Guidelines for Third-Party Information Requests
Last Updated: September 13, 2022
Introduction
Violet takes data protection incredibly seriously, and it is fundamental to our DNA that people and businesses own their information, not Violet. We are a limited third-party infrastructure provider allowing our users to demonstrate credibility and send a compliance signal about their off-chain identity in the context of an on-chain, peer-to-peer transaction. Our privacy practices are laid out in our Privacy Policy, but a few points bear repeating:
Violet helps users show that they are a safe transaction partner without compromising their right to engage in anonymous, on-chain transactions.
If you have a Violet credential in your wallet, no one has access to any of the encrypted data underlying that credential except (1) you, and (2) in limited and clearly defined circumstances, Violet and our compliance partners.
Violet will not access your encrypted data outside of the registration and compliance check processes explained in our Privacy Policy unless we receive a lawful government demand that has been issued consistent with applicable laws and regulations. If we receive such a demand, we will follow the process described here.
Violet’s Principled Approach
Sad truth is there are bad actors. Under certain circumstances, whether we like it or not, governments do have the legal right to demand information about who is behind certain transactions or wallets connected to suspected bad acts. Everyone is better off with fewer bad actors misusing anonymity in web3, but only rarely should governments demand personal identifying information from a third-party company. Consistent with that view, we’ve built our product and our approach to legal requests around the following principles:
It is our belief that government demands and any resulting disclosures should be rare and narrowly tailored to concrete, identified illicit activity. We believe fishing expeditions are fundamentally inconsistent with data protection and a person’s reasonable expectation of privacy.
Violet’s onboarding and continuous compliance checks are intended to reduce the need for a user to worry about government requests as much as possible, thereby increasing user privacy. If you can get and maintain a Violet credential, our expectation is that you aren’t one of the bad actors. That’s why we demand clear justification and explanation whenever the government contacts us seeking sensitive, encrypted data about your identity.
We will not access any encrypted data we hold without telling you first and giving you a chance to object to disclosure unless we are completely prohibited from doing so. In some cases, governments have the legal authority to require secrecy by Violet – for example, a judicial officer has signed off on a “gag” or nondisclosure order. Our hands are often tied when we receive these requests, but we will always push for maximum disclosure and transparency.
Requirements for Legal Requests
Let’s assume that you’re a government official who has clear and specific evidence of criminal activity, and you believe Violet may have relevant information. In every case, we will first ask if you have attempted to contact the wallet address holder directly. (For example: have you considered airdropping a copy of a subpoena or your contact information to them directly via NFT?) Since you’re seeking that wallet user’s personal information, it is very important to include them in the process.
Assuming there’s a legitimate basis for contacting Violet and the user is not responsive, the core information we require to process your request is below:
*Your request must be tied to a specific wallet address that actively holds a Violet credential. Violet cannot locate information without a wallet address that holds a Violet credential. All requests about specific individuals or other data points without a wallet address will be returned as not applicable.
*Violet does not retain personal data after a credential has been revoked in the ordinary course of business unless required by law.
*Your request must clearly identify (1) who you are, (2) what regulator or law enforcement agency you are affiliated with, (3) how to contact you, (4) the specific personal information you’re seeking, (5) your legal authority for demanding the information, and (6) the deadline for responding to the request.
*For security and data protection reasons, we require a badge, identification, or other form of credential demonstrating that you are in fact affiliated with the government entity submitting the information demand.
We take jurisdiction very seriously, and we are a German company
For German authorities: you have general jurisdiction over Violet, and we will respond to requests for information as appropriate under German law.
For all non-German authorities: Your request must identify the basis on which you believe the user of the wallet address is subject to your authority’s jurisdiction. We evaluate jurisdiction from a physical location perspective – we do not agree that using the internet subjects us or our users’ personal data to the jurisdiction of any government actor in the world. We will not voluntarily comply with unenforceable subpoenas, and we will ask you to pursue relief through the appropriate Mutual Legal Treaty Assistance process (see Chapter 5 of the UNODC Data Disclosure Framework).
For requests from the United States government: Violet is not subject to general jurisdiction in the United States as a German company, and we will require specific information linking the wallet to a US-based individual in order to establish specific personal jurisdiction over the user.
For requests from State authorities in the United States: Violet is not subject to general jurisdiction in the United States as a German company, and we will require specific information tying the wallet to a US-based individual in your specific State in order to establish specific personal jurisdiction over the user.
If your request is legally required to be kept secret, you must include a specific statement with legal citation or attach an order demonstrating that the legal demand must be kept confidential from the user holding Violet’s credential.
Violet’s default is to always promptly and immediately disclose the subpoena to our user
To obtain confidentiality, you must serve a binding nondisclosure order authorized by a court of competent jurisdiction or specifically reference the law mandating confidentiality.
Violet reserves the right to seek judicial relief in order to disclose any confidential information request if we believe it to be in the public interest.
After receiving a properly issued legal access request, Violet requires at least two weeks to respond to allow sufficient time for disclosure to, and any objection by, our user.
How to Submit a Request
Assuming this is the rare case where there’s clear evidence of suspected illicit activity tied to a wallet holding a Violet credential and the wallet holder cannot be reached independent of Violet’s involvement, legal demands for information and all supporting materials should be sent to legal@violet.co.