Case Wallet: A Possible Case Study in Unintended Consequences
The Case Wallet is remarkable for consumer protection. However, it may be subject to state licensing like New York’s BitLicense—something regulators should want to avoid.
"Your bitcoin wallet has three keys and two of them are needed to complete a transaction. One key is embedded on the device so it is secured by the possession factor. No one can gain access to this key without having possession of the device. However, this key isn't enough to complete a transaction. A second key is stored on our servers and transactions are only signed by the server key if the fingerprint scan is a match so this key is secured by a biometric factor. That means even if your device is lost or our servers are compromised, your bitcoins are safe. A third key sits in an offline vault and is only used if you ever lose your Case to help you recover your bitcoins."

It's that last sentence that will raise questions in the mind of regulators. The third key may be in a vault, but if it is under Case's control then it can be argued that Case has custody of the consumer's funds--even if they never intend to use the third key for anything other than disaster recovery. As a result, Case would be in a position of trust and thus subject to licensing.

In practice, Case does not hold on to the third key. They have contracted with Andreas Antonopoulos's Third Key Solutions (TKS) to securely store customer disaster recovery keys. That may not save them from licensing, however. Even if it does not have physical possession of the third key, if Case's agreement with TKS allows it to retrieve stored keys on demand, then it can still be argued to (functionally) have two out of three keys and thus the ability to move customer funds on its own. TKS, on the other hand, should never be subject to licensing because they only ever hold one key, and because they will hopefully fall under a business-to-business exemption for which we've advocated (see page 4 here).

What this shows us is how a small, innovative startup, whose sole mission is to improve the security of consumer bitcoin wallets--to prevent another Mt. Gox--may find itself subject to complicated and expensive licensing. And it's not just the BitLicense. A company like Case may find that it has to get a license in every state, something that costs millions and takes years. This prospect could really squelch the development of positive innovative technologies like Case.

This is why licensing schemes like New York's BitLicense must include an on-ramp for startups. This is something we've advocated for again and again and again and again. A company like Case should be able to get off the ground without having to worry about licensing until they are of a sufficient size to pose a real risk to consumers. Licensing them from day zero is only going to discourage the development of security technologies like the one Case is trying to bring to market. There's no regulator that should want this.

Update: Case has published a blog post explaining their multisig key model. Interesting to note that you can choose to store the disaster recovery key yourself.
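The custody argument above comes down to counting which keys each party can reach, whether by holding them or by demanding them from a custodian. The sketch below is an added example, not code from Case or TKS; the party labels (`user`, `case`, `tks`), key labels and the one-level retrieval-rights model are assumptions made for illustration.

```python
# Added illustration; party and key labels are hypothetical, not Case's or TKS's identifiers.
THRESHOLD = 2  # signatures required in the 2-of-3 scheme


def reachable_keys(party, holds, retrieval_rights):
    """Keys a party can sign with: those it holds plus those it may demand
    from a custodian under contract (one level, assumed non-transitive)."""
    keys = set(holds.get(party, ()))
    for custodian in retrieval_rights.get(party, ()):
        keys |= set(holds.get(custodian, ()))
    return keys


def can_move_funds(parties, holds, retrieval_rights, threshold=THRESHOLD):
    """True if the given parties, acting together (or all compromised by the
    same attacker), can reach the signing threshold."""
    keys = set()
    for party in parties:
        keys |= reachable_keys(party, holds, retrieval_rights)
    return len(keys) >= threshold


def unilateral_signers(holds, retrieval_rights, threshold=THRESHOLD):
    """Parties that reach the threshold alone, i.e. have functional custody."""
    everyone = set(holds) | set(retrieval_rights)
    return sorted(p for p in everyone
                  if can_move_funds([p], holds, retrieval_rights, threshold))


# Constructed scenarios mirroring the arrangements discussed in the text.
THIRD_PARTY_VAULT = {"user": {"device"}, "case": {"server"}, "tks": {"recovery"}}
SELF_STORED = {"user": {"device", "recovery"}, "case": {"server"}}
NO_RIGHTS = {}                        # vault releases the key only to the customer
CASE_CAN_RETRIEVE = {"case": {"tks"}}  # vendor may retrieve stored keys on demand

if __name__ == "__main__":
    print("vault, no retrieval right:", unilateral_signers(THIRD_PARTY_VAULT, NO_RIGHTS))
    print("vault, vendor can retrieve:", unilateral_signers(THIRD_PARTY_VAULT, CASE_CAN_RETRIEVE))
    print("recovery key self-stored:", unilateral_signers(SELF_STORED, NO_RIGHTS))
```

The same check works for compromise analysis: pass the set of parties an attacker controls to `can_move_funds` to see whether that breach alone reaches the threshold.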