Part III - Sleepwalking into Mass Surveillance: Europe’s Last Chance to Be the Beacon of Privacy and Innovation
In this last part, we summarize the key arguments brought by the crypto industry against the proposed new crypto regime in Europe and add some arguments of our own. We conclude with a call to action.
A. Key objections to the proposed crypto rules in Europe
Since the European Parliament’s vote, there have been a number of standalone submissions gathering ammunition and support for changes to the proposed rules, such as the recent open letter by unstoppable.fi, a tweet thread by Coinbase’s Brian Armstrong, and a long-form submission titled “How Can Europe Lead Innovation And Win Web3?” by Seth Hertlein, VP Global Head of Policy at Ledger.[1]
The objections can be grouped into fundamental rights and privacy arguments, technology concerns, and economic grounds.
1. Fundamental rights
The Ledger paper referred to above is the most articulated about the dangers of including unhosted wallets in the TFR’s transfer rule (see Part II).
Its starting point is that the current global Anti-Money Laundering (AML) regime has failed: more is actually being spent every year on compliance around the world than what is being generated from crime.[2]
For those who counter-argue that crime is lower because more is being spent in fighting crime under the existing AML regime, a second stat is even more sobering: only an estimated 1.1% of criminal proceeds are traced and confiscated.
In Europe for instance, for every 1 EUR in criminal proceeds recovered, businesses spend EUR 600 to comply with AML rules, a ratio of 600/1.
In addition, whilst money laundering is undeniably a problem, it is not a crypto problem: According to a recent study by Chainalysis, only 0.15% of cryptocurrency transactions in 2021 involved some element of criminality.
The study estimated that money laundering accounted for just 0.05% of all cryptocurrency transaction volumes in 2021. In US$ terms, Chainalysis reports that $8.6 billion worth of cryptocurrency was laundered in 2021, which equates to 0.009% of global GDP.[3]
TradFin, rather than crypto, remains any crook’s preferred syphon for financial proceeds, with criminals beating law enforcement an estimated 99.95% of the time, despite the immense AML compliance burdens on the financial industry and the corresponding cost to consumers.
Speak to any practitioner, be it a lawyer or an accountant or a compliance officer within a bank or fintech company, and they will all confirm what the numbers show: the current AML burdens are absurd and simply don’t work.
The FATF dogma and its 37 unelected priests
As the Ledger submission puts it in the context of the TFR proposals:
The approach of the TFR is to take an already broken system and ask it to do more.
In essence, we are asked to sacrifice fundamental rights to privacy and financial freedom on the altar of 37 priests in an unelected body called the Financial Action Task Force[4] who dogmatically stick to an AML orthodoxy that has an abysmal record of preventing and recovering criminal proceeds that flow through the fiat banking system.
As seen in Parts I and II, Europe’s crypto proposals now expand on FATF’s non-binding recommendations in the following ways:
- by making its definition of who is considered a Crypto Asset Service Provider (the equivalent to FATF’s “Virtual Asset Service Provider” or VASP) significantly broader than FATF’s definition;
- by sticking to an unworkably low automatic reporting threshold for all crypto transactions which involve a CASP - suspicious or not - over EUR 1,000;
- by introducing a right for national AML authorities to request a report even for transactions under the EUR 1,000 threshold.
A real-time X-ray of your entire financial life
TFR transaction reports would effectively enable authorities to trace all transactions of its citizens and get a real-time X-ray of each citizen’s entire financial activity, past and future, at all times and in perpetuity.
Not only would such reporting include financial information on CASP’s users themselves but also, under current proposals, all unhosted wallets that send or receive crypto to a CASP user.
In contrast to the legacy financial system which limits reporting to a specific transaction and keeps user information siloed on its central servers, reporting on one blockchain wallet essentially creates a map of all transactions linked to it.
Put differently: as a user who receives a transaction from a given CASP, without your consent to the collection and disclosure of your private information, you would have your identity and entire wallet history and future transactions exposed to both that CASP and the government in perpetuity as a result of the reporting requirements TFR puts on the originator of the transaction.
Such a regime applied to crypto transactions immensely exceeds the amount of information governments currently have the right or ability to obtain in respect of fiat transactions.
E.U. jurisprudence has established that any limitation on the exercise of fundamental rights must be provided for by law, respect the essence of those rights and freedoms, satisfy the principle of what in the E.U. is known as proportionality, and may only be made if necessary and genuinely meets objectives of general interest recognized by the Union or the need to protect the rights and freedoms of others.[5]
Specifically in relation to data gathering, on April 8, 2014, the European Court of Justice (ECJ) struck down EU Directive 2006/24 requiring the collection, retention, and disclosure to competent government authorities of all telecommunications traffic (phone, email, internet) in order to facilitate the prevention and prosecution of crime.[6]
We believe the proposed rules as they stand would be struck down on similar grounds.
More generally, the proposals contradict the genuine concern Europe has historically shown for people’s privacy and individual rights, and create a deeply concerning regime of mass-surveillance of its citizens that will bring Europe closer to China-style Orwellianism.
Not only would TFR put people’s private lives under constant surveillance, we believe it offends a fundamental right to human dignity which kicks in every time governments start distrusting their own citizens and feel the need to spy on them.
2. Technology concerns: All the honey in the world
There are also technology-specific reasons why the TFR proposals represent a cybersecurity and even physical harm risk.
As a result of blockchain’s transparency, linking real-world identities to unhosted wallets will, if such information were to be abused or doxxed, publicly expose an individual’s entire financial life and transaction history, and allow for all future transactions to be traced.
There is plenty of precedent showing that both public and private organizations have not been able to safeguard the sensitive information they are required to store, and we should be wary of proposals that ask them to store more.
For hackers, the reporting requirements under TFR are the ultimate honeypots: they will do everything to access the giant troves of valuable data across both government agencies and CASPs, which is likely to intensify both the frequency and severity of hacks, data breaches, and leaks.
Criminals would have everything they need to attack citizens virtually and even physically, since the TFR would require CASPs and government agencies to collect and retain Personally Identifiable Information (PII) including CASP users’ (and non-users’!) physical addresses and blockchain transaction data including asset amounts and wallet addresses.
Any criminal who is able to link a blockchain address and a home address could see exactly how much crypto someone owns and choose either to attack them virtually, through hacking, phishing or other online frauds, or physically, by means of robbery, kidnapping, and extortion.
Ironically, the transparency and openness of a new technology that originated from a desire to liberate and enhance citizens’ sovereignty could, under the wrong set of rules, become more dangerous than the legacy technology it seeks to replace.
3. The economic case: The death knell for DeFi in Europe
Thirdly, there is an obvious economic argument against the proposed rules.
In our assessment, the proposed regulations, if adopted as they stand, may effectively be the death knell for DeFi in Europe by bringing the open-source development of software within the regulatory net applicable to financial intermediaries.
Self-executing smart contract code is typically pushed by open, self-organized networks known as Decentralized Autonomous Organizations (DAOs) that are coordinated by crypto-economic incentives to achieve common goals, often not for profit.
Freedom of speech and assembly
It has been argued that if software is free speech, then the limitations imposed on software protocols deployed by DAOs are a fundamental restriction of the freedom of speech (and potentially, a breach of the right to assembly). Speech will ultimately flow to places where it can be free, and if Europe restricts it, the open-source software movement will no longer manifest itself in Europe.
In addition, it is quite difficult to geographically pinpoint where most of the work on a DeFi project is done from, since project leads are generally scattered all over the world.
Therefore, any requirement for a DAO to incorporate somewhere within the E.U. is moot. To the extent the DAO performs actions that need a body corporate to provide it with a locus of potential liabilities and enforcement, its stakeholders should have the choice to organize themselves in the way and location they think is most appropriate.
We believe that applying the CASP definition to DAOs, which forces them to incorporate and be regulated as corporations, will lead to a flight by DeFi projects from Europe.
CASPs cast the net too wide
Finally, the initial leads behind DeFi projects typically do not operate any services once the smart contracts are deployed.
It is hard to imagine how truly decentralized DeFi projects and blockchain protocols would be able to comply with MiCA if they are seen as CASPs.
The key criterion to determine whether an interaction is peer-to-peer or has a CASP as intermediary should be who controls a user’s private key: If users remain in control of their private key, a service cannot be seen as centralized and provided on a professional basis, as per the CASP definition proposed by MiCA (see Part I).
As a result, there is no service to third parties, rather a mere peer-to-peer interaction between unhosted wallets.
Such an approach would exempt most DeFi projects, developers, miners and other infrastructure providers from the scope of the CASP definition.
Let’s skip Europe
Under the guise of creating a level-playing field between TradFin and DeFi, and using consumer protection as a fig leaf to cover up for the political promiscuities of the traditional finance lobby, the E.U. does what it does best: regulating innovation out of existence.
It is clear that the intent of the proposed MiCA regulation (see Part I) is to include decentralized exchanges, decentralized marketplaces and other open-source blockchain dApps and infrastructure under its definition of a CASP.
The argument goes that leaving them unregulated would put TradFin at a strategic disadvantage and consumers supposedly unprotected.
As a result, there is a real risk that the innovation and economic activity from the Web3 revolution will just skip Europe.
If the E.U.’s vision for Europe is to become (some will say remain…) some historical Disneyland where people from abroad come to spend their money and eat well, it should adopt its crypto regs as they stand and just give up any claim to relevance in technology innovation.
Job creation will then probably be coming from state-employed curators of Europe as an open air museum rather than from a groundswell of Web3 entrepreneurial energies tinkering away on DeFi projects.
B. Beyond rescue?
From the above, it is clear we rather despair about the proposed E.U. crypto regs and the danger of sleepwalking into mass surveillance.
However, neither strategically nor tactically do indignation and fulmination work.
What may yield better results is (1) clearly stating the benefits of DeFi, (2) lobbying to get this case heard, and (3) litigating against unlawful legislation once it is on the books.
1. The case for DeFi
There are five provable benefits of DeFi over TradFin:
Inefficiency of TradFin
Size doesn’t matter
DeFi can handle much larger volumes of financial transactions by moving digital assets by way of dApps: reusable smart contract code designed to execute a specific financial operation.
Such code deployment can be done regardless of the size of the transaction: a user can largely self-serve within the parameters of the smart contract and the underlying blockchain, for a flat gas fee in the case of Ethereum.
Once deployed, the smart contracts continually perform with near-zero organizational overhead.
Contrast this with TradFin, which for each transaction has a high organizational burden that typically increases as the size of the transaction increases, whilst smart contracts are entirely indifferent to the size of the transactions.
A tale of keepers and forkers
Smart contracts also uniquely draw in participants called keepers who are directly incentivized to provide services to DeFi protocols, e.g. monitoring positions to safeguard that they are sufficiently collateralized, or triggering state updates for various functions. Often, such incentives are structured as auctions to ensure that a dApp benefits from optimal pricing.
As a result, DeFi platforms can guarantee that users pay market price for the services they need, in contrast with TradFin which is maximally rent-extracting.
Forks, or copies of a smart contract code base for re-use with upgrades and enhancements, also incentivize efficiency: since they create competition at the protocol level, they will ultimately lead to the best possible smart contract platform.
As a result of the open-source nature of DeFi and blockchains generally, should inefficient or suboptimal DeFi applications exist, the code can be easily copied, improved, and redeployed through forking.
Whilst this may lead to vampirism, this selection process should eventually give rise to a more robust financial infrastructure with optimal efficiency.
Limited access is the second major flaw of TradFin: there are large groups such as the global unbanked population, small businesses, and minorities left underserved or unserved by the legacy financial system and even FinTech.
In addition, even for those consumers who do have access to traditional financial services such as bank accounts, mortgages and credit cards, they may not get products with the most competitive pricing and most favorable terms because the offering is monopolized by large financial institutions.
DeFi by contrast gives everybody direct access to the entire financial infrastructure, regardless of wealth, geographical location or ethnicity.
DeFi primitives such as yield farming or Initial DeFi Offerings (IDOs) are simply unimaginable in TradFin: they put financial power back in users’ hands and are therefore radically democratizing.
Lack of transparency of TradFin
The third major drawback of TradFin is its opacity. DeFi solves this through the open and contractual nature of its agreements. Smart contracts are entirely transparent: all parties are aware of the capitalisation of the counterparties and, to the extent required, can see how funds will be deployed.
All participants can read the contract, agree on the terms, and eliminate any ambiguity. This transparency substantially eases the legal burdens and brings peace of mind to smaller players who could otherwise be abused by powerful TradFin counterparts seeking to delay or even withhold their end of the financial agreement.
By contrast, in DeFi, compliance with the terms of the contract is automatically enforced through code, e.g. in the case of staking, in which a crypto asset is escrowed into a contract and released to the appropriate counterparty only after the terms are met, or otherwise returned to the original holder.
Centralized nature of TradFin
A fourth flaw of TradFin is the strong control exerted by governments and large institutions that hold a virtual monopoly over elements such as the money supply, rate of inflation, and access to the best investment opportunities.
DeFi radically upends this centralized power by relinquishing control to open protocols with transparent and immutable properties.
A DAO, via the issuance of a governance token which creates guaranteed participation rights on behalf of its community of stakeholders, or even a predetermined algorithm, can control all of the parameters of a DeFi dApp.
No portability in TradFin
Perhaps the one overriding benefit DeFi has over TradFin is that DeFi is portable. This means that assets on blockchain, once tokenized using a chosen standard (such as the ERC20 token standard on Ethereum), can be plugged in by users to any DeFi dApp.
This contrasts with the siloed, walled-off nature of TradFin services where assets are custodied by a centralized player (e.g. deposits in your chequing account), and portability involves at the very least a wire transfer between separate financial institutions plus a whole fresh onboarding and client due diligence process.
As a result of this portability, DeFi dApps are interoperable (they work between dApps using the same token standard) and composable, resulting in genuine financial Lego blocks that allow users and developers to combine and recombine existing protocols into new dApps.
Combined with self-hosted wallets, this leads to powerful financial freedoms which the gated nature of TradFin simply cannot match.
This is not contentious
In our mind, the above benefits are so clear and universal that they could not possibly be contentious.
Therefore, any opposition to the above can only come from reactionary special interest groups who perceive the freedom tools DeFi builds as a threat, including factions of the political establishment - both on the left and on the right! - who see in DeFi a lessening of their control over the very citizens they have been elected to represent.
To make legislators aware of the clear benefits of DeFi and prevent new laws from denying citizens access to its emancipatory powers, lobbying and ultimately litigation may be required, which is what we will talk about next.
2. Uncoordinated lobbying in Brussels
In an ideal world, lobbying should not exist. For many in the crypto community, the idea that we would exploit regulatory capture is rather repulsive.
Pragmatists however recognize that crypto needs to enter the regulatory arena with the same tools and weapons as its adversaries.
Americans do: their crypto lobbying spend has gone up to an estimated US$ 9MM in 2021, up from US$ 2.2MM in 2020, with Coinbase, Ripple and the Blockchain Association the biggest spenders.[7]
Europe’s lobbying spend is still only a fraction of this, despite the bigger overall market of its combined 27 Member States. The E.U.’s Transparency Register, a database that lists lobbying organizations in Brussels, indicates that EUR 650,000 was spent by the nascent European crypto lobby.
The European lobbying efforts also seem less coordinated compared to the U.S.
There are also a handful of nascent European industry groups such as the European Crypto Initiative, Blockchain4Europe and the Brussels-based International Association of Trusted Blockchain Applications.
However, to our knowledge, there is as yet no umbrella European industry organization and perhaps that is what will be required to get the voice of the crypto industry heard.
Our position is that when it comes to defending fundamental rights, we cannot afford to be choosy about the means.
Crypto lobbying efforts in Brussels have to become more coordinated and better funded.
As a community, we need to hire top legal talent in the form of the specialized lobbying firms clustered around the European Union headquarters, and crowdsource funding to pay their bills.
3. Litigation funding
In addition to seeking to influence the process, we should prepare for litigation.
We believe litigation DAOs will be a big thing in the next years. We’ve already seen a first glimpse of what this could look like in the PoolTogether lawsuit in the U.S. which, whilst nominally focused on winning a potentially large pot of financial damages, is also a deliberate effort to put some of the DeFi community’s core doctrines to the test.
Irrespective of the merits of this particular case, it may set a precedent for a mechanism by which the community pools funding towards litigation.
When it comes to fundamental rights such as the right to privacy, financial freedom and freedom of speech, we should be prepared to mount similar campaigns to hear a court pronounce on the legality of the E.U.’s proposed crypto regulations.
Despite the self-proclaimed commitment to innovation in its preambles, we believe the proposed crypto regulations will regulate DeFi in Europe into oblivion.
The proposals as they stand are wrong on so many levels, but our best defense is a well-argued case showing the benefits of DeFi and decentralized technology generally.
It will be up to us, as a community, to make policymakers see the fundamental inequity of denying the broadest group of citizens access to DeFi’s emancipatory power.
As part of this effort, we should crowdsource a coordinated lobbying effort in Brussels and raise funds by way of a Litigation DAO to ultimately fight the proposals on fundamental rights, technology and economic grounds in court.
> To help increase awareness of what is at stake and kick-start a campaign against the MiCA and TFR rules as they stand, we created an “E.U. Action DAO” Telegram group.
[1] In its document, Ledger includes 4 actionable recommendations for EU policymakers:
- Never exceed the FATF recommendations.
- Redesign the TFR to make better use of blockchain analytics.
- Start over on MiCA with an emphasis on enhancing EU competitiveness and with healthy input from technical experts.
- Invest in public/private partnerships to develop and be first-to-market with a self-sovereign identity solution for Europe.
[2] Ronald F. Pol, Anti-money laundering: The world's least effective policy experiment? Together, we can fix it, Policy Design and Practice, 3:1, 73-94, at § 7 (2020).
[5] Article 52(1), Charter of Fundamental Rights of the European Union.
[6] See Judgment of the European Court of Justice (Grand Chamber), Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others (April 8, 2014), Joined Cases C‐293/12 and C‐594/12.