Not Legal Advice 11/9/19 – Dai hits $100 million; Crime doesn’t pay; FBI Director Wray speaks to Congress

Welcome back to this week’s edition of Not Legal Advice!

Once again, I’ve been remiss in typing up my weekly newsletter on a weekly basis due to travel – one of the downsides of solo practice is that one has no minions to dispatch to the far sides of the world – and this time, to San Francisco, where I did a panel with the inimitable Josh Stein of next-gen digital securities firm Harbor, among others, at SF Blockchain Week. Well done to the organizers for putting on a great conference.

This week’s a short one, as there really hasn’t been a whole lot in the last 14 days that I’ve found particularly interesting:

  • Dai hits $100 million in outstanding CDP contracts; crypto bros still don’t understand risk
  • Crime doesn’t pay: an update on the Brian Haney arrest
  • FBI Director Christopher Wray talks crypto to Congress.

1) Dai hits $100 million in outstanding CDP contracts; crypto bros still don’t understand risk

The Block reports:

The number of outstanding Dai has reached the protocol’s built-in “debt ceiling” of 100 million— an all-time-high for the nearly two-year-old stablecoin project. CDP 15336 minted the Dai that boosted the outstanding supply to its limit.

MakerDAO, the issuance platform behind Dai, had an original Dai debt ceiling of 50 million, which was raised to 100 million in July 2018. The MakerDAO team and community members plan to execute a governance vote this Friday to raise the debt ceiling by an additional 10-20 million.

Yes, a “decentralized stablecoin protocol” has “governance votes.” I’m not sure either.

The Block continues:

Early last week, the Maker Foundation announced that it will be rebranding its Collateralized Debt Position (CDP) in preparation for its November 2019 Multi-Collateral Dai (MCD) release. The new user interface of the Maker Protocol after the release of MCD will label CDPs as “Vault.”

What is “Dai,” I hear you ask? Dai is a so-called “stablecoin,” a cryptographic token which is designed to always hold a peg to a fixed, external unit of account – in Dai’s case, the U.S. dollar.

Dai accomplishes this, we are told, through a series of smart contracts on the Ethereum blockchain which issue the Dai coins and lock up an amount of Ether in excess of the Dai as collateral to back the “loan” which has been issued. This was known as a “collateralized debt position” but, perhaps because the organizers of the scheme have some dim awareness of the regulatory consequences of issuing securities which are backed by collateral pools and making them available for public sale, the Dai people are now changing the terminology of these smart contracts to “vaults.”

CDPs/Vaults expire in one of two ways. First, someone can pay back the Dai debt plus interest, which the scheme promoters misleadingly refer to as a “stability fee,” at which point the CDP dies and the locked Ether in collateral is returned. “Stability fees” can only be paid in MKR, another shitcoin which was issued by the original scheme organizers. In the alternative, if e.g. the value of the collateral pool is impaired, the CDP may be liquidated and the collateral used to repurchase Dai from the marketplace to ensure all Dai are backed by a quantity of Ether with a dollar value that is greater than or equal to the dollar value of all Dai in circulation.

How this works is a little complicated, but the team over at Reserve summarizes it well:

The process by which this happens is somewhat complicated. It involves two different on-chain auctions that try to raise enough capital to make the CDP debt free. To fully understand the process, you may have to spend some time thinking it through after reading it. If you don’t fully get it, don’t sweat it: full understanding is not necessary for following the rest of the analysis.

Here is how it works: first, a “debt auction” tries to repay the CDP’s debt through MKR dilution. The debt auction buys Dai, paying with newly minted MKR. The Dai is burned, to cancel the CDP’s outstanding Dai debt. The purpose of the debt auction is to ensure that the debt is repaid even if there is insufficient collateral in the CDP to repay the debt.

Simultaneously, a “collateral auction” buys MKR with the CDP’s collateral. The collateral auction sells enough collateral to cover the debt, accumulated interest (called the “stability fee”) and a liquidation fee. In Single-Collateral Dai, the liquidation fee is 13% of the collateral in the CDP — that is, they take 13% of the user’s locked up collateral capital when a user’s CDP gets auto-liquidated. The smart contract finally returns the remaining collateral to the CDP holder and burns all purchased MKR.

This is all, ultimately, just a complicated and extremely long winded procedure to repackage exposure to Ether in such a way as to drive demand for the MKR token. It is really only useful if you either (a) have a bunch of Ether and want to lever up and go long on more Ether or (b) you want to use a smart contract to obfuscate the source of your funds, which is something you really should not do.

The entire system is vulnerable to adverse movements in both ecosystems. As Dai is now expanding with “multi-collateral Dai” which is backed by many different kinds of coins, soon it will be vulnerable to adverse movements among a range of different cryptocurrencies.

The risk has not gone away. It has merely changed form. DeFi Bros have difficulty understanding this. e.g.

Current mood:

Long have I had suspicions about whether Dai is for real. My skepticism about the scheme before it launched was reinforced when the loss of one bot on one sketchy overseas exchange operated by an unnamed “third party market maker” resulted in the Dai dollar peg not just breaking, but shattering, until the bot was restored. Put another way, the brilliance of the Dai stablecoin system – at least back then – wasn’t the reason Dai held its dollar peg. A bot was.

And this isn’t me saying this. It’s the founder of MakerDAO, Rune Christensen.

poss_manipulation.png

Put another way: back in 2018, the volume on busiest market in Dai by far, on a $1 million trading day, dropped to $300 when a single bot went down.

DeFi Bros struggle to understand why this is also problematic.

“In reality Dai remained stable on all other exchanges” is a worthless argument in that context. The context being that we just discovered that a huge chunk of the market was not bona fide trading. If most of the volume of the coin can be traded by one bot, were we wrong to trust the numbers before the bot was discovered? What reason do I have to trust the numbers now? What reason is there to trust the rest of that volume on other exchanges? How do I know they’re legit?

I’m not saying here that the MakerDAO team knows anything about these bot operations. Far from it. Indeed, Rune refers to a “third party market making bot.” A third party with whom I should greatly like to speak who, apparently, never decided to reveal him or herself to the world.

I don’t know who operated the bot. I also don’t know how the bot operator communicated this information about bots on Bibox (the exchange) to the wider world. I don’t know why they were spending all that time wash trading on Bibox or what they stood to gain from it. I don’t know why the wider crypto community and stablecoin bros alike were not the least bit distressed by this event. All I know is that it happened, and I have never seen an explanation for why the scheme should have worked when that bot was up yet it broke catastrophically when that bot was down, as occurred in January of 2018. In the last two years, journalists haven’t followed up.

What I do know is that there’s no magic or innovation in wash trading around a fixed price point to make a market look real, on the off chance that is indeed what’s going on.

Charts of derivatives that are repackaged exposures to Ether should look like they are repackaged exposure to Ether. Dai does not. In the eyes of a dispassionate observer this should raise questions about market integrity. When Dai first broke its peg in early 2018, daily trading volume was around $1 million and the total market cap was around $3 million. Now, daily trading volume has reached highs of up to $50 million. All of which is to say that to the extent that bot training wheels first put in place back in the day are still in place, those training wheels are being asked to hold up an increasingly large rider and will be placed under greater degree of stress.

I stand by my prediction, first made in 2017, that Dai will eventually implode. But for the bots, after it fell on its face in 2018 it would have stayed down, just like previous collateralized stablecoin schemes such as BitUSD and NuBits, both of which failed (in BitUSD’s case, it failed after five days). The bigger the scheme becomes, the more difficult it will be for Dai’s training wheels providers – mysterious figures in the shadows, operating bots that generate volume for fun and profit – to hold back adverse market movements.

If we learned anything about risk-obfuscating schemes from the global financial crisis, we know this: the bigger they get, the harder they fall.

2) Crime doesn’t pay: Silk Road trafficker pleads guilty

Breaking the law is bad and dumb. Breaking the law with cryptocurrency is exceedingly dumb. Hugh Brian Haney was arrested in July of 2019 in relation to Silk Road activity dating back to 2012; this week he pleaded guilty to two charges and now faces a maximum of 30 years in prison.

3) FBI Director Christopher Wray talks crypto to Congress.

Which brings us to our next news item. An interesting fusion of the crypto-means-cryptography universe and the crypto-means-cryptocurrency universe happened in Congress this week. As reported in CoinDesk:

Wray noted encryption is touching every aspect of emerging tech such as instant communications:

“Whether its cryptocurrency, whether it’s default encryption on devices and messaging platforms; we are moving as a country and world in a direction where if we don’t get our act together money, people, communication, evidence, facts, all the bread and butter for all of us to do our work will be essentially walled off from the men and women we represent.”

First, to clear something up: most cryptocurrencies DO NOT encrypt communications. Bitcoin is chief among these crypto-critters-that-don’t-encrypt-transactional-data. Bitcoin really only shields one bit of data – the private keys of the users – from government surveillance. But it doesn’t stop the government from tracking what different keyholders do and how funds on the Bitcoin blockchain move around.

Some privacy coins, such as Monero or ZCash, do encrypt transactional information. Opinions as to which method of encryption is superior and e.g. the merits of ZCash doing a weird international math druid ritual to generate the coin’s SNARK public parameters are legion and do not bear repeating here. What does bear repeating here is that it would be very foolish to presume that these encryption methods will be secure forever.

Second, we should be cautious before we throw encryption out the window. Crypto that can be defeated by the FBI can be defeated by anyone (which isn’t a dig at the FBI, it’s just reality – Fort Knox wouldn’t be safe if it had a secret, unguarded, publicly-accessible back-door, and neither is code under the same circumstances).

I have yet to watch the entire hearing (and will likely do so tomorrow) but from this little, brief tidbit, what’s interesting from my point of view is how cryptocurrency and cryptography are starting to crop up in the same breath. And, unlike the 2010s where the interesting tech was about sharing cat pictures, virtually all of the interesting tech I can think of operates in this weird zone of enabling dissenters, since platforms like Twitter and Facebook are essentially tools of the hard-left anti-Trump #resistance establishment now.

As my friend and Israeli secret agent Maya Zehavi observed:

And I added:

What a time to be alive.

Here’s a picture of some marmots, licensed under the Pixabay license.

marmot-3465220_1280.jpg

Not Legal Advice, 10/13/19 – Ethereum has a good week; Facebook has a bad week; Bitfinex has a worse week; Telegram has a terrible, horrible, no good, very bad week

Welcome back to Not Legal Advice, my weekly crypto and crypto-adjacent technology law newsletter-blog-series-thing! Subscribe via e-mail, WordPress, or RSS at the bottom of my homepage.

This week:

  1. SEC, CFTC and FinCEN remind everyone that money laundering is bad.
  2. Ethereum has a good week.
  3. Facebook has a bad week (Libra on the ropes, with withdrawals by Mastercard, Visa, eBay and Stripe adding to last week’s departure of PayPal).
  4. Bitfinex has a worse week (getting sued for $1.2 Trillion (with a T)).
  5. Telegram has a terrible, horrible, no good, very bad week (gets sued by the SEC in federal court).

1) SEC, CFTC and FinCEN remind everyone that money laundering with cryptocurrency is bad

Read their joint statement here.

I doubt that Jay Clayton, Heath Tarbert and Kenneth Blanco (head honchos of the SEC, CFTC, and FinCEN, respectively) would issue a statement just because they were hanging out drinking beer one afternoon and said, “hey, you know what would be cool? An announcement. That’s nearly as fun as interagency softball.”

What seems more likely is that this statement is framing a narrative that will be relevant for future enforcement. Keep your eyes open for what comes next.

2) Ethereum has a good week

The CFTC’s comments that Ethereum is to be treated as a commodity seemingly confirm that, despite robust securities enforcement by the SEC against Telegram, Eos, Sia, Paragon, and dozens of other projects, Ethereum is getting a free pass.

Read my write up where I argue that if Ethereum were launched today, it would be a security.

3) Facebook has a bad week (Libra on the ropes, with withdrawals by Mastercard, Visa, eBay and Stripe adding to last week’s departure of PayPal)

This was inevitable. As I wrote back when Libra broke cover in July:

If Facebook raised an army, this would be only slightly more hostile to the people of the United States than what is currently proposed. Big Tech doesn’t share American values and doesn’t care about American users. It doesn’t care about the unbanked. It cares about money. It cares about building defensive moats, i.e., monopolies. And Libra – the tech industry monopolization of global finance – is a phenomenal way to get both free money (the token represents, after all, an interest-free loan from Libra’s users) and a very deep, wide moat, not just for Facebook, but also for every other major category leader/tech monopolist on the planet.

After tumultuous Congressional hearings, regulatory pressure from the Europeans, the straw that appears to have broken the camel’s back was a letter from two U.S. Senators, Sherrod Brown (D-OH) and Brian Schatz (D-HI), to a number of payments infrastructure companies advising them that teaming up with Facebook would not be in their interests.

Sen. Brown of course has been a vocal opponent of Facebook’s forays into crypto from the start:

Here’s an excerpt from the 1.25-page letter the two senators sent to the CEOs of Mastercard, Visa, and Stripe. Salient passages include:

Facebook is currently struggling to tackle massive issues, such as privacy violations, disinformation, election interference, discrimination and fraud, and it has not demonstrated an ability to bring those failures under control. You should be concerned that any weaknesses in Facebook’s risk management systems will become weaknesses in your systems…

Your companies should be extremely cautious about moving ahead with a project that will foreseeably fuel the growth in global criminal activity.

Yikes. In other words, “Facebook is sailing into some rough seas. You sure you want to get into bed with that?”

The letter then concluded:

Facebook appears to want the benefits of engaging in financial activities without the responsibility of being regulated as a financial services company. Facebook is attempting to accomplish that objective by shifting the risks and the need to design new compliance regimes on to regulated members of the Libra Association like your companies. If you take this on, you can expect a high level of scrutiny from regulators not only on Libra-related payment activities, but on all payment activities.

This is government-ese for “check yourself before you wreck yourself.”

Visa, Mastercard, and Stripe promptly withdrew from the consortium on the 10th of October, as did eBay, joining PayPal, which withdrew the previous week.

Although as your correspondent put it on October 4th:

4) Bitfinex has a worse week (gets sued for more than $1 Trillion).

Bitfinex has been sued for $1.2 trillion (that’s “trillion” with a T) dollars in a lawsuit that alleges the company engineered the multibillion dollar 2017-18 cryptocurrency bubble and crash by printing fake Tether dollars. Read my write up.

5) Telegram has a terrible, horrible, no good, very bad week (gets sued by the SEC in federal court).

(With apologies to Judith Viorst.)

Telegram is a popular encrypted messaging app, not just among crypto-nerds, but among people everywhere. It is used by well north of 300 million DAUs (daily active users) who

  • are looking to encrypt their communications and think they’re too cool for WhatsApp, but
  • don’t know that they should be using Signal or Keybase.

In late 2017/early 2018, as Telegram blew past the 200 million DAU mark, the company decided to raise money in an ICO, or initial coin offering. The offering raised an astounding $1.7 billion (with a B) for a pre-product, pre-revenue blockchain system known as the “Telegram Open Network,” to have the ticker symbol “TON,” with tokens known as “Grams.”

Silicon Valley’s most storied investment firms practically fell over themselves to participate.

lol.png
LOL, rekt. From the Financial Times

The hiccup: in the TON investment documents, Telegram promised to launch the network by 31 October 2019 or, failing which, Telegram investors would have the option to recoup their investment, less expenses.

Telegram was, understandably, in a hurry to get the network live and the tokens issued before the end of this month (as it is, as of this writing, the 12th of October). Unfortunately for Telegram, on October 11th, the Securities and Exchange Commission filed an emergency action and obtained a temporary restraining order against Telegram preventing them from doing so, all but assuring that the company will fail to meet the deadline – and ensuring protracted litigation will interfere with the launch of the network for some time to come.

The structure of the offering was that (a) Telegram would pre-sell $1.7 billion of Grams to investors under Regulation D and S exemptions to registration (b) Telegram would retain $billions of dollars worth of Grams for itself and (c) after launching the network, those investors and Telegram itself would flood the U.S. markets with tokens.

The issue with this is that (a) apparently Telegram didn’t adhere to the strict requirements of Regulation D during the sale, (b) the SEC considered that not only the investment agreements to purchase Grams but also the Gram tokens themselves would constitute investment contracts, and (c) that Telegram was making efforts to sell, and planned to sell, these tokens direct into the U.S. markets through U.S. platforms e.g. Coinbase Pro et al.

And apparently Telegram then refused to accept service of a subpoena the SEC served on it overseas.

So the SEC sued Telegram and slapped it with a temporary restraining order ordering Telegram to appear in the New York federal district court on October 24th to explain itself.

Points to note? Despite what the SEC paints as a pretty open-and-shut case, Telegram’s counsel is Skadden, Arps, which is a little strange seeing as – to the extent Skadden advised on the original deal, as reported in the New York Times – one would think a firm as expensive as Skadden might have seen this coming or, at the very least, wouldn’t have advised Telegram to evade service of a subpoena. It’s of course impossible to know what was said behind closed doors, but now that I and others are starting to look at the Telegram sale more closely that’s one of the first questions that crossed my mind.

Equally, Skadden may be expected to mount a robust defense now that its client has been sued.

Furthermore, this paints the US as a thoroughly hostile environment for ICOs, despite the SEC’s repeated insistence on not enforcing against Ethereum in the past or the recent 60 basis point slap on the wrist given to the $4 billion Eos ICO. The overwhelming theme of the recent SEC enforcement, including Telegram, means that the best move for an ICO issuer not using the Regulation A+ issuance pathway trailblazed by Blockstack may be to avoid the United States entirely.

Obviously your mileage may vary and this column is called Not Legal Advice for a reason, but if there’s a takeaway point from this it’s to expect ICO activity in the U.S. to diminish going forward rather than increase.

This also calls into question the exchanges’ listing decisions to date, noting that the so-called Crypto Ratings Council classified both Eos and Grams as not being securities. Meaning that their ratings of anything that isn’t Bitcoin or Ethereum are, so far, 0-2.

And expect more enforcement.

And with that out of the way, time for your weekly Moment of Marmot:

groundhog-4289456_1280.jpg
Land shark

Leibowitz et al. v. iFinex et al.: Fear and Loathing on the Blockchain

This is a cross-post. An earlier draft of this post was first published as a guest post in The Block on Tuesday, 8 October 2019. 

Leibowitz et al. v. iFinex et al., case 1:19-cv-09236, U.S. District Court, S.D.N.Y. [PDF]

TL;DR

  • Whether facts are true or not isn’t necessarily relevant for purposes of an initial motion to dismiss in the new Bitfinex class action
  • The strategy here may be to require the defendants to deny the claims, to answer and provide discovery, using a political tactic Hunter S. Thompson describes in his classic Fear and Loathing on the Campaign Trail
  • Each of the factual allegations in the complaint will need to be denied and refuted if an expected motion to dismiss isn’t granted, and the standards will be different than in state or federal regulatory enforcement proceedings

LONG VERSION:

There’s a passage in Hunter S. Thompson’s Fear & Loathing on the Campaign Trail where Thompson describes then-congressional candidate (and later U.S. President) Lyndon Johnson using a tactic Thompson referred to as “one of the oldest and most effective tricks in politics” to deep-six a competitor in a close race.

“The race was close and Johnson was getting worried,” Thompson writes, so Johnson “told his campaign manager to start a massive rumor campaign about his opponent’s life-long habit of enjoying carnal knowledge of his own barnyard sows.”

“‘Christ, we can’t get away calling him a pig-fucker,’ the campaign manager protested. ‘Nobody’s going to believe a thing like that.'”

“‘I know,’ Johnson replied. ‘But let’s make the sonofabitch deny it.'”

I was reminded of this passage when I read the filings in Leibowitz et al. v. iFinex Inc., et al., the new case against Bitfinex, Tether, and others filed by Roche Freedman LLP which alleges, among other things, that Bitfinex has engaged in massive market manipulation and was primarily responsible for the cryptocurrency bubble. This is not, mind you, because I think that the plaintiffs’ claims are (or are not) meritorious; one must be careful, at the early stages of any litigation, to not arrive at premature conclusions on the subject or the probable outcome based on one’s own biases, conjecture or rumor.

Rather, it strikes me that this tactic – make the sonofabitch deny it – is, for the purposes of cryptocurrency observers, traders, and others, the one relevant aspect of this litigation, at an early stage, which is actionable, by which I mean a data point around which one may make plans, measure risks, and direct one’s attention to future developments.

The claims made by the plaintiffs are spectacular. The plaintiffs allege unlawful market manipulation, principal-agent liability for market manipulation, aiding and abetting market manipulation, unlawful competition contrary to the Sherman Act, racketeering constituted by, among other things, operating an unlicensed money transmitting business, money laundering, and bank and wire fraud. Also named as co-defendants are Bitfinex senior executives and entities and persons implicated in the Department of Justice investigation into Crypto Capital Corp, an alleged international money laundering scheme which appears to have been truly immense in size.

Whether these claims are true or not is a matter for a New York jury to decide. What matters from our perspective, here and now, is (a) whether the claims are pleaded well enough to survive dismissal and (b) how disclosures made in this case will shed light on Bitfinex/Tether’s operations, and other investigations of those operations, as the discovery process progresses.

Now that the complaint has been filed, assuming it will be properly served on all defendants, the next step in this litigation is for Bitfinex et al. to either file an answer or immediately file a motion to dismiss. In particular, we should look for Bitfinex et al. to challenge these pleadings under FRCP Rule 12(b)(6) (as this case was filed in federal court), failure to state a claim upon which relief can be granted, as “a plaintiff’s obligation to provide the ‘grounds’ of his ‘entitle[ment] to relief’ requires more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do.” Bell Atlantic v. Twombly, 550 U.S. 544 (2007). In other words, you gotta provide some factual specificity, particularly when fraud is alleged (FRCP Rule 9(b)).

Plaintiffs have set out extensive background information in order to jump the hurdle of Rule 12(b)(6)

It is highly likely that Bitfinex et al. will challenge these pleadings under Rule 12(b)(6). Perhaps anticipating this, the allegations set out in the (95-page) complaint are given together with an unusually thorough factual background. They tell the story of the entire 2017-18 cryptocurrency bubble and collapse through the lens of a keen-eyed detective who needs to get the court from zero to pro on all things cryptocurrency in a matter of pages.

This is done expertly. After setting out a high-level, attention-grabbing summary that explains that “Tether’s mass issuance of USDT created the largest bubble in human history” and that “[i]n a brash display of lawlessness, Tether and Bitfinex continue to defraud the market,” the complaint details Bitfinex’s operations and structure, Tether, and the history of Tether’s representations that it is constantly backed by U.S. dollars.

The complaint then digs into ancient Bitcoin history to explain how the cryptocurrency markets are uniquely susceptible to manipulation “[underscoring how control over an exchange and the opportunity to make trades with non-existent money allowed a single individual to dramatically influence cryptocurrency prices,” before embarking on a detailed treatment of how “Bitfinex and Tether [allegedly] leveraged USDT and their control of the Bitfinex exchange to inflate one of the largest bubbles in history.”

The complaint continues by exploring Bitfinex/Tether’s issues with access to the banking system, pointing out that while “access to the U.S. financial system was an essential component” of the scheme, “conventional banks began shutting Tether and Bitfinex accounts down for money laundering and other compliance issues and “Tether and Bitfinex [allegedly] became even more enmeshed with Crypto Capital,” a firm which has been shut down by the U.S. Department of Justice, and allegedly began “a complicated shell game of money laundering” despite the fact that “[s]tatements made by Bitfinex and Tether in that lawsuit underscore just how essential U.S. correspondent access was to their operations, and how losing it should have stopped their ability to operate and issue USDT.”

“Bitfinex and Tether were so desperate to access the U.S. financial system and U.S. dollars,” the plaintiffs allege, “that they were directing funds to Crypto Capital despite its clear connection to money laundering, account seizures, and an inability to move funds out.” Despite these banking issues, the plaintiffs further allege that “[i]n the short span of less than one month after Bitfinex and Tether closed the door to potential new market entrants, Tether issued more than 1 billion new USDT, all of which was supposed to be backed by U.S. dollars in bank accounts the Tether refused to disclose or audit.”

The complaint continues by providing the Court with notice of the ongoing investigation into Bitfinex’s operations by the Attorney General of the State of New York, in relation to which the plaintiffs further allege that disclosures arising in that investigation, “[I]f were was (sic) any doubt before, it’s now absolutely clear that Tether no longer has cash reserves to back USDT at a 1:1 ratio.”

As a result of the facts laid out, the plaintiffs allege that Bitfinex is civilly liable to them for losses suffered in the cryptocurrency markets as a result of Bitfinex’s “Bank Fraud[,] Money Laundering[,] Monetary Transactions Derived from Specified Unlawful Activities[,] Operating an Unlicensed Money Transmitting Business[,] and Wire Fraud[.]”

Legally relevant conclusions

So what do we take away from this?

To start, it is entirely possible that these allegations are untrue and Bitfinex and co. are veritable paragons of compliance and moral virtue. In the alternative, it’s possible that every word of the complaint is true.

We just don’t know.

What we do know is that the Bitfinex operation is under investigation from several angles and this new one is yet another straw on the proverbial camel’s back. From my review of the pleadings, it seems to me that the plaintiffs’ claims are backed by a sufficient factual basis that they will survive a 12(b)(6) motion to dismiss.

After that, who knows: it may settle, it may go to trial, it may get dropped. For now, however, I think this action is going to get over the first hurdle without too much difficulty.

The case cannot be ignored by Bitfinex; seeing as the plaintiffs allege an astonishing $1.4 trillion in damages, defaulting should be financially catastrophic.

Being a civil case, protections Bitfinex might be able to rely on in other contexts, such as the Fourth Amendment in any criminal action, arguing that the Martin Act doesn’t confer jurisdiction over Bitfinex’s activities, or arguing that an administrative subpoena served on it by the New York Attorney General is overbroad, won’t apply here. Discovery has the potential to be broader and deeper than Bitfinex has shown, to date, that it is comfortable with. The burden of proof is lower, too, than it would be with a criminal case (balance of probabilities rather than beyond a reasonable doubt).

Put another way, this is a very different ball game than what Bitfinex et al. have been playing to date. We may expect Bitfinex et al. to fight the case. But the case puts Bitfinex et al. on the spot: they have to have some basis to deny the factual allegations and the plaintiffs need only prove, on a preponderance of the evidence, that their allegations are true. The discovery process will go some way to revealing whether rumors of manipulation, money laundering and fraud are true, and the short-term future of the cryptocurrency markets may be greatly affected by the outcome of the exercise, and of this litigation more generally.

The thing for everyone to do, then, is watch this case. Very closely.

Will the UK-US data sharing agreement *really* not result in forced decryption of American communications?

Adapted from this tweet thread.

I will start this blog post by stating that, to be perfectly clear, there is nothing in the CLOUD Act that mandates forced decryption or could be construed to allow it. 

However, people who say that forced decryption of U.S. communications disclosed under the Cloud Act is impossible may be wrong. If you bear with me, I’ll explain why. 

Tim Cushing, writing for the inimitable online paper of record Techdirt, reports in this article, titled “No, The New Agreement To Share Data Between US And UK Law Enforcement Does Not Require Encryption Backdoors,” that

The reporting here is borderline atrocious. The article insinuates that this agreement will force Facebook and WhatsApp to turn over decrypted communications or install a backdoor. It won’t. The platforms may be compelled to turn over encrypted messages but all UK law enforcement will get is encrypted messages. The reporting here makes it appear as though social media platforms are being compelled to provide plaintext. They aren’t.

Correct. Not in the CLOUD Act, they’re not. TechDirt concludes:

What the UK government has in the works now won’t mandate backdoors, but it appears to be a way to get its foot in the (back)door with the assistance of the US government.

If we’re only looking at the CLOUD Act and any data sharing agreement entered into pursuant to the CLOUD Act, this view is absolutely, 100% correct. The CLOUD Act indeed prohibits the inclusion of provisions regarding forced decryption in any data sharing agreement. 

The issue is that America is not the only country in the world, the CLOUD Act is not the only law in the world and any US-UK data sharing agreement entered into pursuant to the CLOUD Act, currently in draft, will not be the only law in that applies to data disclosures in the UK. 

The UK already has plenty of its own laws – passed in 2000, 2016, and 2018 – that will fall outside of the four corners of any data sharing agreement and which currently allow the UK to either secretly force companies to backdoor their encryption, or force individuals or companies to disclose their private keys (so-called rubber-hose cryptanalysis).

These laws are, primarily, the Regulation of Investigatory Powers Act 2000, Section 49; the Investigatory Powers Act 2016, Section 253; and Schedule 1 to the Investigatory Powers (Technical Capability) Regulations 2018.

This pre-existing legislation  plus the CLOUD Act, working in tandem, could result in the US companies being compelled to provide US-based data in readable form to the UK without the UK obtaining a US warrant, even if the CLOUD Act itself is silent on decryption.

Allow me to explain.

If the US-UK data sharing agreement becomes law, UK police can ask US firms to provide the content of communications data and the US firms will be able to provide it without worrying that they’re violating 18 U.S.C 2702(a)(1).

The consequence of this will be twofold. If the current reporting is wrong (as I suspect), US companies with no UK presence will be able to more or less tell the UK to pound sand when the UK asks for the content of communications on their servers, as I expand on in considerable detail here.

US companies with a UK nexus, however (practically all major web companies and SaaS providers) will have a choice: either leave the UK or obey the UK court orders they will get served with under the CLOUD Act data agreement.

Again, these are disclosure rather than forced decryption orders.

A problem arises, however, when we consider how the CLOUD Act disclosure rules might interact with pre-existing forced decryption laws in the United Kingdom.  Namely, once your telecommunications service is under the UK’s jurisdiction, the UK government has a domestic power under Section 253 of the Investigatory Powers Act 2016 to promulgate regulations that would allow the UK government to, among other things, order firms to remove “electronic protection” from communications and maintain the ability to do so.

Screen Shot 2019-10-01 at 12.06.52 PM.png

Oh, and once they serve a company with one of these notices, the company is subject to a nondisclosure obligation, so nobody will know the notice has been given. See Section 255(8) of the Investigatory Powers Act.

Screen Shot 2019-10-01 at 1.03.30 PM.png

And sure enough, in 2018, the UK eventually adopted a statutory instrument that gave the UK government the power to impose these conditions on telecommunications providers operating or controlling all or part of their operations from within the United Kingdom:

Screen Shot 2019-10-01 at 12.11.13 PM.png

Conclusions

In all probability, what the CLOUD Act data sharing agreement will do is make it nearly impossible for global tech firms that store data in the United States to refuse UK warrants on Stored Communications Act grounds if they wish to continue doing business in the UK. 

The data sharing agreement to be entered into with the UK under the CLOUD Act

  • will not, in all probability,  allow UK police to forcibly pry open encrypted communications in the US; and
  • will not, in all probability, tell us anything about how the rumored data sharing agreement will interface, if at all, with existing UK forcible decryption laws or key disclosure laws which pre-date both the CLOUD Act and the data sharing agreement.

All that the meat of the CLOUD Act in 18 USC 2523  says on the subject of forced decryption is 

the terms of the agreement shall not create any obligation that providers be capable of decrypting data or limitation that prevents providers from decrypting data[.]

This doesn’t disqualify the UK’s existing forced decryption or key disclosure regimes or prevent the UK from enacting new ones. All it says is that forced decryption can’t be part of the terms of the data sharing agreement. There is nothing in the CLOUD Act that prevents the UK from serving a technical capability notice (i.e., forced decryption) on a US firm that provides encrypted data to the UK under a CLOUD Act order. I am guessing there will be nothing in the data sharing agreement either. Which means that the UK will probably remain free to serve technical capability notices on companies upon which it also serves CLOUD Act orders. 

Much, of course, will depend on the final agreement. What it will say is anybody’s guess, but I am not hopeful that it will be a particularly libertarian document, and my hunch is that the US won’t be keen to draw attention to the UK’s forced decryption laws by mentioning them in the data sharing agreement.

Which is course is the point. To the extent the data sharing agreement is silent on forced decryption, that, my friends, is your back door. Even if the CLOUD Act agreement doesn’t mandate the forced decryption of data, there are plenty of existing UK statutes that do. This means that the CLOUD Act could still result in forced decryption of data obtained from (and possibly about) US citizens and US companies on US servers by UK police, in secret, without anyone in America knowing about it or having any constitutional recourse.

Forced decryption that could probably not happen – or if it did, it would happen far less frequently – if the U.S. declined to enter into this executive agreement and (ideally) repealed the CLOUD Act.

Thoughts welcome on Twitter or in the comments.

wyoming-yellow-bellied-marmot-4058316_960_720.jpg
A marmot.

Not Legal Advice, 9/22/19 – self-proclaimed architect of the “Zug Defence” arrested, ICOBox sued, Section 230 limited by the 9th Circuit

Welcome back to this week’s edition of Not Legal Advice! Because legal advice costs money, and this blog is free.

Between delivering the keynote at blockchain day of Stamford Innovation Week and getting ready for a speaking gig at Crypto Springs, I’ve been pretty busy, so this week’s newsletter is going to be on the short side (a mere 1,800 words). This week:

  1. Self-proclaimed architect of the “Zug Defence” (or “Defense” for Americans) arrested
  2. ICOBox sued for selling unregistered securities, fraud, and operating as an unregistered broker-dealer; Paragoncoin resurfacts
  3.  Enigma v. Malwarebytes: 9th Circuit says Section 230 doesn’t apply to deliberately anticompetitive conduct

1. Self-proclaimed architect of the “Zug Defence” arrested

Last week brought us the news that Steven Nerayoff – early Ethereum advisor, sometimes Ethereum co-founder, and current one-of-those-guys-who-is-on-twelve-different-token-boards, was arrested and charged in the Eastern District of New York with extortion.

Although of course Nerayoff and his alleged co-conspirator, a fellow named Michael Hlady who previously was convicted of defrauding a group of nuns in Worcester, Mass (no, really), are innocent until proven guilty, it suffices to say that the allegations contained in the indictment do not portray either defendant in an especially flattering light.

Of wider significance here from the observer’s viewpoint is the fact that Nerayoff claims to have been the architect of – and is therefore someone with intimate knowledge of – the Ethereum Foundation’s early legal strategy. In particular, Nerayoff is likely to be aware of the contents of a legal opinion which, according to CoinDesk, is said to have cost $200,000, payment of which Nerayoff reportedly guaranteed with his own money. This person is now in federal custody.

The issuance of this legal opinion is worth re-examination, at the very least for historical purposes if nothing else. Apart from the obvious fact that $200,000 is rather a lot of money to pay for a legal opinion, the issuance of that opinion – which I presume authorized the sale, otherwise why pay $200k for it – arguably set off the ICO boom as we know it. The fact that Ethereum proceeded with legal air cover and was such a wild, runaway success encouraged other law firms, large and small, to then take a view on subsequent offerings in order to gain market share and marquee clients.

Ethereum was the first of many coin issuers to set up shop in Zug, Switzerland, known now as “crypto valley,” presumably under the theory that Swiss residence and legal structures would immunize them from U.S. law. This tactic, referred to in jest by cryptolawyer OGs as the “Zug Defence,” is rumored to involve establishing a Swiss Stiftung, or foundation, obtaining tax opinions from a Swiss law firm that the token-product is to be treated as a software product for tax purposes, and, in Ethereum’s case, obtaining a second, supplemental opinion which presumably set out the U.S. legal position (if the rumors are true). Although I have not read it, to the extent that opinion authorized the Ethereum pre-sale to occur in the U.S. without requiring the Ethereum Foundation to register the tokens or avail itself of an exemption, it would have been, in my professional opinion, legally incorrect. This conclusion is based on the SEC’s 2018 Paragon and AirFox settlements, which we may presume form the template for all enforcement actions which will follow, and in relation to which the Ethereum pre-sale, in hindsight, does not appear to have been materially different.

Generally speaking, a practitioner who possesses even one whit of conservatism in their bones will tell you that the so-called “Zug Defence” is not much of a defence at all, to the extent that the transaction or scheme touches the U.S.  or captures the U.S.’ attention. Although the statute of limitations for the Ethereum Foundation qua token issuer under the Securities Act of 1933 has run, their operations continue. When a supposed non-profit in Switzerland magically creates $20+ billion out of thin air, you can be sure this does not go unnoticed.

This is accordingly a story to watch.

marmot_2.jpg
This marmot is on Mt. Rainier, not in Switzerland. This marmot follows U.S. securities laws.

2. SEC sues ICOBox for selling unregistered securities, fraud, and operating as an unregistered broker-dealer; Paragoncoin resurfaces

In other federal-agencies-on-the-warpath news, the U.S. Securities and Exchange Commission sued ICOBox and its founder last week for allegedly conducting an unregistered coin offering, engaging in fraud in relation to that coin offering, and operating as an unregistered broker-dealer in relation to other coin offerings launched using its platform.

Attorneys can spot plausibly deniable sarcasm from 1,000 yards, and the complaint does not disappoint:

ICOBox proclaims to be a “Blockchain Growth Promoter and Business Facilitator for companies seeking to sell their products via ICO crowdsales” —in other words, an incubator for digital asset startups. A self-described blockchain expert, Evdokimov, has acted as the company’s co-founder, CEO, and “vision director,” among other titles.

The facts of the coin offering and the alleged fraud do not bear repeating here. More interesting from my perspective is how the SEC has built up its claim that ICOBox was acting as an unregistered broker-dealer:

The token sale conducted by at least one of these clients, Paragon Coin, Inc. (“Paragon”), constituted a securities offering under Howey… By actively soliciting and attracting investors to ICOBox’s clients’securities offerings in exchange for transaction-based compensation without registering as or associating with a registered broker-dealer, Defendants engaged in unregistered broker activities that violated the federal securities laws.

SEC v. Paragon Coin, we may remember, was the first major settlement announced between the SEC and an ICO issuer, back in November 2018. Around the same time, the SEC announced settlements with AirFox (unregistered securities offering) and the founder of EtherDelta (for operating an unregistered securities exchange). About 30 days prior to that, the SEC announced its settlement with ICO Superstore, a similar business to ICOBox, for operating as an unregistered broker-dealer.

So we should not be surprised that the SEC is going after ICOBox, nor should we be surprised if the SEC decides to go after other token mills in the future. Interestingly, the SEC appears to have used the cooperation and disclosure obtained in the Paragon exercise to build the case against ICOBox:

ICOBox’s team members highlighted on social media during the offering that ICOBOX had started to work with certain clients including Paragon (referring to it as ICOBox’s “child”), but did not disclose that no ICOBox clients had yet completed any ICOs using its services.

Tl;dr? The SEC is good at a lot of things, but they’re particularly good at playing follow-the-money, and their inquiries will not end with token issuers. They will use what they learn at issuer level to move up the chain to promoters and service providers. It will be interesting to learn what is revealed as they undergo that process.

3. Enigma v. Malwarebytes: 9th Circuit says Section 230 doesn’t apply to deliberately anticompetitive conduct

If you don’t know what Section 230 of the Communications Decency Act is, start here. If you do, recall that Section 230 has two main operative provisions:

  • Section 230(c)(1), which says that publishing platforms and users of publishing platforms are not liable for content created by someone else; and
  • Section 230(c)(2), which basically says that companies can’t be sued for good-faith moderation calls, so if e.g. you’re Milo Yiannopoulos and one of your posts is moderated off of Facebook, if you sue Facebook for it, you will lose.

With regard to each of those provisions, however, these above shorthand definitions are just that, shorthand, and what they gain in comprehension for the layman they lose in terms of the stripping away of the actual, technical language they use. Section 230(c)(2) reads as follows:

No provider or user of an interactive computer service shall be held liable on account of (A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected; or (B) any action taken to enable or make available to information content providers or others the technical means to restrict access to material described in [sub-]paragraph ([A]).

The facts of Enigma v Malwarebytes are as follows.

Enigma Software Group USA, LLC, and Malwarebytes, Inc., were providers of software that helped internet users to filter unwanted content from their computers. Enigma alleged that Malwarebytes configured its software to block users from accessing Enigma’s software in order to divert Enigma’s customers.

Malwarebytes and Enigma have been direct competitors since 2008, the year of Malwarebytes’s inception. In their first eight years as competitors, neither Enigma nor Malwarebytes flagged the other’s software as threatening or unwanted. In late 2016, however, Malwarebytes revised its PUP-detection criteria to include any program that, according to Malwarebytes, users did not seem to like.

After the revision, Malwarebytes’s software immediately began flagging Enigma’s most popular programs— RegHunter and SpyHunter— as PUPs. Thereafter, anytime a user with Malwarebytes’s software tried to download those Enigma programs, the user was alerted of a security risk and, according to Enigma’s complaint, the download was prohibited[.]

As a former startup guy, don’t I know that startup competition in the software industry is a fight to the death.

Fortunately, commerce is not a free for all and there are rules and certain standards of fair dealing that companies are expected to follow as they compete. Enigma brought a number of claims under state and federal law, ranging from unfair and deceptive trade practices to a Lanham Act violation of making a “false or misleading representation of fact” regarding another person’s goods. Malwarebytes argued it was immune from the action due to the effect of Section 230(c)(2).

Malwarebytes won at first instance. The 9th Circuit reversed:

The legal question before us is whether § 230(c)(2) immunizes blocking and filtering decisions that are driven by anticompetitive animus.

In relation to which the court found:

Enigma points to Judge Fisher’s concurrence in Zango warning against an overly expansive interpretation of the provision that could lead to anticompetitive results. We heed that warning and reverse the district court’s decision that read Zango to require such an interpretation. We hold that the phrase “otherwise objectionable” does not include software that the provider finds objectionable for anticompetitive reasons…
…if a provider’s basis for objecting to and seeking to block materials is because those materials benefit a competitor, the objection would not fall within any category listed in the statute and the immunity would not apply.

Pretty clear cut ratio there.

Eric Goldman’s treatment of the subject is much more detailed than my own. I recommend it to anyone looking to read further in this case; suffice it to say that I agree with the 9th Circuit, and disagree with Goldman, in that anti-competitive conduct by large tech companies is a growing problem, it cannot have been the intention of Congress to enable unlawful anticompetitive conduct with Section 230 and, at least as far as I am concerned, the natural meaning of “otherwise objectionable,” while extremely broad, does have limits, and, much as one would have a difficult time finding a motorcycle or a plant objectionable, it is conceivable that anti-malware software that is not itself malware might fall outside of those limits.

The opening that is created here is narrow and appears to be strictly limited to anti-competitive conduct, although there is a risk this ruling could be distinguished by new categories of litigants whose user-generated content is excluded without apparent justification from online platforms. I struggle to think whence these claims might arise, given that users of online platforms customarily contract away most of their rights and acquiesce to the platform’s discretion to filter content as it pleases in accordance with their policies (as opposed to the situation in Enigma, where Enigma’s rights vis-a-vis Malwarebytes originated in statute which Enigma did not waive). This of course naturally invites the question of whether states themselves will also try to create new statutory protections for constitutionally protected opinions which, of course, is exactly the thing that Section 230 of the the Communications Decency Act was enacted to prevent. Between Enigma and the EFF’s First Amendment challenge to FOSTA/SESTA, Section 230 jurisprudence over the next few years looks to be anything but boring.

See you next week!