Risks and considerations for privacy, cybercrime and blockchain

30 Jun 2022

Introduction

It is common cause that the legal framework around blockchain technology is in its infancy in most countries. In most jurisdictions, the debate focuses on the taxation of the assets as opposed to the regulating standards to limit user risk.

Blockchain technology has a lot of potential, which excites me. It would limit issues and risks but, as with most things, it is a double-edged sword. For example, the records are uneditable – the days of selective memory to avoid liability are over. Moreover, the security it offers is better than its equivalents.

In a recent article by Reid Blackman, he explains the nature of blockchain as follows:

“…If I send you bitcoin, that transaction is simultaneously recorded on the more than 12,000 computers, servers, and other devices that Bitcoin runs on. Everyone on the chain can see the transaction, and no one can alter or delete it. Or you can send me a non-fungible token (NFT) on the Ethereum blockchain, and that transaction is simultaneously recorded across all the computers (also known as “nodes”) that Ethereum runs on. These two examples explain, roughly, what blockchain technology is: a way to keep unalterable records of transactions on multiple computers such that a new transaction cannot be recorded on one computer without simultaneously recording it on all the others….”

The very nature of the technology, therefore, lends itself to some risks, which need to be considered and observed.

Lack of third-party protection

Third-party intermediaries (like banks) have sophisticated ways of detecting activity by malicious users and consumers can challenge fraudulent transactions. Thus, users need to understand the risk of not having those safeguards in the blockchain environment. In addition, there must be transparency around the dangers and meaningful informed consent must be obtained from users.

The lack of privacy

The most popular blockchains, Bitcoin and Ethereum, are public. Thus, anyone can view, add to and audit the entirety of the chain. This in certain contexts could lead to a threat or breach of users’ privacy. Therefore, users need to understand the implications of public blockchains and associated transparency.

Jurisdictional issues and zero-state problem

According to Reid Blackman, the zero-state problem occurs when the accuracy of the data contained in the first, or “genesis block” of a blockchain is in question. This happens if due diligence is not adequately performed on the data or if those entering it make a mistake. Therefore, blockchain users should vet how the genesis block was created and where the data was sourced.

A recent case in the Supreme Court of the State of New York illustrated the gravity of the jurisdictional issue in the matter of LCX AG versus John Doe Nos. 1-25:

“This is an action for the unauthorised access to and theft of nearly $8 million worth of various virtual assets held by Plaintiff, a virtual asset service provider in Liechtenstein. All of the virtual assets were based on the Ethereum blockchain.

The theft was perpetrated by Defendants, unknown persons who took numerous measures to obscure the resulting transaction trail left behind on the Ethereum blockchain, including exchanging the stolen assets for other forms of virtual assets and the use of virtual asset services tailor-made to foil virtual asset tracing investigations.

Plaintiff’s investigation has led it to initiate recovery actions in Liechtenstein, Ireland and now in the United States, wherever recovery of the stolen assets may be effected.”

This case illustrates the challenges faced, not just in identifying the parties due to the fact that this happened in a public blockchain. The wallet address of the owner and the person in control thereof is easy enough to establish. The difficulty lies in finding and recovering the assets, although this problem is not unique to blockchain.

Governance

In South Africa, the Electronic Communications and Transactions Act 25 of 2002 or “ECTA”, provides that suppliers (not users) of “cryptography” services or products must register their names and addresses and the names of their products with a brief description in a register maintained by the Department of Communications. Unless the (local or foreign) supplier has registered, they cannot provide their services or products in South Africa.

With that said, the ECTA has not seen any significant developments since its enactment.

The Cybercrime Act 19 of 2020 has, however, criminalised certain behaviour like hacking and the unlawful interception of data.

However, any regulation is only effective if in its jurisdiction.

Blockchain technology is described by a host of terms — “decentralised”, “permissionless” and “self-governed” — that may cause users to make assumptions about governance. Blockchain governance is a complicated affair with significant ethical, reputational, legal and financial ramifications often spread over multiple jurisdictions.

Conclusion

We recommend that the role players consider their interactions and take advice in order to make informed decisions. The developers should consider some of the risks and how to address them pending a deeper understanding of the regulations.

Contact an expert at SchoemanLaw for assistance in all your technology legal needs.

See also:

• Unpacking the legal side of Artificial Intelligence
• A token approach – Web3 domains
• The tech series
• Certain sections of Cybercrimes Act in effect

(This article is provided for informational purposes only and not for the purpose of providing legal advice. For more information on the topic, please contact the author/s or the relevant provider.)