I’ll let everyone reading this column in on a little secret: The definitions of “blockchain tech” used by various state legislatures to look technologically astute are something of a running joke among the hardcore crypto-lawyer set.
One exception to this is the definition used by Vermont and California, the least-bad definition of a chain I’ve read so far. Those laws refer to “a mathematically secured, chronological, and decentralized ledger or database.”
Simple, straight, to the point. I give California and Vermont a solid C-minus: the definition hits the high notes, but it also probably captures an instance of Postgres-XL that stores passwords as MD5 hashes. This is quite obviously not what the definition is supposed to do, but because it’s poorly drafted, that’s what it does.
Other states are far, far worse. Take, for example, Arizona’s definition, which says “blockchain technology” is
“a distributed, decentralized, shared and replicated ledger, which may be public or private, permissioned or permissionless, or driven by tokenized crypto economics or tokenless… protected with cryptography, is immutable and auditable and provides an uncensored truth.”
“Uncensored truth.” What the hell does that even mean? Anyone who has a passing familiarity with blockchains will know that blockchains can’t guarantee an “uncensored truth” as they only show the transactions that validators committed to the chain. If censorship happened, we’re not going to find out about it, because it isn’t going to be there. “Tamper-evident” would be a more accurate description.
Furthermore, not all blockchains are ledgers, just as not all databases are ledgers.
D minus, Arizona. See me after class.
Then there’s Colorado, which doesn’t define “blockchains” but, in a bill about state records, just refers to them in plain English. Simple, and, if put in front of a judge, it probably works. Colorado also gets points for the zany title of its blockchain-aware legislation: “an Act Concerning the use of Cyber Coding Cryptology.”
Connecticut — my home state — gets a solid F for its latest effort. The short story here is that someone managed to convince a member of the state house to introduce a bill that would abolish non-compete clauses in employment contracts where a “blockchain” company was one of the counterparties.
If you wish to see my testimony on the bill you may find it in full here. Apart from being very anti-business, the bill also proposes a definition of “blockchain” so broad that it would capture practically any contract with any employee of any company that employs distributed software architecture of any kind.
It defines “Blockchain Technology” as a
“distributed ledger technology that uses a distributed, decentralized, shared and replicated ledger that may be public or private, permissioned or permissionless and that may include the use of electronic currencies or electronic tokens as a medium of electronic exchange”.
If you recognize this, it’s because you have seen something very close to it before in Arizona (and Rhode Island, New York, Tennessee and Michigan, among others). The fact that this definition is the law in Arizona doesn’t mean it’s correct.
A blockchain, as any informed person will tell you, is a hash-linked chain of blocks. If we wanted to be a little more specific, we might say “a hash linked chain of blocks that usually (a) uses digital signatures to authenticate transactions, (b) P2P networking protocols to communicate those transactions and (c) Merkle trees to render the transaction log tamper-evident.”
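As an added example (not part of the original column), the Python below builds the "hash-linked chain of blocks" with a Merkle root per block and shows why "tamper-evident" is the accurate property and "uncensored truth" is not. The block layout, the transaction strings and all function names are assumptions made for illustration; digital signatures and P2P networking are left out.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # assumed placeholder "previous hash" for the first block

# Constructed sample data: transactions submitted to the validators, per block.
SUBMITTED = [
    ["alice->bob:5", "bob->carol:2"],
    ["carol->dave:7", "dave->erin:1", "erin->alice:3"],
    ["bob->erin:4"],
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def merkle_root(txs):
    """Merkle root over the transactions (odd levels duplicate the last node)."""
    if not txs:
        return sha256_hex(b"")
    level = [sha256_hex(tx.encode()) for tx in txs]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [
            sha256_hex((level[i] + level[i + 1]).encode())
            for i in range(0, len(level), 2)
        ]
    return level[0]


def header_hash(header) -> str:
    """Hash of the block header; this is the value the next block links to."""
    return sha256_hex(json.dumps(header, sort_keys=True).encode())


def make_block(prev_hash, txs):
    header = {"prev": prev_hash, "merkle_root": merkle_root(txs)}
    return {"header": header, "txs": list(txs), "hash": header_hash(header)}


def build_chain(batches):
    """Commit each batch of transactions as one block linked to the previous."""
    chain, prev = [], GENESIS_PREV
    for txs in batches:
        block = make_block(prev, txs)
        chain.append(block)
        prev = block["hash"]
    return chain


def first_invalid_block(chain):
    """Return the index of the first block that fails verification, or None."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        header = block["header"]
        if header["prev"] != prev:
            return i  # hash link to the previous block is broken
        if header["merkle_root"] != merkle_root(block["txs"]):
            return i  # transactions no longer match the committed root
        if block["hash"] != header_hash(header):
            return i  # header was altered after the block was sealed
        prev = block["hash"]
    return None


def censor(batches, unwanted):
    """What a censoring validator does: never commit the unwanted transaction."""
    return [[tx for tx in batch if tx != unwanted] for batch in batches]


if __name__ == "__main__":
    chain = build_chain(SUBMITTED)
    print("honest chain:", first_invalid_block(chain))

    # Editing a committed transaction is detected in that block.
    chain[1]["txs"][0] = "carol->mallory:7"
    print("edited tx in block 1:", first_invalid_block(chain))

    # Rebuilding block 1 consistently only moves the break to block 2.
    chain[1] = make_block(chain[1]["header"]["prev"], chain[1]["txs"])
    print("block 1 rebuilt:", first_invalid_block(chain))

    # A transaction that was never committed leaves a perfectly valid chain.
    censored = build_chain(censor(SUBMITTED, "carol->dave:7"))
    print("censored chain:", first_invalid_block(censored))
```

The last case is the point made about Arizona's wording: verification passes, and nothing in the chain records that a transaction was left out.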
The Connecticut bill doesn’t do this. It continues by defining “Distributed Ledger Technology” as a critter which
“may include supporting infrastructure, including blockchain technology, that uses a distributed, decentralized, shared and replicated ledger, whether public or private, permissioned or permissionless, and that may include the use of electronic currencies or electronic tokens as a medium of electronic storage.”
This definition is both duplicative and incorrect.
Not all distributed databases are distributed ledgers, despite the fact that this bill treats them as one and the same on a plain English reading. Not all distributed systems are “decentralized,” either, despite the fact that the bill defines a blockchain system as “distributed and decentralized.” Similarly, not all blockchain systems are decentralized.
The term “decentralized” itself lacks a uniform and concrete definition in both (a) industry and (b) under any law in any jurisdiction of these United States or indeed the world. “Decentralized” is an adjective, like “fluffy” or “happy,” and the word has no place in laws deciding what software should or should not be regulated by the government.
“Why should we care?” I hear you ask.
Well, the problem with a sloppy and overbroad definition is that sloppy definitions lead to sloppy and overbroad application on businesses that the drafters didn’t intend to capture.
Second, the fact that Connecticut legislators felt the need to copy-paste other states’ terrible definitions reveals only that they and legislators of other states have absolutely no clue what they’re doing. It’s like stealing an answer key to a test, only stealing the wrong key: if everyone makes the same mistakes, everyone’s probably cheating.
Third and finally, banning non-compete clauses in employment contracts for software firms is a great way to ensure that software firms stay out of your state, and Connecticut needs all the jobs it can get.
Summing up, state legislatures have proved only one thing with bills that define “blockchain” incorrectly: that they don’t understand the technology. Accordingly they shouldn’t be writing laws that regulate it.
Legislators passing “blockchain” laws should keep it simple in the operative text, add necessary context in the preamble, rely on the Golden Rule of statutory interpretation — that is, follow the literal meaning of the words in a statute, except where the result would be absurd — in case of disputes and leave it at that.
If states want to promote the use of blockchain tech, they need to be advised by people who possess a solid technical understanding of what they’re trying to legislate, the commercial issues involved in deploying that technology, how to speak clearly about both of those things, and who are independent and disinterested.
If the current laws on the books are any indication, the states have a lot of work to do.
This is the latest installment of my column, Not Legal Advice, which now runs as a biweekly column on CoinDesk. As the name suggests, this is Not Legal Advice. Nothing I say is legal advice unless you have paid me a hefty retainer and signed an engagement letter. This installment of Not Legal Advice is the first to have run on CoinDesk. Read it here or read it below. Or don’t. It’s your life. Live it.
Much ink has been spilled over the last six years about the extent to which U.S. securities laws can and should apply to the sales of cryptographic tokens by protocol developers.
The default position that a conservative law firm will follow is that in the U.S. the sale of a token by a protocol developer before a token network is launched is the sale of a security. Current Securities and Exchange Commission (SEC) policy appears to say that, in the life of any cryptocurrency, there will come a point when the token has been distributed to sufficiently many hands and the network’s architecture is sufficiently distributed – or as SEC corporate finance director Bill Hinman put it in 2018, “sufficiently decentralized – where purchasers would no longer reasonably expect a person or group to carry out essential managerial or entrepreneurial efforts,” and thus the token ceases to be a security.
SEC Commissioner Hester Peirce, aka “Crypto Mom,” thinks the government should facilitate startups that want to have a go at turning their definitely-are-securities-today into maybe-not-securities-tomorrow. She has proposed a safe harbor to achieve this, whereby token startups will be given a three-year head start to take an ICO coin and turn it into a “decentralized” network, i.e. one which
“is not dependent upon a single person or group to carry out the essential managerial or entrepreneurial efforts… (such that) the tokens must be distributed to and freely tradeable by potential users, programmers, and… secondary trading of the tokens typically provides essential liquidity for the development of the network and use of the token.”
The three-year safe harbor period will allow protocol devs time to
“facilitate participation in, and the development of, a functional and/or decentralized network, unrestrained from the registration provisions of the federal securities laws so long as [certain] conditions are met.”
In other words, under the proposal, crypto projects would be able to sell securities to the public and work towards “decentralization” by, among other things, selling still more of these securities and creating a robust market for these securities, in the hope that engaging in the sale and marketing of these securities will turn them into non-securities, despite the fact that they will function in the marketplace exactly as securities do today at all relevant times.
This proposal would be hilarious if it weren’t so serious.
The most significant issue is that the proposal relies on a standard for “decentralization” which isn’t entirely certain today. Although the SEC has “decentralization” guidelines in print, projects that appear technically indistinguishable receive differing regulatory treatment for reasons that, to industry experts, are not immediately apparent.
Take, for example, Eos, Sia, and Telegram. Eos claims to have raised north of $4 billion in a year-long, rolling ICO that kicked off with the purchase of billboard advertising in Times Square, New York, at the Consensus 2017 conference. Sia did an unregistered ICO also, raising roughly $150,000.
Telegram, by contrast, endeavored to sell its tokens to US persons via the Rule 506(c) exemption of Regulation D. At a predetermined future date, Eos’ and Sia’s presale tokens converted to live network tokens. At a predetermined future date, Telegram’s presale tokens were to convert to live network tokens.
Eos was fined $24 million, or about 60 basis points on $4 billion, and walked away, and its once-were-securities-but-I-guess-now-they’re-not coins continue to be listed on major exchanges. Comparatively smaller offender Sia was fined $250,000, or twice what they raised, and walked away. Telegram, by contrast, drew an emergency injunction in the Southern District of New York and the project has ground to a halt.
Of course, there are reasons why the SEC might be friendlier to some startups and less friendly to others. For example, startups that approach the SEC and cooperate will be treated more gently than those that do not. But, fundamentally, the real problem here is that the SEC’s “decentralization” test, as currently used, and as proposed to be used in the future, is unquantifiable to the point of being unconstitutionally vague.
There is no agreed statutory or technical definition of what makes a project more or less “decentralized.” Even highly technically competent (and prominent) developers and industry marketers cannot agree on a uniform definition of the term, which more often appears to be marketing-speak than a definite, measurable quality. I struggle to see how the government should be in a better position to do so.
For this reason I would struggle to advise a client seeking to adhere to the “decentralization” test whether they are decentralized or not.
It's remarkable how dishonest the Facebook Libra technical documents are. They repeatedly describe Libra as decentralized, when it obviously isn't.
Reminds me of how often academics have lied to my clients, claiming their trusted consensus solutions are trustless/decentralized. https://t.co/UIGIBRgCXS
The only thing that is made clearer by this proposal is that, to paraphrase an industry colleague, “’blockchain technology’ and Mom & Pop investors don’t have lobbyists. Coinbase does.”
This proposal is fantastic for startups who need capital, market venues who need trading volumes to survive, and the lawyers who advise them. For this reason I don’t expect that many U.S. law firms will raise significant objections to this proposal which, if adopted, would almost undoubtedly be the single greatest creator of transactional legal work since the invention of securitization.
It would facilitate a headlong rush of issuers into the lightly-regulated crypto-capital markets as every company in the world sought to obtain American investors’ capital without selling them so much as a single basis point of equity or taking on a single dollar of debt, all without needing to sort out the details for 36 months.
If that’s the rule the SEC wishes to adopt and the result it wishes to bring about, that’s the Commission’s prerogative. I might suggest that a simpler approach would be for the government to approach tokens like it approaches Bitcoin: treat coins sold in an initial coin offering as something sold, a securities sale, and treat a mined coin as something made, a mere commodity, which will still allow for a great many experiments in blockchain tech to flourish without creating incentives for every company in America to launch its own token.
2) Crypto scam numbers on the rise
The Wall Street Journal reports on 8 February:
Seo Jin-ho, a travel-agency operator in South Korea, wasn’t interested in exotic investments when a colleague first introduced him to PlusToken, a platform that traded bitcoin and other cryptocurrencies. But the colleague was persistent…
His investment grew at a dazzling rate. He invested more—a lot more. In less than five months, he bought $86,000 of cryptocurrencies, cashing out only $500.
The story ends in a familiar way, with Seo Jin-ho losing all of the money he invested.
Crypto-analytics company Chainalysis estimates that after a fairly busy 2017 in which $1.83 billion was “invested” in crypto scams, 2018 was a quieter year. This is perhaps understandable given the noises that the SEC made from January through November.
In 2019, however, a staggering $3.99 billion – that’s billion with a B – was reportedly lost to crypto-investment scams. This suggests that regulatory intervention in 2018 was not aggressive enough to deter the continuing growth of “scam” activity.
Clamping down on scams is almost universally understood as an important prerequisite to mass adoption and acceptance of cryptocurrencies as a viable payment and financial services technology. When asking why investors seem so uniquely susceptible to crypto scams, it bears mentioning that each of the top ten coins in circulation was issued otherwise than through a regulated channel, with the SEC and Department of Justice, at least as far as the public is aware, declining to take action against ethereum, tether, XRP, litecoin, Binance Coin, bitcoin cash, bitcoin SV, and tezos, and taking a $24 million punt on EOS, despite there being identifiable promoters for each project (usually a notionally non-profit foundation but sometimes a for-profit entity).
The absence of an adequate regulatory regime means that a new “scam” project is virtually indistinguishable from one that has shed that label through accidental success. The marketing material for, say, ethereum and for any “scam” currency are primarily found on informal channels such as internet fora and Twitter promotional posts rather than in the form of an offering circular. The closest thing to “legitimacy” that any particular project can obtain is a listing on Coinbase or Binance, commercial actors with commercial interests that call for them to list and trade more coins in greater volumes, regardless of the gain or loss to investors.
A “safe harbor” that made it more difficult for retail investors to distinguish bona fide projects like Blockstack from known scams like OneCoin for a three-year period would likely undo much of the progress towards mainstreaming crypto adoption that has been made to date, which has seen large institutional players like Bakkt or Fidelity Digital Assets enter the space.
Social media companies will now be regulated by broadcast watchdog Ofcom, giving it the ability to fine and police companies such as Facebook, Twitter and Instagram.
Digital media and culture secretary Nicky Morgan announced that under the new legislation tech companies would now be held accountable for the content on their platforms.
The new legislation means companies such as Facebook and YouTube will be judged on their “duty of care”, and be liable for exposing users to illegal or damaging content. Until now, companies including TikTok, Snapchat and Twitter have for the most part been self-regulating.
tl;dr the UK government is planning to implement the Online Harms White Paper (the “White Paper”) it published in April of last year, despite the fact that the White Paper is dystopian and insane.
I could go chapter and verse about the UK Online Harms White Paper proposals, as some have done. However, I don’t want to do that, as much of the document, after a review, revealed itself to be a rationalization for implementing draconian Government control over digital speech. If you wish to read the document – which runs to 102 pages – you should. However, I can summarize the practical effects of the document very briefly as follows:
1) The British Government has a list of “harms” that it wants to expunge from the Internet
These “harms” fall into two general buckets.
First, there is a list of “harms with a clear definition” which will be banned. These include CSAM, immigration crime, extreme/revenge porn, harassment, hate crimes, encouraging suicide, inciting violence, and sale of illegal goods.
By way of comparison, some of this content is illegal in the United States where most of these technology companies are based.
Some of this content is not illegal in the United States.
Using online platforms to advocate for things can be illegal in the UK under several statutes, including, inter alia, the “encouragement” offences under the Terrorism Acts (which can be committed recklessly). Generally speaking, however, advocacy is constitutionally protected in the United States. There are certain limits around material support for designated foreign terrorist organizations, but insofar as the domestic political situation is concerned advocacy falling short of incitement is fair game.
While the U.S. has a concept of “hate crimes,” “hate speech” – punishable in England by Sections 4, 4A, and 5 of the Public Order Act 1986, as amended, and the Communications Act 2003 for online communications – is not one of them. Simply uttering a hateful idea is squarely within the protection of the First Amendment – “the proudest boast of our free speech jurisprudence is that it protects ‘the thought that we hate,'” wrote Justice Alito in Matal v. Tam (2017) – and the same goes for printing it online. Mind you, the presence of hateful speech online might go to proving motive for some other underlying offense, e.g. if your speech is threatening, interfering with a candidate for elective office, or the like, which (in the case of hate crimes) is usually an aggravating factor which is considered at the sentencing phase.
But hate speech per se is not a crime in these United States. Hate speech per se is, under several different content-based speech statutes, capable of being a crime in England.
Similarly, “incitement” as such is not necessarily illegal to the extent that the incitement is sufficiently remote from the possibility of actual violence being carried out. The applicable rule comes from the “imminent lawless action” test set down by Brandenburg v. Ohio, for example, and advocating in favor of violence or encouraging suicide can be constitutionally protected. (In the latter case, in most cases but not all – see, e.g., the manslaughter conviction of Michelle Carter, which – surprisingly – was denied cert in SCOTUS last month.) This is down to the fact that the U.S. First Amendment was designed to abolish forever English political crimes like seditious libel and Scandalum Magnum (an ancient fake news misdemeanor that was seldom used, as it required the prosecution to prove the publications were false – which seditious libel did not require).
U.S. technology companies are not obliged to take down or remove illegal material, subject to narrow and specific statutory exceptions, and are immune for its existence on their servers as long as they do not “materially develop” the content, due to the operation of Section 230 of the Communications Decency Act. That notwithstanding, they are obliged to respond to legal process from law enforcement and/or civil litigants when served with it. Accordingly tech companies with US operations are well placed already to answer legal process in relation to suspected offenses of these types and will have routine correspondence with state and federal law enforcement to respond to subpoenas, search warrants and emergency disclosure requests.
Companies will also have efficient means in place to deal with CSAM. When an interactive computer services provider in the U.S. detects CSAM, they’re already subject to a mandatory reporting obligation to the National Center for Missing and Exploited Children (“NCMEC”, pron. “Nick-Mick”) and must put in place a legal document hold for 90 days pending receipt of legal process from the FBI or other law enforcement agency.
Second, there is a list of “harms with a less clear definition,” including cyberbullying, trolling, extremist content, “disinformation,” violent content, and advocacy of self-harm.
These categories of speech are, generally speaking, not subject to prior restraint in the United States and in some cases are in fact protected speech under the First Amendment to the U.S. Constitution.
In some cases (bullying, intimidation) the position is slightly muddier as we have to ask when this type of conduct crosses the line from free speech into a common law offense like stalking or threatening, and there may be private causes of action available to the victim (libel, emotional distress, intrusion upon seclusion) which can also be wielded by the victim in a court of law against the perpetrator.
2) The British Government will force tech companies to police these “harms,” even where they are legal in England, and including many “harms” that are totally legal in the United States
As things currently stand, for the most part – aside from the mandatory reporting obligation mentioned above – US tech companies are not required to police user content. They’re required to respond to legal process from US courts. They’re required to respond to subpoenas that have been domesticated in a state where they can be served. Apart from that, they’re basically free to let their users sling whatever shit they want to at one another and are immune from civil liability for doing so under Section 230 of the Communications Decency Act, which I explain here.
The British government has decided:
The government will establish a new statutory duty of care to make companies take more responsibility for the safety of their users and tackle harm caused by content or activity on their services.
Compliance with this duty of care will be overseen and enforced by an independent regulator.
All companies in scope of the regulatory framework will need to be able to show that they are fulfilling their duty of care. Relevant terms and conditions will be required to be sufficiently clear and accessible, including to children and other vulnerable users. The regulator will assess how effectively these terms are enforced as part of any regulatory action.
The regulator will have a suite of powers to take effective enforcement action against companies that have breached their statutory duty of care. This may include the powers to issue substantial fines and to impose liability on individual members of senior management.
This proposal is actually very similar to certain provisions in the (likely unconstitutional) proposals being promulgated in the U.S. by Senator Lindsey Graham and Attorney General Bob Barr, cynically named the “EARN IT” Act.
People and companies complained. The British replied:
The Online Harms White Paper set out the intention to bring in a new duty of care on companies towards their users, with an independent regulator to oversee this framework. The approach will be proportionate and risk-based with the duty of care designed to ensure companies have appropriate systems and processes in place to improve the safety of their users.
The White Paper stated that the regulatory framework will apply to online providers that supply services or tools which allow, enable or facilitate users to share or discover user-generated content, or to interact with each other online. The government will set the parameters for the regulatory framework, including specifying which services are in scope of the regime, the requirements put upon them, user redress mechanisms and the enforcement powers of the regulator.
The consultation responses indicated that some respondents were concerned that the proposals could impact freedom of expression online. We recognise the critical importance of freedom of expression, and an overarching principle of the regulation of online harms is to protect users’ rights online, including the rights of children and freedom of expression. In fact, the new regulatory framework will not require the removal of specific pieces of legal content. Instead, it will focus on the wider systems and processes that platforms have in place to deal with online harms, while maintaining a proportionate and risk-based approach.
To ensure protections for freedom of expression, regulation will establish differentiated expectations on companies for illegal content and activity, versus conduct that may not be illegal but has the potential to cause harm, such as online bullying, intimidation in public life, or self-harm and suicide imagery.
Couple of things going on here.
First, the British government claims that they’re walking the proposal back because they promise to only police illegal speech and will let be other types of legal speech, e.g. “disinformation” and “trolling.” (TBD pending draft regulations and codes of practice.) The problem of course is that British speech codes are so vaguely drafted that any speech which is even mildly offensive can be, and is, caught within the definition of “illegal content.” There are reported cases where reading from the works of Winston Churchill or a Bible verbatim has been enough to result in arrest. We’re not dealing with a free country here.
The Public Order Act 1986, Malicious Communications Act 1988, Communications Act 2003, Terrorism Act 2000, Terrorism Act 2006, and Racial and Religious Hatred Act 2006, Part 3 would all be struck down in the United States, either for not being content-neutral, overbreadth, or vagueness (see e.g. the ratio of Norwood v. DPP, which is the current state of the law, versus the ratio in DPP v. Redmond-Bate, which preceded Norwood, was how the law on offensive speech stood in 1999, and was arguably overturned by Norwood). We have seen, time and again and as I expand on more fully here, what would be fairly inoffensive or even benign speech in the U.S. draw a conviction from an English magistrates’ court which is upheld on appeal.
Second, although the framework “does not require the removal of,” i.e. does not create a regime of mandatory takedown orders for, legally compliant content (subject of course to the proviso that virtually any offensive speech is capable of being illegal in the UK), the framework does not need to create a mandatory takedown regime for the British government to be able to force companies to remove legal content of which it disapproves. This has the advantage of being more plausibly deniable (copies of specific orders saying “take down this post” signed by an OFCOM official have a “Ministry of Love” vibe to them and won’t look good in the press, whereas a policy manual saying “this type of post is harmful” won’t offend the nanny staters quite as much).
To the extent that a code of practice adopted by OFCOM penalizes social media companies for hosting speech which is highly offensive but not illegal, social media companies will be obliged to remove the content if they wish to avoid the British penalty.
See, e.g., the UK’s Counterterrorism Internet Referral Unit, or CTIRU, operated by the Met. CTIRU sends notifications to interactive computer services providers of content the British government considers illegal under antiterrorism laws, generally extreme political content. CTIRU does not, however, issue process, e.g. search warrants, or orders, e.g. RIPA notices, with a view to ascertaining the identity of the sender and enforcing the law in relation to that content.
CTIRU is a censor. The consequence of the notification is that the provider could be held liable in a British court for the content; the e-commerce directive provides similar coverage to online service providers as the US Section 230, but there is a proviso under Art. 14(a)(1) of the e-commerce directive that “actual knowledge” of illegal content removes that immunity.
So by conceding that the
new regulatory framework will not require the removal of specific pieces of legal content
…nothing has really been conceded at all. As we said above, it’s not hard for a British prosecutor to argue that speech which offends – no matter the content – is illegal. And a promise that Ofcom won’t be able to compel the removal of specific “offensive but legal” content is not the same thing as a promise by the government that it won’t allow OFCOM to penalize social media companies for hosting it. Although the existence of penalties for failure to comply with the Online Harms regime plus notification under Article 14(a)(1), which still applies in Britain during the transitional period, should not constitute a “political content takedown order,” it should effectively amount to a strong political takedown request or suggestion, with penalties possible if enough of such suggestions are ignored.
Third, it is still unclear what obligations companies will have to actually comply with. The Government says that
regulation will establish differentiated expectations on companies for illegal content and activity, versus conduct that may not be illegal but has the potential to cause harm
but of course, if we look back to the White Paper, we’re not going to know what those obligations are for some time. It seems that any Bill will delegate most of the authority for developing these responsibilities to OFCOM, the British telecommunications regulator, which will then
“[set] out what companies need to do to fulfill the duty of care, including through codes of practice” and take “prompt and effective enforcement action in the event of non-compliance (as set out in Chapter 6)”.
These powers may include, inter alia, the power to levy fines, compel additional information regarding the breach of the practice code, compel “third party companies to withdraw any service they provide that directly or indirectly facilitates access to the services of the first company, such as search results, app stores, or links on social media posts,” mandatory ISP blocking, and creating new crimes for failure to obey OFCOM’s diktats.
This is truly Orwellian. The British government is suggesting it should have the power to order companies falling under its jurisdiction to destroy any other company which refuses to obey British content standards but is following the content standards of its home jurisdiction (otherwise it would have been shut down already by domestic authorities).
If enacted, this should be a frontal attack on the First Amendment.
3) Global enforcement will be complicated and likely ineffective
Speaking as one who advises small companies, all of this compliance is going to be extremely burdensome and make the U.S. look like a much more attractive place to open up shop online (which it is already, but will be more so if these proposals are implemented).
Much of this will be hard to enforce. The real worst-of-the-worst baddies will not wind up using services like Facebook but will likely wind up running their own metal and rolling out their own cryptosystems. (Baddies using mainstream services give away their IP, user agent strings, and other identifying data which makes them easy to find.)
Since the baddies can migrate off of Facebook as easily as one logs into another service using OAuth, the only real, effective purpose of this proposal is to turn OFCOM into a morality regulator online that makes social media firms enforce British legal conventions on speech and conduct… without the British having to expend police and court time and resources to get the desired result. As more and more decentralized content providers, e.g. ActivityPub or LBRY, crop up, it will be impossible to find a corporate entity to hold to account for web content which will be sharded and stored overseas.
If enacted it is therefore likely to only affect essentially law-abiding but politically edgy British domiciliaries, like Count Dankula, using British services or US services that are big enough to want to maintain corporate presence in the UK. So all of the big players, but by no means most of the players in numerical terms.
Companies in the United States don’t have to obey British court orders. To the extent a British regulator sought domestication of a British regulatory determination or court order in a U.S. state such that it would become binding on a U.S. person once served, under no circumstances would a British determination or court order survive that process if it were unconstitutional.
Most of the Online Harms regime, as proposed, would be unconstitutional on its face and virtually all of the Online Harms regime, as proposed, is likely to be unconstitutional as-applied. Orders issued thereunder and penalties levied will therefore be unenforceable before U.S. courts (in e.g. an MLAT procedure or where seeking to enforce a money judgment).
My prediction is that many online companies will choose to re-domicile or withdraw from the UK before subjecting themselves to this hugely burdensome regulatory regime. If this regime is enacted, OFCOM will essentially attempt to serve as the world’s morality police; it will not, however, have any power outside of the UK’s territorial boundaries.
If the UK feels like destroying its tech industry with burdensome regulation and extremely labor-heavy (and legal advice-heavy) compliance obligations, go right ahead, knock yourselves out. More billable hours for me.
Two facts belie the stated purpose of the proposal, to “impose a duty of care to protect social media users from online harms.”
First, the UK government and its counterparts in the USA already have adequate powers to address serious crime.
Second, both governments have inadequate powers to restrain trolling and offensive political rhetoric – in the US because of the First Amendment, and in the UK, because there are not enough prosecutors and police to investigate, try, and convict every Internet troll that violates the provisions of the Communications Act 2003.
Third, trolling and offensiveness are what users want. If users didn’t want to encounter trolls and edgy politics on the Internet, they would not be on the Internet and have social media accounts. If they dislike the experience they are perfectly capable of either logging off or using their block buttons, or in extreme cases, bringing an action against other internet users.
So we see the purpose of the proposal is not to restrict content to protect the people, who are perfectly capable of protecting themselves. It is to protect the state. In particular it serves to protect those programmatic objectives of the state which are most subject to vitriolic criticism on the Internet, as well as adjacent “offensive” content, in relation to which prosecutors will use the broad discretion granted to them under English speech codes to suppress and terrorize anyone who dares possess and express a controversial, irreverent, or iconoclastic thought.
I am a child of the global financial crisis (GFC).
I’m not an economist, but I spent the first half of my professional life working out the consequences of the last debt crisis, the existence of which most economists missed until it was far, far too late to stop. Any securitization lawyer who still had a job in the wake of the GFC – between New York and London there were probably a few hundred of us – will know exactly what broke in these transactions, what modifications needed to be made to fix them, and who needed to take a haircut as these fixes were implemented.
If you don’t know what securitizations are, those are the structured debt transactions which nearly brought down the economies of the Western world in 2008, an event that was stopped only by massive government and central bank intervention.
As a paralegal in a big city law firm’s securitization team in 2007, I remember reading about the gradual ticking up of default rates in the outer boroughs of New York City and asset writedowns by big banks. I was living in the City of London when Lehman went down. I remember the images of bankers clearing out their desks. I remember the long faces worn by all of the other bankers who remained employed, that week. I remember Bear Stearns going down earlier that year, and friends from university losing their first jobs. I remember the conference room on the top floor of the shipping company’s headquarters across the street from my shoebox-sized (25m square) apartment on Charterhouse Square in which I lived in my final year of law school, ablaze with light at midnight as its officers tried to position the company for the coming storm.
I remember it being overcast, drab, and gray, just like the boring, too-small suits British professionals tend to wear. I remember reading about how the overnight lending markets froze up – completely. I remember, months later, hearing how the United Kingdom was less than twelve hours away from ATM machines being switched off.
It was the end of the world. I will never forget any of this as long as I live.
I started my first job as a junior lawyer in 2009, at the same firm where I had worked as a paralegal. I spent the next five years of my career being principally concerned with securitizations. Specifically, I worked on teams that took these transactions apart, and personally spent most of my billable hours drafting documents or doing diligence for transactions that restructured or unwound deals that had gone, or were on their way to going, south. The bonds in these deals failed because they were backed by cheap debt, which itself was backed by worthless assets, the prices of which had been vastly inflated by the availability of cheap debt. What many of them shared is that the cheap debt never had any chance of being repaid on schedule, if at all.
This cheap debt therefore had no business ever being originated. Yet it was.
NIRP and the potential for an associated out of control “NIRP Bubble” gives me the willies because it is the ultimate creator of cheap debt. It creates systemically cheap debt. Cheap debt looks like a great deal at the time for happy borrowers. NIRP reduces the price of money itself – it makes low rates systemic across virtually every category of borrowing (unlike, say, mortgage securitizations, which confined the cheapest debt to secured loans – although the attendant boom also loosened credit conditions generally). It turns every man, woman, and child in the Western world into happy borrowers whenever we borrow. But, as with the subprime crisis, debt cannot stay cheap forever. Cheap debt eventually becomes expensive debt. And when that happens, if the debt load is too high, you get a debt crisis.
NIRP is very possibly laying the groundwork for a massive debt crisis which will be as obvious to our children, in hindsight, as the subprime bubble seems to us. “Well of COURSE people shouldn’t have overstated their income and taken out ARMs they couldn’t afford.” Well of course we shouldn’t have funded state entitlement programs with trillions in low-interest debt and ensured our governments and, by extension, our societies were addicted to low interest rate revolving credit facilities writ large.
Central bank rate setting is basically an adjustable rate mortgage for states and their entire economic systems.
The problem is that here the central banks, though nominally independent, are in fact subject to the whims of the political apparatus, and NIRP/cheap debt solves a lot of short term political problems. Not only does it juice the economy (longest bull run in history!) but it prevents governments from needing to make what Habermas identified in Legitimation Crisis as their most fundamental choice in resource allocation – between the demand for welfare by the populace and a low tax burden by enterprise – and putting that risk off for the future in the form of debt, which accumulates as and is quantified by the annual budget deficit and accumulated debt balance.
Habermas understood that this is a very dangerous game. States are, when they do this, creating expectations of satisfaction of what he termed “programmatic demands,” i.e. “stuff the population expects will get done, otherwise they’ll revolt.” The title of the book, Legitimation Crisis, refers to Habermas’ description of what happens when a state is ‘no longer able to satisfy the programmatic demands it has set for itself.’ The risk breaks out into the open, leading to the untethering of institutions and political expectations, upheaval, and revolutionary change. Accumulating debt is the process of deferring making hard choices between certain programmatic demands. When a state does this it reduces political risk in the present by increasing political risk in the future.
NIRP is the ultimate expression of state-sponsored entities kicking the can down the road.
We see this happening in places like Venezuela or Zimbabwe, but we think that it cannot possibly happen in the United States. We’re smarter than that. We’re bigger than that. We’re better than that, we think.
But the thing is, we’re really not.
I’m sure Leonid Brezhnev once said something similar. The Soviet Union posted some solid growth numbers and was the center of half the world too, once upon a time.
The subprime crisis got its start when hitherto-illiquid markets for real estate got access to global capital markets and cheap debt. Cheap debt appeals to the eternal human proclivity towards high time preferences. So when we flood the world in it, this financing is going to be taken up and used. With gusto.
Increasing central bank balance sheets and budget deficits across the Western world indicate this is exactly what’s happening. Yet central bank governors don’t see the monster they’re creating.
NIRP is fairly new, so I’m not saying that some debt disaster is going to happen now, or next year, or even the year after that. What I am saying is that where deficit hawks might have been wrong in the past, a stopped clock is right twice a day – and NIRP might be a critical element, a missing piece, the unforeseen development, that finally makes that narrative, which while logical has consistently been wrong, relevant.
There are a couple of critiques I’ve seen of this view, that NIRP will create a debt crisis.
“So they’ll never raise rates again. Easy.”
Then they’ll have inflation. Which is equivalent to default, is already here in asset prices, and is starting to bleed over into the rest of the economy. Some say the fact that Taco Bell managers are getting paid $100,000 a year is due to “tight labor conditions.” One could argue that the tight labor conditions are the result of a glut of cheap money. Time will tell.
“The Fed can always keep rates low by buying new notes.”
Do not need investors if Fed willing to keep rates low. Yes, unexpected inflation can be a "real" default. Or, it can be a state-contingent "haircut" that is implicitly agreed to. Everything depends on how wisely debt/expenditures are managed, not the debt per se.
Debt hawks like Ron Paul are widely disbelieved these days, I think, because central bankers got away with QE without hyperinflation. As a result, they think they can get away with anything.
This critique works now. It does not work when there’s a crisis. As with all crises, the next one cannot be foreseen with absolute certainty, so folks usually assume that things will continue as they are and venerable institutions like the Federal Reserve will always have clever enough boffins with effective enough tooling to allow business as usual to continue.
It is not a stretch to assume that in a future crisis those tools will have long since run out of potency. This is widely acknowledged across the banking industry.
The likes of the European Central Bank and the U.S. Federal Reserve have “no conventional measures left to effectively cushion” the blow of a “real economic crisis,” Christian Sewing said at the Sibos banking conference in London.
Central bankers bravely assert that they can always use unconventional tools. But there may be less in the cupboard than they suppose. The efficacy of further quantitative easing in an environment of well-functioning markets and already very low medium-term rates is highly questionable. There are severe limits on how negative rates can become. A central bank forced back to the zero lower bound is not likely to have great credibility if it engages in forward guidance.
NIRP can’t work forever. Eventually rates will go up or something will break. That may take the form of inflation or hyperinflation. I query how long the Fed will be able to keep rates low while people use wheelbarrows of cash to buy bread, which is where helicopter money eventually ends. If Venezuela is an indication, a central bank can engage in insane behavior for a very long time, but I suspect the non-unitary nature of the American state and the sophistication of federal constitutional arrangements would prevent a bonkers monetary policy from holding sway for very long.
Also, this isn’t a U.S. problem but a global one. Saudi Arabia, for example, has a $12 billion dollar-denominated note out there. If it were to redenominate to Riyals, print the Riyals and use that to satisfy investor claims, that would be a default. The privileges attendant with being the backbone of the global financial system accrue to one country only, the United States, and at the moment we seem to be doing everything in our power to lose that position.
“How do you default on a negative rate note?”
You don’t necessarily have to default on that note to suffer the consequences of a default. You can effectively default by triggering runaway inflation and printing money. You can also default on some other obligation you can’t pay because you have an enormous debt load and can no longer issue new notes because the market won’t lend to you affordably or at all. That’s still a default and will affect your ability to tap capital markets.
The first things to freeze up during the global financial crisis were revolvers like ABCP and short term loans like the overnight market. The government debt sector is basically a huge RCF. Modern Western governments will cease to function if they can’t issue more debt. Freezing them out of the capital markets, even for a short amount of time, would be enough to cause an immediate political crisis.
So when will all this happen?
Who knows? This is not even a theory, more a hunch, a feeling that we’ve been here before and our leaders have failed to learn from their mistakes. This post is an introductory argument based on that hunch. I leave it to folks with advanced degrees in mathematics to model and quantify this hunch. 50-year lows in unemployment and all-time highs in the stock market don’t tell me that I should sit back and enjoy the ride. These things tell me something all-time extraordinary is happening.
I could be wrong, another debt crisis may never happen, and NIRP may herald the beginning of a glorious new era where debt is infinitely cheap and growth continues forever. My instincts tell me that forever growth will not be the end result of NIRP. I think the end result is that large debts will get accumulated, lenders will begin to lose confidence that these loans will ever be paid back, rates will go up, and debts accumulated will either no longer be capable of being serviced or revolving facilities will no longer have buyers.
Crises generally break out when there’s a shock.
I think the shock required to shake the world will need to be of global proportions. Who knows what it’ll be. A big war? An invasion of space groundhogs dropping out of warp in low Earth orbit, sent here by the Marmot Star Empire?
Maybe. But I think it’ll be something that initially looks small and contained, but which scares the hell out of investors due to its macro implications, which will set off the next big crash. And we’re not talking about a correction (which we’re overdue for anyway) but a really, really big crash that could be years off.
If Ghawar Field runs dry before our species cracks fusion, say, in the next decade, that might do it. Everyone’s growth projections would be revised down and it might become apparent that countries with huge debt loads can’t grow enough to repay them.
To conclude, all I know are two facts. First, that rates today are lower than at any time in recorded history; second, that for all our technology and sophistication, we are nonetheless subject to the same laws of economics and thermodynamics as our ancestors.
I preface this blog post – part of my Not Legal Advice series – by stating that it is absolutely not legal advice and I am not your attorney. See disclaimer. If you have an engagement letter that is signed by both of us and you have put a retainer on account, then and only then am I your attorney and then and only then am I giving you legal advice.
The below is provided for general informational purposes only.
They received 710 requests impacting roughly 1,222 accounts. That’s just a hair under two requests per day, or, as Kraken CEO Jesse Powell put it on Twitter, “3 if you don’t count weekends!”
ShapeShift CEO Erik Voorhees took a rather dim view of Kraken’s situation:
Kraken has to deal with two formal surveillance requests per day. This is so sad that productive industry is being diverted like this. It makes a poorer world. The government is spending Kraken’s money to do police work. https://t.co/aHUtlKwFlH
That’s a lot of requests, but not a crushing amount; I would imagine Google and Microsoft get more. EDIT: Although I had thought one full-time paralegal should be enough to handle that kind of workflow, at least in terms of triaging the requests and initiating exports of user data, Kraken CEO Jesse Powell chimed in to indicate that the cost of servicing these requests was considerably higher:
Actually, the cost to service these requests was over $1m in 2019.
Clearly, government inbound creates significant overheads – although practically every major company (Google, Microsoft, Facebook, Uber) has a team dedicated to precisely that task, in many cases headed up by a former law enforcement officer or prosecutor. The greater the volume of requests, the more expensive that business function becomes.
Before I go further, I should add: I’m a libertarian. That means that, in my heart of hearts, I don’t like government overreach or state surveillance, or state power for that matter. But I’m also an attorney (in the US) and a solicitor (in England), which means that I have to live in the real world where government has these powers and businesses large and small are obliged to respect them.
If you run a small to medium-size enterprise in crypto that deals with the public, you will get hit with a subpoena or a search warrant at some point. It’s inevitable. For folks who haven’t been served with one of these before, it can be unnerving to leaf through a court order that says YOU ARE COMMANDED TO APPEAR and IT IS HEREBY ORDERED in bold font.
So what do you do?
1) Don’t panic. It’s (probably) not about you.
Yes, it’s entirely possible that you’re the target of this legal process. But if you’ve never been served with government process before, chances are good that if the subpoena is asking for disclosure about one of your users, customers, or subscribers rather than your business operations, it’s not about you. Your lawyer will tell you what the score is.
If it is about you, you will need to respond. However, for businesses that do a lot of transactions (data or financial) with the public, it’s much more likely that preservation letters, subpoenas, warrants, or other forms of request for information aren’t about the recipient but rather are about a user of the recipient’s service, e.g., someone who sets up an account to buy Bitcoin on a Bitcoin exchange.
2) Even though it’s (probably) not about you, don’t talk to the government without the assistance of counsel.
Your lawyers should be doing the talking if any talking is to happen at all. If you really feel the need to talk with the government about the data request, go talk to your lawyers, and we will talk with the government. We deal with this stuff for a living. You don’t.
Also in the don’t-talk-to-the-government column is that when you do communicate with the government you should be exceedingly polite. Do not do something like this or its written equivalent:
When you’re served with a data disclosure request by law enforcement your job is not to make a point, even if you’re a libertarian. Your job is, at minimum, to respond to the document request as completely as you can while also protecting your interests and the interests of your business. If you’re feeling particularly civic-minded, you could also say that by being responsive to law enforcement you’re helping to keep your fellow citizens safe.
It is possible to do this without acting like a jerk. If you get an e-mail containing legal process, you don’t have to respond right away (although generally it’s courteous to let the other side know it has been received, you can let your lawyer do that – more on that below). If a federal agent calls you on the phone, get his name, phone number, and e-mail address, thank him for calling, and let him know your lawyer will call him back.
3) Preserve all documents and data.
Don’t destroy or delete anything the request could have conceivably asked for. Back it up immediately.
4) Things to be aware of before you call your attorney
4A) There (probably) isn’t a rush to respond.
There (probably) isn’t a rush to respond; look on the face of the subpoena and it should have a deadline for production on it, and that date is likely to be several weeks or even a month from the date on which the subpoena has been served.
The primary exception to this is where the government is asking for disclosure of user/customer data on an emergency basis, due to the existence of a life threatening emergency, which the government can ask for under the federal Stored Communications Act.
America is a free country, so you aren’t required to comply with any information request that is unaccompanied by legal process; however, refusing such a request when the police have advised you that there’s a life-threatening emergency (a) isn’t a good look, (b) is going to really piss the government off and (c) means the government is likely to come back later with a subpoena or search warrant compelling the disclosure anyway, and they’re not going to be particularly friendly when they do.
If you run a large business, you already have a legal department that deals with these things. If you run a small business, you don’t, so make sure you have an attorney or member of in-house staff who is responsive. By this I mean when it’s 10:30 PM on a Saturday night and you get an e-mail from the FBI’s National Threat Operations Center requesting emergency disclosure of subscriber data, your attorney or staffer is willing to drop whatever he is doing to make himself available to field that request.
The law doesn’t sleep and neither can your compliance function.
4B) You (probably) don’t have to appear anywhere.
If you’re dealing with a grand jury subpoena, I know the document says in bold and all caps “YOU ARE COMMANDED to appear at the Marmot J. Squirrelstein Federal Courthouse on [date] blah blah.” There’s also (probably) another line, which is not in all caps, further down which says “In lieu of appearance you can provide documents” and that’s (probably) what the government wants. But you will want to confirm that with your lawyer.
4C) Don’t tell any third parties about the information request. In-house, ensure knowledge of government requests is kept on a need-to-know basis.
Document preservation requests, subpoenas and search warrants are often paired with non-disclosure orders that prohibit the recipient from discussing it with anyone except need-to-know staff and the company’s lawyers. Unless you have successfully challenged those orders, you must obey them.
Which brings us to the next step:
5) Call your attorney immediately after you’ve been served.
If you want to fight the order or object to the scope of disclosure, you can, but it’s not going to be cheap. If you’re a startup in the US without a sophisticated legal department with a big budget, challenging a domestic US order will not be easy.
I know plenty of seasoned litigators who are experienced in this area and will be happy to refer you to them. In the alternative, call up the ACLU or the EFF, as Signal recently did to get a gag order lifted.
If you’ve never received a request for information, document preservation letter, national security letter, grand jury subpoena, administrative subpoena, search warrant, or emergency disclosure request before, call your attorney and he or she will help you understand what kind of document you’ve received and what that document requires you to do – not all government data requests are the same, and not all are mandatory. Different agencies have different powers to ask for different kinds of information (and to prevent you from talking about the matter). Depending on what type of business you run, different statutory powers will authorize these requests and govern what your obligations are in relation to them.
If you’re based in the U.S., and the request comes from outside the U.S., you may have the option of refusing the request. Or you might not, if the request was validly made under a Mutual Legal Assistance Treaty, or “MLAT”, agreement. Your lawyer will help you parse your options.
If you have received a data request before, you should already have a protocol in place for dealing with them. Which brings me to my next point…
6) Plan ahead.
With any online business it’s possible to almost fully automate data production. You will need to balance the ease of automation with the requirement for data security. Err on the side of security.
The bulk of the U.S.-source requests you will get will be subpoenas. Subpoenas issued under a particular statutory authority tend to request the same type of information as every other subpoena issued under that authority, and businesses tend to focus on particular types of commercial activity, so you should have a pretty good idea ahead of time what sort of information you’re going to be asked to provide.
Make sure you have a system in place where a small number of highly trusted staff have the ability to securely pull the requested data and provide it to law enforcement on short notice.
7) Your company can have a productive dialogue with law enforcement, but you have to let your lawyers do the talking.
In my experience, law enforcement officers and state prosecutors are courteous, highly professional people. However, they have a job to do. The mission comes first.
There’s no reason why you and your business can’t be on good terms with law enforcement or even helpful to law enforcement. However, your first concern should be to ensure that, in all your dealings with law enforcement, your interests are protected. The best way to do that is to run communications with law enforcement through your attorney and in writing.
For example, suppose that one day, a few weeks after your lawyer provided a response to a subpoena, a friendly FBI agent calls you up and asks to have a casual sit-down over coffee to trade notes. She’s a nice person with a friendly demeanor, is just passing through town and is interested in Bitcoin and all things crypto.
You will think having that sit-down is a good idea, because you want to be helpful, don’t want to be rude and hey, it’s always nice to meet new people operating in your space.
Always decline these requests. At the very least, let your lawyers know that you’ve been contacted. If you want to be of assistance to law enforcement, be of assistance – through your attorneys. Ethereum dev Virgil Griffith had several such sit-downs and he has had to hire the best criminal defense lawyer in Bitcoinland, Brian Klein, to clean up the mess. Even if you are completely innocent of any offense, as most people are, let your lawyers do the talking.
Law enforcement will understand completely if you refer them to your counsel. They won’t think of you as rude. If they were in the same position, it’s what they would do.
And that’s it!
Summing up, if you run a business in crypto, and that business has users from the general public, it’s a virtual certainty that, at some point, the government is going to ask you to provide information in connection with an investigation.
Generally, these requests pertain to the commission of serious crime. Generally these requests are neither capricious nor unreasonable.
Dealing with these requests, and dealing with law enforcement generally, can be easy or hard. Regardless of one’s politics, keeping your business on good terms with the state is, generally speaking, the better business decision, if for no other reason than the fact that the U.S. government is bigger than you and has unlimited money and time.