Virtual currencies (VCs) are gaining the attention of regulatory bodies worldwide because they're growing in acceptance by retailers and consumers both. The U.S. Internal Revenue Service, which subjects VC transactions to income tax liability for gains in value, just like property, is one of those regulatory bodies. But it's at the state, national and supra-national levels where authorities are starting to set out rules. One of those emerging rules, and the responses its generated by VC companies and industry forums, will impact the privacy and data protection of VC users. 

What Are VCs? 

There are very specific privacy and data protection concerns related to using this kind of “currency” instead of the familiar fiat (government-issued legal tender) currencies, like the dollar, euro, yen, pound and renminbi. The U.S. government defines a VC as a “digital representation of value that functions as a medium of exchange, a unit of account and/or a store of value” that may have an equivalent value in real world currency and may be convertible into that currency as legal tender, while the European Banking Authority (EBA) defines VCs as “a digital representation of value that is neither issued by a central bank or public authority nor necessarily attached to a fiat currency, but is used by natural or legal persons as a means of exchange and can be transferred, stored or traded electronically.”

Because they are digital instead of physical representations, it's essential that VC-based privacy, security and authentication techniques are extremely robust. These techniques are founded upon the well-established public key infrastructure’s (PKI) use of public and private key pairs. PKI provides a transactional basis for use of a VC like Bitcoin, which through a hash of all previous transactions (in a digital ledger called a blockchain) signed with a buyer’s private key demonstrates that there are sufficient Bitcoins owned for a buyer and seller to engage in a transaction. 

Authentication is done by matching the private key signature with the related public key. No names have to be attached to the transaction, providing a degree of privacy not available in traditional financial transactions. The third-party authentication of parties also eliminates the traditional financial institution middleman and allows use of peer-to-peer networking of the transaction, lowering costs and timeframes but also raising the risk for regulators looking for criminal activity or transactions, which occurs more easily within a regulated financial market.

Risks

The privacy and data protection risks of VCs were outlined by the EBA in its July 2014 opinion. The 70 risks identified in this opinion were categorized as risks to users, other market participants, financial integrity, payment systems and regulators. The privacy and data protection risks identified were the loss to users of VC units when their “e-wallet” (holding their VC) is stolen; is hacked; if the e-wallet hardware or software malfunctions; if the VC exchange itself is hacked; if users’ identities are stolen from ID credentials provided during the authentication process; users lose the password or keys to their e-wallet, or the e-wallet provider loses an individual’s wallet.    

In a May 2014 investor alert, the SEC had warned that there were security concerns with VC exchanges, such as when exchanges discontinue operations, temporarily or permanently, due to “fraud, technical glitches, hackers or malware. Bitcoins also may be stolen by hackers.”

In March 2015, the UK Treasury’s Digital Currencies: Response to the Call for Information report included user security issues arising when transferring, obtaining or holding VC units. Beyond hacking, fraud and insolvency, “users have forgotten or misplaced their payment credentials or hackers have compromised their device and gained access to their digital currency funds.” The report suggested that technical standards were required for VC storage and cybersecurity.

Statutes/Regulation

In passing statutes and rules to regulate (or not) VCs, lawmakers and regulators are primarily concerned with criminality such as fraud or compliance with anti-money-laundering provisions under money transmitter laws or unregulated transactions under securities law but have added privacy and data protection requirements, sometimes expressly or more often implicitly.

In April 2014, the Texas Banking Commissioner required that all VC license applicants handling VCs “in the course of their money transmission activities,” such as exchanging VC for fiat currency through a third-party exchanger, had to submit a third-party security audit of their relevant computer systems. As the use of VCs creates new consumer risks, VC license applicants were required to show the VC under their control was appropriately secured.

The July 2014 EBA opinion proposed that there be evidence of secure IT systems. This requires documentation by the entity responsible for the transaction ledger and protocol for “the integrity of the transaction ledger, the protocol, the IT infrastructure and any other relevant components.” VC exchanges and e-wallet providers may have similar responsibilities.

In December 2014, the Conference of State Banking Supervisors published Draft Model Regulatory Framework for VCs, including these requirements for cybersecurity:

• Cybersecurity program and policies and procedures;
• Customer notification and reporting for cybersecurity events, and
• Third-party cybersecurity audits.

In February, the New York Department of Financial Services issued revised regulations, requiring licensing of businesses involved in the transmission, storage, data protection, buying, selling, converting or issuing of VCs but not merchants accepting VCs for purchases. The regulations require licensees to “maintain and enforce written compliance policies, including policies with respect to anti-fraud, anti-money-laundering, cybersecurity, privacy and information security.” The cybersecurity program must identify internal and external cyber risks, protect against unauthorized access and detect, respond to and recover from cybersecurity events. It requires a cybersecurity policy, security officer reporting to the department, business continuity plans, audits including network penetration testing and assessments of procedures and standards used for the security of internally developed software programs.

In February, the California Assembly introduced legislation, AB 1326, that would require licensure for those in the VC business. The provisions of this bill as it moved through the legislature in late May do not specify additional privacy or security requirements but do allow for the retention of records as directed by the commissioner, the requirements for audits and certain consumer protection disclosures. By bringing VC businesses within the state’s existing Money Transmission Act, the VCs businesses would also be prohibited from engaging in any “unsafe or unsound practice,” which could include appropriate privacy and data protection controls. VC businesses could also be considered online services collecting consumer PII requiring the posting of a privacy policy under the state’s Business and Professions Code.

In May, the Financial Crimes Enforcement Network (FinCEN) of the Treasury Department reached a settlement with Ripple Labs, the second largest capitalized VC business after Bitcoin. The action was brought because, contrary to previously issued regulations under the Bank Secrecy Act, Ripple Labs had not registered with FinCEN as a Money Services Business (MSB). While primarily focused on anti-money-laundering restrictions, MSBs are required to undergo periodic reviews, including the examination of internal controls.  Any such review could cover privacy and data protection controls for VC businesses such as VC administrators (issuers/redeemers of VCs) or exchangers of VCs (into other VCs or into fiat currency). Applicable references could range from GLBA’s Privacy and Safeguards Rules to the NIST Cybersecurity Framework and the April 2015 publications from the DOJ on cybersecurity incident best practices and the SEC on cybersecurity guidance.

Industry Initiatives

In October 2014, the VC industry tried to set a direction for privacy. Twenty-one VC companies and MIT’s Media Labs spin-off Institute for Data Driven Design agreed to the Windhover Principles for Digital Identity, Trust and Data. The key principles are to be implemented through various systems on an open-source platform.

• Individuals and groups should have control of their digital personal identities, identity credentials and personal data;
• Proportionate enforcement and risk-based regulation should enhance/improve personal privacy while promoting effective governance and accommodating legitimate auditing and enforcement needs, and
• Ensuring innovation in trust and privacy through an effective, autonomous identity system reiteratively furthers trust, security, governance, accountability and privacy.

In May, the Open Bitcoin Privacy Project, whose goal is to improve financial privacy within the Bitcoin ecosystem, released a report on the privacy of 10 e-wallet providers. It used 38 different privacy tests in the categories of receiving and change address generation and backup, receiver privacy and privacy from blockchain and network observers. Information reviewed included who holds the private keys, address re-use, possible data leakages, use of anonymizing networks and the use of mixing methodologies to reduce the likelihood of party tracking.  

The privacy and data protection direction for VCs is still emerging and bears close monitoring in the next 12 to 18 months. If the VC cybersecurity rules from New York become the standard in the U.S., if Europe uses the EBA’s suggested direction, and if the VC industry follows through on its own principles and protocols, then rigorous privacy and data protection safeguards will be available to provide a secure foundation for the growth of VCs worldwide.

photo credit: Bitcoin Litecoin Keychains IMG_3478 via photopin (license)