Crypto is dead or on life support, waiting for regulation to rid it of ‘crypto contagion.’ Meanwhile, blockchain technology – the virtual, public ledger technology that records crypto transactions – is very much alive, as evidenced by emerging applications in the healthcare, transportation, and real estate industries.1
Even crypto skeptics who mockingly blame “magical thinking” for infecting a generation of investors agree, at a minimum there is a potential legitimate use of crypto “as part of new payment systems using blockchain technology” for such things as “sending money internationally more efficiently and cheaply than current systems.”2
For these and related reasons, last week twenty-eight technology organizations, including various blockchain alliances, implored US Lawmakers “for the sake of freedom and democracy” to defend privacy for everyday people, asserting that software developers in the US are “being chilled by clumsy, misguided legislative and regulatory actions.”3
To be clear, it’s not as though lawmakers have been sitting on their hands. In 2021, at least 45 states introduced or considered more than 250 data privacy and security bills, and 36 states enacted such bills. In 2022, thirty-seven states addressed pending legislation regarding cryptocurrency, digital or virtual currencies and other digital assets.4
In their letter, however, open source and decentralized project leaders focused not only on the right to privacy but also “the right to code” and asked lawmakers to:
Oppose legislation that criminalizes writing code for privacy-preserving tools,
Support tools that give individuals and communities control of their data,
Allow for encryption and anonymity vs. pro-surveillance protections, and
Encourage tools that safeguard data privacy and security.
These are not new concerns. On March 9, 2022, some of these were emphasized in the Executive Order on Ensuring Responsible Development of Digital Assets, which sought to ensure “that digital asset technologies and the digital payments ecosystem are developed, designed, and implemented” with privacy and security in their architecture.5
The Executive Order also encouraged the heads of relevant agencies such as the Federal Trade Commission (FTC), “to ensure that digital assets do not pose undue risks to consumers, investors, or businesses, and to put in place protections as a part of efforts to expand access to safe and affordable financial services.”
On September 16, 2022, the White House went a step further, releasing a fact sheet titled First-Ever Comprehensive Framework for Responsible Development of Digital Assets which seeks to ensure similar rights to those being sought by the blockchain developers in their letter to lawmakers: “protect national security, respect human rights, and align with democratic values.”6
In addition, the White House asked the FTC again to pursue enforcement actions against unlawful practices and to redouble its efforts to monitor consumer complaints and enforce against unfair, deceptive, or abusive practices. Just over a month later, the FTC announced a decision it said would have a “100% chance of far-reaching” impact.7
On October 24, 2022, the FTC announced a settlement against online alcohol delivery platform, Drizly, and its CEO for a data breach that exposed the information of 2.5 million consumers. Drizly is relevant to the Executive Order and the Fact Sheet because it provides a roadmap for how to be bold about data privacy and security for open-source technology.
As highlighted in its press release, the FTC settlement with Drizly follows a recent FTC trend of “requiring a firm to minimize data collection” – to ensure companies only collect what they need – and a recent notice of proposed rules for commercial surveillance, “the business of collecting, analyzing, and profiting from information about people.”8
As in Drizly, US lawmakers and technology organizations should be bold by at least adopting the conditions deemed necessary to anticipate the ‘technological shifts’ that impact the ‘right to code’ by doing the following:
Implementing practices that reduce or prohibit the collection of consumer data that is not necessary for pre-specified business purposes;
Implementing a comprehensive security program that includes multifactor authentication and prevention mechanisms for unsecured data;
Implementing practices covered in past decisions which have emphasized conducting regular risk assessments and incident response planning; and
Creation of a public retention schedule for certain types of data, including timeframes for the eventual deletion of stored data.
At a minimum, organizations should adhere to the mandate included in recent FTC decisions that require organizations, “in light of any changes to operations or business arrangements” or “new or more efficient technological or operational methods,” to evaluate and adjust their security programs to address new and related risks.9
1 See, e.g., https://shelterzoom.com/, https://dimo.zone/, and https://www.revvy.tech/.
2 Cryptocurrency – Cryptoscam – Why Regulation, Deposit Insurance, and Stability Matter by George Sutton (https://www.utahbar.org/wp-content/uploads/2023/01/2023_FINAL_01_Jan_Feb.pdf (at pages 18-26).
© Polsinelli PC, Polsinelli LLP in CaliforniaNational Law Review, Volume XIII, Number 24