A few thoughts - Friday, July 18, 2014
Posted: Fri Jul 18, 2014 5:18 pm
Good afternoon! Yesterday was the darkest day in at least the recent history of bitcoin, perhaps ever. I'll get into why yesterday was more significant than Mt. Gox and China later, but the end point of this post is going to be that these proposed regulations are a breathtaking expansion of government power into areas of commerce that have never traditionally been regulated. If this passes, we may well find ourselves fighting against bitcoin acceptance.
Some basic truth about The Law
First, it's important to eliminate a common misunderstanding in /r/bitcoinmarkets. Some users are arguing that this law (lowercase letters) isn't that bad because while it covers a broad range of activity, it is only *intended* as a tool to fight money laundering (or some other goal, depending on the user). People need to understand that the long arm of The Law (capital letters) does not care what laws were actually intended to do. You either violate them, or you do not. A judge isn't going to allow a business to operate based on the argument that this law was intended for a different purpose.
As you make your evaluation of the effects of this law, you need to consider every possible activity that could be illegal under it. You can't write off certain activities because they were unintentionally added to the law. The Law is not compassionate and does not allow people to get away with things because the creators were trying to prevent some other behavior. There are many examples of poorly-designed laws that have had devastating unintended consequences.
Some examples
Now that we are clear that the intent of the law doesn't matter, I thought it would be worth sharing how a few examples of bitcoin-related activities in New York will work. Each example below has three rows. The first is the activity, the second is an example of what I would consider some reasonable regulations, and the third is the actions needed for compliance under this law. Since there are an absurd number of requirements for each case, I only listed one or two of the most ridiculous for each.
Activity: Operating a tipping bot that holds balances and sends $0.25 tips to residents of New York
Reasonable: Require the tips to be backed with 100% reserve in the tipped currency
Lawsky: Collect personally identifiable information about all people ever tipped, retain it for 10 years, and submit paperwork to the department when tips qualifying as "suspicious activity" are sent
Activity: Changing a variable in the bitcoin code and creating a new blockchain for testing a proposed feature
Reasonable: No regulation
Lawsky: Register with the NYDFS, pay thousands of dollars, wait 90 days, and undergo a background check with the FBI
Activity: Operating the Eligius mining pool, which adds PPLNS payouts to its own blocks, so that users never have outstanding balances
Reasonable: Allow people to take civil action if their payouts don't match what they are owed
Lawsky: Register as a money transmission service, develop compliance programs, and conduct "intrusion prevention" tests against the nonexistent wallets
Activity: Running a business like blockchain.info, which does not hold any balances whatsoever in dollars and pays all employees and vendors in bitcoins
Reasonable: Require recordkeeping of profits and expenses similar to current laws
Lawsky: This business model is expressly prohibited; no business is allowed to take profits in bitcoins
Activity: Operating an altcoin exchange, which takes untraceable litecoins and exchanges them for untraceable nanotokens
Reasonable: Prohibit fractional reserve banking and require that reserves be kept in the currencies they are backing
Lawsky: Requires altcoin exchanges to back their reserves in dollars and to associate every altcoin address with a username. If there is a bubble, the business goes under because it is no longer able to back customers' deposits.
Activity: Being a one-time arbitrator, where two parties trade something and use a multisignature transaction with you as the decider in the case something goes wrong
Reasonable: At most, require background checks on the arbitrator to verify his integrity
Lawsky: File paperwork with security plans and a list of anyone who might help you with collecting evidence to make the decision (even if you are never called upon to do so), and obtain background checks and fingerprints for all of them; pay thousands of dollars to register, wait 90 days to be approved, and file a suspicious activity report if the transaction is over $3k, regardless of whether you are called upon to arbitrate or not
Activity: Modify your mining pool's pay-per-share algorithm to prevent block withholding attacks, or introduce a new algorithm like PPLNS, without branching out into other business areas
Reasonable: No paperwork necessary
Lawsky: File a new request with the Department and wait 90 days for the new model to be approved before rolling out the feature, while competitors in other states launch immediately
Businesses no longer possible to be served to New York residents
In addition to the regulation requirements, there are also some types of business models that simply cannot overcome the regulations at all. Here are some of those types of businesses:
- Any sort of mixing service that allows businesses to conceal from their competitors which vendor they are obtaining inventory from
- Altcoin exchanges, because all altcoins are highly volatile and these businesses are required to have reserves backing altcoins in US dollars. The risk of an altcoin bubble is too high and would destroy any profit potential if one happened
- Blockchain.info, which does not hold any accounts in dollars
- Mining pools, because the profit margin is too low to justify compliance with all the regulations (and also because there could end up being fewer altcoins)
- Open source software developers on the bitcoin protocol or other protocols like Ethereum, which requires a license when no profit is being taken to fund them
The greatest problem with these regulations is simply that there is no clause for the amount of money the company has to control. While we plan to take all possible security measures, our pool's greatest security measure is that we automatically pay out balances that are too large, so that we will never owe more than $10k in customer funds. If there were to be a hack, then we would simply eat the cost of less than $10k from personal funds because it is a small amount. The reason this works is because it would cost more than $100k to provide the sort of professional infrastructure that Lawsky is requiring, so even if the site were hacked ten times, and even if we never fixed the security holes, we would still be ahead.
That's why this legislation is irreparably flawed and cannot be salvaged. It makes sense for people holding a billion dollars to be subject to strict regulations. It is nonsensical to require people who hold $5k in customer funds to spend $200k/yr in compliance measures, given that taking 40 hacks is still preferable to such ridiculous regulations.
The likely outcome of these regulations is less protection
Now that we know the local effects on certain types of businesses, we should ask what the end result is going to be a year from now, should these regulations not be completely overhauled. I propose that the end outcome of these regulations is going to be less consumer protection and more crime. The only businesses able to operate in New York will be huge banks and hedge funds. While the banks charge excessive fees and rip customers off, they already are far more trustworthy than Mark Karpeles ever was. They already practice good security anyway because they understand (unlike Mt Gox) that customer service is important. The law isn't going to have much impact on them. Furthermore, these guys aren't even into the bitcoin business yet, so (at least at first), the only people the law affects are the small guys.
Meanwhile, everyone else other than the banks is going to do exactly what we may be forced to do: milk the system by applying for licenses and waiting as long as possible, and then, on the day before compliance is required, ban New York residents from our service and avoid doing business with anyone in New York. However, it will be impossible for us, or anyone else, to eliminate every single New York resident from our system no matter how hard we try or how good our intentions are. Because there is no minimum funds limit, New York residents are going to find that they are excluded from the use of nearly every altcoin, mining pool, exchange, open source project, wallet service, auction site, escrow system, and so on.
The key here is that by making the regulations too hard to comply with, every site is going to be equalized. If the cost of compliance were low, then honest businesses would have no problem complying. When the cost of compliance is high, there is no distinction between honest and scam businesses because New York residents will have to do business illegally. This leads to more scams and losses of money. Whereas now a New York resident who uses a service available in New York can sue the provider of a scam, they have no recourse in this proposed new world. After all, the New York resident was engaging in illegal activity by using a non-licensed business. This allows scammers to directly target people who live in New York because they have fewer legal protections than do people who live in other states.
I'm very glad that I do not live in New York right now, and I actually feel sorry for what those who have been in bitcoins since the beginning and who live in New York are going to be unable to take part in in the future.
About money laundering
One of the reasons we got into this mess is because the Federal government ignored consumer protection. While they were issuing regulations about money laundering, people like Mark Karpeles were able to take advantage of a complete lack of attention to consumer protection. The Federal government wasted millions of dollars in its cases against /u/bitcoin_charlie, who is not accused of stealing any money or participating in any violent behavior, while ignoring real consumers who were being ripped off by exchanges operating as fractional reserves like Mt Gox and Vircurex. /u/BenLawsky is now able to seize upon the Federal government's inaction and make himself look like a hero of consumer protection because New York will do what the Feds didn't do.
Proponents of anti-money laundering regulations argue that terrorists have been significantly hindered by restrictions in moving money. Terrorism is a great excuse for many things. Consider the case of airport x-ray screening devices. Every time a person goes through one of those devices, he has a 1 in 30 million chance of developing cancer as a direct result of the x-ray exposure pushing that person over the cumulative radiation exposure threshold at which cancer would develop. The risk of dying in a terrorist attack on the plane before the machines were installed was also about 1 in 30 million. Therefore, we spent hundreds of millions of dollars on machines that kill as many people as the terrorists do. Not only that, but anyone would rather die in a terrorist attack than go through chemotherapy and years of pain in a long, excruciating death.
People seem to accept that money laundering rules are necessary, and are pushing the bar of regulation lower and lower every day. How much would your risk of death really increase if money laundering regulations were loosened? If you have a 1 in 1 million greater chance of death but vastly more freedom in your finances, wouldn't you take that? In a perfect world where people didn't die, that would be an unacceptable compromise. In our world, however, people do die. It is ludicrous that people allow themselves to become obese and then live in fear of a terrorist attack.
The creation of a new kind of criminality?
There were some shameful comments from people like the Winklevoss twins yesterday about how they appreciate regulation of the industry. For those guys, it's all about getting rich, which isn't surprising given how their wealth is largely based on winning lawsuits rather than actually creating stuff. Few people seem to be reading the text of the document and understanding how this goes beyond bitcoins. This is a breathtaking expansion of government power that has never been seen before in the financial world. The regulations in this document expand the scope of financial oversight into industries far removed from anything that is covered by existing financial regulations, like open source development. For the first time, they dictate how businesses may pay out profits and promote inefficiency by requiring a bitcoin -> dollar -> bitcoin conversion, widening the pockets of Coinbase. They signal the creation of a huge bureaucracy that will require ever more taxpayer dollars to process millions of "suspicious activity reports," licenses, and minute software changes.
But most importantly, they require recordkeeping and information gathering of unprecedented scope, and trust so many entities to gather these records that they will be leaked to everyone. People running small mining pools that pay out $0.30 per day will be retaining passport numbers. Some people are viewing this as the "government" collecting information on people, but the government already has all this information. What will happen is that these records will be so prevalent because so many people are mandated to collect them that every hacker in the world will have a copy. In what other area of business are so many people required to keep huge databases of passport photos, utility bills, and other documentation that enables all sorts of criminal activity? These records will exist for at least 10 years, be copied in mergers and acquisitions, and leaked to the media and to the criminals, who will pay record sums for them.
The criminals and rogue insiders can use the data not only to perform identity theft, but to learn everything you ever bought, who your contacts are, where you live, how much you earn, what time of day you are away from your house, and what sites you use. They can phish for passwords at just the sites you use, arrange a theft when they recognize you are on vacation, threaten to phone your employer with false allegations of rape unless you pay up, use stolen wallets to frame you by purchasing child pornography with them, and contact repressive governments to have you arrested for associating with a known dissident.
That brings me back to the opening sentence in these thoughts for today. If these regulations pass and spread to other jurisdictions, we may actually find ourselves opposing the uptake of bitcoins. If more states adopt these regulations and people start adopting, then the stage will be set for an increase in government power to track everything about everyone, and a corresponding increase in criminal activity.
I said in the past that bans on bitcoins would not have an impact on the technology because people would go somewhere else, so they were not a change to the fundamentals. Few anticipated such a dramatic expansion of government power like we saw yesterday. Using the technology to procure unprecedented amounts of data would be a change to the fundamentals which even Nakamoto probably didn't intend.
Other
- I apologize to those who I said I would reply to today. I'll address their comments later.