The United Nations has commenced the penultimate round of negotiations for a new international treaty on cybercrime. The latest draft includes Article 93, which if adopted, would enforce extensive surveillance requirements on cryptocurrency and pose a threat to financial privacy worldwide. The proposed financial surveillance laws would apply to any organization involved in the circulation of digital financial assets and digital currency, including software developers, custodial and self-hosted wallet providers, miners, validators, nodes, non-fungible token trading platforms, and even users.
These organizations would be required to implement intrusive mass surveillance systems and automatically turn over their users’ sensitive financial information to the government. They would need to collect identity information for all users engaging in transactions, maintain that sensitive data, monitor for “suspicious” activities, and automatically report certain transactions to the government. In addition, when any person is suspected of “possible involvement” in a cybercrime, these organizations would have to give the government not only the financial records of the suspect but also the financial records of the suspect’s “associates” and family members. This provision is a shocking overreach.
Moreover, those organizations could be required to “apply enhanced scrutiny” to any individual identified by any government that is a signatory to the treaty. This provision raises concerns because it allows countries to designate people in other jurisdictions as targets for “enhanced scrutiny” for dubious reasons. For blockchain network participants like developers and miners, compliance is not only onerous but in many cases impossible. For example, software developers have no idea who the end-user of their software may be, and cryptocurrency miners and validators have no way of knowing the identity of the people whose transactions they are facilitating.
The draft Article 93 also attempts to eliminate any “banks that have no physical presence and that are not affiliated with a regulated financial group.” While “bank” is not yet defined in the treaty, this could be interpreted to encompass some decentralized finance projects, even if they’re otherwise lawful. Nations signing the treaty would be required to prevent such “banks” from being established in their own countries.
The negotiations have been ongoing for over a year, with language expected to be finalized in the fall. More than 130 human rights organizations and academics from around the world have already raised concerns about the adequacy of the treaty’s human rights protections, and tech policy experts have questioned its effectiveness against cybercrime. While protecting against ransomware, malware, and other attacks from cybercriminals is a noble goal, laws designed to enhance police powers in the name of crime prevention can too often lead to civil liberties violations.
Many leaders from civil society are taking part in the negotiations and working to make sure that the treaty respects human rights. However, the proposed Article 93’s sweeping financial surveillance requirements must be pushed back against by all those participating in the negotiations to defend financial privacy worldwide.