Blockchain and the Law

Smart Contract Bug Leads Exchanges to Halt ERC-20 Token Trading

When a smart contract coding vulnerability resulted in the Parity wallet “freeze” that compromised over $150 million worth of user funds, we discussed the pitfalls of insecure code in the context of cryptoassets and the extent to which software developers might be held liable to their users for losses arising from mistakes in, or the exploitation of, the open source software they release into the world.

On Thursday, yet another possible coding vulnerability emerged – this time with the protocol underlying certain tokens themselves – as various exchanges suspended trading in ERC-20 tokens due to a discovery by security researchers of a smart contract bug known as batchOverflow.

According to researchers, attackers taking advantage of batchOverflow could generate a large amount of tokens from a vulnerable ERC-20 contract, then seek to deposit those tokens into a normal Ethereum address.

Such an attack raises issues of potential theft, unjust enrichment, fraud and market manipulation for the attackers. Furthermore, there is the question of whether liability could attach to developers who overlooked the batchOverflow bug in the first place (notably, the vulnerable function is not part of the official ERC-20 standard and was only implemented for a limited number of tokens).

As affected cryptoasset organizations, customers and exchanges continue to investigate, it remains to be seen whether and how any unauthorized transactions will be remedied. The questions abound:

Will victims and community members advocate for a remedial fork? (Parity, for their part, has recently pronounced that they have no intention to utilize a fork to rescue their wallets’ frozen funds.)

How will industry standards in the U.S. and other jurisdictions evolve to reflect the role of secure software in the “Internet of Value”?

Finally, will legal institutions be mobilized?

FTC Freezes Assets and Operations of Four Promoters of Cryptocurrency Investment Schemes

The Federal Trade Commission (FTC) recently sought and received a temporary restraining order (TRO) against four promoters of alleged pyramid schemes involving cryptocurrencies. The promoters were charged with violating the FTC Act’s prohibition on unfair or deceptive acts or practices in or affecting commerce.

The FTC’s complaint (filed under seal in the U.S. District Court for the Southern District of Florida on February 20, and released on March 16) targets the promoters of three cryptocurrency-related referral programs – My7Network, Bitcoin Funding Team and Jetcoin – that used online videos, social media, and robocalls to promise potential participants outsized returns on small initial investments of Bitcoin and Litecoin. According to the FTC, the promoters cited complicated financial models and used flowery language to explain the source of these returns, while in actuality the funds came from enrollment and other payments made by subsequent investors.

Crypto-remedies  

The TRO imposes a freeze on all assets (including cryptocurrencies) of the named defendants and bars them from continuing to promote any of their businesses. Quite notably, in making the determination that the issuance of a TRO was suitable to the case, the court focused heavily on the particular characteristics of cryptocurrencies. Specifically, the court stated that:

  • “The use of cryptocurrency in the programs promoted by Defendants poses a heightened risk of asset dissipation. Bitcoin and other cryptocurrencies are circulated through a decentralized computer network, without relying on traditional banking institutions or other clearinghouses. This independence from traditional custodians makes it difficult for law enforcement to trace or freeze cryptocurrencies in the event of fraud or theft;” and
  • “Defendants claim that the schemes they have promoted have expanded into dozens of countries. If Defendants were provided notice of this action, it would be a simple matter for them to transfer their bitcoin or other cryptocurrency to unidentified recipients outside the traditional banking system, including contacts in foreign countries, and effectively put it beyond the reach of this Court.”

Looking ahead, such considerations may raise critical questions – both practical and legal – as to the appropriateness of certain forms of remedial relief across a wide swath of cryptocurrency-related cases. In particular it remains to be seen what limitations, if any, can constrain a court’s ability to issue injunctions and compel specific performance in the cryptocurrency context.

FTC joins the fray

While the present case is one of the first times the FTC has waded into the regulation of cryptocurrencies, it is unlikely to be the last we hear from the United States’ primary federal general consumer protection agency. To that effect, also on March 16, the FTC announced it has created a Blockchain Working Group to investigate cryptocurrency and Blockchain-related activities.

Blockchain, Personal Data and the GDPR Right to be Forgotten

The effective date of the EU’s General Data Protection Regulation (GDPR) is fast approaching (May 25, 2018), and its impacts are already being felt across various industries. Specifically, the conflicts between the GDPR and the technical realities of blockchains raise important legal considerations for companies seeking to implement blockchain solutions that involve the personal data of EU data subjects.

One of the key features of blockchain technology is the general immutability of its data, and many applications of the technology thus far are built on publicly available data trails. Among other data, a blockchain can house the information of those who have engaged in transactions along the life of the blockchain, whether it is their name or social security number or, more often, simply a code which could make an individual identifiable. Personal data in an immutable data trail is problematic when considered against the new requirements of the GDPR.

One issue that will have to be considered is the GDPR’s “erasure” right.  Article 17 of the GDPR demands that companies erase the personal data of individuals when they request to be “forgotten”. The GDPR does not define what “erasure of data” means, which suggests that, to comply with this requirement, actual physical and logical deletion (a literal reading of the word “erase”) is required. As simply conducting a blockchain transaction to make personal information inaccessible does not erase any data, it is not clear whether and how one can store personal data on a blockchain and comply with a literal reading of this GDPR obligation. Further complicating the matter is the fact that Article 4 of the GDPR defines “personal data” very broadly as any information relating to an identified or identifiable natural person, with “identifiable natural person” being defined to mean an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Some practitioners and scholars believe that even an individual’s publicly available cryptocurrency wallet address would be considered personal data under the GDPR.

One potential solution to this conundrum might be to store all personal data off of the blockchain in separate “off-chain” databases, but to do so would sacrifice many of the benefits of using a blockchain in the first place.

Until we have some clarification on the interpretation of the obligation to “erase” data, or until the GDPR is amended to account for the unique technical structure of blockchains, companies should be aware of the risk in developing blockchains that will include personal data of EU based individuals. While clearly an issue, as with much of the GDPR, a practical approach to compliance is recommended, and this is not likely to be the issue that is immediately put into play by complainants under the GDPR.

For general insights on the GDPR’s various privacy and data security implications, please visit our Privacy Law Blog.

A Proposed Statutory Framework for State Regulation of Virtual Currency Businesses: The Uniform Law Commission’s “Uniform Regulation of Virtual-Currency Businesses Act”

Last July, the Uniform Law Commission completed a uniform model state law, known as the Uniform Regulation of Virtual-Currency Businesses Act (“URVCBA” or the “Act”) (Steve Weise participated in the preparation of the Act).  Currently, state regulation in the virtual currency space is carried out under a patchwork of laws that typically do not directly contemplate virtual currency and blockchain technology. Attempting to bring clarity as to which types of entities require state licensure and also to encourage responsible innovation in this emerging area, the URVCBA provides a statutory framework for the regulation of companies engaging in “virtual-currency business activity.”  After carefully defining which activities fall under the Act’s purview, the uniform law requires covered entities to make the typical financial and business disclosures in its application, and also contains numerous user and consumer protections, including certain enforcement powers by the relevant state authority.

The mission of the Uniform Law Commission is to draft state laws on topics where standardized regulation across state lines is practical (e.g., the Uniform Commercial Code (the “UCC”)). Gaining final approval in 2017, the Act has so far been introduced in Connecticut, Hawaii, and Nebraska

When Filing Taxes, Don’t Forget Virtual Currency Income

In a March 23 news release, the IRS reminded taxpayers that income from virtual currency transactions must be reported on income tax returns, and that certain virtual currency transactions are taxable like any other property transactions. Taxpayers should note that despite the pseudo-anonymity of virtual currencies, the IRS has been able to successfully subpoena a major exchange for the accounts and information of thousands of holders.

As the IRS news release highlighted, the consequences for non-compliance are significant. Taxpayers who do not report income from virtual currency transactions can be audited for those transactions and potentially liable for penalties and interest. More egregious violations could subject taxpayers to criminal prosecution for charges including tax evasion and filing a false tax return. Convictions for tax evasion and filing a false tax return could lead to a prison term of up to three to five years, respectively, and monetary fines of up to $250,000.

The release also directed taxpayers to IRS Notice 2014-21 (which provides guidance on how existing general tax principles apply to certain virtual currency transactions) and noted that, among other things:

  • payments made using virtual currency are subject to information reporting to the same extent as any other payment made in property;
  • virtual currency payments to independent contractors and other service providers are taxable, and normally the payer must issue Form 1099-MISC;
  • wages paid to employees using virtual currency are taxable to the employee and must be reported on a Form W-2 by the employer;
  • certain third parties who settled virtual currency payments on behalf of merchants that accept virtual currency from customers must report payments to those merchants on Form 1099-K, Payment Card and Third Party Network Transactions; and
  • the character of gain or loss from the sale or exchange of virtual currency depends on whether the virtual currency is a capital asset in the hands of the taxpayer.

The release makes it clear that income from virtual currency transactions must be reported on income tax returns. However, the guidance in the March 23 release and IRS Notice 2014-21 does not apply to all virtual currencies and it is unclear how income from virtual currency transactions not covered by this guidance should be treated and reported for tax purposes. Furthermore, the application of this guidance to any specific taxpayer depends on the taxpayer’s particular situation. Taxation of virtual currencies is complex and there remains a great deal of uncertainty regarding the application of the tax law and a taxpayer’s compliance obligations. We will continue to follow developments in this area.

Blockchain Digital Assets in Virtual Reality, Video Games and eSports – Ready Lawyer One?

Virtual worlds similar to the OASIS in Steven Spielberg’s upcoming film Ready Player One may be closer than we think – and provably scarce, blockchain-based digital assets could provide the leap forward that gets us there. Already, developers are testing early implementations.

Since CryptoKitties launched at the end of 2017, promptly causing a traffic jam on the Ethereum network and proving that crypto-collectible “games” leveraging blockchains can be a hot commodity, a number of copycats have sprung up.

While interesting, this first generation of blockchain games has been a relatively simple series of experiments. Meanwhile, developers have taken note of the potential synergies between blockchain-based digital assets and the mass-market video game and virtual/augmented reality space. As they explore potential ways of using blockchain technology to make virtual worlds and interactions more immersive and to build better bridges between in-game and real-world commerce, there are a number of legal issues to consider.

Federal Court Grants Preliminary Injunction, Affirms CFTC Jurisdiction over Virtual Currencies

Earlier this month, Judge Jack B. Weinstein of the U.S. District Court for the Eastern District of New York entered a preliminary injunction order against Patrick McDonnell and his company, CabbageTech, Corp. (together, the “Defendants”). In a landmark ruling, the order upheld the CFTC’s position that “virtual currencies” are commodities subject to CFTC jurisdiction under the Commodities Exchange Act.

The preliminary injunction was issued in response to a CFTC complaint from late January (discussed here), which alleged that the Defendants defrauded and misappropriated funds from customers in connection with the purported provision of virtual currency investment and trading services involving Bitcoin and Litecoin. According to the CFTC, the Defendants promised as much as 300% return on an investment in less than a week, then shut down all communications once they received funds from numerous customers.

While the CFTC has brought several actions against allegedly fraudulent cryptocurrency-based schemes, its authority to do so had never been ruled upon by a federal court – until now.

In ordering the preliminary injunction, Judge Weinstein found that, “[u]ntil Congress clarifies the matter, the CFTC has concurrent authority, along with other state and federal administrative agencies, and civil and criminal courts, over dealings in virtual currency.” Furthermore, Judge Weinstein affirmed that the CFTC’s jurisdiction over virtual currencies extends beyond transactions involving futures or derivatives thereon; and that, as in the case of CabbageTech, the CFTC possesses anti-fraud and anti-manipulation enforcement authority over interstate contracts of sale for virtual currency itself.
