The Internal Revenue Service has filed a "John Doe" summons seeking to require U.S. Bitcoin exchange Coinbase to turn over records about every transaction of every user from 2013 to 2015. That demand is shocking in sweep, and it includes: "complete user profile, history of changes to user profile from account inception, complete user preferences, complete user security settings and history (including confirmed devices and account activity), complete user payment methods, and any other information related to the funding sources for the account/wallet/vault, regardless of date." And every single transaction:
All records of account/wallet/vault activity including transaction logs or other records identifying the date, amount, and type of transaction (purchase/sale/exchange), the post transaction balance, the names or other identifiers of counterparties to the transaction; requests or instructions to send or receive bitcoin; and, where counterparties transact through their own Coinbase accounts/wallets/vaults, all available information identifying the users of such accounts and their contact information.
The demand is not limited to owners of large amounts of Bitcoin or to those who have transacted in large amounts. Everything about everyone.
Equally shocking is the weak foundation for making this demand. In a declaration submitted to the court, an IRS agent recounts having learned of tax evasion on the part of one Bitcoin user and two companies. On this basis, he and the IRS claim "a reasonable basis for believing" that all U.S. Coinbase users "may fail or may have failed to comply" with the internal revenue laws.
If that evidence is enough to create a reasonable basis to believe that all Bitcoin users evade taxes, the IRS is entitled to access the records of everyone who uses paper money.
Anecdotes and online bragodaccio about tax avoidance are not a reasonable basis to believe that all Coinbase users are tax cheats whose financial lives should be opened to IRS investigators and the hackers looking over their shoulders. There must be some specific information about particular users, or else the IRS is seeking a general warrant, which the Fourth Amendment denies it the power to do.
Speaking of the Fourth Amendment, that rock-bottom "reasonable basis" standard is probably insufficient. Americans should and probably do have Fourth Amendment rights in information they entrust to financial services providers required by contract to keep it confidential. Observers of Fourth Amendment law know full-well that the "third-party doctrine," which cancels Fourth Amendment interests in shared information, is in retreat.
The IRS's effort to strip away the privacy of all Coinbase users is more broad than the government's effort in recent cases dealing with cell site location information. In the CSLI cases, the government has sought data about particular suspects, using a standard below the probable cause standard required by the Fourth Amendment ("specific and articulable facts showing that there are reasonable grounds to believe").
In United States v. Benbow, we argued to the D.C. Circuit that people retain a property right in information they share with service providers under contractual privacy obligations. This information is a "paper or effect" for purposes of the Fourth Amendment. Accordingly, a probable cause standard should apply to accessing that data.
Again, the government in the CSLI cases sought information about the cell phone use of particular suspects, and that is controversial enough given the low standard of the Stored Communications Act. Here, the IRS is seeking data about every user of Bitcoin, using a standard that's even lower.
Coinbase's privacy policy only permits it to share user information with law enforcement when it is "compelled to do so." That implies putting up a reasonable fight for the interests of its users. Given the low standard and the vastly overbroad demand, Coinbase seems obligated to put up that fight.