We’re back with another installment of IF:Then, the hottest newsletter about legal strategy at the intersection of law and technology that all the kids are talking about. If you want to be in the know, make sure you go ahead and subscribe.
Gary Gensler is on a warpath! Janet Yellen is comin’ for your coins! It’s regulation szn in the world of crypto, and here in the US a clear trend is emerging. Subpoenas. Are. Flying. Speaking at a crypto conference? You might get served on stage. Thems the breaks.
Technically, this trend of extreme service isn’t limited to subpoenas exclusively. We’ve got C&Ds, OSCs, MP3s . . . it’s hard to keep track. I don’t think Oprah is moonlighting as a federal regulator, but don’t ever tell me she wouldn’t kill it if she did. The point is, people are getting served, and apparently it can happen anywhere. Let’s dig into it!
It feels like ages ago we were talking about crypto-lender BlockFi getting tripped up by New Jersey, Texas, and Alabama, throwing a wrench into their perpetual fundraising machine. Not to be outdone, BlockFi competitor Celsius is now in the regulatory cross-hairs, having received regulatory missives from those same three states. And lest we point our fingers and laugh at the centralized platforms, decentralized exchange Uniswap is getting a look of their own, with news that the SEC has opened an investigation.
But perhaps the most interesting battle in this securities supermarket sweep spilled onto the mean streets of social media earlier this month with leading cryptocurrency exchange Coinbase getting served with a Wells Notice (basically a “hey we’re going to sue you” letter) from the SEC. In response, Coinbase Chief Legal Officer Paul Grewal, LinkedIn’s last hero this side of Dan Price, teamed up with CEO and "mission-focus" aficionado Brian Armstrong to let loose an early-Festivus airing of grievances. Grewal took the pen on the Coinbase Blog with a post titled, “The SEC has told us it wants to sue us over Lend. We don’t know why.” Armstrong, on the other hand, took to Twitter with a thread calling out the SEC’s “sketchy behavior”, including Armstrong personally getting snubbed by the regulators on a trip to DC.
Coinbase wanted to engage with the regulator on their planned “Lend” product, a BlockFi-esque yield account for their users, but instead were notified that they would be sued if they launched Lend. While the “how can lending be a security?” posture is playing dumb at best, Gary Gensler’s SEC has clearly been far less collaborative than many in the media initially assumed when he was appointed, given Gensler’s recent history teaching blockchain/crypto classes at MIT. What gives, Gensler? We thought you were cool.
Things are moving so fast that while I was typing the preceding paragraph, Coinbase announced that they are in fact bailing on the Lend product. So much for the social media strategy. Sad. Collaboration by Twitter is great #content.
Even though Coinbase ultimately wasn’t willing to go to the mat (i.e. court) with the SEC, bold moves are a necessary part of any holistic strategy for the industry writ large to define crypto’s legal standing. But one government request that Grewal pointed out raised a lot of eyebrows:
They also asked for the name and contact information of every single person on our Lend waitlist. We have not agreed to provide that because we take a very cautious approach to requests for customers’ personal information. We also don’t believe it is relevant to any particular questions the SEC might have about Lend involving a security, especially when the SEC won’t share any of those questions with us.
It’s not difficult to view an overreaching request for consumer data as the machinations of a surveillance-state power grab, especially in light of what appears to be a multi-faceted government swarm. But hey, why not ask? Some companies might just turn it over.
Coinbase is certainly no stranger to working with law enforcement and/or regulators - they’ve executed enough government contracts to make Palantir think it’s starting to seem a bit nefarious. Even so, declining to provide this level of user information was probably a pretty easy call. But for all you folks out there who haven’t yet reached that $50B market cap (stay on the grind, you’ll get there) there are a few things to make sure you have in place when it comes to handling an over-eager Uncle Sam.
There are a few ways you might interact with law enforcement, whether or not you’ve actually been served. Depending on your business you might want to start with something proactive. An opportunity for education, putting a face to a name, and making sure you’re not seen as a bad actor. Even if you’re “moving fast and breaking things” it always helps to try to reach some common ground.
Hmmm. Ok bad example. What I mean is, it’s always best if a regulator understands what you’re doing, why you’re doing it, and of course how it helps them and their goals.
On perhaps the other end of the spectrum, you might receive a notice that you’re being actively investigated. In that situation, well you should probably stop reading this newsletter and get a white-collar/investigations attorney who works well with prosecutors. Or, depending on the situation, one who doesn’t. Either way get your litigation hold procedures in order and if you’re not a skillful enough grifter to fake a deep voice for a decade, resist the urge to destroy any documents. But anyway, I’m digressing…
Setting Expectations
Outside of those aforementioned extreme ends of the spectrum, companies do have some leeway to push back, especially when it comes to consumer privacy. It’s easy to see why Grewal mentioned it in his public appeal. Apple didn’t exactly face a ton of public backlash by spending years fighting with the FBI over unlocking iPhones in connection with high-profile criminal investigations.
“The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cybercriminals,” the company said at the time. “The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe.”
Taking a stand like that requires a well thought out point of view, and it’s helpful to set those expectations - both with the government and with your customers - publicly, and from the beginning. Most companies map this out somewhere in their privacy policy, setting the expectation that they will generally only reveal consumer information to law enforcement if “required to by law” or if necessary to protect someone or something from harm. Going back to Coinbase, for example, they have a fairly standard provision.
With law enforcement, officials, or other third parties when we are compelled to do so by a subpoena, court order, or similar legal procedure, or when we believe in good faith that the disclosure of personal information is necessary to prevent physical harm or financial loss, to report suspected illegal activity, or to investigate violations of our User Agreement or any other applicable policies.
There is a lot of wriggle room by design in those types of statements - they call out discrete but broad parameters that allow them to essentially do what they think is right. Whether or not you’ve been subpoena’d, there is a big difference between complying with AML reporting requirements, actively helping to prevent crime, and handing over the names of some folks who clicked “yes” on a waitlist. At some point, the company needs to make a value-judgment and stand behind it, and while government compulsion is certainly one of the determining factors, there are times to push back against that as well.
Keeping it Simple
But overall, for most companies and most situations, interactions with law enforcement eventually become a standard part of doing business. Most of the time law enforcement asks for more specific pieces of information, and it’s much easier to make an assessment of a narrow request than some categorical sweep. For those circumstances, an established internal policy along with some workflows and process can take you pretty far.
Some simply create a dedicated email for law enforcement requests. If Trust and Safety is a bigger part of the business, a dedicated workflow or portal makes more sense. For example, Airbnb and Uber provision logins to law enforcement agencies, who are generally happy to follow a company-defined process if it makes their jobs easier and makes the company more willing to give information.
Both Uber and Airbnb are of course marketplaces that involve in-person interactions where users may have disputes with each other, and in unfortunate circumstances need to file claims with the police revolving around their use of the service. There are plenty of circumstances where it makes perfect sense for the company to reveal as much information about a particular user as possible.
Ultimately, most would do well to recall a tried and true concept in constitutional law: the “reasonable expectation of privacy.” The evolution of Fourth Amendment jurisprudence is largely based on that concept and it’s fairly fitting for companies to use as a rubric for their own internal compass. While the internet has a very, very long way to go in terms of privacy, businesses should have the awareness to gauge how they position their own users’ expectations of privacy. Apple has set the expectation that it will not break into users’ phones for the government and has been willing to stick by that principle. Coinbase correctly recognizes that users credibly accused of crimes or exhibiting suspicious behavior do not have the same expectation of privacy as those clicking on a waitlist button for a yield product. It’s much easier to make that determination if you’ve drawn out the line for yourself in advance, and set your own expectations.
Until next time friends - David Ikenna Adams
If you’re interested in joining the IF:Then Syndicate, or are an early-stage founder looking for strategic partners, please reach out to david@ifthen.vc