It has been quite a crime week in Canada.
At the beginning of the week, a cybercriminal hacked into a U.S. donation platform called GiveSendGo and knocked it offline in an attack targeting a campaign that raised over US$8 million for the Freedom Convoy demonstrations in Canada. This donation platform had become the main vehicle for Freedom Convoy donations after GoFundMe closed its fundraiser that raised $10 million.
The hack happened because four days earlier, the Ontario government obtained an order freezing funds raised on GiveSendGo for the Freedom Convoy. This was, in essence, a money laundering freeze. GiveSendGo then released a statement that Ontario courts lack jurisdiction over it, and it was not freezing the funds.
There was another problem. The Freedom Convoy is not a listed terrorist organization, and there were no economic sanctions imposed against it. The people who donated to GiveSendGo did not commit mischief or any other crime by donating. Their money sitting in the bank account on GiveSendGo was not the proceeds of crime at that time.
The fight against the Freedom Convoy then took another turn. Taking the law into their own hands, hackers decided that they would enforce the Ontario court order and took the GiveSendGo site offline.
That’s not all they did.
They then stole financial, transactional and personal information belonging to the GiveSendGo donors. The hackers then gave or sold the stolen data to another website that is distributing the data to the public and perhaps to law enforcement. There are theories circulating that the hacker was acting in concert with law enforcement, but that isn’t likely to be true because the government cannot use illegally obtained information from a hacker who acted in concert with law enforcement.
There were now three groups acting lawlessly: Freedom Convoy participants who were no longer demonstrating peacefully, cybercriminals in the digital shadows hacking financial services entities and others distributing the stolen data.
We all understand that the goal of hacking a financial services company and stealing its data, in this instance, is to make this company and its clients answerable in the court of public opinion.
But the idea that anonymous hackers are engaged in the dark enforcement of court orders should be concerning to all of us in a democracy.
If we think this is OK, it means that financial services companies – from GiveSendGo to RBC Bank of Canada – become answerable to people who are not only anonymous, but also are engaged in serious criminality. People who don’t just make judgment calls about culpability – they act on them. We have an entire administration of justice system in Canada precisely for that purpose.
The Freedom Convoy activities didn’t abate, at least not in Ottawa, and the day after the hacking of GiveSendGo, the federal government proclaimed an emergency throughout all the land to end the Freedom Convoy.
The weapon of choice? Anti-money laundering law.
The Emergencies Act and its orders and regulations prohibit any person or company from funding the Freedom Convoy or similar assemblies determined to be unlawful. They also require that, among others, banks, credit unions, casinos, notaries, securities brokers, payment processors, Bitcoin people and donation platforms cease dealing in funds of Freedom Convoy participants and transacting in their funds.
By mid-week, Bitcoin people registered with FINTRAC posted, on Twitter, a blacklist of wallet addresses used to receive donations as part of the Freedom Convoy that they say was sent to them by the government as part of a federal investigation.
A series of questions arises from that alone. Is there also a blacklist of the names of Canadians? Will the disclosure of blacklists affect the integrity of a federal investigation? Do Canadians have a right to know if they or their financial account numbers are on a blacklist, are part of a federal investigation or are posted on Twitter?
The new measures are developing and will continue to develop over time, and some of these questions will be answered. Overall, some of the measures do seem at first blush to be justified and even reasonable.
But not all of the measures are temporary, because in addition to pausing the banking of people connected to the Freedom Convoy, they require that banks de-risk Canadian citizens completely, which means to close their bank accounts and deny them access to a bank account in Canada.
There was a time when having a bank account was not a right, but this is not the case anymore. In today’s world, you need a bank account to receive essential services to survive. I don’t know of another instance anywhere in the world where a country has taken such a measure, enacting anti-financial inclusion legislation to completely remove citizens from the financial system and the digital economy. It is draconian; there are no two ways about it.
I think it’s safe to say that most of us want the Freedom Convoy to end peacefully, and we want the rule of law to prevail over demonstrators and hackers alike, but blacklists and exclusions from banking aren’t the way to go. Modern techniques to fight financial crime are all about visibility. De-risking sends the people we most want visibility over to underground banking or to Bitcoin-tumbling services in Vancouver, where there is no visibility. This places our financial system – and our society – more at risk.
Christine Duhaime is a financial crime expert with Fusion Intelligence.