I preface this blog post – part of my Not Legal Advice series – by stating that it is absolutely not legal advice and I am not your attorney. See disclaimer. If you have an engagement letter that is signed by both of us and you have put a retainer on account, then and only then am I your attorney and then and only then am I giving you legal advice.
The below is provided for general informational purposes only.
Earlier today, Kraken published its annual transparency summary:
They received 710 requests impacting roughly 1,222 accounts. That’s just a hair under two requests per day, or, as Kraken CEO Jesse Powell put it on Twitter, “3 if you don’t count weekends!”
ShapeShift CEO Erik Voorhees took a rather dim view of Kraken’s situation:
That’s a lot of requests, but not a crushing amount; I would imagine Google and Microsoft get more. EDIT: Although I had thought one full-time paralegal should be enough to handle that kind of workflow, at least in terms of triaging the requests and initiating exports of user data, Kraken CEO Jesse Powell chimed in to indicate that the costs of servicing these requests was considerably higher:
Clearly, government inbound creates significant overheads – although practically every major company (Google, Microsoft, Facebook, Uber) each has a team dedicated to precisely that task, in many cases headed up by a former law enforcement officer or prosecutor. The greater the volume of requests, the more expensive that business function becomes.
Before I go further, I should add: I’m a libertarian. That means that, in my heart of hearts, I don’t like government overreach or state surveillance, or state power for that matter. But I’m also an attorney (in the US) and a solicitor (in England), which means that I have to live in the real world where government has these powers and businesses large and small are obliged to respect them.
If you run a small to medium-size enterprise in crypto that deals with the public, you will get hit with a subpoena or a search warrant at some point. It’s inevitable. For folks who haven’t been served with one of these before, it can be unnerving to leaf through a court order that says YOU ARE COMMANDED TO APPEAR and IT IS HEREBY ORDERED in bold font.
So what do you do?
1) Don’t panic. It’s (probably) not about you.
Yes, it’s entirely possible that you’re the target of this legal process. But if you’ve never been served with government process before, chances are good that if the subpoena is asking for disclosure about one of your users, customers, or subscribers rather than your business operations, it’s not about you. Your lawyer will tell you what the score is.
If it is about you, you will need to respond. However, for businesses that do a lot of transactions (data or financial) with the public, it’s much more likely that preservation letters, subpoenas, warrants, or other forms of request for information aren’t about the recipient but rather are about a user of the recipient’s service, e.g., someone who sets up an account to buy Bitcoin on a Bitcoin exchange.
2) Even though it’s (probably) not about you, don’t talk to the government without the assistance of counsel.
Your lawyers should be doing the talking if any talking is to happen at all. If you really feel the need to talk with the government about the data request, go talk to your lawyers, and we will talk with the government. We deal with this stuff for a living. You don’t.
Also in the don’t-talk-to-the-government column is that when you do communicate with the government you should be exceedingly polite. Do not do something like this or its written equivalent:
When you’re served with a data disclosure request by law enforcement your job is not to make a point, even if you’re a libertarian. Your job is, at minimum, to respond to the document request as completely as you can while also protecting your interests and the interests of your business. If you’re feeling particularly civic-minded, you could also say that by being responsive to law enforcement you’re helping to keep your fellow citizens safe.
It is possible to do this without acting like a jerk. If you get an e-mail containing legal process, you don’t have to respond right away (although generally it’s courteous to let the other side know it has been received, you can let your lawyer do that – more on that below). If a federal agent calls you on the phone, get his name, phone number, and e-mail address, thank him for calling, and let him know your lawyer will call him back.
3) Preserve all documents and data.
Don’t destroy or delete anything the request could have conceivably asked for. Back it up immediately.
4) Things to be aware of before you call your attorney
4A) There (probably) isn’t a rush to respond.
There (probably) isn’t a rush to respond; look on the face of the subpoena and it should have a deadline for production on it, and that date is likely to be several weeks or even a month from the date on which the subpoena has been served.
The primary exception to this is where the government is asking for disclosure of user/customer data on an emergency basis, due to the existence of a life threatening emergency, which the government can ask for under the federal Stored Communications Act.
America is a free country, so you aren’t required to comply with any information request that is unaccompanied by legal process; however, refusing such a request when the police have advised you that there’s a life-threatening emergency (a) isn’t a good look, (b) is going to really piss the government off and (c) means the government is likely to come back later with a subpoena or search warrant compelling the disclosure anyway, and they’re not going to be particularly friendly when they do.
If you run a large business, you already have a legal department that deals with these things. If you run a small business, you don’t, so make sure you have an attorney or member of in-house staff who is responsive. By this I mean when it’s 10:30 PM on a Saturday night and you get an e-mail from the FBI’s National Threat Operations Center requesting emergency disclosure of subscriber data, your attorney or staffer is willing to drop whatever he is doing to make himself available to field that request.
The law doesn’t sleep and neither can your compliance function.
4B) You (probably) don’t have to appear anywhere.
If you’re dealing with a grand jury subpoena, I know the document says in bold and all caps “YOU ARE COMMANDED to appear at the Marmot J. Squirrelstein Federal Courthouse on [date] blah blah.” There’s also (probably) another line, which is not in all caps, further down which says “In lieu of appearance you can provide documents” and that’s (probably) what the government wants. But you will want to confirm that with your lawyer.
4C) Don’t tell any third parties about the information request. In-house, ensure knowledge of government requests is kept on a need-to-know basis.
Document preservation requests, subpoenas and search warrants are often paired with non-disclosure orders that prohibit the recipient from discussing it with anyone except need-to-know staff and the company’s lawyers. Unless you have successfully challenged those orders, you must obey them.
Which brings us to the next step:
5) Call your attorney immediately after you’ve been served.
If you want to fight the order or object to the scope of disclosure, you can, but it’s not going to be cheap. If you’re a startup in the US without a sophisticated legal department with a big budget challenging a domestic US order will not be easy.
I know plenty of seasoned litigators who are experienced in this area and will be happy to refer you to them. In the alternative, call up the ACLU or the EFF, as Signal recently did to get a gag order lifted.
If you’ve never received a request for information, document preservation letter, national security letter, grand jury subpoena, administrative subpoena, search warrant, or emergency disclosure request before, call your attorney and he or she will help understand what kind of document you’ve received and what that document requires you to do – not all government data requests are the same, and not all are mandatory. Different agencies have different powers to ask for different kinds of information (and to prevent you from talking about the matter). Depending on what type of business you run, different statutory powers will authorize these requests and govern what your obligations are in relation to them.
If you’re based in the U.S., and the request comes from outside the U.S., you may have the option of refusing the request. Or you might not, if the request was validly made under a Mutual Legal Assistance Treaty, or “MLAT”, agreement. Your lawyer will help you parse your options.
If you have received a data request before, you should already have a protocol in place for dealing with them. Which brings me to my next point…
6) Plan ahead.
With any online business it’s possible to almost fully automate data production. You will need to balance the ease of automation with the requirement for data security. Err on the side of security.
The bulk of the U.S-source requests you will get will be subpoenas. Subpoenas issued under a particular statutory authority tend to request the same type of information as every other subpoena issued under that authority, and businesses tend to focus on particular types of commercial activity, so you should have a pretty good idea ahead of time what sort of information you’re going to be asked to provide.
Make sure you have a system in place where a small number of highly trusted staff have the ability to securely pull the requested data and provide it to law enforcement on short notice.
7) Your company can have a productive dialogue with law enforcement, but you have to let your lawyers do the talking.
In my experience, law enforcement officers and state prosecutors are courteous, highly professional people. However, they have a job to do. The mission comes first.
There’s no reason why you and your business can’t be on good terms with law enforcement or even helpful to law enforcement. However, your first concern should be to ensure that, in all your dealings with law enforcement, your interests are protected. The best way to do that is to run communications with law enforcement through your attorney and in writing.
For example. Suppose that one day, a few weeks after your lawyer provided a response to a subpoena, a friendly FBI agent calls you up and asks to have a casual sit-down over coffee to trade notes. She’s a nice person with a friendly demeanor, is just passing through town and is interested in Bitcoin and all things crypto.
You will think having that sit-down is a good idea, because you want to be helpful, don’t want to be rude and hey, it’s always nice to meet new people operating in your space.
Always decline these requests. At the very least, let your lawyers know that you’ve been contacted. If you want to be of assistance to law enforcement, be of assistance – through your attorneys. Ethereum dev Virgil Griffith had several such sit-downs and he has had to hire the best criminal defense lawyer in Bitcoinland, Brian Klein, to clean up the mess. Even if you are completely innocent of any offense, as most people are, let your lawyers do the talking.
Law enforcement will understand completely if you refer them to your counsel. They won’t think of you as rude. If they were in the same position, it’s what they would do.
And that’s it!
In conclusion
Summing up, if you run a business in crypto, and that business has users from the general public, it’s a virtual certainty that, at some point, the government is going to ask you to provide information in connection with an investigation.
Generally, these requests pertain to the commission of serious crime. Generally these requests are neither capricious nor unreasonable.
Dealing with these requests, and dealing with law enforcement generally, can be easy or hard. Regardless of one’s politics, keeping your business on good terms with the state is, generally speaking, the better business decision, if for no other reason than the fact that the U.S. government is bigger than you and has unlimited money and time.
