Peter Van Valkenburg on Lightning & The Law

WBD049 - Peter Van Valkenburgh (Banner).png

Where to find the show

iTunes | Google | Spotify | Stitcher | SoundCloud | YouTube | Deezer | TuneIn | RSS Feed

Download Episode MP3 File
The file will open in a new window. Click down arrow to download the file.

There are a lot of people on Twitter who might be partisans of scaling on chain versus the lightning network, who think it is not complicated and that the government are just going to come after Lightning nodes.
— Peter Van Valkenburgh

Interview location: Skype
Interview date: Thursday 11th April, 2019
Company: Coin Center
Role: Research Director

The regulatory lens of Bitcoin is also now on the Lightning Network, and there are questions around how regulations might apply to node operators and custodial wallet providers. Should they require a money transmission license? Should they be subject to KYC/AML requirements?

While Bitcoin companies have adapted to the regulatory requirements and secured licenses as required, the requirements for the Lightning Network are a little less clear.

Coin Center is working with regulators to advocate those node operators should not require a money transmission license. In this interview, I talk with Coin Center’s Peter Van Valkenburgh about the work they are doing and how regulations might affect aspects of the Lightning Network.

TIMESTAMPS

00:04:16: Introductions
00:06:11: Issues that Coin Center are currently covering surrounding Lightning and licenses
00:08:14: The current status quo around money transmission and services license requirements
00:11:57: Exploring the license requirements of custodial wallets and international businesses
00:17:10: Delving into where Lightning sits within these regulations and licensing requirements
00:22:27: How does Lightning fit in with anti-money laundering laws and licensing, on a federal scale?
00:29:58: Background to the current rulemakings and guidances that are related to Bitcoin
00:33:59: How Lightning could complicate current rules and laws and render them unconstitutional
00:40:24: Should a Lightning node be regulated and would that be constitutional?
00:46:53: Discussing the practicalities of enforcing regulations on node operators
00:53:18: Exploring potential regulatory timelines, that would give clarity on some of these issues
00:55:31: Delving into the regulatory obligations that custodial wallets require
00:57:16: Discussing Coin Center’s partiality and advocacy on these regulatory issues
01:01:23: Final comments and how to stay in touch

 

SUPPORT THE SHOW

If you enjoy The What Bitcoin Did Podcast you can help support the show my doing the following:

If you are interested in sponsoring the show, you can read more about that here or please feel free to drop me an email to discuss options.

THANKS

A big thanks to my WBD Maximalist Patrons for helping support the show: JP Petit, Logan Shultz, Seb Walhain, Steve Foster, Tony, Gordon Gould, David Burlington, Jesse Powell and Wiel Menger.

TRANSCRIPTION

Peter McCormack: So how are you?

P. Van Valkenburgh: I'm good! It's been a good few months really. I don't know if you saw, we published another report. So now we've got three in the last three months. The most recent one is from James Foust, our senior research fellow who was from CFPB. We stuck him, because he's new guy, with writing a whole long thing about the IRS and tax law. So we just published that.

Peter McCormack: I haven't read that yet, so I will definitely check that out. I was talking to somebody about you recently. I was with Angela Walch.

P. Van Valkenburgh: Oh good! I remember the hullabaloo that happened on Twitter after you released that podcast, which I thought was kind of ridiculous. I think you handle it well!

Peter McCormack: To be honest, there's a hullabaloo about most of the things I seem to do these days!

P. Van Valkenburgh: Exactly! I think that's probably a good thing. If they're not shooting at you, you're not doing anything good.

Peter McCormack: Well maybe. I don't know! I think sometimes I'm my own worst enemy today. Today I'm trying to get Calvin Ayre and Craig Wright to sue me.

P. Van Valkenburgh: Nice!

Peter McCormack: So maybe not always the best ideas! But we had a good long conversation and I said to Angela, "actually I think if she had been the other side of the debate for you at the Senate testimony hearing, it might have been a more productive and healthier debate than say with Nouriel."

P. Van Valkenburgh: I've said the same thing to other people, so absolutely agree.

Peter McCormack: Well, so I'm going to put it to you and her that at some point we're going to re-do that hearing except it's going to be with me and you two together at some point. I'm hoping anyway!

P. Van Valkenburgh: I love do that. There is a slim chance or maybe it's a better than the slim chance now, that we'll be on a panel together at Consensus talking about this stuff, but what people are going to be on which panel, I have no idea what's going to happen.

Peter McCormack: It's good to speak to you again. It's good to get you back on the podcast. The last episode we did was really well received and as I mentioned to you in Boston, I'm doing a series now on Lightning and I'm covering various topics from the tech to retail and obviously it would be good to talk to a little bit about the law.

I don't know, this might not even be a particularly long episode, but it'd be good to talk to you about the legal side because I read an article that Neeraj wrote that went up on your blog discussing money transmission licensing and how it relates to Lightning. So before we start, is this the only issue related to Lightning that you guys are having to cover or is there anything else?

P. Van Valkenburgh: So this is the big one. But it's actually two issues and a lot of people I think miss that point. So money transmission licensing is something that the states do and it's about consumer protection. It's about like, "we don't want a company like Mt. Gox running away with a bunch of New Yorker's Bitcoins. So we want to license companies that do exchange." But then there's also running a money services business, of which a money transmitter is a certain type, creates federal rather than the state obligations for the proprietor with respect to anti money laundering laws, which are predominantly federal laws rather than state laws. 

Those obligations are, you don't need to get a license necessarily, you just need to register with FinCEN. You also need to have a risk calibrated anti money laundering program, know all your customers and file suspicious activity reports. So there's two questions that a lot of people just put together under the bracket of so called money transmission regulation. Do you need licenses at the state level for consumer protection purposes?

And do you need to register with FinCEN and develop a risk calibrated anti money laundering program? Those are two very different questions. With the Lightning network actually, they're more different than they normally are, which is kind of interesting.

Peter McCormack: So for a comparison, could you explain who currently has to have these licenses right now within the crypto space? And for what purposes? I'm guessing exchanges are one?

P. Van Valkenburgh: Yeah, the most obvious case here is centralized exchanges. So a company like Coinbase or Circle that holds a bunch of Bitcoin for the people that are trading on the platform. It may also just run a hosted wallet business in general. Maybe the users aren't doing exchange, they're just holding their Bitcoins there and transacting once in a while, like buying stuff with their Bitcoin or whatever, if anybody actually does that, which I hope they do.

So that business where you're basically like a Bitcoin bank, that's the kind of business that states, especially New York with its Bitlicense, but eventually Washington state gets its money transmission license and a bunch of other states, decided, "okay, that looks sufficiently similar to PayPal essentially or Western Union or Moneygram for that matter, that it makes sense to require them to get a license." So generally speaking, if you're operating in the US with US customers, you're going to have licenses in the 53 different states and territories that regulate this stuff.

Unless the state has said, "we don't think Bitcoin is money or monetary value, therefore Bitcoin companies don't need money transmission licenses. But an exchange that handles money as in dollars, would still need those licenses." So most of these big centralized exchanges have as many licenses as they've been able to get. The ones that they don't get are usually in states that have said, "we're not sure, so come back to us later", which is kind of alarming. But that's the way policy emerges in the space with highly disruptive technologies.

Peter McCormack: So do you have to have all 53? If so, do you have to apply for them all separately and you can't operate any business until all 53 have been secured?

P. Van Valkenburgh: Yes. And if that sounds like an ungodly hell of compliance people and regulators, it is! So there've been lots of attempts to get reciprocity provisions put into the State Statutes that require licensing. I'm pretty sure Alaska is the only state that honours other state's licenses. So if you get one in Iowa, you don't need one in Alaska, but you need one everywhere else, unless you're assuming you don't have customers in a certain state. If you have no customers in Florida, then I guess you don't need a license there. But if you're an internet business, you're going to have customers in every state.

Peter McCormack: Are there nuances between the different licenses?

P. Van Valkenburgh: Yeah, every license is different. Some of them have really robust consumer protections, like you've got to post a $10 million bond or something like that and some of them have almost no consumer protections like Alabama, where you only have to post a $5,000 bond. PayPal for example, or a company like it, probably is licensed in Alabama and has only posted like a bond in the range of a few thousand dollars despite the amount of money they process for people in Alabama.

So there's huge differences in the amount of protections and the cost of getting the license and every application tends to be different too. There is this effort underway to create a unified application, kind of like the unified college application for applying to colleges, that the CSPS is proposing, it's called the the NMLS. There's some success with that, I think there's now like 14 or 15, I could be wrong, maybe it's now more like 20 states where you can do a unified application. But your compliance obligations for each state will still be unique. This is a huge lift from a compliance standpoint.

Peter McCormack: Are there any examples of businesses that require money transmission licenses that I wouldn't have expected? So an exchange is kind of obvious, but maybe any forms of custodial wallet?

P. Van Valkenburgh: So yeah, a custodial wallet... I don't know too many businesses that only do posted wallets and don't do exchange, because why would you not? But if you are holding people's Bitcoins, as a policy matter, it's hard to argue that you're not creating the exact same kinds of custodial risks that PayPal or Western Union create, as you could lose the money. So it makes sense for states to require you to get a license.

Now every state has a different definition of what constitutes money transmission. So as a legal matter you may kind of fit into that or fall out of that, depending on how strange your business is. But as a policy matter, it's Coin Center's position, we're not big fans of licensing regimes because they put permission on innovation, but if we're going to have an even playing field with the rest of the financial world and not ask for special treatment, just equal treatment, then it makes sense that if PayPal or the Western Union need to get a license because they hold people's Dollars, if you hold people's Bitcoins or Ether or whatever, you also should get a license.

We've worked with the Uniform Law Commission to try and tighten up these legal definitions, so that we don't accidentally sweep in non-custodial entities like miners and full node operators into that licensing requirement. Because really the definition of who is a money transmitter should focus on whether you can lose people's Bitcoins or Ethereum or Dollars. But the definition is as I say... Sometimes they are as broad as money transmission is facilitating the transmission of money or monetary value, which is like an armoured car does that, AT&T does that when they provide Internet services that allow people to transmit the money, it can't be everything!

So the Uniform Law Commission created this model law and we had some input on the language for the definition of who needs a license under this model law. We said it should be limited to people who can unilaterally execute or indefinitely prevent a transaction using a customer's Bitcoin. That makes sense because that would cover the Coinbase's of the world, but it would not cover a company that's set up one of three multisig and only held one key, like BitGo used to do and I think still does for its customer wallets. It wouldn't cover of course a miner or full node who, I mean technically a miner who has 51% power on the network could prevent transactions for as long as they have 51%, but that's an extraordinary circumstance and maybe we even want them regulated if they were attacking the network in that way. I don't know.

One thing I should be clear about, that model law that the ULC promulgated represents what we think is the right policy choice for who needs a license and a correction of the broad legal language to enact that policy. But it's just a model law that then would need to be adopted by all the states in order to actually be the standard. Right now, the standard is still this complicated standard that every state has a different definition.

Peter McCormack: What about international businesses who have US customers? Are they excluded from these requirements?

P. Van Valkenburgh: No, not at all. So the US has for a while been sort of the world's policemen with respect to the flow of money in the financial system. So if you deal with any US customers, even 1 or if you purposefully avail yourself of any of the US' infrastructure if you will, financial institutions and things like that, you better be compliant with these same rules. I mean you could say, "well, I'm in Luxembourg, come and get me", and they will, potentially, if they want to! 

There's a long track record of success for the US getting extra territorial enforcement of their financial regulatory laws and getting extradition for people who are violating those laws, so that they can be tried here in the US. Now maybe if you were in a really friendly jurisdiction, you can, I don't know hide in an embassy for a while and not get extradited. But we happen to be recording this the other day that, somewhat unfortunately, Julian Assange has been pulled out of the embassy and is probably going to end up tried here in America for things that look a lot like free speech. Anyway, that's a sidebar conversation. But yeah, being overseas isn't a safe harbour for you.

Peter McCormack: Is that why companies like Bitmex essentially block you if you're a US customer?

P. Van Valkenburgh: So, yes, that's probably why Bitmex is blocking people. I was about to say the New York Department of Financial Services, which is my transmitter regulator in the state of New York, just issued a rejection of Bittrex's application to get a Bitlicense in New York, which means they're going to have to pull out of New York and somehow get the money back to their New York customers because the regulator is saying, "you just can't do this business in New York", which is pretty aggressive, but they may have had good cause, I don't know.

Peter McCormack: Okay. So when we look at the Lightning network then, I guess the things that you are looking at there are nodes and custodial wallets. There has been some suggestion that some of the more mega hub nodes, which are offering channels and capacity across the network, may have had to consider having a money transmission license, but you don't believe they do?

P. Van Valkenburgh: So again, to be really clear, I'm nobody's lawyer who's listening to this podcast.

Peter McCormack: Of course, yeah!

P. Van Valkenburgh: From a public policy perspective, we don't think the Lightning network, anybody operating a node on the Lightning network should be required to get a license. The reason for that is the question of custodial risk. The bottom line is because of the way the time-lock and the Multisig script is calibrated for what people are doing on the Bitcoin Lightning network, they really generally speaking under normal operation of the system, have no ability to run away with large amounts of money from the users of the Lightning network.

The funds are locked up in these channels and they're playing a functionary role, kind of like a minority party in a multisig agreement, and that's part of what they're doing, making those transactions go through. They're not actually taking the money from one person, holding it at their full discretion, which means they could lose it and send it to somebody else or steal it for themselves. They're not holding it and taking it and giving it to someone else. So because of that, they don't create the kind of trusted relationship and risk for users that a company like Coinbase or a Mt. Gox create of course, because we're trusting them 100% to not lose the funds.

Now a few people that talked about, what if the channel you've established is highly unbalanced and the transaction has been made that is below the dust limit on the lower Bitcoin network itself. Then the channel dissolves because the party you're working with walks away from it. Could you lose those funds, as that channel participant? Could you lose somebody else's funds if a transaction was below the dust limit? Maybe, because it'd be impossible to close the channel, because you couldn't write a transaction to the Bitcoin network that would be sufficiently large that it would get processed by miners. But there's a lot of contingent things here.

The dust limit in Bitcoin is just a policy rule that miners choose. So it's not part of the core protocols. So a miner might have a lower dust limit, which means you just have to wait longer until you find a miner willing to process that transaction. So are the funds really lost or have you just made a transaction so small, that the Bitcoin network can't process it as a whole. So that's a nuance. Another nuance here is these are De Minimis transactions. These are really small transactions.

Any large transaction, this is the whole point of the Lightning network, either you wait until the end lock expires, at which point you'll get the funds back through a transaction that Bitcoin network or you can close the channel and you don't have to worry about things like the dust limit, because the transaction is large enough that the Bitcoin network will put it in a block. So if it's really only small amounts of money that people can lose, is this something that money transmission licensing should concern itself with? If we're really only talking about fractions of a penny, is that the kind of custodial risk that should trigger this requirement as opposed to potentially million dollar bond or consumer protection purposes?

I think no, and that's why we work with the Uniform Law Commission to tighten up the definition of money transmission and the Uniform Law Commission's Model Act, which again is not law, but I think the best statement of what the law and policies should be in this space. That model law says if you're doing transactions that might otherwise fit the definition of money transmission with virtual currency and they're smaller than $5,000 per month, then you're not required to get a license. You're simply excluded.

It's sort of De Minimis exemption. So again, that model act is not law and different states have different opinions that somewhat surround that model acts policy. Some are more strict, some are less strict. But as a policy matter, it makes no sense to have Lightning nodes licensed for consumer protection purposes by the states. I don't think any states currently... I haven't talked to every state regulator recently, but I don't think any states currently are all that concerned about getting those people licensed.

I don't think in the long run they'll see it as a good policy choice to require licenses. Now that's just the state licensing issue. As I said, there's also federal anti money laundering law and that's a whole other conversation.

Peter McCormack: Hmm. So... go on!

P. Van Valkenburgh: So we've got 53 states and territories that license money transmitters for consumer protection purposes. I don't think as policy matter, they should be licensing Lightning nodes and I don't think any of them are or will necessarily try. Then you've got the federal anti money laundering laws in the Bank Secrecy Act and it's implemented in same regulations which are in 31 CFR 1010.100 if anyone wants to look at the definitions.

Those are enforced by FinCEN, which is a branch within main line treasury department in the federal government. So completely different regulator, federal not states, in treasury, completely different laws, not state money transmission laws, The Bank Secrecy Act, which was passed by Congress back in the 1970s and the implementing regulations which have been updated several times, including by the Patriot Act in the early 2000s. So what does this other regime look like with respect to, who needs to register with FinCEN, know all their customers, file suspicious activity reports, these are the kinds of compliance obligations you have to do if you fit their definition of money services business and these are the kinds of compliance obligations that it's hard to imagine a Lightning node being able to do.

The Lightning network passes around these signed Bitcoin transaction messages and holds them and then settles them to the Blockchain when you close the channel. Nowhere in that scheme is, "hi, my name is Peter Van Valkenburgh. Your name is Peter McCormack. I'd like to open a channel with you. Here's my home address. Here's your home address. Let's know each other, so that we can know if you're a criminal or not." You could not, I'm going to say this point blank, I think comply with the BSA as a Lightning node.

Now the question is should you have to and that's a really complicated question. So the definition of who has to comply with the BSA, is you are a financial institution. In the BSA there's a whole list of financial institutions. It used to just be banks and a couple of very similar businesses, but it's been expanded because the BSA also allows the regulator, the Department of Treasury, the Secretary of Treasury to add to the list of who is a financial institution. So since then we've seen this list expand from just banks and a few adjacent businesses, to all sorts of things like precious metal dealers, casinos and money transmitters.

So there's a definition of money transmitter that's different from the state definitions in the implementing regulations for the BSA. So that definition is pretty broad. It basically says you're a money transmitter if you accept and transmit from one location to another or from one person to another, currency or value that substitutes as currency. It says, if you do that by any means, even through an informal value transfer system, you're a money transmitter. So it's a really broad class of businesses

Now I think it's really clear that that doesn't cover miners and that doesn't cover someone who is just operating a normal Bitcoin full node, because you never accept and transmit anything. But there's this hard metaphysical question, if you're a Lightning node, do you accept money and transmit money or are you just a functionary that's basically co-signing these Bitcoin transactions, which ultimately gets settled by the Bitcoin Blockchain, not by you, in which case you're not really accepting and transmitting.

So that's a really complicated question in itself and the larger question here, we shouldn't be too much in the weeds about what is the metaphysical nature of a partially signed or assigned Bitcoin transaction message. It should be, is this really the kind of activity that we want to require financial surveillance obligations from? So obviously it makes sense that we have banks sort of surveil their customers. They have to know the names of their customers. They have to know who their customers are paying, in order to pay them. So a rule from the government that says, "okay, you already need to know all this information bank. Keep copies and share it with us, the government."

It's not as burdensome as it would be in a situation where your business is just validating transaction messages and co-signing transaction messages and keeping a node online, 24/7. Now the government says you need to know all the people who you are interacting with on a peer to peer network. That's much more onerous if you will. So there's a policy question there and then there's a bunch of other adjacent questions.

So let me just first say FinCEN which is the regulator that enforces these laws, I've spoken to folks there, we have a pretty good working relationship with them because they want to learn about the technology and we want to learn about how they are enforcing their laws. Now I haven't spoken to everyone at FinCEN of course, and the people I've spoken to, it may just be their personal opinion and not the opinion of the agency of course.

But to my knowledge, no-one at FinCEN sees the Lightning network as a high priority for enforcing anti money laundering policy. In addition, no-one denies to my knowledge that there are hard legal questions as to whether a Lightning node would or would not be in those definitions as they currently stand. So this is untested waters and you'll see people on Twitter saying, "oh, it's obviously clear that a Lightning node would be a money services business under federal anti money laundering laws", and that's just... Unless they worked for FinCEN, ignore that person, if they're really saying that it's obviously clear or it's certain because it's simply not.

Frankly a lot of those people I think are working on rival technologies and see a way to Red Sea from the government by sicking the government on their competition, which is really kind of childish if you think about it. It's like two kids that are supposed to share a toy in the sandbox and then one goes to mummy or daddy and says, "he's not sharing" and mummy or daddy comes over and takes the toy away from the other kid, even though they might've been doing nothing wrong and gives it to the kid that's a tattletale. This is not the way that innovation should work, running to the government for relief in an anti competitive way. Now that I got that off my chest...

Peter McCormack: It's very complicated though!

P. Van Valkenburgh: It is very complicated and this is my issue, is that there's a lot of people on Twitter who might be partisans of scaling on chain versus the Lightning network, who think it's not complicated and that the government is just going to come after Lightning nodes, which could happen one day. The government could have come after Bitcoin full nodes too, it could have come after everyone in this space. We're here to try and stop that from happening and educate government about why that would be a bad idea.

But it's all really unclear. It's not certain at all. So it's not something you should be leveraging to try and convince people to use your technology versus another. Technologies should be adopted because the market adopts them as they're efficient and they're good, not because government privileged one over the other. Anyway, I'm getting off my soapbox and getting back to the actual rules at stake here. So a few things. The beginning of Bitcoin businesses being covered by the federal laws, rather than the state laws was the 2013 virtual currency guidance that FinCEN released. They did it in guidance.

They didn't create a new rule that says, "now list of financial institutions that need to comply includes Bitcoin exchanges." They said, "oh, Bitcoin exchanges actually are already covered by this list because they're doing this money transmission thing." As I said, that's probably pretty fair, because also under the federal rules, a company like PayPal is a money transmitter and so if you're basically doing what PayPal does but holding Bitcoins instead of Dollars, it makes sense that you comply with the same rules, as the same definition via financial institution and therefore have to comply with the financial surveillance requirements, the know your customer requirements of the BSA.

Now a lot of people complained back then, "you shouldn't have done this through guidance. Sure they're really similar to a PayPal, but this is still a new category of financial institutions. So if you want it to comply, you should have had a rulemaking which would have put out a notice, "we're thinking of covering these businesses as financial institutions" and would have allowed for comment, which is the only way the rule of law and democracy enter the regulatory process", because the regulator can say basically anyone's a financial institution and the only way to check that authority, because surely not everyone needs to spy on their counterparties when they engage in commerce, the only way to check that authority is to have notice and comment rule making. But they didn't do that for Bitcoin.

Now Coin Center never challenged the guidance and said "you've got to go back and do a rulemaking. You can't do this through guidance", because it's a pretty fair argument that Coinbase is rather similar to PayPal. But here's the thing, if, and no one's talking about this except people on Twitter who don't actually know what they're talking about more often than not, if FinCEN said, "we want to regulate Lightning nodes as money services businesses and have them know their customers and file suspicious activity reports", could they do it through guidance, by saying, "our existing regulations cover you already," or should they do it through rule making?

My answer to that is absolutely! It should be done through a rule making. This is a serious diversion from the current list of financial institutions, which usually just includes people in a position of trust who hold other people's money and therefore know their names and know how to find them because they have to pay them. Therefore it may be reasonable to require them to share that information with governments.

This is something completely different. This is a sort of routinized task you perform by keeping a computer online and basically participating in an open source protocol for scaling Bitcoin. So if FinCEN wants to cover this, I don't think they can just do the easy thing and make guidance that says, "this is already covered." I think they have to do the somewhat harder thing and have a rulemaking that says, "we're thinking of covering these people as money transmitters, as money services businesses and requiring BSA compliance."

Then we would get a chance to comment and explain from Coin Center's perspective and everyone else in the community will get to comment as well, it's a public process and say, "we don't think this is a good idea because it will make the technology untenable and the technology's important for X, Y, and Z purposes because electronic cash matters because privacy matters etc." Now we could still lose that fight, but it would be probably a one to two year process and it would be reasonable and there'd be good discussions that need to happen before a bunch of people end up on the wrong side of a highly consequential law where they could end up in jail.

So first of all, I think that's what should happen. But then there's a secondary question here. Even if there was notice and comment rulemaking and in two years the rule was finished and money transmitters included or BSA regulated financial institutions to include Lightning nodes. Is that okay from a constitutional standpoint? This is what we recently wrote a lot about in a paper that we released last month about electronic cash and decentralized exchange and constitutional law.

Now in that paper, we don't mention the Lightning network and I'm working on another paper that will look at more questions. In that paper, we really just look at any attempt to directly regulate a software developer of any of these protocols, included the Lightning protocol for that matter and whether that would be constitutional. But we go deep into the fourth amendment. The fourth amendment is relevant here for pretty obvious reasons. So the BSA is a bulk electronic surveillance statute.

It's kind of like the NSA's Prism program where they were collecting tons of information from Internet intermediaries, except they're collecting all that information from banks. But just like Prism, they're doing it without a warrant. Now you might say, "okay, so you were just talking about the fourth amendment. As I remember, the fourth amendment is this requirement that if the government's going to seize or search information that's private to one of its citizens, they need to get a warrant from a judge in order to have permission to do that."

This is important because the judges is in theory, a neutral third party, who's going to say, "oh no, this is an abuse of your authority as law enforcement", or "no, this is fine. That guy's probably a criminal. Go ahead and search their house." So there's this really interesting question, why is the Bank Secrecy Act constitutional, if it allows regulators and law enforcement to go directly to a bank and collect all your private information, without ever going to a judge and getting a warrant?

Peter McCormack: Isn't this the issue that came up with Ross Ulbricht?

P. Van Valkenburgh: I'm not familiar with exactly how this issue would have come up with Ross Ulbricht. It might be. I haven't followed that. Is he making constitutional arguments?

Peter McCormack: Well, they did, I think it was on the fourth and the sixth amendment. But there was information collected on behalf of, I think it's his internet usage, IP records, but without the approval of a judge.

P. Van Valkenburgh: Well, I mean that's exactly the kind of warrantless search that there's been a lot of discussion about, not just in the Bitcoin world and in the Bank Secrecy Act world, but also just in the world of online consumer services. Like can a law enforcement agent just write their own subpoena and go to Google and get all of your Gmails, including the contents of the Gmail, not the email that you're sending and learn everything about you without ever going through a judge? 

Maybe, is the unfortunate answer to that question. That's why there's a lot of fight about whether the warrant requirement from the fourth amendment should apply to electronic data. So the question here with the BSA is, why is the BSA constitutional? Why can regulator law enforcement go to a bank and get all your bank records, without a warrant to search your private stuff? The answer which came around in the 1970s when the Bank Secrecy Act was new, is something that was named the Third Party Doctrine.

The Third Party Doctrine, which is an interpretation of constitutional law of the fourth amendment, says if you hand your information over to a third party, like I hand my emails over to Google when I use Gmail, I hand my transactions over to Bank of America when I use them for a checking account, you hand your information over to a third party, you lose your reasonable expectation of privacy over that information. Therefore you can no longer challenge a search of that information because basically a warrant isn't require because it's not reasonable for you to expect them to keep that secret anymore. So there's a little nuance to this under the Bank Secrecy Act cases that are important.

The courts back then said the reason why this is the case is because people voluntarily hand their information over to a bank when they're writing checks. The bank has a reasonable legitimate business purpose for collecting that information, because when they collect the checks, they need to see whose account they're debiting from and who they're crediting, somebody else in the world that that their customer has asked them to pay.

So they already have this information and they have a legitimate purpose for collecting this information as a business. If this information is voluntarily provided to them by their customer, then it's reasonable for government to get that information from the bank without a warrant. So that's the constitutional law here. Now what's interesting is, okay, take that and apply that to something like a Lightning network node. If there was a law that says Lightning network nodes need to collect customer information and file suspicious activity reports to us, if somebody's making a transaction through the Lightning network that suspicious and they need to know all their customers, this is very different than in the banking context.

That information would not be voluntarily provided to the Lightning node. Right now, no one's providing that information to Lightning nodes. If it was required and this is a little crazy because how would it even work, but stick with me, if it was required from the government, then it's not being voluntarily provided by the users of the Lightning network. It's being required by government. So maybe you need a search warrant then, because it's not being voluntarily provided anyway.

Then the other question aside from voluntarily provided information was, does the business that is doing the financial surveillance on the behest of the government, have a legitimate business purpose for collecting this information? So banks need to know the names on the cheques that they're paying and honouring. Telephone companies need to know the phone numbers that people are dialling.

A Lightning node does not need to know anything personal about the people who use the Lightning network. All they need to do is check an elliptical curve digital signature on a transaction message and keep doing that until the channel is exhausted and then send a message to the Bitcoin network. At no point did they have any legitimate business purpose to collect that information. So requiring them to search and seize their users or their counter-parties, is probably unconstitutional I think and I think it would require a warrant. You can't run a bulk surveillance regime with warrants because warrants have to be specific.

So you couldn't say, "well we've just got a warrant from a judge that allows us to collect information from every node," because that's a general warrant and this is actually the kind of thing that the British did, which triggered the American revolution along with other issues, some of them having to do with tea! They said, "here's a warrant from a judge that we can search every home in Boston." This is totalitarianism, this is a surveillance state, we can't have this and that's why it was written into our constitution that warrants need to be specific and you need judicial scrutiny for every specific request to search. So I don't think it's constitutional.

So we went through first the state stuff and then the FinCEN stuff and there's lots of reasons why, aside from the US constitution, I don't think Lightning nodes should be or will be regulated. But then there's also this sort of trump card, which is what the constitution is and I don't think it's constitutional, if any regulator wanted to regulate a node for financial surveillance purposes, for spying on the users of the network. I think that violates the fourth amendment and I think that's pretty clear.

You'll have to sort of trust me on my case a lot here, but there's a whole paper that we just wrote explaining all this case law. It's on our website, it's called "Electronic Cash, Decentralized Exchange and The Constitution." We published it last month. The courts are also trending in this direction. So there was a case from last year called "Carpenter" where government wanted to go...

Peter McCormack: I remember it.

P. Van Valkenburgh: Government wanted to go to cell phone service providers and collect location data for their customers because your phone is constantly querying all of these cell phone towers and you can easily triangulate the location of your user, if you're a cell phone provider and that data is really valuable to law enforcement. The Supreme Court said, "actually, in order to get that data from those cell phone providers, law enforcement needs a warrant." Why? Because that information wasn't voluntarily provided by the user for a legitimate business purpose.

So it's this exact same standard from the Bank Secrecy Act cases. They're basically saying that this should be a harder case than the Lightning network, because frankly you do voluntarily provide your location when you phone the cell phone tower. You don't know you're doing it, so maybe that's why it's not voluntary. Nontechnical people don't know that they're revealing their location whenever they're using a cell phone.

Peter McCormack: The Carpenter case was the one that was raised in relation to the Ross Ulbricht case.

P. Van Valkenburgh: Oh, was it really?

Peter McCormack: That's why I'm aware of it.

P. Van Valkenburgh: That makes total sense because they probably potentially found him by triangulating his location with cell phone data or through other means, which are similarly sort of suspicious from a constitutionality standpoint. Maybe you should have had a warrant in order to collect this information about Ross. Maybe you shouldn't have just been able to write your own subpoena as someone in law enforcement with basically unchecked investigatory powers. So just the one other thing that they mentioned in the Carpenter case that was really interesting.

They say, "does a cell phone provider have a legitimate business purpose to collect all this location data about their users?" And they said "no!" Which is funny because really they do, a cell phone provider has way more legitimate business purpose knowing the location of its users, so it can provide better service, than a Lightning network node would have knowing the location or the names of its users, there'd be no purpose for a Lightning node to know all that extra information. It wouldn't make their business better.

But it would make the cell phone providers service better to know where their customers are. But the court said, "yeah, but that's not core to your business purpose. The core of your business purpose is just providing communication services. It's not knowing where your customers are. So the fact that you collected that information means it's this kind of special information that even though you have it and the customer doesn't have it anymore, the customer still has a reasonable expectation of privacy over that extra information.

So if law enforcement comes to you and asks for your customer's locations, you say, "no, I can't give you that information unless you come to me with a warrant from a judge."" So that's the law with respect to cell phone location data and I can't imagine how you couldn't apply the same standard to the Lightning network, if it ever came to that and say, "I'm sorry, you can't just treat Lightning nodes as BSA regulated parties because you need a warrant every time you get this extra information about their customers, that you're trying to get, by treating them as a BSA regulator."

Peter McCormack: Right. So the other side of this. Even if they wanted to enforce this on node operators, it's practically almost impossible.

P. Van Valkenburgh: I would say impose, because enforce suggests that they already have the legal authority to do it. As I said, I think they should have a notice and comment rulemaking to give themselves that authority, so that there's a transparent process. Rather than just start enforcing as if they already have the authority.

Peter McCormack: But even to impose, the practicality of that is close to impossible I would have thought?

P. Van Valkenburgh: So you could make it a crime to run a node in the country, unless you are collecting this extra information. There's very handy maps right now, where you can see the relatively accurate location of Lightning nodes all over the US. There's a giant one in Herndon, I guess it's probably an Amazon data centre or maybe... I know some people who live out in Herndon who it might be as well, I don't know.

But you could make it a crime and then you get send people, literally to knock on doors, hopefully not with assault rifles, but I guess we could imagine this dystopian future and say, "you're doing something that's illegal unless you're collecting customer information", at which point the node operator's going to say, "I can't do that. That's not how the Lightning network works." At which point they're going to say, "okay, well then you're violating the law." So that's a nightmare scenario.

Now I think that scenario is unconstitutional because I think it is unconstitutional from the US to make those requirements of people who are just running software that checks transactions on the Lightning network and opens and closes channels. But it could happen. Would people still run nodes and maybe use Tor to mask their location more effectively? I know the Lightning network already has a Tor like system for making it harder to find intermediary nodes that don't publicly broadcast their location.

Could all the Lightning network nodes just end up being outside of the country and therefore even harder for the US to get hold of, although they'd have jurisdiction potentially if there were a US persons using the Lightning networks through those nodes. At the end of the day, this is sort of like a cypherpunk ultimate battle. This is one of the final bosses on the way to some sort of anarchic paradise that people who build these networks might imagine. I have a lot of sympathy with those anarchic divisions and I have a lot of concerns over that final battle.

I'm not saying I think government's going to disappear. I'm not saying government's going to win. I'm saying we shouldn't even get to that point. Government is people. Regulators are people. As I said, we've spoken to people at FinCEN, at other agencies about this stuff. They don't want to ruin people's lives and they don't want it to destroy the progress of science and technology, which by the way includes scaling and decentralized peer to peer electronic cash, in an effective way.

So I don't think we get to that end game, but yeah, you're right. That end game is ugly because it's basically, "fuck you, your laws don't apply. Come and get me copper. I'm going to use all my techniques of onion routing and encryption and whatever to stop you." We don't want that! We don't want that battle!

Peter McCormack: No. To be honest, I think it would be something... Well there's two things there. It will really just, again, push the innovation and opportunity outside of the US. Secondly, it would most likely be solved through some kind of next phase of development where the developers will focus on creating anonymity around nodes and products. So there's just no benefit to heading down that kind of route.

P. Van Valkenburgh: Absolutely. It's actually pretty impressive, the amount of work being done on the Lightning network here in the US. It's one of the coolest new interventions since Bitcoin and a lot of the developers are all here in the US, maybe contrast it with things like Ethereum, which seems to have sort of generally moved over to Europe, partially because of the securities law implications if you're here in the US and partially for other reasons. It'd be a real shame if we lost all of these brilliant technical people who are building awesome payment channels from the US economy.

Especially at a time where we're really concerned about job growth and the health of the economy anyway. It's hard to make that argument because unfortunately a lot of people who are really concerned about jobs and innovation and the health of the economy, still think of this technology as some kind of a joke. See my testimony in front of the Senate Banking Committee where I was up against Nouriel Roubini. But it's an important argument and I think it's one that's starting to really gain some traction.

There's the Blockchain caucus in the house of Representatives who are a group of some 20 or so members of the house who really actually care deeply about this technology. There's some great work that's been done on legislation already. In fact, representative Tom Emmer in the house has introduced a bill that would create a safe harbour for non-custodial entities, where it would say, "no state law or federal law can require licensing from people who are not holding other people's virtual currency. You can require a license from a Coinbase because they're holding people's virtual currency. But you can't require a license or registration with FinCEN, from a node on the Lightning network or a Bitcoin miner or a full node on the Bitcoin network." So that's active legislation.

That's a bill in Congress right now. Now is it likely to pass? No, it's still early days. We've got to get more of Congress on board with this kind of thing and get them excited about it. But it's actually happening a lot quicker than I imagined it would happen. There's people who get this as a jobs issue. They get that this as a competitive issue with the international economies and technologies and they're starting to actually, I think fall in love with the technology. A few of them! A few of them think it's just still garbage, but this is politics, it's fun or terrible!

Peter McCormack: How long do you think there'll be until there's regulatory clarity around this?

P. Van Valkenburgh: Yeah, it's going to be a little while. As I said, this is not right now, I believe a priority for FinCEN. They've still got centralized exchanges out there, that aren't doing any of their compliance. They recently went after BTC-E and got Alexander Vinnik when he was in Greece. But there are other exchanges just like BTC-E that they want to go after and I think they have good reason to go after them. They're centralized exchanges that hold people's money, have personal relationships with people because they need to know who to pay at the end of the day and therefore have good reasons to collect information about their customers and report that information to regulators who are trying to stop money laundering.

I think other priorities for FinCEN are things probably like the ICO boom. A lot of people might've been laundering money through ICO sales, I've heard this, I don't know if this is true. So that's probably another priority for them that I think would probably come before the Lightning network. We mentioned Bittrex earlier. So the Department of Financial Services and in New York said basically, "we think there have been anti money laundering violations", when they rejected their application. So I hope they're wrong because I don't like folks who seem to be trying to do the right thing, like apply for a Bitlicense, ending up on the wrong side of the legal fight.

But if that's true, the New York Department of Financial Services, just potentially sicked consent on Bittrex, which will be interesting to watch. I have no idea what's going to happen there. So there are all these priorities that FinCEN has, that are lower hanging fruit, then this complicated question of the Lightning network. So I don't think they're coming to it anytime soon. That means we have uncertainty for longer.

But it also means I don't think a Lightning node is an immediate danger of being found to be a money services business and in violation of US law, which carries certain penalties. I could be wrong about that. Don't rely on that statement. If you run a Lightning node, there's this big grey area and you're taking that risk. But frankly I think I'd be doing it for the right reasons because freedom and the fourth amendment etc.

Peter McCormack: But there are some custodial wallets now for Lightning. There are a few of them out there now and I guess they really need to consider what they're doing?

P. Van Valkenburgh: Any custodial wallet is pretty firmly within the already accepted interpretation of who needs to comply with the bank secrecy. If you're really running a customer facing business with a useful app and you're holding people's money, you probably are a money services business under the federal laws and you probably need to get a license under the state laws. So yeah.

Peter McCormack: So that's quite serious then?

P. Van Valkenburgh: I guess I don't know. I mean, I don't know if there are a lot of these custodial wallet providers who are not already considering their regulatory obligations. If that's true, then that's quite serious. From a technological standpoint, I don't see that as serious because if you're running a customer facing business, you are able to comply with these laws.

It's technologically serious, if somebody tries to say just a regular intermediary node on the Lightning network or for that matter a Bitcoin miner on the Bitcoin network or a full node operator, if someone says they are a money transmitter, they are a money services business and need to file suspicious activity reports and know their customers, then it's really serious from a technological standpoint because you can't do that role in that technological system and comply.

I don't think you should have to, because I think that would be an abusive interpretation of the regulations on the part of the overzealous regulator and also an unconstitutional interpretation.

Peter McCormack: Okay. So a lot to think about, but it seems like Coin Center are on top of things? Typically fighting for the industry! Actually there was something Angela brought up.

P. Van Valkenburgh: We don't fight for the industry though!

Peter McCormack: Well Angela said that you guys explain that you're impartial, but she said you're not really because you are advocating...

P. Van Valkenburgh: Yeah we're advocates.

Peter McCormack: But you can't be an impartial advocate right?

P. Van Valkenburgh: No, we're a very partial advocate. But we're partial to something very specific. We do not represent the industry or the industry's interests. We take donations from the "industry", like from companies like Kraken for example, which gave us a really generous donation last year, but we don't represent Kraken. If Kraken ended up on the wrong side of the laws, in a way that we didn't think we should defend them from a policy perspective, that's not our business. On the other hand, what we do advocate for, if we don't advocate for these companies in this industry, is for open source technology, is for basically the network as a whole. 

This might sound strange to people who didn't culturate themselves in the Internet from a young age, but there are a lot of other advocacy organizations. They're kind of like civil liberties organizations, that advocate for the freedom to use technology and the freedom for technology could grow with as little impediment as possible from inappropriate application of regulations. So hopefully a lot of your listeners know about the Electronic Frontier Foundation, which we've partnered with on things like this constitutional law paper. They read some early drafts that I wrote.

They've been around since the 90s, fighting regulations or laws that would make it impossible to run a server on the Internet because that used to be a battle and to some extent, it's still a battle to this day. The EFF doesn't represent Google or Apple or Amazon. They might take some donations from them and they might often represent ideas or advocate for legal changes that would benefit Google, Apple and Amazon. But at the end of the day, the EFF is advocating on behalf of the Internet as a peer to peer open source infrastructure that's just going to make the world better.

Hell, if Facebook or Google end up screwing up that peer to peer infrastructure, then the EFF would probably fight against them because that is a possible scenario, now that we have all these walled gardens that are trying to break up and destroy what was originally a nice peer to peer internet. I'm not saying that Google, Apple, Amazon or whoever have turned evil. This is an open question these days. So the same is true of Coin Center.

We want to defend people's rights to develop open source software that build networks for value transfer, networks for Blockchains and for obviating the need to trust people in order to keep records of important data. That's what excites us. That's what we think is going to make the world better. So we are very partial to certain positions. We believe that these things will ultimately be a benefit to human flourishing and human dignity. So if government wants to try and come and hurt these things, we're going to fight them. We're very partial.

But at the same, just like EFF might look askance at big Internet companies stepping into what was previously a peer to peer network. We would be concerned if a cartel of say, exchanges and this is not happening, but if it didn't happen, tried to replace Bitcoin with a centralized system. That would also be something we'd advocate against. So Angela's right, we're advocates and we're partial, but it's a very specific thing and it's definitely not advocating for "industry". It's advocating for freedom and human dignity and the right to use open source software.

Peter McCormack: Amazing. Well, as ever, thank you. This has been awesome, but I didn't think we'd get to an hour of material, but we have, so thank you so much again, Peter. So let people know how they can keep an eye on the work that you're doing and stay in touch with you.

P. Van Valkenburgh: Sure. So Coin Center is a public non-profit. So all of our advocacy materials are available online at coincenter.org and we also very much welcome any donations from the community because that's how non-profits continue to do the work they do. Thanks for having me!

Peter McCormack: All right. Take care and I expect I'll see you in New York.

P. Van Valkenburgh: Yes, definitely!

PodcastPeter McCormackComment