Bitcoin just took a big step toward the mainstream, but whether that’s a good thing for the popular digital currency is becoming an increasingly contentious debate.
Influential financial regulators in New York just unveiled a formal proposal for what they’re calling a BitLicense, which is essentially a set of regulations virtual currency companies will have to adhere to if they want to do any kind of business in the state.
One of the stated goals of the regulations is to protect consumers, but many within the Bitcoin community are up in arms about the proposal. It’s not that they want to leave the door open for scammers. Rather, at the core idea of Bitcoin for them, is the belief that technology can regulate a currency in a way that’s far more pure and protective to users than any government agency.
This contrast between early Bitcoin adopters and regulators is especially apparent in the cybersecurity section of the BitLicense proposal, which is among the most-lengthy of the proposal’s 21 sections. It includes three pages of what, to a non-Bitcoin expert at least, may seem like rigorous security protocols to which businesses must adhere.
Benjamin Lawsky, the superintendent of financial services at the New York State Department of Financial Services (DFS), introduced the proposed regulations Thursday in a post to the Bitcoin forum on Reddit. Lawsky wrote that the recent massive collapse of Mt. Gox made “very clear” the need for cyber security requirements for Bitcoin companies. Mt. Gox, the former largest Bitcoin and a sort of symbol of Bitcoin’s rise, crumbled earlier this year under the weight of security breaches, both virtual and physical.
To hopefully prevent such problems in New York Bitcoin exchanges and other services, Lawsky’s proposal would require virtual currency companies to undergo quarterly vulnerability assessments, as well as a thorough annual audit that includes penetration testing and a source code review by a third party. In addition, companies would be required to appoint a chief information security officer to oversee all these processes and prepare a yearly report “identifying relevant cyber risks.”
On Reddit, Lawsky described these as “common sense rules of the road” that are “vital to the long-term future of the virtual currency industry, as well as the safety and soundness of customer assets.”
Bitcoin security researcher Kristov Atlas wasn’t quite so confident about the proposed cybersecurity regulations, which he described as “sufficiently vague that they serve no practical purpose.”
“Requiring BitLicensed exchanges to employ basic security practices is like the mid-west requiring wheat farmers to purchase equipment for grain harvesting,” Kristov told the Daily Dot in an email. “I doubt very much that Mt. Gox would have been unable to comply with the letter of this law despite their obviously inadequate security practices.”
Kristov even suggested regulators deserve some of the blame for Mt. Gox. His argument is that if U.S. regulators allowed a manageable path for would-be Bitcoin exchanges, consumers would have had far more alternatives to Gox, which had its share of security problems even before the mega-hack that let hundreds of millions of dollars worth of customers’ funds disappear.
Displaying some of the libertarian spirit that is prevalent among early Bitcoin advocates, Kristov said that consumers “should not look to government regulators” for protection from would-be hackers or for financial protection in general.
“In this cutting edge area of technology, regulators will always be months behind innovators when it comes to securing customer funds,” he said. “Bitcoin is showing us an opportunity to grow out of a legacy financial system burdened with debt, abysmal risk analysis, and regulatory baggage, and all NY DFS has to offer is chaining Bitcoin to yesteryear’s way of doing finances.”
Kristov is not the only one who is unimpressed with Lawsky’s proposed cybersecurity regulations. Dan Kaminsky, a noted security researcher who said he doesn’t own any Bitcoin specifically so he can objectively assess potential security risks, read through the New York DFS proposal at our request. His feeling was that the cybersecurity requirements are somewhat hard to evaluate because the way they’re written is vague.
“Yearly [penetration] tests and external code audits of any internal code—not bad,” he said in an email to the Daily Dot. “Everything else is ‘you figure it out and we’ll tell you if we don’t like it.’ That may actually be how this legal realm operates.”
The cybersecurity aspect of the proposal is far from the biggest point of contention. That would most certainly be privacy.
A main reason early Bitcoin advocates got behind the currency was because it allows people to make long distance transactions without necessarily revealing their identities, though the degree of this anonymity has often been called into question.
Regardless, as a byproduct of its quasi-anonymous nature, Bitcoin became the go-to currency for people to use in illicit transactions over the Internet. In attempt to snuff out Bitcoin’s money-laundering capabilities, Lawsky’s proposed regulations require both operators and customers of Bitcoin businesses to provide significant identifying information, including names and addresses. That’s a big no-no in the Bitcoin world.
Eric Voorhees, a thought-leader in the Bitcoin community, wrote in a blog post that Lawsky and company are trying to place Bitcoin users under “surveillance and control.” Also citing privacy concerns, Andreas Antonopoulos, another prominent Bitcoin security expert, expressed strong opposition to the proposal.
Privacy *is* consumer protection. If your “consumer protection” laws destroy privacy, you’re doing it wrong
— AndreasMAntonopoulos (@aantonop) July 18, 2014
Despite Kristov’s and others’ misgivings, not everyone in the Bitcoin world is categorically opposed to regulators stepping in. Jerry Brito, a Bitcoin a research fellow at George Mason University’s Mercatus Center, wrote a blog post expressing some concerns, but he concluded that the proposed regulations “are on the right track.”
Perhaps most notably, Bitcoin Investment Trust founder Barry Silbert, an extremely prominent Bitcoin entrepreneur with a stake in more than 30 virtual currency companies, expressed optimism about the New York DFS proposal.
Kudos to @BenLawsky and the rest of the DFS team on their thoughtful approach to bitcoin regulation. Proud to be a NYC company
— Barry Silbert (@barrysilbert) July 17, 2014
While entrepreneurs such as Silbert may benefit from attempting to find common ground with regulators, the feeling toward Lawsky’s proposal was largely negative among those who’ve been evangelizing Bitcoin for the past several years. And while one might expect Bitcoin advocates and regulators to clash on issues of privacy—Kaminsky described it as a “civil war” over whether Bitcoin should remain semi-anonymous to use or become increasingly subject to government regulation—the fact that these groups can’t even get on the same page about cybersecurity protections is a sign of deep division.
One thing that seems increasingly clear is that if Bitcoin does break through and achieve widespread mainstream adoption, it probably won’t be the same cryptocurrency’s anonymous creator Satoshi Nakamoto imagined.
Lawsky’s office did not reply to our request for comment.
If you’d like to dig deeper, a full copy of Lawsky’s proposed regulations is below.
NY BitLicense Proposal
Photo by BTC Keychain/Flickr (CC BY 2.0)