Defining More Terms

Today, I am borrowing heavily from Andreas M. Antonopoulos’ book Mastering Bitcoin for more term definitions.

Address

Coindesk says:

A bitcoin address is used to receive and send transactions on the bitcoin network. It contains a string of alphanumeric characters, but can also be represented as a scannable QR code. A bitcoin address is also the public key in the pair of keys used by bitcoin holders to digitally sign transactions (see Public key).

Antonopoulos adds:

A bitcoin address looks like 1DSrfJdB2AnWaFNgSbv3MZC2m74996JafV. It consists of a string of letters and numbers starting with a “1” (number one). Just like you ask others to send an email to your email address, you would ask others to send you bitcoin to your bitcoin address.

This explanation gives a peek into a much deeper topic. While I am tempted to discuss public and private keys here, I’ll discuss those later. For now, I’ll just offer a warning: Addresses are not account numbers. They are more like a serial number for a check. You can write any amount you want on the check. It can be one bitcoin or a thousand. But the check can’t be reused. Every time a transaction occurs in bitcoin, a new address is created.

BIP

Antonopoulos says:

Bitcoin Improvement Proposals. A set of proposals that members of the bitcoin community have submitted to improve bitcoin. For example, BIP0021 is a proposal to improve the bitcoin uniform resource identifier (URI) scheme.

Block

Antonopoulos says:

A grouping of transactions, marked with a timestamp, and a fingerprint of the previous block. The block header is hashed to produce a proof of work, thereby validating the transactions. Valid blocks are added to the main blockchain by network consensus.

 

Blockchain

Coindesk says:

The full list of blocks that have been mined since the beginning of the bitcoin cryptocurrency. The blockchain is designed so that each block contains a hash drawing on the blocks that came before it. This is designed to make it more tamperproof.

To add further confusion, there is a company called Blockchain, which has a very popular blockchain explorer and bitcoin wallet.

Antonopoulos says:

A list of validated blocks, each linking to its predecessor all the way to the genesis block.

Confirmations

Antonopoulos says:

Once a transaction is included in a block, it has one confirmation. As soon as another block is mined on the same blockchain, the transaction has two confirmations, and so on. Six or more confirmations is considered sufficient proof that a transaction cannot be reversed.
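The Block, Blockchain and Confirmations entries above describe one mechanism: each header commits to its predecessor's hash, so altering an old block invalidates everything mined after it. The sketch below is an added example (not from the book, Coindesk, or Bitcoin's own code) and a toy model: JSON headers, a single hash over the transaction list, a three-hex-digit proof-of-work target, and made-up transaction labels are all assumptions for illustration.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64
POW_PREFIX = "000"  # toy difficulty (assumption): header hash must start with this


def sha256d(data: bytes) -> str:
    """Double SHA-256, hex encoded."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


def tx_fingerprint(txs):
    """One hash committing to the block's transaction list."""
    return sha256d(json.dumps(txs).encode())


def header_hash(header):
    return sha256d(json.dumps(header, sort_keys=True).encode())


def mine_block(prev_hash, txs, timestamp):
    """Search for a nonce so the header hash meets the toy proof-of-work target."""
    header = {"prev": prev_hash, "time": timestamp,
              "txs_hash": tx_fingerprint(txs), "nonce": 0}
    while not header_hash(header).startswith(POW_PREFIX):
        header["nonce"] += 1
    return {"header": header, "txs": list(txs)}


def build_chain(batches):
    chain, prev = [], GENESIS_PREV
    for height, txs in enumerate(batches):
        block = mine_block(prev, txs, 1_500_000_000 + 600 * height)
        chain.append(block)
        prev = header_hash(block["header"])
    return chain


def first_invalid_block(chain):
    """Return the height of the first block that fails validation, or None."""
    prev = GENESIS_PREV
    for height, block in enumerate(chain):
        header = block["header"]
        digest = header_hash(header)
        if (header["prev"] != prev
                or header["txs_hash"] != tx_fingerprint(block["txs"])
                or not digest.startswith(POW_PREFIX)):
            return height
        prev = digest
    return None


def confirmations(chain, tx):
    """1 once the transaction is in a block, plus 1 for every block mined on top."""
    for height, block in enumerate(chain):
        if tx in block["txs"]:
            return len(chain) - height
    return 0


def rewrite_and_remine(chain, height, new_txs):
    """Replace one block's transactions and redo that block's proof of work."""
    forged = copy.deepcopy(chain)
    old = forged[height]["header"]
    forged[height] = mine_block(old["prev"], new_txs, old["time"])
    return forged


# Constructed sample data: seven blocks, one made-up transaction label each.
SAMPLE_BATCHES = [[f"tx-{n}"] for n in range(7)]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_BATCHES)
    print("first invalid block:", first_invalid_block(chain))
    print("confirmations of tx-1:", confirmations(chain, "tx-1"))
    forged = rewrite_and_remine(chain, 1, ["tx-1-altered"])
    print("first invalid block after rewriting block 1:", first_invalid_block(forged))
```

Even after block 1 is re-mined, validation fails at block 2 because its stored predecessor hash no longer matches, so every later block would need its work redone as well; that cost is what the confirmation count measures.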

Blockchain Technology Applied to the Stock Market

The opinion in In re Dole Food Co. Inc Stockholder Litigation, CA 8703-VCL (Del. Ch. Feb. 15 2017) offers an interesting window into places where blockchain technology could substantially improve current systems. In November 2013, Dole Food Co. went private. Some shareholders filed a lawsuit, seeking additional consideration (more money per share) for the going-private transaction.

The shareholders and the company eventually settled. A price was agreed upon, the class size was defined as 36,793,758 shares, and the settlement was approved. Only one problem: When the claim forms came back, there appeared to be 49,164,415 shares.

Turns out that no one had accounted for a few different quirks of the current system. The Court pointed to at least two problems: (1) the T+3 day clearing rule for trades and (2) the accounting for short sales (technically both the owner of the shares and the short seller hold the shares). The Court ultimately throws up its hands and approves distributing the additional settlement consideration to the same people who received the merger consideration in the first place, which was a known, well-defined list.

But in its frustration with the current system, the Court notes that distributed ledger technology would likely have prevented these issues:

This problem is an unintended consequence of the top-down federal solution to the paperwork crisis that threatened Wall Street in the 1970s. Through the policy of share immobilization, Congress and the Securities and Exchange Commission addressed the crisis using the 1970s-era technologies of depository institutions, jumbo paper certificates, and a centralized ledger. See generally In re Appraisal of Dell Inc. (Dell Ownership), 2015 WL 4313206, at *3–7 (Del. Ch. July 30, 2015).

It was an incomplete solution at the time. Since then, despite laudable and largely successful efforts by the incumbent intermediaries to keep the system working, the problems have grown. See, e.g., In re Appraisal of Dell Inc., 143 A.3d 20, 59 (Del. Ch. 2016) (holding that under current Delaware law, beneficial owners forfeited their appraisal rights by inadvertently voting in favor of the merger due to complexities created by depository system); Dell Ownership, 2015 WL 4313206, at *9–10 (holding that under current Delaware law, beneficial owners forfeited their appraisal rights due to administrative change in the name of the nominee on the share certificate necessitated by depository system).

Distributed ledger technology offers a potential technological solution by maintaining multiple, current copies of a single and comprehensive stock ownership ledger. The State of Delaware has announced its support for distributed ledger initiatives. See Marco A. Santori, Governor Jack Markell Announces Delaware Blockchain Initiative, global Delaware Blog (June 10, 2016), http://global.blogs.delaware.gov/2016/06/10/delaware-to-create-distributed-ledger-based-share-ownership-

Where Are Digital Assets Located?

This seems like a silly question until you realize that it’s actually critical for determining jurisdiction. In other words, what court can order me to hand over cryptocurrency? What court can order me to pay taxes on that cryptocurrency? Where do I owe taxes on it? These are all important and open questions, and they apply to all intangible digital assets. Recently, the Second Circuit decided a case that many are watching as a bellwether for these issues.

In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, 829 F.3d 197 (2d Cir. 2016) [Link] [Denial of En Banc Review]

Summary: Stored Communications Act authorizes government subpoenas for e-mail communications, but does not reach extraterritorial communications. E-mails stored on a Microsoft server in Ireland are located extraterritorially and beyond the reach of an SCA Warrant, even though a Microsoft employee could retrieve the e-mails from terminals in the United States.

Facts:

Microsoft Corporation appeals from orders of the United States District Court for the Southern District of New York denying its motion to quash a warrant (“Warrant”) issued under § 2703 of the Stored Communications Act (“SCA” or the “Act”), 18 U.S.C. §§ 2701 et seq., and holding Microsoft in contempt of court for refusing to execute the Warrant on the government’s behalf. The Warrant directed Microsoft to seize and produce the contents of an e-mail account that it maintains for a customer who uses the company’s electronic communications services. . . .

Microsoft produced its customer’s non-content information to the government, as directed. That data was stored in the United States. But Microsoft ascertained that, to comply fully with the Warrant, it would need to access customer content that it stores and maintains in Ireland and to import that data into the United States for delivery to federal authorities. It declined to do so. Instead, it moved to quash the Warrant. The magistrate judge, affirmed by the District Court (Preska, C.J.), denied the motion to quash and, in due course, the District Court held Microsoft in civil contempt for its failure.

. . . .

One of Microsoft’s datacenters is located in Dublin, Ireland . . . . According to Microsoft, when its system automatically determines, “based on [the user’s] country code,” that storage for an e-mail account “should be migrated to the Dublin datacenter,” it transfers the data associated with the account to that location. . . .

. . . .

Microsoft asserts that, after the migration is complete, the “only way to access” user data stored in Dublin and associated with one of its customer’s web-based e-mail accounts is “from the Dublin datacenter.” Id. at 37. Although the assertion might be read to imply that a Microsoft employee must be physically present in Ireland to access the user data stored there, this is not so. Microsoft acknowledges that, by using a database management program that can be accessed at some of its offices in the United States, it can “collect” account data that is stored on any of its servers globally and bring that data into the United States. Id. at 39-40.

Issues, Holdings, and Discussion:

  1. Do the warrant provisions of the Stored Communications Act contemplate extraterritorial application? No:

We dispose of the first question with relative ease. The government conceded at oral argument that the warrant provisions of the SCA do not contemplate or permit extraterritorial application.

. . . .

When Congress intends a law to apply extraterritorially, it gives an “affirmative indication” of that intent. Morrison, 561 U.S. at 265, 130 S.Ct. 2869. . . . We see no such indication in the SCA.

. . . .

The government asserts that “[n]othing in the SCA’s text, structure, purpose, or legislative history indicates that compelled production of records is limited to those stored domestically.” Gov’t Br. at 26 (formatting altered and emphasis added). . . . We find this argument unpersuasive: It stands the presumption against extraterritoriality on its head. It further reads into the Act an extraterritorial awareness and intention that strike us as anachronistic, and for which we see, and the government points to, no textual or documentary support.

Congress’s use of the term of art “warrant” also emphasizes the domestic boundaries of the Act in these circumstances.

. . . .

The term is endowed with a legal lineage that is centuries old.

. . . .

As the term is used in the Constitution, a warrant is traditionally moored to privacy concepts applied within the territory of the United States: “What we know of the history of the drafting of the Fourth Amendment … suggests that its purpose was to restrict searches and seizures which might be conducted by the United States in domestic matters.” In re Terrorist Bombings of U.S. Embassies in East Africa, 552 F.3d 157, 169 (2d Cir. 2008) (alteration omitted and ellipses in original) (quoting United States v. Verdugo-Urquidez, 494 U.S. 259, 266, 110 S.Ct. 1056, 108 L.Ed.2d 222 (1990)). Indeed, “if U.S. judicial officers were to issue search warrants intended to have extraterritorial effect, such warrants would have dubious legal significance, if any, in a foreign nation.” Id. at 171. Accordingly, a warrant protects privacy in a distinctly territorial way.

  2. By requiring Microsoft personnel in the United States to retrieve data located in a Dublin datacenter, would the warrant reach extraterritorially? Yes:

Because the content subject to the Warrant is located in, and would be seized from, the Dublin datacenter, the conduct that falls within the focus of the SCA would occur outside the United States, regardless of the customer’s location and regardless of Microsoft’s home in the United States. Cf. Riley v. California, ___ U.S. ___, 134 S.Ct. 2473, 2491, 189 L.Ed.2d 430 (2014) (noting privacy concern triggered by possibility that search of arrestee’s cell phone may inadvertently access data stored on the “cloud,” thus extending “well beyond papers and effects in the physical proximity” of the arrestee).

The magistrate judge suggested that the proposed execution of the Warrant is not extraterritorial because “an SCA Warrant does not criminalize conduct taking place in a foreign country; it does not involve the deployment of American law enforcement personnel abroad; it does not require even the physical presence of service provider employees at the location where data are stored…. [I]t places obligations only on the service provider to act within the United States.” In re Warrant, 15 F.Supp.3d at 475-76. . . . [T]he magistrate judge’s observations overlook the SCA’s formal recognition of the special role of the service provider vis-à-vis the content that its customers entrust to it. In that respect, Microsoft is unlike the defendant in Marc Rich and other subpoena recipients who are asked to turn over records in which only they have a protectable privacy interest.

The government voices concerns that, as the magistrate judge found, preventing SCA warrants from reaching data stored abroad would place a “substantial” burden on the government and would “seriously impede[]” law enforcement efforts. Id. at 474. The magistrate judge noted the ease with which a wrongdoer can mislead a service provider that has overseas storage facilities into storing content outside the United States. He further noted that the current process for obtaining foreign-stored data is cumbersome. That process is governed by a series of Mutual Legal Assistance Treaties (“MLATs”) between the United States and other countries, which allow signatory states to request one another’s assistance with ongoing criminal investigations, including issuance and execution of search warrants. See U.S. Dep’t of State, 7 Foreign Affairs Manual (FAM) § 962.1 (2013), available at fam.state.gov/FAM/07FAM/07FAM0960.html (last visited May 12, 2016) (discussing and listing MLATs). And he observed that, for countries with which it has not signed an MLAT, the United States has no formal tools with which to obtain assistance in conducting law enforcement searches abroad.

These practical considerations cannot, however, overcome the powerful clues in the text of the statute, its other aspects, legislative history, and use of the term of art “warrant,” all of which lead us to conclude that an SCA warrant may reach only data stored within United States boundaries. Our conclusion today also serves the interests of comity that, as the MLAT process reflects, ordinarily govern the conduct of cross-boundary criminal investigations. . . .

Thus, to enforce the Warrant, insofar as it directs Microsoft to seize the contents of its customer’s communications stored in Ireland, constitutes an unlawful extraterritorial application of the Act.

Comments:

Exchanges Blocking Bitcoin Withdrawals

Big news broke today that two major Chinese exchanges are blocking Bitcoin withdrawals: http://www.coindesk.com/two-chinas-biggest-exchanges-stop-bitcoin-withdrawals/

What does that mean, and should it affect how people are managing their Bitcoin assets?

What does that mean? The answer is that I’m not sure. But it’s important to understand that exchanges often don’t provide you with the tools needed to directly manage your bitcoins. Take Coinbase as an example. It’s a well-known, reliable U.S. exchange. I would happily use it to exchange fiat to bitcoins and vice versa. And I would happily use it to store a small amount of bitcoins.

But it’s important to understand that Coinbase can deny you the ability to withdraw your bitcoins at any time. Coinbase provides “wallet addresses” to which bitcoins can be sent. Behind the scenes, Coinbase will (usually) make sure that bitcoins sent to these addresses get credited to your account. But these are not always public keys on the blockchain. More importantly, you do not have your private key. You cannot sign transactions or withdraw bitcoins if Coinbase doesn’t want you to do it.

 

Should it affect how people are managing their Bitcoin assets? It depends. There are advantages to exchanges. But I think most Bitcoin assets should be in hardware wallets. For corporate assets, they should be in hardware multi-sig wallets, which I’ll discuss in a future post.

Could My Business Be Laundering Money Even if It Doesn’t Engage in Any Fiat Currency Transactions?

United States v. Budovsky, No. 13-cr-368 (S.D.N.Y. Sept. 23, 2015) [Link]

Summary: Even if a company structures their business to exclude fiat currency transactions, if they are a “financial institution” as defined by U.S. law, then they have an obligation to register. If they don’t register, they can be held criminally liable.

Facts:

Liberty Reserve, a company incorporated in Costa Rica in 2006, operated one of the world’s most widely used digital currencies. Through its website, Liberty Reserve provided access to “instant, real-time currency for international commerce,” which could be used to “send and receive payments from anyone, anywhere on the globe.” …

Budovsky and his co-defendants are alleged to have intentionally created, structured, and operated Liberty Reserve as a business venture designed to help criminals conduct illegal transactions and launder the proceeds of their crimes. According to the Indictment, Liberty Reserve emerged as the “financial hub of the cyber-crime world, facilitating a broad range of online criminal activity, including credit card fraud, identity theft, investment fraud, computer hacking, child pornography, and narcotics trafficking.” Liberty Reserve’s user base was global, with more than one million users worldwide, including more than 200,000 users in the United States. The Indictment further alleges that from 2006 to 2013, Liberty Reserve processed an estimated 55 million separate financial transactions and laundered more than $6 billion in criminal proceeds. At no point did Liberty Reserve register with the United States Department of the Treasury as a money transmitting business.

… To add additional layers of anonymity, Liberty Reserve prohibited users from depositing or withdrawing funds directly. Rather, users were required to exchange real currency for LR and vice-versa through third-party exchangers, a number of whom were pre-approved on the Liberty Reserve website.

….

The Indictment charges Budovsky in three counts with (1) conspiracy to commit money laundering in violation of 18 U.S.C. § 1956(h); (2) conspiracy to operate an unlicensed money transmission business in violation of 18 U.S.C. § 371; and (3) operation of an unlicensed money transmission business in violation of 18 U.S.C. § 1960.

Issues, Holdings, and Discussion:

  1. Can a financial institution outside the United States be held liable for operating an unlicensed money transmission business even if it doesn’t handle fiat currency? Yes:

A “financial institution” is defined in that same section to include entities engaged in many different categories of activities, among them a person “who engages as a business in the transmission of funds, including any person who engages as a business in an informal money transfer system or any network of people who engage as a business in facilitating the transfer of money domestically or internationally outside of the conventional financial institutions system.” 31 U.S.C. § 5312(a)(2)(R) (emphasis added).

….

Section 5313 requires a report “when a financial institution is involved in a transaction” involving coins or currency. 31 U.S.C. § 5313(a) (emphasis added). Because a domestic financial institution has a duty to file reports if it engages in coin or currency transactions, it also has a duty to register. This registration obligation exists whether or not the financial institution engages in such transactions. Thus, if the Government proves that Liberty Reserve was a “domestic financial institution,” then it was subject to the § 5313 reporting requirements, and was also required to register with the Department of the Treasury, assuming all other statutory requirements are shown, even if it never engaged in any real currency transactions. See, e.g., United States v. E-Gold, Ltd., 550 F. Supp. 2d 82, 94-97 (D.D.C. 2008) (holding that virtual currency services are subject to FinCEN regulations under §§ 5330 and 5313).

Securing Your Client’s Bitcoins (Part 2)

In Part 1 of this series, we looked at paper wallets. Today I’ll discuss hardware wallets.

Hardware Wallets

Hardware wallets are a very significant upgrade from paper wallets. As I mentioned yesterday, paper wallets are actual sheets of paper with printed public and private keys. Each key pair corresponds to a particular Bitcoin “account,” and the private key allows access to all the bitcoins within that account. There are several significant problems with paper wallets:

  1. Anyone with access to the paper wallet has access to the bitcoins. (You can BIP-encrypt the wallet, but that’s a whole other post.)
  2. You never really know whether a copy has been made from a paper wallet at some point.
  3. To do anything with the bitcoins, you need to load them into an online wallet.

Hardware wallets fix these problems. These wallets are actual, physical devices whose sole purpose is to store keys and sign cryptocurrency transactions. Several different manufacturers offer reputable devices, including:

  • Trezor
  • KeepKey
  • Ledger Nano S

Hardware wallets address the issues with paper wallets in the following ways:

  1. Anyone with access to the paper wallet has access to the bitcoins. (You can BIP-encrypt the wallet, but that’s a whole other post.) — Hardware wallets use a PIN, so only an authorized user can instruct the wallet to sign a transaction.
  2. You never really know whether a copy has been made from a paper wallet at some point. — Hardware wallets don’t show your private key. They take a transaction, sign it with the private key within their own internal hardware, then export the signed transaction. There’s nothing to copy.
  3. To do anything with the bitcoins, you need to load them into an online wallet. — Because hardware wallets have a connection to your computer (albeit carefully limited to prevent hacking), they can sign transactions without loading your private key to an online wallet.

Securing Your Client’s Bitcoins (Part 1)

In this post, I’m going to talk about how businesses can secure any bitcoins or other cryptocurrency they might have. Lawyers need to understand how their clients’ businesses work, both for litigation and compliance purposes. Not to mention that law firms themselves should probably consider keeping at least some funds in Bitcoin for flexibility.

Private Keys

First, we need to discuss some basic concepts: Any bitcoins you have (and this is generally true for other cryptocurrencies) will be assigned a specific public/private key pair. The public key is also the address that people use to send you bitcoins. The private key lets you send those bitcoins to someone else. If a malicious actor has the private key, your bitcoins are gone, period. So the entire goal of Bitcoin security is to keep that key secure. (Really, it’s keys, plural, but we don’t have to get into that right now.)

Paper Wallet

Paper wallets put the public and private keys on a physical sheet of paper. By their very nature, they can’t be hacked. But except for sole proprietorships or very closely held companies, they are not suitable for business use. Why?

  • They can be destroyed in a fire or similar incident and the bitcoins would be lost forever.
  • It’s impossible to know whether a paper wallet had been copied at some point along the way.
  • There is no audit trail for a paper wallet.
  • Whenever the company wants to use funds in a paper wallet, the private key needs to be transferred into an online wallet.
  • It’s difficult to transfer responsibility for a paper wallet when someone is fired or moved to a new position. The easiest way to do it would be for the newly responsible employee to create a new paper wallet and transfer all the funds from the old paper wallet into it. But then any new funds transferred into the old wallet would be lost.

If you want to use a paper wallet:

  • bitaddress.org provides a wallet generator for Bitcoin
  • liteaddress.org provides a wallet generator for Litecoin
  • ethaddress.org provides a wallet generator for Ethereum

Later Posts

In later posts, I’ll talk about more enterprise-friendly methods, like hardware wallets, multi-sig, and other ideas that businesses could implement.