Despite evidence that only a small fraction of cryptocurrency activity is associated with illicit activity and that cryptocurrency was not a chief source of sanctions evasion when the war in Ukraine started, a group of senators introduced the Crypto Asset National Security Enhancement (CANSEE) Act. Among other problems, this bill would continue the erosion of financial privacy that has occurred in the United States over time. The bill broadly defines terms to create sweeping surveillance, potentially violates the First Amendment, and gives the Treasury the authority to effectively prohibit cryptocurrency use in the United States.
Although the senators based some of their concerns on a money laundering risk assessment from the Department of the Treasury (Treasury), Sarah Roth‐Gaudette, executive director at Fight for the Future, was quick to point out that the senators seemingly “missed where [the report] says that ‘the use of virtual assets for money laundering remains far below that of fiat currency and more traditional methods’”—an issue my colleague Jack Solowey pointed out as well. In fact, the Treasury has stressed this finding in other reports too. Rather than double down on the existing financial surveillance regime, policymakers should be working to craft a better future based on protecting financial privacy.
With that said, let’s consider some of the worst parts of the CANSEE Act to understand why it is the wrong approach.
Walking Through the Bill
The bill begins by recognizing that the decentralized nature of cryptocurrency poses an interesting challenge for lawmakers seeking broad surveillance. For in the absence of a third‐party intermediary, officials cannot invoke the third‐party doctrine as an end run around the Fourth Amendment. Unfortunately, however, the senators respond to this challenge by simply defining the term “control” as broadly as possible to essentially create third parties where they do not exist.
The term “control”, with respect to a digital asset protocol, includes the power, directly or indirectly, to direct a change in the computer code or other terms governing the operation of the protocol, as determined by the Secretary of the Treasury. Such power may be exercised through ownership of governance tokens, administrator privileges, ability to alter or upgrade computer code, or otherwise. [Emphasis added.]
Jerry Brito, executive director of Coin Center, described the problem well shortly after the bill’s introduction when he explained that “The bill gives virtually unbounded discretion to the Treasury Secretary to decide what it would take to designate one as having “control” of a protocol. … Indeed, the Senators’ deference to the executive branch is breathtaking, allowing the Secretary to define the scope of their power without any public process whatsoever.”
It gets worse.
Turning to sanctions violations, the bill would amend existing penalties to also include violations with cryptocurrency. A key problem here is that these penalties would apply to “digital asset protocol backers” and “digital asset transaction facilitators.” A “digital asset protocol backer” is defined as someone that invests over $25 million in a project. In their press release, the senators said that this definition is an attempt to effectively centralize decentralized services: “If nobody controls a DeFi service, then—as a backstop—anyone who invests more than $25 million in developing the project will be responsible for [facilitating a sanctions violation.]”
A “digital asset transaction facilitator,” however, is any person that “makes available an application designed to facilitate transactions using a digital asset protocol.” In other words, the bill would apply these sanctions penalties to anyone that merely publishes software code if that code is later used to violate sanctions by someone else. Given the arguments that publishing software code is a form of protected expression, Brito wrote that the CANSEE Act “would clearly violate the First Amendment” and Roth‐Gaudette echoed the same.
The bill then seeks to make a relatively subtle change by amending 31 U.S.C. Section 5312 to include “digital asset protocol backers” and “digital asset transaction facilitators” as “financial institutions.” While not exactly eye catching at first glance, this change would effectively force said backers and facilitators to comply with the reporting requirements of the Bank Secrecy Act (e.g., currency transaction reports, suspicious activity reports, know your customer rules, etc.)—essentially doubling down on the mistakes of the Infrastructure Investment and Jobs Act of 2021.
Speaking of mistakes from the past, the bill also includes a familiar attempt to expand the Treasury’s special measures authority (31 U.S.C. Section 5318A) to allow the Treasury to prohibit transactions involving anyone outside the United States if there is a “money laundering concern.” To give context, the government considers anyone that moves more than $10,000 in one day to be a money laundering concern. As I warned last year, the Treasury could use this authority to prohibit U.S. banks from being involved with cryptocurrency since the borderless technology allows transactions to be validated by miners located outside of the United States.
The bill closes with a section on cryptocurrency ATMs that closely mirrors what Senator Warren proposed last year in the Digital Asset Anti‐Money Laundering Act of 2022. Unfortunately, perhaps in the pursuit of brevity, the section proposed here is worse because it defines a cryptocurrency ATM as “a stand‐alone machine that facilitates a virtual currency transfer.” Taken plainly, this could mean anything from a cryptocurrency ATM you might see in a convenience store to someone’s smartphone that has a cryptocurrency wallet app downloaded. This broad definition is so troubling because the bill would have operators of these “machines” verify and record the name and physical address of both parties before a transfer can take place.
It is unfortunate that policymakers seem to be gearing up to expand U.S. financial surveillance. There is much to say against this approach, but it might be best to simply remind policymakers of a community letter organized by Fight for the Future at the start of the 118th Congress. The letter warned: “Should cybercriminals successfully tempt the United States to abandon the human right to privacy and the U.S. Constitution, everyone will lose.”