November 10, 2024

In recent years, blockchain surveillance (BS) companies have become increasingly important players in the cryptocurrency industry. Their business model consists in developing proprietary software that collects and interprets public data available on public blockchains and in selling their services to governments, banks, exchanges, and others that need access to this data. Usually, governments are interested in collecting information about financial crimes, while other institutional players use BS companies for compliance, especially with regard to customer due diligence. This article argues that BS companies can be understood as governmentalities.

Michael Rectenwald deploys this term to “refer to corporations and other non-state actors who actively undertake state functions.” The partnership between the state and BS companies threatens cryptocurrency users’ privacy and their ability to transact freely, away from the prying eyes of unwanted third parties.

Guilty until Proven Innocent

BS companies help institutional players and law enforcement implement the risk-based approach (RBA) developed by the Financial Action Task Force (FATF). According to the RBA, customers of regulated intermediaries such as cryptocurrency exchanges are first and foremost considered to be risks to the stability of the financial system; they are considered to be customers secondarily. Consequently, all customers are categorized based on the level of risk they pose to the ability of intermediaries to comply with regulations. Different BS firms may implement the RBA differently, but the classification of risk remains more or less constant: Severe risk is usually tied to indicators of child abuse, terrorist financing, and sanctions. Ties to dark-net markets and ransomware; use of ATMs; protocol privacy; peer-to-peer activity; use of cryptocurrency mixers, and indicators of gambling are normally classified as high or medium risk factors. The use of decentralized exchanges and smart contracts poses medium to no risk by default.

If customers are a risk, it follows that the burden of proof is on them to demonstrate their innocence by providing all the required information. When BS companies flag activity as suspicious, exchanges eventually start asking questions of their customers, and if the answers are unsatisfactory, customers’ funds are blocked. As is clear from the list provided above, an activity is considered risky not only when it is an obvious crime like child abuse but also when it is a legitimate and legal action such as exchanging cryptocurrencies peer to peer, using a crypto ATM, or taking advantage of protocol privacy.

It is important to not overstate what BS companies can do. Thanks to pseudonymity, personal identities are not part of the bitcoin blockchain: only public addresses that control some funds show up in the blocks. The very purpose of customer due diligence procedures is to attach real-world identities to addresses and to follow their trails. When users’ money is not in the custody of third parties, heuristic rules can be used to guess where the funds went; however, these rules can at best provide good approximations, not infallible results.

For example, according to the common input heuristic, if more than one input appears in a bitcoin transaction, then the same entity owns them. A similar assumption usually works in everyday life: if a payment consists of a ten-dollar bill and a five-dollar bill, it is reasonable to assume that the two bills are owned by the same person. However, this is not always true. In bitcoin, CoinJoin is a transaction scheme designed to break the common input heuristic with “an anonymization strategy that protects the privacy of Bitcoin users when they conduct transactions with each other, obscuring the sources and destinations of BTC used in transactions.”

The fact that the ambiguity of well-constructed CoinJoin transactions cannot be eliminated explains why BS companies classify them as medium risk, even if there is nothing illegal about them. It cannot be stressed enough that even the most basic transactions are interpretable in many equally legitimate ways and that every heuristic rule can be broken. Still, regulated entities and law enforcement often regard transactions as risky when they are flagged by BS company software, not understanding the inner workings of cryptocurrencies and of that software.

Comparing the FATF’s travel rule with BS companies’ know-your-transaction (KYT) platforms shows the arbitrariness of blockchain surveillance practices. On the one hand, the travel rule requires intermediaries such as exchanges that transact on behalf of their customers to share information about the sender, the receiver, and the amount of any transaction with each other, and, upon request, with law enforcement. While the travel rule harms privacy and pseudonymity significantly, it at least leaves no room for discretion—intermediaries must transmit and store only objective and definite data.

On the other hand, KYT software is developed by BS companies to help crypto institutions comply with regulations and to assist law enforcement in tracking criminals. KYT platforms analyze on-chain data and data from other sources through proprietary algorithms to follow funds and flag suspicious behavior. Differently from the travel rule, KYT software is developed behind closed doors, which means that the public does not know how it works or what kind of hidden heuristic assumptions it adopts. This is morally and legally problematic because closed-source software that is sold for profit and that implements arbitrary heuristic rules can be used to charge users with criminal behavior. Moreover, while most legislation treats crypto users as risks by default, it is not clear what legal tools are available to hold BS companies accountable when their obscure and arbitrary KYT software leads to judicial errors.

Unsubstantiated claims by BS companies can do great harm. The case of Roman Sterlingov is significant in this regard. US prosecutors accuse him of operating Bitcoin Fog, a centralized mixer that was used to launder money; because of this, he has been jailed since 2021 while awaiting his trial. However, according to his attorney, Tor Ekeland,

all the accusations are based on shoddy Blockchain forensics at desks 6,000 miles away from Roman’s home in Sweden. . . . The Government’s speculative accusations have no corroborating evidence. No eyewitnesses, no evidence at all of Roman operating a BitCoin tumbling onion site with a staff for a decade. No Admin logins, notes, communications, emails, nothing. After an extensive and expensive Government investigation spanning seven years that involved surveillance, wire taps, and pen traps on Roman.

This case shows how easy it is for an advanced legal system to ruin people’s lives using spurious blockchain surveillance tools.

Scamming the Scammer Who Longs to Be Scammed

As explained by Lysander Spooner, the state fears no rivals when it comes to scams: it is the only institution that is able to survive by taking other people’s property while presenting its actions as morally and legally legitimate. To tax property, the state needs to locate it by violating privacy and making the property visible to authorities. Therefore, it is not surprising that with cryptocurrencies the most important objective of regulations is to break pseudonymity as defined in the “Privacy” section of the bitcoin white paper. For example, know-your-customer (KYC) legislation requires regulated intermediaries to tie identifiers to cryptocurrency addresses: KYC-verified coins are more easily taxable than those that are not KYC verified.

BS companies are governmentalities whose main function is to help the state fight financial privacy. Their business model is unscrupulous because they sell closed-source software, based on shaky heuristic assumptions, to regulated intermediaries and to law enforcement; the latter may even use it to put people on trial, mostly for nonviolent “crimes” such as money laundering or tax evasion; moreover, given that BS is based on guessing, the risk of false accusations is astonishing, as shown by the case of Roman Sterlingov.

BS firms do not provide sound forensic tools; still, governments pay for their services with taxpayer money and deploy them in court. One cannot help but suspect that, from the perspective of law enforcement, the obscurity of surveillance software is a feature, not a bug, because it disproportionately favors the prosecution to the detriment of the defense.

For their part, these new governmentalities are happy to profit from the exploitation of the judicial system in favor of the state. BS companies present financial privacy in the domain of cryptocurrency as suspicious by default, and they profit by helping the state gain more control over white “markets” and reduce the scope of black (free) markets. This is a remarkable convergence of scheming interests.