Self-custody and the balance between regulation, privacy and innovation

Tatiana Revoredo

The need for a broad and in-depth debate


Today, it is not possible to regulate a given sector or market without first holding an in-depth discussion of the technology involved, the infrastructure and architecture of the internet (current and in development [1]), and the possible impacts on the economic, legal, political and social aspects of the country itself and in relation to the rest of the world.

To understand this better, let’s use two examples: the first related to encryption, one of the technologies that enabled the emergence of blockchain technology and bitcoin, and the second related to the structure and architecture of the Internet, both the current one and the one being developed.

All media, universities, international organizations, legislators and monetary authorities of the countries are discussing cryptocurrencies, stablecoins, DeFi and CBDCs, as well as what money is, because the evolution of technology has made possible the emergence of Bitcoin.

Cryptoassets originated from the improvement of three technologies: distributed networks (peer-to-peer), consensus [2] algorithms [3] [4] and a branch of mathematics, cryptography [5].

The importance of encryption

Cryptography studies how to ensure security in communications: masking information so that it is hidden from everyone’s sight, and verifying the source of the information [6].
Here, it is important to note that encryption currently supports many of the systems around us [7]. I say this because it is so powerful that governments have already considered it an enemy weapon in matters of national security [8].
During World War II, the use of encryption systems such as “Enigma” [9] was fundamental to decoding enemy transmissions and turning the tide of war in favor of the Allies. Today, anyone with a modern browser is running a sophisticated encryption system to protect their interactions on the internet.

Military Model Enigma I, in use from 1930. Source: Wikipedia

It is the encryption that makes it safe to enter our password and send financial information to websites, make payments on the internet and make the Web Economy a reality.
Can you imagine the repercussions on society if a country decided to ban tools that used encryption in the early days of the development of this technology?
Beyond encryption, another example of why it is not possible to regulate a given market or sector without a broad and in-depth debate [10] on the technologies involved, and on the possible impacts on political, economic and legal aspects in the country and globally, concerns the Internet infrastructure.

The Internet Architecture — current and in development

In today’s internet architecture, traditional trusted validators have controlled people’s identity and managed their assets and property for decades. But the centralization of these validators has inherent risks.
When a lot of information is concentrated in a digital medium, this point becomes a target of cyber criminals [11].

World’s Biggest Data Breaches & Hacks.

Also, in the current centralized architecture of the internet, there are many concerns about privacy, as was evident, for example, in the Cambridge Analytica scandal, which revealed how far some organizations can go to monetize and exploit the personal information of third parties [12].

Therefore, internet builders [13] are revolutionizing the way we interact online, creating a more fluid version, focusing on decentralization [14], privacy, self-sovereign identity [15], end of data storage in silos [16], direct monetization, and a significant transfer of power from centralized services to the human being.

Along these lines, protocols for the next stage of the Web [17] are being built, such as Akash Network [18], Arweave [19], Bittensor [20], Livepeer [21] and Render Network [22], ending the management and storage of data by third parties, in full alignment with the development of privacy software, self-custody tools, identity management [23] and digital assets by users themselves.

The pros and cons of banning or restricting hardware wallets

Criticisms of the “attempt” to restrict or legally ban self-custody wallets (and I say attempt because it is difficult to achieve in practice) range from the absence of judicial supervision and excessive data sharing to insufficient links with criminal investigations, and relate to privacy and financial independence, innovation, competition, fundamental rights, decentralization and security.

The prohibition of self-custody compromises financial privacy and economic independence [24].

In addition, self-custody is considered essential to decentralization [25], which together with privacy forms the pillars of the next stage of the Web [26]. By enabling people to maintain full control over their digital assets, private key self-custody allows direct interaction, significantly reduces counterparty risk and eliminates the need to entrust funds to third parties, which is a fundamental principle of decentralization.

Also, self-custody is a prerequisite for using DeFi [27] and Web3 [28] itself. This is because the related protocols work on peer-to-peer (P2P) [29] networks, which require individuals to keep their private keys with them. Note that private keys are the only way to access tokens and cryptocurrencies on a public blockchain network such as the Bitcoin, Ethereum [30], Polygon [31] and Solana networks, giving you full ownership and control over your assets.

Also, self-custody is crucial to the health of public blockchain networks [32] — which is where the innovation of blockchain technology really is [33].
In this regard, it is worth mentioning the words of Vitalik Buterin, creator of the Ethereum blockchain protocol, who, in response to those who explicitly defend a regulatory capture approach to protect crypto, said that “such an approach is not aligned with the basic principles of cryptocurrencies” [34].

In summary, direct access to protocols, without intermediaries, is the essence of decentralization, a pillar of public blockchain networks, the DeFi ecosystem and protocols related to the next stage of the Web.

Therefore, a country that prohibits the use of hardware wallets, imposes legislation that creates obstacles to them, or seeks to restrict their use slows down innovation.

It is no wonder that the US state of Oklahoma recently approved a bill guaranteeing its citizens the right to self-custody [35].

Collision between AML and CFT standards with the right to financial privacy

Generally, regulations to combat money laundering and terrorist financing require crypto-asset service providers (CASPs) to collect comprehensive customer data related to transactions involving “non-custodial” wallets, including transfers sent to and received from these wallets (peer-to-peer transfers).

This includes, among other things, the names and addresses of the originator and the beneficiary of the transaction, as well as the addresses of their hardware wallets.

Thus, at the request of the authorities of the member states responsible for combating money laundering and terrorist financing, providers of products and services related to cryptoassets (exchanges and financial institutions) are obliged to disclose this data.

However, the granting of such access to financial data, depending on the way it is carried out, may constitute an unacceptable interference in the customer’s right to financial privacy, a fundamental right enshrined in international legal structures.

Conditions for legal interference in the fundamental right to financial privacy

The Universal Declaration of Human Rights, presented by the United Nations in 1948, also lists privacy as a fundamental human right in art. 12:

“No one will be subjected to arbitrary interference in their private life, family, home or correspondence, or to attacks on their honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

Accordingly, any interference in the right to privacy [36], according to art. 52 of the Charter of Fundamental Rights, is only allowed if it meets strict conditions:

  • It must be based on law,
  • It must respect the essence of the right to privacy,
  • It must be proportional to the desired objective and
  • It must be necessary and genuinely meet general interest objectives recognized by the jurisdiction or the need to protect the rights and freedoms of third parties.

Added to this, democratic countries normally require further cumulative conditions to be met:

  • That the interference in the right to privacy is related to specific individuals suspected of planning, committing or having committed serious crimes in the context of ongoing proceedings.
  • Access must be subject to the prior authorization of an independent body, such as a court, based on a justified request from a public authority in a criminal investigation.

However, if AML and CFT regulations generally do not define detailed procedural requirements for access to customers’ financial data, it is up to countries to assume their responsibility through prior judicial or independent supervision.

It is in this context that the justified criticisms of the defenders of the fundamental right to financial privacy arise regarding the insufficient independence of supervisory bodies, the excessive scope of data sharing and the absence of a requirement for ongoing legal procedures related to the requested data.

After all, if privacy needs to be violated by legitimate authorities, as the Declaration of Rights and the Declaration of Human Rights suggest, this should not be arbitrary or universal, but with some degree of probable cause, for a specific reason and within the limits of the rule of law.

The absence of unified and accurate procedural safeguards and the risk of inadequate implementation of AML and CFT regulations by countries increase the likelihood of violations and misuse of data for purposes not related to crime prevention, such as political objectives, for example.

AML and CFT legislation is implicitly based on the premise that everyone must cede most or all of their privacy to the central authorities to ensure that nothing bad happens [37].

Naturally, we want terrorists, human traffickers, violent street criminals, mafia members, killers, thieves, fraudsters and other dangerous individuals to be captured and prosecuted, and therefore most people provide resources for law enforcement to achieve these goals [38].

However, the procedures and technologies used by law enforcement authorities to catch dangerous criminals can also be used by governments to suppress speech, watch over human rights activists, pro-democracy activists and political opponents, and maintain control over their citizens — which is why it is important to have limitations in their powers [39].

Final considerations

The current restrictive approach of some countries towards tools that increase privacy in financial transactions, such as self-hosted wallets, presents significant technical, legal, political and social challenges.

These restrictions limit the individual freedoms and financial privacy of nationals, civil entities and third countries, especially those already marginalized or financially excluded.

Added to this is the fact that such measures may unintentionally allow non-liberal regimes to exercise financial repression by restricting access to secure and private financial tools.

On the other hand, although cryptoassets are relatively new, the search for the difficult balance between regulation, privacy and innovation is not, as we can extract from the war between the US government and privacy defenders in the 1990s.

At that time, encrypted communications were a new technology, and the government sought to require that private keys be held by “guardians” (third party). The American government argued that indecipherable digital messages were too dangerous to be used by ordinary citizens, who could theoretically use private communications to harm national security.

Looking in the rearview mirror, it is clear that the American government’s arguments were poorly founded and ultimately incompatible with a free society that values privacy and freedom of expression. So much so that today we all use encrypted communications daily to communicate with other people on WhatsApp, Signal, iMessage and similar applications.

Therefore, it is essential that in legislative discussions on self-custody, individual freedoms and the fundamental right to privacy are duly considered, along with the possible impacts on effective financial instruments in support of civil society organizations, and on the country’s competitiveness on the global scene.

1 Available here.
2 “A peer-to-peer network is one in which two or more computers share files and access devices without the need for a server or server software” (Revoredo, Tatiana. In: Blockchain: Tudo o que você precisa saber, Amazon, 2019, p. 123).
3 Available here.
4 Available here.
5 Available here.
6 Available here.
7 Although some treat encryption, mistakenly, with an illicit sense.
8 Not very different from how some legislators see the private keys protected by hardware wallets, which are essential to the “Public Key Cryptography” used in blockchain technology.
9 Available here.
10 That goes beyond economic aspects such as monetary stability and tax legislation.
11 Available here.
12 Available here.
13 Revoredo, Tatiana. In: "Web5 vs. Web3: The future is a process, not a destination", Cointelegraph, 2022. Available here.
14 Available here.
15 Available here.
16 Available here.
17 Ditto Note 13.
18 Akash Network, available here.
19 Arweave, available here.
20 Bittensor, available here.
21 Livepeer, available here.
22 Ditto Note 17.
23 Available here.
24 Why Self Custody Matters, Available here.
25 “In decentralization, instead of traditional trust validators, control is distributed among network participants, which achieves collective control by employing a consensus mechanism (algorithm)". (Revoredo, Tatiana. In: Blockchain: Tudo o que você precisa saber, Amazon, 2019, page 112).
26 Available here.
27 Decentralized Finance. Available here.
28 Available here.
29 “A peer-to-peer network is one in which two or more computers share files and access devices without the need for a server or server software” (Revoredo, 2019, p. 123).
30 Available here.
31 Available here.
32 Permissionless public blockchain networks, such as Bitcoin and Ethereum, are based on consensus protocols, which use their native tokens (cryptocurrencies) as a determining factor to ensure the cybersecurity of the network, either via staking or via mining.
33 One of the disruptive aspects of blockchain technology is that it was designed to, through consensus mechanisms (algorithms), replace a central authority.
34 Available here.
35 Available here.
36 In Brazil, the right to privacy is supported by art. 5º, item X, of the Federal Constitution, which guarantees inviolability to private life and considers it a right of personality.
37, 38, 39 Available here.
