Blockchain and the Law

SEC Flexes Funny Bone in Fictional Token Offering

The Securities and Exchange Commission (the “SEC”) has taken to using humor and sarcasm to educate retail investors about the potential risks of purchasing tokens in initial coin offerings (“ICOs”).

This week, the SEC issued a press release presenting “a hot investment opportunity.”  The release pointed to a website touting the HoweyCoin—a fictional crypto token intending to disrupt the luxury travel industry—as “one of the largest cryptocurrency platforms ever built” and promising that it would provide potential investors with “excitement and guaranteed returns.” The website closely mimics common components of ICO issuer websites, including offers for tiered pre-sale purchaser discounts and an invitation to review a whitepaper, and contains egregious claims that the tokens are SEC-compliant, images of opulence, and fake celebrity endorsements for good measure.

For those of you who are not securities lawyers, the name “HoweyCoin” is a reference to the seminal Supreme Court decision in SEC v. W.J. Howey Co., which first set forth the test for what constitutes an “investment contract” (and thus, a security) under the U.S. federal securities laws.

HoweyCoin is marketed as a token directly redeemable for travel services or merchandise, in addition to being an investment vehicle. Presenting HoweyCoin as a token with purported functionality highlights the SEC’s position that even tokens with “utility” (e.g., eligibility to be exchanged for goods or services) remain subject to SEC scrutiny.

Clicking on “Buy Coins Now!” takes the visitor to an SEC information page that warns retail investors about the risks of ICOs.

This education effort comes as the SEC, along with various state securities commissions, remains vigilant in shutting down fraudulent, unregistered and non-exempt ICOs.

Blockchain as a Content Distribution Technology: Copyright Issues Abound

Content owners and their attorneys have been enthusiastically anticipating the use of blockchain as a mechanism for royalty accounting, recording the chain of title of intellectual property interests, and protecting, tracking and administering IP.

The enthusiasm is a little less vigorous, however, when the topic turns to the use of blockchain as a vehicle for content distribution. Some of those discussions are still appealing to content owners and their counsel as they focus on the use of blockchain as a means of effectuating a decentralized digital rights management-type system to allow distribution of content to authorized users in a secure way. Copyright anxiety arises, however, with the recognition that the technology can also be used to facilitate the distribution of infringing content, notably in the form of anonymous transactions that are embodied in a block in a permanent and immutable manner.

Cryptoasset Exchanges Respond to New York Attorney General’s Virtual Markets Integrity Initiative

On April 17, 2018, the New York Attorney General’s Office (“OAG”) launched a Virtual Markets Integrity Initiative and sent letters to thirteen cryptoasset trading platforms requesting, through a questionnaire, disclosures on their operations, internal controls, and safeguards to protect customer assets.  The questionnaire focused on six major topic areas, including: 1) Ownership and Control, 2) Basic Operation and Fees, 3) Trading Policies and Procedures, 4) Outages and Other Suspensions of Trading, 5) Internal Controls, and 6) Privacy and Money Laundering.  The OAG characterized the initiative as a mechanism to “increase transparency and accountability” on “platforms used by consumers to trade virtual or ‘crypto’ currencies like bitcoin and ether.”  Notably, the thirteen trading platforms were only given two weeks to respond to the questionnaire.

While cryptoasset exchanges already face regulatory scrutiny from the SEC, the CFTC, and certain state regulators (including other agencies within New York), among others, the OAG determined that its mandate to protect customers/investors and ensure the fairness of New York’s financial markets necessitated further action. Two of the targeted trading platforms – Coinbase and Kraken – publicized markedly different responses to the OAG’s inquiries, the content of which sheds light on how some of the industry’s key players are approaching regulation and, perhaps, how regulators should be approaching some of the industry’s key players.

Regulatory Scrutiny of the ICO Market – What Fund Managers Should Know

Last week, former CFTC Chairman Gary Gensler explained in remarks at M.I.T. that he believes the second and third most widely used virtual currencies—Ether and Ripple—may have been issued and traded in violation of securities regulations.  This comes on the heels of a crackdown on cryptocurrency-related securities by the SEC, which is particularly focused on initial coin offerings (ICOs).  For fund managers, we believe the increased regulatory pressure will be felt in some expected, and some not-so-expected, ways.

ICO enforcement is trending: The SEC’s Cyber Unit has ramped up enforcement pressure, issuing dozens of subpoenas and information requests to technology companies and advisers involved in the ICO market. The requests have sought information about the structure for sales and pre-sales of ICOs. This uptick in enforcement pressure isn’t surprising, especially given Chairman Clayton’s repeated warnings that participants in the ICO space are not complying with the required securities laws (for example, notably stating that he has yet to see an ICO that “doesn’t have a sufficient number of hallmarks of a security”). There are no signs the SEC will slow down its scrutiny of crypto-related assets. The SEC has already indicated that it will devote significant resources to policing the ICO market.

Smart Contract Bug Leads Exchanges to Halt ERC-20 Token Trading

When a smart contract coding vulnerability resulted in the Parity wallet “freeze” that compromised over $150 million worth of user funds, we discussed the pitfalls of insecure code in the context of cryptoassets and the extent to which software developers might be held liable to their users for losses arising from mistakes in, or the exploitation of, the open source software they release into the world.

On Thursday, yet another possible coding vulnerability emerged – this time with the protocol underlying certain tokens themselves – as various exchanges suspended trading in ERC-20 tokens due to a discovery by security researchers of a smart contract bug known as batchOverflow.

According to researchers, attackers taking advantage of batchOverflow could generate a large amount of tokens from a vulnerable ERC-20 contract, then seek to deposit those tokens into a normal Ethereum address.

Such an attack raises issues of potential theft, unjust enrichment, fraud and market manipulation for the attackers. Furthermore, there is the question of whether liability could attach to developers who overlooked the batchOverflow bug in the first place (notably, the vulnerable function is not part of the official ERC-20 standard and was only implemented for a limited number of tokens).

As affected cryptoasset organizations, customers and exchanges continue to investigate, it remains to be seen whether and how any unauthorized transactions will be remedied. The questions abound:

Will victims and community members advocate for a remedial fork? (Parity, for its part, has recently pronounced that it has no intention to utilize a fork to rescue its wallets’ frozen funds.)

How will industry standards in the U.S. and other jurisdictions evolve to reflect the role of secure software in the “Internet of Value”?

Finally, will legal institutions be mobilized?

FTC Freezes Assets and Operations of Four Promoters of Cryptocurrency Investment Schemes

The Federal Trade Commission (FTC) recently sought and received a temporary restraining order (TRO) against four promoters of alleged pyramid schemes involving cryptocurrencies. The promoters were charged with violating the FTC Act’s prohibition on unfair or deceptive acts or practices in or affecting commerce.

The FTC’s complaint (filed under seal in the U.S. District Court for the Southern District of Florida on February 20, and released on March 16) targets the promoters of three cryptocurrency-related referral programs – My7Network, Bitcoin Funding Team and Jetcoin – that used online videos, social media, and robocalls to promise potential participants outsized returns on small initial investments of Bitcoin and Litecoin. According to the FTC, the promoters cited complicated financial models and used flowery language to explain the source of these returns, while in actuality the funds came from enrollment and other payments made by subsequent investors.


The TRO imposes a freeze on all assets (including cryptocurrencies) of the named defendants and bars them from continuing to promote any of their businesses. Quite notably, in making the determination that the issuance of a TRO was suitable to the case, the court focused heavily on the particular characteristics of cryptocurrencies. Specifically, the court stated that:

  • “The use of cryptocurrency in the programs promoted by Defendants poses a heightened risk of asset dissipation. Bitcoin and other cryptocurrencies are circulated through a decentralized computer network, without relying on traditional banking institutions or other clearinghouses. This independence from traditional custodians makes it difficult for law enforcement to trace or freeze cryptocurrencies in the event of fraud or theft;” and
  • “Defendants claim that the schemes they have promoted have expanded into dozens of countries. If Defendants were provided notice of this action, it would be a simple matter for them to transfer their bitcoin or other cryptocurrency to unidentified recipients outside the traditional banking system, including contacts in foreign countries, and effectively put it beyond the reach of this Court.”

Looking ahead, such considerations may raise critical questions – both practical and legal – as to the appropriateness of certain forms of remedial relief across a wide swath of cryptocurrency-related cases. In particular it remains to be seen what limitations, if any, can constrain a court’s ability to issue injunctions and compel specific performance in the cryptocurrency context.

FTC joins the fray

While the present case is one of the first times the FTC has waded into the regulation of cryptocurrencies, it is unlikely to be the last we hear from the United States’ primary federal general consumer protection agency. To that effect, also on March 16, the FTC announced it has created a Blockchain Working Group to investigate cryptocurrency and Blockchain-related activities.

Blockchain, Personal Data and the GDPR Right to be Forgotten

The effective date of the EU’s General Data Protection Regulation (GDPR) is fast approaching (May 25, 2018), and its impacts are already being felt across various industries. Specifically, the conflicts between the GDPR and the technical realities of blockchains raise important legal considerations for companies seeking to implement blockchain solutions that involve the personal data of EU data subjects.

One of the key features of blockchain technology is the general immutability of its data, and many applications of the technology thus far are built on publicly available data trails. Among other data, a blockchain can house the information of those who have engaged in transactions along the life of the blockchain, whether it is their name or social security number or, more often, simply a code which could make an individual identifiable. Personal data in an immutable data trail is problematic when considered against the new requirements of the GDPR.

One issue that will have to be considered is the GDPR’s “erasure” right.  Article 17 of the GDPR demands that companies erase the personal data of individuals when they request to be “forgotten”. The GDPR does not define what “erasure of data” means, which suggests that, to comply with this requirement, actual physical and logical deletion (a literal reading of the word “erase”) is required. As simply conducting a blockchain transaction to make personal information inaccessible does not erase any data, it is not clear whether and how one can store personal data on a blockchain and comply with a literal reading of this GDPR obligation. Further complicating the matter is the fact that Article 4 of the GDPR defines “personal data” very broadly as any information relating to an identified or identifiable natural person, with “identifiable natural person” being defined to mean an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Some practitioners and scholars believe that even an individual’s publicly available cryptocurrency wallet address would be considered personal data under the GDPR.

One potential solution to this conundrum might be to store all personal data off of the blockchain in separate “off-chain” databases, but to do so would sacrifice many of the benefits of using a blockchain in the first place.

Until we have some clarification on the interpretation of the obligation to “erase” data, or until the GDPR is amended to account for the unique technical structure of blockchains, companies should be aware of the risk in developing blockchains that will include personal data of EU-based individuals. While clearly an issue, as with much of the GDPR, a practical approach to compliance is recommended, and this is not likely to be the issue that is immediately put into play by complainants under the GDPR.

For general insights on the GDPR’s various privacy and data security implications, please visit our Privacy Law Blog.