The crypto winter has pumped new life into the adage “Not your keys, not your coins,” particularly after the collapse of some high-profile enterprises like the Celsius Network, whose funds were frozen in June. Just last week, Ledger CEO Pascal Gauthier hammered home the point further, warning: “Don’t trust your coins and your private keys to anyone because you don’t know what they’re going to do with it.”
The basic idea behind the adage, familiar to many crypto veterans, is that if you don’t personally hold your private keys (i.e., passwords) in an offline “cold wallet,” then you don’t really control your digital assets. But, Gauthier was also framing the issue in a larger context as the world moves from Web2 to Web3:
“A lot of people are still in Web2 [...] because they want to stay in the matrix where they’re being controlled, because it’s easier, it’s you know just click yes yes yes and then someone else is going to deal with your problems.”
But, giving away control won’t set you free. “Taking responsibility is how you become free.”
Admittedly, Gauthier has a self-interest here — Ledger is one of the world’s largest cold-wallet providers. Then, too, he may have been stating the obvious. In May, Coinbase acknowledged in an SEC 10-Q filing that if it ever went bankrupt, customers that entrusted their digital assets to the exchange “could be treated as our general unsecured creditors,” i.e., could find themselves standing at the back of the creditors’ line in bankruptcy proceedings.
“It doesn’t matter that the exchange’s contract with you says you ‘own’ the currency,” Georgetown University law professor Adam Levitin told Barron's at the time, “That’s not determinative of what will happen in bankruptcy.”
But, Gauthier’s statement raises other questions, too. This notion of seizing “control” of one’s keys and coins could become more complicated given recent regulatory proposals in Europe, as well as a key government agency interpretation in the United States. Moreover, as the world transitions from Web2 to Web3, is it really so certain that centralized solutions like Coinbase and others might still not have an important role to play with regard to custody and, yes, even privacy?
Learning the hard way
Generally speaking, it appears that consumers still do not understand the potential risks when they turn their crypto private keys over to centralized platforms and exchanges.
“It’s been made abundantly clear that even the most seemingly trustworthy custodians can still make grave missteps with user funds,” Nick Saponaro, CEO at the Divi Project, told Cointelegraph. “The promise of self-sovereign ownership of your money is immediately obliterated when users hand over their private keys to any third-party, regardless of that third-party's genuine intent.”
“All crypto users should learn and be responsible for the security of their own coins by storing them securely on hardware wallets,” Bobby Ong, co-founder and chief operating officer at CoinGecko, told Cointelegraph.“However, this is not a popular move because for most crypto users, it is probably more convenient to store them on centralized exchanges.”
Still, a centralized exchange (CEX) can be useful at times and maybe we should expect to live in a hybrid cryptoverse for a while, with both cold and hot wallets, centralized and decentralized exchanges (DEXs).
“There is a case for using centralized exchanges for sending funds to others to not doxx your crypto addresses,” said Ong. “This is because when you send a transaction to someone else, they will know your address and can see your balance, historical transactions, and all future transactions.”
Indeed, Ong tweeted recently: “The basic advice now is to have multiple wallets for various purposes and to fund these wallets using centralized exchanges. This works well but it’s not good enough. If you use FTX or Binance, Uncle Sam and Changpeng Zao will know all your wallets and they can profile you instead.”
Continued Ong, “To get full privacy for your new wallet, a service like Tornado Cash is needed. Granted, it’s probably more expensive, slow and tedious,” but having such an option would ensure privacy and make crypto behave more like cash, he added.
Justin d’Anethan, institutional sales director at Amber Group, agreed that trade-offs remain. “You can’t do as many sophisticated trades from a private wallet as you can on a centralized platform, or at least not as easily and efficiently,” he told Cointelegraph. Large, sophisticated traders will always need to have some of their holdings on exchanges to optimize returns. In his personal case:
“I hold a chunk of my core holdings in private wallets, but I definitely hold some assets on centralized platforms for yield generation, some rebalancing, etc.”
Corporate entities, especially, may not want to handle the operational side of a trade, including investment and custody, and they may also want to interact with a recognized and established centralized entity that can perform due diligence. Also, corporations may want to have an identifiable and liquid entity to sue “in the event of an error,” added d’Anethan.
On the retail side, setting up a private wallet can still be daunting, which may explain why so many entrust private keys to CEXs and the like, even if it isn’t always the best way. As d’Anethan told Cointelegraph:
“You might not know how — or have the motivation — to buy a private wallet, set it up to hold your private key and bear the risk of losing it. So, the path of least resistance wins.”
Do regulators still not “get it?”
Elsewhere, self-hosted wallet providers may soon face tough regulations in Europe if and when the EU’s Transfer of Funds Regulation (TFR) proposal takes hold. It could overturn this whole notion about taking control of one’s private keys and coins.
“Effectively, it would amount to a ‘de facto’ ban on self-hosted wallets by enforcing to connect personal identities with self-hosted wallets,” wrote Philipp Sandner and Agata Ferreira.
Mikolaj Barczentewicz, associate professor at the United Kingdom’s University of Surrey, told Cointelegraph:
“The TFR proposal doesn’t ban self-custodied wallets, but it does incentivize service providers to treat them as ‘high risk’ for money laundering.[…] It may become practically very difficult to transact using self-hosted wallets.”
Defenders of the TFR might respond that it’s not regulators’ fault that businesses are not better at risk-based analysis and at distinguishing situations of genuinely high risk of criminality, but “I don’t think that answer works,” continued Barczentewicz. “It shows a lack of understanding — or care — for the fact that regulations need to be designed to be workable in the real world. The EU is basically saying to businesses: ‘You figure it out.’”
However, the biggest threat to self-custodied wallets in Barczentewicz’s view “is something like the scenario we’ve been watching in reaction to Tornado Cash being sanctioned by the U.S.: Businesses are afraid and engaging in over-compliance, doing more than the law requires.”
As reported, on Aug. 8, the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued legal sanctions against digital currency mixer Tornado Cash for its role in laundering over $455 million worth of cryptocurrency stolen by the North Korean-linked hacking organization Lazarus Group.
According to data analytics firm Chainalysis, the obligations of non-custodial crypto wallet providers are now unclear under OFAC’s recent designation: “An extreme interpretation could mean that non-custodial wallet providers might also need to block transfers to the sanctioned addresses, though this would be unprecedented.”
At a minimum, government actions like these suggest that cold-wallet solutions to help crypto users take control of their private keys could become more problematic — not less — at least in the immediate future.
An education imperative?
Overall, does the crypto industry face an education challenge here i.e., to explain the importance of cold storage and individual “responsibility” to both individuals and policymakers?
“I think we have to be honest with ourselves,” answered Saponaro. “Yes, education can help some individuals avoid the pitfalls we’ve witnessed in recent months, but most people will not read every article, watch every video or take the time to educate themselves.” Developers have a responsibility to develop products that guide users “into learning by doing.”
“The crypto community, including in the EU, can still do much more to educate policymakers,” added Barczentewicz. “But this education cannot be limited to just explaining how crypto works. It is a mistake to think that once policymakers ‘get it,’ they will come up with sensible rules on their own.”
The crypto community needs to be proactive in proposing detailed technical and regulatory notions of how to fight crime and malfeasance without giving up key benefits of crypto, like self-custody, he said. “It is not enough just to mention buzzwords like ‘zero knowledge proofs’ and then expect the policymakers to do the hard work.”
Is taking “control” really important?
What about Gauthier’s larger point that people simply have to learn to take "responsibility" for their assets — digital and otherwise — because “taking responsibility is how you become free?”
“Crypto is a game-changer because we now have full control of our money without the need to trust any third-party,” said Ong. That said, some people “may choose to pass on the responsibility and trust a third-party custodian who may be better equipped to store their coins safely — and that is acceptable too,” he told Cointelegraph.
“In the crypto space, you typically have very binary opinions about how things can grow from here. I think the truth is somewhat in the middle,” said d’Anethan, adding:
“One is delusional if one thinks every individual and corporate is going full DeFi tomorrow. But, one would also be delusional if one thinks the growing digital world will forever stay within the Web2 infrastructure.”
What may be best is to have both centralized and decentralized platforms, “so that the user base can gradually shift where it sees the most value — however long that takes,” he said.
