address owner has identified themselves. I will surely write another post on the subject because the use, for example, of ZK proofs could allow an elegant implementation of these obligations.
This registration will then allow the owner of the identified unhosted wallet to use their crypto-assets in “full legality.”
Create a black list of unhosted and unidentified wallets
Conversely, owners of unhosted wallets who do not identify themselves will be listed on a “black” list cataloging all owners of unhosted and unidentified wallets.
As everyone knows, it is not possible to block a transaction on a blockchain. If an owner of an unhosted and unidentified wallet wishes to send crypto-assets to a hosted and identified wallet, they can do so, but the recipient of the crypto-assets will be subject to sanctions or suspension of services for “violation” of a CASP policy.
It will therefore be necessary to identify oneself to continue using one’s crypto-assets.
This obligation to identify oneself is, let us recall, linked to the implementation of provisions for combating money laundering and terrorist financing.
Under the guise of fighting criminal offenses, each person will have to identify themselves.
This obligation is, in a way, in direct opposition to the principle of presumption of innocence since, de facto, the absence of identification will place the wallet owner on a “black list” and any transaction made by the wallet owner will be viewed with suspicion due to the lack of identification.
Do you think this measure would withstand scrutiny by the Court of Justice of the European Union in light of the last three decisions handed down?
In my opinion, there is room for debate and it does not seem obvious to me that this type of measure would be considered suitable and necessary for achieving the objective of combating money laundering and terrorist financing.
In conclusion
To conclude, I think it is necessary to propose a solution. Criticism must be constructive.
The solution is simple: there must be a check at the entry and exit of the crypto-asset world.
At entry, it must be ensured that the funds used to acquire crypto-assets have a demonstrated lawful origin.
At exit, it must be ensured that the crypto-assets sold for fiat currency were acquired using funds whose lawful origin has been demonstrated, either by having purchased them with lawful funds or by mining crypto-assets with machines that were themselves purchased with funds whose lawful origin has been demonstrated.
There is no need to provide for more than these measures since the traceability offered by the blockchain will ensure the veracity of the information given by the user.
Let us also recall that protocols like Tornado Cash offered a technical means to demonstrate the lawful origin of “mixed” funds, in order to comply with provisions implemented to combat money laundering and terrorist financing.