EU's 'Going Dark' Takes Aim At Self-Custody, Mixers And The Lightning Network – But Lacks Data To Prove Its Claims

The EU Innovation Hub for Internal Security has issued its first report on encryption, describing Layer Twos, zero-knowledge proofs and self-custody as 'problematic' for law enforcement. The report is issued in correspondence with the EU's strategies of attempting to combat 'Going Dark', which calls for the backdooring of encryption in attempts to fight law enforcement's increasing difficulties to monitor online activities due to the growing adoption of end-to-end encryption and other privacy technologies.

The report states that "cryptocurrencies are widely used for laundering criminal proceeds and there are concerns that tracing funds will become more complicated if zero-knowledge proofs and layer 2 applications are more widely deployed in the blockchain. On the other hand, the use of custodial wallets, where the user does not hold their own private key, create opportunities for cooperation between law enforcement authorities, exchanges and service providers to seize crypto assets that are suspected to be of criminal nature."

In the section Data Obfuscation of Cryptocurrency Transactions, the report states that "zero-knowledge proofs and layer 2 solutions [...] allow for transactions to take place without showing (some of the) transactional data publicly," highlighting that "this significantly complicates tracing the origins of (illicit) cryptocurrency for law enforcement."

The report finds that "Layer 2 solutions [...] might cause additional problems for law enforcement investigations," and appears particularly concerned with privacy coins such as Monero and ZCash, so-called mixing software leveraging zero-knowledge proofs such as Tornado Cash, as well as onion routed networks, such as the Lightning Network.

Under the section Implications for Law Enforcement, the report states that "Mixers and privacy coins have been complicating tracing for years, but Mimblewimble and zero-knowledge proofs are relatively new developments that can also obscure the visibility of cryptocurrency addresses, balances and transactions. Furthermore, layer 2 solutions such as the lightning network might also be abused by criminals. This can be used, for example, to make payments to each other without making times and amounts of these payments visible. Similarly, new wallet encryption schemes may also complicate lawful access by law enforcement."

In regards to self-custody, the report finds that custodial ownership "can be beneficial as they [law enforcement] can request exchanges and custodian wallet providers to freeze or seize cryptocurrency assets." The report describes mnemonic seeds to be seizable, but highlights the use of passphrases and Shamir secret sharing as problematic.

In Ongoing Attempts at Mass Surveillance, the EU Continues to Lack Data

"Cryptocurrencies continue to be popular with criminals for hiding their transactions and laundering criminal proceeds."

Under the guise of 'Going Dark', the EU has setup an expert group on Access to Data for Effective Law Enforcement. The expert group recommends regulation to be built around "lawful access by design" essentially looking to mandate the installment of backdoors in soft- and hardware, from encrypted messaging services to internet connected cars.

The expert group herein recommends the mandating of far-reaching data retention strategies such as the bulk collection of IP addresses and the ensuring of "access to intelligible data" such as meta data and subscriber data, obligations for service providers to "decrypt the data if encrypted at any time," the establishment of legal frameworks to "access data in transit," and the building of mechanisms for "the transfer in real time of large data sets."

Regulations proposed in accordance with the EU's Going Dark strategies are widely known as Chat Control. Chat Control has long been argued to violate fundamental rights due to its de facto implementation of mass surveillance of EU citizens without due cause, yet the regulation is set to be greenlit by the European Council as early as next week. Proposed measures by the Commission include the scanning of email, messenger, chat (including as part of games and dating apps), and video conferencing services.

A big hurdle for the implementation of Chat Control has been the significant lack of data to prove that increased surveillance would result in increased prosecution. As the European Commission and the General Secretary for Migration and Internal Affairs have found, "there is no evidence that the industry-driven mass surveillance of our private communications [...] makes a significant contribution to saving abused children or convicting abusers. To the contrary, it criminalises thousands of minors, overburdens law enforcement and opens the door to arbitrary private justice by big tech."

The EU's apparent regulatory strategy of "we'll just say things and hope no one notices" now seems to continue to manifest in its evaluation of financial privacy services.

Assumptions made in the EU's Encryption Report, such as that "Cryptocurrencies continue to be popular with criminals for hiding their transactions and laundering criminal proceeds" are in line with statements made by MONEYVAL – the EU's Committee of Experts on the Evaluation of Anti-Money Laundering and the Financing of Terrorism –, such as that "It is well known that money launderers have been abusing cryptocurrencies from their inception a decade ago, initially to transfer and conceal proceeds from drug trafficking."

Unfortunately for MONEYVAL and the EU's Innovation Hub for Internal Security, no data exists to support such claims. In fact, the evaluation of illicit transaction volumes on the Bitcoin Network remains disputed in terms of applied heuristics, with reports ranging from "one-quarter of bitcoin users are involved in illegal activity" in 2019 to 0.34% of all on-chain activity across currencies in 2023 (interestingly estimated by Chainalysis, which began partnering with EUROPOL as early as 2016 and the Report itself cites twice).

The EU's Encryption Report cannot help but be remind us of FinCEN's recent attempts to enhance transparency in "Convertible Virtual Currency Mixing", which were argued to include Lightning Network activity due to its overly broad terminologies.

While the amount of work the EU's Innovation Hub for Internal Security has placed in understanding Bitcoin transactions in its Encryption Report sure is admirable – from multi-signature scheme evaluations to the citing of BIPs – it may arguably have been more goal oriented to place the same amount of scrutiny in providing data to support its underlying assumptions that Bitcoin is, in fact, popular for use in crimes.

When so-called experts fail to even cite a catch-phrase correctly - turning "not your keys, not your coins" into "not your keys, not your crypto" – we may do best in not placing our trust in their opinions.

Independent journalism doesn't finance itself. Please consider donating via Lightning L0laL33tz@ln.tips or Silent Payments

sp1qqwhn0hsr6hk5u7z5qr6w5gt3fa6ap4t96a6v7zmsqvrk9exv9atgqqjxmw55ds97axmwewfac8srgxvhmyw9lye0peln7swsgcp8dscm9smgx7rj