When is a hack a hack?

This was cross-posted from LinkedIn.

The recent kerfuffle around Ethereum and the #DAO “hack” is just another in a long list of events which illustrate the difficulty in defining the term “hacking.” For those unfamiliar with Ethereum and the DAO, a little background. Ethereum is a blockchain technology which expanded on the idea of Bitcoin to allow for a more programmable blockchain. For simplicity’s sake, think of Ethereum as a giant distributed virtual computer running on thousands or millions of other computers. The incentive to run this computer is paid in the form of ether (which can be traded for Bitcoin or other forms of money, directly or indirectly). The DAO is a program that was created to run on this computer, acting like a giant venture capital firm but without any partners or anybody else at the helm. Anybody who contributed ether to the DAO was able to help determine the investments the DAO made. All of this was done through code, snippets of computer programs written in Ethereum’s language of choice, golang. The DAO is actually a specific instance of a generic form of DAO, or Decentralized Autonomous Organization (Ethereum refers to them as Democratic Autonomous Organizations). At the height of hubris, the first DAO called itself the DAO, something akin to the first corporation calling itself “The Corporation.”

Don’t worry if your head is spinning; it’s a lot to take in and a paradigm shift for sure. I’ve left audiences in a collective coma talking about the future of DAOs. Suffice to say, if half the words in the preceding paragraph were befuddling, you should start learning, and fast. This is the future and it’s coming faster than you think. Regardless, what happened next in the story of the DAO is nothing short of extraordinary. People started throwing money at the DAO: millions of dollars, something north of $150 million at one point. Then disaster struck. Remember, the DAO is just a computer program running on a distributed computer. Someone realized they could send some instructions to the computer program and simply direct all that money to themselves. It was elegant and simple. Poof. $60 million in ether was drained from the DAO. The Ethereum crowd was in shock. Their shining example of the future had just been hacked. Or had it? The hacker claimed the program acted as it was programmed to do. He was just able to interact with that program in such a way that it earned him $60 million. Now Ethereum is facing an existential crisis. The whole point of a DAO is an unstoppable, immutable program, but now that all this money went bye-bye, they want to stop that program and can fork the Ethereum blockchain to do so (or make a change to the underlying infrastructure to do so). But Ethereum’s crisis is not the subject of this article. The subject is hacking. You see, this is the first case where hacking may not really be hacking. In fact, every case may be the same.

Computers do what you tell them to do

In the United States, the principal anti-hacking law is the Computer Fraud and Abuse Act (CFAA). However, much has been made of the ambiguity of the law. The law makes a criminal of someone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … (C) information from any protected computer.” A protected computer is broadly defined in a way that means just about any computer attached to the internet. The act was used in the prosecution of Aaron Swartz, who downloaded massive numbers of articles from JSTOR. As a Harvard researcher, he was entitled to access those files, though not in the manner he did (a potential violation of the JSTOR terms of service). While it has been surmised that his intent was to upload all the articles for free access, he never did so, having been arrested prior to that. Regardless, that would have been a violation of copyright law, not the CFAA. The question here is whether violating a site’s terms of service “exceeds authorized access” and is a federal felony.

Another notorious example is Lori Drew. She was prosecuted for creating a fake MySpace page and using that page to court and then taunt a teenage girl, who later committed suicide. Again, a violation of MySpace’s terms of service and again, a federal felony.

Finally, there is the case of Andrew “Weev” Auernheimer. Weev accessed an AT&T website used by iPad users to register their iPads. When the website was accessed with a user’s ID number, if they had previously registered, it displayed the email address they had registered with. Weev wrote a script that cycled through ID numbers and grabbed email addresses. In other words, he accessed a publicly facing website (of the form http://att.com/ipad?id=1) and simply incremented the ID numbers.

None of the people in the previous two cases are shining examples of model citizens. Swartz is more of a Robin Hood character than a swashbuckling criminal. But the question remains: is what they did (on a technical basis) so heinous? If I were to create a website with a link on the front page that says “You are not authorized to click this button,” and you did, and it provided information on a second page, you’re now a criminal. Does this seem right?

While hacking is defined on a technical basis (accessing a computer without authorization or exceeding authorized access), criminality seems to be based more on the results, motives or intent. Clearly a case for prosecutorial discretion. No sane prosecutor would contemplate putting you on trial for clicking that button, but Weev was a “bad” person. The prosecutor in that case said, “His entire adult life has been dedicated to taking advantage of others, using his computer expertise to violate others’ privacy, to embarrass others, to build his reputation on the backs of those less skilled than he.” In this case, Weev wasn’t trying to spam the email addresses or gain financially; he was out to embarrass AT&T for their bad security.

You don’t have to be a jerk to be scared of the law

But what about security researchers? White hat hackers whose job it is to expose security vulnerabilities, with the aim of benefiting society by making it more secure. They are scared. Scared of prosecution by an overzealous prosecutor or an overly defensive company making a federal case out of a genuine desire to do good. Rather than shore up their security, many companies would choose to hide behind the law, going after security researchers rather than improving their own products or spending the resources up front to build security in.

While I don’t have a good suggestion for codification of a law that punishes evil-doers while not punishing saints, I do know that the current state is not sustainable. The criminality should be in the results not the mechanism.

Which brings us back to Ethereum and the DAO. Ethereum is an experiment. It portends a future state of truly revolutionary computing. The DAO was an experiment. As with any start-up, it’s hard to spend money on security when you’re trying to build your product. But as the DAO shows, security can’t be an afterthought, even when you’re just experimenting.

Agency Information Collection Activities: Arrival and Departure Record (Forms I-94 and I-94W) and Electronic System for Travel Authorization

June 5th, 2016

U.S. Customs and Border Protection
Attn: Paperwork Reduction Act Officer
Regulations and Rulings
Office of Trade
90 K Street NE.
10th Floor
Washington, DC 20229-1177.

I am writing in response to the notice published in the Federal Register on 6/23/2016 entitled “Agency Information Collection Activities: Arrival and Departure Record (Forms I-94 and I-94W) and Electronic System for Travel Authorization.”

I am responding to the question of “whether the collection of information is necessary for the proper performance of the functions of the agency, including whether the information shall have practical utility.”

The proposed changes to the I-94W and I-94 forms, albeit small, have potentially grave ramifications for the fundamental ideals upon which the United States is founded, and practically will result in no net improvement to the security of the country.

Constitutional Problems – Chilling effect on speech

In 1996, a three-judge panel from the Eastern District of Pennsylvania declared the Communications Decency Act unconstitutional. Judge Dalzell, writing the opinion of the court, declared: “[T]he Internet may fairly be regarded as a never-ending worldwide conversation. The Government may not, through the CDA, interrupt that conversation. As the most participatory form of mass speech yet developed, the Internet deserves the highest protection from governmental intrusion (emphasis added).”

The Internet, in its present form, is used by billions of individuals around the world to communicate with each other. Whether it is for business, pleasure, entertainment, enlightenment or political discourse, social media on the Internet is perhaps the principal forum today by which people of diverse cultures, countries and mindsets interact on a daily basis. Ostensibly, the objective of the form change is to identify social media profiles of visitors to the United States. The social media profiles will be reviewed and analyzed, whether by automated or manual means. Potentially, individuals whose social media profiles indicate they are in some way threatening to the United States will be prohibited from entry, or their entry will be more closely scrutinized.

The more likely outcome is that
(1) Individuals with controversial writings will choose not to visit the United States, reducing the diversity of ideas and discussion on those topics (within the geographic United States).
(2) Individuals with controversial thoughts will scrutinize their social media presence and avoid discussions of those thoughts on what Judge Dalzell called “a never-ending worldwide conversation.” This will reduce the diversity of ideas and discussions on those topics (on the Internet).

The chilling effect is not just on foreign nationals but negatively affects the ability of United States citizens to listen to and discuss controversial topics with foreigners abroad. In 1965, the Supreme Court in Lamont v. Postmaster General, 381 U.S. 301, struck down section 305 of the Postal Service and Federal Employees Salary Act because it required the Postmaster General to detain foreign mailings of communist political propaganda unless the addressee affirmatively acknowledged their acceptance of and desire to receive such material. The Supreme Court recognized that this would reduce the recipient’s unfettered access to constitutionally protected speech, and thus the act was unconstitutional. The courts have consistently ruled that acts of government which, even when they do not directly prohibit speech, have a chilling effect are nevertheless unconstitutional. This change to forms I-94 and I-94W will have a similar effect.

As to the necessity of the proposed change to the function of the agency, an unconstitutional act can never be necessary.

Practical Utility of the proposed change

Selection bias is defined as “selection of individuals, groups or data for analysis in such a way that proper randomization is not achieved, thereby ensuring that the sample obtained is not representative of the population intended to be analyzed.” The simple fact is that those attempting to enter the United States to perform terrorist acts are simply not going to list their Jihadi forum screen names on the I-94 forms. Those filling out this optional section are most likely to be people who believe the mundanity of their social media presence leaves them immune from any issue with entering the U.S. This will result in three practical problems:
(1) While Facebook, Twitter and a few others constitute the biggest players in social media, there are thousands upon thousands of smaller social media sites catering to every niche, minority and social group. Further, many people maintain multiple identities on different platforms. Any collection of information will, no doubt, be incomplete.
(2) Large amounts of data from visitors who pose no threat will be collected, resulting in wasted effort and resources by the government to review that data, whether by automated or manual means.
(3) Since many of the most threatening visitors or potential visitors will provide no information or sanitized information only, the people this is most likely to stop are those whose social media posts or connections are taken out of context or who, while not representing a threat to the U.S., have controversial views. This will result in investigatory efforts into, and dealing with appeals from, individuals who have been wrongly denied entry. Additionally, for those that are denied entry, it will result in a chilling effect and an inability for those in the U.S. to interact with, learn from and discuss topics with the denied party.

The net result is that the proposed change is likely subject to a claim of unconstitutionality and practically will not achieve the desired ends.

Sincerely,

R. Jason Cronk, Esq.
Florida Bar #90009

Bitpay and Bitcoin

This was very much what I’ve been saying all along. Without people earning payment in Bitcoin, there is no incentive for me to take the time to obtain Bitcoin. Bitpay is its own worst enemy because it facilitates merchants “accepting” Bitcoin without actually having to use it to pay out suppliers and employees, which is what would expand the actual user base. This is why I was promoting the Bitcoin Consumer Fair, to try and drive adoption by consumers.

From the article:

BitPay’s CEO Stephen Pair admitted as much in June, when he told BusinessInsider that the company was trying to find another business model. “We keep adding merchants—we’re up to over 60,000 now—but they’re selling to the same pool of Bitcoin early adopters.”

Gavin Andresen, who in 2010 was picked by Bitcoin’s mysterious inventor to lead work on its code, recently told me that he didn’t see that changing soon (see “The Looming Problem That Could Kill Bitcoin”). “Until part of your paycheck is regularly paid in Bitcoin, I’m not sure how it would really go mainstream,” he said.

The other article has slightly better news, though it doesn’t really address the fundamental flaw above. http://www.coindesk.com/ingenico-adds-bitcoin-option-to-pos-terminals/ Basically, the article talks about how one of the largest payment terminal providers can now easily accept Bitcoin.

According to the company, it will be compatible with the majority of Ingenico terminals as they run its operating system, Tellium. – http://www.coindesk.com/point-of-sale-giant-ingenico-rolls-out-worldwide-bitcoin-payment/

Robots, drones, DAOs and #bitcoin

One of the fascinating aspects of Bitcoin is that you don’t have to be human to own Bitcoin. Throughout the history of money, money was possessed by people. Men, women and even children can own money, either in physical form such as cash or currency, in electronic or digital form, or even tied to an account-based system. As we enter an age where we may have autonomous agents, acting without being under the direction of a human, we also have a mechanism for them to earn and spend money, again acting without the coordination or need of a human actor.

Consider the idea of a drone being “set free” by its creator/owner/builder. This drone performs tasks to earn Bitcoin. Maybe it performs aerial surveillance, delivers packages, kills rodents, monitors human rights violators, whatever tasks it is capable of performing that someone (or something) is willing to pay it to accomplish. What does it use its Bitcoin for? Why, it spends it on fuel, on repairs, on upgrades to its software and hardware: a better camera, a gun turret, more intelligent software, whatever its programming deems a worthy investment. As long as the drone can sustain itself by selling its services and buying what it needs to continue, it can maintain its autonomy. The economy of drones.

If the drone needed access to a “trusted” holder of funds, it would forever be at risk. Why? Because that trusted holder, be it a bank or a person, is accountable only to the law, and a robot can’t sue.

This is only a stub and I hope to expand on it sometime.

The long tail of Bitcoin adoption

Much has been said about the slow, nearly flat, adoption rate of Bitcoin in 2014. Unfortunately, many of the writers are too embedded in the existing paradigm to understand why Bitcoin is different from previous technologies and why this adoption rate isn’t troubling. The first distinguishing factor is that Bitcoin is a protocol and not a proprietary technology, like, say, Apple Pay. With a proprietary tech, or even a technology promoted by a group of companies, they can artificially inflate or accelerate adoption by virtue of the money they pour into it via marketing or by leveraging pre-existing market share. With few exceptions (most notably Bitpay and the Bitcoin Bowl), Bitcoin’s major players do not have the money to market Bitcoin more broadly. That’s why many of them, like Circle, are taking the approach of obscuring the Bitcoin technology behind their sales pitch. They also don’t have the existing market capture of an Apple or Visa.

Some might counter that Bitcoin is more like the Internet, a protocol that doesn’t need to be promoted in its own right because it will grow by virtue of its use by companies and the public, not its promotion. While true, there is also a distinct difference. Companies wanting to play in the early days of the Internet were not saddled with oppressive regulations. The early Internet was a wild west and still, for the most part, remains one of the least regulated industries. Companies playing in the Bitcoin space, however, must meet the increasing scrutiny of a skeptical regulatory regime in what is one of the more heavily regulated industries, banking and finance.

Some people keep looking for Bitcoin’s killer app. Money is Bitcoin’s (or the blockchain’s) killer app. The transfer of value unburdened by the regulatory saddle is what makes Bitcoin useful. Unfortunately, any company wanting to promote, profit from and further Bitcoin reinjects that regulatory burden and removes the principal benefit of the technology. So how is Bitcoin going to grow?

Bitcoin shines by eliminating geographic boundaries. That may be because the sender and recipient are in different locations or because their base money is based on geography (issued by specific countries). As this benefit becomes apparent to people and businesses who suffer from market capture by intermediaries, they will gravitate to Bitcoin. Then, businesses that provide services to those people will begin taking Bitcoin in greater and greater numbers in order to take advantage of the spending power those users have. Unfortunately, this is not a quick growth curve. It will spread naturally through word of mouth and grassroots efforts. Bitcoin may take years to achieve any measurable market share, and it will probably remain a niche market supporting those that most benefit from it.

Freelancers are the Future

One of my more frequent comments on Bitcoin is the need for an ecosystem and a reduction in the reliance on BTC<->fiat transactions. Those sorts of transactions are a drag on Bitcoin’s widespread adoption, especially when the transactions are easy one way but hard the other. Unfortunately, companies such as BitPay, in their zeal to drive merchant adoption, have created just this sort of scenario. It’s easy for merchants to accept Bitcoin without actually accepting Bitcoin. The opposite is not true. In other words, it’s actually fairly difficult to get Bitcoin. Let’s look at people’s options:

1) In the golden old days of Bitcoin (just a few short years ago), you could start mining Bitcoin, essentially turning your electric bill into a Bitcoin exchange. The days of hobbyists doing that are long gone. A few enterprising entrepreneurs set up cloud mining operations to allow the average user to essentially purchase bitcoin through a group mining pool, but I dare say, with the rush to gold, the mines are running dry at the moment.

2) You could purchase bitcoins through Coinbase, Circle or a few other companies that allow you to directly obtain Bitcoins through your bank account. However, this only works well for those in the U.S. with banks (and possibly good credit). Anyway, isn’t the idea to use Bitcoin to get OUT of the traditional banking system?

3) You could steal Bitcoin. Did I mention this blog is not to be construed as legal advice?

4) You could use an exchange such as Mt Gox, Bitstamp, etc. But they are typically not easy to get money into or out of and they have a bit of a reputation problem.

5) You could meet people locally to purchase their bitcoins or sell yours. Just be careful who you interact with.

6) You could use a Bitcoin ATM… if you can find one… and you can get it to work.

7) Or… you could earn Bitcoin. This is one of the reasons I accept Bitcoin for legal work (I’ve had one client pay me twice). It is also the reason I launched 1ncemail.com, which provides disposable email aliases to protect your privacy, mainly because I wanted a way of earning Bitcoin rather than buying it.

This problem of getting Bitcoin into the hands of people has perplexed me for quite some time. Many people attribute the downward price of Bitcoin to the ease of exit but difficulty of entry. Unless we, as a community, start solving this problem, Bitcoin may not succeed. I’ve been puzzling over this issue for quite some time. Consumer adoption of Bitcoin is one of the reasons I’m co-organizing the Atlanta Bitcoin Consumer Fair in April, 2015. I want to see Bitcoin get widespread adoption.

If you think about it, how do most people obtain money? That’s right, they earn it. I’m encouraged that some companies are starting to think about paying employees in #bitcoin. You’ve got Bitpay offering its payroll service. Bitwage has an innovative idea to earn your pay per hour, not every 2 weeks. Overstock.com, ever on the forefront, is now offering to pay its employees in Bitcoin.

I’d like to suggest that while laudable, these efforts are negligible. We need a much bigger target. I would like to suggest that target is the freelance community. I use freelancers all the time. A freelancer built my 1ncemail app. A freelancer wrote my press release for my privacy consulting business. A freelancer designed the graphic for the Bitcoin Consumer Fair. Freelancers are working on multiple aspects of my Bitcoin-related startup, Microdesic. I primarily use elance.com but recently learned that fiverr.com takes Bitcoin. Unfortunately, my first experience using their Bitcoin interface was anything but pleasant. However, I will persist.

There are some 53 million freelancers in the United States. Hundreds of millions more worldwide. For reasons that I’ve elucidated elsewhere, such as reduced transaction costs, I feel the future of work is through freelancing. Freelancing seems to be a natural fit for bitcoin:

1) Irreversibility means once paid, the freelancer doesn’t have to worry about chargebacks.

2) Suited for international payments.

3) Low transaction costs.

4) The ability to escrow funds via a multi-sig wallet.

The closest thing I could find was bittask, but it doesn’t quite operate like the freelance sites elance.com, freelancer, oDesk, etc. I’m not the first person to think of this. See this article on CryptoCurrency News, but I haven’t seen any movement in this space. The comments mention dogerr.com, but that’s a centralized service and only for Dogecoins, an altcoin derivative of Bitcoin.

FinBEN issues ruling on Beanie Baby Payment System

{Update: Watch this video about beanie babies, subsequent to my post.}

FIN-2014-R012
Issued: October 27, 2014
Subject: Request for Administrative Ruling on the Application of
FinBEN’s Regulations to a beanie baby Payment System

Dear [ ]:

This responds to your letter of January 6, 2014, seeking an administrative ruling from the Financial Baby Enforcement Network (“FinBEN”) on behalf of [ ] (the “Company”), about the Company’s possible status as a money services business (“MSB”) under the Bank Secrecy Act (“BSA”). Specifically, you ask whether the beanie baby payment system the Company intends to set up (the “System”) would make the Company a money transmitter under the BSA. Based on the following analysis of the description of the System to provide payments to merchants who wish to receive customer payments in beanie babies, FinBEN finds that, if the Company sets up the System, the Company would be a money transmitter and should comply with all risk management, risk mitigation, recordkeeping, reporting, and transaction monitoring requirements corresponding to such status.

You state in your letter that the Company wishes to set up a System that will provide beanie baby-based payments to merchants in the United States and (mostly) Latin America, who wish to receive payment for goods or services sold in beanie babies. The Company would receive payment from the buyer or debtor in currency of legal tender (“real currency”), and transfer the equivalent in beanie babies to the seller or creditor, minus a transaction fee. The current intended market for the System is the hotel industry in four Latin American countries where, because of currency controls and extreme inflation, merchants face substantial foreign exchange risks when dealing with overseas customers.

According to your letter, a merchant will sign up with the Company to use the System, and incorporate the Company’s software into its website. Customers purchasing the merchant’s goods or services (e.g., hotel reservations) will pay for the purchase using a credit card. Instead of the credit card payment going to the merchant, it will go to the Company, which will transfer the equivalent value in beanie babies to the merchant. The Company pays the merchant using the reserve of beanie babies it has acquired from wholesale purchases from beanie baby exchangers (such as Ebay) at the Company’s discretion (thus the Company assumes any exchange risk that occurs during the time between the Company’s wholesale purchases and its payment to a merchant). The Company has no agreement with the customer and will only make payment to the merchant.

You maintain that the Company should not be regulated as a money transmitter because it does not conform to the definition of currency exchanger, due to the fact that the Company makes payments from an inventory of beanie babies it maintains, rather than funding each individual transaction. You also maintain that, should the Company be considered an exchanger of currency, the Company’s business should be covered under an exemption that applies to certain payment processing activities,1 and/or the Company’s transmissions should be deemed integral to the transaction and thereby covered under another exemption from money transmission.2

FinBEN’s beanie baby Guidance

On March 18, 2013, FinBEN issued guidance on the application of FinBEN’s regulations to transactions in beanie babies (the “Guidance”).3 FinBEN’s regulations define “currency” as “[t]he coin and paper money of the United States or of any other country that is designated as legal tender and that circulates and is customarily used and accepted as a medium of exchange in the country of issuance.”4 In contrast to real currency, “beanie baby” currency is a medium of exchange that operates like a currency in some environments, but does not have all the attributes of real currency. In particular, beanie babies do not have legal tender status in any jurisdiction. The Guidance addresses “convertible” beanie baby. This type of beanie baby either has an equivalent value in real currency, or acts as a substitute for real currency.

For purposes of the Guidance, FinBEN refers to the participants in generic beanie baby arrangements, using the terms “exchanger,” “administrator,” and “user.” An exchanger is a person engaged as a business in the exchange of beanie babies for real currency, funds, or other beanie babies. An administrator is a person engaged as a business in issuing (putting into circulation) a beanie baby, and who has the authority to redeem (to withdraw from circulation) such beanie baby. A user is a person that obtains beanie babies to purchase goods or services.5 Under the Guidance, both exchangers and administrators are considered to be money transmitters unless a limitation or exemption from the definition of money transmitter applies to that person.6

1. 31 CFR § 1010.100(ff)(5)(ii)(B).
2. 31 CFR § 1010.100(ff)(5)(ii)(F).
3. FIN-2013-G001 (“Application of FinBEN’s Regulations to Persons Administering, Exchanging, or Using Beanie babies,” March 18, 2013).
4. 31 CFR § 1010.100(m).
5. FIN-2014-R001 “Application of FinBEN’s Regulations to Beanie baby Mining Operations” – 01/30/2014, clarified that a user is a person that obtains beanie baby to purchase goods or services on the user’s own behalf. (emphasis added)
6. See FIN-2013-G001.

FinBEN disagrees with your position that the Company does not convert the customer’s real currency into beanie babies because the Company purchases and stores large quantities of beanie babies that the Company then uses to pay the merchant. As described above, the Company is an exchanger under the Guidance because it engages as a business in accepting and converting the customer’s real currency into beanie babies for transmission to the merchant. The fact that the Company uses its cache of beanie babies to pay the merchant is not relevant to whether it fits within the definition of money transmitter. An exchanger will be subject to the same obligations under FinBEN regulations regardless of whether the exchanger acts as a broker (attempting to match two (mostly) simultaneous and offsetting transactions involving the acceptance of one type of currency and the transmission of another) or as a dealer (transacting from its own reserve in either beanie babies or real currency).

FinBEN concludes that the Company would be a money transmitter, specifically because it is acting as an exchanger of beanie babies, as that term was described in the Guidance. Additionally, you then ask, if FinBEN determines that the Company is an exchanger, whether either an exemption for certain payment processing activities or an exemption for transactions integral to the sale of other goods or services would apply.

FinBEN’s definition of money transmission and existing exemptions

On July 21, 2011, FinBEN published a Final Rule amending definitions and other regulations relating to MSBs (the “Rule”).7 The amended regulations define an MSB as “a person wherever located doing business, whether or not on a regular basis or as an organized or licensed business concern, wholly or in substantial part within the United States, in one or more of the capacities listed in paragraphs (ff)(1) through (ff)(7) of this section. This includes but is not limited to maintenance of any agent, agency, branch, or office within the United States.”8

BSA regulations, as amended, define the term “money transmitter” to include a person that provides money transmission services, or any other person engaged in the transfer of funds. The term “money transmission services” means the acceptance of currency, funds, or other value that substitutes for currency from one person and the transmission of currency, funds, or other value that substitutes for currency to another location or person by any means.9 The regulations also stipulate that whether a person is a money transmitter is a matter of facts and circumstances, and identifies circumstances under which a person’s activities would not make such person a money transmitter.10

7. Bank Secrecy Act Regulations – Definitions and Other Regulations Relating to Money Services Businesses, 76 FR 43585 (July 21, 2011).
8. 31 CFR § 1010.100(ff).
9. 31 CFR § 1010.100(ff)(5)(i)(A).
10. 31 CFR § 1010.100(ff)(5)(ii).
FinBEN stipulates four conditions for the payment processor exemption to apply to a particular business pattern:

  • the entity providing the service must facilitate the purchase of goods or services, or the payment of bills for goods or services (other than money transmission itself);
  • the entity must operate through clearance and settlement systems that admit only BSA-regulated financial institutions;
  • the entity must provide the service pursuant to a formal agreement; and
  • the entity’s agreement must be at a minimum with the seller or creditor that provided the goods or services and receives the funds.11

The Company fails to satisfy one of these conditions. The Company is not operating through clearing and settlement systems that only admit BSA-regulated financial institutions as members. According to your letter, the real currency payments from the consumer take place within a clearing and settlement system that only admits BSA-regulated financial institutions as members (specifically, a credit card network); however, the payment of the beanie baby equivalent to the merchant, by definition, takes place outside such a clearing and settlement system, either to a merchant-owned beanie baby wallet or to a larger beanie baby exchange that admits both financial institution and non-financial institution members, for the account of the merchant.

With regard to whether the money transmission is integral to the provision of the Company’s service, and thus potentially eligible for exemption, FinBEN has concluded that the money transmission that takes place within the System does not qualify for the exemption. There are three fundamental conditions that must be met for the exemption to apply:

  1. The money transmission component must be part of the provision of goods or services distinct from money transmission itself;
  2. The exemption can only be claimed by the person that is engaged in the provision of goods or services distinct from money transmission;
  3. The money transmission component must be integral (that is, necessary) for the provision of the goods or services.

In FinBEN’s view, the payment service that the Company intends to offer meets the definition of money transmission. Such money transmission is the sole purpose of the Company’s System, and is not a necessary part of another, non-money transmission service being provided by the Company. Although rendered before the 2011 modifications to MSB definitions and in some cases involving a different type of MSB, FinBEN reached the same conclusion in several administrative rulings that apply to this particular point.12

11. See 31 CFR § 1010.100(ff)(5)(ii)(B); see also FIN-2013-R002 (“Whether a Company that Offers a Payment Mechanism Based on Payable-Through Drafts to its Commercial Customers is a Money Transmitter” – 11/13/2013). FIN-2013-R002 clarifies that for the payment processor exemption to apply, the entity must use a clearance and settlement system that intermediates solely between BSA regulated institutions.

For the above reasons, FinBEN has determined that the Company is engaged in money transmission, and such activity is not covered by either the payment processor or the integral exemption. Please note that FinBEN would reach the same conclusions if payments were made in stuffed toys other than beanie babies. As a money transmitter, the Company will be required to (a) register with FinBEN, (b) conduct a comprehensive risk assessment of its exposure to money laundering,13 (c) implement an Anti-Money Laundering Program based on such risk assessment, and (d) comply with the recordkeeping, reporting and transaction monitoring obligations set down in Parts 1010 and 1022 of 31 CFR Chapter X. Examples of such requirements include the filing of Currency Transaction Reports (31 CFR § 1022.310) and Suspicious Activity Reports (31 CFR § 1022.320), whenever applicable, general recordkeeping maintenance (31 CFR § 1010.410), and recordkeeping related to the sale of negotiable instruments (31 CFR § 1010.415). Furthermore, to the extent that any of the Company’s transactions constitute a “transmittal of funds” (31 CFR § 1010.100(ddd)) under FinBEN’s regulations, then the Company must also comply with the “Funds Transfer Rule” (31 CFR § 1010.410(e)) and the “Funds Travel Rule” (31 CFR § 1010.410(f)).

This ruling is provided in accordance with the procedures set forth at 31 CFR Part 1010 Subpart G. In arriving at the conclusions in this administrative ruling, we have relied upon the accuracy and completeness of the representations you made in your communications with us. Nothing precludes FinBEN from arriving at a different conclusion or from taking other action should circumstances change or should any of the information you have provided prove inaccurate or incomplete. We reserve the right, after redacting your name and address, and similar identifying information for your clients, to publish this letter as guidance to financial institutions in accordance with our regulations.14 You have fourteen days from the date of this letter to identify any other information you believe should be redacted and the legal basis for redaction.

12. See FIN-2008-R007 (“Whether a Certain Operation Protecting On-line Personal Financial Information is a Money Transmitter” – 06/11/2008); FIN-2008-R004 (“Whether a Foreign Exchange Consultant is a Currency Dealer or Exchanger or Money Transmitter” – 05/09/2008); FIN-2008-R003 (“Whether a Person That is Engaged in the Business of Foreign Exchange Risk Management is a Currency Dealer or Exchanger or Money Transmitter” – 05/09/2008); and FIN-2008-R002 (“Whether a Foreign Exchange Dealer is a Currency Dealer or Exchanger or Money Transmitter” – 05/09/2008).
13. We caution the Company about incorporating into its comprehensive risk assessment the delicate balance between helping merchants avoid losses due to the fluctuation of their currencies of legal tender because of inflationary trends or devaluation, on the one hand, and collaboration with their potential evasion of foreign exchange control regulations applicable in their jurisdictions, on the other.
14. 31 CFR §§ 1010.711-717.
If you have questions about this ruling, please contact FinBEN’s regulatory helpline at (703) 905-3591.

Sincerely,

//signed//

Ty Toy
Head Beanie Counter
Policy Division

[The preceding is a parody. Please do not rely on it for legal advice in your beanie baby payment system.]
How FINCEN regulations affect cloud-based solutions in payment tech

Just a few weeks ago, the Financial Crimes Enforcement Network (FINCEN) released a ruling about the applicability of the payment processor exception to a Bitcoin based company.

As a little background, generally any company that transfers value between one party and another (or from one location to another) is deemed a money transmitter and subject to applicable regulatory controls. There is an exception for “payment processors” who merely process payments on behalf of merchants [See 31 CFR § 1010.100(ff)(5)(ii)(B)].

In the recent ruling, the company requesting clarification wanted to accept remittance in U.S. Dollars from presumably U.S. customers of Latin American hotels and send those hotels the commensurate value in bitcoin. The company argued they fell under the payment processor exception. FINCEN disagreed. Without going into too much detail, the basis of the ruling was that, for the “payment processor exemption to apply, the entity must use a clearance and settlement system that intermediates solely between BSA regulated institutions.” (BSA is the Bank Secrecy Act.)

While this is bad for the company that requested the ruling, it’s even worse for the Bitcoin community at large. Why?

[Disclaimer: the following is not to be construed as legal advice and is not meant to pick on Blockchain.info. I’m a customer of Blockchain.info and use their API to facilitate transactions for my privacy-preserving disposable email service, 1ncemail.]

Blockchain.info offers a very simple API that allows merchants to accept bitcoin on their websites and integrate it into their shopping cart or other systems. The API works like many other payment processors: when money is received, it makes a call to a URL on the merchant’s server indicating that payment has been received. The merchant then credits the customer’s account accordingly.
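The merchant’s end of that callback, as an added example (my code, not Blockchain.info’s API or anything from the original post): the field names, the `*ok*` acknowledgement, the three-confirmation threshold and the invoice layout are all assumptions for illustration. The point a security engineer cares about is that the callback is untrusted input arriving at a public URL, so it has to be authenticated with a per-merchant secret, tied to an address the merchant actually issued, held until enough confirmations exist, and credited at most once, because processors retry deliveries.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

MIN_CONFIRMATIONS = 3   # policy choice (assumption): never credit on an unconfirmed transaction
ACK = "*ok*"            # assumed acknowledgement body; anything else means "retry later"


@dataclass
class Invoice:
    address: str            # receiving address the merchant generated for this invoice
    expected_satoshi: int   # amount the customer owes
    customer_id: str
    paid: bool = False


@dataclass
class MerchantLedger:
    callback_secret: str                                   # secret embedded in the callback URL
    invoices: Dict[str, Invoice] = field(default_factory=dict)   # address -> Invoice
    seen_tx: Set[str] = field(default_factory=set)         # tx hashes already credited (idempotency)
    credits: Dict[str, int] = field(default_factory=dict)  # customer_id -> satoshi credited


def handle_payment_callback(ledger: MerchantLedger, params: Dict[str, str]) -> Tuple[int, str]:
    """Return (HTTP status, response body) for one callback delivery.

    Credits an invoice only when the caller proves the shared secret, the address
    is ours, the numbers parse, the confirmation policy is met, and the same
    transaction has not been credited before. Hypothetical parameter names:
    secret, address, tx_hash, value_satoshi, confirmations."""
    # 1. Authenticate the caller with a constant-time comparison of the shared secret.
    if not hmac.compare_digest(params.get("secret", "").encode(), ledger.callback_secret.encode()):
        return 403, "bad secret"
    # 2. Only addresses this merchant issued can map to an invoice.
    invoice = ledger.invoices.get(params.get("address", ""))
    if invoice is None:
        return 404, "unknown address"
    # 3. Parse numeric fields defensively; the request body is attacker-reachable.
    try:
        value = int(params.get("value_satoshi", ""))
        confirmations = int(params.get("confirmations", ""))
    except ValueError:
        return 400, "malformed"
    # 4. A non-ACK body asks the provider to call again once the chain has moved on.
    if confirmations < MIN_CONFIRMATIONS:
        return 202, "waiting for confirmations"
    # 5. Idempotency: retries and replays of an already-credited tx change nothing.
    tx_hash = params.get("tx_hash", "")
    if not tx_hash or tx_hash in ledger.seen_tx or invoice.paid:
        return 200, ACK
    # 6. Underpayment is acknowledged but not credited as a settled invoice.
    if value < invoice.expected_satoshi:
        return 200, "underpaid"
    ledger.seen_tx.add(tx_hash)
    invoice.paid = True
    ledger.credits[invoice.customer_id] = ledger.credits.get(invoice.customer_id, 0) + value
    return 200, ACK


def demo() -> MerchantLedger:
    """Constructed scenario: one invoice, a genuine callback, its replay, and a forgery."""
    ledger = MerchantLedger(callback_secret="s3cr3t-demo")
    ledger.invoices["1DemoAddr"] = Invoice("1DemoAddr", 50_000, "alice")
    good = {"secret": "s3cr3t-demo", "address": "1DemoAddr", "tx_hash": "tx-demo-1",
            "value_satoshi": "50000", "confirmations": "3"}
    handle_payment_callback(ledger, good)                         # credited once
    handle_payment_callback(ledger, good)                         # replay: no double credit
    handle_payment_callback(ledger, {**good, "secret": "wrong"})  # forged: rejected
    return ledger
```

The ordering of the checks matters: authentication comes before any database lookup so that an unauthenticated caller learns nothing about which addresses are valid, and the idempotency check sits before the credit so a retried delivery is harmless.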

The problem (from a regulatory perspective) is that Blockchain.info’s API generates a payment transaction wallet to accept payment for the merchant and then forwards that payment on to the merchant’s wallet. In that respect, Blockchain.info is moving value from one person (the consumer) to another (the merchant), and it can’t rely on the payment processor exception because it is not going through BSA-regulated entities to send value to the merchant.

Now, of course, if Blockchain.info provided the same functionality as the API in software that the merchant downloaded and installed on their own servers, there wouldn’t be an issue, because they would merely be providing software, not facilitating the actual transmission. I would say the API could provide the primary function (monitoring a transaction wallet address for payment and calling a URL) without running afoul of the regulations. But because Blockchain.info has control of that intermediary wallet, it is in fact a money transmitter for the purposes of the regulations.

I actually think this ruling might be a prelude to FINCEN considering miners as money transmitters. And I hesitate to suggest it, but if someone presented the Bitcoin system in the abstract (without referencing Bitcoin) to FINCEN and asked for clarification on whether miners were money transmitters, they would unquestionably say yes.

Ignorance is Bliss

I would say the vast majority of people, lawyers especially, are completely clueless about the coming revolution of decentralized computing. This is a complete paradigm shift from what most people have been taught to believe over the past 2000 years. The revolution will not be televised (because television is a product of a centralized production system).

Check out this great overview by Gary Sharma

http://blogs.wsj.com/accelerators/2014/10/10/weekend-read-the-imminent-decentralized-computing-revolution/

Bitcoin Vending machines

I’ve had a lot of inquiries over the past years about Bitcoin vending machines (aka ATMs). The general concern, and one of the primary reasons holding back machine adoption, has been compliance issues. For the avoidance of confusion, I’m going to refer to the devices as Bitcoin kiosks.

I should mention that this blog post should NOT be taken as legal advice. I am a lawyer but I am not your lawyer. Your facts and circumstances may dictate that the law applies to you in a different manner. This is all new territory and it is unclear how regulation will affect kiosk operators. In other words, my post here is speculative. In addition, this is not meant to be a thorough analysis but rather a quick thought on the issue; I would investigate the legal issues in more detail for a particular client.

The most typical process with the kiosks I’ve seen is: you deposit some paper currency, then hold your QR code up to a camera, which captures your public address, and the kiosk transfers the funds to your Bitcoin address. From a FinCEN perspective, the risk here is that you are transmitting funds to another person or another place. Title 31 Section 1010.100(ff)(5) defines a money transmitter as:

(5) Money transmitter—(i) In general. (A) A person that provides money transmission services. The term “money transmission services” means the acceptance of currency, funds, or other value that substitutes for currency from one person and the transmission of currency, funds, or other value that substitutes for currency to another location or person by any means. “Any means” includes, but is not limited to, through a financial agency or institution; a Federal Reserve Bank or other facility of one or more Federal Reserve Banks, the Board of Governors of the Federal Reserve System, or both; an electronic funds transfer network; or an informal value transfer system; or…

The concern is thus that the QR code doesn’t belong to the person presenting the money at the kiosk. The person depositing the funds in Atlanta, GA could be displaying a QR code belonging to a person in Belarus, thus employing the kiosk operator unwittingly as a money transmitter. The common response of operators is that they will employ terms and conditions forbidding such activity. Unfortunately, the U.S. government will take a dim view of that. As the business owner, the onus is on you. Even setting aside the fact that Bitcoin facilitates its own transfer, so you’re not really providing anything they can’t do on their own, the operator will still likely be on the hook.

One avenue to ensure compliance is to identify your user. I believe Robocoin is building their machines to do facial recognition, ID verification and possibly other forms of biometrics. I’m not sure if they pre-validate the wallet, in other words, have the person sign something with their private key, or initiate a transaction, to prove ownership of the address to which funds will be deposited. That would be the safer course.
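The pre-validation step just described, as an added example that is not from the post, Robocoin or CoinOutlet: the kiosk issues a fresh challenge, the customer signs it with the private key behind the address they presented, and the kiosk verifies the signature against that address before it sends anything. secp256k1 ECDSA and Bitcoin’s signed-message digest are implemented inline so the file runs offline with no third-party library; the kiosk protocol (`kiosk_challenge`, `verify_ownership`) and the SHA-256 address stand-in are my assumptions, and a production kiosk would use a maintained library and real Base58Check addresses.

```python
import hashlib
import os

# secp256k1 (the curve behind Bitcoin keys); these domain parameters are public constants
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p, q):
    """Affine point addition; None stands for the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return x, (lam * (p[0] - x) - p[1]) % P


def _mul(k, point):
    """Double-and-add scalar multiplication (not constant time: demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, point)
        point = _add(point, point)
        k >>= 1
    return acc


def _message_digest(message: bytes) -> int:
    """Bitcoin signed-message convention: magic prefix, length byte, double SHA-256."""
    assert len(message) < 253, "varint encoding for longer messages not implemented"
    data = b"\x18Bitcoin Signed Message:\n" + bytes([len(message)]) + message
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "big")


def generate_keypair():
    """Private scalar d in [1, N-1] and its public point d*G."""
    d = int.from_bytes(os.urandom(32), "big") % (N - 1) + 1
    return d, _mul(d, G)


def address_fingerprint(pubkey) -> bytes:
    """Stand-in for the address (assumption): SHA-256 of the compressed public key.
    A real P2PKH address is RIPEMD-160(SHA-256(pubkey)) in Base58Check; RIPEMD-160
    is missing from some hashlib builds, so this demo keeps SHA-256."""
    x, y = pubkey
    return hashlib.sha256(bytes([2 + (y & 1)]) + x.to_bytes(32, "big")).digest()


def sign(d: int, message: bytes):
    """Plain ECDSA with a random nonce k (a library would derive k per RFC 6979)."""
    z = _message_digest(message)
    while True:
        k = int.from_bytes(os.urandom(32), "big") % (N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s:
            return r, s


def verify(pubkey, message: bytes, sig) -> bool:
    """Standard ECDSA verification of (r, s) over the message digest."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    z = _message_digest(message)
    point = _add(_mul(z * w % N, G), _mul(r * w % N, pubkey))
    return point is not None and point[0] % N == r


# ---- kiosk side: hypothetical challenge-response proof of address ownership ----

def kiosk_challenge(claimed_address: bytes) -> bytes:
    """Fresh nonce bound to the claimed address, so an old signature cannot be replayed."""
    return b"kiosk-proof:" + claimed_address.hex().encode() + b":" + os.urandom(16).hex().encode()


def verify_ownership(claimed_address: bytes, challenge: bytes, pubkey, sig) -> bool:
    """Release funds only if the presented key is the one behind the claimed address
    AND that key signed this kiosk's challenge for that address."""
    if address_fingerprint(pubkey) != claimed_address:
        return False
    if not challenge.startswith(b"kiosk-proof:" + claimed_address.hex().encode() + b":"):
        return False
    return verify(pubkey, challenge, sig)


def demo() -> dict:
    """Constructed run: the key holder passes; a stranger's address and a tampered challenge fail."""
    d, pub = generate_keypair()
    addr = address_fingerprint(pub)
    challenge = kiosk_challenge(addr)
    sig = sign(d, challenge)
    _, stranger_pub = generate_keypair()
    return {
        "owner_passes": verify_ownership(addr, challenge, pub, sig),
        "stranger_address_fails": verify_ownership(address_fingerprint(stranger_pub), challenge, pub, sig),
        "tampered_challenge_fails": verify_ownership(addr, challenge + b"!", pub, sig),
    }
```

Two details carry the compliance value: the challenge contains a random nonce, so a signature captured at one kiosk cannot be presented at another, and it embeds the claimed address, so the customer is proving control of exactly the address the funds will go to, not of some other key they happen to hold.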

Another option was on display with CoinOutlet, a kiosk operator whose machines print a new address on the spot, with both the public key and private key (see illustration at left). This certainly alleviates the concern that the person is giving the operator an existing address belonging to someone else in another place. The buyer is still free to transfer that private key or immediately transfer the funds, but that is outside of the operator’s control.

I’ve seen another kiosk that provides the same thing via an on-screen display. Both of these, though, raise a security risk to the purchaser: a QR code skimming device could be placed in the printer, or a high-powered camera could watch the screen. A better option would be pre-printed Bitcoin wallets akin to what the Bitcoin Foundation gave out at the Financial Cryptography Conference in Barbados last year (see below). The public key is exposed to allow a user to get the balance of the account (and the kiosk to deposit money into it), but the private key is inside an envelope sealed with holographic tape. The user is free to take the paper wallet home and load up their electronic wallet.

Feel free to make donations to the above public key!  I haven’t unsealed my private key as of yet, keeping it more as a souvenir than the 0.01 BTC that was given to attendees.

If someone were to implement the above-styled machine, it would truly be more like a vending machine than an automated teller. I don’t think anybody is doing that to date, but if someone is, please feel free to contact me and let me know.

Just to reiterate, this post is not meant to be a definitive legal case for how you should operate a Bitcoin kiosk but rather just suggestive of one solution to avoid a nasty and complex compliance regime.