NYU Law Federalist Society hosts a conference on Digital Currency. There were two panels, included below.
Legal and Policy Issues
Business and Economic Issues
NYU Law Federalist Society hosts a conference on Digital Currency. There were two panels, included below.
Legal and Policy Issues
Business and Economic Issues
For the past few years, people have been speculating as to when Amazon might begin accepting Bitcoin for payments. There are even some nifty work-a-rounds that allow you to make purchases from Amazon using bitcoins such as zinc or eGifter. However, these require a bit of effort and don’t offer the seamlessness of paying Amazon directly. Overstock.com, whose CEO recently made big news has even said Amazon will eventually start accepting bitcoin. It seems almost inevitable.
Let’s consider some numbers. Right now Overstock.com claims to be doing $20-$30k in Bitcoin based sales everyday. To put this in perspective, Amazon makes some $200 million in sales daily (though I’m unsure how much of this is for retail versus services). Even if Amazon were to garner a respectable $1 million in sales per day, it only represents 1/2 of 1 percent of Amazon’s entire sales. It certainly doable but not a big incentive for Amazon at this point unless they think they can garner additional sales volume by accepting bitcoin. That being said, I believe it is highly likely that within the next year, unless some catastrophic event occurs in the bitcoin community (no Mt Gox was not catostrophic), that Amazon will begin accepting bitcoin. It has to be on their radar at this point.
Two things are going to happen when Amazon does this
1) The banks and card associations are going to wake up. At this point many bankers are aware of bitcoin but do not view it as a threat. When Amazon starts accepting it, they will realize that this is serious and will move to counter it. Expect competition in transaction fees to drive down merchant rates.
2) Bitcoin will no longer be able to be regulated out of existence. Don’t get me wrong. The regulators will continue to push for more and better oversight but once Amazon is on board, any call for making bitcoin illegal won’t have a snowball chance in hell of passing. It will have reached enough mainstream acceptance and integration into the economy to warrant the “too big to fail” mentality. Shutting it down will create a crushing blow to the economy and no legislator will risk that.
Today I get to talk about two of my favorite topics: Bitcoin and the Zombie Apocalypse. Though both have entered popular culture, unfortunately only one is real. But there is a real phenomenon very closely related to the day of the dead that has relevance to the Bitcoin community.
That phenomenon is a pandemic.
A pandemic is an epidemic infectious disease that spreads far beyond a small localized population to infect whole countries, continents or even the globe. Why is this relevant to Bitcoin? Well Bitcoin is very well situated to survive a pandemic which affects large population. The decentralized and diverse nature of the ecosystem makes it extremely resilient to distribution. As long as the base network persists and at least one mining operation continues, Bitcoin will remain an effective value transfer system.
However, there are two Achilles heels. The first is that many Bitcoin users don’t interact directly with the Blockchain but rather go through a service which monitors to the blockchain for transactions. Whether it is a hybrid wallet or a payment service like BitPay or Coinbase, if these company’s servers go offline, it effectively cuts off their customers from the network. As we have seen to date (with the implosion of so many Bitcoin businesses), they are ill prepared for the significant risks they are undertaking.
Major financial institutions are subject to guidelines published by the FFIEC, including business continuity planning for pandemics. I would be willing to bet that even the most solid names in Bitcoin don’t have a good business continuity or disaster recovery plan.
The second issue Bitcoin has is the need for all transactions to occur online. While fully offline digital currency is not efficient nor realistic, a hybrid approach which has some offline capablities is important in a world that might have spotty internet service, electricity or intelligent devices. While a few people have tried to move Bitcoin offline by producing tokens with private keys embedded behind holograms, its a jerry-rigged and not very good method of creating offline money with Bitcoins. I do hope to change that.
Let’s engage in a little Gedanken (or thought) experiment. What if by virtue of law or just increasing regulatory burden, the exchange of bitcoin to USD in the United States were completely eliminated. Would this spell the end of bitcoin? I would like to suggest not.
Certainly, there would be a precipitous drop in “value” as many of the current business eliminated its acceptance (initially) because of it non-convertibility. But their are businesses that operate without USD and totally in bitcoin. As long as those employees of those firms and vendors of those firms continue to accept bitcoin the could continue to operate. Arguably, you would see a growth (similar to what we’re seeing now) of other companies willing to accept bitcoin as pent up demand from these employees and companies with bitcoin to spend engaged the market.
The only rub is the non-convertibility poses to the payment of taxes. How do you pay your taxes when you have no USD to pay them with? It also poses an interesting problem for authorities. They could sue for recovery but what are they going to get? bitcoin which has no convertible value? So therefore could a business continue to operate without paying taxes and with no recourse by the government?
This is clearly all wild speculation and not to be construed in any way shape or form as tax or legal advice.
Most of the regulatory discussion around “miners” (an unfortunate term not used in the Bitcoin whitepaper except as analogy) discusses their introduction of bitcoin value into the market and whether their acceptance of payment for that constitutes an exchanger (exchanging virtual currency value for fiat currency value).
FinCen recently said that “so long as the user is undertaking the transaction solely for the user’s own purposes and not as a business service performed for the benefit of another”, miners selling their newly minted bitcoin value need not register as MSBs.
However, little discussion has surround the other activity of “miners,” namely the signing of blocks of transactions thus officiating them into blockchain (the public ledger that identifies all transactions in the Bitcoin network).
§1010.100(ff)(5)B states that “Any other person engaged in the transfer of funds” is a money transmitter and therefore a money services business regulated as an MSB. Arguably, a miner who signs a set of transactions, in effect, facilitates the transfer of funds from one person (or location) to another. Without the activity of miners, the stored value contained in one bitcoin address could not be transferred to another. This begs the question as to whether an aggressive regulator could make the argument that all miners were in essence money transmitters subject to regulation. This could spell the end of mining in the affected jurisdiction.
One saving grace is that regulators don’t generally understand bitcoin, are not technically sophisticated and make not make the connection. Specifically because of the minomered “miner” they may only consider the initial bitcoin value creation and ignore the important transaction validation function.
FinCEN recently issued a letter in which they clarified some of the requirements for Bitcoin miners. The full text of the administrative ruling is available at http://cointext.com/fincen-issues-bitcoin-friendly-ruling-for-miners/ and concerns the activity of Atlantic City Bitcoin LLC. The Twitterverse has been very active but much of the pronouncements have been of the form “FinCEN says miners don’t need to register.” This is not what they said.
To be sure the ruling is clear as mud, as these things usually are. From the letter:
“The guidance makes clear that an administrator or exchanger of convertible virtual currencies that (1) accepts and transmits a convertible virtual currency or (2) buys or sells convertible virtual currency in exchange for currency of legal tender or another convertible virtual currency for any reason [Emphasis added] (including when intermediating between a user and a seller of goods or services the user is purchasing on the user’s behalf) is a money transmitter under FinCEN’s regulations, unless a limitation to or exemption from the definition applies to the person.”
In response to the letter, FinCEN said that it was okay to exchange convertible virtual currency (aka #bitcoin) into legal tender currency (aka USD) “so long as the user is undertaking the transaction solely for the user’s own purposes and not as a business service performed for the benefit of another.”
In other words, if you mine bitcoin and then sell it on an exchange to buy a Ferrari (because you can only buy a Lamborghini with bitcoin), then you’re golden. So, at what point are you performing a business service and not selling the bitcoin for your “own purpose?” After all, any business has expenses to pay and dividends to distribute to the owners of the business. Would selling all your bitcoin and then paying all your vendors and owners in USD mean your performing a business service or mean your doing it for your own purposes?” I would take this to mean that if you mine bitcoin and turn around and regularly sell those bitcoin to a third party or parties for legal tender currency, you’re probably operating it as a business service. Clear right?
Again from the guidance it says “By contrast, a person that creates units of convertible virtual currency and sells those units to another person for real currency or its equivalent is engaged in transmission to another location and is a money transmitter.”
The bottom line is the hobbyist miner who spends his bitcoin for goods or services is probably in the clear, whereas a large enterprise (as most mining operations are moving towards) that is earning so much bitcoin every day that it has to sell them wholesale is probably an MSB.
Interestingly enough, FinCEN has NOT addressed the other function of miners and something that will be prevalent after 2140 when the last bitcoin is mine and that is signing transactions on the blockchain. In essence they are vouching that the transaction from address 1 to address 2 is a valid transaction and should be acknowledge in the collective bitcoin blockchain. They are (potentially) facilitating the transfer of value from one person (or location) to another. I don’t think this falls within the letter of the regulatory structure, but it is certainly something that will receive closer scrutiny and could be addressed in future changes to the laws and regulations.
Bitcoin has had a meteoric rise in the last few weeks following intensive press coverage and activity from investors and startups in the Bitcoin space. However, most of this activity is fueled by speculative actions on the value of Bitcoin. Practically none of it is by virtue of the actual use of Bitcoin as a medium of exchange. As I’ve written before, the primary beneficial use of Bitcoin is as a medium of exchange, not a store of value. The recent activity is reminiscent of the Dutch tulip mania of the early to mid 1600’s.
The easy of exchanging Bitcoin for fiat currency is the cause of this. As long as people can transfer in and out of the currency with ease, the tendency will be for people to hoard it because it’s value against other currencies will be more than it’s value as a medium of exchange. If the exchanges were shut down (voluntarily or by government action) then Bitcoin will shine and people will actually spend it and use it as it is meant to be used. Then it’s true “value” will be determined, not by some mythical exchange rate but by what people are actually willing to accept it for in exchange for the goods and services they produce.
Wired.com reported today that the owner of Casascius received a letter from the FinCen (the United States Financial Crimes Enforcement Network) that essentially stated that the service he operated was a Money Services Business (MSB), specifically a money transmitter, and he had failed to register as required of MSBs. Images of Casascius’s coins have become to the visual representation of Bitcoin, owing to the otherwise difficult situation in visualizing the virtual currency. Casascius’s decision to shutdown the service in light of the letter represents a high profile shuttering of a Bitcoin based business.
Title 31 Section 1010.0100(ff)(5) defines a money transmitter as:
(5) Money transmitter—(i) In general. (A) A person that provides money transmission services. The term “money transmission services” means the acceptance of currency, funds, or other value that substitutes for currency from one person and the transmission of currency, funds, or other value that substitutes for currency to another location or person by any means. “Any means” includes, but is not limited to, through a financial agency or institution; a Federal Reserve Bank or other facility of one or more Federal Reserve Banks, the Board of Governors of the Federal Reserve System, or both; an electronic funds transfer network; or an informal value transfer system; or
(B) Any other person engaged in the transfer of funds.
(ii) Facts and circumstances; Limitations. Whether a person is a money transmitter as described in this section is a matter of facts and circumstances. The term “money transmitter” shall not include a person that only:
(A) Provides the delivery, communication, or network access services used by a money transmitter to support money transmission services;
(B) Acts as a payment processor to facilitate the purchase of, or payment of a bill for, a good or service through a clearance and settlement system by agreement with the creditor or seller;
(C) Operates a clearance and settlement system or otherwise acts as an intermediary solely between BSA regulated institutions. This includes but is not limited to the Fedwire system, electronic funds transfer networks, certain registered clearing agencies regulated by the Securities and Exchange Commission (“SEC”), and derivatives clearing organizations, or other clearinghouse arrangements established by a financial agency or institution;
(D) Physically transports currency, other monetary instruments, other commercial paper, or other value that substitutes for currency as a person primarily engaged in such business, such as an armored car, from one person to the same person at another location or to an account belonging to the same person at a financial institution, provided that the person engaged in physical transportation has no more than a custodial interest in the currency, other monetary instruments, other commercial paper, or other value at any point during the transportation;
(E) Provides prepaid access; or
(F) Accepts and transmits funds only integral to the sale of goods or the provision of services, other than money transmission services, by the person who is accepting and transmitting the funds.
The key provision is in bold. The way I understand Casascius to have worked was the you would send a unit of Bitcoin (plus a fee) to Casascius and they would generate a new public/private key pair. Your unit of Bitcoin value would be transferred into the public address of the key pair. The private key would then be placed on a newly minted physical coin and a tamper resistant hologram would be place over the privacy key. Therefore any attempt to remove the hologram and defund the address of it’s value would be visible on the physical coin. Users were encouraged not to accept tampered with coins.
The governments argument appears to be (from the article) that the sender who originated the transaction could induce Casascius to create a new Bitcoin address and have that address (via the physical coin) be sent to another person. Casascius’s action as an intermediary in the transaction places it squarely in the ambit of the money services business regulation. In order to avoid such a position, Casascius would need to very that they sender of the original Bitcoin is in fact the recipient of the physical coin.
[As an aside, I’ve never been too fond of a physical representation of the virtual currency. As noted in the Wired article, someone seems to have produced counterfeit holograms which would allow a thief to retrieve the value in the hidden private key and replace the hologram, allowing future purchasers to think they are getting something with stored value when they are not. Also, the system requires that you trust Casascius to not have kept backups of the private keys which either puts holders of the coins at risk that Casascius absconds with them or that they private keys aren’t stolen by a third party which does the same. Finally, the benefits of virtual currency (ease of transmission, etc) are destroyed by embodying them in a physical representation.]
Many Bitcoin adherents may be scratching their heads. After all, if I wanted to send someone some Bitcoin value, I could just initiate a transfer from my address to the recipient address. Why should Casascius’s position as an intermediary require a lot of regulatory compliance issues on their part? The FinCen regulations (and the laws they implement) were written in a day when it was impossible/difficult to transfer large sums of money around from one person to another. You needed an intermediary. Look at the continuing brisk business done by Western Union or any of its contemporaries who facilitate the transfer of some store of value from one person to another. Now, can one person give another cash without having to jump through regulatory hoops? Sure. But other than cash, which most people are smart enough not to mail, all the other methods require an intermediary, some financial or quasi-financial institution. And while you can ship cash, most carriers prohibit it. The laws were written for this situation, where transmitting money over a distance required a company to facilitate the transfer. Bitcoin obviates the need for those intermediaries. Unfortunately, even though it seems “obvious” that transfers between individuals can happen without an intermediary, those companies that find themselves offering services that do just that will have to contend with laws written in a world before Bitcoin was conceived.
Disclaimer: This post is not meant as legal advice and I’m thinking about working up a full legal brief/article on the subject. This post is meant to point out a potential concern over Bitcoin and it’s fungibility.
Many of the legal discussions around Bitcoin concern the potential impact that regulation may have on the emerging digital currency. There are, though, other legal issues afoot. I’d like to address one that recently came to my attention. Two of the appealing characteristics of Bitcoin are the irreversibility of the transactions and the fungible nature of the currency.This makes Bitcoin much more cash-like. It also makes it more susceptible to theft and the continuing problem of stolen addresses plagues Bitcoin. Proposals to blacklist wallets identified as holding Bitcoins stolen or otherwise the result of criminal proceeds has caused division in the Bitcoin community. The concern is that by blacklisting Bitcoin wallets from the blockchain could cause forking and introduce additional regulatory oversight of the currency. Seeing as how many of the early adopters of Bitcoin did so because they wanted a monetary system free from government manipulation, such a proposal runs counter to the original raison d^etre for Bitcoin.
So what happens when the owner of a Bitcoin address follows the blockchain and finally identifies a wallet containing the stolen balance? In other words, the proceeds of theft are transferred to a known merchant dealing in Bitcoin. [What follows is applicable to US law, clearly Bitcoin is international so such analysis may be limited] Under common law, a seller can not convey more ownership in property than they possess. Since a thief has no rights to property his conveyance of possession conveys no rights to the purchaser and thus the purchaser has no rights to convey to future purchasers (“nemo dat quod non habe”). There are some exceptions:
Under the law of good faith purchase as it is embodied in the Uniform Commercial Code (U.C.C.), the nemo dat rule is subject to only two exceptions. First, under the “voidable title” rule, if the original owner is induced-say, by fraud or deceit-to transfer goods under a transaction of purchase, the transferee acquires the power to transfer a good title to a good faith purchaser for value. Second, under the “entrustment” rule, if the original owner entrusts goods to a merchant who deals in goods of the kind, the merchant has the power to transfer the owner’s title to a buyer in the ordinary course of business.
The other common limitation on replevin actions against purchasers is a statute of limitations and requirement that the original owner demand and the purchaser refuse to return the goods within a certain period of time.
The current common law rule places the burden of proof on the receiver of goods, because ultimately they are going to be the one losing the value if the original owner comes to them. The thief is probably long gone. The put the recipient in the awkward position of wanting to know if the good they receive have been stolen and investigating to see if the title is clean. If the original owner is actively publishing that these goods are stolen in a way that the purchaser is on notice, it behooves them not to take possession of the goods. What does this all mean for Bitcoin?
Characteristics when support original owners of Bitcoin coming after recipients
Characteristics which may make it hard for original owners to recover
There has been a lot of discussion regarding the over reach of the Computer Fraud and Abuse Act (aka CFAA) and prosecutorial misuse. The discussion only intensified after the suicide of Aaron Schwartz. Broadly, the CFAA criminalizes access to computer services that exceeds authorization. The question is what exceeds authorization is especially thorny in the case of a publicly accessible website.
Consider the current case against Andrew “weev” Auernheimer. He is being prosecuted for unauthorized access to 100k+ emails of AT&T customers who owned Ipads. Seems pretty bad doesn’t it…..but lets consider what he did from a technical standpoint.
It turns out AT&T was trying to make it easy for Ipad customers to log into their AT&T account. When a customer would access AT&T’s website, the Ipad had be preprogrammed to call a specific webpage. I don’t know the exact URL but it looked something like this
That number at the end was the serial number of the Ipad. AT&T then used this number to pull the person’s email address from their records and pre-populate the login page so the customer didn’t have to enter their email every time they wanted to log in.
What Auernheimer did was go to the URL and alter the serial number sequentially upwards, thus revealing thousands of customer’s emails. This is a common problem and is easily fixed by what is referred to as page level security. In other words, you should only display information on a page if the user is authorized to access it. I’ve found this problem in many website, including my law school which displayed the roster of every class in the school and a popular retailer which allowed me to view every order placed on the website.
While AT&T certainly didn’t want Auernheimer to get that information, they put it out there for the world to see and ignored basic security practices. Auernheimer simply pointed this out as I and others have done so in the past.
It seems almost silly that if I set my computer to access a web page by typing a url, essentially instructing ATT’s server to send me some information (http://www.att.com/home.php?ipad=00033333) and get information PROVIDED by AT&T’s web server I’m now a Federal felon for unauthorized access.
If you, dear blog reader, agree with me so far, let’s make the question a bit more complicated. Suppose instead I enter the following in my url
http://www.att.com/home.php?ipad='; select * from dbo.customers;
and now the webserver returns the entire database of customer information. This technique is called a sql injection attack and provides me a way of injecting a sql statement into their code. Here I have similarly sent instructions to AT&T’s server but this time I’ve gotten information they never intended to share. But wait, the never intended to share that one customer’s email with ME in the previous URL.
The fact is, without exposure by people such as Auernheimer, ATT and other companies lack incentive to secure their software. Then the only people using these attacks will be the criminals who use them for nefarious purposes. This shouldn’t be illegal under the CFAA. If anything, AT&T should be liable for failure to exhibit best security practices.