Hello What’s Next readers! There’s a lot going on in the encryption space in this issue—from smart contracts and blockchain, to criminal investigations. Plus, an update on that whole WHOIS debacle, and pop quiz! When does “consent” for data processing not really mean consent under the GDPR? Read on.
IRL: Smart Contracts and Crypto Regulation at she(256)
The gender gap in blockchain may be more abysmal than it is in law, but I’ll tell you this: If Blockchain@Berkeley’s she(256) conference is any indication, it isn’t because there’s a pipeline problem. The day-long event on the UC Berkeley campus featured women who are true experts in the field and was attended by lots of young women – and not a few men – eager to hear what they had to say. It also yielded insights into the future shape of “smart contracts,” and how the blockchain community is feeling about recent regulatory pressure. (For those unfamiliar, “she(256)” is a play on “sha(256),” the 256-bit Secure Hash Algorithm used in Bitcoin mining).
One of the speakers was Monica Quaintance of the Brooklyn-based startup Kadena, which is engineering a new approach toward smart contracts called Pact. Quaintance actually railed against the term “smart contract” as a misnomer; she prefers “crypto charter.”
“When non-blockchain people hear the term ‘smart contract,’ it means something different in their minds,” she says. Coding a “smart contract” doesn’t actually facilitate the creation of an agreement (the parties might not really even understand it, if they don’t write the code), and it can’t be changed if somebody messes up. For that, Quaintance says, you need a different framework allowing parties to enter into agreements, code them, and then change them if they want later – just like amending a regular, old contract.
Another takeaway: Smart contracts still have a ways to go with automated enforcement, acknowledged Aparna Krishnan, head of education at Blockchain@Berkeley. Making sure the money wired to the correct account? That, a smart contract can probably handle. Making sure the plants get watered? A little more tricky.
On the regulatory side, the event came a day after The New York Times story quoting former regulator Gary Gensler as saying that Ether and Ripple—the second and third most-traded cryptocurrencies, respectively—were probably issued in violation of the securities laws. That infused some tension in the final panel; Aya Miyaguchi, executive director of the Ethereum Foundation, warned that regulators getting too strict could “limit the potential” for growth in this nascent space. Christine Chiang, communications lead at a company called Cosmos, talked about how legal compliance can be dealt with through software modules they are developing.
>> I/O: For women reading this that are in the blockchain industry or advise blockchain companies, what’s your sense of the gender divide? Is it similar to legal industry and the rest of tech? I’d love to hear your thoughts: firstname.lastname@example.org
Watch This Space: Decryption Suppression
After I wrote last month about a magistrate judge’s order compelling decryption of a criminal defendant’s various electronic devices here in San Francisco, I learned about another case in federal court in Florida that touches on similar themes—but has a twist.
Gal Vallerius was nabbed last year by federal authorities while he was on his way to a beard competition in Texas (yes, you read that right, a beard competition). The wizard-bearded French national was making his first visit to the U.S., and was detained on suspicions of being a moderator on an infamous dark web drug market, who goes by the moniker “OxyMonster.”
But according to his lawyers at the Federal Public Defender’s office, Vallerius didn’t know why he was being stopped; investigators told him they were conducting routine checks for child porn. And so he unlocked his iPhone, iPad, and his laptop to be searched.
Now that he’s facing drug-related charges, Vallerius’ attorneys at a hearing last week in the Southern District of Florida urged a judge to suppress the evidence that the authorities obtained from those devices, arguing that he was tricked into giving up his Fifth Amendment and Fourth Amendment rights (before being Mirandized, no less).
“The agents did not ask Mr. Vallerius for the PINs and passwords in order to do a standard border search; they were specifically looking for evidence of the crimes that they suspected him of committed,” his attorneys wrote. “By asking him for the PINs and passwords to his devices, they were seeking to elicit incriminating information and evidence against Mr. Vallerius in what was an ongoing investigation.”
>> Think Ahead: A ruling is expected within the next couple weeks. It’s an interesting case not only because it involves the dark web and Gandalf-level beard, but because it tugs at the question of how authorities can gain access to people’s digital lives.
Dispatch from the Interwebs: WHOIS Update
I wrote last week about whether WHOIS, the global public directory of domain name registrants, will go dark because of the GDPR. Here’s a brief update after the meeting on Monday between EU data regulators and executives from the Internet Corporation for Assigned Names and Numbers. Short answer: At least partly.
“It is clear from our meeting that registrant, administrative, and technical contact email addresses must be anonymized,” Göran Marby, the president and CEO of ICANN, wrote in a blog post after the meeting. “From our discussions, we agreed that there are still open questions remaining, and that ICANN will provide a letter seeking additional clarifying advice to better understand our plan of action to come into compliance with the law.”
Marby didn’t say anything about ICANN getting a moratorium from GDPR enforcement while it comes up with a solution — read between the lines there. For more on this issue, check out my full article on the topic.
Protocol: NYAG, and ‘Hard Fork’ in Tezos Suits?
Ok, so it’s kind of a crypto-heavy week, but I’d be remiss if I didn’t mention the New York attorney general’s foray into trying to tame the wild world of crypto exchanges—and the latest developments in the potentially ground-breaking litigation against Tezos.
➤➤ NYAG Eric Schneiderman isn’t getting the reaction he wanted from the crypto world—although maybe it’s the reception he expected. After his Investor Protection Bureau sent letters and questionnaires this week to 13 cryptocurrency trading platforms seeking information on operational controls and other issues, at least one company said it wouldn’t comply and another expert called the action “extraordinary,” reports my colleague MP McQueen.
Jesse Powell, CEO and co-founder of Kraken FX, a major cryptocurrency exchange based in San Francisco, publicly rebuffed Schneiderman’s letter on Twitter:
➤➤ Meanwhile, on the civil litigation side, the investor class actions against blockchain startup Tezos are experiencing what you might call a “hard fork.” A federal judge last Friday ruled that the first case filed against the Tezos project should go back to state court in light of a recent ruling by the U.S. Supreme Court about securities class action jurisdiction.
The entities behind Tezos, which aims to be a new smart contracts platform similar to Ethereum, raised $232 million in an ICO last year. Some investors have sued to claw back the cryptocurrency they invested amid delays in the project’s launch. The twin suits could produce divergent rulings on how securities law interacts with crypto—unless one of the cases is stayed. A still open question is, what happens if Tezos launches while all this is ongoing?
Parsing the GDPR: Consent Confusion
Lest you be laboring under the illusion that everyone has figured out the GDPR but you, my colleague Caroline Spiezio on our in-house law department desk has some news that should be, er, comforting? At a recent panel event in Silicon Valley, in-house lawyers from major tech firms including Facebook, Uber, Salesforce and Dropbox all expressed just how challenging the principle of “consent” for data processing can be under the the new law, which comes into effect May 25.
“One of the major shifts that has occurred under GDPR is that you actually need to remove [requests for] consent when discussing the basis to process employee data, because of the huge discrepancy of power between the employer and the employee,” noted Amanda Katzenstein, product and privacy counsel for Salesforce.”The employee doesn’t always really get a benefit and it’s not going to be true consent.”
OK, so consent is a no-go in employment setting. But what about regular folks who just want to say, participate in a social network? Facebook lead product counsel Andrew Rausa noted that giving somebody the ability to consent also gives them the ability to withdraw consent. “And think about it, if you’re not able to process that data, are you able to run your business?”
>> Takeaway: Very little in the GDPR is as straightforward as it might seem. Rausa urged in-house lawyers to talk with their software engineers about the data they are collecting to get a better understanding of how to craft compliance. Subscribe to the Legal Speak podcast for my upcoming episode about the GDPR and how it’s changing the way lawyers work.
That’s it for this week. Keep plugged in with What’s Next!