How to Write Terms of Service for Virtual Reality

Legal contracts will pervade and regulate virtual reality. Just as end user license agreements (EULAs) govern the use of software, legal terms of use will govern virtual reality "space." Some terms of use will be like No Trespassing signs. Others will be warnings or disclaimers of liability.

Legal Notices Are Common.

Modern life is filled with legal notices and contracts. For example, as a visitor enters a physical building, it is common that the manager of the building will notify the visitor -- with a legible sign -- that guns are prohibited inside the building. Notices like this can be legally enforceable against a visitor: bring a gun into that building, and you can be ejected and perhaps arrested.

Property Rules

Legal Terms in VR Could Impose a Binding Contract.

In a virtual reality environment, the terms of use could cover myriad topics. They could confirm the intellectual property rights of the VR developer. Or they could restrict the legal power of a user to violate intellectual property (e.g., a work of art) by, for instance, forbidding the user from recording the property.

The terms could limit the power of a user to sue the developer if its data security is weak. (Example: "You give us your personally-identifiable information at your own risk. We cannot assure the security of your information, and we take no liability for any compromise of your information.")

Or ... the terms could impose legally-binding fees on a visitor. (Example: "If you enter this virtual room, you agree to pay VR Dev, Inc. $5.")

Enforcement of terms would often require gathering evidence of the terms and of how they appeared in the virtual space. See blog post about capturing legal evidence in virtual or augmented reality.

Legal Terms Might Be Enforced on Bots.

Google reported that its DeepMind bot is able to navigate a Doom-like 3D maze similar to how a physical robot can navigate through a physical building. Cool.

But when a bot visits a virtual space, legal terms -- written in natural language, not robot language like robots.txt -- might be imposed on it, even though no human actually sets eyes on the terms or interprets the legal meaning of the terms.

Why do I say that?

Refer to the famous case Internet Archive v. Shell. Ms. Shell published a web site, and posted legal terms on that site. The terms said that any visitor to the site agreed by contract that if it made a copy of a page from the site it would pay Ms. Shell $5000 per page. Internet Archive engages in the public service of archiving the Web. Using an automated program (a bot), Internet Archive made copies from Ms. Shell's website. Then, Ms. Shell sued Internet Archive for breach of contract, seeking money! Internet Archive argued in court that it was impossible for it to enter a contract with her because the copying was performed by an automated program and no human had reviewed the terms posted on Ms. Shell's site.

However, on a first-blush review, the court sided with Ms. Shell. The court ruled she had sufficiently proven the possibility of breach of contract so as to force the lawsuit into deeper proceedings.

The risk of deeper proceedings meant greater cost to Internet Archive and the possibility of an embarrassing loss in court.

Then Internet Archive and Ms. Shell settled their dispute. Internet Archive apologized to her, and she accepted the apology. She dropped her demand for money from Internet Archive.

Ms. Shell achieved a victory and established the possibility that a bot could be legally bound to contract terms communicated by natural language.

Legal Notices Will Be Published as Audio.

When Time Magazine's Lisa Eadicicco tried Microsoft's HoloLens, what surprised her were the sounds. Through HoloLens, she saw 3D objects as she expected. But she did not anticipate that the audio would be so meaningful.

She could hear objects that were out of view! She reported that she could hear them moving, similar to how we can hear creatures moving in real space, even though we don't see them. In other words, a rich VR experience will communicate by way of audio as much as by video.

Accordingly, some legal notices and contracts will be posted as audio, and/or they will attract attention by audio. For instance, as a VR explorer enters a landscape, she may hear a certain tone to indicate that legal terms apply to that landscape and she can read them if she so elects.

Notice of a Contract Might Be Given By Haptic Vibration.

Instead of audio, however, legal notices might bring attention to themselves through haptic feedback. For instance, a little vibration on the left side of a headset might indicate that

  • a legal notice is present,
  • the legal notice is binding, and
  • the user can access the notice (similar to clicking a "Legal Terms" link at the bottom of a web page) if the user so desires.

I am interested to hear comments on this topic.

How to Write Information Security Policy

In the 5-day SANS Institute course called "Legal 523," Law of Data Security and Investigations, I teach these general tips for how to write infosec policy for an organization.

1. The organization is wise to have some kind of written Risk Assessment. For a less-complex organization, the Risk Assessment need not be very long, but a Risk Assessment shows the organization is evaluating infosec risk (such as risk of breach of credit card data) and setting priorities based on that risk.

2. The organization is wise to identify a high officer as having responsibility for overseeing privacy and data security.

3. As I explain in the course, I like this statement as an accurate, overarching rule of infosec policy: "Company strives to maintain a reasonable, continuous process for implementing, reviewing, improving and documenting security and privacy in information technology. This process places more emphasis on the never-ending professional efforts of Company's IT staff than on paperwork, recognizing perfection is impossible." I like making clear in all policies that the quoted language is the ultimate policy, and everything else is subordinate to that quoted language.

4. As I teach in the course, I am wary of any statements of absolute in policy. When an organization says that the organization "will" or "must" or "shall" do anything in IT, the organization is setting itself up for potential failure. No organization can always do any particular IT thing. Therefore, I prefer using words like "the organization strives …" or "the organization aspires …". And of course, if an organization says that it strives or aspires to do some thing, then the organization should in fact work hard to do that thing.

5. An organization can responsibly require staff to do certain things (assuming those things are in fact achievable). For instance, an organization can require staff to maintain passwords that meet certain characteristics. (Example: "Each staff member must have a password that is no shorter than 12 characters.")

6. In my experience, the bigger problem is not whether an organization fails to cover particular topic X or topic Y in written policy. Instead, the problem is that the organization writes too many policies, which are too long, too hard to read, and too prescriptive and are disconnected from the reality of the fluid, dynamic challenges of modern infosec. The best standard is nimble, never-ending "professional attention" by the infosec team rather than satisfaction of a checklist covering particular topics (firewall, anti-virus, intrusion detection etc.).

7. Published "privacy policies" need to be carefully written so as not to promise privacy or security that is unrealistic.

The foregoing ideas are applicable generically. An organization subject to particular laws or threats may need to behave differently.

I welcome comments. I know some smart people will disagree with me on some of the ideas above.

-Benjamin Wright

How to Record Augmented Reality Legal Evidence

Audits and Official Inspections | Virtual Reality

Digital evidence can be faked. One way to enhance the reliability of digital evidence is to have a responsible person attest to its creation and authenticity.

Real-time narration bears witness to the truth.

This video demonstrates the recording of evidence from augmented reality.


The video records “reality,” which is the footage captured with the back camera on a smartphone as the inspector walks. The reality is “augmented” with information that is superimposed over the footage. Here the augmenting information includes compass and geolocation data that change as the inspector walks.

The video could constitute legal or audit evidence showing precisely what happened as the inspector moved about a certain parcel of land. The evidence might be used in a court of law or other official proceeding, or it might be used to support tax or financial statements. 

The video might show, for example, that the inspector encountered a "no trespassing" sign in the augmented environment.

It might show he accepted or rejected legal terms and conditions (like an end-user license agreement or EULA).

Alternatively, it might be used to show how the compass app functioned (or malfunctioned) or used intellectual property such as trademarks or copyrighted images.

Legal affidavit makes record more credible.

The lower left-hand corner of the video displays real-time footage from the phone’s front camera. It shows the inspector narrating the record, explaining what is happening step-by-step. The video also records audio of his voice as he talks and walks.

The inspector takes these measures to authenticate the video:
  • shows his face with his moving lips as he narrates,
  • identifies himself,
  • identifies the technology he is using,
  • describes the data as it appears on the screen of his phone,
  • closes by formally signing the video with these words recorded in both the audio and the small video window on the lower left corner: “I Ben Wright hereby sign and affirm this record as my official work.”,
  • vocalizes the date and time.

In effect the audio and video of the inspector constitute a legal affidavit confirming the augmented reality record. The investigator is placing his professional reputation behind the evidence depicted in the video.

Something similar could be done with a record of virtual reality or other immersive environment.

Augmented reality can entail more than audio and visual feedback.

Augmented reality could provide haptic feedback. So for example as the inspector walks, his smartphone could vibrate. The visual video record might not capture this vibration. However, the inspector could describe it in his vocal narration of events.

A pattern of ominous vibrations might signal danger or no trespassing. A calm vibration might signal approval or "thank you".

Augmented and virtual reality could (someday) even provide smell and taste feedback, which the inspector could describe vocally in a record like the video above.

More on this topic

For more analysis of these ideas, please see: Attestation of record captured from website.

See related ideas on legal records made by robots and cyborgs.

I would be pleased to hear comments.

-Benjamin Wright

Active Defense for the Internet of Things

Summary: Attackers will hack the Internet of Things. Then defenders will invoke "active defense." To support unexpected and unconventional active defense, defenders can post legal terms and warnings.

Today, a hot topic is hacking -- breaking into -- the Internet of Things.

The Internet of Things includes myriad little devices -- like smart Nest thermostats -- that are connected to the net via channels like Wi-Fi and Bluetooth.

At SANS Institute's Network Security 2015 conference, experts demonstrated how to manipulate things remotely, in ways that are not intended by the designers of the things. Experts hacked into a flying drone, a wireless teddy bear and a doll.

Active Defense to the Rescue?

But if attackers will hack into "things," then defenders will use so-called Active Defense to defend the things.

SANS Instructor John Strand for example teaches a whole array of techniques for tricking or annoying attackers or for collecting threat intelligence from them.

One technique is Kippo, a fake SSH server (a honeypot) that keeps capturing the attacker's commands, including those he means for his own local machine, even after the attacker thinks he has logged out of the SSH server. Dick Dastardly would be proud.

Another tool Strand teaches is a spider trap called WebLabyrinth. It serves up to an attacker an endless supply of junk data that could crash the attacker's web crawler software and possibly even the hard drive that supports the web crawler. What a surprise to the attacker who thought she was just hacking into a toy!

Active Defense Law

What are the legal implications of Active Defense techniques? Generally speaking a good active defender would have legal justification for thwarting and snooping on an attacker.

But Active Defense is an evolving, loosely-defined style of cyberdefense. It might embrace a zany repertoire of tricks, spoofs and unconventional maneuvers.

To reinforce legal justification, an Active Defender might post a legal notice that says the attacker consents to being tricked or tracked.

So for example, a wireless teddy bear might post a statement like this:

“Warning. No trespassing. If you hack this device, you consent to us deceiving you, tracking you and taking other unconventional steps to stop you and prosecute you to the fullest extent of the law.”

According to SANS instructor Josh Wright, this statement might be published "in the mobile application or the web UI of the device, using a modal dialog or other splash/landing page." It might be published many different ways. The statement needs to be accessible to the attacker, though not necessarily screaming in his face.

Posted Warnings Affect the Legal Interpretation of an Activity.

My point is that the publication of warnings and statements of legal consent can help to confirm the legal justification for Active Defense of lots of things connected to the Internet, including drones, robots, teddy bears and creepy dolls.

Furthermore, such statements can help to confirm that the professionals who execute or give advice about Active Defense are behaving ethically.

Compare my discussion of Offensive Countermeasures that warn a trespasser away from physical danger.

What do you think?

Attorney Benjamin Wright teaches the law of data security and investigations at the SANS Institute.

Post Script. At SANS Institute's Network Security 2015 conference, my fellow instructors were handing out coveted Hack the Internet of Things badges. You should have been there.

A Standard of Professional Attention for Data Security

Better than a Checklist of Minimum Requirements

By what legal standard should the holder of PII be held? PII means personally identifiable information like social security numbers and medical information.

I argue the standard should be this: A data holder must have an on-going process for devoting professional attention to security.

Under this standard, a sizable data holder like a hospital or a retail chain deploys a team of professionals to work all the time, every day. Any legal review of the data holder is an enormous amount of work . . . an utterly massive amount of work. Under this standard courts, insurers or regulatory authorities must undertake an exhausting analysis to conclude whether a data holder met the standard.

“Minimum Technical Requirements” Is a Common But Flawed Standard.

But the professional attention standard that I advocate is not universally acknowledged by authorities.

Instead, a commonly-articulated standard is that the data holder must achieve some “minimum requirements.” Those minimum requirements amount to a prescriptive checklist of specific technical measures the data holder must take. The authority promoting the minimum requirements argues that each and every requirement is easy to do, so failure to do any one of them merits some kind of penalty.

Here are two examples of a legal authority arguing that a data holder failed to meet minimum, easy requirements for data security:

One: Cyber-insurer Denies Coverage Because Hospital Failed to Do Everything on Minimum Checklist. 

In Columbia Casualty Company vs. Cottage Health System a hospital had paid for cyber insurance. Then a breach happened. The insurer sued the hospital, seeking to deny coverage because – in good part – the hospital failed to satisfy some specific minimum requirements like installing patches on servers.

Two: FTC Says Medical Laboratory Violated Law Because It Missed Some Specific Checklist Points. 

The Federal Trade Commission is locked in an epic struggle against the victim of a cyber attack, LabMD. In this proceeding FTC’s lawyers maintain that LabMD violated data security law because LabMD failed to implement specific low-cost checklist items, such as adoption of written security policy (which is different from an unwritten policy), formal training of employees, destruction of data on people for whom no healthcare was performed and updating of the operating system.

See Footnotes 5-14 and accompanying text, Complaint Counsel’s Opposition to Respondent’s Motion to Dismiss. Public Document Number 9357, filed May 6, 2015.

It is important to observe that FTC’s lawyers give no credit to LabMD for what it did right; LabMD did in fact have a substantial, on-going InfoSec program. But FTC’s lawyers simplistically say: You missed some specific technical points in our checklist; therefore, you violated the law. No deeper analysis is necessary. [See update below.]

The Minimum Requirements Checklist Does Not Align with Reality.

The minimum requirements approach is easy for an authority like FTC to enforce. An audit will always find that a data holder did not meet some specific minimum requirement. That is reality. So any time the FTC looks, it will find that the data holder failed to meet this requirement or that requirement, even if the data holder maintained a substantial, professional, good faith InfoSec process.

But the minimum requirements approach is ineffective.

Every day, major data breaches happen. The reason is that data security is astonishingly hard to achieve in a functioning organization. As I write this post today, the big breach in the news is US Office of Personnel Management. Breaches are routine. Breaches are normal.

According to InfoSec pundit Bruce Schneier:

“In general, it is far easier to attack a network than it is to defend the same network. This isn’t a statement about willpower or budget; it’s a statement about how computer and network security work today. A former NSA deputy director recently said [link omitted] that if we were to score cyber the way we score soccer, the tally would be 462-456 twenty minutes into the game. In other words, it’s all offense and no defense. … In this kind of environment we simply have to assume that even our classified networks have been penetrated.”

In practice, achieving all of the minimum, low-cost requirements – 24 hours a day, 365 days a year -- is exceedingly hard to do. Each little requirement viewed in isolation might be “low cost,” but collectively they are not low cost. More importantly, striving for minimum requirements is not the most effective approach to security. As a multitude of institutions have proven, the data holder can invest great resources in security and still be breached.

InfoSec is a fierce competition, and you might not win that competition even if you work hard at it. Like a rugby game, security invariably involves tradeoffs, judgment calls and good faith mistakes.

Even “easy” measures might not make sense on account of such things as compensating controls, prioritization of attention, rapidly-changing threats and technology, disruption caused by “patches” or the operational needs of the data holder.

The Better Standard Is Professional Attention.

So the better standard is not that the data holder meet specific minimum requirements on a prescriptive checklist. The better standard is that the data holder maintain a professional program to attend to security.

To understand that standard, let’s look at an example. A hospital (Massachusetts Ear and Eye Infirmary) lost a laptop containing patient data. The Department of Health and Human Services investigated. HHS concluded that the hospital violated HIPAA data security requirements and imposed a $1.5 million fine.

But the analysis by HHS was telling. HHS emphasized the violation and fine were not about a specific security measure, i.e., encryption on a laptop. HHS did not say, "Encryption is easy. You did not encrypt. Therefore you broke the law."

Instead, said HHS, the violation was that the hospital failed over time to maintain an effective, on-going process for evaluating the security of portable devices and responding to that evaluation. See Resolution Agreement September 13, 2012.

Perfection in Information Security Will Never Be Achieved.

If data holders like hospitals must achieve perfect minimum data security – if they must always meet all the “low-cost” measures that can be dreamed up -- then they should cease operating. They will never get to legal compliance, and they will owe infinite fines and infinite compensation to victims like patients. That outcome is absurd.

A better approach is to motivate data holders to maintain a process, a responsible on-going program. It is like motivating a sports team to train rigorously and play its heart out on the field.

That approach includes recognizing that oftentimes organizations with good programs will be breached. Organizations with good programs should be rewarded for having the programs. They should be spared penalty when a breach happens.

Data holders, like sports teams, should be cheered for playing hard, even when they lose.

This topic keeps me humble. I'd be pleased to hear comments.

--Benjamin Wright

Disclosure: Mr. Wright has performed work for LabMD.

Update on LabMD: Administrative Law Judge ruled against FTC and the standard of liability it was advancing.

eDiscovery: Opportunities for Creative Thinking by IT Professionals

Deep knowledge of technology is critical to winning modern lawsuits. When an enterprise is in litigation, the legal team needs advice and ideas from IT staff and other forensic experts.

Discovery of Records Resolves Lawsuits

Consider in particular the discovery phase of a commercial lawsuit.  The lawyers representing an enterprise wish to request, through the rules of discovery in litigation, that the adversary turn over records that are relevant to the lawsuit. The adversary’s records can help to resolve the lawsuit.

Fishing Expedition Not Tolerated

But under the rules, the lawyers must have some reason to believe that specific kinds of records exist in order to ask for them. The lawyers can’t simply ask that the adversary rummage through all of its digital stuff – all email, text messages, files, folders, images, metadata, tapes, hard drives, backup, cloud-computing accounts and on and on -- and turn over “all relevant records.” Such a request would be an open-ended fishing expedition, which the court will not tolerate. Such a request would be far too broad and therefore not enforceable.

So the lawyers face a chicken-and-egg paradox. They want the adversary’s records, and they are entitled to get some of those records. But if they don’t know which specific kinds of records the adversary might have, then they don’t possess the technical knowledge necessary to frame a request for them.

The Internet of Things Is an eDiscovery Bonanza

Enter the Internet of Things.

New technology – like smartphones, smart-watches and smart-grid power meters – begets prodigious quantities of heretofore unimaginable records. The records can show, for instance, who was at a certain place at a certain time or when a particular event occurred in a work room. The technology changes and advances constantly. Many new and surprising kinds of records – records that could be very impactful in a lawsuit – emerge every day.

A Demonstration from Investigative Journalism

Here’s an example of how new technology breeds surprisingly influential new records and evidence. News media investigated the spending habits of former Congressman Aaron Schock. Congressman Schock relished using social media to tell the world what he was doing all the time. But unbeknownst to him, he was telegraphing little clues – little records – about himself that would prove to be embarrassing.

Schock published Instagram photos that included time and geolocation data.

The ever-watchful Associated Press matched this data with his official (publicly available) expense reports. The AP deduced, for instance, that he illicitly rented a private jet, at taxpayer expense, for his transportation connected with a particular fundraising event in Peoria, Illinois. Ouch.

As an investigative journalist, AP published its analysis and concluded that Schock was abusing his travel expense budget. This and similar revelations contributed to Schock’s resignation.

Now Let’s Apply that Example to Litigation

Just as digital details like geolocation data can help the news media scrutinize spending by a politician, they can be decisive in a commercial lawsuit. But often the lawyers handling a lawsuit need help from people with technical expertise. Lawyers may not realize that, for example, if a video is stored in SharePoint at an adversary enterprise, then SharePoint may store reliable metadata about the date of the video and the dates of each revision to that video.

Very often, under the rules of discovery, the lawyer’s request for something like SharePoint metadata must be predicated on more than a mere guess that “some kind of metadata somewhere exists with respect to the video in question.” In their eDiscovery request for records from the adversary, the lawyers need to refer to some empirical evidence that SharePoint metadata would be relevant to the case at hand.

That’s precisely where an alert IT staffer can add value. If the staffer understands the details of the case, he or she may be able to divine that the adversary was using SharePoint to store a video. Further, the staffer might know enough about SharePoint (or be able to learn through quick research) to advise the lawyers they should target SharePoint metadata in their eDiscovery request. That kind of advice can make or break a case!

IT Experts: You Should Be Inspired and Empowered  

A person with technical knowledge should be inspired to be creative … and to think outside their normal roles … to help their legal team to discern and articulate that the adversary possesses unconventional records that should be produced.

By Benjamin Wright

What is Best Practice for Government Email Retention Policy?

Central archive promotes internal control, deters corruption.

Enterprises like businesses and government entities should generously retain the email of important employees in a central archive. A central archive is controlled by the IT department, not the employees whose email is in the archive. Such an archive ensures records are conveniently available and searchable for audit, e-discovery and internal investigations.

IRS investigation nightmare proves the need for a central archive.

The current poster child in favor of central archives is the Internal Revenue Service. IRS is currently enduring a nightmare owing to its failure to archive employee email centrally. This nightmare is not over. But it has transpired enough to teach painful, timeless lessons.

The nightmare in question is the investigation into the emails of an IRS executive named Lois Lerner. Lerner headed an IRS division handling sensitive tasks (evaluating the tax status of nonprofits).

The Inspector General at IRS recently opened a criminal investigation into whether one or more employees at IRS attempted to destroy or hide Lerner’s emails (that is, government records).   If an employee did that, the employee could go to jail.

Scandals often hinge on electronic mail.

Here’s the story. A political controversy erupted over Lerner’s work. Congress demanded her emails. (Logically, emails are a very relevant thing for an investigator or legal adversary to demand in today’s age. In modern enterprises, emails record most of the action by managers and executives.)

Astonishingly, IRS replied to Congress that all of Lerner’s emails had been destroyed because the hard drive on her single laptop had crashed. What?!

Furthermore the Commissioner of the IRS (its top executive) testified to Congress that Lerner’s emails were irretrievable . . . could not be recovered by any means. What?!

A manager’s emails need to be archived and segregated from the manager.

In effect IRS was saying that its IT systems were designed so that the retention of many important emails depended upon the function of a single PC hard drive. That’s nuts . . . for two reasons.

First, PC hard drives commonly fail; important records like management emails need to be copied some other place. Reliance on a single PC hard drive constitutes gross mismanagement.

Second, if sensitive records are stockpiled in a single place under the control of a single employee, then that employee has the ability to destroy her records. She has the ability to cover up her own wrongdoing in the event of an investigation into her performance or malfeasance.

What’s more, it strains credulity for an enterprise to say that large numbers of emails of an executive are irretrievable, even after a hard drive has crashed. Copies of those emails are likely scattered far, wide and deep, especially in backups and on servers.

And in fact, when the IG investigated, that’s what IG discovered. Lots of Lerner’s emails are on backup tapes and (potentially) on server hard drives.   Recovering all this is much work. But it can be done by patient, well-resourced investigators.

The emails were not "irretrievable" as the IRS Commissioner had testified to Congress. One can't expect the IRS Commissioner to be an expert on computers and records. Obviously he has to base his testimony on advice from other people. And obviously he got horrible advice, in good part because IRS had failed to archive Lerner's emails in a centralized, competent archive.

IRS could have avoided this embarrassment.

For IRS as an enterprise, this investigation is becoming a long, expensive and embarrassing saga. A protracted criminal investigation like this can be very damaging to the reputation of the enterprise and to overall employee morale, even if the investigation concludes that no crimes were committed.

An enterprise like IRS is wiser to archive email centrally, under the control of the IT department and outside the control of individual employees. If IRS had at the outset archived Lois Lerner’s emails in a centrally-controlled appliance, they would not have (seemingly) disappeared and the IRS would be spared from this debilitating forensic investigation.

By Benjamin Wright

Legal Training for New CISSP Exam | CPE Too

The information security world is in turmoil. For infosec professionals, the adoption of smart legal practices is becoming more urgent.

Keeping with the times, the CISSP exam -- and related CPE requirements -- are being refreshed as of April 15, 2015. (CISSP stands for Certified Information Systems Security Professional.)

Cyber Threats Rise

The refresh reflects the alarming new reality of information security around the globe. 2014 was a banner year for data breaches and cyber attacks: Home Depot, Sony Pictures Entertainment, Community Health Systems, et al. And already for 2015 we’ve seen records breached for 80 million people at health insurer Anthem.

As a consequence of this bad news, lawsuits are becoming more common and government audits & investigations are becoming more intrusive. For example, in the wake of the Sony Pictures attack, former employees of Sony have sued the company for allowing their personal information to be exposed.

CISSP Exam Covers Legal Issues

In this context the CISSP exam is changing. Among the topics in the exam are:

  • Law
  • Compliance
  • Regulations
  • Privacy
  • Policy
  • Investigations
  • Evidence
  • Ethics

These are all topics I address in a five-day bootcamp, “Law of Data Security and Investigations,” taught at the SANS Institute. SANS and I have been delivering and updating this course -- known as LEGAL 523 -- for many years. This course has served many hundreds of students from around the world.

Like the CISSP exam, the course embraces both old (timeless) lessons and new lessons. Through the years, the process of teaching the class -- engaging with smart students -- has improved my understanding of the topic; it has helped me refine the material, iteration after iteration.

LEGAL 523 is unique in the world. I am aware of no other course that seriously competes with it. It is taught by a practicing lawyer, who has years of experience. He devotes his professional life to keeping up with the latest developments, such as New Jersey’s new law S.562 that (more or less) requires health insurers to encrypt personally identifiable information.

SANS LEGAL 523 | Law of Data Security and Investigations

By Benjamin Wright

Note: LEGAL 523 is not a cram course for the CISSP exam. It aims to teach all professionals (CISSPs, lawyers, auditors, investigators, penetration testers, managers and others) how to cope with the most pressing legal risks in data security and data investigations.

Blockchain Smart Contracts | Fraud, Taxes & Evidence

The Case for Supporting Automated Contracts with Traditional Legal and Audit Documentation

Blockchain enthusiasts envision smart contracts, where assets and transactions are governed on the type of shared ledger that controls Bitcoin.

Here is an example of a “smart contract:” Alice, Inc. earns bitcoin by mining. Alice controls a bitcoin account to which earned bitcoin is added from time to time. Alice, Inc. promises to pay Bob Corp. 25% of the bitcoin added to the account each week. (Assume the value to be paid Bob is around $250,000 per year.) Alice management sets up this transaction by adopting rules on a functioning, publicly-accessible Ethereum-based blockchain. The functions of the blockchain automatically execute the transaction and cause the requisite bitcoin to move from Alice’s account to Bob’s bitcoin account.

The transaction is functionally complete, but poorly documented.

In principle, this transaction is functionally complete. In principle the code on the blockchain could control and execute the transaction as intended by Alice and Bob.

However, I argue that for many businesses like Alice, Inc. the transaction needs more legal and audit documentation. The establishment of rules on a public blockchain ledger may not be enough to satisfy Alice, Inc.’s responsibilities to stakeholders, including shareholders, creditors and tax authorities.

Now, management at Alice, Inc. might (hypothetically) disagree with me. Management might argue that by setting up the transaction on the blockchain it has undertaken and documented a transaction that is just as legally-binding as a promise made with paper and ink. The blockchain is open for public inspection. Anyone can inspect the function of the blockchain and the open-source code that runs it. Anyone can monitor the transactions recorded and executed on the blockchain. The transactions are executed under publicly-known, publicly-validated cryptographic security measures, including hash algorithms and digital signatures.

Accordingly, argues management, even if the smart contract does not execute, Bob Corp. can still refer to the code recorded in the blockchain as evidence of the intent of the contract and thereby enforce the contract in a court of law just as if it were written in ink on paper.

Judicial cases support the proposition that a smart contract could be enforced in court.

In support of its position Alice management might cite case law interpreting security measures instituted with respect to property such as land. Courts have long evaluated the “security measures” instituted on land to ascertain whether rights of ownership to land have changed by way of “adverse possession.” Those security measures have included gates, locks, fences and the like.

So, for example, a New Mexico court said that adverse possession of land could be interpreted from the history of locks used on a gate that controlled access to the land. Dethlefsen v. Weddle, Opinion Number: 2012-NMCA-077, New Mexico Court of Appeals, 2012.

Similarly Mississippi courts have said that adverse possession of a parcel of land could be interpreted by examining fences on the land, including their location, history and purpose.

To understand evidence of security measures, a court may need to hear testimony from witnesses, such as people who understand the land in question.

In other words courts have much experience examining publicly gatherable evidence of security measures used to control property and then interpreting that evidence as a record of the rights and ownership pertaining to the property. Another way to say it is that the function of fences, gates and locks is a form of language, and with enough effort a court can come to understand that language.

Courts can interpret security measures, just as they can interpret words written on paper.

If courts can do that for land, argues Alice Inc.’s management, then courts can do it for logical evidence that can be seen by all on a blockchain. Just as courts can hear testimony from witnesses who know land, courts can hear testimony from cryptographic experts who understand blockchains.

In theory, if the blockchain stopped functioning, and Alice otherwise refused to transfer the bitcoin to Bob Corp., Bob could sue for breach of contract and win a judgment against Alice. With the help of qualified witnesses, Bob could prove the existence and meaning of the smart contract by referring to the code and security measures used in the blockchain.

A contract need not be written in natural language in order for a court to understand it or enforce it. So argues management at Alice, Inc., who believes no additional documentation is necessary.

Good business documentation seeks more than just enforceability in court.

But I have a rebuttal to the foregoing hypothetical argument by management at Alice, Inc. Just because a contract is legally enforceable does not mean it is documented well enough for accounting purposes.

Alice’s management may be correct that the smart contract is written, recorded, understandable and enforceable.

Nonetheless, Alice, Inc. still has problems with this transaction. Good business practices expect businesses to better document substantial transactions like a promise to transfer roughly $250,000 in value per year.

A promissory note is greater documentation than is a mere notation in a ledger.

A business like Alice, Inc. needs to account to stakeholders. One example of a stakeholder might be a bank that has lent money to Alice and expects Alice to repay the loan and otherwise maintain a strong balance sheet. Another example of a stakeholder would be a corporate shareholder. If Alice is a larger corporation, it could well have numerous shareholders, including founders (and their heirs and family members), angel investors, venture capitalists and employees.

Promissory Note to Support Autonomous Contract

Critical to a business’ accounting to stakeholders is its maintenance of books, ledgers and documentation to show revenue, expenses, assets, liabilities and so on. Those books, ledgers and documentation enable a third-party auditor to review and opine on the financial statements the business provides to stakeholders.

But if Alice’s evidence for its obligation to Bob is just the entries on a public blockchain, that evidence may not satisfy the auditor. The auditor may lack the expertise to interpret the blockchain. Blockchain technology is very new and very complex. Few accountants in the world are today qualified to review a blockchain.

Alice’s auditor may refuse to approve Alice’s financial statements . . . or may flag the poorly-documented contract as a problem.

Famous court case calls for backup documentation.

An instructive court case is SEC v. World-Wide Coin Investments, 567 F.Supp. 724 (N.D. Ga. 1983). World-Wide Coin was a small, publicly-owned company. It was subject to the US securities laws, including the requirement that it “make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of assets of the” company. 15 USC § 78m(b)(2)(A). The court found that the company had failed to satisfy that requirement for records. Among many other recordkeeping defects, the court found: “no promissory notes or other supporting documentation has been prepared to evidence purported loans to World-Wide.”

In other words, at this company obligations to pay money (repay loans) were supported by only sketchy notations and/or memories stored in the heads of staff members. But the court said that’s not good enough to serve the interests of stakeholders (even though the people to whom money was owed were not complaining). Sketchy notations and human memories are inadequate to constitute “reasonable records.” Obligations to pay money need to be documented by written evidence like promissory notes or contracts.

Outside auditors demand good documentation.

Let’s apply the World-Wide Coin lesson back to Alice, Inc. Its outside auditor will expect Alice to have reasonable records of obligations. (Further, under general corporate law Alice’s creditors and shareholders also expect Alice to maintain reasonable records of obligations.) Those records give the auditor comfort that the financial ledgers shown to the auditor are in fact accurate.

If the auditor is uncomfortable with the quality of Alice’s documentation, the auditor could point to the World-Wide Coin case for the proposition that Alice is deficient (even if Alice is not a publicly-owned company that must comply with the securities laws like 15 USC § 78m(b)(2)(A)).

In the mind of the outside auditor, deficient documentation of transactions could be a symptom of deeper problems at Alice. 
  • One problem could simply be sloppiness such that Alice – innocently, naively -- does not understand its obligations and therefore is incompetent to account for its financial status.
  • A second, more sinister, problem could be that management at Alice is intentionally obscuring the company’s financial condition for the purpose of fraud. The poster child for this problem is Bernard “Bernie” Madoff, one of the most infamous of all financial crooks. He and the staff at his company deliberately maintained sketchy or nonexistent documentation of contracts and other transactions in order to hide the company’s true condition from auditors, investors and regulators. 

Tax authorities demand good documentation.

With regard to Alice, Inc.’s accounting documentation, another stakeholder is a tax authority. If Alice is a US company it must pay federal income tax. Alice will likely try to reduce its tax liability by claiming the transfers of bitcoin to Bob Corp. reduced Alice’s income.

In support of Alice’s claim, the Internal Revenue Service expects Alice to keep adequate records and documentation. The records and documentation enable IRS auditors to confirm Alice’s annual income.

Section 6001 of the Internal Revenue Code requires each taxpayer to keep records necessary to show whether the taxpayer owes tax.

The taxpayer has the burden to prove the authenticity of its records. Gillespie v. Commissioner, 35 T.C.M. (CCH) 269 (1976).

Sometimes, owing to inadequate documentation of transactions, IRS disagrees with a business taxpayer’s calculation of tax. In Bard v. Commissioner, for example, the IRS disallowed deductions the taxpayer had taken for the costs of precious metals purchased in cash transactions. The taxpayer had documented the purchases with little more than a fragmentary telephone log kept in a looseleaf notebook, without numbered pages. Although the taxpayer appealed to the tax court, the court sided with the IRS. It sustained the disallowance of deductions, which increased the taxpayer’s tax liability considerably. 60 T.C.M. (CCH) 485 (1990).

In theory a tax auditor can understand the smart contract on the blockchain. But in practice the tax auditor may consider the blockchain to be too obscure and therefore inadequate to support Alice’s tax claims.

Accordingly, Alice, Inc. may be saving itself heartache in a tax audit by supporting the smart contract, at the outset, with a traditional, written promissory note.

Why is a promissory note needed?

In all likelihood the code for a functioning smart contract will not include all the information that is critical from a legal or accounting perspective, such as the precise legal name of the parties (Alice, Inc. and Bob Corp.).

The process of drafting a promissory note or similar document – to stand alongside a smart contract -- imposes intellectual and ethical rigor on business people and programmers who may otherwise be in a hurry. In my experience executives and coders can dash off ideas and deals quickly, with little regard for the details that may not seem important at the time.

But those details are the domain of the scrivener (the document draftsman). The disciplined scrivener knows that a promise to pay needs to nail down topics such as the precise legal identity of the parties, whether the promise was made by an authorized officer of the promising company, whether the obligation to pay can be enforced in court (outside of the blockchain), and more.

Conclusion: Smart contracts and traditional documentation complement each other.

Smart contracts are good, and companies like Alice, Inc. should use them where they make sense. But substantial smart contracts need to be supported by traditional written documentation like paper contracts or promissory notes.

What do you think? If any of my ideas are off-target, please let me know.

By Benjamin Wright

Legal Terms for Crypto 2.0 Project

Generic Disclaimer of Liability

Ethereum’s Vitalik Buterin inspires me to offer a contribution to the cryptocurrency community (a.k.a. Crypto 2.0). Buterin observes how many different projects are underway within the community, working on cryptocurrencies, blockchains, smart contracts, distributed ledgers, decentralized consensus and the like. 

These projects include Bitcoin, myriad altcoins, Bitshares, Ethereum, Counterparty and others. More projects will come. 

Many of these projects are open source. Many of them celebrate their informality. Legal formalities were scarce when Satoshi Nakamoto launched Bitcoin.

Buterin recommends that the folks working in their different projects (he calls them “silos”) make their projects inter-operate, all for the greater good. Particular projects may come to specialize in offering browsers, blockchain services or decentralized applications (DApps) that can help other projects.

Generic Legal Terms

For such projects, here (tentatively) are legal terms to publish conspicuously to stakeholders.

Project Terms

1. This Project is built and used by a community of people from all over the world. 

2. The Project includes the data, work, ideas, protocols, software, processes and documentation that are contributed to it. Original contributions to the Project are open source and public domain forever. 

3. The Project is offered “as-is.” The Project, its contributors, leaders, promoters and users disclaim all liability and all warranties, whether express or implied. There is no assurance that the Project will be accurate or error free, will achieve any particular result or will comply with any particular law or property right. You use, rely on or contribute to the Project at your own risk.

4. The Project may discontinue or change at any time.  

5. If any portion of these Terms is held to be invalid or unenforceable, the remaining portions remain in full force and effect.

Analysis of the Terms

The foregoing is a generic form. It is short so that it is more likely to be read. It strives to cope with legal risk in furtherance of the project.

It condenses terms for services and terms for software into a single unified statement. For some projects the distinction between services and software makes little sense. In fact there may be no “service” per se. The project assembles software so that a freeform community of miners (workers or voters) can use it in a process to achieve a result, such as a consensus vote on what time it is or the execution of a transaction.

Yet, the project may be more than just software, which is the subject of a traditional open-source license.

Risk Begone!

One goal of these Terms is to reduce the potential (theoretical) liability of some project stakeholders to other stakeholders. Some malcontents may claim that others promised they'd get rich but the riches never materialized. The malcontents might try to sue in a court, or just complain in public.

The Terms above aim to curb the risk of liability on the part of any party. But they do not eliminate the risk.

Property Ownership Might Be Disputed.

A second goal is to reduce the possibility of unexpected claims of ownership to something. But it does not eliminate the possibility.

The terms say, “Original contributions to the Project are open source and public domain forever.” That sentence does not guarantee that no one can claim ownership to something, such as ideas or code. It applies only to “original” contributions. So if Jane contributes proprietary code that was stolen from Phil, then that code would not be an original contribution. Phil might still claim ownership. 

Further, Nick might muddy the topic of ownership (of the code he contributes) by widely declaring: “The ‘open source and public domain’ terms of the Project do not apply to the code that I contribute. The code that I contribute is copyrighted and patented by me.” Nick's unruly declaration raises unsettling issues over how legal terms are negotiated in an online community.

Your Project May Need Something Different.

The generic Project Terms above are not customized for the needs of any particular project. Some projects will be wise to have different or additional terms. For example:
  • Certain terms that are specific to software, and other terms that are specific to services.
  • Reference to a particular license or terms, such as (for open-source software) the GNU General Public License.
  • Notice that the project uses technology such as a particular algorithm under a specified license.
  • More formality and detail to confirm that all contributions to the project and its software are open source and free.
  • Explicit limitation of liability to a certain amount. The Mozilla Public License (MPL) referenced below limits liability to $500.
  • Choice of law. The MPL chooses California law.

The Project Terms above are obviously for a free, open-source project. A proprietary project or a project that is charging fees may need different or additional terms. Appropriate terms might look like a license that commonly comes with proprietary software or a service agreement for paid services.

Disclaimer and Caution

Notice: This blog post is just public discussion. It is not legal advice for any particular situation, and I am not your lawyer. If you need legal advice, you should retain a lawyer.

Legal notice modifies risk because it warns people before they take action that could cause them injury.

I am skeptical that the Project Terms above would protect someone such as a project leader who is intentionally deceiving people.

I consider the Project Terms I publish above to be in the public domain. You may use them any way you wish. But you are responsible, not me.

Feedback Invited

What do you think? I welcome discussion and feedback. I may revise the Terms above, so check back from time to time.

Footnote: The Project Terms published above are inspired by these things connected with Mozilla Firefox:

  • “About Your Rights,” accessible through Firefox address bar at “about:rights”
  • “Mozilla Firefox Web-Based Information Services,” accessible through Firefox address bar at “about:rights#webservices”
  • Mozilla Public License, Version 2.0