Crypto’s Latest Privacy Battle
At the end of May the U.S. Security and Exchange Commission’s (SEC) newest mass surveillance tool – the Consolidated Audit Trail (CAT) – went “fully operational.” SEC registered broker-dealers, exchanges and alternative trading systems now have to collect and report trade information related to every U.S. trade as well as the personal information of every U.S. retail brokerage customer.
While this obviously impacts customers of traditional financial institutions, the personal privacy of participants in the digital asset economy may be seriously compromised as well.
Marisa Coppel is the head of legal for the Blockchain Association. Amanda Tuminelli serves as the DeFi Education Fund’s chief legal officer where she leads the organization’s impact litigation and policy efforts.
Note: The views expressed in this column are those of the author and do not necessarily reflect those of CoinDesk, Inc. or its owners and affiliates.
Designed to collect and store detailed customer data across U.S. financial markets, the CAT will be the largest database of securities transactions ever built. Even if built under the guise to “allow regulators to efficiently and accurately track all activity throughout the U.S. markets,” CAT threatens to make massive unchecked government surveillance a reality.
Under the SEC’s CAT-related requirements, regulated entities will be forced to collect a multitude of data points about trades, traders and retail customers, including customer names, addresses and account details. As for digital asset market participants, this information could end up including transaction identifiers and wallet addresses, giving those with access to the database insight into users’ forward- and backward-looking transaction information for all time.
The implications for the digital asset industry are worrying, especially given the recent finalization of the Dealer rule-making, which the Blockchain Association and others are challenging in federal court, and even more so if the SEC finalizes the proposed rule that would vastly expand the definition of what constitutes an “exchange.”
If these new rules are allowed to stand, the newly-minted “dealers” and “exchanges” will be required to report digital asset users’ information to the CAT.
This means unprecedented amounts of crypto trading data and personal customer information will be caught in the SEC’s surveillance dragnet. To make matters worse, CAT data is not available only to the SEC and its thousands of staff. Individually identifiable data in CAT is accessible to a web of related government agencies and private self-regulated organizations, without a warrant or reasonable suspicion of wrongdoing. This vastly expands the universe of who could potentially gain access to Americans’ personal financial lives and trading activities, all in the name of making the SEC’s job a little easier.
Former Attorney General William Barr recently expressed concerns over the potential violations of constitutional rights that will occur because of CAT: “The Constitution prohibits mass surveillance of private activities based merely on the possibility that someone might commit a crime … Even when the government seeks information about a citizen … it must normally show that it is investigating specific suspected wrongdoing.”
Yet, one searches in vain for any statement by the SEC concerning how it will respect individual constitutional rights.
In fact, SEC Commissioner Hester Peirce has sounded the alarm on CAT’s unchecked surveillance state implications for years, explaining that the cost “to liberty and privacy is not worth the purported benefit. After all, tracking our trading behavior won’t stop bad events from happening in the markets, it will just make it a bit easier to understand what happened after the fact.”
In addition to privacy concerns, this database represents the ultimate “honeypot” of information, making it particularly attractive to hackers. While the SEC recognized this dramatic security risk in a 2020 proposal to enhance security of the database, it has yet to implement amendments to CAT that would increase cybersecurity, despite organizations like the Securities Industry and Financial Markets Association (SIFMA) sounding the alarm.
It is not surprising then that the SEC has already been sued twice over their implementation of the CAT database. The American Securities Association and Citadel jointly petitioned the 11th Circuit in October 2023 and the New Civil Liberties Alliance filed a complaint in the Western District of Texas in April 2024 to challenge CAT’s release. Although these two lawsuits are perfect examples of why the judiciary is so important in curbing grave government overreach, the crypto world must recognize how antithetical CAT is to its core ethos, and to expectations of privacy presumed by all Americans.
Remember, privacy is normal. We should not regress into a societal norm where privacy equates to wrongdoing, especially in personal financial matters, lest we get closer to the Washington D.C., featured in Minority Report. One shouldn’t feel like their government is looking over their shoulder as they complete every personal financial transaction, especially when those transactions may include revealing sensitive information such as through donations to political causes or paying for medical procedures.
In addition to taking the opportunities to help educate the court as amici in the ongoing lawsuits mentioned above, the crypto community should make our opposition known on this latest regulatory overreach by voicing concern to elected representatives about CAT. Excessively broad financial surveillance regimes like CAT are a significant threat to Americans’ constitutional rights and cannot be allowed to quietly become law.
Edited by Daniel Kuhn.