The blockchain revolution might unveil some legal implications from the usage of a technology that could get out of control.
As part of the working group named “Legal Evolution 4.0” that I run for the German-Italian Chamber of Commerce, I gave a presentation on the legal implications of blockchain. And I thought it would be interesting to share my findings with you.
A common statement is that
blockchain is the biggest innovation since the Internet!
I am a bit sceptical about this statement since I have not yet seen many usages of blockchain where it has provided such a value-added solution that could not be achieved using any other means. But let’s start from the beginning.
What are the unique features of blockchain?
The major elements of blockchain are commonly identified as:
- It cannot be corrupted and altered – every node on the network has a copy of the digital ledger and, to add a transaction, the other nodes need to validate it, according to the so-called consensus mechanism. If there is no validation by the majority of the nodes, the transaction is not added to the ledger.
- It is decentralized – there is no central authority that has control of it, but – as outlined below – there are different types of blockchains with various features.
- It is secure – since it is not under the control of any authority/body and because all the information on the chain is encrypted and linked to the previous blocks, in order to hack the blockchain an attacker would have to decrypt the majority of the nodes on the blockchain, which ensures an extremely high level of security.
- It relies on distributed ledgers – all users maintain the ledger, and therefore the computational power is distributed across them; the ledger is also extremely transparent since the information is visible to any third party and participant.
- It ensures a faster settlement – since there is no intermediary in transactions, settlements are more rapid than traditional transactions operated by banks, but cannot be instantaneous, given the complicated procedure outlined above.
The DAO attack and how things can go wrong with blockchain
A DAO is a Decentralized Autonomous Organization. Its goal is to codify, through a so-called smart contract, the rules and decision-making apparatus of an organization, eliminating the need for documents and people in governing roles, thus creating a structure with decentralized control.
The DAO is the name of a particular DAO launched in 2016 on the Ethereum blockchain. This DAO quickly became the largest crowdfunding in history, having raised over $150 million from more than 11,000 members.
However, a few days after the launch of The DAO, an unknown hacker identified a loophole in the DAO smart contract allowing them to “ask” the smart contract to give the ether back multiple times, through a so-called recursive call, before the smart contract could update its balance. This enabled the attacker to drain more than 3.6 million ether into a “child DAO” that had the same structure as The DAO, and the price of ether quickly dropped from USD 20 to USD 13.
Eventually, to refund the lost money, a technical solution was found. Ethereum “hard forked” to send the hacked funds to an account available to the original owners. The token owners were given an exchange rate of 1 ether to 100 DAO tokens, the same rate as the initial offering. But the scenario led to significant legal issues, including the issuance of a report from the United States Securities and Exchange Commission (SEC) that challenged the legality of The DAO as an unregistered offering of securities.
As with traditional agreements that might not cover all the scenarios that can arise from the contract execution, the same happened with the DAO smart contract.
The peculiarity of smart contracts is that their rules are written in code. In this case, a hacker exploited a coding loophole in the smart contract; had the code of the smart contract been drafted correctly, the hack could have been avoided.
Who is liable for the blockchain?
The situation is quite different between:
- a permissioned blockchain where there is an access control layer that limits access to the blockchain; and
- a permissionless blockchain that is a traditional blockchain accessible to anyone with no restriction.
It is argued that since in a permissioned blockchain a provider can be identified, there would be a centralized liability on such provider for the events occurring on the blockchain. On the contrary, in the case of a permissionless blockchain, there would be a disseminated contributory liability of all the participants in the blockchain.
But this theory is quite weak in my view, since access control in a permissioned blockchain might not mean that there is full control over every event occurring on it, and because in a permissionless blockchain each user cannot be deemed liable for the actions of the whole blockchain, which is outside their control. In any case, not every blockchain is the same as the others, and the matter shall be addressed on the basis of the peculiarities of the case.
What is a smart contract?
I found quite a clear definition of a smart contract under which it is described as:
a computer code running on top of a blockchain containing a set of rules under which the parties to that smart contract agree to interact with each other. If and when the pre-defined rules are met, the agreement is automatically enforced. The smart contract code facilitates, verifies, and enforces the negotiation or performance of an agreement or transaction. It is the simplest form of decentralized automation.
The consequence of the above is that while a standard agreement outlines the terms of a relationship, a smart contract enforces a relationship with cryptographic code. Basically,
- the smart contract sets pre-defined rules, how and when they have to take place, and such rules are written down in the code;
- on the occurrence of the predefined events, the smart contract is enforced;
- under the terms of the smart contract, the transaction takes place; and
- the settlement is completed either in full, as in the case of digital assets, or instruction is sent to a third party (e.g. a bank) to perform a specific activity.
The legal issues that derive from the above relate, first, to whether there is an actual agreement between the parties, since the smart contract is more the execution of an agreement than the agreement itself, and, second, to the need to meet the statutory requirements as to the form of the contract. Italy tried to solve this second problem with a law that considers – under specific conditions – smart contracts equal to written documents.
You need to fill the “gaps” of a smart contract
Given the current uncertainty as to the legal implications of blockchain, the proper drafting of a smart contract becomes even more crucial. In particular:
Governing law and forum selection
Due to the ubiquity of blockchain, a smart contract needs to regulate the law applicable to it and the competent court in case of disputes.
Besides, as with the internet, there is an issue of compliance with local laws which shall be addressed in the smart contract, also considering limiting the ability to enter into it to entities/individuals located only in jurisdictions where a prior assessment of the legal implications of the blockchain-based business model has been performed.
Liability and Service Levels
Issues around liability and service level agreements are complex with smart contracts since, as occurred for the DAO, the operation of the blockchain can get out of control.
At the same time, the level of performance might be linked to factors that cannot be foreseen by the supplier. Indeed, the consensus mechanism gives control of the validation of the transaction to third parties.
The solution could be to put in place a quite broad liability limitation clause. However, this solution would not work for agreements with consumers, where such a provision might be deemed unfair.
The risk is more limited for a permissioned blockchain. But, as with the internet where some clauses in the T&Cs are often hardly enforceable, it is necessary to identify the right balance between the advantages of exploiting the ledger and the mechanics of the blockchain and the potential legal risks.
Intellectual property rights in/on the blockchain
Blockchain technology can be both heaven and hell for intellectual property rights because of its many potential usages:
- What IP rights apply to the technology? Depending on the usage of the blockchain, patent rights or copyrights might be the proper protection. But an in-depth assessment is also necessary because there would be a proprietary technology on a public ledger. At the same time, the limitations to the protection of models of doing business shall be taken into account.
- What IP rights apply on the content of the blockchain? As is often the case when it comes to the protectability of data, can a large database of data recorded on a blockchain be protected? Is the solution an intellectual creation under copyright laws? Was there an effort that qualifies for a database sui generis right?
- Can intellectual property rights be recorded and tracked? If a work protected by intellectual property is recorded on the blockchain, this technology can become very valuable in proving the relevant ownership in case of challenges and identifying potential breaches, but also in handling transfers or licenses of such rights to third parties.
- What happens in case of termination or exit? One of the main features of the blockchain is that information cannot be deleted once recorded. This means that any data or work recorded on it will remain. A solution might be to block access to data by encrypting the information and getting rid of the decryption key.
- What are the issues in terms of due diligence? The lack of a clear understanding of what rights can be owned on blockchain-based technologies requires an in-depth review in the case of M&A transactions to assess the protectability of the technology, the type of exploitation rights that can be enjoyed and the scope of ownership rights that can be acquired.
A properly drafted smart contract might help to identify and secure property rights on the blockchain and ensure control of its legal implications. The lack of court precedents on the usage of such technology leads to potential issues but represents, at the same time, an opportunity to be exploited.
Privacy compliance issues of blockchain
The issue is very complex, and there is uncertainty as to:
- What kind of data recorded on a blockchain is personal data?
- What are the roles and responsibilities of the parties involved? Who is the data controller, and who are the data processors?
- How can privacy compliance principles, such as the principle of data minimization, be complied with?
- How can privacy rights, such as the right to be forgotten, be enforced?
- What security measures shall be put in place?
Top 3 best practices in choosing between a permissioned vs. permissionless blockchain
The dilemma is to decide between a permissioned and a permissionless blockchain. The factors to be evaluated are:
- a permissioned blockchain is faster than a permissionless blockchain since it is smaller;
- but the size of the blockchain impacts its level of security, and therefore a permissionless blockchain is more secure than a permissioned blockchain;
- a permissioned blockchain, however, is controllable, and as such its legality and compliance can be better ensured; but
- a higher level of control impacts the transparency of public ledgers on the blockchain, which is deemed to be one of the main features of this technology.
There is no right or wrong choice. The decision has to be made considering the type of usage of the blockchain and the feature of the blockchain that is more relevant to achieve such a goal.