AI Breaks the World, Crypto Fixes It, Part VI: Hacking the 2024 Election With Biden Deepfakes (A Thought Experiment)

https://prestonbyrne.com/2024/02/13/hacking2024/

This is the sixth post in a six-part series, the five previous ones being:

  1. AI Breaks the World, Crypto Fixes It;
  2. AI Breaks The World, Crypto Fixes it, Part II: the “AI Misinformation” problem can be completely solved by cryptocurrency-based “proof of human”;
  3. AI Breaks the World, Crypto Fixes It, Part III: How Crypto Can Solve the Joe Biden AI Deepfake Problem;
  4. AI Breaks the World, Crypto Fixes It, Part IV: The Great Zoom Robbery; and
  5. AI Breaks the World, Crypto Fixes It, Part V: OnlyFakes Requires New Forms of “Proof of Human.”

I had a very pleasant chat with one of my counterparts in the antifraud division of a bank this morning, who shall for present purposes remain nameless.

It was a very productive conversation. We agreed on a great many things. First, we agreed that biometrics is an authentication solution for devices but not a great authentication solution for one’s identity across multiple platforms. Second, we agreed that there is not a “magic bullet” solution for identity and that whenever a new gimmick other than strong cryptography was introduced into the mix – cell phone based 2FA or

We also agreed that given the pace at which AI is advancing, the usual ways we verify identity – hearing someone’s voice, for example, or relying on scanned copies of their identity documents – are going the way of the dinosaur, and that the only thing that will fix it is strong cryptography.

Most importantly, we agreed that, given the pace of A.I. development and the adoption of these tools by open-source actors, although there is a dim awareness of an “identity problem” brewing among the highest echelons of the American state, policymakers and business leaders are not meeting the problem with the urgency it demands.

We know, for example, that the White House understands the problem and at least partially understands what is needed to start providing a solution. See e.g. this quote they supplied to the WSJ about what I jokingly referred to as a “Proof-of-Biden” application for “watermarking content” cryptographically…

…although the fact that they’re using the term “watermark” to describe the solution betrays a degree of ignorance of the true scale of the problem. If the only issue our society faced with AI were that we need to determine which “Dark Brandon” meme emanated from POTUS vs those which emanated from people making fun of POTUS, then yes, a cryptographic watermark with a “Vote for Biden” browser extension might do the trick.

The problem with AI, however, is not that people will post unauthorized Internet memes. It is that AI drives the cost of creating a personalized message capable of being delivered in Joe Biden’s voice, to every voter in the United States, down to near-zero. A foreign threat actor could conceivably hand-deliver campaign messaging, that sounds like the President, to every single household in the United States with zero effort, messaging which voters could not distinguish from the real thing.

Hacking the 2024 election with AI: how it might be done

It is the Friday before election day, 2024. Donald J. Trump is ahead by four points nationally and in key battleground states. (This is a thought experiment, not an expression of hope or a prediction, so don’t shoot the messenger.)

In China, PLA Unit 61398 has spent the previous 8 months cataloguing Americans’ political preferences and pairing those preferences with phone numbers. The PLA unit furiously devises propaganda which it plans to deliver in Joe Biden’s voice to every American household which paints the President in a maximally negative light, tailored to that individual voter, following a successful penetration test earlier in the year where the PLA called thousands of New Hampshire voters with a simple robocall (this actually happened, although it is not presently known who the perpetrators were).

The Friday before election day, as most American families sit at home eating dinner, the phone rings. On the other end is Joe Biden’s voice, in AI, delivering a message which is tailored to terrify that individual voter and paint the President in the least flattering possible light.

Over the weekend, the campaigns duel with one another over social media. Biden’s campaign blames Donald Trump for the calls; Donald Trump’s campaign says that Biden was responsible and, in any case, Biden is someone they should fear, and accuses the “Deep State” of election interference. Voters, who, not being technologists, have encountered AI deepfakery for the first time, go to the polls three days later afraid and confused.

Regardless of who wins, the playbook that was run by U.S. politicians in 2016 (the Democrats, with “muh Russia”) and 2020 (the Republicans, with January 6th) would be repeated, only this time on steroids, because the interference was deeply personalized and had wended its way into every home in the United States. The losing side would accuse the winning side of election interference; both sides would understand that the election had actually been interfered with by somebody, although they would not know who had so interfered; and, on balance, the trust in American democracy would be eroded significantly.

It doesn’t really matter who wins the election from a foreign adversary’s perspective. The confusion and the acrimony is the win. It is this threat, not the obviously fake social media post from an openly partisan influencer on Twitter, that we need to be preparing for, that mere watermarking is insufficient to address, and that only one technology – cryptocurrency-as-distributed-PKI – can be integrated with our communications systems with sufficient speed that we could ensure the integrity of all communications across our society.

In the AI age, we are hugely vulnerable to foreigners and criminals using these tools to impersonate us. At every level, with every transaction. Integrating cryptocurrency PKI with our communications systems would be the greatest national security win since the atom bomb. We should be embarking on a project as ambitious as the Manhattan Project to fortify our communications from these kinds of threats.

AI Breaks the World, Crypto Fixes it, Part V: OnlyFakes Requires New Forms of “Proof of Human”

https://prestonbyrne.com/2024/02/06/ai-breaks-the-world-crypto-fixes-it-part-v-onlyfakes-requires-new-forms-of-proof-of-human/

I write this post for you from 30,000 feet above France, on my way back to America from another wonderful Satoshi Roundtable event in Dubai. We are about to descend into London so I must keep my remarks short so I can put my laptop away in anticipation of the usual disembarkation scrum one encounters after a long flight.

This is the fifth post in a five-part series, the four previous ones being:

  1. AI Breaks the World, Crypto Fixes It;
  2. AI Breaks The World, Crypto Fixes it, Part II: the “AI Misinformation” problem can be completely solved by cryptocurrency-based “proof of human”;
  3. AI Breaks the World, Crypto Fixes It, Part III: How Crypto Can Solve the Joe Biden AI Deepfake Problem; and
  4. AI Breaks the World, Crypto Fixes It, Part IV: The Great Zoom Robbery.

We learn today of a website called OnlyFakes, which exists for the sole purpose of producing fake ID cards for accessing cryptocurrency exchanges or other businesses which verify ID remotely in order to confirm a user’s identity for regulatory compliance purposes.

The use-case this will likely, initially address is hacking the KYC function of offshore crypto exchanges. Crypto exchanges are not bricks-and-mortar businesses. As such, when performing KYC checks on their users they require users to present proof of their identity and locality, most often in the form of government-issued identification cards and less often in the form of proof of address like a bank statement or a utility bill.

See, e.g., this fake California ID generated by the app:

Looks a lot like the real thing, and is likely impossible for an exchange to verify.

The problem with conducting KYC verification in this way is not one which can be fixed by video calling, either. As we learned in the last entry in this series which I wrote *checks watch* two days ago, scammers can and will also deepfake live over platforms like Zoom.

As the previous posts in this series have made clear, the problem of faking one’s identity on the web is not one which is fixable with the web. No unsigned communication made over the Internet can be believed anymore. The AI is too good, more human than human, and cannot offer “proof of human” as such. It is not only reasonable to expect that this will soon leak out of the web-world into the real world, it is inevitable that this will happen. An AI which can convincingly fake a driver’s license can also convincingly fake a utility statement, or a bank check, or anything else, and since most utility statements are delivered by e-mail these days, a real statement and a false one will be printed on the same household printer and will likely be indistinguishable.

For now, there are only two things AI can’t fake: actual physical presence and a digital signature using a robust digital signature algorithm like ECDSA. We must combine these things and physical hardware to create a multi-factor, multi-signature proof-of-human.

Our governments must embrace cryptocurrency technology and encourage its development because cryptocurrency, for all its faults, is the best – and only – mass-distributed PKI system which can even begin to serve the “proof of human” function our societies desperately need in order to normally function.

AI Breaks the World, Crypto Fixes It, Part IV: The Great Zoom Robbery

https://prestonbyrne.com/2024/02/04/great-zoom-robbery/

This is a follow up to three earlier posts:

  1. AI Breaks the World, Crypto Fixes It;
  2. AI Breaks The World, Crypto Fixes it, Part II: “AI Misinformation” problem can be completely solved by cryptocurrency-based “proof of human”; and
  3. AI Breaks the World, Crypto Fixes It, Part III: How crypto can solve the Joe Biden AI deepfake problem.

And now for our fourth installment in the series, a story about an audacious heist in which an AI was used to steal $25 million from a Hong Kong company by faking the entire senior management team on a Zoom call:

A finance worker at a multinational firm was tricked into paying out $25 million to fraudsters using deepfake technology to pose as the company’s chief financial officer in a video conference call, according to Hong Kong police.

The elaborate scam saw the worker duped into attending a video call with what he thought were several other members of staff, but all of whom were in fact deepfake recreations, Hong Kong police said at a briefing on Friday.

“(In the) multi-person video conference, it turns out that everyone [he saw] was fake,” senior superintendent Baron Chan Shun-ching told the city’s public broadcaster RTHK.

I have rammed this point home in my three prior posts, but will do so again: the advent of AI means we cannot trust anything we see or do online anymore. See e.g. this report where an engineer allegedly used ChatGPT to convince desperate men to buy Soho House memberships to score a date:

Or this, where an engineer used ChatGPT to aggressively filter out dates:

Mind you, on Hinge, there really isn’t a solution to this problem that cryptography can present – if you have a single user willing to lie about who they are in order to scale up their own personal communications capacity, then you’re going to have a hard time fixing that with crypto. The only way you’re going to be able to tell who your counterparty is, is by meeting them in person.

The question is how we increase the threshold of verifiability in unencrypted (telephone) and other mostly non-cryptographic (Zoom) communications protocols. Already in the last two weeks AI has been used to interfere with the New Hampshire Democratic primary election and steal $25 million from this Hong Kong company. The only solution to this problem is to bake crypto-protocols into everything, preferably by using existing consumer crypto infrastructure like Metamask wallets, integrating with those, signing all communications with digital signatures and aggressively blocking/whitelisting our business contacts so that when we get four of our colleagues on a Zoom call, and they’re all presenting valid digital signatures, we know that we’re (a) either talking to the real deal or (b) someone managed to get hold of their private keys.

Because, at least for now, a private key is the only thing in the world an AI can’t fake.

We have to do this, and given the pace at which AI is accelerating, we have to do it very, very quickly.

AI Breaks the World, Crypto Fixes It, Part IV: The Great Zoom Heist

https://prestonbyrne.com/2024/02/04/ai-breaks-the-world-crypto-fixes-it-part-iv-the-great-zoom-heist/

This is a follow up to 4 earlier posts:

  1. AI Breaks the World, Crypto Fixes It
  2. AI Breaks The World, Crypto Fixes it, Part II: “AI Misinformation” problem can be completely solved by cryptocurrency-based “proof of human”
  3. AI Breaks the World, Crypto Fixes It, Part III: How crypto can solve the Joe Biden AI deepfake problem

We learn from fake news CNN today that an AI was used to steal $25 million from a Hong Kong company:

A finance worker at a multinational firm was tricked into paying out $25 million to fraudsters using deepfake technology to pose as the company’s chief financial officer in a video conference call, according to Hong Kong police.

The elaborate scam saw the worker duped into attending a video call with what he thought were several other members of staff, but all of whom were in fact deepfake recreations, Hong Kong police said at a briefing on Friday.

“(In the) multi-person video conference, it turns out that everyone [he saw] was fake,” senior superintendent Baron Chan Shun-ching told the city’s public broadcaster RTHK.

I have rammed this point home in my three prior posts, but will do so again: the advent of AI means we cannot trust anything we see or do online anymore. See e.g. this report where an engineer allegedly used ChatGPT to convince desperate men to buy Soho House memberships to score a date:

Or this, where an engineer used ChatGPT to aggressively filter out dates:

Mind you, on Hinge, there really isn’t a solution to this problem that cryptography can present – if you have a single user willing to lie about who they are in order to scale up their own personal communications capacity, then you’re going to

The question is how we increase the threshold of verifiability in unencrypted, non-cryptographic (they do mean different things) communications protocols like the telephone and Zoom. Already in the last two weeks AI has been used to interfere with the New Hampshire Democratic primary election and steal $25 million from this Hong Kong company. The only solution to this problem is to bake crypto-protocols into everything, preferably by using existing consumer crypto infrastructure like Metamask wallets and integrating with those, sign all communications with digital signatures and aggressively block/whitelist our business contacts so that when we get four of our colleagues on a Zoom call, and they’re all presenting valid digital signatures, we know that we’re (a) either talking to the real deal or (b) someone managed to get hold of their private keys. Because a private key is, for now, the only thing in the world an AI can’t fake.

We have to do this, and given the pace at which AI is accelerating, we have to do it very, very quickly.

Notes on the stupid “DAO terrorism” piece in Wired

https://prestonbyrne.com/2024/01/26/notes-on-the-stupid-dao-terrorism-piece-in-wired/

Wired published an article alleging that DAOs are potentially the next major hub for coordinated extremism online.

The article leads with:

Can you imagine what a digital white ethnostate or a cyber caliphate might look like? Having spent most of my career on the inside of online extremist movements, I certainly can. The year 2024 might be the one in which neo-Nazis, jihadists, and conspiracy theorists turn their utopian visions of creating their own self-governed states into reality—not offline, but in the form of Decentralized Autonomous Organizations (DAOs).

Wired

The author of the article, Julia Ebner, “an academic extremism researcher who writes books on political movements,” appears to have some impressive credentials researching extremists in Europe, having apparently “infiltrated” (read: “attended publicly advertised meetups” of) groups like Generation Identity and Reconquista Germanica. These groups are not exactly hard to find; Germanica, for example, principally consists of a Discord group, and Discord, Inc. is a San Francisco-headquartered social media company whose eponymous application stores all user communications in the clear, or in a form which can be decrypted by the host of the servers where that content is stored.

Academic research of extremist groups of this kind is straightforward because, for the most part, participants of such groups are a bunch of LARPing dorks who post edgy memes with no opsec. A dead giveaway that an extremist group is unserious is where the servers the group utilizes are based in the United States and the FBI can get a grand jury subpoena doxxing a user of those servers in the space of an afternoon (if they even need one at all, as many companies will render voluntary disclosure of these records when serious criminality threatening life or serious bodily injury is alleged). Where those edgy posters, sometimes referred to as “edgelords,” are European, posting racist memes is something which they will be liable to get arrested for, because posting racist memes is illegal just about everywhere in the UK and the European Union.

I would be more impressed with Ebner’s assertions here if she had infiltrated a group that was actually difficult to infiltrate and which actually uses cryptoprotocols for their communications. An example of one such group would be the Taliban, who used WhatsApp to coordinate their lightning strikes against Kabul and other major Afghan cities during the U.S. withdrawal from that city, something Facebook was never held to account for by any major U.S. politician or Congressional committee.

I have some experience with DAOs, having helped design the first Ethereum prototype of one in 2014 and advised a number of others since. Their principal role is to manage on-chain smart contracts and decide when certain administrator-level permissions on those contracts, such as setting interest rates or adding or removing features, should be removed from those contracts.

As a general rule, by the time a proposal for such a change actually gets agreed on and implemented, considerable discussion about the proposal has already occurred, generally on Web2 communications channels and generally, again, out in the open and on logs which store the conversations in readable form. Generally the DAO part of the puzzle is half-baked and not well thought out, with a token serving primarily the purpose of pre-funding the DAO founders so that they can get some runway to sling new code and figure it out. Rarely, such as in the case of projects like MakerDAO, the project has tight product-market fit and token holders will periodically swing in to vote on a proposal. Even in those cases, “governance portals” where relevant communications on these votes take place exist in the open, on the surface web, where they can be easily accessed and observed by token-holders who will not want to “dox” themselves in order to participate (although many large token holders choose to do exactly this).

Wired writes:

What are the stakes if trolling armies start cooperating via DAOs to launch election interference campaigns? The activities of extremist DAOs could challenge the rule of law, pose a threat to minority groups, and disrupt institutions that are currently considered fundamental pillars of democratic systems. Another risk is that DAOs can serve as safe havens for extremist movements by enabling users to circumvent government regulation and security services monitoring activities.

Rebutting: this is absurd. “Extremist” groups of the type Ebner studies, the type which has members who live and work freely in Western societies without committing actual crimes, but have opinions that make them assholes, and largely peace-loving, crypto-nerd filled “DAOs” do not create “safe havens” from anything. Their communications are largely mediated by the surface web, in the clear, where they can be and are routinely monitored by law enforcement agencies, both criminal (in the case of the extremists) and civil (in the case of DAOs).

DAOs in particular are ill suited to concealment given that (a) smart contracts are all publicly examinable onchain, (b) blockchain transaction data on the most popular EVM chains where the overwhelming majority of DAOs live is unencrypted and ingested by massive machine-learning analytics engines by companies like Chainalysis which work directly with law enforcement on a daily basis and (c) for the most part the only thing DAOs do is coordinate on smart contract state changes, which nobody gives a shit about, whereas the dissemination of “extremist” thought usually relies on the transmission of edgy memes/propaganda, which is not something which is economically practicable onchain given that it would be prohibitively expensive to fill up a block with a gif whereas posting it on a Discord server – again, which is where most “extremists” hang out.

Crypto and DAOs aren’t the droids you’re looking for, Wired. When the Taliban starts using DAOs instead of using WhatsApp for their communications (which will likely never happen) this is a conversation worth having. In the meantime, perhaps you should stop trying to smear a nascent and largely innocent industry of brilliant hackers who are trying to make the world a better place.

How crypto can solve the Joe Biden AI deepfake problem

https://prestonbyrne.com/2024/01/22/how-crypto-can-solve-the-joe-biden-ai-deepfake-problem/

This is a direct follow-up to two previous posts: first, The “AI Misinformation” problem can be completely solved by cryptocurrency-based “proof of human”, and second, AI is digital abundance, crypto is digital scarcity, and the world needs both.

Yesterday, U.S. Senator Elizabeth Warren posted the following on Twitter:

Senator Warren can be forgiven for thinking that crypto is money. Those of us who have worked in the space for awhile know that it is much more than that. “Crypto” as such is not merely money but rather it is the union of a finite state machine with a unit of account that humans wishing to access that state machine can treat as money, or, as put by Ian Grigg, simply “a state machine with money.” This access, and indeed all aspects of the permissioning and functioning of such systems, can be linked to the payment of fees and the payment of fees is secured not by accounting and billing departments, but rather by public-private key authentication.

Which brings us to today’s story about another prominent Democrat, Joe Biden. Or rather, a story about an AI apparition of Joe Biden:

New Hampshire is having a primary election this week. The Democratic iteration of this was particularly controversial as the national party successfully blocked RFK Jr. from appearing on the ballot and then attempted to shut the primary down. As a result, Joe Biden does not appear on the primary ballot and instead is running a write-in campaign in order to secure the state’s votes for his reelection campaign.

Someone who was clearly unhappy about this state of affairs launched an (extremely illegal) voter suppression campaign where an AI-generated, robocalled voice pretended to be Joe Biden and instructed voters to stay at home on Tuesday.

How does this relate to crypto, you ask? First, read the two blog posts I linked to above. Second, understand from those blog posts that the problem of AI abundance is not going to go away – it is going to get worse and it is going to get considerably more difficult to discern from the real thing.

There are several possible responses we, as a society, can mount to AI deepfakery. One of them is to ban AI, which is unlikely to do much good in the long run considering that there are many countries which will not also ban it, and it is generally speaking impossible, unless our civilization collapses and the tech is forgotten, to put this technological genie back in its lamp.

We must therefore find a way to filter the AI out of our lives. The only way to do this is to use technology which an AI cannot, presently or for the foreseeable future, fake. One such technology is a public-private key.

Here’s how such an app might work. Users could set up a crypto wallet address at a .BTC or .ETH domain. That address could be integrated into the phone system and a social phone book where users can add their pubkey addresses and communicate it to their contacts on their iPhones, and accept their contacts’ pubkey addresses in return. Every “call” made to a phone line would come with corresponding cryptographic proof indicating that the call had been signed by the user’s private key together with the date/time or some other timestamped data which could not be repeated. Users could add their favorite politicians, such as Elizabeth Warren or Joe Biden, to their whitelisted numbers, and public chains could act as easily verifiable registries of such numbers. Thus any phone number which called and held itself out as Joe Biden which wasn’t Joe Biden would be instantly flagged and/or blocked.
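The check described above, sketched as an added example (it is not code from this post or from any existing app): a caller signs its claimed identity, a timestamp and a fresh nonce, and the recipient accepts the call only if the signature verifies against the key pinned for that contact, the timestamp is recent and the nonce has not been seen. The same verdict logic applies to participants joining a video call. `CallProof`, `Verifier` and the `.example` names are hypothetical; the public registry is modeled as an in-memory map, and ECDSA over P-256 from Go's standard library stands in for the secp256k1 keys that wallets use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// CallProof is a hypothetical attestation sent with one call (constructed format).
type CallProof struct {
	CallerID string   // claimed identity, as listed in the recipient's phone book
	IssuedAt int64    // Unix seconds at which the call was signed
	Nonce    [16]byte // random per-call value so a captured proof cannot be reused
	Sig      []byte   // ASN.1 DER ECDSA signature over digest()
}

var ErrUnknownCaller = errors.New("caller is not in the allowlist")
var ErrStale = errors.New("timestamp is outside the accepted window")
var ErrBadSig = errors.New("signature does not match the pinned key")
var ErrReplay = errors.New("proof has already been presented")

// digest hashes every signed field; the length prefix keeps field boundaries unambiguous.
func (p *CallProof) digest() []byte {
	msg := fmt.Sprintf("call-proof-v1|%d:%s|%d|%x", len(p.CallerID), p.CallerID, p.IssuedAt, p.Nonce[:])
	sum := sha256.Sum256([]byte(msg))
	return sum[:]
}

// NewKey makes a P-256 key (assumption: stands in for a wallet's secp256k1 key).
func NewKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// SignCall is the caller side: sign the claimed identity, the time and a fresh nonce.
func SignCall(priv *ecdsa.PrivateKey, callerID string, now time.Time) *CallProof {
	p := &CallProof{CallerID: callerID, IssuedAt: now.Unix()}
	if _, err := rand.Read(p.Nonce[:]); err != nil {
		panic(err)
	}
	var err error
	if p.Sig, err = ecdsa.SignASN1(rand.Reader, priv, p.digest()); err != nil {
		panic(err)
	}
	return p
}

// Verifier is the recipient side: pinned keys for allowlisted contacts plus replay state.
type Verifier struct {
	Contacts map[string]*ecdsa.PublicKey // caller ID -> pinned public key (the "registry")
	MaxAge   time.Duration               // accepted clock skew and proof lifetime
	seen     map[[16]byte]bool           // nonces already accepted; expire after MaxAge in practice
}

// Verify accepts a proof only from a pinned contact, and only if fresh, valid and unseen.
func (v *Verifier) Verify(p *CallProof, now time.Time) error {
	pub, ok := v.Contacts[p.CallerID]
	if !ok {
		return ErrUnknownCaller
	}
	if age := now.Sub(time.Unix(p.IssuedAt, 0)); age > v.MaxAge || age < -v.MaxAge {
		return ErrStale
	}
	if !ecdsa.VerifyASN1(pub, p.digest(), p.Sig) {
		return ErrBadSig
	}
	if v.seen[p.Nonce] {
		return ErrReplay
	}
	v.seen[p.Nonce] = true
	return nil
}

// Scenario runs five constructed calls against one recipient and returns each verdict.
func Scenario() []error {
	now := time.Unix(1700000000, 0) // constructed clock
	genuine, impostor := NewKey(), NewKey()
	v := &Verifier{MaxAge: 2 * time.Minute, seen: map[[16]byte]bool{},
		Contacts: map[string]*ecdsa.PublicKey{"campaign.example": &genuine.PublicKey}}
	proof := SignCall(genuine, "campaign.example", now)
	return []error{
		v.Verify(proof, now),                  // genuine call: accepted
		v.Verify(proof, now.Add(time.Second)), // same proof presented again
		v.Verify(SignCall(impostor, "campaign.example", now), now), // listed name, wrong key
		v.Verify(SignCall(impostor, "stranger.example", now), now), // not allowlisted
		v.Verify(SignCall(genuine, "campaign.example", now.Add(-10*time.Minute)), now), // old proof
	}
}

func main() {
	fmt.Println(Scenario())
}
```

A convincing voice changes none of these verdicts: the third call uses the listed name and is still rejected because the key does not match. A stolen private key, by contrast, passes every check.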

Yes, cryptocurrency is a money technology. It is also an unfalsifiable truth technology, one which is already in the hands of millions of Americans and is waiting for other applications from legacy infrastructure to incorporate it into their services and thereby improve them.

AI and crypto are mirror image technologies; crypto fixes the problems that AI creates. If we want to secure the 2024 election, the United States needs to adopt and integrate public blockchains into 20th century technologies and do so with alacrity, instead of trying to ban them.

A short note on designing blockchain systems for RWAs/real-world assets: permissioned contracts on unpermissioned chains

https://prestonbyrne.com/2024/01/18/rwas/

Back in 2014, I founded one of the first (if not the first) permissioned blockchain companies. True story (here’s the corresponding WSJ article). The company was founded by two lawyers, Iraq war hero Casey Kuhlman and myself, only one of whom (not me) could code, and a brilliant quantum mathematician and LLL smart contract coder from the University of Guelph named Dr. Tyler Jackson, who went by the considerably blander pseudonym Dennis McKinnon.

The project had its genesis in a competition, a bounty to be specific, announced shortly after the Bitcoin 2014 conference in Amsterdam by Bitcoiner and Hoppean anarchist Olivier Janssens. At or around the same time, Brock Pierce of Mighty Ducks fame had been elected to the Bitcoin Foundation’s Board of Directors. This was a controversial move; Pierce had been mixed up with some bad folks in Hollywood as a younger man, and opponents of his candidacy pointed to those events from his youth as reasons to oppose his involvement with Bitcoin.

I offer no opinion on those discussions. Janssens, an opponent of Pierce’s, announced a bounty to replace the Bitcoin Foundation with computer code. Casey, Tyler and I quickly assembled a team to create and publish a white paper for the first Ethereum DAO, which we called Eris, which would allow users to carry out the functions of nonprofit organization and crowdfunding on a new, not-yet-live platform called Ethereum. Janssens, unimpressed with our use of a new blockchain platform, awarded the $100,000 grand prize to Mike Hearn (who, famously, ragequit Bitcoin two years later during the 2016 bear market) and granted us second prize at $10,000 for our trouble.

That prototype later became the first permissioned blockchain prototype and wound up doing things like automating the first commercial paper app for the R3 banking consortium and the first bond prototype deployed by Deutsche Bank.

I tell this story to you now because I see it being relitigated in two spheres: first, the DAO sphere, where experiments with new types of organization frequently confuse the software for the organization. Second, in the so-called RWA, or “real world asset” space, where I see new entrepreneurs eager to follow-up crypto’s spectacular victory in the form of an ETF approval by building more bridges between our industry and traditional finance.

If you read our Eris white paper, we wrote – 10 years ago – that

“one of our overarching design goals [was] to continue to design and build DAOs in such a way that they abide in full compliance with legal and regulatory obligations. We set out below the types of functions we have incorporated in Eris version 0.1; we have built it to be coupled with a real-world legal entity, ideally a non-profit, so that such organisations can benefit from the significant efficiencies which blockchain and cryptographic technologies enable while still complying with the legal formalities and necessities of the jurisdictions in which they operate and any related enforcement mechanisms such as court orders.”

Back in 2014, people thought we were insane or didn’t understand what we were talking about – remember, this is before Ethereum and DeFi even existed, we forked Jeff Wilcke’s proof-of-concept version 3 Go prototype. Now that people understand the potential of smart contracts, these design goals are perhaps a little more understandable to normal folks, rather than just crypto-anarchist legal hackers.

To blockchain devs exploring the RWA space, my advice is this: remember that a RWA on a blockchain is a permissioned system on an unpermissioned system, a permissioned smart contract on an unpermissioned chain. The asset must have a rulebook all its own which is separate and distinct from the chain on which the asset lives, that rulebook likely requires an administrative override/“master key” which can rewrite the ownership of the asset or any aspect of its behavior on demand (while of course not deleting the intervening state changes, as this is impossible), and that complying with the legal formalities is the sine qua non for an application to be accepted by the marketplace.

Put another way, as you’re building these things, make sure you have a lawyer on hand – in-house or external – who understands the asset class you’re working with very well, knows the rulebook for that asset class cold, and do not leave them in a legal function but rather move them to a business function for at least 50% level-of-effort: in other words, integrate that lawyer on your dev team very early on so that your specification matches the real-world requirements.

(Twitter thumbnail below since they killed link previews.)

The Bitcoin Bull is back and you want to start a crypto company: 5 pitfalls to avoid

https://prestonbyrne.com/2024/01/03/the-bitcoin-bull-is-back-and-you-want-to-start-a-crypto-company-5-pitfalls-to-avoid/

The below is not legal advice, and is provided for general informational purposes – your mileage may vary. I share this as I see these issues crop up again and again in my practice, and they’re issues you may wish to discuss with your lawyer(s) as you prepare to take the plunge.

On the eve of a raft of spot Bitcoin ETF approvals and what appears to many to be the dawn of a new crypto bull market, young entrepreneurs without access to large GPU clusters will doubtlessly begin to consider, after a year flirting with generative A.I., whether cryptocurrency is a worthy subject of their attention once again. 

The answer to that question is: of course it is! Cryptocurrency is the future of money and it is still very, very early days. Before taking the plunge, however, know that many entrepreneurs have done so before you, myself included. Below are a number of perennial issues which crop up with new crypto founders, who in their haste to get ahead of the bull sometimes forget to cover the basics.  

  1. Did I get the basic documents right, and did I get them in writing?

The absolute most important thing is to make sure that all commercial understandings between you, your co-founders, and your employees are agreed in writing. If I had a Bitcoin for the number of times I’ve had to fix a problem based on arrangements that started with a handshake and a smile and later went sour, I would be sipping margaritas on a beach in Tahiti instead of working as a partner in a law firm. 

All matters pertaining to equity and salary compensation, shareholder rights, token grants, and code ownership should be agreed before anyone starts working at the company or joins its cap table. If you don’t have a signed contract, you don’t have a deal, and that’s how fights start. Nobody should start at the company until everything is agreed in writing and that writing is signed and dated by all parties. 

Don’t put it off, don’t leave it till the last minute, don’t agree that you’ll fix it later. Do it now.

And for the love of God, don’t give your Day 1 cofounders equity that isn’t subject to a vesting agreement.

  2. Is my idea regulated, and if so, where and how?

“Do you want to run a software services company or a financial services company?” There is a difference, and this is the first question I normally ask a new founder looking for guidance. Unlike, say, 2014 or 2017, there are well-defined rulebooks for crypto this cycle, and there are regulators who are fully geared up to enforce them. As such, complying with those rulebooks – rather than “seeking forgiveness and not permission” – is likely a sounder growth strategy in this cycle than it might have been in previous ones.

Crypto is mature enough as an asset class that many jurisdictions, such as the E.U., United Kingdom, and multiple U.S. states including New York, California, Vermont, and Wyoming, have crypto-specific legal rulebooks. If the U.S. isn’t the right jurisdiction to operate your business, you might be able to incorporate a subsidiary in a country that is. 

Other governmental entities lacking fit-for-purpose cryptolaw, such as the U.S. federal government, have nonetheless published years’ worth of guidance and enforcement precedent – particularly in the money transmission and securities law arenas – which new companies should consider when deciding what kind of business they’re planning to offer and how they’re going to offer it.

  3. Is avoiding the U.S. going to create wacky tax consequences?

One consequence of recent U.S. enforcement action has been U.S. developers seeking friendlier climes offshore, particularly in the British Virgin Islands or the Cayman Islands. 

This strategy is imperfect; first, if you break U.S. law from overseas, and you’re a U.S. person, you are what we in the legal industry would refer to as “being easy to get hold of” from a regulator’s point of view. Second, owning shares in offshore firms creates tax reporting requirements for you and the firm, and possible tax liability for you. Just because your technical cofounder in Mauritius thinks that a Cayman incorporation works for him, which it might, doesn’t mean it is going to work for you or the business. 

Same thing goes for complex structures involving multiple companies in multiple jurisdictions: on Day 1, unless there are very compelling tax reasons to do otherwise, you should have one company, and that company should generally be incorporated and have its headquarters in the country where the management resides, can physically present themselves to the company’s bank, and can receive mail. 

  4. Does decentralized tech require a decentralized team?

Many cryptocurrency companies have chosen to eat their own dog food, so to speak, by adopting decentralized management and operational structures to match the globe-spanning consensus technologies with which they work. 

While admirable, operating a “decentralized team” can also be a complete pain in the neck, particularly for early-stage businesses with tight budgets. Generally speaking, payroll and tax filing complications and the associated expense rise sharply as you add employees and operations in new jurisdictions, not only across state borders but especially across international ones. Sometimes teams choose to apply a bandage to these problems by hiring full-time employees as independent contractors. This can work, for a time, but if the jurisdiction on the other side decides at a later date that your “contractors” were actually “employees,” getting back into compliance with the tax authorities can be expensive and painful.

Team communication is also more difficult, particularly where communications are asynchronous. Choosing to spread out your team might help you get good talent. Bringing your team to you might help you utilize that talent better and at a lower cost. 

  5. Have I done something weird and unconventional that is going to make the company unfriendly to U.S. investors?

Although this is less true now than it was in the past, as a general rule, U.S. venture funds are set up to invest in U.S. companies, and by “U.S. companies” we really mean “Delaware corporations.” Most startup charters and investment documents are drafted to deal with Delaware law, and setting up in another jurisdiction or using another entity, such as a Wyoming DAO LLC, can have unexpected complications. Wyoming, for example, has been desperate to attract new corporations. This causes problems when a founder sets up there and later discovers that Wyoming LLCs include a default statutory obligation to refrain from competing with the company, which causes obvious problems when co-founders break up.

Similarly, other weird things one sometimes sees in crypto are things like pseudonymous co-founders, weird community ownership DAO structures, decentralized management, etc. While of course I can appreciate novel experiments using cryptography to create new forms of governance, if you want an easier path to a SAFE or a term sheet, stick with a Delaware corporation.

Section 230A: The Freedom for AI Innovation and Research Use Act (the “FAIR Use Act”)

https://prestonbyrne.com/2023/12/31/section-230a-the-freedom-for-ai-innovation-and-research-use-act-the-fair-use-act/

This is bullshit:

This should be our response:

47 U.S.C. § 230A

A. Findings.

This Congress finds the following:

  1. The rapidly developing array of artificial intelligence services available to individual Americans represents today, much as the developing array of Internet services thirty years ago, an extraordinary advance in the productive capacity and availability of educational and informational resources to our citizens.
  2. AI offers the chance for individual self-fulfillment. Like the Internet, the flourishing of A.I. services will benefit all Americans with the minimum of government regulation.

B. Policy.

  1. It is the policy of the United States to permit, promote, and encourage the development of AI Models to the maximum possible extent, with a view towards the United States becoming the unchallenged artificial intelligence leader in the world. Achieving this requires that artificial intelligence be unhindered by Federal, State, or foreign regulation, or by copyright infringement lawsuits on the training data which will drive this engine of economic development.

C. Protection for use of copyrighted material as training data.

  1. Use by any developer, provider, or user of any copyrighted work as part of programming, training, interacting with, republishing, or otherwise using the output of an AI Model which has been trained on a copyrighted work, where that model or associated databases do not store a substantially complete copy of the copyrighted work, shall be “fair use” for the purposes of 17 U.S.C. § 107.

D. Protection for AI Model providers.

  1. No provider or user of an AI Model shall be treated as the publisher or speaker of any output of any AI Model resulting from a prompt provided by another information content provider.
  2. “Information content provider” has the meaning given to it in 47 USC § 230(f)(3).
  3. “AI Model” means any service or system which provides or enables access to an artificial intelligence model by users or computers, whether by running the model locally or accessing the model remotely via a computer server.

There is no such thing as a crypto-asset security

https://prestonbyrne.com/2023/12/22/there-is-no-such-thing-as-a-crypto-asset-security/

Today the SEC announced an enforcement against the very rustically-named BarnBridge DAO. In its announcement, it said:

The Securities and Exchange Commission today announced that BarnBridge DAO, a purportedly decentralized autonomous organization, and its two founders, Tyler Ward and Troy Murray, will pay more than $1.7 million to settle charges that they failed to register BarnBridge’s offer and sale of structured crypto asset securities known as SMART Yield bonds. The Commission also charged the respondents with violations stemming from operating BarnBridge’s SMART Yield pools as unregistered investment companies. To settle the SEC’s charges, BarnBridge agreed to disgorge nearly $1.5 million of proceeds from the sales, and Ward and Murray each agreed to pay $125,000 civil penalties.

This echoes written remarks by crypto industry bête noire and U.S. Securities and Exchange Commission Chair Gary Gensler last week, denying Coinbase’s request for rulemaking, stating that

“as the marketplace for crypto asset securities develops, Commission staff continue to engage with crypto asset market participants, including by providing staff guidance regarding crypto asset securities and non-security crypto assets.”

“Crypto asset security” is not a term which has legal meaning. It is a term invented by the SEC to cover its ass for its aggressive enforcement in the crypto space commencing in 2021, a full twelve years after the crypto space began, and continuing to the present day.

Some backstory is warranted. During the height of the 2017-18 ICO boom, after the DAO Report and before the first enforcement actions, the question of whether, when, and how the United States would seek to enforce its securities laws in the cryptocurrency space remained, for the most part, theoretical. Among practicing attorneys, there were two camps. It was the author’s observation that attorneys over the age of 40, or not directly in the employ of cryptocurrency companies, tended to adopt the view that cryptocoin ICOs were “investment contracts” per Howey and, accordingly, that consequences for issuing those tokens without a registration statement being in effect, or listing those tokens on crypto exchanges, should follow. This view was reinforced by the pronouncements of then-SEC Chair Jay Clayton, who claimed in Senate hearings and television appearances that “every ICO [he’d] seen”[1] was a security. Clayton’s earlier remarks were recently echoed by SEC Chair Gensler, who quipped that while “Congress could have said in 1933 or 1934 that securities laws applied only to stocks and bonds… Congress included a long list of 30-plus items in the definition of a security, including the term ‘investment contract’… These laws have been on the books for decades.”[2]

In the other camp, a number of law firms publicly advanced the theory, often in law review-length papers, that cryptocurrency tokens on completed networks should be treated as consumptive and thus not satisfying the “expectations of profits” limb of the Howey test, per precedents such as Forman.[3] This view was, confusingly, reinforced by a speech by then-Director of the Corporation Finance Division of the SEC Bill Hinman in May of 2018, which has come to be known by practitioners simply as the “Hinman Speech.” During this speech, Hinman further confused the matter by pronouncing, sans precedent, that “[i]f the network on which the token or coin is to function is sufficiently decentralized – where purchasers could no longer reasonably expect a person or group to carry out essential managerial or entrepreneurial efforts – the assets may not represent an investment contract.”[4]

Legally, and retrospectively, it seems likely the “utility coin” argument was wrong and the “it’s a security under Howey” argument was right. Prospectively, the question we should be interested in is whether the legal situation in the U.S. ought to be the case. This is particularly so given that other countries like the United Kingdom have charted a different regulatory approach than the United States which lets the spot crypto markets exist as long as there’s a modicum of consumer protection and AML/CTF regulations are complied with (i.e. the position the United States took w/r/t its exchanges prior to 2023).

In my opinion, the legal case for regulating cryptoassets separately from investment contracts is about to get considerably stronger due to rapid technological change. As I wrote a few weeks ago in my post about my crypto-AI thesis, crypto might have looked like an investment security in 2009 or 2014 because it lacked product-market fit. Going forward, as we see an increase in AI-generated content and the need for cryptographically secure authentication and proof-of-human increases, it is likely that cryptocurrency will play an important role in these authentication systems – as, at least as far as we know, bruteforcing a private key is not a power that an AI is going to have for the foreseeable future.

The U.S. Congress is so dysfunctional that to say the U.S. crypto industry has a long road ahead of it to get the Securities Act of 1933 would be a monumental understatement. Tons of work needs to be done, both from a PR perspective and a user friendliness perspective, to change the public perception of crypto as a zany version of the Pink Sheets for nerds into a necessary part of living in a digital world.

Today’s lesson is that the use of language is an important part of crafting that public perception. Every time we adopt the SEC’s “crypto asset securities” terminology, we are acknowledging the correctness and the appropriateness of a 90-year-old regulatory scheme for paper investments from the era of telegrams and Morse code for distributed cryptosystems that settle transactions worth billions, from opposite sides of the world, in a fraction of a second, from a handheld phone.

There is no such thing as a “crypto-asset security.” There are cryptoassets, and there are securities. Countries like the United Kingdom can tell the difference between them. Why can’t ours?


[1] Stan Higgins, SEC Chief Clayton: “Every ICO I’ve Seen Is a Security” (February 6, 2018), CoinDesk, https://www.coindesk.com/markets/2018/02/06/sec-chief-clayton-every-ico-ive-seen-is-a-security/

[2] Gary Gensler, Chair, Testimony of Chair Gary Gensler, Before the United States House of Representatives Committee on Financial Services, Sept. 27, 2023.

[3] United Housing Foundation v. Forman, 421 U.S. 837, 854-55.

[4] William Hinman, Digital Asset Transactions: When Howey Met Gary (Plastic) (Speech, June 14, 2018), https://www.sec.gov/news/speech/speech-hinman-061418

In DeFi, code is not law; code is a source of law

https://prestonbyrne.com/2023/12/03/code-is-not-law-code-is-a-source-of-law/

Fellow member of the crypto bar, Gabe Shapiro, writes:

“Code is law” is one of those annoying phrases which is repeated a lot by folks in cryptoland who don’t actually know where it comes from or approach the issue without nuance. The phrase originates from Larry Lessig’s 2000 article of the same name and his later book Code and Other Laws of Cyberspace. In that essay, Lessig wrote:

Ours is the age of cyberspace. It, too, has a regulator. This regulator, too, threatens liberty. But so obsessed are we with the idea that liberty means “freedom from government” that we don’t even see the regulation in this new space. We therefore don’t see the threat to liberty that this regulation presents.

This regulator is code–the software and hardware that make cyberspace as it is. This code, or architecture, sets the terms on which life in cyberspace is experienced. It determines how easy it is to protect privacy, or how easy it is to censor speech. It determines whether access to information is general or whether information is zoned. It affects who sees what, or what is monitored. In a host of ways that one cannot begin to see unless one begins to understand the nature of this code, the code of cyberspace regulates.

Lessig did not, by this, mean blockchain code. Bitcoin would not happen for another nine years and although essays such as Nick Szabo’s Formalizing and Securing Relationships on Public Networks pre-dated Lessig, Szaboian smart contracts would be relatively obscure for at least another decade and a half.

What is law?

The answer to this depends on who you ask. I am a strictly amateur jurisprudence scholar as I have to earn my bread by drafting technology contracts, but I have read a thing or two and accordingly have some basic thoughts on this subject which might be of interest at a dinner party if not an academic journal.

Two of the better modern theorists on the subject are H.L.A. Hart and Hans Kelsen, neither of whose works are widely taught in American law schools. Others, like Dworkin, have theories based in the legitimate use of force; for reasons that will be made clearer, those arguments are not relevant for crypto, and may even be rendered irrelevant by it, mainly because the amount of force required to stop it is greater than any state is individually able to presently marshal.

Hart’s theory was that there was a hypothetical rule, which he referred to as a “rule of recognition,” against which all other rules may be judged as being of binding legal authority or not. It might better be termed “you know sovereignty when you see it;” ask any practicing lawyer whether an order or edict is of a binding and legal character and they will be able to answer in the affirmative or the negative. Asking them why the rule is binding and what it has in common with all other rules can be somewhat more complicated, particularly in a multiple-sovereignty federal system. In the U.S. system we might say “actions which are unconstitutional are not legal; actions which are constitutional,” by which we mean anything which is carried out lawfully by any government entity under the Constitution, “are legal.”

But who made the Constitution legal? Hans Kelsen argued that it was something called the grundnorm, or basic norm, which is valid “because it is presupposed to be valid; and it is presupposed to be valid because without this presupposition no human act could be interpreted as a legal, especially as a norm-creating, act.” In essence, the grundnorm serves as a rational definition for what previous centuries may have referred to as the “Mandate of Heaven” or “Divine Right of Kings;” it is the ultimate ought.

But these theories, as all theories in social science which can be comprehended by that which is observed, are necessarily and permanently incomplete. Recognizing this, a relatively obscure scholar in London, Dr. Werner Menski of the School of Oriental and African Studies, argues that both norms and rules are insufficient; by reference to legal systems of Asia and Africa which incorporate a range of quasi-legal or (what we in the West would recognize as) nonlegal rules in customary law traditions without formal courts or in some cases, even the monopoly on the use of force, he argues that humans nonetheless continue to order their affairs in a fashion which serves the function of what we would call a legal system. Menski’s argument is that “law” is in fact a hybrid construction made up of a variety of non-legal sources, and that the interaction of those sources results in something that analysts starting from scratch view as abstract “rules of recognition,” principles on the application of force, or amorphous and unknowable basic norms.

…and code is not that

The most annoying thing about Lessig’s thesis and the subsequent parroting of it by everyone else on the Internet is that, despite being a comparative amateur in jurisprudence, I deal with web applications on the daily and it’s abundantly clear to me that the code that runs the Internet is very clearly not legal in nature. Rather, it lives in and is subordinate to the legal system, especially in cases where the legal system can get ahold of the person running that code (and it very nearly always can, no matter how big the target might be).

What Lessig referred to as “law” was in fact the non-appealable realm of discretion that hosts of internet applications (and, at that time, particularly, web applications) exercised over their servers, something that internet applications do in accordance with law rather than as lawmaker. This fact has been borne out again and again in the intervening decades since he coined the phrase, all the more so as the governments of the world begin to exercise increasing legal control over the Internet space. This is true not only for places like Europe where European social media laws, in particular the German NetzDG and the EU-wide Digital Services Act and GDPR, intervene heavily in the type of content platforms may host and the obligations they assume for hosting it, but also in the United States, where the Constitution and Section 230 – legal arrangements, to be sure – delineate clear private property and free speech interests over code (see: Bernstein v. United States), servers and their operation. Keep an eye on NetChoice v. Paxton for the next big installment in the U.S.

The impact that the exercise of private discretion on private servers can have on the Internet as a whole can be compared to legal systems like the First Amendment – and indeed that’s one of the issues in NetChoice. Does this render such internet systems and their moderation policies “law,” though?

Not really, at least in any sense that a lawyer would recognize. Let us use an example of my front yard instead of a server. Let us suppose it is a beautiful and breezy Connecticut summer day and I am out in my yard grilling steak, photosynthesizing, and avoiding seed oils with my fellow crypto people. Out of nowhere, a trespasser – let’s say it’s Richard Heart, for sake of argument and to add color to the example – decides to enter my yard and join the party, where he is unwelcome.

At that point, in the state of Connecticut I have a number of options. After notifying him that he needed to leave I could attempt to use reasonable force, but not more than that, to eject the trespasser. I could call the police. If he asserted a claim to my lawn I would be able to refute that claim, and procure his ejection, by reference to land records held at the town hall.

Suppose I decide to call the police, who charge him with third degree criminal trespass and remove him from my property, and obtain a bail order of protection barring him from being on my property or within 100 feet of me for the duration of the proceedings (a not atypical consequence). It could certainly be said that my actions were legal. But taking actions in accordance with the law, or informed by the law, does not make those actions, or those courses of action, also law. The law in question is C.G.S. 53a-109.

Let us now run a second hypothetical, where I am running servers – marmot-talk.net, the discussion forum for marmots in crypto – and Richard Heart swans into my servers looking to promote his cryptocurrency Hex. Here, I can be a little more aggressive than the trespassing example; the First Amendment treats my server not like my front yard, but like a printing press. Not only can I do anything up to and including a permanent banhammer from the server, but on account of federal law I have broad civil immunity for doing so. Here, the law in question is the First Amendment and 47 USC § 230(c)(2); but just as ejecting Heart from my lawn was legal, but not law, so too is the ejection of Heart from my servers.

In the traditional, Web2 context, code is not law. Code is a rulebook, to be sure, one which can be tuned to any use-case and agenda. But that does not make it law.

Updating Menski’s taxonomy for the new example of DeFi

Before going any further we need to define DeFi. Assume arguendo the following definition: “DeFi is an ecosystem of applications and users designed to mediate transactions and communications, where the applications run on blockchain networks which are resilient to destruction and largely immune to judicial control otherwise than by obtaining control over users and their private keys.”

Let us update Menski’s Triangle as follows, either as “Menski’s Digital Triangle” or, though I am loath to describe it with my own name, as I have not seen this put down anywhere else, “Byrne’s Square.”

I do not think it would be appropriate to speak of a smart contract as constituting a law unto itself. We know that legal systems require something approximating sovereignty or a rule of recognition, as Hart required; they usually require some general normative presupposition of legitimacy at the base of the system, as Kelsen supposed; and they require, more often than not, a monopoly on the use of force, as Dworkin suggested.

Menski’s model seems the appropriate one to apply here, as it is open-ended and can account for new systems like smart contracts – and artificial intelligence, as long as we’re on the subject of evolving topics in Internet law – in its conception of a legal system. The pluralist model is accretive; when a new piece is dumped into its stew it does not throw away prior assumptions and, in platonic fashion, assume that we simply were talking about the wrong abstract essence and that through discovery and academic publication we will find a new one. Instead it assumes that the new inputs – the “bits” – will have a relationship to everything else in the system.

In the legal pluralist’s conception of the world, when code is everywhere, the law of code is everywhere, too. That does not render the code law, but one of its myriad sources, in relation to which different communities will enact different rules that are legal in nature. The immutable character of the code is a consideration that will determine the outcome of the proceeding – not the law itself, but its source. What in the United States is a felony is, apparently, excusable white-hattery in France. DeFi, and “bits” more generally, are facts of life.

And, speaking as one who has been in crypto for over ten years, it is absolutely marvelous to see the legal system starting to evolve to accommodate our reality rather than the other way around.

To beat U.S. regulators, DeFi needs to design itself in accordance with the First Amendment

https://prestonbyrne.com/2023/11/15/to-beat-u-s-regulators-defi-needs-to-design-itself-in-accordance-with-the-first-amendment/

The best thing about America is freedom of speech. I mean this with the utmost seriousness. Having lived in England for 15 years, I have seen the alternative, where making true statements of fact (Campbell v Mirror Group Newspapers, YMA v PJS), right wing rhetoric, left wing rhetoric, protesting, praying silently, and various other types of religious, political, or philosophical expression lead not only to ostracism if said in the wrong place or setting (as is common in America) but also can lead to arrest (which is extremely uncommon, and largely unconstitutional, in America). Indeed, a story from 2015 in the Telegraph indicated that five Internet trolls were being convicted every single day in England and Wales – for Internet trolling. Think about that for a minute.

The differences between the American and English systems are, of course, deliberate; the First Amendment was, in the words of 20th century American legal scholar Zechariah Chafee, designed to “make further prosecutions for criticism of the government, without any incitement to law-breaking, forever impossible in the United States of America.”

Without going into too much background as this is a post about crypto and not English free speech rules, in England back in the day, as now, the expression of a true statement of fact is not necessarily protected by law simply because the fact is true. Back in the 1700s, for example, a number of delicts punished the sort of speech which we see on Twitter daily and, at least for the members of the crypto bar I know, post daily. These include seditious libel, being speech which was either true or false but tended to give rise to disaffection among the public against the King and his ministers, and scandalum magnatum, a “fake news” law where slandering a great man of the realm was not only punishable as a tort but also as a misdemeanor. (If the U.S. crypto bar teleported back to 1693 England, we’d be in a lot of trouble on a pretty regular basis.)

If the government was really unhappy with you, they would simply take the fact pattern for seditious libel and charge you with treason; see e.g. the case of printer William Anderton from 1693; Anderton was charged with High Treason “for that he did Compose, Print, and Publish Two Malicious and Treasonable Libels” including one titled “A French Conquest neither desirable nor practicable,” and in which was contained “the Rankest, Vilest, and most malicious Treasons that ever could be Imagined by any man to be put in Paper.” Anderton was, subsequently, executed at Tyburn; his confederates, however, being charged with merely seditious libel, were allowed to keep their lives.

This was the background of the First Amendment, which states in relevant part that “Congress shall make no law… abridging the freedom of speech, or of the press[.]” Importantly, and unlike British courts which have for decades consistently failed to uphold the legal obligation to preserve free speech contained in the UK Human Rights Act, American courts guard speech jealously, and as new forms of speech emerge, the courts, generally quite rapidly, move to protect these new forms of expression from state control.

This includes software and, notably, cryptography. See e.g. Bernstein v. United States. That includes the software you write. Just because you write software, however, doesn’t mean that all of your business activities carried on subsequently are also protected speech – see e.g. the somewhat silly free speech kerfuffle around Tornado Cash, a business in all but name that happened to have a smart contract at its core. There is a difference, a big one, between using software in a (regulated) business and publishing software as a form of (unregulated) creative expression.

Ever since Opyn, 0x, and Deridex got dinged by the CFTC for failing to register as Futures Commission Merchants, Designated Contract Markets or Swap Execution Facilities, respectively, I’ve had a couple of calls or podcasts a week with friends and clients alike wondering how, exactly, to adapt.

I think the answer is simple: First Amendment that shit, redesign how we make DeFi applications and get not most of the centralization out of the picture, but all of it. This requires complete separation of transaction execution and data provision, with the transaction execution needing to happen entirely on-chain and client-side, and the data provision needing to come from a third party service like a blockchain explorer which plays no role in transaction execution and has no connection to the wallet running in the client.

I talked about this with a space full of Chia folks a couple of weeks ago; a recording of that is below. Summing up that conversation for this blog post, DeFi’s current vulnerabilities arise from the fact that data and transaction execution are carried out by centralized facilities of some kind, usually in the form of a hosted user interface which users interact with in order to utilize the functionality of an AMM.

The UI – the centralized server – is what must disappear from all AMMs, following the “Space Marmot Test” I describe in the below scenario. DeFi businesses must cluster into two different types: (a) FOSS developers of DeFi software which runs entirely client-side, and (b) public data sources which those DeFi apps can hit.

The law is a moving target, and much depends on the product your app aims at facilitating transactions in and on whether you as a market participant might also be regulated. Still, in terms of coming up with software, protocols, and ways of doing business that are likely to survive regulatory attack, you can’t do much better than running a business which is engaged in First Amendment protected expression.

What that looks like in terms of a finished software product utilizing distributed cryptosystems, I leave to brighter minds than my own. What I do know is that we can decentralize all the things – for real this time – and, if we do, our ecosystem will be much harder to kill.

What are we waiting for?

My thesis: AI is digital abundance, crypto is digital scarcity, and the world needs both

https://prestonbyrne.com/2023/11/14/my-thesis-ai-is-digital-abundance-crypto-is-digital-scarcity-and-the-world-needs-both/

As the next crypto bull market appears to be gathering steam, I am occasionally asked what my long-term thesis on crypto is, and how that thesis has changed since 2014. This is, in a sense, part of the job of being a crypto-lawyer; where traders are tasked with predicting the future of prices, our role as legal advisors is to try to predict the future of rules, and guide clients who are trying to pick between this jurisdiction and that one for their new businesses. Having a thesis is table stakes.

One common, and incorrect, refrain I often hear – several times a week – is that you can’t found a crypto company in the U.S. and that you should instead set up as a BVI or Cayman foundation or something like that. This is not, generally speaking, correct. US laws around securities and commodities are rather agnostic as to where you set up a corporation; what they care about is where your users are and the locations of the subject matter of the transactions your startup might facilitate.

Of course, American regulators are hostile to crypto, which discourages American entrepreneurs from setting up shop here and is literally driving perfectly good jobs and innovation out of the country even though there’s not a compelling legal reason to do so. (American companies don’t have to service American users if they KYC, which would permit them to be compliant with American rules around e.g. securities issuances – see literally any Reg S offering undertaken by an American company.) This much is known to anyone. The tougher questions are (1) why they’re hostile, and (2) whether they’ll continue to be hostile in the future.

The answer to (1) is easy; a bunch of boomer Marxists who don’t understand technology are currently dominant in the universities and the civil service.

The answer to (2) is rather more difficult. My thesis is that AI is going to demonstrate crypto’s necessity and drive adoption as quickly as AI proliferates.

Critics frequently harp on the fact that cryptocurrency does not yet have product-market fit, and/or that the Securities Act of 1933 is the right long-term regulatory regime for the asset class. In 2014 this view, which I also held at that time, was correct. Today, if we assume the world will cease to exist tomorrow, it is probably also correct.

To the extent those critics are currently right based on present technology levels, it is unlikely that they will be right for much longer. Artificial intelligence is the reason why.

If it were true that in 2009 nobody needed the double-spending problem fixed, or that in 2014 nobody needed cryptographically secure state machines with money to execute contractual obligations, or that today nobody needs their transactions encrypted and hidden from AI-powered surveillance bots run by criminals or foreign threat actors, by 2029, it is entirely possible, even probable, that everyone will. These are functions that no stock, nor bond, nor evidence of indebtedness, nor any investment contract has ever performed, but are ones at which cryptocurrencies of various kinds routinely excel.

We are already at a point where machines and software are so advanced, so capable of portraying human voices, faces, and emotions, that, among other things, soon we will not even be able to trust our eyes when having video calls with our own loved ones or speeches from our leaders, due to so-called “deepfakes.” This is a world where authentication, metering interaction with irrevocable digital cash (a la charging for receipt of e-mail like Balajis’ startup 21 tried five years ago), “proof of human,” and, in particular, strong cryptography, will become exceedingly important.

We will soon be inundated with an army of infinite generative AI models trying to wend their way into our inboxes, our feeds, our head-space. Proving who the humans are and only letting them through if they prove they’re human – or pay a price – is the only way we’ll be able to filter the spam.

So that’s my thesis. Crypto didn’t have product-market fit in the past because the technology for which cryptocurrency was actually built, practical AI, didn’t exist until this year. And the more AI the world has, the more crypto it will need to keep it at bay and put a price on the most valuable and rare resource of all: our time.

Image credit Patrick Blumenthal.

The “AI Misinformation” problem can be completely solved by cryptocurrency

https://prestonbyrne.com/2023/11/01/the-ai-misinformation-problem-can-be-completely-solved-by-cryptocurrency/

I was on the Tweets Xeets this morning when I stumbled across this video of our stunning, brave, and illustrious Vice-President calling out “misinformation” enabled by artificial intelligence: This comes on the heels of an AI-based executive order essentially requiring big compute clusters to register with the government, which my friend and colleague Dr. Matthew…

IJBL Article: UK Rules, While Strict, Nonetheless Avoid America’s Securitarian Trap

https://prestonbyrne.com/2023/10/18/ijbl-article-uk-rules-while-strict-nonetheless-avoid-americas-securitarian-trap/

Volume VII of the International Journal of Blockchain Law (IJBL) is now live, and an article I wrote is in it!

The IJBL is published by the Global Blockchain Business Council (GBBC). It is written and edited by lawyers, and designed to help interested business and non-legal communities better understand the regulatory world of blockchain and digital assets.

Volume VII explores the evolution of the UK’s pioneering cryptocurrency regulation since 2009, in which I argue that the UK is charting a more fruitful regulatory course than the United States. Other articles cover the Southern District of New York’s recent rulings around token issuances and sales, the General Division of the Singapore High Court’s stance on cryptocurrency in insolvency contexts, and an analysis of the International Organization of Securities Commissions (IOSCO)’s DeFi Consultation Report.

Check it out for free here: https://gbbcouncil.org/initiatives/international-journal-blockchain-law/

How to handle unlawful or undesirable content in your blockchain application

https://prestonbyrne.com/2023/10/17/how-to-handle-unlawful-or-undesirable-content-in-your-blockchain-application/

This is the longer version of a shorter note posted on Brown Rudnick’s website.

Most consumer Internet businesses, including Web3 businesses, are, at their core, publishing businesses. Some publishing businesses are like the New York Times which commission, post, and host content which they have created themselves. Most Internet businesses, however, ingest content originating from somewhere, or more often someone, else, such as user-generated content like marketplace listings, social media posts and videos, or blockchain transaction data, and republish it under their own domains under license. 

With success come legal issues, and principal among these is “content moderation” or “trust and safety,” industry terms meaning “the censorship and removal of undesirable content.” Moderation takes place for a variety of reasons including user demands, advertiser demands, or government demands. What demands come to a business, and how businesses choose to respond to them, will vary widely from one platform to the next – one would not expect to encounter large volumes of hate speech on a marketplace or personals app, for example, nor would one usually expect to see personals ads on apps which focus on news.

As blockchain-based applications begin to move into areas formerly exclusively occupied by Web 2 – Friend.Tech, for example, trying to break into social media – the censorship question rears its ugly head in novel and vexing ways. This is because of a simple, but fundamental, way in which most blockchain databases differ from SQL-style databases used by existing Web 2 incumbents: most internet businesses don’t require agreement on permanent, uncensorable, and immutable global state, whereas blockchains do.  

Decentralized technologies like Bitcoin are designed to render censorship or deletion virtually impossible. How, then, do you address the need for censorship and deletion on the one hand while integrating blockchain technology on the other? Particularly with something like, say, a decentralized version of Twitter, how do you square the fact that blockchains might be used with an objective of undermining censorship laws in repressive jurisdictions like Russia with the need to comply with the much more limited but nonetheless very binding censorship requirements in jurisdictions like England or the United States?

The answer will depend in large part on what the developer of the application is trying to design for. We must assume that a network which allows all lawful speech to be released to the world free from censorship will have the exact same design characteristics, in terms of censorship resistance against third parties, as one which allows all unlawful speech. Code doesn’t know the difference between these two categories, and in either case, one user should not be able, in a non-nerfed blockchain system, to shut down or censor any other user. 

Censorship resistance against third parties, however, does not require censorship resistance against oneself. Most of the time, blockchains are not used by themselves to host and serve an entire DeFi or Web 3 application. More often, they are linked to hosted user interfaces and third party datastores, whether something centralized like an S3 bucket on Amazon, or something decentralized like a content-addressable system such as BitTorrent or IPFS. (Blockchains hosting raw image or video data is exceedingly rare, and uneconomical, due to blocksize constraints and the existence of fee markets for large, in data terms, transactions.)

It is at these visual layers, rather than through running a full node and interacting with the chain in the command line, where most users experience blockchain tech. YouTube competitor LBRY, for example, offered an uncensorable blockchain which acted as a registry of sorts containing pointers to digital IDs and content, and a website, LBRY.com, which hosted and displayed content linked to those IDs. If a user chose to violate LBRY.com’s terms of service, the blockchain ID or URLs could be deindexed from the LBRY.com site on the surface web, rendering them inaccessible to anyone who either didn’t know where to look on the chain or wasn’t willing to run a node themselves or reimplement the LBRY.com application on their own – which practically nobody was. Other early storage systems like Sia bifurcated their protocols in two, splitting into a paid service (Sia Pro) and an unregulated, free service (Sia Sky) utilizing separate domains, with the paid service playing by the rules and the unregulated service remaining unregulated. Users chose the experience which made the most sense to them. 

Ultimately, the “decentralized” solutions we’ve seen to date tend to use blockchains to ensure only that text, links, and identity are uncensorable, with heavy penalties for putting plaintext on the chain and contributing to blockchain bloat. As a result, identity is usually the one thing app devs in the Web3 space will always delegate to the chain, with a variety of alternative approaches being available for texts and links. Video content and links are overwhelmingly hosted in the cloud, not on the chain, meaning that users who don’t want to see objectionable content on the chain should be able to deindex it either via block lists or blacklists.

At the end of the day, the most important thing to remember about the internet of publications integrating uncensorable blockchain technology is this: censorship against the world doesn’t mean censorship against yourself. Developers looking to address the content moderation problem in a blockchain-enabled application should therefore keep the following in mind:

  • Legal compliance to address the unlawful/undesirable content problem starts with application design. You only get the chance to hash a genesis block once, and remember that any changes you want to make to the protocol might require a hard fork at a later date. 
  • Users will expect and demand the ability to control their own experiences on the Internet. 
  • Because blockchains scale poorly, as a general rule app developers should ask the blockchain to handle the bare minimum content possible, ideally limiting themselves to IDs, “money” (i.e. the native cryptocurrency) and any smart contract transaction logic required to effectively use “money.” 
  • Content BLOBs will, in practically every case, be pushed out to the cloud, whether to third-party servers or self-hosted by posters; user interfaces should have the ability to deindex user IDs which violate their terms of service or the law. Storing raw user-generated content and metadata onchain – as a system like DeSo does – presents an enormous compliance problem for node operators as well as a bloat problem, and is best avoided.
  • The non-blockchain components of a blockchain-enhanced application will likely need to have a range of tools available to control the user experience. Site admins for a website which operates in tandem with the blockchain will need all of the usual tools to take down unlawful content and pull subscriber records in response to law enforcement queries like any other Web2 application.
  • Unless the blockchain component of a Web3 app is completely nerfed, users trading in objectionable speech in applications designed in the manner described above would still have the ability to talk to the blockchain, by running a node and communicating with the chain through the command line if not through hosted UIs. In transactions directly with the chain they should be able to verify their identities.
  • Ultimately, the (neoliberal big tech content moderator) maxim “freedom of speech is not freedom of reach” is instructive. Hosted UIs are regulated just like any other website and will need to be managed in a very conventional fashion. If a user’s speech is so objectionable that their blockchain ID is deindexed or blacklisted by the most popular user interfaces, if those controversial users want to be heard they will have to find someone willing to host them or, in extremis, they will have to host themselves.
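
The design in the list above, as an added sketch (not code from this post or from any project it names): a hash-linked registry holds only IDs and content pointers, blobs live off-chain, and the hosted UI deindexes an ID and takes down a blob without altering the registry. The class names, the toy chain format, the `blobs.example` URLs and the sample IDs are all assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64
FIELDS = ("user_id", "content_hash", "url", "prev")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    """Hash of the fields an entry commits to (canonical JSON)."""
    body = {k: entry[k] for k in FIELDS}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class Registry:
    """Toy append-only chain: stores IDs and content pointers, never content."""

    def __init__(self):
        self.entries = []

    def publish(self, user_id: str, content_hash: str, url: str) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"user_id": user_id, "content_hash": content_hash,
                 "url": url, "prev": prev}
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every link; any edited or removed entry breaks the chain."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or e["entry_hash"] != entry_digest(e):
                return False
            prev = e["entry_hash"]
        return True

    def lookup(self, user_id: str) -> list:
        """What someone running their own node sees; no UI filter applies."""
        return [e for e in self.entries if e["user_id"] == user_id]


class BlobStore:
    """Off-chain storage (cloud bucket or self-hosted); its operator can delete."""

    def __init__(self):
        self.blobs = {}

    def put(self, url: str, data: bytes) -> None:
        self.blobs[url] = data

    def get(self, url: str):
        return self.blobs.get(url)

    def take_down(self, url: str) -> None:
        self.blobs.pop(url, None)


class HostedUI:
    """The regulated website: it chooses what to index, not what is on chain."""

    def __init__(self, registry: Registry, store: BlobStore):
        self.registry, self.store = registry, store
        self.deindexed_ids = set()

    def deindex(self, user_id: str) -> None:
        self.deindexed_ids.add(user_id)

    def feed(self) -> list:
        shown = []
        for e in self.registry.entries:
            if e["user_id"] in self.deindexed_ids:
                continue  # ToS or legal takedown: hidden here, still on chain
            blob = self.store.get(e["url"])
            # Only display a blob that matches the hash committed on chain.
            if blob is None or sha256_hex(blob) != e["content_hash"]:
                continue
            shown.append((e["user_id"], blob.decode()))
        return shown


def demo() -> dict:
    registry, store = Registry(), BlobStore()
    ui = HostedUI(registry, store)
    posts = [("id-alice", b"hello world"),            # constructed sample data
             ("id-mallory", b"post that violates the ToS"),
             ("id-bob", b"marketplace listing")]
    for i, (uid, data) in enumerate(posts):
        url = f"https://blobs.example/{i}"
        store.put(url, data)
        registry.publish(uid, sha256_hex(data), url)
    before = ui.feed()
    ui.deindex("id-mallory")                      # UI-layer moderation
    store.take_down("https://blobs.example/1")    # conventional takedown
    after_deindex = ui.feed()
    on_chain = registry.lookup("id-mallory")      # registry entry is untouched
    chain_ok = registry.verify()
    store.put("https://blobs.example/2", b"swapped content")  # host alters blob
    after_swap = ui.feed()
    return {"before": before, "after_deindex": after_deindex,
            "on_chain": on_chain, "chain_ok": chain_ok, "after_swap": after_swap}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because the registry stores only a hash and a pointer, moderation and law-enforcement takedowns happen entirely in `HostedUI` and `BlobStore`, while a swapped blob is dropped from the feed because it no longer matches the committed hash.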

A short note on the absurd Stoner Cats settlement

https://prestonbyrne.com/2023/09/13/a-short-note-on-the-absurd-stoner-cats-settlement/

This blog post is a follow-up to my blog post Substance Over Form: A Short Note on the SEC’s First NFT Settlement regarding the Impact Theory project. I assume you have read that before you read this.

Stoner Cats is slightly different in that, with Impact Theory, the NFTs were essentially a security dressed up as an NFT, much in the way that a security can be instantiated as a certificate or by book-entry.

Stoner Cats was different in that the sale of the tokens

The SEC claims:

The purpose of the Stoner Cats NFT offering was to fund the production of an animated web series called Stoner Cats. SC2 told investors it would develop the Stoner Cats web series based upon the managerial and entrepreneurial efforts of SC2 and its agents. SC2 promised investors in the Stoner Cats NFTs exclusive access to the web series and an online community, as well as access to unspecified, future entertainment content. SC2 offered and sold the Stoner Cats NFTs as an investment into SC2’s efforts to create this content. SC2’s public communications tied the success of the show to the value of the NFTs and thus led investors reasonably to expect to profit from the managerial and entrepreneurial efforts of SC2.

Stoner Cats did this by selling merch from the series in NFT form.

Each Stoner Cats NFT was associated with a unique still image of one of the characters in the Stoner Cats web series, with different expressions, apparel, accessories, and backgrounds, resulting in a multitude of NFTs. Purchasers could not choose their NFT in the offering, but instead received a random allocation. Over 62% of the purchasers in the offering bought more than one Stoner Cats NFT. In addition, at least 20% of the Stoner Cats NFTs purchased in the offering were resold in the secondary market before the first episode of the Stoner Cats series aired, two days after the offering, and the majority of the NFTs purchased in the offering were resold in the secondary market before the release of the second episode on November 15, 2021.

So here’s what gets me about this. Buying film stills from a movie is a thing that happens. Below is a montage together with three cells from a theater which played the movie Pink Floyd: The Wall. The SEC appears to be saying that if you sell these stills before you produce a web series – say, by selling stills from the pilot – you’re now selling securities. If you sell them after you’re done making the series, as evidenced by the huge market for film stills which the SEC has never once intervened in, I suppose you’re not.

The SEC points out that “the show was largely incomplete at the time of the offering… [t]he final episode was not released for another fifteen months[.] SC2 sought to persuade investors that the show and the NFTs would be successful as a result of SC2’s entrepreneurial and managerial efforts.” Ok. Let’s accept this logic for a second and ask some further questions of the SEC.

When is a show “complete” and NFT sales of stills are therefore permitted? After the pilot? After the first season? Second season? First run? Spinoff? Sequel? When, exactly, is an artist allowed to sell an NFT representing a good which is already routinely sold as a collectible all over the Internet without it becoming a security?

Impact Theory was an obvious example of an entrepreneur trying to dress up an investment contract as an NFT. Stoner Cats is an example of the SEC trying to dress up a collectible as an investment contract.

Maybe the facts and circumstances of Stoner Cats really made this a project worth enforcing against. NFT projects will certainly have to spend more money on lawyers after this. NFT projects, going forward, will have to do extensive and expensive legal analyses and pre-publication reviews to try to avoid Stoner Cats’ fate in marketing these collectibles.

That said, this is truly a borderline case. The statement of facts in the SEC’s settlement – which the SEC was free to write by itself without any input from anyone else – isn’t even a slam dunk, and that’s after even the most cursory review. Does the SEC really have nothing better to do – for example, rulemaking to bring our crypto regs into the 21st century, or pursuing obvious frauds – than picking on a bunch of web cartoonists selling trading cards of film cells portraying cats?

Substance over form: a quick note on the SEC’s first NFT Settlement

https://prestonbyrne.com/2023/08/28/impactheory_settlement/

From ZachXBT this morning:

I cannot recall something which was labeled as an NFT being treated as a security by American regulators previously. According to the SEC, this case is the first. With that in mind, it’s important to revisit first principles on selling crypto-critters in the United States. One thing which I see a lot of, all the time, is when developers start out with something which is unregulated and gradually mission-creep their way into something regulated.

Given how powerful cryptocurrency tech is, these mistakes are shockingly easy to make. This is because cryptocurrency, particularly the smart contract variety, is capable of “captur[ing] unlimited richness in flows of actions and events; computer scientists might prefer to recognise this as a state machine with money.”

A state machine with money, of course, is capable of performing virtually any function normally performed by the financial technology stack because it automates and secures the “money” portion of it programmatically in a manner which in TradFi needs to be secured by a human authenticator. Ian Grigg’s essay Financial Cryptography in 7 Layers neatly disaggregates the wet-code concepts which are factored by a human authenticator which most crypto developers, frequently unknowingly, attempt to program into their smart contract applications, compressed into a single layer as they try to implement a particular specification.

“Legal,” of course, pervades all of these layers, and we get a chance to see projects as they evolve. To paraphrase Rousseau, “most crypto projects are born free, yet everywhere they are in chains.” Designing a basic protocol application and the act of hashing a proof-of-work genesis block is not, generally speaking, a regulated activity anywhere in the world. It is the stuff protocol engineers do afterwards in relation to that genesis event, incentives that they create to bring in new users – items 5-7 on the 7 layer framework – which, generally speaking, creates the liabilities.

So last week, for example, we saw the Tornado Cash indictment come down. There were howls of dissent from much of the crypto community over this due to the perception that the U.S. government was seeking to censor code and suppress open-source developers. Without prejudice to the constitutional presumption of innocence to which all criminal defendants are rightly entitled, having read the indictment, it seems that there was rather a lot of post-instantiation management of the Tornado Cash platform which, had I been one of the developers, I might have chosen to think better of and avoid. Leaving protocols published on GitHub without choosing to then embark on associated altcoin launches or management of the protocol as a going concern might be a recipe for protocol failure and obsolescence. It’s also a way to hew much more closely to the First Amendment and cases like Bernstein v. United States.

Similarly, one thing I see often enough, and increasingly in the wake of the Gensler SEC’s crackdown on more “traditional” ICO products, is the recharacterization of certain crypto-asset securities as “non fungible tokens” or NFTs. Impact Theory basically issued “NFTs” in three tranches:

In relation to which the SEC assessed as follows:

In advance of the offering, Impact Theory publicly stated that it would deliver “tremendous value” to KeyNFT purchasers. Impact Theory also stated that it would use the offering proceeds for “development,” “bringing on more team,” and “creating more projects.” Consistent with the foregoing, Impact Theory collected the proceeds from the KeyNFT sales in a single crypto asset wallet and used a portion of those proceeds to pay certain vendors providing services related to Impact Theory’s business.

It bears reminding that the Howey test “embodies a flexible, rather than static, principle” which is designed to look towards the substance of the transaction and not how it is labeled when determining whether something is or isn’t a security. The NFT space, which is relatively new, is no different – if a non-fungible token is sold in exchange for an investment of money in a common enterprise, with an expectation of profit arising from the efforts of a promoter or a third party, it is just as liable to be a security as a fungible token which is sold in the same manner and with the same expectations.

Mind you, Impact Theory seems, at least from the settlement, to have been very far on the wrong side of the line, a dissent from Commissioners Peirce and Uyeda notwithstanding – “It’s like investing 10k with a 300k upside, for a small risk,” went one statement from the Discord; “Everyone here is an early adopter! Buying a founders key is Like [sic] investing in Disney, Call of Duty, and YouTube all at once,” went another; “you are investing in [the Impact Theory] team and regarding this is an opportunity that has never been there its like handing $20 to Mark Zuckerberg in his dorm room,” went another – but the regulatory mistake is also one which could be fairly easily committed by inexperienced founders or otherwise legitimate projects who are stacking on additional functionality to please their users.

Just as an unstoppable blockchain app ignores the law, the unstoppable law ignores the blockchain. Labels and choice of data structures are part of the regulatory puzzle but are not dispositive. Substance is.

Infinitely expressive “state machines with money” tempt developers to build things that people will want to buy, and make it trivially easy to do so. But writing the code for the machine is one thing which happens fairly low down on the conceptual 7-layer stack; operating the machine as a going concern is quite another and lives at the top of the stack, where the laws are most active too. Understanding that different regulatory regimes apply to different layers is a basic prerequisite for giving good advice in this area. Just as a token labelled a “utility token” has been assessed as problematic by American regulators, so too can a token labelled a “non-fungible token,” even if the token is in fact non-fungible. Proceed accordingly.

Section 301: Crypto’s Section 230?

https://prestonbyrne.com/2023/07/20/section-301-cryptos-section-230/

Section 230(c)(1) of the Communications Decency Act is very short – 26 words in length in total. It states that “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”  

These words are deceptively simple but they form the backbone of the social Internet as we understand it today, because the words render platforms like Reddit, Facebook, and Twitter more or less absolutely immune for the content their users post. This allowed them to grow; speech otherwise comes with a lot of liability (infringement, defamation) and Section 230 and other provisions like the (much-reviled) immunity, notice and takedown regime under the DMCA for copyright infringement have resulted in an Internet which can develop unhindered by lawsuits and local rules in the fifty states which, otherwise, would have tied it down.  

For this reason, Jeff Kosseff called Section 230 “the twenty six words that created the Internet,” also the title of the book he wrote on the subject. The story behind Section 230 is convoluted and strange but suffice it to say, without the rule or something like it, the user-generated web would not be what it is today.  

We may now be approaching something like this with crypto with today’s release of the draft text of the Financial Innovation and Technology for the 21st Century Act (hereinafter the FIT Act; “FIT for the 21st Century”… see what they did there?) which proposes to amend the much-hated provisions of the Securities Act of 1933 and the Exchange Act of 1934 to regularize crypto business.

The bill is huge and there’s a lot to consider, so this post confines itself to Section 301 and Section 301 alone. Let’s dive in.

1) Section 301 basically Nukes Howey

Everyone knows what the Howey test is. “Investment contracts” are securities as defined in Section 2(a)(1) of the Securities Act. Howey defines what an “investment contract” is. The FIT Act removes crypto – properly, “digital commodities” (more on that later) – from the definition of an investment contract.

  Section 2(a)(1) of the Securities Act of 1933 currently reads:  

(1)The term “security” means any note, stock, treasury stock, security future, security-based swap, bond, debenture, evidence of indebtedness, certificate of interest or participation in any profit-sharing agreement, collateral-trust certificate, preorganization certificate or subscription, transferable share, investment contract, voting-trust certificate, certificate of deposit for a security, fractional undivided interest in oil, gas, or other mineral rights, any put, call, straddle, option, or privilege on any security, certificate of deposit, or group or index of securities (including any interest therein or based on the value thereof), or any put, call, straddle, option, or privilege entered into on a national securities exchange relating to foreign currency, or, in general, any interest or instrument commonly known as a “security”, or any certificate of interest or participation in, temporary or interim certificate for, receipt for, guarantee of, or warrant or right to subscribe to or purchase, any of the foregoing.  

Section 301 of the Bill amends this to read:  

The term “security” means any note, stock, treasury stock, security future, security-based swap, bond, debenture, evidence of indebtedness, certificate of interest or participation in any profit-sharing agreement, collateral-trust certificate, preorganization certificate or subscription, transferable share, investment contract, voting-trust certificate, certificate of deposit for a security, fractional undivided interest in oil, gas, or other mineral rights, any put, call, straddle, option, or privilege on any security, certificate of deposit, or group or index of securities (including any interest therein or based on the value thereof), or any put, call, straddle, option, or privilege entered into on a national securities exchange relating to foreign currency, or, in general, any interest or instrument commonly known as a “security”, or any certificate of interest or participation in, temporary or interim certificate for, receipt for, guarantee of, or warrant or right to subscribe to or purchase, any of the foregoing. The term does not include a digital commodity or a permitted payment stablecoin.

This change, if enacted, would be absolutely titanic. At the moment, the language “investment contract” covers virtually anything anyone can invest in. The Act proposes to remove “digital commodities” (more on that later) or “permitted payment stablecoins” (which I’m going to skip in this post for word count’s sake), and provides a pathway to determine with legal certainty whether an asset should be so categorized.

2) Section 301 also Neuters the Exchange Act vis a vis digital asset exchanges

  Section 3(a)(1) of the Exchange Act reads:  

(1)The term “exchange” means any organization, association, or group of persons, whether incorporated or unincorporated, which constitutes, maintains, or provides a market place or facilities for bringing together purchasers and sellers of securities or for otherwise performing with respect to securities the functions commonly performed by a stock exchange as that term is generally understood, and includes the market place and the market facilities maintained by such exchange.

The significance of this definition is that if you’re running an exchange that trades securities you need to be registered as a national securities exchange or operate something called an Alternative Trading System or ATS, neither of which is particularly easy to do (nor cheap) and both of which are really not fit for purpose for assets like Bitcoin which have no issuer.

The amendment proposes:  

The term “exchange” means any organization, association, or group of persons, whether incorporated or unincorporated, which constitutes, maintains, or provides a market place or facilities for bringing together purchasers and sellers of securities or for otherwise performing with respect to securities the functions commonly performed by a stock exchange as that term is generally understood, and includes the market place and the market facilities maintained by such exchange. The term ‘exchange’ does not include a digital asset trading system, blockchain protocol, or any person or group of persons solely because of their development of a blockchain protocol.

…followed by a number of consequential amendments to subsequent provisions of the Exchange Act which would honestly be a bit too long to reproduce in full here. The upshot of it is that if an asset is a digital commodity, venues that trade those assets will be outside of the Exchange Act regime. The Exchange Act has long been considered an inappropriate regime for the trading of cryptoassets. This bill takes “digital commodity” cryptoassets out of it.

3) Definitions introduced elsewhere in the bill provide Section 301 with a very precise way of defining a Digital Commodity

 Broadly speaking, the assets that are sought to be carved out of the regime are so-called “digital commodities.” What are those? Well, there’s a definition! And unlike previous, shoot-from-the-hip attempts from e.g. Bill Hinman to provide a shortform test for whether an asset

The FIT Act proposes the following:

‘Digital commodity’ means…  

(i) any unit of a digital asset held by a person, other than a digital asset issuer, a related person, or an affiliated person, before the first date on which each blockchain system to which the digital asset relates is a functional network and certified to be a decentralized network under section 44 of the Securities Exchange Act of 1934, that was—
  (I) issued to the person through an end user distribution described under section 42(d)(1) of the Securities Exchange Act of 1934; or
  (II) acquired by such person in a transaction that was executed on a digital commodity exchange; or

(ii) any unit of a digital asset held by a person, other than a digital asset issuer, a related person, or an affiliated person, after the first date on which each blockchain system to which the digital asset relates is a functional network and certified to be a decentralized network under section 44 of the Securities Exchange Act of 1934; and  

(iii) any unit of a digital asset held by a related person or an affiliated person during any period when any blockchain system to which the digital asset relates is a functional network and certified to be a decentralized network under section 44 of the Securities Exchange Act of 1934.   

So the network has to be functional and certified. How do we certify? Well, a new Section 44 of the Securities Act of 1933 exists for that! And it basically says that you publicly file a bunch of disclosure documents with the Commission and self-certify that your coin is “decentralized,” there’s a rebuttable presumption that you’re right, and if the Commission disagrees they can attempt to rebut that presumption within thirty days of filing.

SEC. 44. CERTIFICATION OF CERTAIN DIGITAL ASSETS.

‘‘(a) CERTIFICATION.—Any person may certify to the Securities and Exchange Commission that the blockchain system to which a digital asset relates is a decentralized network.   

‘‘(b) FILING REQUIREMENTS.—A certification described under subsection (a) shall be filed with the Commission, and include—
  ‘‘(1) information regarding the person making the certification;
  ‘‘(2) a description of the blockchain system and the digital asset which relates to such blockchain system, including—
    ‘‘(A) the operation of the blockchain system;
    ‘‘(B) the functionality of the related digital asset;
    ‘‘(C) any decentralized governance system which relates to the blockchain system; and
    ‘‘(D) the process to develop consensus or agreement within such decentralized governance system;
  ‘‘(3) a description of the development of the blockchain system and the digital asset which relates to the blockchain system, including –
    ‘‘(A) a history of the development of the blockchain system and the digital asset which relates to such blockchain system;
    ‘‘(B) a description of the issuance process for the digital asset which relates to the blockchain system;
    ‘‘(C) information identifying the digital asset issuer of the digital asset which relates to the blockchain system; and
    ‘‘(D) a list of any affiliated person related to the digital asset issuer;
  ‘‘(4) an analysis of the factors on which such person based the certification that the blockchain system is a decentralized network, including –
    ‘‘(A) an explanation of the protections and prohibitions available during the previous 12 months against any one person being able to
      ‘‘(i) control or materially alter the blockchain system;
      ‘‘(ii) exclude any other person from using or participating on the blockchain system; and
      ‘‘(iii) exclude any other person from participating in a decentralized governance system;
    ‘‘(B) information regarding the beneficial ownership of the digital asset which relates to such blockchain system and any the distribution of voting power in any decentralized governance system during the previous months;
    ‘‘(C) information regarding the history of upgrades to the source code for such blockchain system during the previous 3 months, including
      ‘‘(i) a description of any consensus or agreement process utilized to process or approve changes to the source code;
      ‘‘(ii) a list of any material changes to the source code, the purpose and effect of the changes, and the contributor of the changes, if known; and
      ‘‘(iii) any changes to the source code made by the digital asset issuer, a related person, or an affiliated person;
    ‘‘(D) information regarding any activities conducted to market the digital asset which relates to the blockchain system during the previous 3 months by the digital asset issuer or an affiliated person of the digital asset issuer; and
    ‘‘(E) information regarding any issuance of a unit of the digital asset which relates to such blockchain system during the previous 12 months;
  ‘‘(5) with respect to a blockchain system for which a certification has previously been rebutted or withdrawn under this section, specific information relating to the analysis provided in subsection (f)(2) or (g)(3), as applicable, in connection with such rebuttal or withdrawal.

‘‘(c) REBUTTABLE PRESUMPTION.—The Commission may rebut a certification described under subsection (a)  with respect to a blockchain system if the Commission, within 30 days of receiving such certification, determines that the blockchain system is not a decentralized network.   

OK, so what’s a “decentralized network” then? Right up on Page 6 of the bill, some new amendments to the 1933 Act are proposed:  

The term ‘decentralized network’ means the following conditions are met:   

(A) During the previous 12-month period, no person
  (i) had the unilateral authority, directly or indirectly, through any contract, arrangement, understanding, relationship, or otherwise, to control or materially alter the functionality or operation of the blockchain system; or
  (ii) had the unilateral authority to restrict or prohibit any person who is not a digital asset issuer, related person, or an affiliated person from
    (I) using, earning, or transmitting the digital asset;
    (II) deploying software that uses or integrates with the blockchain system;
    (III) participating in a decentralized governance system with respect to the blockchain system; or
    (IV) operating a node, validator, or other form of computational infrastructure with respect to the blockchain system.

(B) During the previous 12-month period
  (i) no digital asset issuer or affiliated person beneficially owned, in the aggregate, 20 percent or more of the total amount of units of such digital asset that
    (I) can be created, issued, or distributed in such blockchain system; and
    (II) were freely transferrable or otherwise used or available to be used for the purposes of such blockchain network;
  (ii) no digital asset issuer or affiliated person had the unilateral authority to direct the voting, in the aggregate, of 20 percent or more of the outstanding voting power of such digital asset or related decentralized governance system; or
  (iii) the digital asset did not include voting power.

(C) During the previous 3-month period, the digital asset issuer, any affiliated person, or any related person has not implemented or contributed any intellectual property to the source code of the blockchain system that materially alters the functionality or operation of the blockchain system, unless such implementation or contribution to the source code
  (i) addressed vulnerabilities, errors, regular maintenance, cybersecurity risks, or other technical improvements to the blockchain system; or
  (ii) were adopted through the consensus or agreement of a decentralized governance system.

(D) During the previous 3-month period, neither any digital asset issuer nor any affiliated person described under paragraph (20)(A) has marketed to the public the digital assets as an investment.   

(E) During the previous 12-month period, all issuances of units of such digital asset were end user distributions made through the programmatic functioning of the blockchain system.     

So basically, fair launches where all coins in circulation are mined would be “decentralized,” would be “digital commodities,” and therefore would not be “securities” and thus not subject to the Securities Act or Exchange Act securities regimes.

Conclusions: not perfect, but a lot better than what we have

Is this legislation perfect? No. It’s also enormous so there’s much more to digest in the bill which might temper my initial opinion of Section 301.

Would it, if passed, open the floodgates to legal and regulated cryptocurrency innovation in the United States within certain well-defined boundaries, both in terms of increasing the number of the cryptocurrencies available and the DeFi venues on which they can be traded, while having some restrictions in place that restrict possibilities for insiders to get unfairly enriched? Yes.

If Congress is looking to clear up the confusion created by the recent Ripple Labs litigation looking forward, this is certainly a good place to start.

Ripple Labs Ruling Throws U.S. Crypto-Token Regulation into Disarray  

https://prestonbyrne.com/2023/07/13/ripple-labs-ruling-throws-u-s-crypto-token-regulation-into-disarray/

What, legally speaking, is a cryptocurrency token sold to the public?

Following Thursday’s bombshell split decision by Judge Analisa Torres of the Southern District of New York in SEC v. Ripple Labs et al., the answer appears to be that XRP is both an unlawfully sold investment contract when sold to VCs or institutional buyers and a perfectly lawful “something else” when sold anonymously via cryptocurrency exchanges, or distributed to employees or by insiders.

The only thing this ruling guarantees for cryptocurrency issuers, then, is continued uncertainty in the cryptocurrency markets – uncertainty which Congress, and only Congress, can step in to correct.   

At issue in this case is whether a decade’s worth of token distributions by Ripple Labs are sales of securities by dint of the transactions being “investment contracts” as such term is defined by the “Howey Test” in SEC v W.J. Howey Co., 328 U.S. 293 (1946), as clarified by subsequent precedents. That test says, in brief, that a contract, transaction or scheme involving (1) the investment of money (2) in a common enterprise with (3) a reasonable expectation of profits arising from the entrepreneurial or managerial efforts of others is a juridical critter known as an “investment contract” and is, per the federal Securities Act of 1933, to be regulated in exactly the same manner as a security.

For the purposes of conducting the Howey analysis, the court in Ripple Labs divided Ripple’s sales of tokens into three categories: (1) institutional sales to hedge funds, VCs and the like; (2) programmatic sales to retail directly on digital asset exchanges; and (3) “as a form of payment for services,” such as in restricted token purchase agreements or option contracts, to employees and other service providers.  

Ripple loses on “Institutional Sales” of XRP…  

On the first category of sales, institutional sales, Ripple lost. There are few if any informed legal commentators who I have seen arguing that any court should have found otherwise.  

…but wins on “Programmatic Sales”… 

On the second category of sales, programmatic sales, the Court found in Ripple’s favor, arguing that the third, “expectation of profits” prong of Howey was not met. “Ripple’s Programmatic Sales were blind bid/ask transactions,” the Court wrote, “and Programmatic Buyers could not have known if their payments of money went to Ripple, or any other seller of XRP” and as such “a Programmatic Buyer stood in the same shoes as a secondary market purchaser who did not know to whom or what it was paying its money.” As a result, the Court opined, “Programmatic Buyers purchased XRP with an expectation of profit, but they did not derive that expectation from Ripple’s efforts (as opposed to other factors, such as general cryptocurrency market trends)—particularly because none of the Programmatic Buyers were aware that they were buying XRP from Ripple.”  

The Court here clearly erred, for one simple reason: the expectation of profit prong doesn’t require an expectation of profit as a result of the efforts of the seller, but rather the efforts of another; per Howey, “the efforts of the promoter or a third party.” As will be obvious to anyone active in the industry, XRP’s principal promoter is and always has been Ripple Labs, whether a purchaser was aware they were purchasing tokens from Ripple Labs or not.   

For an example of the SDNY applying this principle correctly, look no further than a 2020 decision granting the SEC’s motion for a preliminary injunction in a massive win against the Telegram messenger app and its blockchain development subsidiary. There, Judge Kevin P. Castel (more recently famous due to his smackdown of a couple of lawyers who wrote pleadings that included ChatGPT hallucinations) linked purchasers’ expectation of profits “upon the essential entrepreneurial and managerial efforts of Telegram[,]” not the entrepreneurial and managerial efforts of intermediaries who were selling Telegram SAFT contracts to all and sundry at the time.

It was “Telegram’s commitment to develop the project,” not the intermediary sellers’ resale efforts, which the Court held constituted the “essential efforts of another” for the purposes of this Howey prong. Because of this, I expect Ripple’s win on this point to be overturned on appeal.   

…and bizarrely also wins on “Other Distributions” of XRP  

Finally, and most bizarrely, Ripple won on the basis that “Other Distributions” to e.g. employees did not satisfy the first prong of Howey, the “investment of money” prong. This one is a real head-scratcher because it is abundantly clear from the precedents that an “investment of money” for Howey purposes need not actually include the transfer of funds – what it requires is only that the purchaser “gave up some tangible and definable consideration in return for an interest that had substantially the characteristics of the security.”   

Yet, after stating that Ripple’s “Other Distributions” “include distributions to employees as compensation and… to develop new applications for XRP,” relationships which in practically any commercial setting are regarded as possessing the requisite bi-directional movement of contractual consideration necessary to satisfy this prong (employee provides services; employer provides tokens), the Court concluded that the necessary contractual consideration was nonetheless absent and no “tangible or definable consideration” was paid to Ripple. Employees providing services and third parties developing applications for use on a protocol strike me, as a commercial lawyer, as profoundly tangible and measurable things in relation to which great sums of money and cryptotokens are routinely paid.   

That the consideration for this prong can be minor, or even nominal, is not a point which has been seriously disputed for some time, even among the crypto bar. Peter Van Valkenburgh at Coin Center wrote in 2017 that even “free” distributions of tokens via an airdrop which required a user to provide only an e-mail address was sufficient consideration flowing from the investor to the issuer, and going the other way issuers benefited through the receipt of “value by spawning a fledgling public market for their shares, increasing their business, creating publicity, increasing traffic to their websites, and, in two cases, generating possible interest in projected public offerings.” For this reason, this finding strikes me as probably erroneous and vulnerable to challenge on appeal.   

Schrodinger’s Shitcoin  

The legal status of XRP, then, seems to possess a kind of quantized duality, Schrodinger’s Shitcoin – it’s a security when sold to an institutional investor in a primary sale, but not a security when sold behind the anonymity of a cryptocurrency exchange, or when sold in exchange for services to insiders.  This position strikes me as deeply unsatisfactory from the standpoint of regulatory consistency – no other security magically transmogrifies from a security to a non-security after it is sold more than once – as well as being a manifestly incorrect application of the line of precedents relating to the first and third Howey prongs when one considers the entirety of the reasons why an XRP purchaser buys XRP tokens.   

There are other issues in this case relating to Ripple executives Chris Larsen and Brad Garlinghouse. I leave those issues undiscussed here to focus on the legal problems faced by cryptocurrency issuers and keep under my word count. As for issuers, the U.S. market is thus presented with two broad pathways for further development, much as it had in 2017 after the SEC’s Bill Hinman unwisely invented the “sufficiently decentralized” test for token issuance which launched a thousand ICOs, and was subsequently benchslapped by District Courts across the United States.   

The first path is that our unfit-for-purpose regulations will not change and a new wave of token issuers will seek to avail themselves of this narrow and in my view likely incorrect ruling to launch new programmatic token schemes, and the SEC will find itself bringing enforcement actions against these schemes in two to three years, to the detriment of the American economy, investors, and innovation more broadly. Startups following this first path should exercise extreme caution – as my colleague Palley puts it, “that order in the Ripple case is a partial summary judgment from a single district court judge. While persuasive, it’s not binding precedent on other courts and will likely be appealed and could be reversed. Don’t yolo into anything based on that decision.”  

The second path is that the U.S. Congress realizes that it makes no sense for a thing to be a security in one transaction but not another, and passes laws – as the UK is now doing – to normalize cryptocurrency investment by conferring a well-defined legal status on all token transactions, requiring an aggressive disclosure regime and doing away with the Securities Act of 1933’s requirement that we regulate tokens which are paired with no contractual promises, an asset class the United Kingdom has described as a third, distinct category of personal property unlike anything which has come before, in the same manner as we regulate contractual instruments.   

Conclusions 

Ripple’s business of selling tokens should be legal in the United States, within regulatory guardrails. Currently, it isn’t. In my view, Judge Torres’ ruling holding that it is will likely be overturned on appeal. My hope is that Congress will get its act together and decide that it’s time for cryptocurrency tokens and cryptocurrency exchanges to receive their own purpose-built disclosure and supervisory frameworks which will take cryptocurrency regulation out of the slow and contradictory hands of our courts, and the politically motivated hands of the SEC, to allow U.S. crypto business to proceed, with regulatory certainty, in a more laissez-faire manner, such as is permitted in jurisdictions like the United Kingdom.

My expectations of Congress are, however, quite low. I hope to be proven wrong.  


“Disinformation” is not a crime

https://prestonbyrne.com/2023/07/04/disinformation-is-not-a-crime/

In the middle of last month, in the case of Missouri et al. v. Joseph R. Biden et al., the State of Missouri made a motion for a preliminary injunction against Joseph R. Biden, the President of the United States, in his official capacity, and various other individuals in their various official capacities as heads of government agencies, such as Tony Fauci and Xavier Becerra, and anyone acting in concert with them, seeking to prevent them from doing the following:

from taking any steps to demand, urge, encourage, pressure, or otherwise induce any social-media company or platform for online speech, or any employee, officer, or agent of any such company or platform, to censor, suppress, remove, de-platform, suspend, shadow-ban, de-boost, restrict access to content, or take any other adverse action against any speaker, content, or viewpoint expressed on social media[.]

Today, July 4th, 2023, a federal district court largely granted that motion.

In relation to which Pravda the New York Times had this to say:

The Washington Post was similarly disappointed, whining that “[t]he Donald Trump-appointed judge’s move could undo years of efforts to enhance coordination between the government and social media companies.”

But will it actually?

Talking to the government as a web company: a lawyer’s perspective

There’s a reason lawyers say “don’t talk to the police.” I would extend that principle and say “don’t talk to the government.” We don’t say this because you shouldn’t cooperate with the government, or that the government is somehow inherently bad. It’s because talking to the government involves potentially huge amounts of personal liability if you happen to put a foot wrong by making a materially false statement, for example. You can limit this liability substantially by keeping your communications few and always making those communications with the assistance of a legal team.

As such, it is extremely unusual for businesses to have frequent, casual, unsupervised contacts between senior staff and federal agents, which is why most of us who are in the “helping-u-deal-with-the-government” business had our collective jaws hit the floor when we learned that Homeland Security was openly deputizing private actors to help them insinuate government propaganda policy in corporate boardrooms.

Putting politics (including free speech issues) to one side for a moment, allowing senior corporate officers to have that level of close, unsupervised contact with DHS and the FBI is insane. If law enforcement and the corporations they regulate are that chummy, someone’s not doing their job correctly. Normally, when contact is inbound from a federal agency, it is done as a result of and pursuant to some official process, usually authorized by a court or a grand jury, in writing, where the government has a legally binding demand and the company has a legally binding obligation to respond.

With a web company like Twitter or Facebook, those sorts of communications – the legally binding kinds – likely fall into the following categories, at least from American government agencies:

  • The overwhelming majority of the legal process likely consists of grand jury and other administrative subpoenas, where a grand jury has been empaneled and is investigating some crime for which records are sought. Generally when served on an internet communications company these subpoenas can only obtain non-content subscriber logs. For content you’ll need a…
  • Search warrant signed by a judge, issued upon probable cause that the records held by the social media company contain evidence that will assist in the commission of a crime.
  • 2703(d) Orders, which are sort of a halfway point between a subpoena and a search warrant in terms of the kind of information which is available, in that it can get detailed logs about with whom an internet user communicated but not the content of that communication (which requires a warrant).
  • National Security Letters, which can demand non-content data but are authorized by senior officials at the FBI rather than a grand jury.

Mind you, in the event of a genuine emergency, which I personally regard as being an actual threat to life or property however small, law enforcement may request, and social media companies may volunteer, this information if they wish. Otherwise, obtaining this information from a web company requires U.S. law enforcement to follow a statutory pathway set out in the USA PATRIOT Act and the Stored Communications Act.

What these pathways share in common is that they relate to criminal proceedings or regulatory violations. If you aren’t breaking any laws, there’s no reason for the government to empanel a grand jury or obtain a search warrant. Moreover, these orders do not, repeat not, require social media companies to take any action against the content in question once the orders are given.

American laws on content do not empower the government to deputize social media companies as political speech enforcers

This is not the case in the rest of the world. Take for example the Christchurch Shooting in 2019. In that shooting, a deranged individual named Brenton Tarrant posted a manifesto online before live-streaming what can only be described as an absolutely horrific crime on Facebook Live.

As it happens, the Christchurch Shooting happened in New Zealand, not America, and New Zealand has a censorship law which it more or less immediately invoked against that content, like many other countries around the world also do. The country subsequently embarked on a global crusade, the Christchurch Call, to wipe the video off the web. Social media companies, including Zoom, Dailymotion, Youtube, Google/Alphabet, Facebook, and even Twitter enthusiastically signed on to this initiative.

In the United States, there would be no legal requirement on Facebook to remove his account after receiving a search warrant from the FBI. There is not, as far as I am aware, any rule of law in any jurisdiction of the United States, state or federal, which would empower the government to order that content removed. Indeed, there’s a rule – 47 U.S. Code Section 230(c)(1) – which says that Facebook not only has no obligation to remove that content, but Facebook is presumptively immune from liability even if it made an editorial decision to leave it up.

“Disinformation” is not a crime

This is the key distinction between the American and European (the latter of which includes Canadian, NZ, Australian) approaches to speech regulation of the Internet, and why the relationship of a social media company to the U.S. government necessarily has to be different than its relationship with a foreign one.

In Europe/Canada/NZ/Australia, expressing a controversial point of view, without more, can be a speech crime. In America, it is not. We see, however, that there remain many avenues for law enforcement to make requests of social media companies and for social media companies to respond to those inquiries. All that is required first is the evidence of a commission of a crime and judicial supervision, or some valid investigatory process like the empaneling of a grand jury.

The question we should be asking ourselves about Missouri v. Biden is whether we want the government using informal pressure to police speech which the people, with the legal bargain enshrined in the First Amendment, have not authorized the government to police.

The government’s track record is not strong on this point. Official state mouthpieces have, in the last three years, labeled statements criticizing the official position on vaccine efficacy, laptop computers allegedly belonging to a certain presidential candidate’s son, and the origins of a certain coronavirus “disinformation.” As it turns out, all of those government pronouncements on matters of considerable public importance were false, and the so-called “disinformation” was true.

If the state thinks a crime has been committed, there are a great many avenues for it to let this be known to social media companies. The New York Times is complaining of speech which is sub-criminal and merely unpopular. The Times laments that a federal court had the temerity to tell the Executive Branch to stay out of regulating the sort of speech that, in America, normally you’d complain about to a college administrator or a human resources department – not a policeman.

Post-COVID, the “just trust us” dog won’t hunt. For now, the government has their Twitter accounts and gray checkmarks. I can only suggest that they use them. The result of Missouri v. Biden will not be a catastrophic reduction in state capacity to enforce the laws or police bad behavior on the web. Really, all it will mean, going forward, assuming the result from this preliminary injunction holds, is that the government will simply have to win the argument by embracing transparency and presenting evidence in public – just like everyone else, and just as they should have been doing from the start.

Postscript

Reminder: “disinformation” is not a crime

https://prestonbyrne.com/2023/07/04/reminder-disinformation-is-not-a-crime/

In the middle of last month, the State of Missouri made a motion for a preliminary injunction against Joseph R. Biden, the President of the United States, in his official capacity, and various other individuals in their various official capacities as heads of government agencies, such as Tony Fauci and Xavier Becerra, and anyone acting in concert with them, seeking to prevent them from doing the following:

from taking any steps to demand, urge, encourage, pressure, or otherwise induce any social-media company or platform for online speech, or any employee, officer, or agent of any such company or platform, to censor, suppress, remove, de-platform, suspend, shadow-ban, de-boost, restrict access to content, or take any other adverse action against any speaker, content, or viewpoint expressed on social media[.]

Today, July 4th, 2023, a federal district court granted that motion.

In relation to which Pravda the New York Times had this to say:

Talking to the government as a web company: a lawyer’s perspective

There’s a reason lawyers say “don’t talk to the police.” I would extend that principle and say “don’t talk to the government.” We don’t say this because you shouldn’t cooperate with the government, or that the government is somehow inherently bad. It’s because talking to the government involves potentially huge amounts of personal liability if you happen to put a foot wrong by making a materially false statement, for example. You can limit this liability substantially by keeping your communications few and always making those communications with the assistance of a legal team.

As such, it is extremely unusual for businesses to have frequent, casual, unsupervised contacts between senior staff and federal agents, which is why most of us who are in the “helping-u-deal-with-the-government” business had our collective jaws hit the floor when we learned that Homeland Security was openly deputizing private actors to help them insinuate government propaganda policy in corporate boardrooms. Normally, when contact is inbound from a federal agency, it is done as a result of and pursuant to some official process, usually authorized by a court or a grand jury, in writing, where the government has a legally binding demand and the company has a legally binding obligation to respond.

With a web company like Twitter or Facebook, those sorts of communications – the legally binding kinds – likely fall into the following categories, at least from American government agencies:

  • The overwhelming majority of the legal process likely consists of grand jury and other administrative subpoenas, where a grand jury has been empaneled and is investigating some crime for which records are sought. Generally when served on an internet communications company these subpoenas can only obtain non-content subscriber logs. For content you’ll need a…
  • Search warrant signed by a judge, issued upon probable cause that the records held by the social media company contain evidence that will assist in the commission of a crime.
  • 2703(d) Orders, which are sort of a halfway point between a subpoena and a search warrant in terms of the kind of information which is available, in that they can get detailed logs about with whom an internet user communicated but not the content of that communication (which requires a warrant).
  • National Security Letters, which can demand non-content data but are authorized by senior officials at the FBI rather than a grand jury.

Mind you, in the event of a genuine emergency, which I personally regard as being an actual threat to life or property however small, law enforcement may request, and social media companies may volunteer, this information if they wish. Otherwise, obtaining this information from a web company requires U.S. law enforcement to follow a statutory pathway set out in the USA PATRIOT Act and the Stored Communications Act in order to get it.

What these pathways share in common is that they relate to criminal proceedings or regulatory violations. If you aren’t breaking any laws, there’s no reason for the government to empanel a grand jury or obtain a search warrant. Moreover, these orders do not, repeat not, require social media companies to take any action against the content in question once the orders are given.

American laws on content do not empower the government to deputize social media companies as political speech enforcers

This is not the case in the rest of the world. Take for example the Christchurch Shooting in 2019. In that shooting, a deranged individual named Brenton Tarrant posted a manifesto online before live-streaming what can only be described as an absolutely horrific crime on Facebook Live.

As it happens, the Christchurch Shooting happened in New Zealand, not America, and New Zealand has a censorship law which it more or less immediately invoked against that content, like many other countries around the world also do. The country subsequently embarked on a global crusade, the Christchurch Call, to wipe the video off the web. Social media companies, including Zoom, Dailymotion, Youtube, Google/Alphabet, Facebook, and even Twitter enthusiastically signed on to this initiative.

In the United States, there would be no legal requirement on Facebook to remove his account after receiving a search warrant from the FBI. There is not, as far as I am aware, any rule of law in any jurisdiction of the United States, state or federal, which would empower the government to order that content removed. Indeed, there’s a rule – 47 U.S. Code Section 230(c)(1) – which says that Facebook not only has no obligation to remove that content, but Facebook is presumptively immune from liability even if it made an editorial decision to leave it up.

“Disinformation” is not a crime

This is the key distinction between the American and European (the latter of which includes Canadian, NZ, Australian) approaches to speech regulation of the Internet, and why the relationship of a social media company to the U.S. government necessarily has to be different than its relationship with a foreign one.

In Europe/Canada/NZ/Australia, expressing a controversial point of view, without more, can be a speech crime. In America, it is not. We see, however, that there remain many avenues for law enforcement to make requests of social media companies and for social media companies to respond to those inquiries. All that is required first is the evidence of a commission of a crime and judicial supervision, or some valid investigatory process like the empaneling of a grand jury.

The question we should be asking ourselves about Missouri v. Biden is whether we want the government using informal pressure to police speech which the people, with the legal bargain enshrined in the First Amendment, have not authorized the government to police.

The government’s track record is not strong on this point. Official state mouthpieces have, in the last three years, labeled statements criticizing the official position on vaccine efficacy, laptop computers allegedly belonging to a certain presidential candidate’s son, and the origins of a certain coronavirus “disinformation.” As it turns out, all of those government pronouncements on matters of considerable public importance were false, and the so-called “disinformation” was true.

If the state thinks a crime has been committed, there are a great many avenues for it to let this be known to social media companies on very short notice. What the New York Times is complaining of is speech which is sub-criminal and merely unpopular. Post-COVID, the U.S. political class has destroyed trust for at least a generation.

For now, they have Twitter accounts and gray checkmarks. I can only suggest that they use them. The result of Missouri v. Biden will not be a catastrophic reduction in state capacity to enforce the laws or police bad behavior on the web. Really, all it will mean, going forward, assuming the result from this preliminary injunction holds, is that the government will simply have to win the argument by embracing transparency and presenting evidence in public – just like everyone else.

UK blazes its own trail with new cryptocurrency rules. Will it exercise restraint, or kill the golden goose?

https://prestonbyrne.com/2023/06/30/uk-blazes-its-own-trail-with-new-cryptocurrency-rules-will-it-exercise-restraint-or-kill-the-golden-goose/

Earlier this month, the UK’s financial conduct regulator, the Financial Conduct Authority or FCA, announced new, near-final proposed rules, following recently-enacted secondary legislation, on financial promotion of crypto-assets within the country. Taken together with the passage of the UK Financial Services and Markets Act 2023 (the “2023 Act”) earlier this week, which brings crypto-assets under the UK’s broader financial regulatory regime contained in the UK Financial Services and Markets Act 2000 (“FSMA”), including FSMA’s rules on financial promotions, it is now all but inevitable that the FCA’s new rules – or ones very close to them – will be entering into force on schedule on or about October 8th.

This is the culmination of a yearslong effort in the UK government to create new rules to govern cryptocurrency business within its borders. As such it represents something of a departure for the UK from its usual approach to cryptoasset regulation. Historically, the United Kingdom’s financial regulators have not had the power to regulate – and thus have avoided regulating – crypto-assets such as Bitcoin, Ethereum, Cardano, or Cosmos in their capacity as investments, at least in the same manner that they regulated TradFi instruments such as securities. This differs significantly from the regulatory landscape in the United States where, infamously, the U.S. Securities and Exchange Commission asserts more or less plenary authority over the cryptocurrency sector by utilizing 90-year-old securities legislation, and in relation to which it has been prosecuting a regulation-by-enforcement campaign in the federal courts.

Among many other things the 2023 Act does, it folds certain types of regulated activities, like arranging deals in or managing investments when crypto is the underlying product, into the FCA’s regulatory scheme. It also grants additional, and as far as I can tell open-ended, powers under a new “Designated Activities Regime” to impose crypto-specific, as-yet-undetermined rules and restrictions on the industry, which in the government’s opinion include powers to go so far as banning of particular types of crypto business or asset. 

The most immediately relevant provisions from the Act for cryptocurrency developers, though, are the aforementioned changes which bring cryptocurrency marketing fully under the existing financial promotions regime. Generally speaking, in the UK one is not allowed to “communicate an invitation or inducement to engage in investment activity” in the course of business to a prospective customer unless conducted or approved via a regulated entity, or an exemption applies. Regulated entities under the new regime for crypto include FCA authorized firms, registered cryptoasset firms, or authorized firms which have passed through regulatory gateway legislation (which is currently with Parliament). How these communications may be made and what they must contain is governed by complex rules, too; given that penalties for noncompliance include fines and potential imprisonment, strict adherence to the rules is a must.

Current state of play

What does this mean? Unlike in the U.S., and despite news stories saying “crypto is now a regulated activity,” cryptocurrency itself has not been redesignated as a regulated product. As far as this writer can tell, the act of hashing a genesis block, mining coins, and distributing them otherwise than in the course of business still isn’t regulated, whereas in America there are those who would argue that it is.

Engaging in certain types of “regulated activities” which are already regulated vis a vis other kinds of investments in relation to crypto, however, will be regulated going forward. For service providers undertaking what would otherwise be regulated activities, it means compliance and licensure. Developers and issuers, on the other hand, should still consider the UK open for business, although they will need to approach doing business in the UK and with UK consumers with considerably more care than before. Unlike in the U.S. where the regulator is asserting that crypto-assets are securities, cryptoassets qua cryptoassets are more or less treated the same as they were a year ago. Extremely stringent rules around marketing cryptocurrency to consumers are proceeding ahead with dispatch, and it is in this marketing where the heaviest compliance burden for devs will arise.

The types of marketing covered by the financial promotion regime could include not only marketing in a formal sense like a television advertisement or an investment memorandum, but also less formal communications where cryptocurrency companies usually market their protocols such as podcasts, hackathons, conference events, and meetups, or online banner ads and Tweets. The new regime also includes communications to high-net-worth and sophisticated investors.

Moreover, at least based on my reading, the new rules make no distinction between ICO-based cryptoassets like Polkadot or Cosmos and cryptocurrencies which are generally regarded as “decentralized” and not subject to much regulation even in the United States, such as Bitcoin or Ethereum. This means that something as seemingly harmless as a cryptocurrency ATM might need to have any marketing copy it displays on its user interface (“Buy crypto here!”) reviewed by an FCA-authorized firm and brought into compliance with the new rules.

The bargain that appears to be emerging in the UK is that the price of freedom to develop and trade crypto is tight regulation on how it is marketed to consumers. If things get too out of hand, more rules may follow. But they haven’t followed yet. This is a novel approach which, unlike the draconian regulatory crackdown underway in America, strikes what feels like a fairer balance between free markets and consumer protection. This approach gives the crypto markets latitude to evolve on their own while also incentivizing higher levels of disclosure from those who seek to make money selling to those markets. 

The tantalizing possibility here is that the UK Treasury exercises restraint with its new powers and that existing, regulated market participants with large UK presences – companies like BnkToTheFuture and eToro immediately come to mind – might fill the gap and develop businesses which evaluate and prepare the volumes of marketing disclosures that will be needed to promote the sale of cryptocurrencies available for sale on their platforms, while the government remains hands-off of developers and software startups operating within its borders. 

If the regulators can exercise a bit of self-control and sit on their hands, there’s a good possibility Britain could eat America’s lunch. Whether they can resist that temptation remains to be seen.

How to Build a Crypto Exchange Post-Coinbase

https://prestonbyrne.com/2023/06/06/how-to-build-a-crypto-exchange-post-coinbase/

I developed something of a reputation for being a skeptic about the legal propriety of selling cryptocurrency tokens in the United States. I used to write about this extensively, particularly in 2017 when I was studying for my LL.M. and, accordingly, had more free time and latitude to say what I wanted.

Moreover, I held this position when it was unpopular and non-obvious, unlike the recent crop of crypto critics like former government lawyer John Reed Stark (who seems to take endless glee in kicking the industry while it’s down). See, e.g., on July 9th, 2014, when my friend Tim Swanson and I were quoted in a CoinTelegraph article, “Mitigating the Legal Risks of Issuing Securities on a Cryptoledger,” when I said that “[Virtually] nobody has done this correctly. To date I have not seen a single crypto-security that has been properly structured.”

People thought I was crazy at the time. Others probably thought I was just a jerk. The truth is probably somewhere between the two. Keep in mind, of course, that in 2014 the idea of an “Initial Coin Offering” didn’t really exist; entrepreneurs like Joel Dietz marketed his “Swarm” crowdfunding token as “crypto-equity,” a term which fell into disfavor by more sophisticated projects like Ethereum which, only a month after I was quoted in the CT article, launched its ICO. But even that wasn’t called an ICO. That, presumably per whatever advice was given to Joe Lubin by his lawyers, was a “sale of crypto fuel for the Ethereum network.” Or as the New York Attorney General alleged in its lawsuit against KuCoin, a security.

Ethereum subsequently exploded in 2017 and with it came a thousand imitators and other variations just like it. U.S. regulators were slow to respond. SEC Director Bill Hinman added fuel to the ICO fire when he made his famous “Hinman Speech” which set out the (now-discredited) “sufficiently decentralized” exception to the Howey test. (Keeping in mind that Hinman was based out of San Francisco, the general assumption among those of us who were not in the cool SF VC crowd was that they had successfully convinced that office that Ethereum – a popular investment out there – was the next Internet and the best thing for the government to do would be to get out of the way and let Ethereum prove it.)

I think it is safe to say, five years later, that Ethereum has not cracked a lot of the scaling issues it would have needed to crack in order to become the next Internet. With those broken promises on one side, perhaps it is not surprising that the government has decided to adopt a more traditional approach as well, with the NYAG’s office alleging that Ethereum is a security in her recent lawsuit against KuCoin for violating New York’s Martin Act.

What followed the Hinman Speech can only be described as confusing. Up till the Hinman speech, the SEC really had only gotten involved in the crypto business in cases of obvious and notorious fraud. The first such case that I can recall was the case of SEC vs. Trendon Shavers and Bitcoin Savings and Trust (a Ponzi scheme) and SEC v. GAW Miners, Joshua Homero Garza et al. (another Ponzi scheme involving the sale of “mining contracts” and a $20 stable coin called “paycoin”).

In terms of non-fraud enforcement, the SEC started to bring its first set of enforcement actions, announced by way of settlements, with a number of coin-related projects in late 2018, only months after the Hinman Speech was published. The first such settlement, with a founder of early decentralized exchange, or “DEX,” EtherDelta, was announced on Nov. 8th, 2018; the SEC claimed that the DEX operator was operating an unregistered exchange, which necessarily implied that the SEC took the view that some of the assets on EtherDelta – being Ether and ERC-20s – were securities. Ten days later, the SEC announced its first settlements with two otherwise completely unmemorable ICO issuers, Airfox and Paragon; both respondents agreed to register their tokens as securities (which does not appear to have happened as far as I can tell).

What followed over the next year was a range of weird settlements which failed to serve as a deterrent to further ICO issuance being conducted at the same time as a bunch of weird transactions which tried to pretzel their way into compliance with the non-guidance guidance issued by Bill Hinman. EOS, for example, which advertised its product on a giant Times Square billboard during Consensus 2017 and raised north of $4 billion in crypto (as valued at the time), was somehow allowed to skate by paying a $24 million fine – and not even a requirement to register! Other projects were not so lucky. Kik Interactive, Telegram, and Ripple Labs launched absolutely gargantuan ICOs; both Kik and Telegram lost badly in federal court, and I do not rate Ripple’s chances. Similarly the much-smaller LBRY project, based in New Hampshire and which pre-dated EOS by some years, was not, as far as I am aware, offered a settlement deal with the SEC which would have permitted their business to continue operating; the only logical reason I have been able to deduce for this is that the SEC’s Boston office wanted a scalp and the only place you’ll find a crypto startup in New England is in New Hampshire.

This brings us to the Coinbase complaint. Nothing about it will come as a surprise to any attorney who has been practicing in the U.S. after 2018.

The charges alleged are numerous. The SEC accuses Coinbase of violating the registration requirement of the Securities Act of 1933 in relation to its custodial staking offering.

It also charges Coinbase with violating the Exchange Act’s registration requirements, which require anyone effecting transactions in securities to register and be supervised by the Commission. Furthermore, Coinbase is charged as operating as an unregistered broker-dealer and with operating as an unregistered clearing agency, being “any person who acts as an intermediary in making payments or deliveries or both in connection with transactions in securities or… provides facilities for comparison of data respecting the terms of settlement of securities transactions.”

I am not going to spend this entire blog post quoting chapter and verse on broker-dealer registration requirements because that would be boring. I also won’t go into a detailed Howey analysis on many of the coins mentioned in the complaint – including Solana, ADA, Matic, Filecoin, SAND, AXS, CHZ, FLOW, ICP, NEAR, VGX, DASH, and NEXO. The important thing here is that the SEC is seeking, as a remedy, a permanent injunction against Coinbase from operating an unlicensed exchange. If they can get one of the tokens to stick and win at trial, they may be able to shut down Coinbase’s core business completely.

What did surprise me is that it took this long. Back in 2017, I hypothesized that one day there would come an event in which law enforcement would launch something akin to “simultaneous dawn raids at the major exchanges and the homes and offices of the major ICO promoters, with a variety of agencies in a variety of countries co-ordinating their activities.” It’s hard to tell whether we’re at the beginning of a process that extensive, but if the SEC is going after Coinbase, no one in Coinbase’s business is safe. I called that event “The Zombie Marmot Apocalypse,” said it was massively bearish for crypto, and I think it is safe to say that it is now upon us.

The question then turns to what comes next. Crypto isn’t going anywhere, so I think the answer is “new exchanges that aren’t carrying all this regulatory baggage.” In terms of how that might look, here’s my current thinking:

  1. Paradoxically, there is probably no better time – other than 2012 – to start a crypto exchange than today. For the first time since perhaps the start of Bitcoin itself, compliance will cost less than non-compliance. Existing industry giants have a lot of legal-technical debt they need to work through which will distract them and cost enormous amounts of money.
  2. Crypto is not going to die. In places where it is growing most quickly, particularly Latin America and Africa, there is neither the political will nor the harmonized enforcement capacity to shut it down.
  3. Making companies like Coinbase treat crypto tokens as old-fashioned securities is like trying to regulate Starlink like we regulate road traffic. Equally, expecting the U.S. government to simply just let crypto happen was not realistic. Increased lobbying efforts and an openness to compromise by U.S. crypto giants will result in a middle path in the U.S. which will regularize crypto business within the next five years if not sooner.
  4. The companies that will succeed will have a growth strategy which doesn’t include the United States, and will then need to be ready to move to the United States on hair-trigger alert once regulations are favorable – or, in the alternative, they’ll need to develop a subsidiary that operates like INX and gets the appropriate regulatory approvals. I suspect that regulations will eventually loosen up so that companies like INX can operate more like companies like Coinbase and Gemini do today. To achieve scale, startups will need to build a toehold in countries with substantial populations of English-speaking crypto users which don’t ban ICOs and permit exchanges to trade spot crypto without regulating them as broker-dealers or clearing agencies.
  5. The only G20 country I can think of which satisfies these criteria is the United Kingdom. The UK should be used as a launchpoint to access English-speaking Africa and India while the U.S. gets its act together and (likely) has a change in Presidential administrations to one that doesn’t want to completely eliminate avenues of escape from the dollar.

So. Crypto’s not dead, it’s just in need of a little legal tune-up. May the best and most compliant startup win.

Compliance: Impossible

https://prestonbyrne.com/2023/05/03/compliance-impossible/

It is increasingly clear to me that running a globally compliant business is no longer possible in certain important domains. In two specific spheres, crypto and publishing, the problem is most acute. As the post-war international order fractures, so too does the Internet. The result is that soon Internet businesses in crypto or publishing will have no choice but to violate the law somewhere if they want to continue to exist.

In the case of crypto, there are generally three regimes: (A) the United States and OECD; (B) BRICS; (C) Rest of World.

Although there is substantial variation within the U.S./OECD crowd (for example, the United Kingdom and Australia do not generally regulate ICO coins as transferable securities whereas the U.S. and Canada do), the general understanding is that the government has a substantial interest in regulating practically every touchpoint or intermediary which facilitates access to blockchain protocols and even, in the case of recent U.S. Securities and Exchange Commission noises around exchanges and/or U.S. treatment of the Tornado Cash smart contract, even access to protocols without access to intermediaries, even if overseas operators cannot be accessed directly from the U.S. but need to be accessed via VPN.

The result is that crypto businesses fundamentally cannot do in the United States what they are permitted to do in many other places, meaning crypto cannot be used in the United States in the manner it is used in other places. The U.S. requirement to treat every token like a full blown security, and all of the intermediary re-insertion to the process that entails (transfer agents, broker-dealers, custodians, ATSs, etc.) defeats the entire point of using the technology in the first place. As a result, a lot of crypto companies carrying on certain regulated activities will wind up having two different crypto businesses – an American-only offering and a rest-of-world offering – because of the irrationally harsh approach American regulators are taking to the space.

In the case of publishing, similarly, each country is charting its own course regarding Internet censorship and state control of published materials on the Net. Generally speaking, there are two regimes: (A) the United States and (B) rest of world (“ROW”). In this matrix, however, the United States is the freest jurisdiction in the world, with strong First Amendment protections for sites wishing to host user generated content and for the content users choose to post, as well as the affirmative defense for platforms which host that content from civil actions in the form of 47 U.S.C. § 230(c) (commonly known as “Section 230”).

No power on Earth can force an American company running an application on American metal to censor even a single bit of user generated content which is lawful in the United States.

The ROW, on the other hand, has a variety of different regimes with different rules, but one thing in common: most of the ROW confers the right on the state to order platforms to take down political content which would be lawful in the United States. This is the case with Germany’s NetzDG, with the E.U. Digital Services Act, with the Brazilian Paim Law or recent nation-wide ban of the Telegram app, and, if enacted, with the United Kingdom’s Online Safety Bill.

At the moment, companies such as Twitter generally comply with these laws by removing content or blocking it in the subject jurisdictions but allowing it to remain accessible from elsewhere, such as in the United States. As the world splinters, however, I expect that countries’ censorship regimes will become more demanding and that erasure, not obscuration, will be required. Much like the U.S. SEC/CFTC/DOJ/WTF/BBQ have problems with VPNs when it comes to digital money, so too will the Europeans when it comes to speech. Companies will have no choice but to fold to every petty takedown demand or fall out of compliance.

Combine this with conflicting data privacy regimes, or laws in places like Poland which bar companies from censoring social media users, or a desire to simply not engage in political censorship and… well, you get the idea. You can’t comply with conflicting requirements at the same time, and you can’t run a business that has American values in a European country.

I am of course speaking in generalizations here. Any one of the statutes mentioned in this post could merit an entire book’s worth of writing by itself, so read the above not as specific conclusions following rigidly structured analysis but rather as hunches based on how these laws feel, to me, as I have been getting my hands dirty with them.

Speaking and transacting combined represent the overwhelming majority of human activity. It occurs to me that America is making the gravest of strategic mistakes by choosing to be the world’s leader when it comes to decentralized, digital publication of words and the expression of ideas, but not the world leader – or even a major player – when it comes to the adoption of decentralized, digital money.

I suspect that A.I. will likely fall into the “publication” category barring some political disaster and so America will have another chance to lead the world there. But the brightest possible future belongs to the country which decides to become the most technologically advanced, and the country that does that is the one that embraces total freedom for its people, not in one category of technology or another, but in all of them at the same time.

This – with an assist from Alan Greenspan – is what lit the fires of the American economy in the megaboom years of the 1990s and 2000s, and could do it again today. America could own the 21st Century. Instead we’re printing to infinity and blowing our lead. What a shame.