Blockchains Uncut: Risks, Rewards & Regulation
October 2019

Executive summary

In May 2010, Laszlo Hanyecz, a software developer and early Bitcoin enthusiast, purchased 2 pizzas for 10,000 Bitcoins to prove the cryptocurrency could work as a means of exchange.

It was the first documented time Bitcoins were used to pay for something in the real world. Fast forward about 8 years and 10,000 Bitcoins were worth approximately $200m.

Bitcoin’s sharp price rise and equally sharp fall over the following months attracted a wealth of media coverage in the cryptocurrency and the blockchain technology underpinning it. Bitcoin has not quite captured the hearts and minds of its user base as a reliable means of exchange yet, but there is no doubt that blockchain technologies are more significant in the breadth and depth of their potential application than as a mere record of payment transactions on a public blockchain network. This is why organisations are excited about it. The advantages are well-publicised – decentralization, security, immutability. However, many questions still exist: what are blockchain technologies, why use them, who is responsible if things go wrong and what does the future hold?

Blockchains uncut: risks, rewards and regulation seeks to answer these questions; explaining the technology and its advantages and disadvantages, examining some of the legal considerations and how they apply across certain jurisdictions, and critically exploring some potential applications. This report is based on our experience working on blockchain projects and discussing blockchain projects and issues with other people in the industry, with contributions from a variety of Bird & Bird colleagues from different jurisdictions. As a result, it has a focus on UK and EU law principles. Unless specified otherwise, when we refer to blockchains we are referring to the technologies (i.e. the software) that set out the rules for how distributed databases are created and updated. This could be technologies used to launch and interact with private or public blockchain networks. Given the prominence of public blockchain networks, like Bitcoin, a lot of the principles we discuss are focused on these types of blockchains (recognising that they share some common features with private blockchains), although we do also discuss certain features of private blockchain networks.

There is widespread recognition that many organisations are still in the exploratory phase of working out how the technologies can best be applied. But reflecting the excitement of its potential, venture capital investment in blockchain technology startups has surged, as has the volume of blockchain-related patent applications. Proof of concept testing is also increasingly moving to limited live deployment. Recently, Facebook created renewed interest in cryptocurrencies following the publication of a whitepaper, websites, and working code relating to its new proposed cryptocurrency, Libra. Libra aims to create a “reliable digital currency and infrastructure that can deliver on the promise of the ‘internet of money.’” [1]

As adoption of blockchains begins to shift from lab-based prototypes to the commercial phase, complex legal aspects surface, and getting them right becomes the imperative. We advise clients on everything from commercial contracts and data privacy to the interface between smart contracts and the law. This enables us to understand the challenges and considerations at each step of the process and the bespoke solutions that are most appropriate.

Jonathan Emmanuel
Partner in Bird & Bird’s Tech & Comms sector group

Key takeaways:
• The use of cryptocurrencies that operate on blockchains has provoked significant interest in the underlying technology.
• Wider applications beyond digital currency, include: cross-border payments, financial markets trading and settlement, trade finance, insurance, identity management, and supply chain management.
• The financial services sector is central in testing and developing a deeper understanding of the value that blockchains can deliver in particular use cases.
• Although no specific privacy regulation exists for blockchain technologies, there are relevant and applicable frameworks, including a general European legal framework for the use and management of personal data: the General Data Protection Regulation (GDPR) which came into force in May 2018.
• Before implementing a blockchain project, organisations should carry out a privacy impact assessment to identify any issues and conflicts, and find solutions to mitigate or eliminate certain risks.
• Beyond privacy and contract considerations, intellectual property (IP) and dispute resolution are important areas for legal consideration.
• Regulators worldwide are examining how to regulate cryptocurrencies and other cryptoassets such as initial coin offerings (ICOs) and asset-backed tokens. There is no one harmonised approach. So, some jurisdictions regulate cryptocurrency intermediaries and treat ICOs as securities offerings while in others both are largely unregulated.
• Blockchains provide new and important security features which can be highly beneficial when used in the right context, but they are not an automatic panacea for security in the storage and transfer of digital information.
• Blockchains have potential for significant use in tax, including the automation of manual processing of payroll tax, employment tax and any transaction-based taxes.

[1] https://libra.org/en-US/wp-content/uploads/sites/23/2019/06/LibraWhitePaper_en_US.pdf

© 2019 Bird & Bird – All rights reserved
Contents
Introduction
Demystifying blockchains
Smart contracts
Legal issues: data protection
Legal issues: contracts
Legal issues: IP
Legal issues: enforceability
Regulation
Security
Tax
Conclusion
Glossary

The information given in this document concerning technical legal or professional subject matter is for guidance only and does not constitute legal or professional advice. Always consult a suitably qualified lawyer on any specific legal problem or matter. Bird & Bird assumes no responsibility for such information contained in this document and disclaims all liability in respect of such information.

Bird & Bird is, unless otherwise stated, the owner of copyright of this document and its contents. No part of this document may be published, distributed, extracted, re-utilised, or reproduced in any material form, except with our express prior written approval.

Introduction

Blockchains are widely regarded as one of the most important technologies of the future, because of the benefits that they promise to deliver in cost-savings, security, and data reliability.

Cost savings because they cut out the need to rely on a trusted, always available, central authority and they remove the need to reconcile data between organisations; security because of the use of public key cryptography and digital signatures; and data reliability because of the use of cryptographic hashes - in many blockchains any attempt to edit data is immediately obvious to multiple parties.

Beyond storing payment data relating to Bitcoin on the public Bitcoin blockchain network (one of many different blockchains), blockchain advocates acclaim the technology’s wider application, including uses in cross-border payments, financial markets trading and settlement, trade finance, insurance, identity management, and many other services. In many cases, the theme is that a central database controlled by a trusted central authority can be replaced by a replicated or distributed database where entries are added without the central control of a specific authority.

But, such enthusiasm should be tempered and, for the reasons we explain later, use cases which rely on recording physical items on a blockchain database may not always be completely resistant to fraud. Organisations should be wary of thinking blockchains are an automatic panacea for creating reliable digital currencies or recording honest data.

It is important to clearly differentiate two areas of regulatory clarity needed for these technologies. The first is regulation around the trading of cryptocurrencies and activities around capital raising through token sales. The second is the regulation around the effective, pragmatic governance of blockchain networks and the behaviour of their participants.

A balance needs to be struck: regulation is needed to provide greater trust and transparency for users and investors; yet a high regulatory bar may stifle continued innovation, which in turn would limit the potential of blockchains.

Markets, jurisdictions, legislators and regulators are currently competing with each other to balance those objectives. This will initially have the most impact in the financial services sector, due to its high proportion of intermediaries. As the financial services sector experiments with blockchains and drives the technology forwards, other sectors will follow suit.

For any project today, it is crucial to understand the application of existing law in relation to blockchains, particularly in the context of data protection, contracts, IP and dispute resolution — much of it involving cross-border, or multi-jurisdictional operations. Moving forwards, a new body of law and regulation may need to be created and applied to such technologies, particularly in relation to initial coin offerings (ICOs) and the treatment of cryptocurrencies.

It is therefore important to understand not only today’s regulations but also to maintain an ongoing understanding of the implications of new regulations as they evolve.

This report is intended as a starting point for those looking at the potential application of blockchains in their sector.
Demystifying blockchains

There has been a considerable amount of buzz surrounding blockchains in the 9 years since Laszlo’s Bitcoin transaction. However, as of 2019, blockchain technologies have slid into the “Trough of Disillusionment” in Gartner’s Hype Cycle [2].

This drop in enthusiasm is not surprising: the technologies were never going to live up to the media hype. However, it is not all doom and gloom. Following the completion of R&D programmes and pilots, as organisations begin to understand the specific benefits of particular blockchain platforms and the use cases they can be appropriately deployed towards, and as the blockchain companies (and technologies underpinning them) begin to mature, experts expect a “blockchain spring” to emerge and an uptick in focused blockchain deployment in live environments in a variety of different industries.

“We are seeing an increasing interest in the application of blockchain technologies in financial services in the context of private blockchain networks,” says Jonathan Emmanuel, partner in Bird & Bird’s Tech & Comms sector group in London. “More and more clients are moving from the proof of concept stage to limited live deployment to test particular use cases using real transactions. Often the use case involves better sharing of data amongst stakeholders taking advantage of blockchain’s benefits: immutability, security, and the ability to add bilaterally or multilaterally validated records without specific third party control. It has huge potential beyond this, especially when coupled with smart contract deployment, and we are progressing quickly from the R&D phase towards real life adoption.”

So how does the technology work?

There is no one blockchain. Instead, there are different varieties of blockchain technologies and networks. Blockchains can be public (permissionless) or private (permissioned). In a public blockchain (e.g. the public Bitcoin network), the relevant software can be freely downloaded from the Internet by anyone, which enables them to join a network, view all the data moving across the network, and transact within the network. Private networks (e.g. Hyperledger Fabric or R3’s Corda) afford greater control over who can join the networks, what data is shared, and to which participants.

Bitcoin network...breaking down the terminology

Let us use the public Bitcoin blockchain network, its best-known application, as an example. Bitcoin blockchain software encapsulates in software code the rules that govern how its database of transactions (think of it as a spreadsheet or pages of a ledger) is created, maintained and updated. These rules are sometimes referred to as the relevant blockchain’s protocol. In Bitcoin, the protocol contains rules for how participants validate transaction instructions (e.g. A sends X Bitcoins to B), how they share those instructions with other participants, and how those transaction instructions become recorded in the replicated ledger. The network is made of nodes (sometimes called peers or clients): computers that run various implementations of the Bitcoin software (downloaded from the Internet).

Each node connects with other nodes to form the Bitcoin network. Anyone can join the network by setting up a node correctly. Once the node is set up it can connect over the Internet to other nodes in the network and do a variety of things including downloading and storing the latest copy of the Bitcoin blockchain (the database of all Bitcoin transactions), creating and sending transactions and validating and/or mining transactions to add them to the database. Currently, there are approximately 10,000 nodes forming the Bitcoin blockchain network.

Peer-to-peer

The network is called peer-to-peer because each node in the network is equal in status, and data is shared directly between them. Contrast this with the client-server model, where there is a “master” server that maintains complete control over its data and distributes the data to clients who ask for it (e.g. browsers (clients) calling a website (the master server) for data).

Wallets

Bitcoin owners often use software applications called wallets. Wallets are typically more lightweight than nodes, and do not attempt to store the entire ledger of all transactions. They also do not attempt to validate all global transactions. Instead, they deal with the creation of accounts and transactions and only interact with the network via a trusted node.

Accounts and key pairs

An account, or address, is effectively a pair of cryptographic keys: one public and one private, created mathematically, often using a wallet. The keys are actually just numbers, generated as a mathematically linked pair: the private key is a number picked at random from a very large list and the public key is created by applying a mathematical formula to the private key.

Addresses

Bitcoin addresses are derived from a public key and operate like a bank account number. When a Bitcoin owner creates a transaction they need to specify the recipient’s Bitcoin address to which they want to transfer the relevant Bitcoin.

Digital signatures

Accounts are controlled by digital signatures created by that account’s private key. We will refer to Bitcoin owners that operate accounts through their private key as “account holders”.

A private key is used by the account holder to access and control their account by creating digital signatures for their transactions. A digital signature is created by the account holder applying a mathematical formula to the data in a transaction using their private key, without revealing their private key. The resulting digital signature can be mathematically validated by any party against a combination of the data and the public key of the signer.

There are two main differences between a Bitcoin account and a bank account. First, you do not need anyone’s permission to create a Bitcoin account, and second, if you lose your private key, you are not able to “reset” it as you might a password or a PIN.

Where are Bitcoins stored?

Bitcoins themselves are not stored in a wallet but are stored as records on the Bitcoin blockchain database linked to a specific address — the account holder’s address. Therefore, ownership of Bitcoins resides in the person that has control over the relevant private key that relates to the Bitcoin address that the Bitcoins were sent to. Private keys should not be shared with any person otherwise they could access the relevant account and spend any Bitcoin associated with the Bitcoin address linked to it.

[2] https://www.gartner.com/en/documents/3947355/hype-cycle-for-blockchain-technologies-2019
A Bitcoin transaction from start to finish: validation and mining

In order for a transaction to be recorded on to the Bitcoin blockchain and hence the Bitcoin transferred from one address to another it must be validated and then incorporated into a block (also known as mining) which is then distributed to the whole network of nodes that each independently validate each block.

Validation

Diagram on the right hand side describes the validation phase.

A node that receives the transaction can validate the digital signature against the transaction data and the public key(s) associated with the sending account. A node will also run some other checks in accordance with the blockchain protocol (e.g. checking the sender owns the Bitcoins they are attempting to spend).

Figure: transaction flow from wallet to mining (panel labels: Account, Public, Private, Transaction). Captions, in order:
• The account holder accesses their wallet and selects an account.
• The account holder creates a transaction to spend some Bitcoins.
• This is the validation process: the node is validating a transaction has been sent and approved by the account holder.
• If the node considers the transaction as valid, it shares the transaction with other nearby nodes. The nodes follow the same process ensuring eventual propagation of validated transaction to all nodes.
• Mining nodes will come across the validated transaction and compete with each other to pack it with other validated transactions and be the first to create a valid block. See the description of the mining phase on the next page.
Mining

Once the validation phase is complete, the validated transactions are shared by nodes. Eventually, mining nodes (nodes that run specialised mining software) will come across a validated transaction and decide whether they want to pack it with other validated transactions and create a valid block.

The process of creating a valid block is called mining. Part of the mining process involves creating a hash. As we describe in more detail in the “Security” chapter, a hash is an output of a fixed length that is created when a mathematical algorithm called a hash function is applied to any amount of input data. In the context of blockchains, special algorithms called cryptographic hash functions are used, which have specific properties. The resulting output of the algorithm is referred to as a cryptographic hash (though often shortened to just “hash”) and can be thought of as a fingerprint of the input data.

First, a mining node takes a list of new validated transactions that it has detected and wants to include in the block, and combines it with the hash of the immediately preceding block, some technical data, and a number chosen at random (called a nonce). Second, it calculates a cryptographic hash of all of that data, which involves performing a series of mathematical steps on the data. If the hash that is created is smaller than a target number (which is adjustable, according to the Bitcoin protocol) then the block is considered valid. The criterion that the hash needs to meet is often described as “the hash must start with a certain number of zeroes” — this is shorthand for the number being smaller than a target number! The miner will broadcast this valid block to other miners and nodes who will each validate this block independently.

Mining nodes will compete with each other to be the first to create a valid block. There is no easy way to create a valid block: miners need to take the block data and try different numbers for the nonce to create a hash that meets the rule (i.e. a hash that starts with the required number of zeros). This is called Proof of Work mining.

What is the incentive for a miner to perform these repetitive calculations? In each block, there is one single transaction that allows Bitcoins to be created from thin air. This is called the coinbase transaction and miners use it to pay themselves an amount of Bitcoin as determined by the protocol (currently 12.5 Bitcoins per block). This expands the supply of Bitcoin.

In addition to the coinbase transaction, miners are also offered transaction fees from account holders that want to have their transactions recorded in the blocks. These fees are recorded in the relevant transaction and are determined entirely by the account holder. Account holders can offer high transaction fees to incentivise miners to prioritise their transactions over others so they get recorded onto the Bitcoin blockchain database faster. This is a market-based system for having transactions recorded quickly, and fees can vary by orders of magnitude depending on how busy the Bitcoin network is at any point in time.

The valid block is then broadcast to the other nodes in the network for double-checking until a majority agrees that it is correct. This involves nodes taking the block data including the nonce in the block and hashing it once to verify for themselves the hash of the block starts with the required number of zeros. Once the block is validated, it is added to the database. Proof of Work mining provides a method for determining which validated transactions get recorded onto the database and when: only once they have been incorporated into a successfully mined block are they considered as recorded or “confirmed”.

The Bitcoin blockchain database is a chain of these valid blocks linked to each other forming an uninterrupted chain of record (hence the term blockchain) that goes back to the start of the database when the first block was added (the genesis block).

Each block is linked because the hash of the previous block is included in the next block. After a block has been added it is very difficult to alter the data that it contains. Hence, blockchains are referred to as immutable, which we explain in more detail on pages 12-13 in this chapter.

Valid block prescribed format:

Each block within the database follows a prescribed format including:
1. The data (e.g. a list of validated transactions, the transaction fees), including the nonce and previous hash.
2. The nonce (randomly selected number).
3. The hash of the previous block in the database.

Figure: PREVIOUS HASH + Validated transaction + Validated transaction + Validated transaction + Nonce, producing HASH.
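The mining, one-hash validation and block linking described above, as an added example (not part of the report and not Bitcoin's code): a toy proof-of-work chain that also shows what other nodes see when a recorded block is altered, with and without re-mining it. The JSON block layout, the very easy target and the sample transactions are assumptions made so the example runs instantly.

```python
import hashlib
import json

# A block is valid when its hash, read as a number, is below TARGET.
# 2**244 means the 64-digit hex hash must start with three zeros (12 zero bits).
# Assumption: far easier than any real network target, so the demo is instant.
TARGET = 2 ** 244
GENESIS_PREVIOUS_HASH = "00" * 32
SAMPLE_BATCHES = [["A pays B 5"], ["B pays C 2"], ["C pays A 1"]]  # constructed


def block_hash(block):
    """Double SHA-256 over the previous hash, the transactions and the nonce."""
    payload = json.dumps(
        [block["previous_hash"], block["transactions"], block["nonce"]]
    ).encode()
    return hashlib.sha256(hashlib.sha256(payload).digest()).hexdigest()


def meets_target(digest_hex):
    return int(digest_hex, 16) < TARGET


def mine(previous_hash, transactions):
    """Proof of work: try nonces until the block hash falls below the target.

    The nonce starts at 0 (not a random value) to keep the demo reproducible.
    """
    block = {"previous_hash": previous_hash, "transactions": transactions, "nonce": 0}
    while not meets_target(block_hash(block)):
        block["nonce"] += 1
    block["hash"] = block_hash(block)
    return block


def build_chain(batches):
    chain, previous_hash = [], GENESIS_PREVIOUS_HASH
    for transactions in batches:
        chain.append(mine(previous_hash, transactions))
        previous_hash = chain[-1]["hash"]
    return chain


def validate_chain(chain):
    """Check a chain the way a receiving node would: one hash per block.

    Returns (True, None), or (False, reason) for the first problem found.
    """
    previous_hash = GENESIS_PREVIOUS_HASH
    for height, block in enumerate(chain):
        digest = block_hash(block)
        if digest != block["hash"]:
            return False, f"block {height}: data does not match recorded hash"
        if not meets_target(digest):
            return False, f"block {height}: hash is not below the target"
        if block["previous_hash"] != previous_hash:
            return False, f"block {height}: previous hash does not link"
        previous_hash = digest
    return True, None


def tamper_keep_hash(chain):
    """Change the first block's data but keep its original nonce and hash."""
    forged = [dict(block) for block in chain]
    forged[0]["transactions"] = ["A pays B 500"]
    return forged


def remine_first_block_only(chain):
    """Re-mine the first block with new data; later blocks cite the old hash."""
    forged = [dict(block) for block in chain]
    forged[0] = mine(GENESIS_PREVIOUS_HASH, ["A pays B 500"])
    return forged


def remine_everything(chain):
    """A rewrite only validates if every later block is mined again as well."""
    later = [block["transactions"] for block in chain[1:]]
    return build_chain([["A pays B 500"]] + later)


def demo():
    chain = build_chain(SAMPLE_BATCHES)
    return {
        "original": validate_chain(chain),
        "data changed, hash kept": validate_chain(tamper_keep_hash(chain)),
        "first block re-mined": validate_chain(remine_first_block_only(chain)),
        "all blocks re-mined": validate_chain(remine_everything(chain)),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The last case passes only because the work for every later block was repeated, which is the cost that grows with each block added on top of the one being changed.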
So what are the benefits of using blockchain technologies?

The description on pages 8-11 is a high-level description of a specific blockchain, Bitcoin, but it gives some insight into the complexities underpinning the technology. The excitement surrounding blockchains and their application to assorted use cases derives from some of the key features blockchains share in common, for example:

• Immutable: you can add new blocks of data to a blockchain database but, as the diagram to the right shows, it is very hard to interfere with data in existing valid blocks without the change being obvious to all parties and therefore rejected.

• 51% attacks: because the hash of each block is produced by hashing the data in that block (which includes the hash of the previous block), tampering with a block would affect all subsequent blocks. So you would need to remine all subsequent blocks to make sure they linked, which is very difficult to successfully complete as it requires significant computational power, and to make matters even harder the re-mining would need to be complete before new valid blocks were added to the blockchain you were trying to tamper with. As new valid blocks are added to the bitcoin blockchain every 10 minutes that is very difficult to achieve unless you have 51% of the computational power of the mining nodes.

Figure: You can add new blocks of data to the blockchain database but it is very hard to interfere with data in existing valid blocks in the blockchain database:

BLOCK 1, BLOCK 2 and BLOCK 3 each consist of PREVIOUS HASH + Validated transaction + Validated transaction + Validated transaction + Nonce, producing HASH.

You could try to tamper with BLOCK 1 by changing the data in it but retaining the original hash and the original nonce (TAMPERED BLOCK 1: new validated transactions replacing original transactions from BLOCK 1; retain original hash). However, other nodes would quickly see the tampered block is not valid because the new data in it would not match the original hash (when you hash the new data including the original nonce, the hash will not correspond to the original hash).

You could try to re-mine BLOCK 1 to create a new block that contained new data and a new hash (NEW BLOCK 1: new validated transactions replacing original transactions from BLOCK 1; new nonce replaces original nonce from BLOCK 1). However, the new hash in the new BLOCK 1 would not match the original hash from the untampered BLOCK 1 referred to in the next valid block.
• Decentralised and trustless: account holders do not need to rely on a trusted central authority to set up accounts. Instead, they rely on public keys as accounts (which, as mentioned earlier, can be created by anyone using mathematics). Account holders also do not need to rely on a central authority to maintain the database as anyone can set up a node and download the same database, create and send transactions, validate transactions, and then mine blocks so they can be recorded onto the database. If any rogue node tries to manipulate data or the process then there are checks and balances in the blockchain software which means other nodes would ignore or exclude them (e.g. the transaction is identified as invalid because the digital signature does not match the accompanying transaction or public key, or one of the blocks in the blockchain recorded on one node looks like it has been tampered with so other nodes reject the tampered data propagated by that node). In addition, digital signatures are a way for the network to be happy that transactions sent for validation and addition to the database have been approved by account holders (assuming the account holder has not had his private key stolen).

• Security: public/private key cryptography (used to set up an account) is very secure. Whilst it is easy to create a public key from a private key it is mathematically infeasible with today’s technology to reverse-engineer the private key from the public key.

• Peer-to-peer: because the network is peer-to-peer it can continue to function even if some nodes in the network become unavailable. This makes the network more robust than networks reliant on a central server where the network could go down if the central server is unavailable.

However, these advantages should be weighed against the disadvantages. For example, Bitcoin has been criticised for its lack of speed and transaction throughput: the current rules of Bitcoin’s blockchain mean new blocks are added to the database approximately every 10 minutes; in other words the database updates itself every 10 minutes and processes about 4-7 transactions per second, depending on the amount of data contained within the transactions [3]. This is very slow compared with the speed of centralised databases like Mastercard’s or Visa’s. For example, a retail transaction with a Visa card only takes a few seconds to process, and Visa’s card scheme database states it is capable of processing more than 24,000 transactions per second [4]. Further, many blockchain networks have been subject to hacks, either of the wallet software containing accounts (which has led to those users losing cryptocurrency) or the blockchain software itself (see our description of the 2010 overflow bug in the “Security” chapter). In addition, whilst public/private key cryptography is very secure, if you lose your private key or it is stolen then you can never access your account to get your Bitcoin, and if someone copies your private key, they have full access to spend the Bitcoins in your account.

Weighing up the advantages and disadvantages and considering the regulated environment in which some blockchain use cases are being tested, organisations are understandably cautious when adopting such a new technology involving their potentially business critical activities. Presently, we are seeing organisations test the technology in proof-of-concept environments for a limited number of users. Before live deployment, organisations need to do appropriate due diligence to understand what use case they are using the blockchain for, why blockchain is appropriate and have a thorough understanding of the organisation’s role in the network, including: whether they want to be running and operating the network (in which case a public blockchain network will not be suitable), or merely act as a participant, as well as the legal ramifications (e.g. if they are running the network then they may need to take responsibility for failures). Many organisations often fail to do the appropriate due diligence, resulting in failed or half-complete projects. With the right guidance and completion of the relevant due diligence, stakeholders can identify problems and implement appropriate mitigations. For example, if personal data will be recorded on a blockchain database, has an appropriate privacy impact assessment been completed?

[3] https://blocksplain.com/2018/02/28/transaction-speeds/
[4] https://usa.visa.com/run-your-business/small-business-tools/retail.html
Use case — Track and trace: recording spare parts IDs on a private blockchain network
The automotive industry has been trying to combat counterfeit spare parts for decades. It is very difficult to
keep track of spare parts in the automotive industry and also identify which ones are legitimate and which
ones are counterfeit. This means counterfeit spare parts get incorporated into cars which creates issues such
as cars breaking down prematurely and the costs associated with product recalls.
Could we assign each legitimate spare part with a hard copy certificate and record a digital version of that
certificate on a blockchain database for permissioned stakeholders to then interrogate to double check
if spare parts they receive from organisations are legitimate or not? Once the certificate is recorded on a
blockchain database it is difficult to tamper with it which will assure stakeholders in terms of the integrity
and security of the database.
Smart contracts
The concept of smart contracts, first proposed by computer
scientist Nick Szabo in the late 1990s, emerged long before
the evolution of blockchain technologies.
However, the idea that they might be deployed onto a blockchain network (in contrast to code being deployed on a central server) has generated increased publicity for the concept. Here we move from a first generation blockchain (Bitcoin) to a second generation blockchain that stores more than just simple transaction data about a single asset. Ethereum is an example of a second generation blockchain. The code comprising the smart contract is compiled and incorporated in a transaction (the “contract transaction”) and that contract transaction is validated and recorded in a valid block in the way described earlier in this report and is then stored on a blockchain. Once deployed, the smart contract is assigned an address so relevant participants know where to send transactions to trigger its code.

A smart contract is an agreement between parties in the form of a computer code on how a set of procedures or processes will operate. A frequently cited example of a smart contract is a vending machine or juke box where the software in the machine enables the transfer of an output (e.g. chocolate or music) on the occurrence of an input (e.g. correct payment). One commonly used definition by The Chamber for Digital Commerce describes smart contracts as: “Computer code that, upon the occurrence of a specified condition (or conditions), is capable of running automatically according to pre-specified functions. The code can be stored and processed on a distributed ledger and would write any resulting change into the distributed ledger.⁵”

Therefore, smart contracts are conditional on an event happening in the form of a specific input, as a result of which, a specific output will occur. They self-execute in accordance with the agreed terms, enabling the performance of transactions through a digital mechanism without any further input. Smart is perhaps something of a misnomer since their effect is usually quite simple.

Once deployed, parties can trigger a smart contract by sending a transaction to it. If these transactions meet the input conditions of the smart contract code, the smart contract will automatically execute in accordance with its terms to result in the output. Some smart contracts rely on additional data from the outside world that is fed into them (e.g., foreign exchange rates). This data can be fed by trusted third party systems, commonly known as oracles.

The process for establishing a smart contract would typically involve a series of steps:
• The relevant parties negotiate terms and create the smart contract code based on agreed terms.
• One party creates a contract transaction which includes the compiled smart contract code and signs the contract transaction to create a digital signature.
• The contract transaction and digital signature are sent to the blockchain network for validation and recorded on the blockchain database.
• The smart contract is included in a block and has its own address so account holders or oracles know where to find it and send transactions to it.
• The smart contract is triggered in response to valid inputs: transactions sent from the relevant account holders or from oracles.

So smart contracts, whilst simple in theory, can be used to transparently manage agreements between people or organisations. A smart contract, under English law, may constitute a legal contract (provided the key elements of a contract are met: offer, acceptance, intention to create legal relations and consideration). But, it is currently difficult to envisage them successfully operating as a complete substitute for a natural language contract as it is not currently possible to create code that captures all the subtle nuances and complexities of commercial agreements. For example, taking the use case on pages 20-21, what if the reason why Mark did not send the check-out transaction was because he was not happy with the quality of Joanne’s contract law workshop? What terms in a simple smart contract based on computer code can he rely on to defend his actions? How does computer code capture a non-exhaustive list of circumstances (like force majeure events) or replace centuries of common law and statute relied upon to deal with issues such as fraud, misrepresentation or a mistake?

Once a smart contract is deployed and immutably recorded on a blockchain, little can be done to change its logic unless the deploying party has introduced a “kill” mechanism to stop the code executing. Without a kill mechanism, if a person sends a transaction to the smart contract by accident the code will automatically self-execute and it cannot be reversed unless the parties independently agree to reverse it through a separate transaction or advocate for a fork in the blockchain database to reverse the output of the smart contract (something which is very difficult to agree given the deliberately decentralised governance structure of public blockchain networks like Ethereum). In such circumstances, being able to revert to a natural language contract that the parties have signed that deals with such circumstances (e.g. in the event of mistake or error the parties agree to reverse the transaction) is helpful.

Perhaps it is best, therefore, to construct agreements between parties relating to smart contracts as a combination of a natural language contract and the relevant smart contract code (the smart contract can be incorporated by reference into the natural language contract (e.g. by reference to an address or repository where the code is stored) and a functional specification of the smart contract can be included in the relevant natural language contract so the parties have certainty as to the desired purpose of the code). To the extent there is a conflict between the two, the parties to the natural language contract can agree which component (the natural language contract or the smart contract) will prevail.
5 https://digitalchamber.org/protecting-state-smart-contracts-innovation/
Smart contract use case
The public Ethereum blockchain network is well-known for its use of smart contracts. On Ethereum
there are three types of transactions: (1) a transaction to send Ether to someone (similar to a Bitcoin
transaction); (2) a transaction to deploy a smart contract on the blockchain; and (3) a transaction to
call a smart contract to trigger it. The diagram described below illustrates how a very simple smart
contract could be used in the real world.
blockchain network.
[Diagram labels: Mark’s account; contract account; blockchain; previous hash; validated transaction; validated contract transaction; check-in transaction; check-out transaction; nonce; hash.]

4. Mark pre-funds the contract account and Joanne checks the Ether balance of the contract account and sees it has 1 Ether. Having agreed the smart contract terms she has confidence the contract account will transfer the balance to her if she meets the input terms of the smart contract linked to it.

5. Joanne starts the workshop at 12.00. At this point, Mark will send a new transaction to the smart contract, confirming Joanne’s check-in time (“check-in transaction”) and digitally signs it to show he has approved it. The check-in transaction is validated and recorded into a block on the blockchain in accordance with the rules of the relevant blockchain network. The recorded block is given a time stamp.

6. Joanne finishes the workshop at 13.00. Mark then sends another transaction to the smart contract confirming Joanne’s check-out time (“check-out transaction”) and the process at step 5 above is repeated.
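The workshop contract from this use case, modelled as a small Python state machine; this is an added illustration, not code from the report and not Ethereum contract code. It assumes Mark is both deployer and payer, that a valid check-out releases the balance to Joanne, and that a “kill” stops the contract and returns the locked balance to the deployer; the addresses and method names are hypothetical.

```python
"""Toy model of the workshop escrow (constructed for illustration)."""
from dataclasses import dataclass, field

ETHER = 10**18                      # 1 Ether expressed in wei
MARK, JOANNE = "0xMARK", "0xJOANNE"  # placeholder addresses, not real accounts


class Reverted(Exception):
    """A transaction that fails the input conditions changes nothing."""


@dataclass
class WorkshopEscrow:
    payer: str             # assumed: the network has already verified the signature
    payee: str
    has_kill_switch: bool  # fixed at deployment; it cannot be added afterwards
    balance: int = 0
    state: str = "DEPLOYED"
    check_in_time: int = 0
    transfers: list = field(default_factory=list)  # (recipient, amount) outputs

    def _require(self, condition: bool, reason: str) -> None:
        if not condition:
            raise Reverted(reason)

    def _pay(self, recipient: str, new_state: str) -> None:
        self.transfers.append((recipient, self.balance))
        self.balance, self.state = 0, new_state

    def fund(self, sender: str, amount: int) -> None:
        self._require(self.state == "DEPLOYED", "already funded")
        self._require(sender == self.payer and amount > 0, "only the payer can fund")
        self.balance, self.state = amount, "FUNDED"

    def check_in(self, sender: str, timestamp: int) -> None:
        self._require(self.state == "FUNDED", "contract is not funded")
        self._require(sender == self.payer, "check-in must come from the payer")
        self.check_in_time, self.state = timestamp, "CHECKED_IN"

    def check_out(self, sender: str, timestamp: int) -> None:
        self._require(self.state == "CHECKED_IN", "no check-in recorded")
        self._require(sender == self.payer, "check-out must come from the payer")
        self._require(timestamp > self.check_in_time, "check-out must follow check-in")
        self._pay(self.payee, "PAID")   # self-executes: no further input needed

    def kill(self, sender: str) -> None:
        self._require(self.has_kill_switch, "no kill mechanism was deployed")
        self._require(sender == self.payer, "only the deployer can kill")
        self._require(self.state not in ("PAID", "KILLED"), "nothing left to stop")
        self._pay(self.payer, "KILLED")


def try_tx(call, *args) -> str:
    """Send one transaction; return 'ok' or the revert reason."""
    try:
        call(*args)
        return "ok"
    except Reverted as exc:
        return f"reverted: {exc}"


def happy_path() -> WorkshopEscrow:
    """Steps 4 to 6: pre-fund 1 Ether, check in at 12.00, check out at 13.00."""
    contract = WorkshopEscrow(MARK, JOANNE, has_kill_switch=False)
    contract.fund(MARK, 1 * ETHER)
    contract.check_in(MARK, 12 * 60)
    contract.check_out(MARK, 13 * 60)
    return contract


def disputed_workshop(has_kill_switch: bool) -> dict:
    """Mark withholds the check-out transaction; the code has no term for a dispute."""
    contract = WorkshopEscrow(MARK, JOANNE, has_kill_switch)
    contract.fund(MARK, 1 * ETHER)
    contract.check_in(MARK, 12 * 60)
    outcome = {
        "joanne_check_out": try_tx(contract.check_out, JOANNE, 13 * 60),
        "mark_kill": try_tx(contract.kill, MARK),
    }
    outcome["state"], outcome["locked"] = contract.state, contract.balance
    return outcome


if __name__ == "__main__":
    print(happy_path().transfers)
    print(disputed_workshop(has_kill_switch=False))
    print(disputed_workshop(has_kill_switch=True))
```

In the disputed run without a kill switch the Ether stays locked in the contract account and neither party can move it, which is the gap a natural language contract is meant to cover.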
Legal issues: data protection
The interface between blockchains and the legal framework for data protection is complex.

Although no specific privacy regulation exists for the technology, there is a general European legal framework for the processing of personal data: the General Data Protection Regulation (GDPR) which came into force on the 25 May 2018⁶. To be fully aligned with GDPR, parallel legislation in each of the EU member states has already been implemented or recently approved.

GDPR makes no reference to blockchains. Instead, it sets the framework of how personal data can be collected, processed and disclosed within any environment. Likewise, no EU member state has yet enacted any data protection legislation that makes any specific reference to blockchain technologies.

As a consequence, neither EU legislation nor any laws of EU member states take into consideration that technologies such as blockchain conflict in some areas with the principles of the new data protection framework. For example, in a public blockchain, you cannot unilaterally delete or remove all traces of blockchain data: reflected by its architecture, the philosophy of blockchain is that every element of each chain is permanent and replicated widely and internationally. Conversely, GDPR requires the opposite: that personal data must be deleted – either after a retention period when information is no longer needed, or for example, when a relevant individual requests that it be done, under certain circumstances (the right to be forgotten).

To date, the French Data Protection Authority (Commission Nationale de l’Informatique et des Libertés (CNIL)) has highlighted the problem in a recent guidance note which identified the challenges of blockchains in the context of personal data⁷. These challenges have also been flagged in a recent and very exhaustive report submitted to the EU Parliament about the interplay between Blockchain and the GDPR⁸.

“This is an important call for European regulators to keep an eye on blockchain technologies and to issue more guidance to help organisations find a balance between the technology and the regulatory framework” says Lupe Sampedro, partner in the International Privacy & Data Protection practice at Bird & Bird.

Organisations have to consider different issues relating to data protection when implementing a blockchain network, such as:
• How does the role of a miner differ from a transaction creator or a validator?
• Identifying international data transfers and how to regulate these.
• Compliance with security requirements, privacy by design and the data minimisation principle (is it really necessary to use a blockchain network? Is the type of blockchain that the organisation wants to implement the most suitable one?).

Consequently, prior to implementing a blockchain network, organisations should carry out a detailed analysis of what kind of information is going to be collected and shared on the network, how it is going to be processed and stored, and what are the risks. This will help them to identify any issues or conflicts at an early stage and find solutions to mitigate or eliminate certain risks by deploying the most appropriate kind of blockchain and determining what data is stored on-chain versus off-chain.

Some of the challenges posed by GDPR to blockchain networks can be solved, for example, by:
• Putting in place proper contractual arrangements between all the parties involved. A participant agreement will require that all the entities who decide to get into a blockchain establish rules for the blockchain network, derived from their obligations. Also required by GDPR, this will include prescriptive clauses when entities are acting as processors and controllers or joint controllers; and/or
• Establishing the proper mechanism under GDPR to allow international data transfers.

Areas of conflict, such as the impossibility of deleting data, cannot be solved but can certainly be mitigated, as the CNIL suggests, by using proper technology solutions that make the data practically inaccessible. For example, commonly used cryptographic hash functions such as SHA-256 may be insufficient to transform personal data into anonymous data (if the hash was derived from a known piece of personal data such as an email address acquired from a data breach, it is not time consuming or costly to get a computer to hash that email address and then cross-check the resulting hash against the hashes in a database to identify the “anonymous” email address). However, hashing operates on a spectrum and there are more advanced hash functions with stronger privacy guarantees that may make it harder to identify hashed personal data⁹.

Therefore, although some blockchain technologies conflict or pose challenges to compliance with some GDPR principles, organisations can find solutions from a contractual, technological, or technical perspective that allow them either to fully comply (where possible) or to get closer to complying with GDPR principles.
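The cross-check described above, run as a privacy audit over constructed data; this is an added example, not material from the report or the CNIL guidance. The report does not name a stronger construction, so a keyed hash (HMAC-SHA-256) with the key held off-chain is assumed here as one option, and every address below is invented.

```python
"""Why an unkeyed SHA-256 of an email is not anonymous, and what a secret key changes."""
import hashlib
import hmac
import secrets


def normalise(email: str) -> bytes:
    """Canonical form, so the same address always hashes to the same value."""
    return email.strip().lower().encode("utf-8")


def plain_hash(email: str) -> str:
    """Unkeyed SHA-256: anyone who can guess the input can recompute the value."""
    return hashlib.sha256(normalise(email)).hexdigest()


def keyed_hash(email: str, key: bytes) -> str:
    """HMAC-SHA-256: recomputing the value requires the key held off-chain."""
    return hmac.new(key, normalise(email), hashlib.sha256).hexdigest()


def cross_check(on_chain: list, candidates: list, hash_fn) -> list:
    """Hash every candidate and list the addresses that explain a stored value."""
    table = {hash_fn(c): c.strip().lower() for c in candidates}
    return sorted(table[value] for value in on_chain if value in table)


# Constructed sample data: reserved example domains, not real people.
REGISTERED = ["alice@example.com", "bob@example.com", "carol@example.com"]
KNOWN_LIST = ["bob@example.com", "mallory@example.net",
              "Alice@Example.com ", "dave@example.org"]


def audit() -> dict:
    """Compare what is linkable on-chain under each pseudonymisation scheme."""
    key = secrets.token_bytes(32)        # held off-chain by the controller
    wrong_key = secrets.token_bytes(32)  # stands in for a party without the key

    chain_plain = [plain_hash(e) for e in REGISTERED]
    chain_keyed = [keyed_hash(e, key) for e in REGISTERED]

    return {
        # Unkeyed hashes: the known list alone is enough to re-identify.
        "plain_sha256": cross_check(chain_plain, KNOWN_LIST, plain_hash),
        # Keyed hashes, no key: neither the unkeyed function nor a guessed key links.
        "keyed_without_key": cross_check(chain_keyed, KNOWN_LIST, plain_hash)
        + cross_check(chain_keyed, KNOWN_LIST, lambda e: keyed_hash(e, wrong_key)),
        # Keyed hashes, with the key: the controller can still link records,
        # so key custody (and key destruction on erasure) is the actual control.
        "keyed_with_key": cross_check(chain_keyed, KNOWN_LIST,
                                      lambda e: keyed_hash(e, key)),
    }


if __name__ == "__main__":
    for scheme, linked in audit().items():
        print(f"{scheme}: {linked}")
```

Destroying the off-chain key leaves every party in the `keyed_without_key` position, which is one way to make on-chain values practically inaccessible while the block itself stays unchanged.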
Legal issues: contracts
The first task (that some organisations fail to do) is to perform
appropriate due diligence.
For example, what type of blockchain network do you want to set up and why? It is worth noting that private blockchain networks can be set up by taking the open-source software code used to deploy public blockchain networks like Bitcoin and amending it to set up your own private blockchain network. Alternatively, you can set up a private blockchain network using proprietary software developed specifically for enterprise use.

In a public blockchain network, there is deliberately no central authority in charge of the network – it is fully decentralised and run by the nodes and each node is a peer, i.e. treated equally so one node does not have more influence than another. As a result, there is no standard contract governing participants’ rights and obligations and no formal terms of use, although there are governance frameworks which we mention below which may set out some terms relating to access and use of the blockchain. The code that participants run is, in effect, the definition of the rules, and participants that apply different logic (either by accident or with malicious intent) soon fall out of synchronisation with the rest of the network, as the other participants would not agree with the results of the differing participant.

In some public blockchain protocols, a governance regime is often established to set out some ground rules in terms of how updates or fixes to the blockchain software will be proposed, discussed, and made available, and how to undo blocks which should not have been recorded in the first place. Typically this happens with majority consensus. However, the rules are often not well-drafted or stored in one place, making it difficult for participants to have certainty as to the terms of use governing participation. In addition, the pseudonymous nature of public networks means it is often difficult to identify the real-world identities of the account holders in the blockchain network.

Given some of the challenges of public blockchains as mentioned above, organisations we have worked with tend to focus on private blockchain networks. Private blockchain networks enable organisations to set up a network where they can have more control over who can join the network (as opposed to a public network where anyone is free to download the software and set up a node to connect to the network). This control can help satisfy anti-money laundering and know your customer checks that organisations will want to ensure are met. In addition, in a private blockchain network, organisations can decide whether one entity or consortium is in charge of running and upgrading the network. In the event of issues such as software defects, lack of availability of the network, service level failures, breaches of security or confidentiality, it is useful to know who is accountable. We can call this entity the “blockchain developer”.

Of course, whether or not an entity can be made responsible depends on the setup of the network. For example, will the blockchain developer have control over all the nodes forming the network so they can meet availability and service level commitments? Or, will they have control only over a proportion of the nodes running the network, in which case they can only reasonably be expected to be responsible for those nodes and not the nodes run by other stakeholders?

Because private blockchain networks can be set up so that one entity or consortium is in charge of running it, real-world contracts become more relevant in terms of governing the rights and obligations of the relevant stakeholders. For example, an organisation may want to use proprietary software owned by the blockchain developer to set up a private blockchain network. In such circumstances, the organisation can engage the blockchain developer to run the blockchain network (including all the nodes) on its behalf as its subcontractor on the basis the network is made available by the organisation to its customers (let us call them “participants”).

In such circumstances, the contracts governing the use of a private blockchain network would typically comprise:
• The blockchain services agreement between the blockchain developer and the organisation, governing the launch, operation, support, and development of the network.
• The participation agreement or charter governing the “rules” of the network between the organisation and each participant. In this agreement, the organisation is providing access and use to the nodes of the blockchain network operated by its subcontractor and may provide commitments around availability of the network. Any commitments will need to be carefully assessed against the obligations of the blockchain developer under the blockchain services agreement to ensure the organisation is not committing to more than what the blockchain developer is committing to it. For example, if the blockchain developer agrees to provide 99% availability of the network, then the organisation should not consider offering a better availability service level to the participants.
Legal issues: IP
IP is of particular importance in relation to the software
underpinning a blockchain network.
Understanding who owns the relevant IP, and who can use, exploit and enforce such rights is important. Such clarity provides certainty to users and blockchain software developers. For blockchain technologies the main IP comprises patents, copyright, confidential information or trade secrets and database rights (which may arise if there has been a substantial investment in obtaining, verifying or presenting the contents of a database). Some of these IP rights apply automatically (e.g. copyright and database rights); others must be registered (e.g. patents). Regardless of the exact IP in particular blockchain software, parties will often contractually agree the rights and obligations relating to use of the IP underlying it. Understanding the open source software ecosystem is also likely to be important for any blockchain software that is built on open source software.

The starting point for patents is that you do not automatically get a patent for setting up and running a blockchain. Instead, to obtain a patent you must make a formal application, and meet a number of criteria for patentability. This takes time and costs money.

A number of questions therefore arise, primarily whether a patent is going to be possible at all for the particular blockchain technology under consideration. If this is the case, the next question is usually whether patenting will be the best, or most appropriate form of protection? The answer to this depends on numerous factors including how the inventor or inventors plan to exploit the blockchain in question, and whether they think someone is likely to independently come up with the same or a similar idea, and if so how they might want to exploit it.

Many jurisdictions restrict the patentability of software, algorithms and the business methods to which blockchain technologies may be applied. Quite frequently because of this and the criteria imposed by the patenting system, together with the time, expense and requirement for a public disclosure, it is not appropriate to try to obtain a patent.

Instead, it may be better to use copyright, which will usually automatically arise and protect the software underlying the particular blockchain and keep the invention protected as a trade secret. The same applies to database rights, which also arise automatically when the necessary criteria are met. The use by the relevant software developer of the law of confidence to protect against disclosure or misuse is common, at least in the initial stages of development. Often this is achieved through a confidentiality clause in the contract. This balancing act is often as much of a commercial consideration as a legal one.

“Nevertheless”, says Tim Harris, partner in Bird & Bird’s Intellectual Property practice, “filings for blockchain patents are rapidly increasing, principally in the fields of payment architectures, cryptography and network protocols or security arrangements”. An organisation may seek a blockchain patent in order to help commercialise its technology directly but there may also be a number of indirect reasons for doing so.

A patent filing strategy may be undertaken as an innovation signal to investors or capital markets, with a view to making a public patent pledge to effectively license such patents to the world at large or on the proviso that such rights will not be enforced save in “defensive” situations, or simply to clarify what is in the public domain, thus restricting the ability of third parties to obtain patents which could have then been enforceable against the original organisation. Not infrequently the optimal solution will be to try to obtain a patent for the “central” part of the blockchain technology invention, and to protect various secondary aspects through trade secrets.

One can also envisage the possibility of organisations developing alternative business models. An organisation could grant licences to the copyright in its blockchain software for free with a view to encouraging widespread uptake, having also applied for a patent underlying the technology (which would not become public knowledge for some time). If the software then becomes widely adopted, a paid up licence could later be sought for any underlying patent rights with the threat of an injunction prohibiting further use if royalties are not paid. Although such a business model runs contrary to much of the open source ethos of the blockchain world, and may also run into legal difficulties in its enforcement, the threat could be sufficient to persuade at least some organisations to agree to the patent licence in order to obtain certainty and avoid a legal dispute.

In relation to open source software, a key issue to consider is whether any third parties have contributed to the blockchain software. It is important to make sure that contributions to blockchain projects used are licensed appropriately and that any contributions provided do not infringe on third party rights. In relation to the first situation, there are two points to consider. First, it is important to ensure that any contributing third parties have made contributions via a contributor licence agreement (CLA) so it is clear what terms the contribution was made on. Second, the parties should check the CLA terms are appropriate: are the terms of the licence granted by the blockchain software developer in relation to the blockchain software (that uses such contributions) aligned with the CLA terms? For example, if the licence to the blockchain software is perpetual and irrevocable, and if needed, with the right for users to sub-license and create derivative works, does the CLA, governing the use of the contribution, allow the blockchain software developer to grant such rights to its users in relation to such contribution?
Legal issues: enforceability
There are a number of problems that may arise in relation to
the enforceability of smart contracts recorded on a blockchain
which participants need to be aware of and consider addressing.
These problems may also apply to other transactions recorded
on a blockchain.
Some of the key points are summarised below:
• As a matter of English law, a contract must have certainty as to its terms. Whilst a simple smart contract in computer code may be more deterministic or certain than natural language, it is not yet possible to create computer code that caters for all the complexities of a commercial contract. For example, in many commercial contracts performance is measured by a particular standard such as “reasonable” or “best endeavours” or “good industry practice”. These standards cannot readily be formalised in computer code.
• The parties to a smart contract recorded on a blockchain will often be pseudonymous — it will be difficult to directly link addresses, public keys and transactions to a real-world identity, especially in the context of public blockchains. If it is not possible to identify the parties with certainty this may mean that the smart contract does not give rise to binding contractual obligations between the parties and could be unenforceable. A further, but related, problem is that it will be difficult for a party to identify who it needs to sue. It may be that in such a scenario the identity of the contracting party (i.e. the relevant party to the smart contract) could be established by investigation and evidence being put before the Court, but this would add significant complexity and cost to any claim.
• There are also likely to be issues as to how the Courts will approach the interpretation of smart contracts where they are written in computer code and whether they will be open to looking beyond the outcome of the computer code to interpret the contract, for example by implying terms into a contract.
• Significant difficulties may arise in identifying who is responsible for any problems with a smart contract. This could be connected to technology failures – for example, if there was a bug in the blockchain protocol or defects in the operation of the system or network. Additionally, there may be issues caused by cyber hackers, and a number of these incidents have already received significant publicity. Tracking down the identity of the wrongdoers in these cases can be extremely difficult because they are able to hide behind addresses which cannot be easily linked to a real-world identity.
• Complex cross-border issues may also arise in relation to smart contracts — the nodes which interact on a blockchain and execute the terms of the smart contract may be based in different jurisdictions which may apply different governing laws to the particular transaction. So which countries’ courts will have jurisdiction and which governing law will apply to the transaction? Again there may not be a straightforward answer to this question in the absence of an express agreement between the parties. Parties will also need to be aware that counter-parties to a smart contract may be based in jurisdictions where it is hard to enforce Court judgments — consideration should be given to this at an early stage and to whether arbitration may be a better option as arbitration awards are enforceable in a large number of states under the New York Convention.

Whilst these issues are novel, they are not insurmountable. Jonathan Speed, a partner in Bird & Bird's Dispute Resolution practice says that "many issues in relation to the enforceability of smart contracts can be addressed by having a natural language contract and the parties agreeing the smart contract forms part of it. For example, this could specifically identify the governing law that applies to a smart contract transaction and where any dispute under the contract should be resolved. Alternatively, in a private blockchain network, where there is likely to be greater certainty as to who is in control of the blockchain and the identity of the participants when compared with a public blockchain, participants could be required to sign up to a binding dispute resolution protocol as a condition of access."
Regulation
Blockchain regulation provokes much debate, particularly in relation to cryptocurrencies and other “cryptoassets” that are not adequately governed, or governed at all, by existing regulatory frameworks.

This vacuum creates other challenges. As discussed in our earlier chapter, after coming into force last May, the GDPR requires companies operating in the EU to delete or update personal information, yet one of blockchain’s key characteristics is its immutability and the unlimited duration of the records it creates. Potentially, the law and technology are in conflict with no regulation in place to determine how that conflict might be resolved.

In 2016, the UK Treasury published a report, Distributed Ledger Technology: beyond blockchain¹⁰. It concluded: “Government needs to consider how to put in place a regulatory framework for distributed ledger technology. Regulation will need to evolve in parallel with the development of new implementations and applications of the technology.” Although technological developments have since moved on at a considerable pace, regulation to match them has not. As a result, a lack of regulatory clarity persists in the UK and elsewhere.

The Treasury, in conjunction with the Financial Conduct Authority (FCA) and the Bank of England, published another report in October

coordination is required for those cryptoassets that pose new challenges to traditional forms of financial regulation, and fall outside the existing regulatory framework.”

The use of “harm”, “strong action” and “risks” point to consumer protection as the principal aim of future UK regulation relating to cryptoassets. In a sector as heavily regulated as financial services, where consumer protection and transparency are paramount, regulators in multiple jurisdictions have yet to catch up with the pace of technology developments. Legislative uncertainty is commonplace while divergent (and sometimes contradictory) regulatory approaches can apply. A key issue here can be what gets treated as a regulated form of “investment” or “financial security”.

“There is a clear distinction between the use of blockchain to found cryptocurrencies and other cryptoassets for example tokenised financial securities versus its use for general commercial purposes with the financial services space – such as the decentralised maintenance of security ownership ledgers, automated transaction management and reliable identity verification relying on token

blockchain technology are normally less contentious because they often involve a change in the way an existing activity is carried out by already-regulated players. Of course, they raise challenges – such as GDPR compliance in the context of a transparent distributed ledger – but those can usually be worked through.”

Regulators in many jurisdictions are seeking to address concerns over cryptoassets, albeit slowly, while treading lightly on the general commercial applications of blockchain technologies where specific regulation is deemed unnecessary. According to Michael Juenemann, Head of Banking & Finance in Bird & Bird’s Frankfurt office, The German Financial Supervisory Authority (BaFin) “is looking into blockchain technology: what it does, what the use cases are, and in which applications they should be regulated. The German Bundesbank is also looking at blockchain as a software technology to run their settlement and payment systems.”

Meanwhile in Singapore, virtual currency intermediation will be regulated by the new Payment Services Act, expected to come into effect at the end of this year or early 2020. “One of the key features of the Act is that it will provide a regulatory framework, specifically for virtual currency intermediaries, to deal with cryptocurrency and e-money issuance,” says Kim Kit Ow, partner in Bird & Bird’s Banking & Finance sector group in Singapore.

According to Slawomir Szepietowski, Managing Partner of Bird & Bird’s Warsaw office, at the beginning of 2019, the Ministry of Finance released guidelines on the tax treatment of cryptocurrencies, so this might be seen as a step forward into recognition of cryptoassets in a wider sense by the Polish regulator. In relation to commercial use blockchain implementation, the Ministry of Digital Affairs in Poland has concluded that no domestic regulation is currently needed. “They are promoting a regulatory sandbox idea,” he says. “Each particular case is being evaluated with the banking supervision or financial supervision authority, from which some specific compliance requirements may emerge for that implementation.”

Other regulators, such as The FCA in the UK, have also accepted a significant number of DLT-based projects into their regulatory sandboxes. On a positive note for blockchains, the Cryptoassets Taskforce report referenced above concluded: “While the authorities’ immediate priority is to mitigate the risks associated with the current generation of cryptoassets, the Taskforce considers that other applications of DLT have the potential to deliver significant benefits in both financial services and other sectors. The authorities do not believe there are regulatory barriers to further adoption of DLT.”

One cannot underestimate the importance of the distinction which this reference draws between the considerable challenges of cryptoassets and the far less controversial implementation of innovative blockchain-based solutions to
Spain has fragmentary regulation for each
2018, entitled Cryptoassets Taskforce11, which possession” says Trystan Tether, Head of the inefficiencies in traditional commercial structures
sector, explains Jose Luis Lorente Howell, Head
stated: “DLT has the potential to deliver substantial London Financial Services group at Bird & Bird. and systems.
of Banking & Finance in Bird & Bird’s Madrid
benefits, both in financial services and other sectors. “With cryptocurrencies and tokenised securities,
office but “there is no harmonised regulation and
Cryptoassets are one application of DLT… there new risks of real harm arise – such as investor losses
the regulators in different sectors are not yet doing
is growing evidence of harm to consumers and from scam new currencies, fraudulent or negligent
anything proactively” he says. “In terms of financial
markets.” It concluded: “Strong action should cryptoasset broker-custodians (intermediaries) and
services, there are concerns from a consumer,investor
be taken to address the risks associated with money laundering abuse – the extent of which is
and an electronic communications perspective, but
cryptoassets that fall within existing regulatory disputed. These risks are inadequately addressed by
the Spanish National Securities Commission has yet
frameworks. Further consultation and international existing regulation. By contrast, commercial uses of
to implement regulation.”
10 https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/492972/gs-16-1-distributed-ledger-technology.pdf
11 https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/752070/cryptoassets_taskforce_final_report_final_web.pdf
Security
One of the main perceived benefits of deploying blockchains is the security they provide.

For example, public proof of work blockchains like the Bitcoin blockchain are secure in the following ways:
• It is hard to make instructions that appear to come from someone else owing to the difficulty of “faking” a digital signature.
• It is hard to “re-write history” owing to the amount of hashing needed to create a longer chain of valid blocks with different transactions that would be accepted by participants as the canonical or “real” chain.
• It is easy to detect attempts to edit transactions owing to the cryptographic hashes at many levels.

Public key cryptography
Blockchains rely on public key cryptography and use public keys to create accounts (so no need to rely on a central authority to do that) and use their private counterpart keys to digitally sign transactions to prove the transaction has been agreed to by the account holder. This is in theory more robust than setting up an account with a third party, with a password which could be guessed. Whilst it is easy to create a private key and convert that private key into a public key by applying some mathematics to it, it is mathematically impossible with today’s technology to go backwards (i.e. work out the private key from the public key). So as long as you do not lose your private key or have your wallet hacked or copied, resulting in the disclosure of your private key, you have a robust way to set up accounts and send approved transactions.

Hashes
A cryptographic hash is a short fingerprint, or digest of some data. It is the result of a mathematical algorithm applied to any amount of data, whether a simple file, an entire USB stick, or a whole data centre’s worth of data. An example of an industry standard cryptographic hash function is SHA-256 (256 bit Secure Hash Algorithm).

Whilst it is easy to apply a hash function to some data to create the hash, as with public key cryptography, it is not currently possible using existing technology to work backwards and re-create the initial data from the hash.

Hashes are used for multiple purposes in blockchain technologies, including:
• For proof-of-work mining.
• For a block to refer to a previous block.
• For a transaction to refer to a previous transaction in some blockchain protocols.
• To refer to a specific “off ledger” file.

In addition, hashes can be used as “proof of existence” of some data. For instance, the hash of some off-chain data (e.g. a pdf file) can be incorporated into a transaction with a digital signature from an account holder for validation by the network. This might be useful if participants do not want the data recorded on a particular blockchain database being seen by others. If the account holder wants to prove that the relevant data existed at a point in time they can point to the transaction in the relevant block (which will have a timestamp) and provide their public key to enable the recipient to decrypt the hash to reveal the relevant data.

Hashes also make it easy to detect tampering. If data in a block is tampered with, it will become immediately obvious that the tampered data no longer matches the hash and so all participants can see that something has gone awry, and typically they will reject the tampered block.

False sense of security?
However, the strength of the cryptographic technology underpinning blockchains may unfortunately give rise to a false sense that blockchain networks may somehow be impervious to any form of attack. This is based in part on media hype and the common myth that blockchain networks like Bitcoin have never been hacked, which is incorrect. No matter how complex the mathematical algorithms or how innovative the software rules might be, there is always a human element that creates its own domain of risk — private keys can be copied leading to rogue transactions, and errors in the underlying codebase can be exploited.

The Bitcoin blockchain software has had a flaw exploited: in 2010, a hacker created a transaction in block 74,638 to create 184 billion Bitcoins for themselves. The transaction was discovered quickly, and with the consent of the majority of the network the blockchain was “forked” so that it reverted to the state prior to the rogue transaction.

Essentially the blockchain database split into two copies: one database removed the relevant block and then continued to encourage miners to build blocks onto it with the intent that it would become the majority accepted copy, whilst the old database which included the rogue transaction would be disregarded. Today, the commonly accepted Bitcoin chain is the one without the rogue transaction.

In addition, whilst the blockchain technology itself may today be fairly robust, another attack vector is to hack stakeholders that support the blockchain ecosystem, such as cryptocurrency exchanges. In the first half of 2019, there have been seven major hacks including a hack of Binance, a popular cryptocurrency exchange, where over $40m worth of Bitcoin was stolen.

“Blockchain technologies are secure by design with very powerful cryptography, and that is beneficial, but does that make it impervious to attack? No, it doesn’t,” says Simon Shooter, co-head of Bird & Bird’s International Commercial practice. “To adopt any system, blockchain or otherwise, and to rest on your laurels and say that’s now fully secure, is a fallacy.”
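The hash properties this Security section relies on (blocks referring to the previous block, tamper detection, the hashing needed to re-write history, and proof of existence) are shown below in a toy ledger; this is an added example, not code from the report or from Bitcoin. The block layout, payload strings, 12-bit difficulty and sample document are constructed assumptions, and digital signatures are left out.

```python
"""Toy hash-linked ledger: tamper detection, proof of work, proof of existence.
Added illustration; block layout, payload strings and difficulty are constructed."""
import copy
import hashlib
import json

DIFFICULTY_BITS = 12                      # toy value so mining takes milliseconds
TARGET = 1 << (256 - DIFFICULTY_BITS)     # a valid block hash must be below this
GENESIS_PREV = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def block_hash(block: dict) -> str:
    """Hash the fields that must be tamper-evident, in a canonical encoding."""
    header = {k: block[k] for k in ("index", "prev_hash", "payload", "nonce")}
    return sha256_hex(json.dumps(header, sort_keys=True).encode())


def mine(index: int, prev_hash: str, payload: list) -> tuple:
    """Proof of work: try nonces until the hash is below TARGET.
    Returns (block, number_of_hashes_tried)."""
    block = {"index": index, "prev_hash": prev_hash, "payload": payload, "nonce": 0}
    while int(block_hash(block), 16) >= TARGET:
        block["nonce"] += 1
    block["hash"] = block_hash(block)
    return block, block["nonce"] + 1


def build_chain(payloads: list) -> list:
    chain, prev = [], GENESIS_PREV
    for index, payload in enumerate(payloads):
        block, _ = mine(index, prev, payload)
        chain.append(block)
        prev = block["hash"]
    return chain


def first_invalid_block(chain: list):
    """Index of the first block a verifying node would reject, or None if all pass."""
    prev = GENESIS_PREV
    for block in chain:
        recomputed = block_hash(block)
        if (block["prev_hash"] != prev              # link to predecessor broken
                or recomputed != block["hash"]      # contents changed after hashing
                or int(recomputed, 16) >= TARGET):  # required work not done
            return block["index"]
        prev = block["hash"]
    return None


def remine_from(chain: list, start: int) -> int:
    """What re-writing history costs: redo the work for `start` and every later
    block. Returns the total number of hashes tried."""
    total = 0
    prev = chain[start - 1]["hash"] if start else GENESIS_PREV
    for i in range(start, len(chain)):
        chain[i], tried = mine(i, prev, chain[i]["payload"])
        total += tried
        prev = chain[i]["hash"]
    return total


def proves_existence(chain: list, index: int, document: bytes) -> bool:
    """The verifier is handed the document and recomputes its digest; only the
    digest is on the ledger, and it cannot be reversed into the document."""
    return (first_invalid_block(chain) is None
            and "doc:" + sha256_hex(document) in chain[index]["payload"])


DOCUMENT = b"constructed sample agreement, version 1\n"


def demo() -> dict:
    chain = build_chain([
        ["alice->bob:5"],
        ["bob->carol:2", "doc:" + sha256_hex(DOCUMENT)],
        ["carol->dave:1"],
        ["dave->alice:1"],
    ])
    results = {"clean": first_invalid_block(chain),
               "doc_ok": proves_existence(chain, 1, DOCUMENT),
               "doc_altered": proves_existence(chain, 1, DOCUMENT + b"x")}

    edited = copy.deepcopy(chain)
    edited[1]["payload"][0] = "bob->carol:200"        # edit, stored hash untouched
    results["edit_only"] = first_invalid_block(edited)

    edited[1], _ = mine(1, edited[0]["hash"], edited[1]["payload"])  # redo one block
    results["one_block_remined"] = first_invalid_block(edited)

    results["rewrite_cost"] = remine_from(edited, 1)  # redo blocks 1..3
    results["after_full_rewrite"] = first_invalid_block(edited)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Once every later block has been re-mined the edited copy passes these local checks, so the checks alone do not settle which copy is the “real” chain. As the section says, the edited copy would also have to become a longer chain of valid blocks than the one the other participants hold.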
Tax
Blockchain’s core attributes mean that there is potential for significant use in tax.

The advantages are said to be that organisations could see less cost and more efficiency, as smart contracts have the potential to automate the processing of payroll tax and any transaction-based taxes such as stamp duty on shares.

Using PAYE (pay as you earn), the current system of collection of income tax and social security contributions in the United Kingdom, as an example, a blockchain could provide a solution whereby employers will not need to be responsible for the calculation and transfer of tax and social security payments from salaries. Instead, an employer would log into a decentralised application (DApp) operating on a private blockchain network. Within the DApp, the employer would be prompted to complete certain “input” information required by the relevant smart contract deployed on a blockchain, such as details of the employee’s gross salary, taxable benefits and PAYE code (collectively, “tax data”). The tax data would then be transmitted from the DApp to a smart contract linked to it which would calculate the net salary payable to the employee and the tax payable to the tax authority based on the employee’s tax code (the “output”). The employer would operate a computer system that would monitor the blockchain for such outputs. On receipt of the relevant output, the computer system would then instruct the employer’s bank to make the relevant payments to HMRC (a UK government department responsible, amongst other things, for the collection of taxes) and the employee, as applicable. In a future scenario, where a Stablecoin digital currency “lives” on the relevant blockchain, it may be possible for the employer to send the relevant digital currency to the relevant smart contract and for the smart contract to run the calculations in accordance with its code and then automatically transfer the digital currency to the HMRC’s and the relevant employee’s blockchain addresses. If an underpayment has been made by the employer, the smart contract could fail (because the input was not met) or request the shortfall. If an overpayment has been made by the employer, the smart contract could return the surplus.

Transfer pricing is another interesting example where blockchains could be applied to regulate arm’s length terms among a network of parties. By using smart contracts, multinational organisations could use blockchains to track their intercompany commercial transactions. This data could then be used to determine and calculate the market value and arm’s length terms of other intercompany commercial transactions within the group. The fact such data is recorded on a blockchain means, for the reasons mentioned earlier in this report, it will be harder for stakeholders to tamper with the data without it becoming obvious to the network. Contrast this with an Excel spreadsheet of data where a malicious actor could more easily edit the data with a greater chance of not getting caught.

Smart contracts could also support the settlement for sales taxes such as value added tax (VAT). For example, a large retailer could participate in a private blockchain network where it records its acquisition of goods and taxable supplies made; this information could be sent to smart contracts deployed on a blockchain network. The smart contracts take the input information and calculate the resulting VAT liability of the retailer based on the terms of its code. The VAT liability is then immediately paid by the retailer to the tax authority (or recovered from the tax authority as the case may be). This would provide tax authorities with more effective VAT collection and would also benefit organisations waiting for the recovery of their input VAT.

With blockchains incorporated into the tax collection process the digital database is difficult to be tampered with once the data is entered, and access to private blockchain networks can be restricted to identified users, providing an element of control for the tax authority. Any changes (e.g. to tax rates or banks) are fully transparent to all identified network users, thus limiting the potential for errors and fraud, and potentially lowering the total aggregate cost of tax return preparation.

Nevertheless, there are challenges in migrating to a blockchain based system. First, a migration would require a significant development of both governmental networks and databases (e.g. how do you transition from vast centralised databases to distributed databases in an orderly way?). Second, blockchain technology is still in its early stages and standards have not yet been well-established — though governmental use may help to drive standards and harmonisation. We are aware that tax authorities are working together to develop best practice and share know-how.

The growth of the digital economy is already placing pressure on national tax systems to try new initiatives to catch up. One such example is the UK’s Making Tax Digital (MTD) programme. The UK Government published its long term plan to become “one of the most digitally advanced tax administrations in the world, making it easier for parties to keep on top of their tax obligations, facilitating more real time tax reporting and eliminating tax evasion.¹²” MTD is the UK Government’s first significant step towards achieving this goal, requiring VAT registered organisations with a taxable turnover above £85,000 to keep records digitally and use software compatible with HMRC’s API. It is based on a traditional system of internal record keeping rather than a blockchain. MTD has, however, suffered from various technical problems and delays, coupled with a mixed public response.

Aside from integrating IT systems on many levels, it is clear that using blockchains would also require reforming laws on collection of tax mechanisms. Currently, there is little or no express legislative tax framework in place in which blockchains can operate. There are also strict rules on the traceability of financial transactions which would be difficult to apply to a public database where users operate on a pseudonymous basis. The use of private blockchains mitigates these risks as only trusted users would be invited to participate in the network, which explains why private blockchains are already preferred by certain users, for example tax authorities and financial institutions.

Further, while blockchains are difficult to tamper with, this does not stop false information entering the blockchains at the start. The efficacy of the system would still be reliant on the quality of the information provided by the taxpayer. However, smart contracts combined with HMRC’s “Connect” system, which cross-references and analyses taxpayer data to establish fraudulent or undisclosed activity, should improve the quality of the information and collection ability available to HMRC.

Some governments though, such as Estonia, Thailand, Singapore and India, have already started to experiment with blockchain-based solutions for tax filings and audits. Estonia, for example, has been using a distributed technology known as Keyless Signature Infrastructure for taxpayers to operate their account and pay tax online. Thailand also announced in December 2018 that it has begun trials for a new pilot program designed to reduce fraudulent VAT refunds by using smart contracts to track VAT charges at the time of purchase.
12 https://www.gov.uk/government/publications/making-tax-digital-for-business-stakeholder-communications-pack/making-tax-digital-for-business-stakeholder-communications-pack
The UAE and Saudi Arabia have launched a proof-of-concept for experimenting with blockchains to help cross-border payments between the two countries, and this is expected to be completed in the last quarter of 2019. The Central Bank of the UAE has stated that it will help it gain a “deeper understanding of the feasibility” of distributed ledger technology in this field and “explore the potential opportunities and benefits of a digital currency”¹³ in normal market operations between the two countries.

Case Study — Insurwave
Launched in June 2018 as a joint venture between consultants EY and technology organisation Guardtime, Insurwave uses R3’s Corda blockchain, Microsoft Azure infrastructure, and ACORD data standards. Global organisations use it to transform how they manage risk and how they work with brokers, insurers and reinsurers. Since its launch, Insurwave has already supported more than half a million automated ledger transactions and has helped to manage risk for more than 1,000 commercial vessels.

“It’s not about digitising the existing process; we have created a platform that enables a new business model to operate,” says Shaun Crawford, Director of Insurwave and Global Vice Chair, Industry at EY. “The biggest advantage we had was timing – getting there first. That was our main driver: get out there, with a quality service, and don’t worry too much about people catching up. We don’t own the data, we control and manage it. We set up Insurwave with one member from each part of the value chain: the shipping organisation, A.P. Møller-Maersk; the broker, Willis Towers Watson; the reinsurer, XL Catlin; and end insurer, MS Amlin. We set up security so data flows through the various organisations in a strictly controlled manner, but we do not use or get access to it, which also means we are not required to be regulated by any statutory body.”

By connecting participants in a secure, private network with an accurate, immutable audit trail and services to execute processes, the platform is a digital insurance value chain. “EY provided the funding. Bird & Bird helped us set up the Joint Venture, making sure we had access to all the IP in the business and that the IP created by the JV partners was exclusively licensed to the business,” says Crawford. “This is a new business, so you have to think flexibly. We’re now seeking to widen the basic model – ship hulls and war zone coverage – to add cargo, property and then potentially pursue other speciality insurance lines.”

He adds: “We have succeeded by keeping it simple, engaging with clients and understanding business processes. In the early (pre-launch) days, we have had to reengineer our architecture several times — as a start-up using agile methodology, it was easier: we were able to make mistakes, and learn and change the platform accordingly, enabling us to try things, put them through, tweak them, and move them on. Now with the added maturity of an in production platform, we are shifting towards being a software engineering business as we scale our technology and on board our rapidly expanding pipeline.”

“We don’t see our blockchain as being the supreme blockchain taking over the insurance world; we see the future as being many private blockchains linked together, each with specific capabilities. The key is interoperability, so that you have connectivity which you can achieve one to the other, you have got security in place so you can move things around.”

Conclusion
As the hype surrounding blockchains begins to dissipate, it is tempting to jump on the bandwagon and discard the technologies as another solution looking for a problem. That is misguided.

Part of the problem has been a lack of careful application of the technologies to appropriately verified use cases. This is key for organisations to avoid spending unnecessary budget on unrealistic goals which leads to failed projects and disappointment. For example, blockchains do have a place for better tracking of physical items where perhaps a centralised store of data would not be acceptable to the industry, so a decentralised golden source of data that can be stored, shared and interrogated, might work, with less risk of it being tampered with. However, this use case relies on a degree of trust in these circumstances: you are relying on each party that records and sends the digital asset to a blockchain to be sending the correct information. Is this appropriate given the types of stakeholders participating and the nature of the data being shared?

Looking forward, the benefits of blockchain technologies (peer-to-peer, difficult to tamper, reduced reliance on central authorities) could be used to build new online services. In the Internet of Things ecosystem blockchain technologies could provide a platform to enable machines to connect with other machines: machines could be allocated accounts they use to send micro cryptocurrency payment transactions to other machines who, in return, provide data or services to the “paying” machine. This could allow different machines from different manufacturers to interoperate with each other without the need for a central operator to manage these interactions and payments.

parties to give effect to their intentions in code. An example is the Libra Blockchain’s new “Move” programming language. But, for the reasons already explained, there is currently still a role for the natural language contract.

In determining the way ahead for blockchain technologies, governments and regulators will need to draw a careful distinction between where new regulation is genuinely needed to minimise risk and provide protection, and where existing laws and regulations already meet those criteria in full. Fresh regulation, when it comes, should aim to provide confidence, stability, and above all, certainty for blockchain users in financial services and other sectors.

The possibilities of what blockchains can deliver as a technology are perhaps best summarised by those who have already deployed it successfully in their operations. “In the short term, you get business efficiencies: the first business benefit is shaving costs out of the end to end value chain, there is no question about that,” says Shaun Crawford. “Then, you get new business opportunities, new products, and new business models.”

Whether advising on the contracts underpinning the setup and governance of blockchain consortia, or the rules governing smart contracts themselves, lawyers will have a key role to play. At Bird & Bird, we look forward to bringing all our expertise to help our clients forge new paths for exciting new business models.
13 https://www.arabianbusiness.com/banking-finance/409780-uae-denies-digital-currency-being-used-with-saudi-arabia
Glossary

Address: A unique identifier that serves as a virtual location, or account, for a cryptocurrency payment. Cryptocurrency can be sent to an address similarly to how fiat currency can often be sent to accounts.

Block: A logical grouping of data stored on a blockchain. Blocks contain eventually permanent and unalterable records of transactions that have occurred during a period of time. Each block contains a cryptographic hash of the previous block in a blockchain, linking the two. A blockchain is made up of a chain of data blocks.

Contributor License Agreement (CLA): A legal document that defines the terms under which intellectual property (such as code) has been contributed to a project. CLAs ensure that permission cannot be withdrawn at a later date, so that software can be used in confidence that you will not be stopped from using specific pieces of code at a later date.

Cryptography: A branch of mathematics that describes methods to encrypt and decrypt data, and create hashes and digital signatures.

Data controller: A body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data processor: A body that processes personal data on behalf of the data controller.

Digital signature: A digital file associated with some specific data and a signatory. Digital signatures offer authentication (ensures the message was created by a known sender), non-repudiation (sender cannot deny having sent the message) and integrity (ensures the message was not altered in transit).

Distributed Ledger Technology (DLT): A digital system to record transactions without a central administrator or centralised data storage. The record of transactions is shared over a peer-to-peer network with others. The blockchain system is one form of DLT.

Fiat currency: Money without intrinsic value that derives its value from its issuing government rather than a physical good or commodity. Governments guarantee the validity of the currency for use in economic trade. Examples of fiat currency include the US Dollar (USD) and the Pound Sterling (GBP).

Fork: When a blockchain diverges into two different paths forward, due to lack of consensus regarding the future state of the relevant blockchain. Forks can be accidental or intentional. Accidental forks occur when miners simultaneously find a block, and the accidental fork is resolved when subsequent blocks are added and one chain becomes longer than the other(s). Intentional forks are created by changes to the underlying protocol and can be either “hard” or “soft”.
Hard fork — A divergence from the previous version of the blockchain protocol, where nodes adhering to previous versions of the protocol will no longer accept blocks created by nodes running the new version.
Soft fork — A change to the software protocol which is backwards-compatible, that is, nodes running previous versions of the protocol will accept blocks created by nodes running the new version.

Hash: An algorithmic function that converts an input of data into an output of a fixed length, typically much shorter than the input data.

Key: Asymmetric cryptography — also known as public key cryptography (PKI) — uses pairs of keys: public keys, which are publicly known and essential for identification and encryption, and private keys, which are kept secret and are used for authentication and decryption. In a blockchain context, public keys are used to derive account numbers, and private keys are used to prove control of the accounts.

Mining: The process of adding transactions to the public ledger of existing transactions (the blockchain) by making computer hardware do mathematical calculations to create valid new blocks to add to the chain.

Nodes: A device on the blockchain network that contributes to the maintenance of transaction records by sharing a copy of the blockchain and relaying transactions to other nodes. For example, any computer that connects to the Bitcoin network is a node.

Nonce: A number that miners change when trying to create a valid block in order to produce a hash that is less than or equal to a target hash. Any change to block data (including the nonce) will result in a completely different hash. The nonce is a key part of the proof of work mining algorithm.

Oracle: A third-party information source that has the sole function of supplying off-chain data to blockchains. Oracles find and verify real-world occurrences and submit the information to a blockchain.

Peer-to-peer: A network in which all participants and devices on a blockchain (nodes) are considered equal. Users (peers) use and provide the foundation of the network at the same time. Peers make a portion of computing resources such as disk storage, processing power or network bandwidth, directly available to other participants without the need for central coordination.

Private blockchain network (aka permissioned network): A network that places restrictions on who is allowed to participate in the network and in what transactions.

Proof of work: The puzzle that miners must solve during the block creation process. The proof of work is a hash that meets a certain criterion. This requires computational power to be created but it can be verified quickly. Thanks to the proof of work the blockchain’s data becomes immutable with time.

Public blockchain network (aka permissionless network): A network that allows anyone to read, write and participate. Nobody has control over the network, and they are secure in that the data cannot be changed once validated on a blockchain. Bitcoin is an example of a public blockchain network.

Stablecoin: This is a type of cryptocurrency. It is designed to provide greater price stability by being pegged to a more stable asset or basket of assets such as fiat currency.

Token: The representation of an asset or utility (such as cryptocurrency, commodities and loyalty points) on a blockchain.

Wallet: A software program that is used by blockchain participants to help them interact with a blockchain network and manage their accounts (e.g. stores public and private keys and enables participants to send transactions for recording on a blockchain).
Contact
Jonathan Emmanuel
Partner
Tel.: +44 (0)20 7415 6052
[email protected]
External contributors
Shaun Crawford Director of Insurwave and Global Vice Chair, Industry at EY
Marc S. O’Brien Chief Executive Officer of ETHOS Global Holdings
Dominic Carman Freelance journalist and writer
For information on the international legal practice comprising Bird & Bird LLP and its affiliated and associated businesses, our offices, our members and partners, regulatory
information, privacy, complaints procedure and the use of e-mail see twobirds.com/LN.
References in this document to “Bird & Bird”, the “firm”, “we” or “our” mean Bird & Bird LLP and the other affiliated and associated businesses authorised to carry the name
“Bird & Bird” or one or more of Bird & Bird LLP and those affiliated or associated businesses as the context requires.
The information given in this document concerning technical legal or professional subject matter is for guidance only and does not constitute legal or professional advice.
Always consult a suitably qualified lawyer on any specific legal problem or matter.
Bird & Bird assumes no responsibility for such information contained in this document and disclaims all liability in respect of such information.
Bird & Bird is, unless otherwise stated, the owner of copyright of this document and its contents. No part of this document may be published, distributed, extracted, re-
utilised, or reproduced in any material form, except with our express prior written approval.
Bird & Bird is an international legal practice comprising Bird & Bird LLP and its affiliated and associated businesses.
Bird & Bird LLP is a limited liability partnership, registered in England and Wales with registered number OC340318 and is authorised and regulated by the Solicitors Regulation
Authority. Its registered office and principal place of business is at 12 New Fetter Lane, London EC4A 1JP. A list of members of Bird & Bird LLP and of any non-members who are
designated as partners, and of their respective professional qualifications, is open to inspection at that address.