07/01/2019 - Expert Witnesses Dr Stephen Castell Discusses Blockchain vs. Trust: Cryptic Expert Issues

by Dr Stephen Castell CITP MEWI*

An article for the Newsletter of the WitnessDirectory.com, the directory of expert witnesses serving the US, Uk, Australia and global adversarial systems.

Crypto: the Millennials' Rock'n'Roll

"Blockchain technology introduces permanence and immutability into the digital world. ... Three aspects are needed to build a modern society. The first is memory. ... The second is communication. ... The third component, which underpins the other two, is trust. ... everything runs on trust. We trust our banks to keep our money safe. We trust Google with our personal and work emails. We trust the courts to make unbiased decisions and keep proper records. Memory and communication are of limited use in the absence of trust.

For the most part, this trust is not misplaced. Banks and courts are highly regulated entities ... But this trust is still a human affair, and hence regularly betrayed. ... trusts costs money. We pay these institutions a trust tax, which in practice translates to thick legal agreements and insurance premiums. ...
Enter blockchain. Blockchain is the technological revolution that commoditizes trust. ... by integrating trust on an infrastructural level into any service built on blockchain. Trust normally has to be enforced via laws, courts, armies, and other costly, fallible institutions. Replacing these with disinterested cryptography promises a revolution in the way we enable trust. ...

[This brings up] the right to be forgotten. A law that grants individuals, under some circumstances, the right to demand of websites that they remove information about themselves. However, in a distributed consensus system like blockchain, enforcing the right to be forgotten becomes technically impossible. ...
As technology becomes part of our extended mind, the right to be forgotten can be construed as tantamount to memory manipulation. You might think that this is an important and necessary thing we have to do in order to protect social harmony, or you might loathe it as an entrenchment on your individual freedom. Blockchain technology, however, has no opinion. It takes no ethical stance. It protects our collective memory from adulteration, ill-intentioned or otherwise, with no regard for whatever the consequences may be."
Julio Santos, November 14. 2017 [1]

It is difficult not to notice the vigour and pizazz of the current mania for Crypto-Algorithmic Blockchain Technology and it is a fair bet that there is far more being written about, energy going into, and money being invested in (gambled on?) Bitcoin and other cryptocurrencies, blockchain, smart contracts and distributed ledger technology than even into Artificial Intelligence (AI). Almost every other person you run into, particularly if a Millennial, seems to be involved with an Initial Coin Offering (ICO) or Initial Token Offering (ITO). With just a 'White Paper'. little or no investment due diligence, and taking advantage of a regulatory vacuum, this 'Crypto Tribe' are raising billions in real legal tender, 'fiat currencies'. This substantial finance-raising is being used to fund fantasy coins and tokens – with no more obvious or established economic utility or asset value than, well, a bar of gold - in the hope of developing and successfully launching a plethora of brave new business and social ideas, products and services, heralded by enthusiasts as a whole new 'crypto-economy'. [2]

No doubt a few of these will prove to be commercially-successful, reputable, significantly disruptive game-changers, and usher in the possibility of some sort of new - trusted - global 'crypto-economy' paradigm. But at the moment, one can be forgiven for believing that most ICOs/ITOs, cryptocurrency 'mining', and crypto-coin trading exchanges have already been largely taken over by the 'black cash' of drug-dealers and the like, and in a substantive not-easily-reversible way.

Many of the Millennials, let down after the post-2008 credit crunch by governments, the banks, and educational system, and, it appears, largely not needing to be subject to Know Your Client (KYC) and Anti-Money Laundering (AML) strictures, may not be too worried where they get their ICO money from, or how it is actually going to be (accountably) spent, or whether that will result in a viable business. Nevertheless, and leaving aside the fraudsters and money-launderers, I wish these crypto-enthusiast Millennials well. Indeed, I have dubbed ‘Crypto’ the Millennials’ Rock’n’Roll. Some of us were lucky enough to have lived through the exciting birth of the Real Rock Thing, sixty years ago and, still regularly feeling its enduring foot-tapping tingle, I simply say: Rock On, Millennials!

I myself suggested, over thirty years ago, just such a new, disintermediated wholly digital cash currency, in a letter published in July 1995 in Computing magazine:
"... As cybertrading grows, the new, powerful common electronic trading currency will be 'owned' by no single physical nation state, central bank institution, economic or political grouping. We could even call it the ECU. Not the European Currency Unit, of course, but the Electronic Cash Unit".

And, long before the Millennials were even born, in a fictional article. 'Ye Nom De Das Geld', in the December 1971 issue of GONG (the student magazine of the University of Nottingham) I went even further with my conceit of a 'Post-Purse Paradise':
"Brother and sisters, I welcome you to the post-purse paradise. ... Geld is in heaven, all's well with the world. ... Cromstock and I first mooted the possibility of an Economic Reformation taking place in Britain in The Journal Of Comparative Economics during ... 1969. ... to put into practice ... the tenets of the Quasicurrency Theory which I had been formulating over the preceding twenty-five years. ... " [3].

It may well be that many, probably most, of the current species of cryptocurrencies, currently digitally ‘materialising’ daily, as if by magic, through one ICO or another, will fade away, and/or at some point be regulated out of existence. Blockchain applications generally however are undoubtedly here to stay. The majority of these will be serious, robust implementations, by established major corporations, with most of us, as consumers, hardly needing to know about the technical, legal or operational details. It seems clear that, within a few years, an extensive settled, but vigorous and continually innovating. 'blockchain applications industry' will be in place, one bearing little resemblance to the frantic cryptocurrency 'bandit territory' landscape of today.

Blockchain: Sceptical ICT Professionalism and Legal Due Diligence

As an ICT expert and professional I am however duly cautious about this newly unfolding 'crypto-economics’' blockchain landscape. This caution is a proper part of being a skilled professional applying knowledge and experience to assess the most appropriate tools and technologies for a given (business or other) application's requirements. The savvy ICT expert bears in mind, for example, not only that there are no finalised international/ISO standards yet for blockchain (eight standards are in development under ISO/TC 307), but also there is far more to specifying, designing, developing, testing, deploying and maintaining an appropriate complete QA-assured system than just ‘the blockchain bit’. And whether to use blockchain as a component at all for a given business/system requirement is of course a critical feasibility exercise that the seasoned professional will know is essential.

It should be no surprise if a diligent ICT systems engineer may conclude, on an experienced expert assessment, that many things can be achieved just as effectively by other means.

He or she will carefully and responsibly consider all the pros and cons to ensure that the non-expert customer/client/investor/employer (to whom a professional fiduciary duty is owed) gets the most suitable, ‘fit for purpose’, secure, robust and performant system available, and takes properly risk-assessed competitive advantage of any new developments in technologies, tools, methodologies and processes (and always consistent with the budget/price willing to be paid, of course) [4].

Furthermore, the legal status of cryptocurrency, smart contract and distributed ledger technology is not clear, or uncontentious. In the USA, there is already ICO litigation on foot. [5]. Having been involved in advising on ICOs, prior to launch, I have encountered some significant tensions and challenges between the crypto-enthusiastic, blockchain technical specialist, and the sober business development objectives of, and the professional due diligence to be done for, the putative ICO-issuing company owner or managing executive.

Consider, for example, this scenario: a highly proficient, high-profile, software engineering entrepreneur and thought-leader, let us call him Joshua, a US citizen, reckoned by many to be one of the most experienced, and imaginative, technical and regulatory experts in the blockchain and cryptocurrencies field, is in the process of developing and launching various Initial Coin Offering ventures and services. Joshua asserts “nobody knows more about how to do this work in the right way, in compliance with every single rule and regulation, than I do”. In particular, there is a substantial going-concern OTC-listed company, let us call it XYX-CAP, Inc. ('XYX-C'), which is poised to do an ICO, designed, led, promoted, launched and actioned-to-market by Joshua.

The following queries and issues arise:

(1) If the XYX-C Coin created by this ICO is likely to be deemed by any relevant (US or other) regulatory or law-enforcement authority to be 'asset-backed', and for that reason (or, indeed, any other) equivalent to issuing a security, would it not be advisable, 'just to be safe', to seek securities regulatory approval for this ICO before it is publicly launched? If so, what exactly is the relevant and correct ‘securities regulatory approval' to be sought, with whom, where, etc and how does one go about that, correctly, accurately and timeously?

(2) Joshua says "It's very important to be aware that this is an open community blockchain project. This necessarily involves launching something that will have the XYX-C name attached to it in perpetuity, but giving up exclusive control of what it becomes", If the CEO of XYX-C is not wholly comfortable with this, are there any sensible steps that XYX-C can take to protect its name, brand and trademark to counter (or at least ameliorate) 'giving up control of what it becomes'? If so, what, and how, and at what cost to put it in place?

(3) Suppose this ICO goes badly wrong at some point, and either the XYX-C company, or the public at large investing in the XYX-C Coin, claim they have lost money, or otherwise been damaged by taking part in its launch, and also claim that Joshua, and/or I, made misrepresentations, and were negligent/fraudulent, and thus seek reparation from or, worse, criminal prosecution of, us, what can he and I do to avoid, or protect against, that possibility, or its consequences, at the outset, i.e. before the ICO is launched publicly? Are there any sensible legal and practical protective steps we can take? [6]

The 'Right to be Forgotten'

Sceptical ICT professionalism and legal due diligence apart, the ‘Right to be Forgotten’ may in and of itself be something of a barrier to the ubiquitous introduction of computer and communications systems applications based on cryptographic blockchain software and technology. The General Data Protection Regulation (GDPR), in force from May 25, 2018, includes in its provisions Article 17:
"Right to erasure ('right to be forgotten')" ... (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; …

In my analysis and view, blockchain, with the ‘permanence and immutability’ of data records written to the blockchain as a critical, fundamental, key feature, is potentially likely to be structurally unable to be compliant with Article 17, Right to Erasure, of GDPR.

There is a view that, in regard to interpreting and implementing 'erasure' in practice, simply 'putting data beyond use' electronically satisfies the standards for GDPR data privacy. This would mean that, for example, setting record 'delete' flags, 'losing' cryptographic keys, or overwriting hash tables, will be sufficient to qualify as 'erasure'. In my preliminary view that is, on the face of it, too weak to satisfy what is intended and stipulated by Article 17 GDPR. If Article 17 seeks to provide only for 'putting data beyond use' it would, I feel, have said so. The people doing the drafting would surely have been aware of the established legal precedents/court orders on data records, and recording media, destruction (and proof/certification thereof), corporate, industry and professional standards as regards Record Retention and Destruction, and Statutes providing Requirements and Guidelines for Public Bodies as regards Citizens' Records Disposal. (7)

It seems to me that, in regard to the true implication of 'erasure', which is the wording actually chosen, the intention and meaning is something stringent and strong. If GDPR intends 'erasure' just to mean 'putting data beyond use', or even 'deletion', in the usual technical sense that these terms are used, and implemented, in electronics and computer data technology practice, it would have said so - GDPR was years in the drafting, with many highly-qualified legal and technical people involved, globally, in intensive discussions and reviews, before finalisation.

No, 'erasure' is the word carefully enacted in the GDPR; and 'erasing' has many quite clear synonyms in English; eradicating, obliterating, destroying, abolishing, removing, shredding, disposing of, wiping out, dissolving, doing away with, getting rid of... At the extreme, where digital data recorded on servers, or electronically held, copied, distributed and communicated in computer and communications media, systems and networks are concerned, 'erasing' could arguably mean, for true efficacy in practice, 'returning to a free molecular state' by way, for example, of ‘burning, consuming in flames."

In my view it follows that anyone implementing applications or systems using a blockchain, given the foundational, inherent 'permanence and immutability' of its data records, where such records may contain personally identifiable details of a 'data subject', will do so at risk of not being physically or verifiably able to comply with Article 17 GDPR, and thus potentially subject to the significant financial and other penalties available and arising thereunder.

Lest it is thought that there is going to be little likelihood of requests, whether to companies or organisations holding or processing systems and databases containing personally identifiable details of ‘data subjects’, or to the courts, for applicant data subjects to be ‘forgotten’, well, I suggest: think again. A few years back the possibility of widespread use of such requests may have seemed fanciful, but since the Cambridge Analytica allegations – that this data analytics firm used personal information harvested from more than fifty million Facebook profiles, without the data subjects’ permission, to build a system that could target US voters with personalised political advertisements based on their psychological profile – anyone using social media, for example, is now well aware of the right not to have personal data used for purposes for which they were not originally, and freely, provided.

Indeed, even before the coming into force of GDPR, the English Courts have already upheld such a critical request:
Google loses landmark 'right to be forgotten' case Jamie Grierson Ben Quinn Fri 13 Apr 2018
Businessman wins legal action to force removal of search results about past conviction
A businessman has won his legal action to remove search results about a criminal conviction in a landmark "right to be forgotten" case that could have wide-ranging repercussions. ... the claimant ... was convicted more than 10 years ago of conspiracy ...


In summary, I suspect that some of the potential future issues that ICT systems professionals and experts may well be asked to investigate and upon which to provide analyses, conclusions and opinions, in regard to trust in, legal and technical reliability of, and associated disputes over, blockchain-based systems applications, are likely to include:

Cryptocurrency ICOs/ITOs:
Allegations of false or negligent representations in 'White Papers', Public Issue Documentation and Presentations, Websites. Failure to carry out due diligence as to project viability, systems and business integrity, quality standards, financial probity, implementation rigour.
Consequential losses: investors losing money, businesses going bust, causality.

Operational systems failures: the blockchain itself may be reasonably robust and reliable, but all interface/interconnect systems still need to be specified, designed, coded, constructed, tested and commissioned to acceptable ICT industry and professional standards.
Consequences: assessment of outages, denial, inaccuracy and unreliability of service, data transaction failures, errors or faults, data going missing, people losing money unable to conduct reliable business, smart contracts corrupted, distributed ledgers not capable of being trusted.
Assessment and apportionment of causality, liability, and responsibility for damages, losses and compensation.

Blockchain and GDPR Article 17:
In regard to requests 'to be forgotten' by data subjects, where their personally identifiable data are held on 'permanent and immutable' blockchain records: advice and management of implementation of Court Orders granted for 'erasure'.
Opinion as to efficacy of 'erasure' techniques, transactions, technologies, processes, proposed or implemented.
Verification of the ‘erasure’ carried out: what constitutes sufficient evidence and proof of accuracy, correctness, completeness and persistence?
Assistance with discussions with Information Commissioner's Office as to validity of requests ‘to be forgotten’, confirmation of the extent, reliability and security of 'erasure' (to be) carried out, and reasonableness of any possible/proposed fines or penalties to be imposed.

Ownership of IP:
Advice and guidance as to: whether relying on third-party blockchain platforms, or developing its own blockchain software in-house, any developer or company seeking to build blockchain-based applications runs the risk of IP infringement (there are as yet no ISO standards, and already more than 650 blockchain patent applications filed with the US Patent Office).
Assessment of impact, consequences, remediation: e.g. litigation over patents and software copyright.
Expert investigation, search and advice as regards Prior Art, and/or Lack of Inventive Step, for patent infringement actions and challenges to the original Grant of Patent.
Advice and guidance in connection with negotiations with patent or copyright owners over use restrictions, licence fees, development capability.

Clearly, future blockchain disputes and litigation could be an active area for ICT experts.

And Further...

This is of course in addition to the 'usual' relentless occurrence of disputes over computer systems failures generally. Failures of confidence, good faith and expectation (Cambridge Analytica alleged private data misuse), of dependable cybersecurity (potential Facebook password hacking), of mission-critical financial systems implementation (TSB online banking deficient systems upgrade), of product 'fitness for purpose' (VW Dieselgate emissions ‘cheat’ software), and of clinical operational reliability (NHS faulty breast cancer-screening algorithm): these are just a few examples of the latest crop in a steady and growing stream of ever-upscaling IT Disasters that have regularly emerged over the past thirty years.

I myself have been involved as expert witness in the largest and longest computer software and systems contractual disputes to date reaching the English High Court, and Sydney Supreme Court, with damages claimed in such actions in the hundreds of millions of pounds. Indeed, nearly twenty years ago, in the USA Foxmeyer case, we have already seen the failure of an entire substantial multi-billion corporation due to the faulty implementation and management of a major company-wide computer systems upgrade project [8].

With Blockchain/Distributed Ledger/Smart Contract/Cryptocurrency developments and systems, and, we can reliably add, those now offering or dependent on Visual/Augmented/Mixed Reality/Immersive Technology, The Internet of Things/Smart Buildings/The Connected Home, Data Analytics/GDPR, and Artificial Intelligence (AI)/Machine Learning/Algorithms, disputes and damages over and/or caused by evermore-‘intelligent’ computer software and data communications and processing are certain to increase, and potentially cause increasingly widespread and relentlessly-larger financial and other anxiety, consequences and damages.