Congress urged to defend privacy and security in light of crypto
Crypto is either dead or alive, awaiting regulation to get rid of the ‘crypto contagion’. Meanwhile, blockchain technology – the virtual public ledger technology that records crypto transactions – is very much alive and well, as evidenced by new applications in healthcare, transportation and real estate.1
Even crypto-skeptics who derisively blame “magical thinking” for infecting a generation of investors agree that there is at least a potential legitimate use for crypto “as part of new payment systems using blockchain technology” for things like “sending money internationally more effectively and cheaper than today’s systems.”2
For these and related reasons, twenty-eight technology organizations, including various blockchain alliances, last week called on US lawmakers “for the sake of freedom and democracy” to defend the privacy of ordinary people, arguing that software developers in the US are “being chilled by clumsy, misguided laws and regulatory actions.”3
To be clear, it’s not as if lawmakers have been sitting on their hands. In 2021, at least 45 states introduced or considered more than 250 privacy and security laws, and 36 states passed such bills. In 2022, thirty-seven states considered pending legislation regarding cryptocurrency, digital or virtual currencies, and other digital assets.4
In their letter, however, open source and decentralized project leaders focused not only on the right to privacy but also the “right to code” and called on lawmakers to:
Oppose legislation that criminalizes writing code for privacy-preserving tools,
Support tools that give individuals and communities control over their data,
Allow encryption and anonymity vs. pro-surveillance protection, and
Encourage tools that safeguard data privacy and security.
These are not new concerns. On 9 March 2022, some of these were highlighted in the Executive Order on Ensuring Responsible Development of Digital Assets, which sought to ensure “that digital asset technologies and the digital payment ecosystem are developed, designed and implemented” with privacy and security in their architecture.5
The Executive Order also called on the heads of relevant agencies such as the Federal Trade Commission (FTC), “to ensure that digital assets do not pose undue risk to consumers, investors or businesses, and to put safeguards in place as part of efforts to expand access to safe and affordable financial services.”
On September 16, 2022, the White House went a step further and released a fact sheet titled “First-Ever Comprehensive Framework for Responsible Development of Digital Assets,” which seeks to secure rights similar to those requested by the blockchain developers in their letter to lawmakers: “protect national security, respect human rights and align with democratic values.”6
In addition, the White House again asked the FTC to pursue enforcement actions against illegal practices and to redouble its efforts to monitor consumer complaints and enforce against unfair, deceptive or abusive practices. Just over a month later, the FTC announced a decision it said would have a “100% chance of far-reaching” impact.7
On October 24, 2022, the FTC announced a settlement against online alcohol delivery platform Drizly and its CEO for a data breach that exposed the information of 2.5 million consumers. Drizly is relevant to the Executive Order and fact sheet because it provides a roadmap for how to be bold about data protection and security for open source technology.
As highlighted in the press release, the FTC settlement with Drizly follows a recent FTC trend of “requiring a firm to minimize its data collection” — to ensure companies only collect what they need — and a recent notice of proposed commercial surveillance rules, “the business of collecting, analyzing and profiting from information about people.”8
As in Drizly, US lawmakers and technology organizations should be bold in at least adopting the conditions deemed necessary to anticipate the “technological changes” affecting the “right to code” by doing the following:
Implement practices that reduce or prohibit the collection of consumer data that is not necessary for pre-specified business purposes;
Implement a comprehensive security program that includes multi-factor authentication and prevention mechanisms for unsecured data;
Implement practices covered in previous decisions that have emphasized conducting regular risk assessments and incident response planning; and
Create a public retention plan for certain types of data, including timeframes for possible deletion of stored data.
At a minimum, organizations should comply with the mandate included in recent FTC rulings that require organizations, “in light of any changes in operations or business arrangements” or “new or more effective technological or operational methods,” to evaluate and adjust their security programs to manage new and related risks.9
1 See e.g. and
2 Cryptocurrency – Cryptoscam – Why Regulation, Deposit Insurance and Stability Matter by George Sutton (pages 18-26).
© Polsinelli PC, Polsinelli LLP of California
National Law Review, Volume XIII, Number 24