GDPR Privacy Regulation

GDPR Article 35 and Article 25 Square Off

For those not buried in the details of the European General Data Protection Regulation (GDPR), there is often confusion about be the differences between Data Protection Impact Assessments (Article 35) and Data Protection by Design and Default (Article 25). Many people assume that DPIAs, as the impact assessments are called, are synonymous with with Data Protection by Design and Default. This article we highlight some of the key differences.

Article 35 Data Protection Impact Assessments

  • Applies to: processing of personal data that likely poses a high risk to individuals, especially where there is automated processing, processing large scale special categories of information or systematic monitoring of public spaces
  • Requires: documentation of the measures to address the risk and demonstrate compliance with the regulation
  • When: prior to processing

Article 25 Data Protection by Design and Default

  • Applies to: all processing of personal data
  • Requires: implementing appropriate technical and organizational measures designed to implement data protection principles and only process the personal data necessary for the specific purposes
  • When: at the time of determination of the means of processing AND at the time of processing

I’ve obviously summarized the language of the articles but only to highlight the differences. So let me dive a little further. First off, you’ll notice the first key distinction on the applicability. DPIAs are only necessary for high risk processing, whereas Data Protection by Design (and default) applies to ALL processing of personal data. Of course, to get to a DPIA, most organizations rely on some threshold analysis which would suggest whether or not the processing is high risk. This is not necessary for Data Protection by Design because it applies to all processing.

The second key distinction is that DPIAs are about documenting your measures and compliance whereas Data Protection by Design is about implementing measures. Article 35 DPIA is about proving you’re complying whereas Article 25 Data Protection by Design and Default is about trying to comply (i.e. the measures are “designed” to implement data protection principles). Presumably, if you’ve designed data protection into your processing, the DPIA is about ensuring that you’ve formally documented it (with all your i’s dotted and t’s crossed). An example might help. If you’re planning on collecting contact information of potential customers at a concert, you might implement an organizational measure (a policy) that tells your employees to ensure they tell potential customers what their data will be used for. That is a measure designed to comply with the data protection principle of transparency. Will some of your people forget to tell them? Perhaps. Perfection is not the goal. Change this up to you’re planning on video recording individuals at the concert and doing demographic analysis on ethnicities in attendance. Now you fall under the systematic monitoring clause of Article 35 (and special categories clause as well). You have to document how you’re complying with the regulation, including all the technical and organizational measures. Maybe only three employees have access to the data. Maybe you’re doing this under the lawful basis of being carried out in the public interest. Maybe you had notice printed on the back of the ticket before everyone entered. Document. Document. Document is what DPIAs are all about.

The final key distinction is about timing. For DPIAs, you need to do that anytime prior to processing. The idea here is if you don’t have the documentation or can’t prove your complying with the regulation, that would stop you from processing the personal data at high risk to the individuals (or at least give you pause). Because, Data Protection by Design is about implementing measures rather than documenting those measures, it must be done (1) when you determine what processing you’re going to do and (2) at the time of processing. The reason for this is because the measure may have different effects at different times. For instance, one measure (in accordance with the data minimization principle) might be to exclude collection of certain information, say ethnicity, when asking for contact information. This might be implemented on the form being used to collect data by not having an ethnicity field. Since we create the form at the “time of determination of the means of processing” we’re implementing that measure at that time. Another measure might be to audit the forms to make sure employees aren’t secreting marking codes next to minority names and contact information. That measure would obviously be at the “time of the processing itself.”

GDPR Privacy Regulation

Lawful Basis under GDPR: Performance of a Contract

The newly enacted General Data Protection Regulation (GDPR) in the European Union provides for six lawful bases for processing data. Just as a baseline for readers who may not be familiar with the GDPR, in general processing is prohibited unless you have a lawful basis.  Article 6 of the regulation provides for the list of bases:

  1. Consent
  2. Necessary for performance of a contract
  3. Necessary for compliance with the law
  4. Necessary to protect vital interest of the data subject
  5. Necessary for task carried out in the public interest
  6. Necessary for a legitimate interest of the controller or third party

The most common justification by organizations is probably (6) legitimate interest. The easiest example of this would be fraud prevention. An organization has a legitimate interest in preventing fraud from occurring. Of course, the balancing test for legitimate interest must still be carried out. You can’t justify doing just anything you want on the basis of fraud prevention.

The basis which garners the most press and most debate is consent. In fact, the regulation devotes an entire article to what constitute valid consent. The Working Party 29, the official EU advisory group on data protection , also published a 30 page guide to consent. Consent is essentially a last resort for organizations wanting to use data. If you can’t find a valid basis under the other five, consent is your only option.

Bases 3, 4 and 5 are fairly narrow and of limited general purpose use, only available in certain circumstances.

Which leaves us #2 performance of a contract, the subject of this post. In full, the text of the regulation on this reads: “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Unfortunately, many are read this option too broadly as, simply, part of a “contract.”  In other words, their feeling is that, anything put into the contract, makes this a valid basis for processing. But let’s look a little closer.

processing is necessary for the performance of a contract to which the data subject is party”

First off, it’s clear the data subject must be a party to a contract. It can’t be a contract between two organizations concerning the data subject (or their information).  What about the other part of that sentence “necessary for the performance of a contract?” While performance is not defined under the Principles of European Contract Law (PECL), non-performance is in Art 1:301:

“`non-performance‘ denotes any failure to perform an obligation under the contract, whether or not excused, and includes delayed performance, defective performance and failure to co-operate in order to give full effect to the contract.”

Article 7 of PECL goes on to describe, in more detail, issues of performance. One can deduce from the counter definition that performance means completion of an obligation under the contract (in a timely, non-defective and cooperative way).  Article 6:101 describes that a statement in a contract gives rise to an obligation to a party, if the other party reasonably expected it to give rise to that obligation, taking into account (a) the apparent importance of the statement to the other party; (b) whether the party was making the statement in the course of business; and (c) the relative expertise of the parties. Clause (a) is crucial in the analysis for the lawful basis of performance of a contract under GDPR.

In order for “performance of a contract” to be the lawful basis, the processing of data must be necessary to fulfill an obligation, under the contract, of the controller which is important to the data subject.

Let’s look at a clear example: I hire you to design and print business cards for me. Without my name and contact information, it would be impossible for you to fulfill your obligation under the contract. I’ve set you up for failure and arguably non-performed my obligations for failure to co-operate if you’re not allowed to use that information. Processing of that data is necessary for your performance.

Let’s look at one more common one, payment processing. You hire my consulting firm to provide privacy by design training and the firm expects payment for that service. In receiving that payment, I’m in receipt of your personal information, which may be supplied to a payment processor, used to create an invoice, etc. From the contracts perspective, the obligations are that you pay the firm and that the firm provides training services.  Processing payment is for the firm’s benefit (aka in their legitimate interest in facilitating payment) not to fulfill an obligation to you.

The bottom line is, just because there is a contract, doesn’t mean the lawfulness of processing is based on performance of that contract. It has to support and be necessary to perform your obligations under the contract.

Alt Coins Bitcoin Blockchain Ethereum

Demystifying Blockchain

I’m concerned about the amount of “blockchain will cure cancer” type prophecies. Many of blockchain’s most vocal proponents are so ill qualified when it comes to understanding the technology yet they hum along singing the benefits. Don’t get me wrong. I’m a blockchain supporter, but I fear it’s being oversold and failures to live up to the hype will result in a backlash. I don’t claim to be the first to have these concerns.

This article is not meant to be an explanation of the technology of blockchains. If you’re interested in a technical discussion, there are many other resources. For our purposes, we can think of blockchains as a log. Now some people equate blockchains to databases, but I think the analogy is flawed. While both a database and a log contain data, a log implies a sequential series of entries, whereas a database implies the ability to read, write and edit in a non-sequential format. A blockchain is sequential. It has dates, times, and some data:

The log in a blockchain can be simple, as above, or complex, following a specific format for the data such as designating accounts to debit and credit and the associated amount. Many people refer to the blockchain in Bitcoin as a ledger, because it logs transactions, the debits and credits of Bitcoin owners. Blockchain log entries can encode bits of programmatic logic.1 But, whatever the format, in essence, a blockchain is a log full of entries.

Unlike a simple log file though, a blockchain has a bunch of fancy characteristics to enhance its security. First, blockchains use a cryptographic technique called hashing to preserve the integrity of the data. Second, blockchains use incentives to ensure that people maintain the log and add new entries to it. These people are called “miners”, with a historical wink to workers who mine precious metals. Because of miner’s need to earn their incentives, the log is widely shared, increasing its availability. Miners bundle up log entries in the queue into a “block” and then add those to the log. The blocks are “chained” to the previous block because each block includes a summary of the previous block.2 Hence, we refer to the log as a chain of blocks or a blockchain. The summary of each block must be of a certain format and it takes significant computing power to put the summary in that format.

Blockchains incent miners to build new blocks in two ways: they earn a “fee” for each entry they log and they earn a “reward” with each block they add to the chain. The fee is paid by people who want their transactions included in the block, which only shifts existing value from the transactor to the miner. The fee is like a percentage paid for someone to transport your gold from one party to another. Whereas, the reward actually increases the money supply. You can analogize this to a gold mine where finding a new gold vein increases the amount of gold in world.

But mining is a competitive enterprise, and only one miner can find a gold vein. In Bitcoin, only one miner can add the next block to the chain. Miners win the race for the next block by solving a very complex mathematics problem, which is why Bitcoin miners now use ASIC (application-specific integrated circuit) built to solve that problem. Having an army of miners creating new blocks further increases the integrity because an adversary would need to muster enough computing to match a majority of the miners. As of this writing, the Bitcoin network is calculating 10,470,748,203,000 megahashes per second and the computer you’re reading this on could probably calculate 50-60 megahashes per second.

Let’s return to our basics description. At its core, a blockchain is a log with a bunch of people competing for incentives (fees and rewards) to add to that log,

The cost of security

As mentioned above, the cost of running the network (storing the blockchain, running the computer that calculates the math problem, etc.) is approximately the same as the income generated by miners. The chart belows shows the daily income of miners for the last two years, based on rewards and transaction fees, currently running about $8 million dollars per day. If that amount is stable for a year, that would amount to $3 billion a year. The current market capitalization of Bitcoin is $62 billion. At this rate, we’re looking at about 5% to secure the network each year.

Illustration 1: Bitcoin daily miner earnings by transaction fee and rewards


Doing a back of the napkin calculation, Bank of America spends about $500 million dollars a year on security. Bank of America holds assets of about $2 trillion dollars. So the security budget is about ¼ of a tenth of 1%. Now to be fair, BofA relies on external parties to secure much of their assets; law enforcement and courts to bear the burden of catching and prosecuting thieves and fraudsters and the bank contractually shifts some of the risks to insurance companies, partners and others.

The point of this exercise was to illustrate that the cost of the blockchain can be many times more expensive than a methods of securing a traditional platform. This doesn’t mean that blockchain is not a viable option, but rather you have to weigh the value of what your securing against the costs of the solution.

For instance if you’re securing an international currency (like Bitcoin), having high integrity and availability might be worth it. If you’re securing something like the provenance of pharmaceuticals (subject to hundreds of billions of dollars a years in fraud) might be worth it. If you’re securing stocks, bonds, or real estates titles, then it might be worth it. But if you’re securing collectible cards on a blockchain, the value of the data isn’t worth the cost incurred. What’s throwing a wrench in the economic analysis of most blockchain start-ups is that (look at the chart again) the inflation of the currency is subsidizing the security costs. Blockchain users pay the transaction fees. But because demand is exceeding supply for the currency of blockchains, the price of the fees is small relative to the value of the rewards, obfuscating the true cost of the service provided by the miners.

One way to overcome this cost is the use of an anchoring service that doesn’t store data in the blockchain but aggregates a lot of data into one log entry (a digital proof of the data’s existence) to store in the blockchain. Consider a car title where I try to sell you a car with an altered title. With the digital proof stored in the blockchain, you could reject the title knowing it was altered. We reduce cost because we don’t have to store the actual document, only the digital proof. We increase confidentiality because the data is no longer stored in public. Of course, we lose something as well. We no longer have the availability of the underlying data; if corrupted, we can’t restore the underlying data; we can only prove it is, in fact, corrupted. This is great if you only need to prove data you have wasn’t altered, not so great if you’re concerned about restoring the original data if lost. Unless another copy of the real title existed somewhere, we’d never be able to reconstruct who actually had title.

Public blockchains.

Bitcoin uses a public (or open) blockchain. “Public” in this case means that miners are free to join and leave, and do so based on their own economic interest. If a one can make money in the business of mining, more miners will contribute to the network. If miners are expending more resources than they are earning they will exit the network. The creates somewhat of an equilibrium such that the money earned by the miners is very close to the costs they spend securing the network.3 Profit margins in blockchain mining are dependent on the miner’s underlying costs (mostly hardware and electricity) and the fluctuations in the value of the currency mined.

By contrast, permissioned blockchains are not public. An external structure governs participation, limiting who can act as miners. Thus, permissioned blockchains don’t exhibit the same economic properties as public ones.

What blockchains are good for

Now that we understand what blockchain is, we can start investigating appropriate uses of the technology. The simple fact is, wherever you have a need for a high level persistence (i.e. availability) and integrity, blockchain technology could be of benefit. I stress could, because you have to weigh two factors. The first is the true cost, as previous discussed (taking into account current subsidies). The second is a lack of confidentiality; the transaction data held on a public log. Of course, you could encrypt the data but it is still public and, because of its persistence, runs a higher risk of becoming completely transparent if an adversary compromises the encryption key. Unlike an encrypted private database which has the added protection of having limited exposure, a public blockchain is, by its nature, available to anyone, including an adversary. Even encrypting the data exposes meta-data, such as dates and times of entries, to analysis. As mentioned above, using an anchoring service, you can trade off confidentiality with integrity and availability, but you must determine an appropriate balance for your objective.4

Illustration 2: The trade-off among confidentiality, integrity and availability.


Interoperability, the snake-oil of the blockchain world

The most common fallacy in proposals to use blockchain is using it for interoperable data sharing among disparate parties. Participating parties in a blockchain network agree on a standard data structure, so in that respects they are, by design, interoperable. But one doesn’t need a blockchain for interoperability, one only needs an agreement on structure of the data. When I hear about proposals to use blockchains for patient health records (PHR), I cringe. Patient health records are in need on interoperability, so health care providers can share patient data with each other for more efficient health care. But blockchains lack enough confidentiality for patient health records and are an expensive means of providing interoperability. Anchoring services could maintain patient confidentiality but lack the interoperability that most providers in this industry seek. The underlying data, anchored to the blockchain, still needs an agreed upon data structure, which can occur with or without blockchains.

Smart Contracts

One of the more interesting structures of data to use in a blockchain comes in the form of programmatic code. Miners can execute that code as they build the block. Bitcoin has a simple scripting language (see, a sort of machine language for the virtual Bitcoin machine. Ethereum has a much richer programming language which allows such things as smart contracts to run on the network. What is a smart contract? Its an agreement between two (or more parties) that is self-executing. In a typical contract, when two parties agree to something, they must act on that agreement. If I agree to pay you $10 if it rains tomorrow, then I actually have to transfer that $10 if it does rain tomorrow. If I fail to do so, you have to enforce that contract through some means, suing me in court if you want to pursue legal means or beating me with a rubber hose if you want use extra-legal means. A smart contract executes itself. The parties put money in escrow with contract. The contract distributes the money to the parties according to the terms. This eliminates counter-party risk, the risk that the other party in a contract will fail to live up to the terms.

While such a program could run on a traditional server, if something happens to that server, the contract would fail to execute. This might create an incentive for the losing party in an agreement to tamper with or stop the server from running. Putting a smart contract on a blockchain network like Ethereum ensures it’s execution. Like confidence in the integrity of the accounting in the Bitcoin blockchain, Ethereum users are confident in the execution of the contract as written. But ensuring execution is not free and it’s not even cheap. It is a costly contract to execute. The blockchain holds the terms of the contract in perpetuity. It must run on thousands of computers. Users must compensate the miner for this activity. Now this might not be a problem, if the smart contract has significant value or counter-party risk. But no one would or should not use a blockchain for low value contracts with limited risk.5


My goal of this article was to pull away the veil of technological secrecy that sometimes comes with discussion of blockchain. For those without a technology background, it can be hard to distinguish between reality and snake-oil in the blockchain world. For those with a technical understanding, please forgive my over-simplification but it was necessary to help bring a wider understanding of the benefits of blockchain while separating out the more outrageous claims.

1The Bitcoin blockchain actually uses programmatic logic to build the accounting ledger. This what allows for sophisticated features such as multi-signature wallets. But that is out of scope of this article.

2That summary is in the form of a hash of the previous block.

3For more information about the economics of Bitcoin’s blockchain, check out

4Confidentiality, integrity and availability are consider the information security triad.

5This post estimated that its 400 million times more expensive to run code that adds numbers together on Ethereum than on a traditional server. Given the nascency of Ethereum, the numbers may be off but the concept that it is significantly more expensive remains.

Ethereum Privacy Security

When is a hack a hack?

This was cross-posted from LinkedIn.


The recent kerfuffle around Ethereum and the #DAO “hack” is just another in a long list of events which illustrate the difficultly in defining the term “hacking.”  For those unfamiliar with Ethereum and the DAO, a little background. Ethereum is a blockchain technology which expanded on the idea of Bitcoin, to allow for a more programmable blockchain. For simplicity sake, think of Ethereum as a giant distributed virtual computer running on thousands or millions of other computers. Incentive to run this computer is paid in the form of ether (which can be traded for Bitcoin or other forms of money, directly or indirectly). The DAO is a program that was created to run on this computer, that acted like a giant venture capital firm, but without any partners, or anybody else running the helm. Anybody who contributed ether to the DAO was able to help determine the investments the DAO made. All of this was done through code, snippets of computer programs running Ethereum language of choice, golang. The DAO is actually a specific instance of a generic form of DAO or Decentralized Autonomous Organization (Ethereum refers to them as Democratic Autonomous Organization). In the height of hubris, the first DAO called itself the DAO, something akin to the first Corporation calling itself “The Corporation.”

Don’t worry if your head is spinning, it’s a lot to take in and a paradigm shift for sure. I’ve left audiences in a collective coma talking about the future of DAOs. Suffice to say, if half the words in the preceding paragraph were befuddling, you should start learning and fast. This is the future and it’s coming faster than you think. Regardless, what happened next in the story of the DAO is nothing short of extraordinary. People starting throwing money at the DAO: millions of dollars, something north of $150 million at one point. Then, disaster struck. Remember the DAO is just a computer program running on a distributed computer. Someone realized they could send some instructions to the computer program and simply direct all that money to them. It was eloquent and simple. Poof. $60 million dollars in ether was drained from the DAO. The Ethereum crowd was in shock. Their shining example of the future had just been hacked. Or had it?  The hacker claimed the program acted as it was programmed to do. He was just able to interact with that program in such a way that earned him $60 million. Now Ethereum is facing an existential crisis. The whole point of a DAO is an unstoppable immutable program, but now that all this money went bye-bye, they want to stop that program and can fork the Ethereum blockchain to do so (or make a change to the underlying infrastructure to do so). But Ethereum’s crisis is not the subject of this article. The subject is hacking. You see this is the first case where hacking may not really be hacking. In fact, every case maybe the same.

Computers do what you tell them to do

In the United States, the principle anti-hacking law is the Computer Fraud and Abuse Act (CFAA). However, much has been made about the ambiguity of the law. The law makes criminal someone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … (C) information from any protected computer.” A protected computer is broadly defined in a way that means just about any computer attached to the internet. The act was used in the prosecution of Aaron Swartz who downloaded massive numbers of articles from JSTOR. As a Harvard researcher, he was entitled to access those files though not in the manner he did (a potential violation of the JSTOR terms of service). While it has been surmised that his intent was to upload all the articles for free access, he never did so, having been arrested prior to that. Regardless, that would have been a violation of copyright law, not the CFAA. The question here is whether violating a sites terms of service “exceeds authorized access” and is a federal felony.

Another notorious example is Lori Drew. She was prosecuted for creating a fake MySpace page and using that page to court then taunt a teenage girl, who later committed suicide. Again, a violation of MySpace’s terms of service and again, a federal felony.

Finally, there is the case of Andrew “Weev” Augheimer. Weev accessed an AT&T website used by iPads users to register their iPads. When the website was accessed with a user’s ID number, if they had previously registered, it displayed their email address that they registered with. Weev wrote a script that cycled through ID numbers and grabbed email addresses. In other words, he accessed a publically facing website (of the form and simply incremented the ID numbers.

None of the people in the previous two cases are shining examples of model citizens. Swartz is more of a Robin Hood character than swashbuckling criminal. But the question remains, is what they did (on a technical basis) so heinous? If I were to create a website with a link on the front page that says “You are not authorized to click this button” and you did, and it provided information on a second page; you’re now a criminal. Does this seem right?

While hacking is defined on a technical basis, the unauthorized access or exceeding authorized access of a computer, the criminality seems more based on the results, motives or intent. Clearly a case for prosecutorial discretion. No sane prosecutor would contemplate your trial for clicking that button, but Weev was a “bad” person. The prosecutor is that case said “His entire adult life has been dedicated to taking advantage of others, using his computer expertise to violate others’ privacy, to embarrass others, to build his reputation on the backs of those less skilled than he.”  In this case, Weev wasn’t trying to spam the email addresses or gain financially, he was out to embarrass AT&T for their bad security.

You don’t have to be a jerk to be scared of the law

But what about security researchers? White hat hackers whose job it is to expose security vulnerabilities with the aim of benefiting society by making it more security. They are scared. Scared of prosecution by an overzealous prosecutor or overly defensive company making a federal case out a genuine desire to do good. Rather than shore up their security, many companies would choose to hide behind the law, going after security researchers rather than improve their own products or spend the resources up front to build security in.

While I don’t have a good suggestion for codification of a law that punishes evil-doers while not punishing saints, I do know that the current state is not sustainable. The criminality should be in the results not the mechanism.

Which brings us back to Ethereum and the DAO. Ethereum is an experiment. It portends a future state of truly revolutionary computing. The DAO was an experiment. As with any start-up, its hard to spend money on security when you’re trying to build your product. But as the DAO shows, security can’t be an afterthought, even when you’re just experimenting.




1st Amendment Privacy Regulation

Agency Information Collection Activities: Arrival and Departure Record (Forms I-94 and I-94W) and Electronic System for Travel Authorization

June 5th, 2016

U.S. Customs and Border Protection
Attn: Paperwork Reduction Act Officer
Regulations and Rulings
Office of Trade
90 K Street NE.
10th Floor
Washington, DC 20229-1177.

I am writing in response to the notice published in Federal Register on 6/23/2016 entitled “Agency Information Collection Activities: Arrival and Departure Record (Forms I-94 and I-94W) and Electronic System for Travel Authorization

I am responding to the question of “whether the collection of information is necessary for the proper performance of the functions of the agency, including whether the information shall have practical utility.”

The proposed changes to the I-94W and I-94 forms, albeit small, have potentially grave ramifications to the fundamental ideals upon which the United States is founded and practically will result in no net improvement to the security of the country.

Constitutional Problems – Chilling effect on speech

In 1996, a three judge panel from the Eastern District of Pennsylvania declared the Communications Decency Act unconstitutional. Judge Dalzell, writing the opinion of court, declared: “[T]he Internet may fairly be regarded as a never-ending worldwide conversation. The Government may not, through the CDA, interrupt that conversation. As the most participatory form of mass speech yet developed, the Internet deserves the highest protection from governmental intrusion (emphasis added).”
The Internet, in its present form, is used by billions of individuals around the world to communicate with each other. Whether it is for business, pleasure, entertainment, enlightenment or political discourse, social media on the Internet is perhaps the principle forum today by which people of diverse cultures, countries and mindsets interact on a daily basis. Ostentatiously, the objective of the form change, is to identify social media profiles of visitors to the United States. The social media profiles will be reviewed and analyzed, whether by automated or manual means. Potentially, individuals whose social media profiles indicate they are in some way threatening to the United States, will be prohibited from entry, or their entry will be more closely scrutinized.
What is more likely the outcome is that
(1) Individuals with controversial writings will choose not to visit the United States, reducing the diversity of ideas and discussion on those topics (within the geographic United States).
(2) Individuals with controversial thoughts will scrutinize their social media presence and avoid discussions on those thoughts on what Judge Dalzell called “a never-ending worldwide conversation.” This will reduce the diversity of ideas and discussions on those topics (on the Internet).

The chilling effect is not just on foreign nationals but negatively affects the ability of United States citizens to listen to and discuss controversial topics with foreigners abroad. In 1965, the Supreme Court in Lamont v. Postmaster General, 381. U.S. 301 struck down section 305 of the Postal Service and Federal Employees Salary Act because it required the Postmaster General to detain foreign mailings of communist political propaganda unless the addressee affirmatively acknowledge their acceptance and desire to receive such material. The Supreme Court recognized that this would reduce the recipient’s unfettered access to constitutionally protected speech, and thus the act was unconstitutional. The courts have consistently ruled that acts of government, even when they do not have a direct prohibition on speech, but have a chilling effect, are never the less, unconstitutional. This change to form I-94 and I-94W will have a similar effect.

As to the necessity of the proposed change to the function of the agency, an unconstitutional act can never be necessary.

Practical Utility of the proposed change

Selection bias is defined as “selection of individuals, groups or data for analysis in such a way that proper randomization is not achieved, thereby ensuring that the sample obtained is not representative of the population intended to be analyzed.” The simple fact is that those attempting to enter the United States to perform terrorist acts are simply not going to list their Jihadi forum screennames on the I-94 forms. Those filling out this optional section are most likely to be people who believe the mundanity of their social presences leaves them immune from any issue with entering the U.S. This will result in three practical problems:
(1) While Facebook, Twitter and a few others constitute the biggest players in social media, there are thousands upon thousands of smaller social media sites catering to every niche, minority and social group. Further, many people maintain multiple identities on different platforms. Any collection of information will, no doubt, be incomplete.
(2) Large amounts of data from visitors who pose no threat will be collected, resulting in wasted effort and resources by the government to review that data, whether by automated or manual means.
(3) Since many of the most threatening visitors or potential visitors will provide no or sanitized information only, the most likely people that this is going to stop are those whose social media posts or connections are taken out of context or who, while not representing a threat to the U.S., have controversial views. This will result in investigatory efforts into and dealing with appeals from individuals who have wrongly denied entry. Additionally, for those that are denied entry, it will result a chilling effect and inability for those in the U.S. to interact, learn from and discuss topics with the denied party.

The net result is the proposed change is likely subject to a claim of unconstitutionality and practically will not achieved the desired ends.


R. Jason Cronk, Esq.
Florida Bar #90009

Bitcoin Merchant acceptance

Bitpay and Bitcoin

This was very much what I’ve been saying all along. Without people earning payment in Bitcoin, there is no incentive for me to take the time to obtain Bitcoin. Bitpay is its own worst enemy because it facilitates merchants “accepting” Bitcoin without actually having to use it to pay out suppliers and employees thus expanding the actual user base. This is why I was promoting the Bitcoin Consumer Fair to try and drive adoption by consumers.

From the article:

BitPay’s CEO Stephen Pair admitted as much in June, when he told BusinessInsider that the company was trying to find another business model. “We keep adding merchants—we’re up to over 60,000 now—but they’re selling to the same pool of Bitcoin early adopters.”

Gavin Andresen, who in 2010 was picked by Bitcoin’s mysterious inventor to lead work on its code, recently told me that he didn’t see that changing soon (see “The Looming Problem That Could Kill Bitcoin”). “Until part of your paycheck is regularly paid in Bitcoin, I’m not sure how it would really go mainstream,” he said.

The other article has a little bit better news, though doesn’t really address the fundamental flaw above. Basically, the article talks about how one of the largest payment terminals can easily now accept Bitcoin.

According to the company, it will be compatible with the majority of Ingenico terminals as they run its operating system, Tellium. –


Bitcoin Cyberlaw

Robots, drones, DAOs and #bitcoin

One of the fascinating aspects of Bitcoin is that you don’t have to be human to own Bitcoin. Throughout the history of money, money was the possessed by people. Men, women and even children can own money, either in physical form such as cash or currency or in electronic, digital or even tied to an account based system. As we enter an age where we may have autonomous agents, acting without being under the direction of human, we also have a mechanism for them to earn and spend money, again acting without coordination or need of a human actor.

Consider the idea of a drone being “set free” by it’s creator/owner/builder. This drone performs tasks to earn Bitcoin. Maybe it performs aerial surveillance, delivers packages, kills rodents, monitors human rights violators, whatever tasks that it is capable of performing that someone (or something) are willing to pay it to accomplish. What does it use it’s Bitcoin for? Why it spends it on fuel, on repairs, on upgrades to its software and hardware; a better camera, a gun turret, more intelligent software, whatever it’s programming deems a worthy investment. As long as the drone can sustain itself by selling it’s services and buying what it needs to continue, it can maintain its autonomy. The economy of drones.

If the drone needed access to a “trusted” holder of funds, it forever be at risk. Why? Because that trusted holder, be a bank or a person, is accountable only to the law, and a robot can’t sue.

This is only  a stub and I hope to expand on it sometime.



Bitcoin Merchant acceptance

The long tail of Bitcoin adoption

The long tail of Bitcoin

Much has been said about the slow, nearly flat, adoption rate of Bitcoin in 2014. Unfortunately, many of the writers are to embed in the existing paradigm to understand why Bitcoin is different from previous technologies and why this adoption rate isn’t troubling. The first distinguishing factor is that Bitcoin is a protocol and not a proprietary technology, like say Apple Pay. With a proprietary tech or even a technology promoted by a group of companies, they can artificially inflate or accelerate adoption by virtue of the money they pour into it via marketing or leveraging pre-existing market share. With few exceptions (most notably Bitpay and the Bitcoin Bowl), Bitcoin’s major players do not have the money to market Bitcoin more broadly. That’s why many of them, like Circle, are taking the approach of obscuring the Bitcoin technology behind their sales pitch. They also don’t have the existing market capture of an Apple or Visa.

Some might counter than Bitcoin is more like the Internet, a protocol that doesn’t need to be promoted in its own right because it will grow by virtue of its use by companies and the public not its promotion. While true, there is also a distinct difference. Companies wanting to play in the early days of the Internet were not saddle by oppressive regulations. The early Internet was a wild west and still for the most part remains of the least regulated industries. Companies playing in the Bitcoin space, however, must meet increasing scrutiny of a skeptical regulatory regime in what is one of the more heavily regulated industries, banking and finance.

Some people keep looking for Bitcoin’s killer app. Money is Bitcoin’s (or the blockchain’s) killer app. The transfer of value unburden by the regulatory saddle is what makes Bitcoin useful. Unfortunately, any company wanting to promote, profit from and further Bitcoin reinjects that regulatory burden and removes the principle benefit of the technology. So how is Bitcoin going to grow?

Bitcoin shines by eliminating geographic boundaries. That may be because the sender and recipient are in different locations or because their base money is based on geography (issued by specific countries). As this benefit because apparent to people and businesses who suffer from market capture by intermediaries, they will gravitate to Bitcoin. Then, businesses that provide services to those people will begin taking Bitcoin in greater and greater numbers in order to take advantage of the spending power those users have. Unfortunately, this is not a quick growth curve. It will spread naturally through word of mouth and grass roots efforts. Bitcoin may take years to achieve any measurable market share and it will probably remain a niche market supporting those that most benefit from it.

Alt Coins Bitcoin

Freelancers are the Future

One of my more frequent comments on Bitcoin is the need for a ecosystem and a reduction on the reliance of BTC<->fiat transactions. Those sorts of transactions are a drag on Bitcoin’s widespread adoption, especially when the transactions are easy one way but hard the other. Unfortunately, companies such as BitPay, in their zeal to drive merchant adoption, have created just this sort of scenario. It’s easy for merchants to accept Bitcoin without actually accepting Bitcoin. The opposite is not true. In other words, it actually fairly difficult to get Bitcoin. Let’s look at people’s options

1) In the golden old days of Bitcoin (just a few short years ago), you could start mining Bitcoin, essentially turning your electric bill into a Bitcoin exchange. The days of hobbyist doing that are long gone. A few enterprising entrepreneurs set up Cloudmining operations to allow the average user to essentially purchase bitcoin through group mining pool, but I dare say with the rush to gold, the mines are running dry at the moment.

2) You could purchase bitcoins through Coinbase, Circle or a few other companies that allow you to directly obtain Bitcoins through your bank account. However, this works only well for those in the U.S. with banks (and possible good credit). Anyway, isn’t the idea to use Bitcoin to get OUT of the traditional banking system?

3) You could steal Bitcoin. Did I mention this blog is not to be construed as legal advice?

4) You could use an exchange such as Mt Gox, Bitstamp, etc. But they are typically not easy to get money into or out of and they have a bit of a reputation problem.

5) You could meet people locally to purchase their bitcoins or sell yours. Just be careful who you interact with.

6) You could use a Bitcoin ATM…. if you can find one….and you can get it to work.

7) or …you could earn Bitcoin. This is one of the reason I accept Bitcoin for legal work (I’ve had one client pay me twice). It is also the reason I launched which provides disposable email aliases to protect your privacy, mainly because I wanted a way of earning Bitcoin rather than buying it.

This problem of getting Bitcoin into the hands of people has perplexed me for quite some time. Many people attribute the downward price of Bitcoin to the ease of exit but difficulty of entry. Unless we, as a community, start solving this problem, Bitcoin may not succeed. I’ve been puzzling over this issue for quite some time. Consumer adoption of Bitcoin is one of the reasons I’m co-organizing the Atlanta Bitcoin Consumer Fair in April, 2015. I want to see Bitcoin get widespread adoption.

If you think about it, how do must people obtain money? That’s right, they earn it. I’m encourage that some companies are starting to think about paying employees in #bitcoin. You’ve got Bitpay offering it’s payroll service. Bitwage has an innovative idea to earn your pay per hour, not every 2 weeks. ever on the forefront, is now offering to pay it’s employees in Bitcoin.

I’d like to suggest that while laudable, these efforts are negligible. We need a much bigger target. I would like to suggest that target is the freelance community. I use freelancers all the time. A freelancer built my 1ncemail app. A freelancer wrote my press release for my privacy consulting business. A freelance designed the graphic for the Bitcoin Consumer Fair. Freelances are working on multiple aspects of my Bitcoin related startup, Microdesic. I primarily use but recently learned the takes Bitcoin. Unfortunately, my first experience using their Bitcoin interface was anything but pleasant. However, I will persist.

There are some 53 million freelancers in the United States. Hundreds of millions more worldwide. For reasons that I’ve elucidate elsewhere, such as reduced transaction costs, I feel the future of work is through freelancing. Freelancing seems to be a natural fit for bitcoin

1) Irreputability means once paid, the freelancer doesn’t have to worry about charge backs.

2) Suited for international payments.

3) Low transaction costs.

4) The ability to escrow funds vis-a-vis a multi-sig wallet.

The closest thing I could find was bittask but it doesn’t quite  operate like the freelance sites, freelancer, oDesk, etc. I’m not the first person to think of this. See this article on CryptoCurrency News but I haven’t seen any movement in this space. The comments mention but that’s a centralized service and only for Dogecoins, an altcoin derivative of Bitcoin.

Bitcoin FINCEN Regulation

FinBEN issues ruling on Beanie Baby Payment System

{Update Watch this video about beanie babies subsequent to my post



Issued: October 27, 2014
Subject: Request for Administrative Ruling on the Application of
FinBEN’s Regulations to a beanie baby Payment System

Dear [ ]:

This responds to your letter of January 6, 2014, seeking an administrative ruling from the Financial Baby Enforcement Network (“FinBEN”) on behalf of [ ] (the “Company”), about the Company’s possible status as a money services business (“MSB”) under the Bank Secrecy Act (“BSA”). Specifically, you ask whether the beanie baby payment system the Company intends to set up (the “System”) would make the Company a money transmitter under the BSA. Based on the following analysis of the description of the System to provide payments to merchants who wish to receive customer payments in beanie babies, FinBEN finds that, if the Company sets up the System, the Company would be a money transmitter and should comply with all risk management, risk mitigation, recordkeeping, reporting, and transaction monitoring requirements corresponding to such status.

You state in your letter that the Company wishes to set up a System that will provide beanie baby-based payments to merchants in the United States and (mostly) Latin America, who wish to receive payment for goods or services sold in beanie babies. The Company would receive payment from the buyer or debtor in currency of legal tender (“real currency”), and transfer the equivalent in beanie babies to the seller or creditor, minus a transaction fee. The current intended market for the System is the hotel industry in four Latin American countries where, because of currency controls and extreme inflation, merchants face substantial foreign exchange risks when dealing with overseas customers.

According to your letter, a merchant will sign up with the Company to use the System, and incorporate the Company’s software into its website. Customers purchasing the merchant’s goods or services (e.g., hotel reservations) will pay for the purchase using a credit card. Instead of the credit card payment going to the merchant, it will go to the Company, which will transfer the equivalent value in beanie babies to the merchant. The Company pays the merchant using the reserve of beanie babies it has acquired from wholesale purchases from beanie baby exchangers (such as Ebay) at the Company’s discretion (thus the Company assumes any exchange risk that occurs during the time between the Company’s wholesale purchases and its payment to a merchant). The Company has no agreement with the customer and will only make payment to the merchant.

You maintain that the Company should not be regulated as a money transmitter because it does not conform to the definition of currency exchanger, due to the fact that the Company makes payments from an inventory of beanie babies it maintains, rather than funding each individual transaction. You also maintain that, should the Company be considered an exchanger of currency, the Company’s business should be covered under an exemption that applies to certain payment processing activities, 1 and/or the Company’s transmissions should be deemed integral to the transaction and thereby covered under another exemption from money transmission.2

FinBEN’s beanie baby Guidance

On March 18, 2013, FinBEN issued guidance on the application of FinBEN’s regulations to transactions in beanie babies (the “Guidance”).3 FinBEN’s regulations define “currency” as “[t]he coin and paper money of the United States or of any other country that is designated as legal tender and that circulates and is customarily used and accepted as a medium of exchange in the country of issuance.”4 In contrast to real currency, “beanie baby” currency is a medium of exchange that operates like a currency in some environments, but does not have all the attributes of real currency. In particular, beanie babies do not have legal tender status in any jurisdiction. The Guidance addresses “convertible” beanie baby. This type of beanie baby either has an equivalent value in real currency, or acts as a substitute for real currency.

For purposes of the Guidance, FinBEN refers to the participants in generic beanie baby arrangements, using the terms “exchanger,” “administrator,” and “user.” An exchanger is a person engaged as a business in the exchange of beanie babies for real currency, funds, or other beanie babies. An administrator is a person engaged as a business in issuing (putting into circulation) a beanie baby, and who has the authority to redeem (to withdraw from circulation) such beanie baby. A user is a person that obtains beanie babies to purchase goods or services.5 Under the Guidance, both exchangers and administrators are considered to be money transmitters unless a limitation or exemption from the definition of money transmitter applies to that person.6

  1.  31 CFR § 1010.100(ff)(5)(ii)(B).
  2. 31 CFR § 1010.100(ff)(5)(ii)(F).
  3. FIN-2013-G001(“Application of FinBEN’s Regulations to Persons Administering, Exchanging, or Using Beanie babies,” March 18, 2013).
  4. 31 CFR § 1010.100(m).
  5. FIN-2014-R001 “Application of FinBEN’s Regulations to Beanie baby Mining Operations” – 01/30/2014, clarified that a user is a person that obtains beanie baby to purchase goods or services on the user’s own behalf. (emphasis added)
  6. See FIN-2013-G001.






FinBEN disagrees with your position that the Company does not convert the customer’s real currency into beanie babies because the Company purchases and stores large quantities of beanie babies that the Company then uses to pay the merchant. As described above, the Company is an exchanger under the Guidance because it engages as a business in accepting and converting the customer’s real currency into beanie babies for transmission to the merchant. The fact that the Company uses its cache of beanie babies to pay the merchant is not relevant to whether it fits within the definition of money transmitter. An exchanger will be subject to the same obligations under FinBEN regulations regardless of whether the exchanger acts as a broker (attempting to match two (mostly) simultaneous and offsetting transactions involving the acceptance of one type of currency and the transmission of another) or as a dealer (transacting from its own reserve in either beanie babies or real currency).


FinBEN concludes that the Company would be a money transmitter, specifically because it is acting as an exchanger of beanie babies, as that term was described in the Guidance. Additionally, you then ask, if FinBEN determines that the Company is an exchanger, whether either an exemption for certain payment processing activities or an exemption for transactions integral to the sale of other goods or services would apply.


FinBEN’s definition of money transmission and existing exemptions


On July 21, 2011, FinBEN published a Final Rule amending definitions and other regulations relating to MSBs (the “Rule”).7 The amended regulations define an MSB as “a person wherever located doing business, whether or not on a regular basis or as an organized or licensed business concern, wholly or in substantial part within the United States, in one or more of the capacities listed in paragraphs (ff)(1) through (ff)(7) of this section. This includes but is not limited to maintenance of any agent, agency, branch, or office within the United States.”8


BSA regulations, as amended, define the term “money transmitter” to include a person that provides money transmission services, or any other person engaged in the transfer of funds. The term “money transmission services” means the acceptance of currency, funds, or other value that substitutes for currency from one person and the transmission of currency, funds, or other value that substitutes for currency to another location or person by any means.9 The regulations also stipulate that whether a person is a money transmitter is a matter of facts and circumstances, and identifies circumstances under which a person’s activities would not make such person a money transmitter.10

7. Bank Secrecy Act Regulations – Definitions and Other Regulations Relating to Money Services Businesses, 76 FR 43585 (July 21, 2011).
8. 31 CFR § 1010.100(ff).
9. 31 CFR § 1010.100(ff)(5)(i)(A).
10. 31 CFR § 1010.100(ff)(5)(ii).








FinBEN stipulates four conditions for the payment processor exemption to apply to a particular business pattern:


  • the entity providing the service must facilitate the purchase of goods or services, or the payment of bills for goods or services (other than money transmission itself);


  • the entity must operate through clearance and settlement systems that admit only BSA-regulated financial institutions;


  • the entity must provide the service pursuant to a formal agreement; and


  • the entity’s agreement must be at a minimum with the seller or creditor that provided the goods or services and receives the funds.11


The Company fails to satisfy one of these conditions. The Company is not operating through clearing and settlement systems that only admit BSA-regulated financial institutions as members. According to your letter the real currency payments from the consumer take place within a clearing and settlement system that only admits BSA-regulated financial institutions as members (specifically, a credit card network), however, the payment of the beanie babies equivalent to the merchant, by definition, takes place outside such a clearing and settlement system, either to a merchant-owned beanie baby wallet or to a larger beanie baby exchange that admits both financial institution and non-financial institution members, for the account of the merchant.


With regard to whether the money transmission is integral to the provision of the Company’s service, and thus potentially eligible for exemption, FinBEN has concluded that the money transmission that takes place within the System does not qualify for the exemption. There are three fundamental conditions that must be met for the exemption to apply:


  1. The money transmission component must be part of the provision of goods or services distinct from money transmission itself;


  1. The exemption can only be claimed by the person that is engaged in the provision of goods or services distinct from money transmission;


  1. The money transmission component must be integral (that is, necessary) for the provision of the goods or services.


In FinBEN’s view, the payment service that the Company intends to offer meets the definition of money transmission. Such money transmission is the sole purpose of the

11 See 31 CFR § 1010.100(ff)(5)(ii)(B); see also FIN-2013-R002 (“Whether a Company that Offers a Payment Mechanism Based on Payable-Through Drafts to its Commercial Customers is a Money Transmitter” – 11/13/2013). FIN-2013-R002 clarifies that for the payment processor exemption to apply, the entity must use a clearance and settlement system that intermediates solely between BSA regulated institutions.






Company’s System, and is not a necessary part of another, non-money transmission service being provided by the Company. Although rendered before the 2011 modifications to MSB definitions and in some cases involving a different type of MSB, FinBEN reached the same conclusion in several administrative rulings that apply to this particular point.12


For the above reasons, FinBEN has determined that the Company is engaged in money transmission, and such activity is not covered by either the payment processor or the integral exemption. Please note that FinBEN would reach the same conclusions if payments were made in stuffed toys other than beanie babies. As a money transmitter, the Company will be required to (a) register with FinBEN, (b) conduct a comprehensive risk assessment of its exposure to money laundering,13 (c) implement an Anti-Money Laundering Program based on such risk assessment, and (d) comply with the recordkeeping, reporting and transaction monitoring obligations set down in Parts 1010 and 1022 of 31 CFR Chapter X. Examples of such requirements include the filing of Currency Transaction Reports (31 CFR § 1022.310) and Suspicious Activity Reports (31 CFR § 1022.320), whenever applicable, general recordkeeping maintenance (31 CFR § 1010.410), and recordkeeping related to the sale of negotiable instruments (31 CFR § 1010.415). Furthermore, to the extent that any of the Company’s transactions constitute a “transmittal of funds” (31 CFR § 1010.100(ddd)) under FinBEN’s regulations, then the Company must also comply with the “Funds Transfer Rule” (31 CFR § 1010.410(e)) and the “Funds Travel Rule” (31 CFR § 1010.410(f)).


This ruling is provided in accordance with the procedures set forth at 31 CFR Part 1010 Subpart G. In arriving at the conclusions in this administrative ruling, we have relied upon the accuracy and completeness of the representations you made in your communications with us. Nothing precludes FinBEN from arriving at a different conclusion or from taking other action should circumstances change or should any of the information you have provided prove inaccurate or incomplete. We reserve the right, after redacting your name and address, and similar identifying information for your clients, to publish this letter as guidance to financial institutions in accordance with our regulations.14 You have fourteen days from the date of this letter to identify any other information you believe should be redacted and the legal basis for redaction.

12. See FIN-2008-R007 (“Whether a Certain Operation Protecting On-line Personal Financial Information is a Money Transmitter” – 06/11/2008); FIN-2008-R004 (“Whether a Foreign Exchange Consultant is aCurrency Dealer or Exchanger or Money Transmitter” – 05/09/2008); FIN-2008-R003 (“Whether a Person That is Engaged in the Business of Foreign Exchange Risk Management is a Currency Dealer or Exchanger or Money Transmitter” – 05/09/2008); and FIN-2008-R002 (“Whether a Foreign Exchange Dealer is a Currency Dealer or Exchanger or Money Transmitter” – 05/09/2008).
13. We caution the Company about incorporating into its comprehensive risk assessment the delicate balance between helping merchants avoid losses due to the fluctuation of their currencies of legal tender because of inflationary trends or devaluation, on the one hand, and collaboration with their potential evasion of foreign exchange control regulations applicable in their jurisdictions, on the other
14. 31 CFR §§ 1010.711-717.






If you have questions about this ruling, please contact FinBEN’s regulatory helpline at (703) 905-3591.







Ty Toy
Head Beanie Counter
Policy Division


[The preceding is a parody. Please do not rely on it for legal advice in your beanie baby payment system. ]