Help! The government’s at the door and they’re asking me for data… what do I do?

I preface this blog post – part of my Not Legal Advice series – by stating that it is absolutely not legal advice and I am not your attorney. See disclaimer. If you have an engagement letter that is signed by both of us and you have put a retainer on account, then and only then am I your attorney and then and only then am I giving you legal advice.

The below is provided for general informational purposes only.

Earlier today, Kraken published its annual transparency summary:

Screen Shot 2020-01-06 at 11.21.31 PM.png
Credit: Payward, Inc (d/b/a Kraken).

They received 710 requests impacting roughly 1,222 accounts. That’s just a hair under two requests per day, or, as Kraken CEO Jesse Powell put it on Twitter, “3 if you don’t count weekends!”

ShapeShift CEO Erik Voorhees took a rather dim view of Kraken’s situation:

That’s a lot of requests, but not a crushing amount; I would imagine Google and Microsoft get more. EDIT: Although I had thought one full-time paralegal should be enough to handle that kind of workflow, at least in terms of triaging the requests and initiating exports of user data, Kraken CEO Jesse Powell chimed in to indicate that the costs of servicing these requests was considerably higher:

Clearly, government inbound creates significant overheads – although practically every major company (Google, Microsoft, Facebook, Uber) each has a team dedicated to precisely that task, in many cases headed up by a former law enforcement officer or prosecutor. The greater the volume of requests, the more expensive that business function becomes.

Before I go further, I should add: I’m a libertarian. That means that, in my heart of hearts, I don’t like government overreach or state surveillance, or state power for that matter. But I’m also an attorney (in the US) and a solicitor (in England), which means that I have to live in the real world where government has these powers and businesses large and small are obliged to respect them.

If you run a small to medium-size enterprise in crypto that deals with the public, you will get hit with a subpoena or a search warrant at some point. It’s inevitable. For folks who haven’t been served with one of these before, it can be unnerving to leaf through a court order that says YOU ARE COMMANDED TO APPEAR and IT IS HEREBY ORDERED in bold font.

So what do you do?

1) Don’t panic. It’s (probably) not about you.

Yes, it’s entirely possible that you’re the target of this legal process. But if you’ve never been served with government process before, chances are good that if the subpoena is asking for disclosure about one of your users, customers, or subscribers rather than your business operations, it’s not about you. Your lawyer will tell you what the score is.

If it is about you, you will need to respond. However, for businesses that do a lot of transactions (data or financial) with the public, it’s much more likely that preservation letters, subpoenas, warrants, or other forms of request for information aren’t about the recipient but rather are about a user of the recipient’s service, e.g., someone who sets up an account to buy Bitcoin on a Bitcoin exchange.

2) Even though it’s (probably) not about you, don’t talk to the government without the assistance of counsel.

Your lawyers should be doing the talking if any talking is to happen at all. If you really feel the need to talk with the government about the data request, go talk to your lawyers, and we will talk with the government. We deal with this stuff for a living. You don’t.

Also in the don’t-talk-to-the-government column is that when you do communicate with the government you should be exceedingly polite. Do not do something like this or its written equivalent:

When you’re served with a data disclosure request by law enforcement your job is not to make a point, even if you’re a libertarian. Your job is, at minimum, to respond to the document request as completely as you can while also protecting your interests and the interests of your business. If you’re feeling particularly civic-minded, you could also say that by being responsive to law enforcement you’re helping to keep your fellow citizens safe.

It is possible to do this without acting like a jerk. If you get an e-mail containing legal process, you don’t have to respond right away (although generally it’s courteous to let the other side know it has been received, you can let your lawyer do that – more on that below). If a federal agent calls you on the phone, get his name, phone number, and e-mail address, thank him for calling, and let him know your lawyer will call him back.

3) Preserve all documents and data.

Don’t destroy or delete anything the request could have conceivably asked for. Back it up immediately.

4) Things to be aware of before you call your attorney

4A) There (probably) isn’t a rush to respond.

There (probably) isn’t a rush to respond; look on the face of the subpoena and it should have a deadline for production on it, and that date is likely to be several weeks or even a month from the date on which the subpoena has been served.

The primary exception to this is where the government is asking for disclosure of user/customer data on an emergency basis, due to the existence of a life threatening emergency, which the government can ask for under the federal Stored Communications Act.

America is a free country, so you aren’t required to comply with any information request that is unaccompanied by legal process; however, refusing such a request when the police have advised you that there’s a life-threatening emergency (a) isn’t a good look, (b) is going to really piss the government off and (c) means the government is likely to come back later with a subpoena or search warrant compelling the disclosure anyway, and they’re not going to be particularly friendly when they do.

If you run a large business, you already have a legal department that deals with these things. If you run a small business, you don’t, so make sure you have an attorney or member of in-house staff who is responsive. By this I mean when it’s 10:30 PM on a Saturday night and you get an e-mail from the FBI’s National Threat Operations Center requesting emergency disclosure of subscriber data, your attorney or staffer is willing to drop whatever he is doing to make himself available to field that request.

The law doesn’t sleep and neither can your compliance function.

4B) You (probably) don’t have to appear anywhere.

If you’re dealing with a grand jury subpoena, I know the document says in bold and all caps “YOU ARE COMMANDED to appear at the Marmot J. Squirrelstein Federal Courthouse on [date] blah blah.” There’s also (probably) another line, which is not in all caps, further down which says “In lieu of appearance you can provide documents” and that’s (probably) what the government wants. But you will want to confirm that with your lawyer.

4C) Don’t tell any third parties about the information request. In-house, ensure knowledge of government requests is kept on a need-to-know basis.

Document preservation requests, subpoenas and search warrants are often paired with non-disclosure orders that prohibit the recipient from discussing it with anyone except need-to-know staff and the company’s lawyers. Unless you have successfully challenged those orders, you must obey them.

Which brings us to the next step:

5) Call your attorney immediately after you’ve been served.

If you want to fight the order or object to the scope of disclosure, you can, but it’s not going to be cheap. If you’re a startup in the US without a sophisticated legal department with a big budget challenging a domestic US order will not be easy.

I know plenty of seasoned litigators who are experienced in this area and will be happy to refer you to them. In the alternative, call up the ACLU or the EFF, as Signal recently did to get a gag order lifted.

If you’ve never received a request for information, document preservation letter, national security letter, grand jury subpoena, administrative subpoena, search warrant, or emergency disclosure request before, call your attorney and he or she will help understand what kind of document you’ve received and what that document requires you to do – not all government data requests are the same, and not all are mandatory. Different agencies have different powers to ask for different kinds of information (and to prevent you from talking about the matter). Depending on what type of business you run, different statutory powers will authorize these requests and govern what your obligations are in relation to them.

If you’re based in the U.S., and the request comes from outside the U.S., you may have the option of refusing the request. Or you might not, if the request was validly made under a Mutual Legal Assistance Treaty, or “MLAT”, agreement. Your lawyer will help you parse your options.

If you have received a data request before, you should already have a protocol in place for dealing with them. Which brings me to my next point…

6) Plan ahead.

With any online business it’s possible to almost fully automate data production. You will need to balance the ease of automation with the requirement for data security. Err on the side of security.

The bulk of the U.S-source requests you will get will be subpoenas. Subpoenas issued under a particular statutory authority tend to request the same type of information as every other subpoena issued under that authority, and businesses tend to focus on particular types of commercial activity, so you should have a pretty good idea ahead of time what sort of information you’re going to be asked to provide.

Make sure you have a system in place where a small number of highly trusted staff have the ability to securely pull the requested data and provide it to law enforcement on short notice.

7) Your company can have a productive dialogue with law enforcement, but you have to let your lawyers do the talking.

In my experience, law enforcement officers and state prosecutors are courteous, highly professional people. However, they have a job to do. The mission comes first.

There’s no reason why you and your business can’t be on good terms with law enforcement or even helpful to law enforcement. However, your first concern should be to ensure that, in all your dealings with law enforcement, your interests are protected. The best way to do that is to run communications with law enforcement through your attorney and in writing.

For example. Suppose that one day, a few weeks after your lawyer provided a response to a subpoena, a friendly FBI agent calls you up and asks to have a casual sit-down over coffee to trade notes. She’s a nice person with a friendly demeanor, is just passing through town and is interested in Bitcoin and all things crypto.

You will think having that sit-down is a good idea, because you want to be helpful, don’t want to be rude and hey, it’s always nice to meet new people operating in your space.

Always decline these requests. At the very least, let your lawyers know that you’ve been contacted. If you want to be of assistance to law enforcement, be of assistance – through your attorneys. Ethereum dev Virgil Griffith had several such sit-downs and he has had to hire the best criminal defense lawyer in Bitcoinland, Brian Klein, to clean up the mess. Even if you are completely innocent of any offense, as most people are, let your lawyers do the talking.

Law enforcement will understand completely if you refer them to your counsel. They won’t think of you as rude. If they were in the same position, it’s what they would do.

And that’s it!

In conclusion

Summing up, if you run a business in crypto, and that business has users from the general public, it’s a virtual certainty that, at some point, the government is going to ask you to provide information in connection with an investigation.

Generally, these requests pertain to the commission of serious crime. Generally these requests are neither capricious nor unreasonable.

Dealing with these requests, and dealing with law enforcement generally, can be easy or hard. Regardless of one’s politics, keeping your business on good terms with the state is, generally speaking, the better business decision, if for no other reason than the fact that the U.S. government is bigger than you and has unlimited money and time.

Lawyers, Guns and Bitcoin

I was on the Guns & Bitcoin podcast with Ragnar Lifthrasir this week talking about financial censorship, mob-driven extrajudicial denial of service attacks (MEDOS, like DDoS) and how to legally circumvent it.

Listen at any of the following links (links to slide deck in show notes):

With apologies to Warren Zevon.



Not Legal Advice, 1 December 2019 – Stablecoins, North Korea, and Guns

Welcome back to Not Legal AdviceIt’s been two weeks since the last update, so there’s no point wasting time with a long preamble – let’s get right down to it. This week:

  1. FinCEN issues stark warning to stablecoin administrators.
  2. Ethereum Foundation Head of Special Projects, former Enterprise Ethereum Alliance Mainnet Working Group Chair accused of assisting North Korea to evade sanctions
  3. Supreme Court denies cert in a Section 230 Communications Decency Act case,  Daniel v. Armslist, No. 2017AP344 (Wis. Ct. App. Apr. 19, 2018)

1) FinCEN issues stark warning to Stablecoin administrators

Not much to say here except that FinCEN has fired a shot across the bow of MakerDAO or similar schemes which hold themselves out as decentralized protocols, but also carry out money transmission-like functions. From FinCEN Chairman Kenneth Blanco:

“Because we are technology-neutral, we can say with complete clarity that for AML/CFT purposes, it should be understood that transactions in stablecoins, like any other value that substitutes for currency, are covered by our definition of ‘money transmission services’,” Blanco said.

“This means that accepting and transmitting activity denominated in stablecoins makes you a money transmitter under the [Bank Secrecy Act]. It does not matter if the stablecoin is backed by a currency, a commodity, or even an algorithm – the rules are the same. To that point, administrators of stablecoins have to register as [money services business] with FinCEN.”

Pretty stark. However, seeing as no regulatory action has been brought against a stablecoin to date (apart, perhaps/unconfirmed, from Basis, which shuttered its doors rather than launch) whether any particular unlicensed stablecoin is determined to be money transmission, and on whom the liability for operating it will fall, remains to be seen. Although FinCEN will have a lot of options if they choose to wade into the paddling pool. As I put it on Twitter:

2) Ethereum Foundation Head of Special Projects, former Enterprise Ethereum Alliance Mainnet Working Group Chair accused of assisting North Korea to evade sanctions

From the DOJ:

[Virgil Griffith is accused of violating the] International Emergency Economic Powers Act (“IEEPA”) by traveling to the Democratic People’s Republic of Korea (“DPRK” or “North Korea”) in order deliver a presentation and technical advice on using cryptocurrency and blockchain technology to evade sanctions. GRIFFITH was arrested at Los Angeles International Airport yesterday and will be presented in federal court in Los Angeles later today…

…As alleged, Virgil Griffith provided highly technical information to North Korea, knowing that this information could be used to help North Korea launder money and evade sanctions. In allegedly doing so, Griffith jeopardized the sanctions that both Congress and the president have enacted to place maximum pressure on North Korea’s dangerous regime.

…Despite receiving warnings not to go, Griffith allegedly traveled to one of the United States’ foremost adversaries, North Korea, where he taught his audience how to use blockchain technology to evade sanctions. By this complaint, we begin the process of seeking justice for such conduct.

Whilst Griffith is innocent until proven guilty, the complaint doesn’t look great. Griffith apparently posted about his visa application process and intent to travel to North Korea publicly on his Twitter account. Other members of the Ethereum community failed to challenge and, in some cases, encouraged Griffith to make the trip. Griffith voluntarily consented to not one, but two interviews with the FBI, presumably without the assistance of counsel, in which he, among other things, admitted the conduct, admitted he intended the conduct and admitted he wanted to renounce his U.S. citizenship.

A photograph of brave U.S. Marines fighting to save democracy in Korea, in case Ethereum people need a reminder of which side they’re supposed to be on.

There are really only three things I have to add to this.

First: anyone who made a lot of money in Ether should understand that just because you made one good investment back in 2014, and haven’t had to do any real work since, doesn’t mean you are a polymath. More likely (but certainly not in all cases), you’re a dumbass and you got lucky. Somewhere, out there, your doppelgänger mortgaged his house twice to invest in Algorand shortly after it listed on Binance. He was ruined. You were not.

This is not to begrudge your legal if not moral entitlement to your wealth, which you won with a roll of the dice, fair and square. It is simply to say that however clever you may think you are, you are not clever enough to go toe-to-toe with the FBI without the assistance of counsel. No one is.

Second, this is an appalling governance failure by the Ethereum Foundation and the Enterprise Ethereum Alliance, two organizations principally concerned with promoting the adoption of the Ethereum cryptocurrency, and in which Griffith apparently held senior positions.

From what I can glean from the indictment, the purpose of the trip was principally to market Ethereum to the North Koreans as a sanctions-evading tool. Yes, North Korea using your coin will drive up demand for that coin. But it’s North Korea. Someone should have prevented Griffith from making this trip. Someone should have told him his position would be untenable if he went. The Ethereum community, its organizational bodies, and its leadership should have, when faced with the choice between the United States and North Korea, unapologetically and emphatically chosen the United States.

That’s not what happened.

There are things more important in this world than getting your favorite coin to the moon. Crypto is a high risk business as it is and private companies, consortia and nonprofit foundations alike need to be mindful of increased exposure arising due to the actions of rogue senior employees who wander off the reservation.  If someone in your organization is going to do something like this, no matter how much crypto he might hold, no matter how much of an OG he might be, tell him “no.” If for whatever reason he insists on continuing, fire him.

Third and finally, all that remains, as with other federal criminal proceedings against early Ethereum participants such as Stephen Nerayoff, is to watch this play out.

3) Supreme Court denies cert in a Section 230 Communications Decency Act case, Daniel v. Armslist, No. 2017AP344 (Wis. Ct. App. Apr. 19, 2018)

Armslist was a big Section 230 case in which a gun marketplace website which is basically “Craigslist for Guns,”,  was sued by the survivors of a victim of a shooting that involved the use of a gun purchased through the site.

Plaintiff Daniels lost at first instance, won on appeal, and lost again at the Wisconsin Supreme Court. Last week SCOTUS denied cert, ending the case.

As told by the plaintiff’s cert petition, the plaintiff alleged that:

after years of threats and violent abuse, Zina Daniel Haughton (“Zina”) obtained a domestic abuse restraining order against her estranged husband, Radcliffe Haughton (“Haughton”). The order, issued by the Milwaukee County Circuit Court to protect Zina, prohibited Haughton from possessing a gun, and made him a “prohibited” firearms purchaser under federal and state criminal laws. But Haughton knew how to easily circumvent the law and the order. He went on the Internet and visited is an online gun marketplace specifically designed to facilitate the illegal purchase of firearms by people like Haughton, who the law forbids from buying guns.

Note: the contention that Armslist is intentionally designed to facilitate unlawful firearms transfers is both material and disputed. Assume for the moment what the Wisconsin Supreme Court found, which is that Armslist is intended to be used for lawful commerce in arms, even if site users are able use it for unlawful purposes.

But I digress. The plaintiff continues:

As intended by’s negligent and intentional design features, Haughton found a person willing to sell him a gun, Devin Linn (“Linn”), and quickly and easily obtained a handgun and three high-capacity magazines in an all cash deal consummated in a McDonald’s parking lot three days after the restraining order was issued. The next day, Haughton used the gun he purchased via to murder Zina and two of her coworkers and wound four others before killing himself.

For this, the plaintiff sued Armslist, alleging numerous tort claims “including, inter alia, negligence, negligence per se – based on the violation of firearms laws – negligent infliction of emotional distress, civil conspiracy, aiding and abetting tortious conduct, public nuisance and wrongful death.”

Background: the law relating to buying a gun

There’s a lot to unpack here, particularly for my overseas readers, so let’s provide a bit of background before we continue. I preface this with the warning that this column is called Not Legal Advice for a reason, so the following is definitely, 100% not legal advice, as indeed nothing on this site is legal advice. I charge for that, and if I haven’t charged you, it’s not advice.

America is well known for being one of the few countries in the world which has very strong legal protections for civil rights as envisioned in the Enlightenment, including free speech, the right to be free from unreasonable searches and seizures, and the right to civilian firearms ownership.

The primary legal rule which protects firearms ownership in the United States is the Second Amendment to the U.S. Constitution, ratified in December 1791, which states that “a well-regulated militia, being necessary for the security of a free state, the right of the people to keep and bear arms shall not be infringed.” Much ink, digital and otherwise, has been spilled over the centuries about this legal provision; the law, as stated in District of Columbia v. Heller 554 U.S. 570 (2008), is that this provision generally protects an individual right to own firearms in common use. The “militia” language which many a commentator foreign and domestic get hung up on has been ruled prefatory, not operative, and does not operate to restrict what the Court has deemed to be an individual, and not a collective, right.

This does not, however, mean that firearms ownership in the U.S. is a legal free-for-all where any man can own any weapon and use it in any manner he pleases. In fact, firearms ownership and use are very tightly regulated, although regulations can be more or less stringent depending on what state (and in some exceptional cases, such as New York or San Francisco, what city) one finds oneself in.

Generally speaking there are two layers of regulation, mirroring America’s two layers of sovereignty: federal, which primarily concerns itself with interstate transactions in firearms, and state-level, which must apply the federal rules for transactions in interstate commerce, but are free to adopt less stringent regulations for transactions which occur entirely within their own borders.

The principal federal rule on firearms transfers that one encounters in daily life is found at 18 U.S. Code § 922(a)(1), which states in relevant part that

“It shall be unlawful— (1)for any person— (A) except a licensed importer, licensed manufacturer, or licensed dealer, to engage in the business of importing, manufacturing, or dealing in firearms, or in the course of such business to ship, transport, or receive any firearm in interstate or foreign commerce”.

The short version of 922(a)(1) is this:

  • if you sell a gun across a state line, you do so as a regular business or trade, and you don’t have a federal firearms license (an “FFL”, which acronym is used to refer to both the license and licensees interchangeably) you’re going to jail.

Then there’s 922(a)(5), which states it is a crime:

(5) for any person (other than a licensed importer, licensed manufacturer, licensed dealer, or licensed collector) to transfer, sell, trade, give, transport, or deliver any firearm to any person (other than a licensed importer, licensed manufacturer, licensed dealer, or licensed collector) who the transferor knows or has reasonable cause to believe does not reside in (or if the person is a corporation or other business entity, does not maintain a place of business in) the State in which the transferor resides; except that this paragraph shall not apply to (A) the transfer, transportation, or delivery of a firearm made to carry out a bequest of a firearm to, or an acquisition by intestate succession of a firearm by, a person who is permitted to acquire or possess a firearm under the laws of the State of his residence, and (B) the loan or rental of a firearm to any person for temporary use for lawful sporting purposes;

Short version:

  • If you’re a private seller you can’t transfer a gun to someone who isn’t a resident of your state, unless it’s part of a decedent’s estate and the transfer is being effectuated pursuant to a will or intestate succession.

Then there’s also 922(b)(3), which states

(b)It shall be unlawful for any licensed importer, licensed manufacturer, licensed dealer, or licensed collector to sell or deliver—
(1)any firearm or ammunition to any individual who the licensee knows or has reasonable cause to believe is less than eighteen years of age, and, if the firearm, or ammunition is other than a shotgun or rifle, or ammunition for a shotgun or rifle, to any individual who the licensee knows or has reasonable cause to believe is less than twenty-one years of age;
(2)any firearm to any person in any State where the purchase or possession by such person of such firearm would be in violation of any State law or any published ordinance applicable at the place of sale, delivery or other disposition, unless the licensee knows or has reasonable cause to believe that the purchase or possession would not be in violation of such State law or such published ordinance;
(3)any firearm to any person who the licensee knows or has reasonable cause to believe does not reside in (or if the person is a corporation or other business entity, does not maintain a place of business in) the State in which the licensee’s place of business is located, except that this paragraph (A) shall not apply to the sale or delivery of any rifle or shotgun to a resident of a State other than a State in which the licensee’s place of business is located if the transferee meets in person with the transferor to accomplish the transfer, and the sale, delivery, and receipt fully comply with the legal conditions of sale in both such States.

Short version:

  • An FFL can’t sell a handgun to anyone under 21 or a rifle to anyone under 18.
  • An FFL can’t sell someone a firearm to a resident of another state if they’re not allowed to have it pursuant to the laws of that state, i.e. a resident of Connecticut cannot drive to New Hampshire and buy an AR-15 from an FFL.
  • An FFL can’t sell a handgun to someone who doesn’t reside in their state, although they can sell a rifle or shotgun if (a) the buyer meets with the FFL in person and (b) the sale would be kosher in both states.

All these rules mean the process of selling guns across state lines can be a little clunky. By way of worked example, Alice Atlanta is a hobbyist collector of firearms. If Alice Atlanta wants to sell a handgun – let’s say a Glock 19, arguendo – to Bob Birmingham, Alice would need to

  • transfer the firearm to an FFL in Georgia,
  • the Georgia FFL would need to ship the firearm to an FFL in Alabama, and
  • Bob would need to acquire the firearm directly from the Alabama FFL.

Ordering from an online store similarly requires the online store to transfer to an in-state FFL of the recipient, rather than shipping direct to the recipient, and the in-state FFL will then customarily charge a handling fee to the ultimate purchaser on top of the purchase price.  If Alice transferred the firearm to Bob on the sly in a parking lot in Gadsden, Alice would be breaking the law. If Alice were actually running a business out of the back of her car, and not just a mere hobbyist, she’d be breaking two laws.

Another federal rule involves background checks. Specifically, 18 U.S. Code § 922(t), which states in relevant part that 

a licensed importer, licensed manufacturer, or licensed dealer shall not transfer a firearm to any other person who is not licensed under this chapter, unless— (A)before the completion of the transfer, the licensee contacts the national instant criminal background check system [note: known as “NICS”] established under section 103 of that Act; (B) (i) the system provides the licensee with a unique identification number; or (ii) 3 business days (meaning a day on which State offices are open) have elapsed since the licensee contacted the system, and the system has not notified the licensee that the receipt of a firearm by such other person would violate subsection (g) or (n) of this section; and (C)the transferor has verified the identity of the transferee by examining a valid identification document (as defined in section 1028(d) of this title) of the transferee containing a photograph of the transferee.

Short version:

  • if you are the recipient of a transfer of a firearm from an FFL you need to present photo ID and you either need to (a) pass an instant background check through NICS, the national criminal database, or (b) NICS needs to fail to come back with an answer within three business days of asking NICS whether you’re legally allowed to own a gun, before you can take possession of that gun.

Acting in concert, what these provisions do is require any interstate transfer to go through an FFL and pass a background check.

When a gun doesn’t cross a state line, however, this is not currently the province of the federal government, but rather it is a matter for the states. Even if the federal government could constitutionally assert jurisdiction over intrastate transactions (which, given the historically overbroad application of the Commerce Clause, it probably could) there simply hasn’t been the political will to do it for over 50 years. As a consequence, states have different and highly varied rules around firearms transactions that occur within their own borders.

I am not a Wisconsin lawyer, but Wisconsin’s rules, according to the Giffords Law Center, allow private sellers to transfer firearms between one another without performing a background check, which is completely legal federally as long as a state line isn’t crossed.

Armslist is, for the purposes of these transactions, like Craigslist, a classifieds site, which doesn’t perform diligence on the postings made on it. It matches the buyers and sellers, but does not perform any diligence or enforce specific compliance rules for each transaction. It is conceivable that all of the transactions on Armslist are legal; it is up to the users to actually put in the work to comply with local and federal laws, which they often do not, with attendant state and federal consequences.

Back to Daniels’ (failed) attempt to disapply Section 230 in Armslist

But Armslist is being sued here, not its users. Daniel argued that Armslist should be held liable for users’ misdeeds as it was providing its services in bad faith, in that

Armslist designed the site to easily facilitate firearms sales for otherwise prohibited possessors, like Zina’s husband. For example, she alleged that Armslist allows a prospective purchaser to filter sellers to find “private sellers” that are not required to perform background checks before selling firearms. Nor does the website require users to create accounts but instead allows them to operate anonymously. She also alleged that Armslist does not take action to delete illegal or unlawful posts.

Based on all these features and omissions, Daniel’s complaint alleges that Armslist knew or should have known that its website would put firearms in the hands of dangerous, prohibited purchasers, and that Armslist specifically designed its website to facilitate illegal transactions.

Armslist invoked Section 230 of the Communications Decency Act (“Section 230”) in its defense.

I have written about Section 230 before. Section 230 is a provision of federal law that says, broadly, two things:

  • In Section 230(c)(1), platforms and users of those platforms are not liable for content created by other users (known in the statute as “Information Content Providers”).
  • In Section 230(c)(2), platforms are immune from liability for making good-faith moderation calls that result in material being removed from the platform.

Armslist is principally a Section 230(c)(1) action.

Those of you new to Section 230 should note that the immunity is very specific. It does not confer legal immunity upon a website simply because they are websites, as politicians like Sen. Josh Hawley falsely claim to push ill-conceived laws through Congress. Rather, it confers civil immunity and immunity from state laws for user-generated speech that  is posted on their platforms but which the website did not itself make. So, by way of example:  

  • Let us stipulate that rap megastar Dr Dre was born to human parents in Compton, Los Angeles County, USA, on 18 February, 1965.
  • Dre protégé and fellow rap superstar Snopp Dogg, also born and raised in L.A. County, maliciously accuses Dr Dre of being a Martian – i.e., an alien from the planet Mars – in a Facebook post, despite knowing that Dre was born in L.A. County. Dr Dre sues Snoop Dogg and Facebook for defamation. Facebook would be immune from Dre’s suit, thanks to Section 230.
  • Snoop Dogg accuses Dr Dre of being a Martian in a post on Facebook. Facebook issued a press release saying that it believed Dr Dre is in fact from the planet Mars, which is untrue, as Dr Dre is from Compton. Dre sues Snoop Dogg and Facebook for defamation. Facebook would not be immune from Dre’s defamation suit for the press release.

Those are extreme/clear cut examples. But what happens, for example, when:

  • Snoop Dogg takes out an ad on Facebook saying “Dr Dre is a Martian.” and Facebook  Ads representatives respond that referring to someone as a Martian is hate speech and suggest using the term “extraterrestrial” instead. Dre sues Snoop Dogg and Facebook for defamation.


  • Snoop Dogg takes out an ad on Facebook saying “Dr Dre is…” and Facebook has a pre-populated group of personal characteristics including “tall,” “a good rapper,” “a regular reader of the Financial Times” and “a Martian.” Snoop selects the “Martian” option and Facebook runs the ad. Dre sues Snoop Dogg and Facebook for defamation.

Tricky, right? In each case Snoop Dogg initiated the ad buy, Dre was defamed, and Facebook contributed to the content, even though it did so at the behest of the user and the user was responsible for the final sign-off of the published messaging. Under the right circumstances, this might be enough for Facebook to become an “information content provider” with respect to the statement – “information content provider” being defined as, per Section 230(f)(3),

any person or entity that is responsible, in whole or in part, for the creation or development of information provided through the Internet or any other interactive computer service. (emphasis added)

…and if Facebook is an information content provider, the Section 230 shield falls away. See e.g. FTC v. LeadClick Media, LLC, 838 F. 3d 158 (2016). In Leadclick an affiliate-marketing business which displayed deceptive advertisements was found liable for statements made in those fake advertisements because they provided feedback on the content of the advertisements. For example, “[making] a false advertisement [for a dietary supplement] appear ‘more realistic’ by lowering the amount of falsely claimed weight loss.” Even if a site isn’t the principal author, affirmatively developing user generated content created by someone else can be enough to make the Section 230 immunity fall away.

This principle extends to a website’s UI, even if the website isn’t affirmatively “saying” anything in the way that one might commonly understand the term. See Fair Housing Council of San Fernando Valley v., LLC, 521 F.3d 1157 (9th Cir. 2008). is a website which advertises room rentals. At one time, Roommates required users to “disclose their sex, race, sexual orientation, and whether they will bring children to the household in order to use the site” in drop down menus. Roommates also provided an “additional comments” box where providers of housing could specify their preferences for renters (e.g. “black males only,” “no children”).

Racial discrimination in housing is, of course, hugely illegal. When the Fair Housing Council sued Roommates, the case worked its way up through the courts until the 9th Circuit, sitting en banc, definitively disapplied the Section 230(c)(1) immunity for one aspect of the UI but upheld it for another. The court held that while Roommates was not liable for the (entirely user-generated) comments in the “additional comments” box, they were liable for the display of the protected characteristics of prospective renters from the mandatory drop-down menus and the discrimination that this information enabled. Put another way, when the website pre-populated the choices users could complete in the drop-down menus, the website, not the user, was doing the talking. And if that speech had legal consequences, Roommates could be sued for it. As Judge Kozinski put it in his majority opinion:

Roommate created the questions and choice of answers, and designed its website registration process around them. Therefore, Roommate is undoubtedly the ‘information content provider’ as to the questions and can claim no immunity for posting them on its website, or for forcing subscribers to answer them as a condition of using its services.

Armslist qua speaker: a business that walks right up to the line, but stays on the right side of it

There are two problems with going after Armslist, then. First is that nothing about what Armslist qua Gun Craigslist does is illegal under federal law. It is also entirely feasible that every single one of its users could use the site to engage in lawful transactions. As the Wisconsin Supreme Court put it,’s provision of an advertising forum and the related search functions are all “neutral tools” that can be used for lawful purposes. Sales of firearms by private sellers are lawful in Wisconsin. Further, private sellers in Wisconsin are not required to conduct background checks, and private sales are not subject to any mandatory waiting period. Accordingly, the option to search for offers from private sellers is a tool that may be used for lawful purposes…

Second and furthermore, Armslist didn’t “develop” the content users posted on the site, legal, illegal, or otherwise.

Despite the plaintiff’s assertions that Armslist was “specifically designed to facilitate” illegal arms transfers, the Communications Decency Act is specific: per the Wisconsin Supreme Court, “an interactive computer service provider will not be liable for providing neutral tools ‘even if a service provider knows that third parties are using such tools to create illegal content.'” Intent or knowledge are irrelevant since Armslist isn’t itself an information content provider, said the Wisconsin Supreme Court. The question when inquiring about Section 230(c)(1) is limited to “whether Armslist materially contributed to the unlawfulness of the third party content” such that Armslist itself became the information content provider.

The downfall of websites from Backpage to LeadClick is that site operators, keen to ensure that goods and services marketed on them appeal to users no matter how illegal those services might be, have been lured into messing with user-generated content in order to “improve” the user experience. In doing so they lower their Section 230 shield and expose themselves to civil and criminal penalties.

Armslist appears to have successfully resisted this temptation. If it hadn’t, Daniels might have been able to penetrate the Section 230 shield. But Armslist didn’t get involved with the post in question. Armslist was not an information content provider and could not therefore be civilly liable for the torts of the user, per the Wisconsin Supreme Court. Last week SCOTUS declined to overturn that decision.

A denial of cert doesn’t necessarily mean that SCOTUS agrees or disagrees with the Wisconsin court’s ruling. But it might suggest that the high court is aware of the strength of Section 230 to protect websites from litigation initiated by persons unhappy with the conduct of the sites’ users, and is in no mood – or finds no grounds – to overturn it. Entrepreneurs running their own websites should be aware, however, that Section 230 has limits and Armslist – a business that operates in an exceedingly high risk area – only escaped by not exceeding those limits.

How might have Armslist have gotten itself into trouble? Well if, like Roommates, its user interface made specific provision for illegal content, that might have been enough. For example: “Search for sellers willing to sell to prohibited possessors.” (For avoidance of doubt, Armslist has no such search function.) Or, like LeadClick, Armslist might have suggested changes to the wording of advertisements. Or Armslist might have developed an in-house seller ranking system that was not purely user-generated.

Long story short, if you’re running an interactive computer services business and some of your users are breaking the law, (a) discourage lawbreaking as much as you can, (b) cooperate with law enforcement, (c) make sure you don’t violate federal law and (d) let your users do the talking – resist the temptation to tweak user-generated content to make it look pretty. You’re a platform provider, not a seller. And, once again, this is not legal advice. If you need advice of this nature, you need to discuss your specific facts and circumstances with a licensed attorney in your jurisdiction.

Not Legal Advice, 18/11/2019 – The federal government needs to stop using the word “decentralization”

Welcome back to another edition of Not Legal Advice

One of the issues with a weekly blog series is that it is easy to get out of the habit of writing it if you miss one or two. Last week I was slammed traveling all over the East Coast so I didn’t have a ton of time to read or write – although running a solo practice is great, arguably the biggest downside is that you can’t delegate – meaning that clawing back time to write can be a challenge.

But dammit, I’m going to do this every week. This week, I have only one thing to talk about. And that’s the fact that the federal government can’t make up its mind about how to deal with Ethereum.

For those of you just joining the conversation, Ethereum is a cryptocurrency that was created following a $20 million initial coin offering, or ICO, in 2014, in which approximately 70% of the outstanding supply of the coin was sold.

Despite the fact that Ethereum was run in exactly the same way as every ICO the SEC has enforced against, in 2018 the SEC punted on regulating Ethereum following an intense lobbying campaign by Coin Center and other industry participants.

This year, the new Chairman of the CFTC Heath Tarbert has said the Ethereum-where-70%-of-the-tokens-were-sold-in-an-ICO-scheme is also not a security but a commodity falling under his jurisdiction. This was only last month.

Now, we are told, the planned migration of the scheme from proof of work to proof of stake will render the scheme, potentially, a security. CFTC Chief Heath Tarbert:

“Mining is, by its very nature, more decentralized as compared to a stake which reduces energy costs by giving it just one validator or a line of validators,” Tarbert said in response to a question whether ether 2.0 will be classified as securities.

This led to the somewhat unsatisfactory position that, in the eyes of the SEC and CFTC, something could start life as a security, transmogrify into a non-security, and then transmogrify back again after a code fork.

Where is the government coming up with this? Probably from the decentralization bros with a lot of money to spend on lobbying, such as Coin Center.

Ethereum bros of course, not to be outdone, swiftly retorted that mining was in fact the more centralized scheme because it costs money to… buy mining equipment?

“In ethereum’s PoS, the capital that you need to acquire to participate is much more readily available. … Converting capital into an asset that allows you to stake in the protocol is much cleaner.”

*silent screaming*

Where to begin with this. To start, there is no agreed-upon definition of “decentralization” anywhere. Anyone who says that there is such a definition has an agenda to push. And to the extent that the term means anything it’s a relative definition rather than a description of an irreversible, apotheotic end-state.

Mining may be accurately described as decentralized, if there are a wide range of validators distributed geographically widely, and there’s something to compare it against. So, e.g., we might say “the Bitcoin network’s mining is more decentralized than the Ripple Network’s validator nodes.” But Ripple might retort by arguing that “more than 50% of the Bitcoin network’s hashppower is controlled by 3 mining pools, whereas our UNL is more widely distributed.” I wouldn’t buy that argument, but it’s one that could be made. Which argument is correct or not depends on what your assumptions are.

Similarly, a network where stake is widely distributed and which requires a 7-out-of-10 vote to append a new block, such as a Tendermint node, might well be more decentralized than either if enough small validators band together to run the network on their own. What if we start out with four thousand stakers and gradually a handful, say one hundred, buy up most of the outstanding stake? Well then it might have fewer validators than Bitcoin and more than Ripple, but more “pools” than Bitcoin and fewer independent operators than Ripple.

All of these statements are correct in their own way. They’re all contradictory in their own way, too. Which indicates, at least to me, that using “decentralization” as a metric to determine whether something is or is not an investment contract – as the much-vaunted Hinman Test seeks to do – really is not a good idea, because nobody knows what the word means. Yet our regulators keep using this word, and coin bros keep encouraging them to, because asking whether a system is truly decentralized or not is like asking how many angels can fit on the head of a pin. Decentralization is a relative measurement, not a platonic ideal.

Now perhaps – and bear with me here – a better measure of determining whether a scheme is or isn’t an investment contract is to look at how the scheme began and, where there’s a premine which is pre-sold, a view is taken as to the nature of the instrument arising therefrom. Schemes like Bitcoin which arise from work and boot-strapping fall outside of the regulatory perimeter and schemes that do otherwise do not.

Such an approach would be consistent with most of the enforcement which has occurred to date. It would not be consistent with the treatment of Ethereum, for indeed nothing is consistent where Ethereum is concerned, and that confuses the hell out of everyone.

The “decentralization” test confuses the market and is not fit for purpose. Nobody knows what “decentralization” means. Even if we did, as I mentioned, decentralization is a relative rather than absolute measure.

Absolute measures create certainty in the marketplace. And although Howey is not absolute, I can think of one absolute measure which would be entirely consistent with the SEC’s enforcement and coin schemes’ compliance attempts to date – entirely consistent, that is, if Ethereum had been brought into the regulatory perimeter instead of being treated as some kind of outlier. Treat presales of coins (not coupons) as dispositive and abandon the idea that something can start life as a security, transmute into a non-security and then, as a consequence of a code fork, revert back again – which is the current view of the regulators.

As I always say when this issue comes up, I know of no precedent for this anywhere in American law and have yet to have anyone point one out to me in six years of asking this question.

And here is a picture of a marmot.


Not Legal Advice 11/9/19 – Dai hits $100 million; Crime doesn’t pay; FBI Director Wray speaks to Congress

Welcome back to this week’s edition of Not Legal Advice!

Once again, I’ve been remiss in typing up my weekly newsletter on a weekly basis due to travel – one of the downsides of solo practice is that one has no minions to dispatch to the far sides of the world – and this time, to San Francisco, where I did a panel with the inimitable Josh Stein of next-gen digital securities firm Harbor, among others, at SF Blockchain Week. Well done to the organizers for putting on a great conference.

This week’s a short one, as there really hasn’t been a whole lot in the last 14 days that I’ve found particularly interesting:

  • Dai hits $100 million in outstanding CDP contracts; crypto bros still don’t understand risk
  • Crime doesn’t pay: an update on the Brian Haney arrest
  • FBI Director Christopher Wray talks crypto to Congress.

1) Dai hits $100 million in outstanding CDP contracts; crypto bros still don’t understand risk

The Block reports:

The number of outstanding Dai has reached the protocol’s built-in “debt ceiling” of 100 million— an all-time-high for the nearly two-year-old stablecoin project. CDP 15336 minted the Dai that boosted the outstanding supply to its limit.

MakerDAO, the issuance platform behind Dai, had an original Dai debt ceiling of 50 million, which was raised to 100 million in July 2018. The MakerDAO team and community members plan to execute a governance vote this Friday to raise the debt ceiling by an additional 10-20 million.

Yes, a “decentralized stablecoin protocol” has “governance votes.” I’m not sure either.

The Block continues:

Early last week, the Maker Foundation announced that it will be rebranding its Collateralized Debt Position (CDP) in preparation for its November 2019 Multi-Collateral Dai (MCD) release. The new user interface of the Maker Protocol after the release of MCD will label CDPs as “Vault.”

What is “Dai,” I hear you ask? Dai is a so-called “stablecoin,” a cryptographic token which is designed to always hold a peg to a fixed, external unit of account – in Dai’s case, the U.S. dollar.

Dai accomplishes this, we are told, through a series of smart contracts on the Ethereum blockchain which issue the Dai coins and lock up an amount of Ether in excess of the Dai as collateral to back the “loan” which has been issued. This was known as a “collateralized debt position” but, perhaps because the organizers of the scheme have some dim awareness of the regulatory consequences of issuing securities which are backed by collateral pools and making them available for public sale, the Dai people are now changing the terminology of these smart contracts to “vaults.”

CDPs/Vaults expire in one of two ways. First, someone can pay back the Dai debt plus interest, which the scheme promoters misleadingly refer to as a “stability fee,” at which point the CDP dies and the locked Ether in collateral is returned. “Stability fees” can only be paid in MKR, another shitcoin which was issued by the original scheme organizers. In the alternative, if e.g. the value of the collateral pool is impaired, the CDP may be liquidated and the collateral used to repurchase Dai from the marketplace to ensure all Dai are backed by a quantity of Ether with a dollar value that is greater than or equal to the dollar value of all Dai in circulation.

How this works is a little complicated, but the team over at Reserve summarizes it well:

The process by which this happens is somewhat complicated. It involves two different on-chain auctions that try to raise enough capital to make the CDP debt free. To fully understand the process, you may have to spend some time thinking it through after reading it. If you don’t fully get it, don’t sweat it: full understanding is not necessary for following the rest of the analysis.

Here is how it works: first, a “debt auction” tries to repay the CDP’s debt through MKR dilution. The debt auction buys Dai, paying with newly minted MKR. The Dai is burned, to cancel the CDP’s outstanding Dai debt. The purpose of the debt auction is to ensure that the debt is repaid even if there is insufficient collateral in the CDP to repay the debt.

Simultaneously, a “collateral auction” buys MKR with the CDP’s collateral. The collateral auction sells enough collateral to cover the debt, accumulated interest (called the “stability fee”) and a liquidation fee. In Single-Collateral Dai, the liquidation fee is 13% of the collateral in the CDP — that is, they take 13% of the user’s locked up collateral capital when a user’s CDP gets auto-liquidated. The smart contract finally returns the remaining collateral to the CDP holder and burns all purchased MKR.

This is all, ultimately, just a complicated and extremely long winded procedure to repackage exposure to Ether in such a way as to drive demand for the MKR token. It is really only useful if you either (a) have a bunch of Ether and want to lever up and go long on more Ether or (b) you want to use a smart contract to obfuscate the source of your funds, which is something you really should not do.

The entire system is vulnerable to adverse movements in both ecosystems. As Dai is now expanding with “multi-collateral Dai” which is backed by many different kinds of coins, soon it will be vulnerable to adverse movements among a range of different cryptocurrencies.

The risk has not gone away. It has merely changed form. DeFi Bros have difficulty understanding this. e.g.

Current mood:

Long have I had suspicions about whether Dai is for real. My skepticism about the scheme before it launched was reinforced when the loss of one bot on one sketchy overseas exchange operated by an unnamed “third party market maker” resulted in the Dai dollar peg not just breaking, but shattering, until the bot was restored. Put another way, the brilliance of the Dai stablecoin system – at least back then – wasn’t the reason Dai held its dollar peg. A bot was.

And this isn’t me saying this. It’s the founder of MakerDAO, Rune Christensen.


Put another way: back in 2018, the volume on busiest market in Dai by far, on a $1 million trading day, dropped to $300 when a single bot went down.

DeFi Bros struggle to understand why this is also problematic.

“In reality Dai remained stable on all other exchanges” is a worthless argument in that context. The context being that we just discovered that a huge chunk of the market was not bona fide trading. If most of the volume of the coin can be traded by one bot, were we wrong to trust the numbers before the bot was discovered? What reason do I have to trust the numbers now? What reason is there to trust the rest of that volume on other exchanges? How do I know they’re legit?

I’m not saying here that the MakerDAO team knows anything about these bot operations. Far from it. Indeed, Rune refers to a “third party market making bot.” A third party with whom I should greatly like to speak who, apparently, never decided to reveal him or herself to the world.

I don’t know who operated the bot. I also don’t know how the bot operator communicated this information about bots on Bibox (the exchange) to the wider world. I don’t know why they were spending all that time wash trading on Bibox or what they stood to gain from it. I don’t know why the wider crypto community and stablecoin bros alike were not the least bit distressed by this event. All I know is that it happened, and I have never seen an explanation for why the scheme should have worked when that bot was up yet it broke catastrophically when that bot was down, as occurred in January of 2018. In the last two years, journalists haven’t followed up.

What I do know is that there’s no magic or innovation in wash trading around a fixed price point to make a market look real, on the off chance that is indeed what’s going on.

Charts of derivatives that are repackaged exposures to Ether should look like they are repackaged exposure to Ether. Dai does not. In the eyes of a dispassionate observer this should raise questions about market integrity. When Dai first broke its peg in early 2018, daily trading volume was around $1 million and the total market cap was around $3 million. Now, daily trading volume has reached highs of up to $50 million. All of which is to say that to the extent that bot training wheels first put in place back in the day are still in place, those training wheels are being asked to hold up an increasingly large rider and will be placed under greater degree of stress.

I stand by my prediction, first made in 2017, that Dai will eventually implode. But for the bots, after it fell on its face in 2018 it would have stayed down, just like previous collateralized stablecoin schemes such as BitUSD and NuBits, both of which failed (in BitUSD’s case, it failed after five days). The bigger the scheme becomes, the more difficult it will be for Dai’s training wheels providers – mysterious figures in the shadows, operating bots that generate volume for fun and profit – to hold back adverse market movements.

If we learned anything about risk-obfuscating schemes from the global financial crisis, we know this: the bigger they get, the harder they fall.

2) Crime doesn’t pay: Silk Road trafficker pleads guilty

Breaking the law is bad and dumb. Breaking the law with cryptocurrency is exceedingly dumb. Hugh Brian Haney was arrested in July of 2019 in relation to Silk Road activity dating back to 2012; this week he pleaded guilty to two charges and now faces a maximum of 30 years in prison.

3) FBI Director Christopher Wray talks crypto to Congress.

Which brings us to our next news item. An interesting fusion of the crypto-means-cryptography universe and the crypto-means-cryptocurrency universe happened in Congress this week. As reported in CoinDesk:

Wray noted encryption is touching every aspect of emerging tech such as instant communications:

“Whether its cryptocurrency, whether it’s default encryption on devices and messaging platforms; we are moving as a country and world in a direction where if we don’t get our act together money, people, communication, evidence, facts, all the bread and butter for all of us to do our work will be essentially walled off from the men and women we represent.”

First, to clear something up: most cryptocurrencies DO NOT encrypt communications. Bitcoin is chief among these crypto-critters-that-don’t-encrypt-transactional-data. Bitcoin really only shields one bit of data – the private keys of the users – from government surveillance. But it doesn’t stop the government from tracking what different keyholders do and how funds on the Bitcoin blockchain move around.

Some privacy coins, such as Monero or ZCash, do encrypt transactional information. Opinions as to which method of encryption is superior and e.g. the merits of ZCash doing a weird international math druid ritual to generate the coin’s SNARK public parameters are legion and do not bear repeating here. What does bear repeating here is that it would be very foolish to presume that these encryption methods will be secure forever.

Second, we should be cautious before we throw encryption out the window. Crypto that can be defeated by the FBI can be defeated by anyone (which isn’t a dig at the FBI, it’s just reality – Fort Knox wouldn’t be safe if it had a secret, unguarded, publicly-accessible back-door, and neither is code under the same circumstances).

I have yet to watch the entire hearing (and will likely do so tomorrow) but from this little, brief tidbit, what’s interesting from my point of view is how cryptocurrency and cryptography are starting to crop up in the same breath. And, unlike the 2010s where the interesting tech was about sharing cat pictures, virtually all of the interesting tech I can think of operates in this weird zone of enabling dissenters, since platforms like Twitter and Facebook are essentially tools of the hard-left anti-Trump #resistance establishment now.

As my friend and Israeli secret agent Maya Zehavi observed:

And I added:

What a time to be alive.

Here’s a picture of some marmots, licensed under the Pixabay license.