Center for Technology and Innovation

The Mass⁠i⁠ve SolarW⁠i⁠nds Hack Won’⁠t⁠ S⁠t⁠op ⁠t⁠he Feds from Wan⁠t⁠⁠i⁠ng All Your Da⁠t⁠a

By: Andrea O’Sullivan / 2020

Governments often tell their subjects that they must submit to surveillance programs to stay safe. Whether the boogeyman is terrorism, hate, or even health, government snooping on private data often violates our rights to privacy.

But surveillance programs are unsafe on their own. Securing major sets of sensitive personal data is a tall order that few can fulfill. What do you know: Government agencies that want more access to your data all too often get hacked and risk exposing your private information to the world.

A case in point: on the same week that we learned the Treasury Department succumbed to a huge hack, it proposed a major expansion of their quiet yet pervasive financial surveillance programs to so-called “self-hosted wallet” (AKA privately controlled) cryptocurrency transactions.

Last week, it was revealed that agencies such as the U.S. Departments of Commerce, TreasuryEnergy and National Nuclear Security Administration (!), and Homeland Security had succumbed to a sophisticated cyber-attack where a likely nation-backed actor had infiltrated government systems. This hack was just one part of a larger offensive against the major IT infrastructure company SolarWinds, who counted some of the largest players in commerce, media, government, and academia among its clients. Specifically, hackers compromised an old version of SolarWinds’ Orion software that was used by some 18,000 customers.

Security analysts are still probing the extent of the hack and likely fallout. It appears that systems had been infiltrated for months since around March; perhaps attackers still have access to certain networks. And this particular operation might not have been limited to just the SolarWinds Orion product. We might not know the full contours of this problem for quite some time.

Government leaders are already beating the drums of cyberwar. They can’t help themselves, but it’s certainly too early for such threat escalation. But it’s always worth thinking through government surveillance practices that put our data at risk of such inevitable offenses. Creating massive government databases of personal information creates an unavoidable breach liability.

When it comes to the Treasury Department, the hacking risk is especially acute. Few people know that Treasury has operated a massive financial surveillance program made possible through the Bank Secrecy Act, which is kind of like the “PATRIOT Act for money,” for decades. Under the guise of fighting money-laundering and crime, the Treasury Department forces financial institutions to collect and share personal information on innocent people every day. Unsurprisingly, Treasury would like to expand these programs to ensnare more cryptocurrency transactions in its dragnet.

The proposed “self-hosted wallet” rules would make it much harder for privacy-minded individuals who run manage their own private keys for cryptocurrency to make transactions with people who outsource key management to third parties.

Right now, customers of third party-managed wallets and exchanges must submit to certain “anti-money laundering/know your customer” (AML/KYC) government data reporting rules when making transactions greater than $10,000 dollars. The proposed change would require that the recipients of such transactions also submit to personal data collection even when they manage their own keys before the regulated company may send the funds. Furthermore, the limit for such “self-hosted wallet” recipients would be lowered to $3,000 for certain data recording requirements—a new and unjustifiable roadblock for privately managed wallets to engage with the rest of the crypto economy.

There are a lot of problems with this rule. It would make it harder for privacy- and security-minded individuals who manage their own keys to interact with other users. It would create a huge hacking risk for those who decide to submit to the new AML/KYC rules.

And it would seem to make a whole category of cryptocurrency transactions legally unworkable. For example, with a multisignature transaction or smart contract where no one party controls a transaction, there is not a straightforward way to collect AML/KYC data—in the case of a smart contract, there might not be a “person” involved at all. Would these transactions simply be illegal?

Frustratingly, the proposal doesn’t give the public a lot of time to respond—as a “midnight regulation,” it affords a measly 15 days over the holidays to suggest improvements in comparison to the typical one to three months.

Unfortunately, this program would be only one of the many problematic data extraction schemes the Treasury Department has cooked up over the years.

For example, the Financial Crime Enforcement Network (FinCEN) has partnered up with the Federal Reserve to force banks to keep dossiers on anyone who wants to send an international transfer of at least $250 (called the “travel rule”).

Fancy cyberattacks are far from the only risk. FinCEN suffered another recent breach where thousands of so-called “Suspicious Activity Reports” (SARs) that banks are required to file with the government on transactions that the government wishes to flag were leaked to journalists. The media covered the leaks mostly to criticize banks for allowing these government flagged transactions to go through. Yet the bigger story about why the government collects this data and how insecure those reports apparently are went basically unmentioned.

By forcing major platforms to collect and share personal data on self-hosted wallets before allowing transactions to go through, the government would not only access (and probably expose) private data, it would majorly cut down on self-hosted wallet activities by making it that much harder for privacy-minded users. Now that we see the Treasury Department is apparently riddled with cybersecurity holes, we have even greater reason to resist the expansion of its financial surveillance programs.

Mandating that companies keep sensitive data on innocent transactors so that governments can review them “when needed” inevitably creates a security risk. Now banks and agencies must not only collect or review the data, they must make sure that it doesn’t get exposed to the wrong parties. We shouldn’t be surprised when they fail. Instead, we should not give these groups more access to personal data and wind down the data collections programs that do exist.

The Treasury Department routinely does not even consider privacy costs when weighing the costs and benefits of a new proposed rule. They really should go farther: government agencies that propose collecting more private data should be required to consider the security and hacking liabilities of collecting and storing this data. My guess is that a lot of these programs would suddenly appear too costly to justify. We need to weigh these very real security risks along with the threats to our abstract rights to privacy.

It’s a bit mind-blowing that a hacked government agency would propose such sweeping expansions to financial surveillance on the same week that we learned their systems suffered a major intrusion. It’s yet another data point on the extreme security risks of such collection in the first place.

Read more here: