View PDF

Infrastructure Bill Ruling Puts Privacy at Risk

How a pernicious provision in Biden's Infrastructure Act threatens the financial privacy of all Americans.

On November 15, 2021, the Infrastructure Investment and Jobs Act (IIJA), enacted by President Biden, embedded a provision that expanded the scope of "cash" as defined in Section 6050I of the IRS Code. This expansion incorporated digital assets into the definition, creating serious implications for digital asset holders and privacy rights. With this alteration in place, after January 1, 2024 any person or entity that receives digital assets exceeding $10,000 must disclose this to the Internal Revenue Service (IRS) or face possible criminal penalties. This disclosure requirement applies whether the $10,000 threshold is met in a single or multiple related transactions, including trade or business operations.

While the history of governmental intervention in the digital asset sector is not new, with a notable example being the Financial Crimes Enforcement Network's (FinCEN) classification of cryptocurrency as a "convertible virtual currency" back in 2013, the IIJA provision signals the first imposition of mandatory reporting requirements on cryptocurrency transactions. This measure extends the breadth of government oversight into the domain of digital asset transactions in a significant way.

In the wake of these new rules, businesses and individuals who find themselves on the receiving end of digital assets valued at more than $10,000 in a trade or business transaction must document the sender's name, address, and taxpayer identification number (TIN). Alongside this, the details of the transaction and any other information stipulated by the IRS must also be logged.

Unlike traditional cash transactions, the majority of digital asset transactions are conducted on publicly-viewable blockchains, such as the Bitcoin or Ethereum network, and are thus accessible to anyone with an internet connection. The preservation of anonymity in these transactions hinges on the fact that the public addresses displayed on these ledgers are pseudonymous, rather than linked to personal identifying information. Yet, the breadth of information requested on Form 8300 potentially extends to a point where it can connect the public address of all participants in a digital asset transaction exceeding $10,000 to the participant's names, addresses, and social security numbers. Once a correlation has been established between a public address and personal identifying information, it grants the government a doorway to access the comprehensive financial history of a user on the public ledger. This includes transactions that don't meet the reporting threshold, meaning the government could potentially surveil a user's entire cryptocurrency activity, even if only a fraction of their transactions cross the $10,000 limit.

Moreover, the classification of digital assets under the new legislation is so broad that it includes digital assets that are clearly not intended to serve as a currency, and have highly subjective market value, such as Non-Fungible Tokens (NFTs). These, too, must be reported, pushing the legislation dangerously close to mandating government disclosure of specific acts of art sale that showcase political or otherwise protected speech.

On July 19th, the United States District Court for the Eastern District Court of Kentucky delivered its judgment on Coin Center's legal challenge against the Section 6050I amendment, dismissing the case on procedural grounds. Coin Center argued that the law overstepped constitutional boundaries, infringing upon the Fourth, First, and Fifth Amendments, and extending beyond the limits of Congress's enumerated powers. However, the court deemed these claims either 'not ripe' or insufficiently substantiated.

The Fourth Amendment claim was dismissed due to the potential for the regulation to evolve before its implementation on January 1, 2024, and a lack of concrete evidence that the government would misuse the public ledger to gather additional information. The First Amendment claim was discarded as speculative, with the court highlighting that the plaintiffs fell short of demonstrating an immediate risk of enforcement against them. The Fifth Amendment claim was perceived as not prepared for review due to an underdeveloped argument, and the claim alleging an overreach of Congress's enumerated powers was dismissed due to a deficiency of substantial allegations that the government had misused the plaintiffs' information.

Whether the claims made by Coin Center were prematurely argued in court remains debatable, but what they undeniably do is shed a light on the potential hazards posed by the newly enacted law. The threats are especially directed towards the foundational principles safeguarded by the Fourth Amendment. By allowing the government to have access to a vast trove of information, this law essentially hands over the keys to every single financial transaction carried out by millions of American citizens, without necessitating a warrant.

Furthermore, the implications of the law extend far beyond financial transactions alone. They cut through to the core of other civil liberties, such as the ability of digital asset users to make confidential donations. The right to make such contributions to political or charitable causes forms an integral part of the freedom of assembly, a right cherished under the First Amendment. The implications of the law, therefore, do not simply tread on the terrain of financial privacy; they impinge upon the constitutionally protected rights of assembly and expression.

In addition to these constitutional concerns, the law represents a deeply flawed judgment from a public policy perspective. Recent history is replete with instances that demonstrate the vulnerabilities of government databases to data breaches. Notorious examples include the infamous hacking of Office of Personnel Management records in 2013 and the more recent large-scale SolarWinds breach attributed to Russian hackers in 2020. These incidents emphasize a troubling reality: government databases are an exceedingly tempting target for hackers and nefarious foreign actors.

By potentially handing over to government servers information about millions of financial transactions along with the personal identifying information of parties to such transactions, the law knowingly places the safety of innocent Americans in jeopardy. These records can be used to facilitate crimes such as burglary, kidnapping, and various other forms of violent threats targeted at individuals. The accumulation and centralization of such data do not just infringe upon privacy, but also pose real-world risks to individuals' safety.

Furthermore, the law appears to fundamentally misunderstand the operational dynamics of wrongdoers such as hackers, drug dealers, and human traffickers who use cryptocurrencies to wash the proceeds of their illicit activities. Such individuals typically rely on entirely unregulated offshore decentralized entities known as "tumblers," not likely to comply with such regulations. Alternatively, they use borrowed, stolen, or fabricated identification documents that would comply with Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements, rendering them undetectable by these standard security measures. This further underscores the limitations of the law in addressing the very problems it purportedly aims to solve, while inadvertently exacerbating others.