Published in Asian-mena Counsel: Cyber Crime & Data Protection Special Report 2018
By Ronald Yu
Counsel need to be aware of the potential legal and other limitations of this rapidly evolving technology.
There is much talk about blockchains, with billions of dollars being invested in the technology and many organisations looking to apply it in some fashion to their respective operations. But there are important questions counsel should ask before jumping in.
A blockchain can be thought of as a cryptographically secure database of digital transactions (ie, a ledger) shared across a network of participants (nodes) over public or private networks, where each participant holds a copy so all the information on the database is potentially available to all participants at any moment in time.
Blockchains are distributed and incorporate a public/private key infrastructure (ie, you need a public and private key for access). Proponents of blockchain talk of its immutability, meaning that once data is stored it cannot be altered (at least not easily).
These characteristics raise several very significant managerial and legal issues.
Is distributed best in all cases?
If you need centralised control (for example, to manage corporate confidential information), a transparent distributed system may be problematic. In a public blockchain, the audit history is publicly viewable, which means:
- One might be able to indirectly derive identifying information based on transaction patterns, timing, volumes, etc.
- It may not be private. Web trackers and cookies have been used in investigations to track down identities of blockchain users. Critics decried the UK Department of Work and Pensions’ trial of a blockchain application to track how welfare claimants spend their benefits in 2016 as a waste of public funds and a violation of users’ privacy.
- There are associated cybersecurity risks. Blockchains are potentially at risk from cyber attacks.
Moreover, while distributed blockchain ledgers may well be more secure than traditional centralised ledgers, cyber risks remain, and recent events call for analysis of who bears the loss and responsibility for damages in connection with a blockchain. These events include:
- the Mt. Gox hack that resulted in the loss of hundreds of thousands of bitcoin;
- the January 2015 attack on Luxembourg- and London-based Bitstamp, which led to the loss of 19,000 bitcoin, valued at about US$5.1 million;
- the 2016 attack on Hong Kong-based Bitfinex resulting in a loss of nearly 120,000 bitcoin; and
- the September 2018 hack on the Japanese cryptocurrency exchange Zaif, with losses of bitcoin and two other digital currencies estimated at about US$59.67 million.
As blockchains require a set of keys for access to, and amendment of, the ledger, it matters who holds the keys and what happens should these persons leave the organisation for whatever reason. Loss of keys potentially means loss of access, so key management is a serious matter. There is also a risk that a malicious user may attempt to compromise or steal keys to gain access to the digital assets on the blockchain.
Environment and security
Organisations concerned about their environmental footprint — or energy costs — need to know that blockchain systems can consume large quantities of energy. In 2017 it was claimed that the bitcoin network consumed as much energy as was used by 159 of the world’s nations. This prodigious consumption is mostly a consequence of proof-of-work (PoW) algorithms employed by many blockchain applications such as bitcoin.
Proof-of-stake systems attempt to address this issue but raise new security concerns (PoW systems are also theoretically vulnerable but this is beyond the scope of this article).
As with many new technologies, the law is struggling to catch up and as a result, there exist several potential legal issues surrounding blockchains and blockchain applications.
Being network based, blockchain systems can cross jurisdictional boundaries as the nodes on a blockchain can be located anywhere in the world. This can pose a number of complex jurisdictional and legal issues.
Few jurisdictions have adopted a blockchain law, while some jurisdictions have simply banned certain blockchain-related applications. (For example, in September 2017, the People’s Bank of China issued a total ban on ICOs, declaring them to be illegal and disruptive to economic and financial stability.)
The law relating to and the acceptability of blockchain-related contracts (ie, smart contracts) is not settled and there are partnership/joint venture questions as well.
Cooperation in a blockchain environment
Blockchain nodes work cooperatively, resulting in several as yet unanswered questions:
- Does a group of entities participating on a blockchain constitute a ‘partnership’ or ‘joint venture’ (with all the associated legal implications)? The answer is not clear owing to different standards for what constitutes a ‘partnership’ or ‘joint venture’ between civil and common law jurisdictions.
- Are individual transactions executed via a distributed ledger likely to be considered contracts? This is important because contractual liability results in joint liability where the causes of action are not distinct and the defendants acted in furtherance of a common objective (ie, blockchain). So, if nodes and developers cooperate in developing and managing a blockchain, could they be liable in relation to third parties?
- Is an entity operating in the blockchain potentially liable in tort if its negligent act, omission or misstatement causes loss or damage, including, for example, loss due to a security breach or a coding error?
Garbage in, garbage out
Blockchains do not check the data that go into them; they only check whether or not the individuals writing to the blockchain have the right to do so.
Thus, information going into the database needs to be of high quality as data stored on a blockchain is not inherently trustworthy. Moreover, once you store data on a blockchain this data cannot easily be altered.
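An added illustration (not from the original article) of the two points above: a toy ledger in Python that admits any record from an authorised writer without checking its accuracy, and then flags a later in-place correction as tampering. The writer names, key and readings are constructed, and HMAC stands in for the digital signatures real blockchains use.

```python
import hashlib, hmac, json

# Constructed writer key; HMAC is a stand-in for a real chain's digital signatures.
WRITER_KEYS = {"warehouse-a": b"constructed-demo-key-a"}
GENESIS = "0" * 64

def sign(author, prev_hash, payload):
    msg = (prev_hash + json.dumps(payload, sort_keys=True)).encode()
    return hmac.new(WRITER_KEYS[author], msg, hashlib.sha256).hexdigest()

def block_hash(block):
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()

def append(chain, author, payload, tag):
    """Accept a block if the writer is authorised; the payload's accuracy is never examined."""
    prev_hash = block_hash(chain[-1]) if chain else GENESIS
    if author not in WRITER_KEYS:
        return False
    if not hmac.compare_digest(tag, sign(author, prev_hash, payload)):
        return False
    chain.append({"prev": prev_hash, "author": author, "payload": payload, "tag": tag})
    return True

def first_broken_link(chain):
    """Return the index of the first block whose link or tag fails, or None if intact."""
    prev_hash = GENESIS
    for i, block in enumerate(chain):
        expected = sign(block["author"], prev_hash, block["payload"])
        if block["prev"] != prev_hash or not hmac.compare_digest(block["tag"], expected):
            return i
        prev_hash = block_hash(block)
    return None

def demo():
    chain = []
    def submit(author, payload):
        prev = block_hash(chain[-1]) if chain else GENESIS
        tag = sign(author, prev, payload) if author in WRITER_KEYS else GENESIS
        return append(chain, author, payload, tag)
    # Suppose the true reading was 19 C: the wrong value is still accepted.
    accepted_false = submit("warehouse-a", {"item": "pallet-17", "temp_c": 4})
    # An unauthorised writer is refused even though this reading is the accurate one.
    rejected = submit("outsider", {"item": "pallet-17", "temp_c": 19})
    submit("warehouse-a", {"item": "pallet-18", "temp_c": 5})
    intact = first_broken_link(chain)
    chain[0]["payload"]["temp_c"] = 19  # in-place correction of the stored record
    return accepted_false, rejected, intact, first_broken_link(chain)
```

Calling `demo()` returns `(True, False, None, 0)`: the inaccurate record is admitted, the accurate but unauthorised one is refused, and rectifying the stored value breaks verification from block 0 onward.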
An inaccurate record on the system may cause losses to those relying on it. The liability in negligence of the entity responsible will depend on whether it owes a duty of care and has breached that duty, whether the breach caused loss or damage, and whether it has effectively contractually excluded liability for this type of loss or damage.
This also raises privacy issues: how can the immutability of a blockchain be reconciled with existing privacy legislation (eg, the EU’s General Data Protection Regulation) that gives individuals the right to rectify or delete any data, especially incorrect data, that affects them or has been posted or uploaded without their consent?
And as if all this were not enough, there are also unanswered IP-related questions surrounding blockchains and blockchain applications, as well as ownership of the information in the database.
In particular, counsel must not be lured into thinking, as some blockchain pundits might have people believe, that a piece of content attached to a blockchain is equivalent to or can replace a registered IP right; it is not, as it lacks the same legal effect and rights as, say, a patent.
It’s still developing
Finally, blockchain is still evolving as a technology, which means that several technical problems have not been settled in addition to the aforementioned legal ones and that multiple standards have emerged.
- Interoperability risks — blockchains employing different standards may be unable to interact with one another.
- Technological risks — choosing a standard that is later superseded, or subsequently discovering serious flaws in the technology, is potentially costly given the high initial capital costs.
All this does not mean that companies should not employ blockchain technologies; indeed, there are many worthwhile applications for blockchain in supply chains, food safety, asset tracking, etc. But counsel need to be aware of the potential legal and other limitations of this rapidly evolving technology.