The Electronic Frontier Foundation (EFF) and UK Open Rights Group have responded to an HM Treasury consultation on money laundering legislation, in particular to the suggestion that publishing open-source software should be subject to customer due diligence requirements.
The Transposition of the Fifth Money Laundering Directive (5MLD) was published (PDF) for consultation in April. 5MLD is an EU directive which the UK is obliged to put into law by January 2020 – presuming that the UK is either still in the EU or in transitional arrangements.
One of the key issues is cryptoasset exchange, widely used by criminals (there is a reason why ransomware extortionists invariably ask for payment in cryptocurrency such as Bitcoin) and which governments are keen to regulate.
HM Treasury is therefore interested in regulating "the publication of open-source software (which includes, but is not limited to, non-custodian wallet software and other types of cryptoasset-related software)" (clause 2.38).
This leads on to the questions posed in Box 2 (C) clause 19:
The government would welcome views on whether the publication of open-source software should be subject to CDD [Customer Due Diligence] requirements. If so, under which circumstances should these activities be subject to these requirements? If so, in what circumstances should the legislation deem software users be deemed a customer, or to be entering into a business relationship, with the publisher?
CDD is about verifying the identity of a customer and whether they qualify for a proposed transaction.
Leaving aside the practical difficulties of regulating open-source software distribution, the EFF along with the Open Rights Group is seeing red. "We've seen these kind of attacks on the publication of open-source software before," it said. "These regulatory proposals could have large and unpredictable consequences not only for the emerging technology of the blockchain ecosystem, but also for the FLOSS [free, libre, and open-source software] software ecosystem at large."
Although the idea of regulating cryptocurrency software sounds reasonable, there could be unintended consequences, the organisations argued. "Such regulations would burden multiple industries to attempt to guarantee that their software could not be considered part of the infrastructure of a cryptographic money-laundering scheme."
In the detailed response (PDF), the groups suggest that regulating open-source software would be better done separately than within 5MLD legislation.
Any regulation must be sensitive to the fact that FOSS software underlies a considerable proportion of the modern digital economy — including critical Internet infrastructure, modern financial services, the mobile smartphone ecology, government digital services, and the public and private cyber-security sectors. And, if HM Treasury is intent on broadening its regulatory remit to cover all of these areas, it should separate out this endeavour from 5MLD transposition, into a longer, co-operative initiative with stakeholders across all of these fields.
The groups are also opposed to regulation of privacy coins. With traditional cryptocurrencies all transactions are publicly recorded, even though the identity of the parties is hidden. Privacy coins are non-traceable. HM government is worried.
"What is the scale and extent of the risks posed by privacy coins? Are they a high-risk factor in all cases? How should CDD obligations apply when a privacy coin is involved?" asked the paper.
The EFF and Open Rights Group said that such coins are a good thing:
We urge HM Treasury to ensure that regulations do not undermine important innovation in the area of "privacy coins". "Privacy coins" refer to a range of blockchain-based technologies that are using cryptography to enhance individual privacy. "Privacy coins" have the potential to enhance human rights by importing some of the protections that citizens enjoy offline into the digital world. Furthermore, any attempt to distinguish between "privacy coins" and non-privacy coins would be problematic.
The rights groups, then, are not only opposed to the wider open-source ecosystem being regulated as a side effect of cryptocurrency scrutiny. They also defend cryptocurrency more generally.
In May, the EFF published another paper arguing that cryptocurrencies should not be banned. Reasons given included the legal uses for cryptocurrencies, innovations such as smart contracts, and "the fact that a technology could be used to violate the law does not mean we should ban it".
HM Government, the groups said, is going beyond the requirements of the EU directive. "The UK implementation, if broadened in this way, will cause profound economic disruption in fields entirely unrelated to lawful and unlawful financial transactions."
The EU directive is here. It does not directly discuss open-source software, though it does state: "To combat the risks related to the anonymity, national Financial Intelligence Units (FIUs) should be able to obtain information allowing them to associate virtual currency addresses to the identity of the owner of virtual currency."
The 5MLD proposals say that "the government will only 'gold-plate' [go further than] the provisions in 5MLD where there is good evidence that a material ML/TF [Money Laundering/Terrorist Finance] risk exists that must be addressed".
The closing date for comments was 10 June so the government now has the task of drafting legislation based on the EU directive, its own further ideas, and taking into account comments received. Few are likely to be happy with the results.