Peanut Butter & Watermelon: Financial Privacy in the Digital Age
Thank you, Dan [Boneh] for that introduction. And thank you to IC3, the Center on Responsible Decentralized Intelligence, and the Stanford Center for Blockchain Research for hosting this conference. Being part of the Science of Blockchain Conference is an honor, although even the titles of most of the talks are intimidating for this non-scientist. Before I begin, I must remind you that my views are my own as a Commissioner and not necessarily those of the SEC or my fellow Commissioners.
The summer on the East Coast has been hot—so hot that, much to my surprise, I find myself craving watermelon, the quintessential summer fruit, but one for which I have a general aversion. I inherited my distaste for watermelon from my grandfather. To make it palatable, he slathered peanut butter on it—a culinary combination that attracted the attention of the neighborhood children at summer picnics. Years later, the telephone operator connecting my grandfather’s call asked, “Are you the Mr. Peirce who puts peanut butter on his watermelon?” The telephone operator had been one of the kids dismayed by my grandfather’s unconventional efforts to make watermelon edible.
That story reminds me of the value of disintermediation—not because of the watermelon and peanut butter combination—but because of the telephone operator. My grandfather’s telephone operator must have been one of the last of a dying profession; at the time he made the call in question, automated switching systems had replaced most human telephone operators. Customers could dial on their own, a task some large phone companies insisted was too hard.[1] The smaller independents, which were first to adopt the technology, noted that automation offered greater confidentiality.[2] My grandfather’s story illustrates that telephone operators sometimes were friends or neighbors of the people for whom they were placing calls. Imagine how awkward sensitive calls must have been when an operator you knew was doing the dialing. We now take for granted being able to call someone without another human in the loop.
Technology enables disintermediation to our benefit in other areas too, and the promise of additional disintermediation beckons. Cryptography, zero-knowledge proofs, smart contracts, and public blockchains facilitate the disintermediated transmission of value and information and the disintermediated coordination of human behavior. Actions that once could not be performed without centralized intermediaries now can be accomplished permissionlessly without them. A bank that might not want to lend to certain types of people gives way to a DeFi protocol through which everybody can borrow on the same, publicly transparent terms. A social media platform run by a company that might censor of its own accord or at the government’s behest is replaced by a decentralized platform that allows everybody to post content according to a universally applicable set of transparent guidelines that is known in advance and not subject to alteration or disparate application based on user content. A high-priced remittance service is exchanged for a public blockchain that allows people to move money directly and more discreetly to the intended recipient, including people disfavored by their repressive governments.
Technologies that cut out intermediaries shake up the status quo and thus sometimes inspire fear. Firms that serve as intermediaries might fear losing customers. Agencies like the SEC might fear that a disintermediated world is not regulatable because so many rules assume the presence of intermediaries whose conduct can be directed and held to account. Law-enforcement agencies that rely on centralized intermediaries for information about their customers’ involvement in potential crimes might fear that they will not be able to protect the public in a disintermediated world.
Each of these fears is understandable, but none warrants limiting the use of disintermediating technologies. Although new technology will displace some incumbents, resilient firms will use the technologies to serve their customers. Traditional financial firms, for example, might use public blockchains to make settlements and borrowing more seamless or to perform back-end functions—the so-called DeFi mullet. Disintermediating technologies can perform functions that regulations now perform, such as mitigating the risk that an entity holding a customer’s assets will steal or mismanage them, ensuring that certain conditions are met, or increasing the transparency and accessibility of services for the public. As disintermediating technologies proliferate, law-enforcement agencies will continue to prevent and prosecute crime with their sophisticated use of a wide range of technologies and information sources.
Let me pause on this last point for a few minutes. An increase in disintermediation may seem particularly daunting to law-enforcement agencies because many have come to rely heavily on the third-party doctrine, which gives them easy access to information people provide to third parties. Under current Supreme Court precedent, Fourth Amendment protections—the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures[3]—might not apply when a person’s information is housed at a third party: law enforcement authorities can obtain the information without a warrant or notice to the affected individual. The theory underpinning this doctrine is that when a person gives information to a third party, she is indicating that she does not have an expectation of privacy with respect to the information.
A person dialing a phone himself—without a human operator—was at the center of a foundational case for the third-party doctrine. The Supreme Court, over a curt dissent,[4] affirmed its view “that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”[5] It elaborated: “The switching equipment that processed those numbers is merely the modern counterpart of the operator who, in an earlier day, personally completed calls for the subscriber. . . . Petitioner concedes that if he had placed his calls through an operator, he could claim no legitimate expectation of privacy. . . . We are not inclined to hold that a different constitutional result is required because the telephone company has decided to automate.”[6] So the lack of human operators might save you from conversations about watermelons and peanut butter, but it does not save you from government surveillance. More recently, in Carpenter v. United States, the Court declined to apply the third-party doctrine to cell phone site location information,[7] but the third-party doctrine is still alive and well.[8]
The third-party doctrine is a key pillar of financial surveillance in this country, much of which occurs under the Bank Secrecy Act (“BSA”). The BSA is a nearly 55-year old law that Congress has supplemented over the years. It seeks to assist law enforcement in combatting criminal activity, including tax evasion, terrorism financing, and money laundering; protect the U.S. financial system; and safeguard the national security of the United States.[9] Under the BSA, financial institutions have to establish “reasonably designed risk-based programs” to combat money laundering and the financing of terrorism and “to facilitate the tracking of money that has been sourced through criminal activity or is intended to promote criminal or terrorist activity.”[10] The BSA defines “financial institution” expansively—the statute enumerates many entities such as banks, brokers, dealers, investment companies, insurance companies, auto and gold dealers, casinos, pawnbrokers, and travel agencies, and it authorizes Treasury to pull in additional entities.[11] Among other requirements, financial institutions must submit Suspicious Activity Reports (“SARs”) “to report any suspicious transaction relevant to a possible violation of law or regulation,”[12] and Currency Transaction Reports (“CTRs”) to report customers’ currency transactions over $10,000 individually or in the aggregate.[13] Many financial institutions also must verify their customers’ identities at account opening.[14] In fiscal year 2024, approximately 324,000 financial institutions submitted more than 25 million transactions reports, including 4.7 million SARs and 20.5 million CTRs.[15] As one observer put it, “the Bank Secrecy Act deputized American financial institutions as de facto law enforcement investigators.”[16]
Despite the profound implications of deputized financial institutions handing sensitive customer information over to government without a warrant, the BSA has withstood constitutional challenges. The Supreme Court upheld the BSA against a constitutional challenge in 1974,[17] and then again in 1976.[18] In the 1976 case, the Court explicitly embraced the third-party doctrine, and explained that the Fourth Amendment does not prohibit the government from obtaining information from a third party “even if the information is revealed [by the customer to that third party] on the assumption that it will be used only for a limited purpose and the confidence placed in this third party will not be betrayed.”[19] In both cases, strong dissents raised concerns about the third-party doctrine in the financial context. Justice Marshall proclaimed the Act “unconstitutional,”[20] and Justice Douglas observed that “[s]ince the banking transactions of an individual give a fairly accurate account of his religion, ideology, opinions, and interests, a regulation impounding them and making them automatically available to all federal investigative agencies is a sledge-hammer approach to a problem that only a delicate scalpel can manage.”[21]
The sledgehammer has become the tool of choice for monitoring for financial crimes. Banks’ ability to encrypt data gave rise to the growth of online financial services by ensuring that financial institutions could protect customer data. But as customers use online financial services, they transmit, and thereby necessarily disclose, more information to their financial institutions, which, under the third-party doctrine, is construed as acceptance by the customer that she has no expectation of privacy in the data and the data is thus outside the scope of Fourth Amendment protection. The paradox then is that banks can use encryption to protect private customer data from theft or public disclosure, but the customer nonetheless has no expectation of privacy in the encrypted data under the third-party doctrine. Financial institutions, as I noted earlier, file millions of SARs. The government has created a when-in-doubt-file dynamic. Entities the SEC regulates, for example, routinely face enforcement actions for failing to file enough SARs. As my colleague Commissioner Uyeda and I wrote in dissent to one such enforcement action in which the SEC faulted a broker for not flagging a series of transactions as suspicious, encouraging financial institutions to “see red in every flag and file unnecessary SARs . . . imposes extra costs on firms, and adds unhelpful clutter to the reporting data, making it less useful in the end.”[22]
Just as cell phone technology caused the Supreme Court to grapple anew with the third-party doctrine in Carpenter, new technology can serve as a catalyst to rethink our financial surveillance regime in the United States. A diversity of voices inside and outside government are calling for fresh thinking on the third-party doctrine, generally, and the BSA, specifically.[23] Many commentators have pointed to the ugly clash between the third-party doctrine and digital modernity. Justice Sonia Sotomayor, for example, has said that “the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties . . . is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.”[24] Another commentary pointed out: “The combination of first equating ‘exposure’ with sharing in a public way and then further equating sharing with an automated third party as sharing with an individual is particularly dangerous.”[25] Stories of innocent people suffering harm because of the elaborate financial surveillance infrastructure have added to calls for rethinking the government’s approach.[26] While people appreciate the intention of the BSA, they worry about how it works in practice. Katie Haun, noting that “[e]very purchase, deposit, and transaction, from the smallest Venmo payment for a coffee to a large hospital bill, creates a data point in a system that watches you—even if you’ve done nothing wrong,” has called for a “narrow[ing]” of the BSA.[27]
Questions about the cost, usefulness, and privacy implications of the BSA make reforming the BSA a timely topic. Earlier this summer, Deputy Secretary of the Treasury Michael Faulkender, in discussing guiding principles of BSA modernization reforms, highlighted the Administration’s focus on finding the “optimal fulcrum for balancing the somewhat opposing forces of costs and benefits.”[28] In line with this commitment, the Department of Treasury recently announced its intention to delay the effective date and “revisit the substance” of a recently adopted anti-money laundering rule for investment advisers.[29] A helpful input to reform discussions would be good data about how useful information collected under the BSA is; the number of SARs and CTRs filed does not tell us whether or how they were used.[30] A recent Government Accountability Office Report suggested that the number of CTRs could be reduced without impairing law enforcement since most CTRs are not used.[31] The benefits generated by financial surveillance may not be worth the jaw dropping costs to financial institutions, their customers, and the government.[32]
But we need to ask questions that go beyond the cost to financial institutions of preparing the reports and the cost to government agencies of sifting through them. We should consider with fresh eyes whether these measures are proportionate to the threats we face and whether they diminish the liberties that make the United States a beacon for the rest of the world. Has monitoring in our financial markets placed Americans in a fishbowl that exposes private decisions about sensitive matters to public view? Has the BSA infrastructure added damaging frictions to the financial system’s ability to serve people who are not involved in criminal activity, particularly people who are not wealthy or are associated with politically or socially disfavored activities?[33] Have we forgotten the need, in the words of Supreme Court Justice Brandeis, “to be most on our guard to protect liberty when the government’s purposes are beneficent”?[34] Should we be curtailing, rather than expanding, the government’s enlistment of financial institutions to surveil their customers? Do technologies exist that can both help this country defend itself from threats at a reasonable cost and better protect Americans’ privacy?
The BSA is not the only area in need of a scalpel, instead of a sledgehammer. The government has established other programs for monitoring Americans’ financial transactions.[35] One close-to-home example is the SEC’s Consolidated Audit Trail (“CAT”), which captures customer and order event information for equities and options, across all markets, from the time of order inception through routing, cancellation, modification, or execution. Brokers must collect and send data about their customers’ activity to the CAT, where thousands of employees of the SEC and private self-regulatory organizations (“SROs”) can use it to review every person’s trading activity, without any suspicion of wrongdoing. The CAT takes the place of a more tailored system that allowed the SEC and SROs to get information on an as-needed basis. In addition to being costly,[36] the CAT disregards everyday investors’ privacy interests. Commissioner Uyeda and I consider this to be a tool “one would expect to find in a dystopian surveillance state.”[37] Other voices have raised similar concerns about the program’s implications for Americans’ privacy.[38] The CAT may be facing some long overdue rethinking. Earlier this year, the SEC stopped requiring that brokers send customers’ names, addresses, and birth years to the CAT,[39] and Chairman Atkins has called for a review of the CAT, including taking “a hard look at the reporting requirements and scope of what is collected.”[40]
As policymakers and legal scholars consider how longstanding, historic rights embodied in the Fourth Amendment apply when people interact with modern technologies operated by third parties, technologists are simultaneously working on protecting people’s privacy. Just as old technologies expanded the reach of the third-party doctrine, new technologies that eliminate intermediaries may make it less powerful. New and improved technology can diminish the need for us to rely on third parties and thus to hand our information over to them. Where, by design or deficiency, the law will not protect us, technology might. Encrypted networks and cryptographic protocols are such tools. Zero-knowledge proofs allow a person to prove who she is or something about her (such as her age) without requiring her to share her private information. Privacy pools and mixers enable a person to keep private her compensation, her donations to charity, her associations with political or religious organizations,[41] and her purchases. Decentralized physical infrastructure networks remove the centralized party from the provision of essential services and so make it harder for a repressive government to track its citizens’ movements. Some public blockchains include privacy-protection and thus enable people to do what the introduction of private phone lines did—shield sensitive information from public exposure.[42]
For these and other new technologies to be able to play a role in protecting Americans’ privacy, government must guard jealously the ability of Americans to use them freely. Such protective measures may run counter to regulatory instincts, but overcoming those instincts is crucial to maintaining the freedom and prosperity of the American people. Indeed, a series of recent events reminds us that limitations on the use of privacy-protecting tools can expose people to threats to their physical safety too.[43] Rather than something to be feared, we should embrace these tools’ ability to help humanity live freer lives without unwarranted financial surveillance. People use these tools for bad purposes too, but treating technology as the villain will impinge on legitimate users’ privacy.[44] Going after the real villains is important, but we can do so while still ensuring widespread access to fundamental American rights.
Most public servants engaged in law enforcement have dedicated their lives to protecting this country precisely because of the values this country embodies. While not perfect and not always perfectly aligned with one another, we constantly strive as a people to make this country better and to deepen our nation’s commitment to the dignity of each person. Key to a person’s dignity is her ability to decide to whom she will reveal information about herself. The people who have devoted their careers to our country’s security are well situated to appreciate the importance of their fellow Americans’ right to private, fulfilling lives. They are thus well-suited to advocate for their fellow Americans’ ability to use technologies that help them to live private, fulfilling lives.
The past offers us an important lesson. In the 1990s, governments, for national security reasons, wanted to keep strong cryptography out of private hands. The internet could not have succeeded without strong cryptography, so a determined set of cryptographers pushed back and convinced the government that cryptography in private hands was a net positive.[45] Because of their hard-fought victory in the courts and the court of public opinion, we daily rely on encryption to send email, engage in online banking, buy from online merchants, communicate with one another through voice and video, and conduct many other daily tasks. One of those cryptographers, Phil Zimmermann—developer of Pretty Good Privacy (PGP) encryption software—recently made the case for a renewed effort to protect individuals’ right to use end-to-end encryption in their communications, in light of vastly expanded accessibility of these tools to the general population.[46] He argues that for personal privacy and national security reasons, protection of strong, backdoorless end-to-end encryption is essential, and governments of free people should defend the right of private citizens to use it so they can protect themselves in a world replete with bad actors.[47]
We should take concrete steps to protect people’s ability not only to communicate privately, but to transfer value privately, as they could have done with physical coins in the days in which the Fourth Amendment was crafted. A recent President’s Working Group included the following pertinent recommendation: “American citizens and businesses should be able to own digital assets and use blockchain technologies for lawful purposes without fear of prosecution. Likewise, American entrepreneurs and software developers should have the liberty, and regulatory certainty, to upgrade all sectors of our economy using these technologies.”[48] As that recommendation suggests, we should welcome privacy-protecting technologies and safeguard the right of individuals to self-custody their crypto assets. And developers of open-source privacy software should not have to answer for the actions that other people take using the software they wrote. Although a centralized intermediary or even a DAO deploying a DeFi application could build in restrictions on its use, an immutable, open-source protocol is available for anyone’s use in perpetuity, so requiring that it comply with financial surveillance measures is fruitless.[49] We should not ask peers transacting with one another, where no intermediary exists, to collect and report information on each other.[50] Doing so would deputize us to surveil our neighbors—a practice antithetical to a free society. Nor should we require an intermediary to step in the middle of peer-to-peer transactions.
SEC Chairman Atkins urged in a recent speech that we need to create a regulatory “path for software developers to unleash on-chain software systems that do not require operation by any central intermediary” and avoid “interpos[ing] intermediaries for the sake of forcing intermediation where the markets can function without them.”[51] As with the internet, technologies that have legitimate uses are better left in the permissionless, available-for-all-to-use category, even though doing so enables people to use them for bad purposes, because taking any other course would impinge fundamental liberties.
Restoring Americans’ privacy in their financial transactions will be an uphill battle. Eric Hughes, who studied mathematics here at Berkeley and wrote A Cypherpunk’s Manifesto, observed, “We cannot expect governments, corporations, or other large, faceless organizations to grant us privacy out of their beneficence.”[52] And sometimes We the People are pretty stingy, too, when it comes to privacy. Whenever I publicly raise concerns about the expansion of financial surveillance, someone says something along these lines, “I have nothing to hide. It is wonderful that law enforcement is watching everyone’s financial transactions so that it can get the bad guys.” They often suspiciously follow that statement with: “Why are you, a regulator, advocating less surveillance?” Privacy scholar Daniel Solove has explained, the “nothing-to-hide” argument “represents a singular and narrow way of conceiving of privacy, and it wins by excluding consideration of the other problems often raised in government surveillance and data mining programs.”[53] The surveillance-is-fine-with-me attitude may reflect a “condition[ing]” of the American people by “influences alien to well-recognized Fourth Amendment freedoms.”[54] People may have gotten so used to a world swallowed by the third-party doctrine and the financial surveillance apparatus that has grown out of it that they have no expectation of freedom from government surveillance of their financial lives. On the other hand, according to one survey, 83 percent of respondents agreed that the government should need a warrant to access financial records, and 79 percent thought it unreasonable for a bank to share a customer’s records with the government.[55] Those statistics give me hope that even deep-rooted policies and common practices can change.
Most fears of financial privacy and the technology that enables it flow from a genuine desire to protect this nation from enemies and criminals. Safeguarding our families, communities, and country from harm is extremely important, but curtailing financial privacy and impeding disintermediating technologies are the wrong approach. Denying people financial privacy—whether through sweeping surveillance programs or restrictions on privacy-protecting technologies—undermines the fabric and freedoms of our families, communities, and nation. The American people and their government should guard zealously people’s right to live private lives and to use technologies that enable them to do so.
I will close by wishing you a belated Happy Watermelon Day. If you forgot to celebrate yesterday, have a slice today, but make sure you have a jar of peanut butter close at hand.
[1] David Price, Goodbye, Operator, Federal Reserve Bank of Richmond: Econ Focus (2019), https://www.richmondfed.org/publications/research/econ_focus/2019/q4/economic_history.
[2] Id.
[3] U.S. Const. amend. IV. The Fourth Amendment reads in full: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
[4] Smith v. Maryland, 442 U.S. 735, 749 (1979) (Marshall and Brennan, JJ. dissenting) (pushing back on the idea that the Petitioner should have expected that information provided “for a limited business purpose” would “be made available to the public in general or the government in particular”).
[5] Smith at 743.
[6] Smith at 744-45.
[7] Carpenter v. U.S., 585 U.S. 296 (2018).
[8] See U.S. v. Chatrie, 107 F.4th 319, 330 (4th Cir. 2024), affirmed en banc, 136 F.4th 100 (4th Cir. 2025) (“Relying on Carpenter, Chatrie argues that the government conducted a search when it obtained his Location History data from Google. We disagree. Carpenter identified two rationales that justify applying the third-party doctrine: the limited degree to which the information sought implicates privacy concerns and the voluntary exposure of that information to third parties. Both rationales apply here.”).
[9] Currency and Foreign Transactions Reporting Act of 1970, 31 USC 5311 et seq. (1970). The BSA generally refers to certain parts of the Currency and Foreign Transactions Reporting Act, its amendments, and the other statutes relating to the subject matter of that Act. The BSA is codified at 12 U.S.C. 1829b, 12 U.S.C. 1951-1960, and 31 U.S.C. 310, 5311-5314, 5316-5336, and including notes thereto, with implementing regulations at 31 CFR Chapter X.
[10] 31 U.S.C. 5311(2) and (3).
[11] 31 U.S.C. 5312(a)(2). One commentator has pointed out that the language of the statute is so broad that “all persons engaged in business and being paid or paying others may be, so defined, financial institutions. Therefore, a plain reading of the Bank Secrecy Act may mandate that every American who pays or is paid must register with the Treasury Department and regularly report the details of her monetary transactions as if she were a bank or other financial institution, and as if the people she paid or took payment from were her bank customers.” Peter Van Valkenburgh, Broad, Ambiguous, or Delegated: Constitutional Infirmities of the Bank Secrecy Act, Coin Center Report (Nov. 2023), https://www.coincenter.org/broad-ambiguous-or-delegated-constitutional-infirmities-of-the-bank-secrecy-act/.
[12] 31 U.S.C. 5318(g)(1); see also 12 CFR 21.11.
[13] 31 CFR 1010.311.
[14] Section 326 of the USA PATRIOT Act, Pub. L. No. 107-56, 115 Stat. 272 (2001), amended the BSA to require financial institutions to implement a customer identification program (CIP) to verify the identities of individuals and entities seeking to open new accounts. The CIP requirement applies to certain banks (31 CFR 1020.220), broker-dealers (31 CFR 1023.220), mutual funds (31 CFR 1024.220), and futures commission merchants and introducing brokers (31 CFR 1026.220). A proposed rule requiring certain SEC-registered investment advisers to adopt CIPs has been paused for reconsideration. Press Release, Treasury Announces Postponement and Reopening of Investment Adviser Rule, Treasury Department (July 21, 2025), https://home.treasury.gov/news/press-releases/sb0201.
[15] Financial Crimes Enforcement Network, Year in Review for Fiscal Year 2024 at 3 (June 18, 2025), https://www.fincen.gov/sites/default/files/shared/FinCEN-Infographic-Public-2025-508.pdf.
[16] Nicholas Anthony, The Right to Financial Privacy, CATO Institute (May 2, 2023), https://www.cato.org/policy-analysis/right-financial-privacy#trouble-wake-bank-secrecy-act.
[17] California Bankers Association v. Shultz, 416 U.S. 21 (1974).
[18] U.S. v. Miller, 425 U.S. 435 (1976).
[19] Id. at 443.
[20] Id. at 456 (Marshall, J., dissenting). (“Because the recordkeeping requirements of the Act order the seizure of customers’ bank records without a warrant and probable cause, I believe the Act is unconstitutional . . . .”).
[21] California Bankers Association v. Shultz, 416 U.S. 21, 85 (1974) (Douglas, J., dissenting). See also California Bankers Association v. Shultz, 416 U.S. 21, 95-96 (1974) (Marshall, J., dissenting) (“The fact that one has disclosed private papers to the bank, for a limited purpose, within the context of a confidential customer-bank relationship, does not mean that one has waived all right to the privacy of the papers.”); California Bankers Association v. Shultz, 416 U.S. at 78-79 (Powell, J., concurring) (noting that a “significant extension of the regulations’ reporting requirements . . . would pose substantial and difficult constitutional questions . . . At some point, governmental intrusion upon these areas would implicate legitimate expectations of privacy”).
[22] Commissioner Hester Peirce & Commissioner Mark Uyeda, Caught in a SAR Trap: Statement on In the Matter of Pierre Economacos, Securities and Exchange Commission, (Sept. 18, 2023), https://www.sec.gov/newsroom/speeches-statements/peirce-uyeda-statement-pierre-economacos-091823.
[23] See, e.g., Brian Knight, Avoiding Misuse of Americans’ Financial Records, Mercatus Center (Mar. 7, 2024), https://www.mercatus.org/research/federal-testimonies/avoiding-misuse-americans-financial-records (recommending, among other things, delayed notification to SAR subjects, more latitude for financial institutions to push back against unreasonable government information demands, “a reasonableness requirement for all transfers of information,” a prohibition on “dragnet style mass requests as well as reports based solely or primarily on constitutionally protected activity,” a prohibition on the use of “classifying criteria that directly relate to, or seek to identify, constitutionally protected activities . . . such as the purchase of firearms, …. political, religious, or other core constitutional rights . . . and other highly sensitive issues such as healthcare,” and the creation of a privacy advocacy body); Press Release, Lee Introduces the Saving Privacy Act for 119th Congress, Office of Senator Mike Lee (Feb. 27, 2025), https://www.lee.senate.gov/2025/2/lee-introduces-the-saving-privacy-act-for-119th-congress (repealing, among other changes, the transaction reporting requirements of the Bank Secrecy Act); Anthony, supra note 16 (recommending revamping the Right to Financial Privacy Act); Tonja Jacobi & Dustin Stonecipher, A Solution for the Third-Party Doctrine in a Time of Data Sharing, Contact Tracing, and Mass Surveillance, 97 Notre Dame L. Rev. 823 (2022) available at https://scholarlycommons.law.emory.edu/cgi/viewcontent.cgi?article=1011&context=faculty-articles (arguing that a correct reading of Katz could lead to “a coherent and well-grounded” solution to the third-party problem); Press Release, Rep. Rose Introduces the Bank Privacy Reform Act to Stop the Government from Warrantless Surveillance of the American People, Office of Rep. John Rose (Oct. 11, 2022), https://johnrose.house.gov/media/press-releases/rep-rose-introduces-bank-privacy-reform-act-stop-government-warrantless (introducing bill to require warrant for government to access personal, private information); Norbert Michel & Nicholas Anthony, Comment Letter to FinCEN regarding Review of Bank Secrecy Act Regulations and Guidance, CATO Institute (Feb. 7, 2022), https://www.cato.org/sites/cato.org/files/2022-02/michel-anthony-public-comment-2-7-2022.pdf (recommending, among other things, better information regarding “how many reports lead to secondary investigation, legal action, or conviction”; “[a]djusting BSA reporting and recordkeeping thresholds to adjust for inflation”; and revoking regulations requiring reporting of transactions in which “two private parties are involved in an exchange of goods or services”); Norbert Michel and David Burton, Financial Privacy in a Free Society, Heritage Foundation, (Sep. 23, 2016), https://www.heritage.org/markets-and-finance/report/financial-privacy-free-society#_ftn90 (recommending, among other things, annual reporting of “the number of AML referrals, prosecutions, and convictions”; “a rigorous data-driven cost-benefit analysis of the current BSA/AML regime”; and “a well-considered, integrated international convention that ensures robust information sharing for the purposes of preventing terrorism, crime, and fraud, but also provides enforceable legal protections for the financial and other privacy interests of member states’ citizens and the legitimate commercial interests of their businesses”); Virginia O’Neill, Letter to FinCEN on Information Collection Requirements relating to Currency Transaction Reports, American Bankers Association (Apr. 5, 2025), https://www.aba.com/advocacy/policy-analysis/letter-to-fincen-on-ctr-pra-2024 (advocating for changes to CTR reporting thresholds and noting that original $10,000 reporting threshold for cash transactions would be $170,000 if adjusted for inflation); Angelena Bradfield, Letter to FinCEN regarding Request for Information and Comment Regarding Review of Bank Secrecy Act Regulations and Guidance, Bank Policy Institute (Feb. 14, 2022), https://bpi.com/wp-content/uploads/2022/02/BPI-Comments-on-FinCEN-Review-of-Bank-Secrecy-Act-Regulations-and-Guidance.pdf (recommending “updat[ing] AML program rules so that the rules expressly authorize financial institutions to implement programs that are risk-based—that is, programs that are effective and reasonably designed in light of an institution’s specific activities and risk profile” and “encourag[ing] and expressly permit[ting] innovative approaches to AML compliance”).
[24] United States v. Jones, 565 U.S. 400, 417 (Sotomayor, J., concurring) (citations omitted).
[25] Tonja, supra note 23 at 836; see also Michael Dreeben et al., Resolving Carpenter’s Third-Party Paradox (Part I – The Paradox), Just Security (Sep. 21, 2023), https://www.justsecurity.org/88413/resolving-carpenters-third-party-paradox-part-i-the-paradox/ (identifying a “third party paradox” where lack of notice to consumers of government searches and data platforms’ lack of standing to challenge government demands prevents citizens from exercising their Fourth Amendment rights).
[26] See, e.g., Brian Doherty, How Vexatious Government Demands Can Lead Your Bank to Refuse to Do Business with You, Reason (Nov. 6, 2023), https://reason.com/2023/11/06/how-vexatious-government-demands-can-lead-your-bank-to-refuse-to-do-business-with-you/ (documenting numerous examples where law-abiding citizens were harmed by financial surveillance practices); Grant Rabenn, End the era of mass financial surveillance, a16zcrypto (Feb. 4, 2025), https://a16zcrypto.com/posts/article/end-era-mass-financial-surveillance/ (“[H]igh compliance costs also pose formidable barriers to entry for smaller financial service providers — including fintech startups — who need to build a business before establishing million-dollar compliance programs.”); Washington Examiner, Civil asset forfeiture cries out for reform, (Feb. 22, 2016), https://www.washingtonexaminer.com/opinion/1777376/civil-asset-forfeiture-cries-out-for-reform/ (“in 2014, the Internal Revenue Service seized Quran’s entire bank account, worth more than $150,000, under civil asset forfeiture laws. Quran was accused of making bank deposits of smaller than $10,000, which the IRS saw as violating “structuring” laws. Such laws are designed to capture individuals and businesses that try to evade bank-reporting laws.”).
[27] Katie Haun, The Bank Secrecy Act is failing everyone, It’s time to rethink financial surveillance, MIT Technology Review (June 25, 2025), https://www.technologyreview.com/2025/06/25/1119324/katie-haun-bank-secrecy-act-oped/.
[28] Michael Faulkender, Deputy Secretary Faulkender Lays out Guiding Principles for Bank Secrecy Act Modernization, Treasury Department (June 18, 2025), https://home.treasury.gov/news/press-releases/sb0173.
[29] Press Release, supra note 14.
[30] See, e.g., Nicholas Anthony, Reporting FinCEN’s Suspicious Activity, Again, CATO At Liberty (July 9, 2025) https://www.cato.org/blog/reporting-fincens-suspicious-activity-again (arguing that statistics released by FinCEN do not provide sufficient context to judge the effectiveness of the BSA).
[31] Government Accountability Office, GAO-25-106500, Currency Transaction Reports: Improvements Could Reduce Filer Burden While Still Providing Useful Information to Law Enforcement 57 (Dec. 11, 2024) available at https://www.gao.gov/products/gao-25-106500 (“By taking steps to reduce the number of unused CTRs, such as by raising the reporting threshold or expanding exemptions, FinCEN has opportunities to reduce reporting burdens without compromising the value of CTRs to law enforcement.”).
[32] See, e.g., Austin Anton, BPI Survey Finds FinCEN Significantly Underestimates SAR Filing Demands, Bank Policy Institute (Apr. 17, 2024), https://bpi.com/bpi-survey-finds-fincen-significantly-underestimates-sar-filing-demands/ (reporting that a survey of members “found that banks spend 21.41 hours for every SAR filed”); Government Accountability Office, GAO-20-574, Anti-Money Laundering: Opportunities Exist to Increase Law Enforcement Use of Bank Secrecy Act Reports, and Banks’ Costs to Comply with the Act Varied 43-51 (Sep. 22, 2020), available at https://www.gao.gov/products/gao-20-574 (finding banks spent an average of $15 per new account in BSA/AML due diligence and noting that total BSA compliance costs totaled about 2% of operating expenses for the smallest banks surveyed, but less than 1% for the largest banks); Drew Dahl et al., Compliance Costs, Economies of Scale and Compliance Performance, Federal Reserve Bank of St. Louis: Community Bank Research and Outreach (Apr. 2018), https://www.communitybanking.org/-/media/files/communitybanking/compliance-costs-economies-of-scale-and-compliance-performance.pdf?sc_lang=en.
[33] See, e.g., Aaron Klein, Investigating the Real Impacts of Debanking in America: Hearing before S. Comm. on Banking, Housing, & Urban Affairs, 119th Cong. (2025), https://www.banking.senate.gov/imo/media/doc/klein_testimony_2-5-25.pdf (noting that AML costs can make banks reluctant to serve low-income consumers and certain businesses, like cannabis businesses); Staff of the H. Comm. On the Judiciary and Select Subcomm. On the Weaponization of the Federal Government, 118th Cong., Financial Surveillance in the United States: How Federal Law Enforcement Commandeered Financial Institutions to Spy on Americans (Mar. 6, 2024), https://judiciary.house.gov/sites/evo-subsites/republicans-judiciary.house.gov/files/evo-media-document/How-Federal-Law-Enforcement-Commandeered-Financial-Institutions-to-Spy.pdf (alleging, among other things, that the government worked with financial institutions after January 6 to flag purchases of items such as firearms and religious texts); Michael J. Casey, A Reckoning Looms for America’s 50-Year Financial Surveillance System, CATO Journal (Spring/Summer 2021), https://www.cato.org/cato-journal/spring/summer-2021/reckoning-looms-americas-50-year-financial-surveillance-system#it-all-worth-it (“[B]anks’ strict application of KYC-AML rules across all customer and interbank relationships has fostered widespread risk aversion among bankers. Engaging with the poor is just not worth the risk for them. This has left billions of people in the world’s informal economies as bystanders to the global economy and unable to break free of poverty.”); U.S. Government Accountability Office, GAO-18-263, Bank Secrecy Act: Derisking Along the Southwest Border Highlights Need for Regulators to Enhance Retrospective Reviews 18-30 (Feb. 26, 2018) available at https://www.gao.gov/assets/gao-18-263.pdf (finding that banks in the Southwest border region were declining to serve some communities and certain types of businesses to avoid burdens associated with monitoring for money laundering).
[34] Olmstead v. United States, 278 U.S. 438, 479 (1928) (Brandeis, J., dissenting).
[35] Other measures include section 311 of the USA PATRIOT Act and subsequent measures, which restrict Americans’ transacting with foreign entities, and 26 U.S.C. 6050I, which requires reporting of transactions over $10,000 in cash (and more recently, digital assets) to the IRS.
[36] See, e.g., Consolidated Audit Trail, LLC, 2025 Financial and Operating Budget, (May 19, 2025), https://catnmsplan.com/cat-financial-and-operating-budget (projecting $211.6 million in “cloud hosting services” and other technology expenditures for the CAT system in 2025); see also American Securities Association v. SEC, No. 23-13396, 2025 WL 2092054 (11th Cir. July 25, 2025) (“The costs of building and funding the CAT have far exceeded the Commission’s expectations. By the end of 2022, $518 million had been spent to build the (incomplete) CAT—nearly eight times more than the top Commission estimate. . . . And by 2023, operating costs had climbed to nearly $200 million per year—nearly four times greater than the high-end Commission estimate.”).
[37] Commissioner Hester Peirce & Commissioner Mark Uyeda, Dissenting Statement on Electronic Submission of Certain Materials Under the Securities Exchange Act of 1934 and Amendments Regarding the FOCUS Report, Securities and Exchange Commission (Dec. 16, 2024), https://www.sec.gov/newsroom/speeches-statements/peirce-uyeda-statement-focus-report-121624.
[38] See, e.g., Ronald Newman & Kate Ruane, ACLU Letter to SEC on the Consolidated Audit Trail, ACLU (Dec. 16, 2019) at 1, https://www.aclu.org/documents/aclu-letter-sec-consolidated-audit-trail (“We are concerned that the CAT will pose significant risks to the privacy of millions of investors and write to urge the [SEC] to take additional steps to protect the privacy and security of the information that the CAT will collect, store, and disclose as CAT implementation continues.”); Jerry Markham, The SEC’s Consolidated Audit Trail (CAT): A Case Study of Financial Privacy and U.S. Government Surveillance, Florida International University Legal Studies Research Paper No. 5012274 at 67 (Nov. 5, 2024), https://ssrn.com/abstract=5012274 (“CAT, BSA, and other surveillance programs of financial services regulators pose a threat to the financial security and liberty of Americans. The government’s unsuccessful effort to stop all crime and terrorism through financial surveillance ignores the costs of freedom that must be paid to obtain a utopian crime free society.”); Robert Cook, CAT Should Be Modified to Cease Collecting Personal Information on Retail Investors, FINRA (Jan. 17, 2025), https://www.finra.org/media-center/blog/cat-should-be-modified-to-cease-collecting-personal-information-on-retail-investors (“Requirements for the customer database were conceived by the SEC 15 years ago. A lot has changed since then, including the risks associated with such a database. For example, cybersecurity events are increasing, raising concerns about consolidating investors’ personal information in a centralized database. There are also concerns about the privacy implications of an SEC-mandated system to collect and store personal information about investors simply because they participate in our securities markets, without having first established some specific need for that information.”); Clyde Crews, The social significance of the Consolidated Audit Trail, Competitive Enterprise Institute (Aug. 19, 2024), https://cei.org/blog/the-social-significance-of-the-consolidated-audit-trail/ (describing the CAT as an “intrusion” and noting that “the erosion of financial privacy has a deep relation to the erosion of the freedom to hold and express dissenting political views”).
[39] Press Release, Exemption From Requirement to Report Certain Personally Identifiable Information to the Consolidated Audit Trail, Securities and Exchange Commission (Feb. 10, 2025), https://www.sec.gov/newsroom/press-releases/2025-38.
[40] Chairman Paul Atkins, Prepared Remarks Before SEC Speaks, Securities and Exchange Commission (May 19, 2025), https://www.sec.gov/newsroom/speeches-statements/atkins-prepared-remarks-sec-speaks-051925.
[41] See, e.g., NAACP v. Alabama ex rel. Patterson, 357 U.S. 449, 462 (1958) (“Inviolability of privacy in group association may in many circumstances be indispensable to preservation of freedom of association.”).
[42] Many public blockchains allow everyone to see what others are doing onchain and thus function as did the party lines of my grandfather’s era—neighbors sharing a phone line could listen in on one another’s conversations.
[43] Alan Suderman, Why ‘wrench attacks’ on wealthy crypto holders are on the rise, Associated Press (May 28, 2025), https://apnews.com/article/crypto-bitcoin-kidnapping-wrench-attack-ddc7263c25ba590f85648e1682576971.
[44] See, e.g., Rachel Rettig, Michael Mosier & Katja Gilman, Genuine DeFi as Critical Infrastructure: A Conceptual Framework for Combating Illicit Finance Activity in Decentralized Finance, Polygon Labs and Arktouros PLLC (Feb. 2, 2024) at 24, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4607332 (“Privacy technologies and practices — whether VPNs, holding companies, mixers or encryption — are purpose-agnostic, allowing both legitimate/licit and illicit uses. Law-abiding individuals, corporations and even governments, such as the U.S. government, use privacy technology in furtherance of completely lawful, legitimate ends.”).
[45] See generally Craig Jarvis, Crypto Wars: The Fight for Privacy in the Digital Age (2020).
[46] See, e.g., Bitcoin Magazine, Digital Privacy & Public Policy: The History & The Future w/ Phil Zimmerman, (YouTube, Aug. 29, 2024), https://www.youtube.com/watch?v=gc9OVCor-Ic; Supply Shock: PGP Creator: Bitcoin Is Not the Revolution You Think (Apple Podcasts, May 13, 2025).
[47] Id.
[48] The President’s Working Group on Digital Asset Markets, Strengthening American Leadership in Digital Financial Technology, The White House (July 30, 2025), https://www.whitehouse.gov/crypto/.
[49] Gavin Zavastone & Henry Michaelson, The Bank Secrecy Act is Broken, DeFi Education Fund (Feb. 2025), https://www.defieducationfund.org/post/examining-the-burdens-costs-and-failures-of-the-bank-secrecy-act-bsa-and-the-potentially-disast (“DeFi software providers and operators neither accept nor transmit funds on behalf of their users; thus, subjecting them to the BSA framework would effectively impose a de facto ban on noncustodial software, as compliance with BSA obligations for money transmitters (e.g., CTR and SAR filings) is functionally impossible.”). Rettig, Mosier, and Gilman have suggested a substitute framework that preserves the disintermediated nature of true DeFi, yet still provides a hook for government oversight. Rettig, supra note 44. Before such a measure is implemented, careful consideration, as the paper calls for, is necessary.
[50] Some existing measures take such an approach. See, e.g., 26 U.S.C. 6050I; Abraham Sutherland, Tax code section 6050I and ‘digital assets’: This Overlooked Surveillance and Reporting Mandate Should Be Struck from the [2021] Infrastructure Bill, Proof of Stake Alliance Research Report (Sep. 17, 2021), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4137761.
[51] Chairman Paul Atkins, American Leadership in Digital Finance Revolution, Securities and Exchange Commission (July 31, 2025), https://www.sec.gov/newsroom/speeches-statements/atkins-digital-finance-revolution-073125.
[52] Eric Hughes, A Cypherpunk’s Manifesto, Activism.net (Mar. 9, 1993), https://www.activism.net/cypherpunk/manifesto.html.
[53] Daniel Solove, “I’ve Got Nothing to Hide” and Other Misunderstandings of Privacy, 44 San Diego L. Rev. 745, 772 (2007) available at https://scholarship.law.gwu.edu/cgi/viewcontent.cgi?article=1159&context=faculty_publications. See also Daniel Solove, Nothing to Hide: The False Tradeoff Between Privacy and Security (2011).
[54] In Smith v. Maryland, Justice Blackmun, writing for the Court, remarked that “a normative inquiry” as to the scope of Fourth Amendment protections is appropriate when “an individual’s subjective [privacy] expectations had been ‘conditioned’ by influences alien to well recognized Fourth Amendment freedoms” such as those held if “the government were suddenly to announce on nationwide television that all homes henceforth would be subject to warrantless entry” or by “a refugee from a totalitarian country, [who] unaware of this nation’s traditions, erroneously assumed that police were continuously monitoring his telephone conversations.” 442 U.S. 735, 740-41, fn. 5 (1979).
[55] Anthony, supra note 16, Figure 3.
Last Reviewed or Updated: Aug. 5, 2025