Privacy, cybercrime and blockchain
05 October 2022 11:00 by Nicolene Schoeman-Louw
The very nature of blockchain technology lends itself to risks which need to be considered and observed by software developers. They include the lack of third-party protection, the lack of privacy, jurisdictional issues, and governance.
Written by Nicolene Schoeman-Louw, Managing Director SchoemanLaw Inc, for LexisNexis South Africa.
Introduction
It is common cause that the legal framework around blockchain technology in most countries around the world is in its infancy. In most jurisdictions, the debate centres around the taxation of the assets as opposed to the regulatory standards to limit user risk.
Blockchain technology has a lot of potential, which excites me. It would limit issues and risks but, as with most things, is a double-edged sword. For example, the records are uneditable – the days of selective memory to avoid liability are over. Moreover, the security it offers is better than its equivalents.
In a recent article by Reid Blackman, he explains the nature of blockchain as follows:
“…If I send you bitcoin, that transaction is simultaneously recorded on the more than 12,000 computers, servers, and other devices that Bitcoin runs on. Everyone on the chain can see the transaction, and no one can alter or delete it. Or you can send me a non-fungible token (NFT) on the Ethereum blockchain, and that transaction is simultaneously recorded across all the computers (also known as “nodes”) that Ethereum runs on. These two examples explain, roughly, what blockchain technology is: a way to keep unalterable records of transactions on multiple computers such that a new transaction cannot be recorded on one computer without simultaneously recording it on all the others….”
The very nature of the technology, therefore, lends itself to some risks, which need to be considered and observed.
1. Lack of Third-Party Protection
Third-party intermediaries (like banks) have sophisticated ways of detecting activity by malicious users, and consumers can challenge fraudulent transactions. Thus, users need to understand the risk of not having those safeguards in the blockchain environment. In addition, there must be transparency around the dangers and meaningful informed consent must be obtained from users.
2. The Lack of Privacy
The most popular blockchains, Bitcoin and Ethereum, are public. Thus, anyone can view, add to, and audit the entirety of the chain. This in certain contexts could lead to a threat or breach of users' privacy. Therefore, users need to understand the implications of public blockchains and associated transparency.
3. Jurisdictional Issues and Zero-State Problem
According to Reid Blackman, the zero-state problem occurs when the accuracy of the data contained in the first, or "genesis block," of a blockchain is in question. This happens if due diligence is not adequately performed on the data or if those entering it make a mistake. Therefore, blockchain users should vet how the genesis block was created and where the data was sourced.
A recent case in the Supreme Court of the State of New York illustrated the gravity of the jurisdictional issue in the matter of LCX AG versus John Doe Nos. 1-25:
“This is an action for the unauthorised access to and theft of nearly $8 million worth of various virtual assets held by Plaintiff, a virtual asset service provider in Liechtenstein. All of the virtual assets were based on the Ethereum blockchain.
The theft was perpetrated by Defendants, unknown persons who took numerous measures to obscure the resulting transaction trail left behind on the Ethereum blockchain, including exchanging the stolen assets for other forms of virtual assets and the use of virtual asset services tailor-made to foil virtual asset tracing investigations.
3. Plaintiff's investigation has led it to initiate recovery actions in Liechtenstein, Ireland, and now in the United States – wherever recovery of the stolen assets may be effected.”
This case illustrates that the challenge lies not so much in identifying the parties, because this happened on a public blockchain: the wallet address of the owner and the person in control thereof is easy enough to establish. The difficulty lies in finding and recovering the assets, although this problem is not unique to blockchain.
In South Africa, the Electronic Communications and Transactions Act 25 of 2002 or “ECTA” provides that Suppliers (not users) of “cryptography” services or products must register their names and addresses and the names of their products with a brief description in a register maintained by the Department of Communications. Unless the (local or foreign) supplier has registered, they cannot provide their services or products in South Africa.
With that said, the ECTA has not seen any significant developments since its enactment.
The Cybercrime Act 19 of 2020 has, however, criminalised certain behaviours like hacking and the unlawful interception of data.
However, any regulation is only effective within its own jurisdiction.
Blockchain technology is described by a host of terms — "decentralised," "permissionless," and "self-governed" — that may cause users to make assumptions about governance. Blockchain governance is a complicated affair with significant ethical, reputational, legal, and financial ramifications often spread over multiple jurisdictions.
We recommend that the role players in the ecosystem consider their interactions and take advice in order to make informed decisions. The developers should consider some of the risks and how to address them pending a deeper understanding of the regulations.