The revolution of the blockchain might unveil some legal implications deriving from the usage of a technology that can get out of control.
As part of the working group named “Legal Evolution 4.0” that I run for the German-Italian Chamber of Commerce, I gave a presentation on the legal implications of the blockchain, and I thought it would be interesting to share my findings with you.
A frequent statement is that
the blockchain is the biggest innovation since the Internet!
I am a bit skeptical about such a statement since I have not so far seen many usages of the blockchain where this technology gave such added value that it could not be achieved using any other solution. But let’s start from the beginning.
What are the unique features of the blockchain?
The major elements of the blockchain are commonly identified in the following:
- It cannot be corrupted and altered – every node on the network has a copy of the digital ledger and, to add a transaction, the other nodes need to validate it, according to the so-called consensus mechanism. If there is no validation by the majority of the nodes, the transaction is not added to the ledger;
- It is decentralized – there is no central authority that has control of it, but – as outlined below – there are different types of blockchain with various features;
- It is secure – since it is not under the control of any authority/body and because all the information on the chain is encrypted and linked to the previous ones, in order to hack the blockchain an attacker should decrypt the majority of the nodes on the blockchain, which ensures an extremely high level of security;
- It relies on distributed ledgers – all the users maintain the ledger, and therefore the computational power is distributed across them and is extremely transparent since the information is visible to any third party and participant; and
- It ensures a faster settlement – since there is no intermediary in transactions, settlements are more rapid than traditional transactions operated by banks, but cannot be instantaneous, given the complicated mechanics outlined above.
The DAO attack and how things can go wrong with the blockchain
A DAO is a Decentralized Autonomous Organization. Its goal is to codify, through a so-called smart contract, the rules and decision-making apparatus of an organization, eliminating the need for documents and people in governing, creating a structure with decentralized control.
“The DAO” is the name of a particular DAO launched in 2016 on the Ethereum blockchain. This DAO quickly became the largest crowdfunding in history, having raised over $150 million from more than 11,000 members.
However, a few days after the launch of The DAO, an unknown hacker identified a loophole in The DAO smart contract that made it possible, through a so-called recursive call, to “ask” the smart contract to give the ether back multiple times before the smart contract could update its balance. This enabled the attacker to drain more than 3.6 million ether into a “child DAO” that had the same structure as The DAO, and the price of ether quickly dropped from $20 to $13.
Eventually, to refund the lost money, a technical solution was found. Ethereum “hard forked” to send the hacked funds to an account available to the original owners. The token owners were given an exchange rate of 1 ether to 100 DAO tokens, the same rate as the initial offering. But the scenario led to significant legal issues, including the issuance of a report from the United States Securities and Exchange Commission (SEC) that challenged the legality of The DAO as an unregistered offering of securities.
As it happens with traditional agreements that might not cover all the scenarios that can arise from the contract execution, the same happened with The DAO smart contract.
The peculiarity of smart contracts is that their rules are expressed in a string of code. And in this case, a smart hacker exploited a coding loophole in the smart contract. Had the code of the smart contract been drafted correctly, the hack could have been avoided.
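The ordering flaw described above can be shown with a simplified Python model. This is an added example, not The DAO's contract code and not part of the original article; the Vault and Account classes, the simulate function and the amounts are constructed for illustration. A payout that runs the recipient's code before the balance is updated lets one deposit be paid out repeatedly, while updating the balance first stops it.

```python
class Account:
    """Recipient; when `reenter` is set it asks for its money again on receipt."""
    def __init__(self, reenter=False):
        self.reenter = reenter
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount
        if self.reenter:
            vault.withdraw(self)   # recursive call while the first is still running


class Vault:
    """Toy contract holding deposits (constructed model, not real contract code)."""
    def __init__(self, update_first):
        self.update_first = update_first  # True = corrected ordering
        self.balances = {}                # what the ledger says each account owns
        self.funds = 0                    # ether the contract actually holds

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.funds += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.funds < amount:
            return
        if self.update_first:
            self.balances[who] = 0        # record the withdrawal first...
            self.funds -= amount
            who.receive(self, amount)     # ...then hand control to the recipient
        else:
            self.funds -= amount
            who.receive(self, amount)     # recipient's code runs here...
            self.balances[who] = 0        # ...before the ledger is updated


def simulate(update_first, reenter):
    """Return (amount the caller received, funds left in the vault)."""
    vault = Vault(update_first)
    other, caller = Account(), Account(reenter)
    vault.deposit(other, 90)              # constructed sample amounts
    vault.deposit(caller, 10)
    vault.withdraw(caller)
    return caller.received, vault.funds


if __name__ == "__main__":
    print("flawed ordering   :", simulate(update_first=False, reenter=True))
    print("corrected ordering:", simulate(update_first=True, reenter=True))
```

With the flawed ordering the caller's deposit of 10 is paid out until the vault is empty; with the corrected ordering the second request finds a zero balance and returns nothing.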
Who is liable for the blockchain?
The scenario is quite different between
- a permissioned blockchain where there is an access control layer that limits the access to the blockchain; and
- a permissionless blockchain that is the traditional blockchain accessible to anyone with no restriction.
Some argue that since in a permissioned blockchain a provider can be identified, there would be a centralized liability on such provider for the events occurring on the blockchain. On the contrary, in the case of a permissionless blockchain, there would be a disseminated contributory liability of all the participants to the blockchain.
But this theory is quite weak in my view since access control in a permissioned blockchain might not mean that there is full control over any event occurring on it and because in a permissionless blockchain each user cannot be deemed liable for the actions of the whole blockchain that is out of its control. In any case, not every blockchain is the same as others and the matter shall be addressed on the basis of the peculiarities of the case.
What is a smart contract?
I found quite a clear definition of a smart contract under which it is
a computer code running on top of a blockchain containing a set of rules under which the parties to that smart contract agree to interact with each other. If and when the pre-defined rules are met, the agreement is automatically enforced. The smart contract code facilitates, verifies, and enforces the negotiation or performance of an agreement or transaction. It is the simplest form of decentralized automation.
The consequence of the above is that while a standard agreement outlines the terms of a relationship, a smart contract enforces a relationship with cryptographic code. Basically,
- The smart contract sets pre-defined rules, how and when they have to take place, and such rules are written down in the code;
- On the occurrence of the predefined events, the smart contract is enforced;
- Under the terms of the smart contract, the transaction takes place and
- The settlement is completed either in full as in the case of digital assets or instruction is sent to a third party (e.g., a bank) to perform a specific activity.
The legal issues that derive from the above relate to whether there is an actual agreement between the parties, since the smart contract is more the execution of an agreement, and to the need to meet the statutory requirements on the form of the contract. Italy tried to solve this second problem with a law that considers – under specific conditions – smart contracts equal to written documents.
You need to fill the “gaps” of a smart contract
Given the current uncertainty as to the legal implications of the blockchain, the proper drafting of a smart contract becomes even more crucial. In particular,
1. Governing law and forum selection
Due to the ubiquity of the blockchain, a smart contract needs to regulate the law applicable to it and the competent court, in case of disputes.
Besides, as it happens with the Internet, there is an issue of compliance with local laws which shall be addressed in the smart contract, also considering whether to limit the possibility of entering into it to entities/individuals located only in jurisdictions where a prior assessment of the legal implications of the blockchain-based model of business has been performed.
2. Liability and Service Levels
Issues around liability and SLAs are complex with smart contracts since, as occurred for The DAO, the operation of the blockchain can go out of control.
At the same time, the level of performance might be linked to factors that cannot be foreseen by the supplier. Indeed, the consensus mechanism gives control of the validation of the transaction to third parties.
The solution could be to put in place a quite broad liability limitation clause. However, this solution would not work for agreements with consumers where such a provision might be deemed unfair.
The risk is more limited for a permissioned blockchain. But, as happens with the Internet where some clauses of the Ts&Cs are often hardly enforceable, it is necessary to identify the right balance between the advantages of exploiting the ledger and mechanics of the blockchain and the potential legal risks.
3. Intellectual property rights in/on the blockchain
The blockchain can be both the “heaven” and the “hell” for intellectual property rights because of its many potential usages:
- What IP rights on the technology? Depending on the usage of the blockchain, patent rights or copyrights might be the proper protection. But an in-depth assessment is necessary also because there would be a proprietary technology on a public ledger. At the same time, the limitations to the protection of models of doing business shall be taken into account;
- What IP rights on the contents of the blockchain? As it often happens when it comes to the protectability of data, can just a large database of data recorded on a blockchain be protected? Is the solution an intellectual creation under copyright laws? Was there an effort that qualifies for a database sui generis right?
- What intellectual property rights can be recorded and tracked? If an intellectual property protected work is recorded on the blockchain, this technology can become very valuable in proving the relevant ownership in case of challenges, identifying potential breaches, and also handling transfers or licenses of such rights to third parties;
- What happens in case of termination or exit? One of the main features of the blockchain is that information cannot be deleted, once recorded. This circumstance means that any data or work recorded therein will remain. A solution might be to block access to them by just encrypting the information and getting rid of the decryption key;
- What issues in case of due diligence? The lack of a clear understanding of what rights can be owned on blockchain based technologies requires an in-depth review in case of M&A transactions to assess the protectability of the technology, the type of exploitation rights that can be enjoyed and the scope of ownership rights that can be acquired.
A properly drafted smart contract might help to identify and secure property rights on the blockchain and ensure control of its legal implications. The lack of court precedents on the usage of such technology leads to potential issues but represents, at the same time, an opportunity to be exploited.
What privacy compliance issues for the blockchain?
The issue is very complex, and there is uncertainty as to
- What kind of data recorded on a blockchain is personal data?
- What are the roles and responsibilities of the parties involved? Who is the data controller, and who are the data processors?
- How can privacy compliance principles, such as the principle of data minimization, be complied with?
- How can privacy rights, such as the right to be forgotten, be enforced?
- What security measures shall be put in place?
Top 3 best practices in choosing between a permissioned vs. permissionless blockchain
The dilemma is to decide between a permissioned and a permissionless blockchain. The factors to be evaluated are
- A permissioned blockchain is faster than a permissionless blockchain since it is smaller,
- but the size of the blockchain impacts on its level of security and therefore a permissionless blockchain is more secure than a permissioned blockchain,
- that, however, is controllable and as such its legality and compliance can be better ensured, but
- a higher level of control impacts on the transparency of public ledger of the blockchain that is deemed to be one of the main features of this technology.
There is no right or wrong choice. The decision has to consider the intended type of usage of the blockchain and the feature of the blockchain that is more relevant to achieve such a goal.