Taxing Bitcoin? IRS gets involved

Once again: is bitcoin a currency, and do currency rules apply? Or is it a capital asset and do those rules apply?

The Wall Street Journal is reporting that a large Bitcoin exchange Coinbase has been served with a so-called “John Doe” warrant in search of those people attempting to evade taxes.  A number of privacy advocates are upset at the breadth of the warrant, because it demands access for an entire broad class of people, and not specific people.

Bitcoin is used for all sorts of nefarious purposes, including online ransoming.  Tax evasion would be the least of its problems.  Were Coinbase a bank, they would be required to inform the federal government of transactions greater than $10,000 or of those individuals believed to be structuring transactions to avoid the $10,000 filing requirement.  These are anti-money laundering provisions that go hand in hand with tax enforcement.

And so my question: if it is wrong for the federal government to make such a demand of Coinbase, is it also wrong of them to make the same demand of banks?  If it is not, then why should Coinbase be treated differently?  And if Coinbase is not treated as a bank, is Bitcoin then not a currency?  If it’s not a currency, should it be treated as a capital asset for taxing purposes?  If that is the case, how would the IRS be able to enforce the reporting requirements associated with assets?

The alternative seems to be to trust people to not launder through Bitcoin.  If history, including recent history, is any measure, that’s a bad idea.  Either way, Bitcoin has already shown that privacy has its downsides.

Finding REAL News as Opposed to Fake News

Here are three simple tests to determine whether a site is a trustworthy news outlet. Are there multiple sections? Does it have multiple news bureaus? Does the site post corrections?

The great New York Senator Daniel Patrick Moynihan famously said that everyone is entitled to his own opinion, but not his own facts.  Unfortunately, our democracy is being undermined by a combination of an epidemic of fake news and people being willing to believe the drivel.

What, then, are trustworthy news outlets?  To start with, they have to have paid reporters.  Determining the truth requires investigation with feet on the ground.  It requires document searches, interviews, and research.  That costs money.

Still, a well funded propaganda outfit could pay (or claim to pay) for “reporters”.  How to tell the difference?  Be suspicious of any site is primarily focused on national politics or any single issue.

Here are a three tests to guide someone as to whether a news outlet is likely legitimate for daily consumption.  The tests themselves aren’t perfect, but they’re pretty good.

1. Does the outlet have many news bureaus?

A real newspaper will have at least one regional bureau for the region they are covering, and will often have an additional bureau for a state capital or for Washington.  Fake news sources may not have any bureaus.  A simple test is to type the name of the site and then “news bureaus” into a search engine and examine the results.  Note that a regional paper will tend to have only a few bureaus outside their region.  That’s okay, so long as they stick to news where they have those bureaus and more importantly reporters.

2. Does the outlet have multiple unrelated sections?

Real news sources will have sections such as weather, sports, obituaries, arts, finance, and region, as opposed to just politics.  They may not have all of these sections: for instance, the Wall Street Journal doesn’t have a weather section, but their finance section is unparalleled.

3. Does the outlet ever publish corrections?

Even if the answer to the first two questions is “yes”, no one is perfect.  But a good news outlet will recognize their imperfections and always seek to report the truth, no matter how embarrassing it may be.  A good measure of an outlet’s trustworthiness is how regularly they correct themselves.

Let’s Test

Given these parameters let’s see whether a web site is a good source for news.

Source Multiple Bureaus? Unrelated Sections? Corrections?
The New York Times Multiple, throughout New York, US, and the world NY region, sports, weather, obits, arts Regularly at the bottom of an article online, or in a section in paper.
Fox News Multiple affiliates Sports, weather, numerous regions Not too often.
Breitbart Four bureaus no Very rarely
Wikipedia No Yes (vast) Entries are continually edited
The Daily Caller No No Never
NPR Many regional affiliates along with international bureaus Numerous Regularly online and on radio
The Wall Street Journal Strong presence in financial capitals Finance, Travel, even some Sport Regularly at the bottom of articles
Politico Primarily national, with a few state and international bureaus No Very Rarely

Trust, of course, is not a binary.  That’s why it’s important to get information from multiple sources, maybe not every day, but regularly.  Also, just because something is not marked as a trustworthy news outlet doesn’t mean their lying.  It does however, mean, that they’re something other than a trustworthy news outlet.  A blog, perhaps, or an analysis site.  Wikipedia is an interesting case because nobody gets paid, but the information tends to be reasonably trustworthy (or at least transparent).

All of this doesn’t get people off the hook from using their common sense.  RT would easily pass the above tests, and yet they are a well known and well funded propaganda arm of Vladimir Putin.  Probably not a good news source.  Most blogs aren’t so well funded.

Should Uber require a permit for testing?

The Wall Street Journal and others are reporting on the ongoing battle between Uber and state and local governments.  This time it’s their self-driving car.  Uber announced last week that they would not bother to seek a permit to test their car, claiming that the law did not require one.  The conflict took on a new dimension last week when one of Uber’s test vehicles ran a red light.

Is Uber right in not wanting to seek a permit?  Both production and operation of vehicles in the nearly all markets are highly regulated.  That’s because  auto accidents are a leading cause of death in the United States and elsewhere.  The good news is that number is falling.  In part that’s due to regulation, and in part it’s due to civil liability laws.  I’m confident that Uber doesn’t want to hurt people, and that their interest is undoubtedly to put out a safe service so that their reputation doesn’t suffer and their business thrives.  But the rush to market is sometimes too alluring.  With the pace of technology being what it is, Uber and others would be in a position to flood the streets with unsafe vehicles, possibly well beyond their ability to pay out damages.  That’s when regulations are required.

There are a few hidden points in all of this:

  • As governments consider what to do about regulating the Internet of Things, they should recognize that much of the Internet of Things is already regulated.  California did the right thing by incrementally extending the California Vehicle Code to cover self-driving vehicles, rather than come up with sweeping new regulations.  Regulations already exist for many other industries, including trains, planes, automobiles, healthcare, electrical plants.
  • We do not yet have a full understanding of the risks involved with self-driving cars.  There are probably many parts of the vehicle code that require revision.  By taking the incremental approach, we’ve learned, for instance, that there are places where the vehicle code might need a freshening up.  For instance, self-driving cars seem to be following the law, and yet causing problems for some bicyclists.
  • IoT regulation is today based on traditionally regulated markets.  This doesn’t take into account the full nature of the Internet, and what externalities people are exposed to as new products rapidly hit the markets.  This means, to me, that we will likely need some form of regulation over time.  There is not yet a regulation that would have prevented the Mirai attack.  Rather than fight all regulation as Uber does, it may be better to articulate the right principles to apply.  One of those is that there has to be a best practice.  In the case of automobiles, the usual test for the roads is this is whether the feature will make things more or less safe than the status quo.  California’s approach is to let developers experiment under limited conditions in order to determine an answer.

None of this gets to my favorite part, which is whether Uber’s service can be hacked to cause chaos on the roads.  Should that be tested in advance?  And if so how?  What are the best practices Uber should be following in this context?  Some exist.

More on this over time.

Will New NY Banking Regulations Actually Tighten Cybersecurity?

Proposed New York banking regulations might not help that much.

New York is proposing new cybersecurity rules that would raise the bar for banks over which they have jurisdiction (wouldn’t that be just about all of them?).  On their face, the new regulations would seem to improve overall bank posture, but digging a bit deeper leads me to conclude that these regulations require a bit of work.

A few key new aspects of the new rules are as follows:

  1. Banks must perform annual risk assessments and penetration tests;
  2. New York’s Department of Financial Services (DFS) must be notified within 72 hours of an incident (there are currently numerous timeframes);
  3. Banks must use 2-factor authentication for employee access; and
  4. All non-public data must be encrypted, both in flight and at rest.

The first item on that list is what Chief Information Security Officers (CISOs) already get paid to do.  Risk assessment is in particular the most important task on this list, because as banks evolve their service offerings, they must ascertain both evolving threats and potential losses.  For example, as banks added iPhone apps, the risk of an iPhone being stolen became relevant, thus impacting app design.

Notification laws exist already in just about all jurisdictions.  The proposed banking regulation does not say what the regulator will do with the information or how it will be safeguarded.  A premature release can harm ongoing investigations.

Most modern banks outside the United States already use two-factor authentication for employee access, and many require two-factor authentication for customer access.

That last one is a big deal.  Encrypting data in flight (e.g., transmissions from one computer to another) protects against eavesdroppers.  At the same time, absent other controls, encryption can obscure data exfiltration (information theft). Banks currently have many tools that rely on certain transmissions being “in the clear”, and it may require some redesign of communication paths to address both the encryption in flight requirement and auditing needs.  Some information is simply impractical today to encrypt in flight.  This includes discovery protocols such as DHCP, name service exchanges (DNS), and certain other network functions.  To encrypt much of this information would require yet lower layer protection such as IEEE 802.1AE (MACSEC) hop-by-hop encryption.  The regulation is, again, vague on precisely what is necessary.  One thing is clear, however: their definition of non-public information is quite broad.

To meet the “data at rest” requirement banks will either have to employ low level disk encryption or higher level object-level encryption.  Low level encryption protects against someone stealing a disk or taking it from the trash and reading it, but provides very little protection against someone breaking into a computer when the disk is still spinning.  Moreover, banks generally have rules about crushing disks before they can leave a data center.  Requiring data at rest to be encrypted in data centers may not provide much risk mitigation.  While missing laptops have repeatedly been a source data breaches, how often has a missing data center disk caused a breach?

Object-level encryption, or the encryption of groups of information elements (think Email messages) can provide strong protection should devices be broken into.  Object-level encryption is particularly interesting because if done right, it can address both data in flight and data at rest.  The challenge with object-level encryption is that the tools for it are quite limited.  While there are some tools such as email message encryption, and while there are various ways one can use existing general purpose mechanisms such as OpenSSL to encrypt objects at rest, on object-level encryption remains a challenge because it must be implemented at the application level across all applications.  Banks may have tens of thousands of applications running at any one time.

This is an instance where the financial industry could be a technology leader.  However, all such development must be grounded in a proper risk assessment.  Otherwise we end up in a situation where banks will have expended enormous amounts of resources without having substantially improved security.

Comey and Adult Conversations About Encryption

What does an adult conversation over encryption look like? To start we need to understand what Mr. Comey is seeking. Then we can talk about the risks.

AP and others are reporting that FBI director James Comey has asked for “an adult conversation about encryption.” As I’ve previously opined, we need just such a dialog between policy makers, the technical community, and the law enforcement community, so that the technical community has a clear understanding of what it is that investigators really want, and policy makers and law enforcement have a clear understanding of the limits of technology.  At the moment, however, it cannot be about give and take.  Just as no one cannot legislate that π = 3, no one can legislate that lawful intercept can be done in a perfectly secure way.  Mr. Comey’s comments do not quite seem to grasp that notion.  At the same time, some in the technical community do not want to give policy makers to even evaluate the risks for themselves.  We have recently seen stories of the government stockpiling malware kits.  This should not be too surprising, given that at the moment there are few alternatives to accomplish their goals (whatever they are).

So where to start?  It would be helpful to have from Mr. Comey and friends a concise statement as to what access they believe they need, and what problem they think they are solving with that access.  Throughout All of This, such a statement has been conspicuous in its absence.  In its place we have seen sweeping assertions about grand bargains involving the Fourth Amendment.  We need to be specific about what the actual demand from the LI community is before we can have those sorts of debates.  Does Mr. Comey want to be able to crack traffic on the wire?  Does he want access to end user devices?  Does he want access to data that has been encrypted in the cloud?  It would be helpful for him to clarify.

Once we have such a statement, the technical community can provide a view as to what the risks of various mechanisms to accomplish policy goals are.  We’ve assuredly been around the block on this a few times.  The law enforcement community will never obtain a perfect solution.  They may not need perfection.  So what’s good enough for them and what is safe enough for the Internet?  How can we implement such a mechanism in a global context?  And how would the mechanism be abused by adversaries?

The devil is assuredly in the details.