Book Review: Privacy and Identity Issues in Financial Transactions, by Carolin Kaiser

I am reading this excellent 2018 dissertation on a well deserved recommendation by Simon Lelieveldt. It is an extensive discussion of money laundering and data protection human rights standards. The main thesis of the book is that anti money laundering law is not compatible with basic human rights standards. I approve. For the very least, there is an urgent need to draw some red lines to limit the system to something reasonable.

Also there is a need to stop it from growing uncontrolled. I will not discuss recent Commission proposals on reforming the system with a view to Bitcoin here. But if it is true that the present system is already overreaching, one would of course need to oppose any extension of the mass surveillance.

The book discusses some of the history of the system, which started with the 1970 Bank Secrecy Act in the United States. I could not find a discussion of the 1974 Supreme Court case California Bankers Assn. v Shultz in the relevant section (chapter 2 d. i.). I think it is important in this context for its dissenting opinions. The reasons stated there seem still valid, and much more so in the present context. I did learn that the administrative law provisions were in force much earlier than any criminal law, which came only in 1986.

I also think mentioning the 1998 United States v. Bajakajian case might have been of interest, since the Supreme Court ruled that the government may not confiscate undeclared cash a traveler carries in his luggage for failure to report it. This is in direct contrast to what happened in the 2017 CJEU El Dakkak case, where failure to fill out a form resulted in the French government seizing $1,607650 held by a traveler only in transit with no intention to actually enter the EU.

The whole system is a relatively new idea, having only about 50 years of history. Even patent law and antitrust have a longer history than that.

I also could not find any pointers to the fabulous successes in crime solution and prevention in those 50 years of history in this book. To be fair, the author discusses this and could not find any either. She writes in the introduction (and later in chapter 2 on page 112) that “the continually increasing extent of anti-money laundering measures, both in scope and severity, is so far not rewarded by any measurable success”. If someone writes a 667 page book about money laundering and can’t find any “measurable success”, I for one am inclined to think that is because there is nothing to find there. The whole thing is based on thin air.

Chapter 2 contains an interesting analysis of the data protection rules of the EU AML directive. Again, those rules don’t exist. The only provision is in Article 41 (4), which says that contrary to usual standards of data protection law, data subjects have no right to know what is known about them.

The reason given for that is that if they knew, the fight against money laundering would get less effective. That reason is not convincing. For one, the rules are not effective in the first place, as noted above. And of course all criminals know exactly that the banks store all their transactions. Telling them about individual data sets does not change anything.

Chapter three discusses Bitcoin and starts badly with calling it “underground banking”, “shadow banking” and saying that “virtual currencies easily elude attempts at regulation”. What is the point of discussing Bitcoin regulation if it is impossible to begin with? And how is Bitcoin “banking”, shadow or underground, if by design there is no bank involved?

The author then states (at footnote 441) that Bitcoin is not a currency at all since it is not issued by a central bank and no jurisdiction guarantees it value. That changed recently, with El Salvador the first in line. Any old definitions of currency that rely on the status of legal tender became dubious at that point.

The author then asserts (page 138) that Satoshi Nakamoto disappeared “several months” after releasing Bitcoin. In fact that happened after April 26th, 2011, which is “several months” after January 2009 if you count the number 16 as several.

On page 147, the author quotes the price of one bitcoin as $15,048 on January 3, 2018. That was only three years ago now.

As the author explains correctly, Bitcoin is not anonymous, but pseudonymous. It requires some thought and expertise to make sure that transactions are not traced to any individual. That makes the use of Bitcoin much less attractive for criminals than cash. All Bitcoin transactions come with records stored forever in the public blockchain. No transactions in cash come with any records.

When discussing proposals for the 5th AML Directive (which was not yet enacted at the time of the writing) the author states that the idea of a voluntary register of self-identified users is “likely to fail”. I am not sure why. Citizens are asked to declare income for tax purposes every year. Not all of those declarations are incomplete or false. In the same way, one could imagine imposing self-reporting requirements for Bitcoin balances. It may be open to some more discussion if that is a good idea and if that would actually work.

The following chapter 5 gives a good overview of present European data protection law. One thing that stood out to me: The technical possibilities to defeat privacy are increasing all the time. You can take a picture of someone in public and search the Internet to reach their social media presence, making it possible to learn their name from their face.

Again, this chapter finds that there are no meaningful measures against mass surveillance in EU data protection law. So we have mass surveillance set up with no measurable success and no limits in data protection law.

The discussion of anonymity in Bitcoin in Chapter 6 suffers from talking about “wallets” when speaking about addresses. A wallet is a piece of software designed to interact with private and public keys (addresses) on the blockchain. An address is the result of a transaction, also called UTXO (unspent transaction output). The blockchain only contains addresses, not wallets.

The discussion of virtual currencies in Chapter 7 is especially valuable. As the author notes, it is quite possible to identify holders of Bitcoin addresses by several methods, one of them being looking at the IP address a transaction originated from. Others may be having the other party of the transaction cooperate, or having law enforcement infiltrate a criminal organization. Once the link between a name and an address is established, the transaction can be traced completely.

One thing I want to add: When using a bank, a criminal would know exactly that his transactions are watched. When using Bitcoin, they might assume to be not watched, while they actually are. That may be a decisive advantage for law enforcement in some situation. And said advantage is impossible with banks.

Chapter 8 brings a useful overview on relevant European case law as a basis for asserting that the money laundering Directive is in violation of the principle of proportionality in the following chapter.

That chapter has a discussion of the shaky legal basis for the EU legislating on what is clearly law of criminal procedure by pretending to be regulating the internal market. Of course any measures obliging financial institutions to collect and share data about their costumers has some influence on the competition between these institutions. But that is not the point of the system. The point of the system is to catch more criminals, and therefore the reliance on the internal market general clause is misguided. That was even more true when the Directive was first enacted in 1991, at which point in time the power of the EU to make criminal law was even less clear.

The author then elaborates some more on the lack of effectiveness. Citing the reports of the German FIU (the agency in charge of receiving the information from banks), she finds that there are very few convictions resulting from these reports and that there is no measurable impact on the predicate offenses (the crime the whole thing is supposed to decrease). The picture is even clearer with anti-terrorist financing, where there was no conviction resulting and the FIU was reduced to celebrating it as a success that one suspect was prevented from receiving insurance for a car.

Again, if there is no measurable success in preventing crime, the answer if that interest trumps the public interest in not having every one watched all the time is self-evident.

That becomes even more evident if one remembers that the Directive is supposed to be enacted for internal market purposes, avoiding differences in costs for banks. Taking that at its face value instead of the excuse for a otherwise not existing power to regulate would mean that the question is if that objective is achieved.

One would probably need to concede that an uniform standard for all banks actually will achieve the aim of achieving uniform compliance cost for the sector. But obviously the analysis in the next step (is it worth all of the effort if you disregard crime prevention) becomes a very different one.

That next step is central to the book. The author notes 17 different reasons why the result is not worth the effort.

That seems a bit one-sided. I share the idea that AML law is running amok (alliteration intended) and that there needs to be some kind of limit. But does the other side really lose 17 to zero? Is there nothing one could reasonably state for their position?

Theoretically speaking, it seems to make sense that investigation authorities can solve more crime if they have access to more data. If every citizen had a chip implanted in their skull recording their movements and everything they saw and heard, police work would get easier. So if the state could see every movement of funds (cash included), one would expect this to be useful for police work.

To deal with that idea, it is important that the whole AML thing is a new invention. Humans have used cash for thousands of years. All crime before 1970 was solved without recourse to AML instruments, and most of it is still solved without such recourse.

While it is certainly true that there may be some theoretical usefulness in addressing crime deriving from AML regulation, that is not enough. One would need to show a drastic difference in crime levels compared to the absence of AML measures to justify all that effort. As mentioned before, this has not been shown.

While there clearly is a need for limits of AML, the reverse is true as well. I for one would not like to see a financial system where people are free to run dark web assassination markets and it is completely impossible for anyone to do anything about that. Fortunately with Bitcoin, that is not true. While cash is not traceable, Bitcoin payments are stored forever in a public blockchain.

Anyway, if you think as I do and the author does, that current AML law has gone too far, it would be necessary to point out what exactly the legislator may be allowed to do without violating basic human rights. It appears the message of this book is only negative.

The first concern the author has with the current legislation is that it is a form of mass surveillance. Bruce Schneier called that “wholesale surveillance”, made possible by the declining cost of data storage. That is also what motivates me personally the most to disagree with telecommunication data storage and the AML legislation.

There are no exceptions. The state wants all the data, all the time.

Another concern raised by the author that impressed me was number four. The fact that the central concept of “suspicious transactions” is lacking a definition and is left to the authors of the software automatically issuing reports. That software is not open to the public but rather treated as a business secret. Such lack of transparency makes the transaction reports itself suspicious under human rights standards.

The following number five points out that there is a complete lack of protection for sensitive data in the money laundering Directive, in contrast to Article 10 of the Police and Criminal Justice Authorities Directive on data protection. The money laundering Directive completely ignores the need for special protection on sensitive data.

The concern number seven the author raises is the cost of the whole exercise to financial institutions. This point is not very convincing; but this is a good occasion to recall that the basis for this legislation is being worried about these costs might differ between Member States, which would in turn distort competition in the internal market.

So how high exactly are these costs? And how much did this Directive contribute to leveling the playing field? More important, how much electricity is wasted watching all citizens all the time and producing all these suspicious reports? How much CO2 is emitted because of that energy waste? The recent “European Green Deal” policy calls for more attention to these matters. Can we really afford to waste all that energy on a system without any measurable success?

Readers aware of the current discussion on Bitcoin will understand that I am alluding to assertions that Bitcoin mining uses too much energy. And turning that talking point right back at the supporters of the present system.

Concern number fifteen is about the retention period of relevant data, which is set to five years, calculated from the end of the business relation with a customer. Business relations with banks often last for a lifetime, which means effectively storage forever in most cases. In contrast, when talking about telecommunications data retention mandates even six months was regarded as being too long.

I have left out a couple of the seventeen concerns. The author then sums up and concludes that the AML Directive should be ruled invalid by the CJEU, as the data retention Directive was before. That would be in conflict with positions of the FATF, but said positions would need to be adapted accordingly.

I agree with that conclusion.

And I would like to turn around the argument a bit. One can ask if this mass surveillance is necessary in a democratic society. But one can also ask if one would be comfortable with the state having these powers if it is not sure that standards of democracy are kept up.

The United States came close to a coup ending democratic elections of leaders in January of this year. Some EU Member States are under review for deficient rule of law values.

Democracy is fragile. Mass surveillance installed in Germany in 1921 (if there was the technology at the time) would of course have been used by the Gestapo to find Jews in 1937. Don’t install harmful and useless mass surveillance systems assuming the government stays benevolent.

Published by kflenz

Professor at Aoyama Gakuin University, Tokyo. Author of Lenz Blog (since 2003, lenzblog.com).

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: