EU's New Crypto Rulings


On Wednesday, the EU made a decision on AML (anti-money laundering) rules for the crypto sector:

  • KYC will be required for crypto transactions of any amount between hosted wallets

  • For transfers over 1000€ between a hosted and non-hosted wallet, verification of the owner of the unhosted wallet will be mandatory

  • Crypto-Asset Services Providers (CASPs) will be required to collect information on all transfers involving unhosted wallets, on a risk basis

  • Within 18 months of these rules being applied, further regulation may be added to further mitigate the risk of unhosted wallets

Along with the collection of all of this information of course comes the issue of safely storing that information — the new regulation claims to ensure “robust safeguards for data protection”:

  • Information will only be available to CASPs executing the transfers and competent authorities

(Thank goodness for that stipulation in the new regulation. It will almost surely keep us safe from hackers targeting these treasure troves of data, as these stipulations always have done in the past.)

(See: Capital One Data Hack, JPM Data Hack, Robinhood Data Hack)

CASPs will also be required to adopt internal procedures to ensure compliance with sanctions, and will require enhanced due diligence when doing business with a CASP in a third country.

Earlier this year, Coinbase pointed out in their blog that when it comes to this due diligence and compliance: 

“MiCA should ensure that CASPs [Crypto Asset Service Providers] are only liable for events that are in their control. Current texts imply much broader liability for events that are outside the CASP’s control, such as cyber attacks. Moreover, the burden of proof should not fall on the CASP to show the event occurred independently of their operations. Legal clarification is needed to enable CASPs to offer investors the best protection available, with appropriate liability”.

Ernest Urtasun, European Greens party VP, celebrated via Twitter the new regulatory decisions:

“We are putting an end to the wild west of unregulated crypto, closing major loopholes in the European anti-money laundering rules.”

While some see crypto as the “wild west” and filled with people skirting the law, others see crypto as an escape from the financial totalitarianism that has engulfed the world. Erik Voorhees responded to Ernest’s tweet:

“Here's a photo of a bunch of politicians congratulating themselves for imposing Orwellian surveillance on hundreds of millions of people. Looking forward to seeing the pull requests on open source unhosted wallets”

Intermediaries are easier to regulate, but decentralized technology itself is difficult to control. Indeed, it will be interesting to see if these new regulations further push crypto down the decentralized path as people choose empowerment over surveillance.


SEC says “NO” to Regulation… Wait, What?

Grayscale, the world’s largest digital currency asset manager, is suing the SEC. This week the SEC denied Grayscale’s application to convert their bitcoin trust into a spot-based ETF. Last fall several futures-based ETFs were approved by the SEC, yet the SEC has been unwilling to allow any ETF based on the spot price of the asset. Grayscale has launched a lawsuit in response, saying that it is inconsistent to approve futures-based ETFs for bitcoin, yet continue to deny any based on the underlying asset. Grayscale Senior Legal Strategist and former U.S. Solicitor General, Donald B. Verrilli Jr., stated in an official response:

“...the SEC is failing to apply consistent treatment to similar investment vehicles, and is therefore acting arbitrarily and capriciously in violation of the Administrative Procedure Act and Securities Exchange Act of 1934. There is a compelling, common-sense argument here, and we look forward to resolving this matter productively and expeditiously.”

The SEC argues that Grayscale has failed to prove how they would avoid and deter market manipulation. (We’re still unsure of the definition of market manipulation. If something’s market value is the combined result of all actions from the market’s participants, isn’t everything market manipulation? Or is manipulation just what we call it when someone we don’t like is involved?)

Michael Sonnenshein, Grayscale CEO, told Squawkbox:

"The fact that a US regulator is shunning the opportunity to bring this further into the regulatory perimeter and give investors more disclosure, more protections, this is an unbelievably missed opportunity on their part.”


This Week’s Privacy Tip:

WiFi Probe Requests and Beacons

This week NBTV released an interview with IT security research associate at the University of Hamburg, Johanna Ansohn McDougall, who talked to us about the privacy issues of WiFi. So this week’s privacy tip is about WiFi.

How WiFi Connections Work (in very broad strokes!)

In order for your phone or computer to automatically connect to WiFi every time you return home, to the office, or to your favorite coffee shop, your device and the WiFi router need to somehow discover each other. This can either be done passively or actively:

Passive discovery involves the phone listening passively, and the router sending out beacons letting nearby devices know that the router’s wireless network is there.

Active discovery involves the device actively sending out WiFi probe requests, letting nearby wireless networks know that the device is there and actively scanning for networks.

When you automatically connect to a network, it’s because during either passive or active discovery, a name in your PNL (preferred network list) was recognized. Every device has a PNL, and it’s basically a list of all the SSIDs (wireless network names, like “Naomi’s WiFi”, “Starbucks”, “Airport WiFi” etc.) that the device has ever connected to and remembered.

In passive discovery, the router beacon will broadcast its SSID, and your device will cross check that SSID against all the SSIDs in its list of trusted networks. If the name matches, the device will connect to the network.

In active discovery, a couple of things could be happening, depending on the make and model of the device and the OS it’s running:

a) Newer devices will send out WiFi probe requests every few seconds that are blank. These are basically little data packets asking “are any WiFi networks around?” Any nearby router will respond with its SSID, and the phone will check that SSID against those listed in its PNL. If there’s a match with an SSID the device recognizes, it will try to automatically connect to it. 

b) Alternatively, the phone might actually be broadcasting its PNL in every WiFi probe request. This is basically the device’s way of asking “Hey, are any of these networks around?” This means that the entire history of WiFi networks that your phone has ever connected to and remembered might be being publicly broadcast every few seconds. Usually this happens with older devices or OSs, but if a newer device thinks that a network is a hidden network, it will also be constantly broadcasting its SSID in order to make a connection.


Problems with this system

An SSID isn’t really a unique identifier: you can use any name for your SSID. I could call my home WiFi “Starbucks”, or “CIA Van”, or anything that I wanted. The device is just looking for an SSID, and if it recognizes it, it will automatically try to connect with that network. This makes it incredibly easy to spoof a network and trick a device into connecting to it, and that is exactly what devices like the WiFi Pineapple are designed to do.

Further, a PNL is like a unique fingerprint for your device. Think about it: you’re probably the only person in the world who has your exact list of remembered networks. If your phone is going around broadcasting this list every few seconds, it’s an easy way to track someone (and this is exactly what shopping malls, airports, and trade fairs do).

Even if your phone isn’t broadcasting your PNL, other information is being revealed in WiFi probe requests that can also be a unique fingerprint for your device, such as the “information elements” that are broadcast to advertise various attributes of a phone.

Finally, SSIDs themselves can have revealing names that, if broadcast, can expose who your employer is, who your internet service provider is, where you go out dancing, even where your holiday home is located. And you may not realize that this information is even being broadcast.
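To check what a device of your own gives away, the sketch below parses probe request frames, separates blank probes from ones that name a saved network, and hashes the remaining information elements into a fingerprint. It is an added example, not code from the interview or from NBTV; the sample frames are constructed, and it assumes each frame starts at the 802.11 MAC header with no radiotap header or trailing FCS.

```python
import hashlib
import struct

PROBE_REQUEST_FC = 0x40   # frame control byte: management frame, probe request
MAC_HEADER_LEN = 24       # frame control, duration, 3 addresses, sequence control
SSID_ELEMENT_ID = 0

def build_probe(src_mac, elements):
    """Construct a sample probe request frame (test data, not a capture)."""
    header = struct.pack("<BBH", PROBE_REQUEST_FC, 0, 0)
    header += b"\xff" * 6 + src_mac + b"\xff" * 6 + struct.pack("<H", 0)
    body = b"".join(bytes([eid, len(val)]) + val for eid, val in elements)
    return header + body

def parse_elements(frame):
    """Return the (element ID, value) pairs from a probe request body."""
    if len(frame) < MAC_HEADER_LEN or frame[0] != PROBE_REQUEST_FC:
        raise ValueError("not a probe request frame")
    elements, pos = [], MAC_HEADER_LEN
    while pos + 2 <= len(frame):
        eid, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + length]
        if len(value) != length:   # truncated element: stop rather than misparse
            break
        elements.append((eid, value))
        pos += 2 + length
    return elements

def audit_probe(frame):
    """Report what one probe request reveals about the sending device."""
    elements = parse_elements(frame)
    ssids = [v.decode("utf-8", "replace") for eid, v in elements
             if eid == SSID_ELEMENT_ID and v]
    # Hash every element except the SSID: the "information elements" fingerprint.
    other = b"".join(bytes([eid, len(v)]) + v for eid, v in elements
                     if eid != SSID_ELEMENT_ID)
    return {"leaked_ssids": ssids, "wildcard": not ssids,
            "ie_fingerprint": hashlib.sha256(other).hexdigest()[:16]}

# Constructed samples: one device, a blank probe and one naming a saved network.
MAC = bytes.fromhex("020000000001")
RATES = (1, bytes.fromhex("82848b96"))   # supported rates element
HT_CAPS = (45, bytes(26))                # HT capabilities element, zeroed
BLANK = build_probe(MAC, [(SSID_ELEMENT_ID, b""), RATES, HT_CAPS])
DIRECTED = build_probe(MAC, [(SSID_ELEMENT_ID, b"Airport WiFi"), RATES, HT_CAPS])

if __name__ == "__main__":
    for name, frame in (("blank", BLANK), ("directed", DIRECTED)):
        print(name, audit_probe(frame))
```

Both sample probes produce the same fingerprint, which is the point made above: a blank probe hides the network list but not the other elements.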

How to Protect Yourself

  1. Turn your WiFi off — If you use Android, you also have to switch off “WiFi scanning”, otherwise your phone will still be sending out WiFi probe requests.

  2. Forget networks. On Android, you can access your entire list and delete its contents. On iPhone you can only see remembered networks when you are in range of that network. However, there is a way to completely reset your PNL:
    Settings / General / (scroll all the way down) Transfer or Reset / Reset / Reset Network Settings. This will scrub all previously saved WiFi networks. (H/T Eric for this tip!)

  3. Keep your devices and their software up to date.

Assange once said, “A mobile phone is a tracking device that also makes calls”. He’s not wrong. There are countless ways that phones track our movements, but there are ways that we can make these devices more private. One small step is understanding that probe requests are plainly observable, and can contain sensitive data. Given this reality, it’s important we are more mindful when using WiFi, and do so carefully with privacy in mind.

Watch our full video about WiFi privacy issues here!

By Will Sandoval, NBTV Associate Producer, and Naomi Brockwell.
