Smart Blockchain Contract Law

Many propose to use block-chain technology to make “smart contracts.” Examples include:

  • Blockstream, which proposes to run contracts off of “sidechains” to the Bitcoin blockchain;
  • Ethereum, which is a decentralized publishing platform for powering contracts; 
  • OpenBazaar, which proposes to be a decentralized market for using Bitcoin to make purchases

Bitcoin Succeeds.


These proposals are early in their development. They build on the pioneering success of Bitcoin.

Bitcoin is truly remarkable. It is the first distributed ledger to operate usefully and perpetually, independent of any central institution or sponsor. See my discussion of a distributed public ledger.

Proposals for smart contracts seek to launch distributed ledgers to execute transactions that are more complex than Bitcoin; Bitcoin  just keeps debits and credits of “coins.”

“I Hereby Bequeath My Bitcoin to My Kids.”


Here is an example of a complex smart transaction, as explained by Stephan Tual, CCO of Ethereum:  Stephan says he holds digital assets like bitcoin. He imagines setting up a commitment under Ethereum for distributing his assets upon his death. To govern that commitment, he imagines these rules as his digital last will and testament:


  1. If Stephan does not appear on the Internet for three consecutive months, then
  2. His assets will be transferred to accounts belonging to his two designated heirs.
  3. The issue whether Stephan has failed to appear on the Internet for three months would be resolved by a vote among “miners” that maintain the Ethereum blockchain.
(A premise behind Stephan's will is that if he does not appear on the net for three months, then he "must be dead.")

Transaction Executes Automatically.


In theory a smart transaction -- in this case Stephan's last will and testament -- will execute automatically, without involvement of a court or government or central authority, just as a transfer of bitcoin executes today. I analyze Stephan's smart will below. But first, let me provide some background . . .

Smart transactions – smart contracts – might govern myriad different deals, such as escrows, stock sales, credit default swaps, last wills and testaments, and corporate governance through shareholders.

Some envision smart contracts without the need for lawyers.

The concept is admirable. As an e-commerce lawyer, I am eager to see it in action.

But I am skeptical that smart contracts and smart transactions can exist in a pristine universe, separate from traditional law, traditional legal analysis and traditional legal draftsmanship.

Law Does Apply to Blockchains.


An old saw holds that “law abhors a vacuum.” What that means is that law applies wherever it needs to apply. People cannot get away from law. They cannot declare themselves, their computers, their data, their assets, their transactions, their communications, or their blockchains as free from law (though they may influence which law applies and how it applies).

Accordingly, you can control some bitcoin, subject to the Bitcoin blockchain. And the Bitcoin blockchain operates without direction from government authority. But that does not mean law has no impact on your control of your bitcoin. So – for instance – if you got your bitcoin by running the illegal Silk Road market, then law can take your bitcoin from you and cause it to be sold, with the proceeds going to the government. Reference the experience of criminal suspect Ross Ulbricht.

Legal Talent Needed.


Let’s go back to Stephan Tual’s last-will-and-testament example above. Experience has proven that writing, interpreting and executing a will can be tricky, just as writing, interpreting and executing a contract can be tricky.

Any person can write a legally-binding will or contract. You don’t have to be a lawyer to write these documents, whether you write them on paper, in software code or on stone tablets.

However, my experience is that some people are more skilled at writing such documents than others. Some lawyers are more skilled at it than other lawyers.

Legal training, legal analysis, and experience in the practice of law can all be helpful in composing wills, contracts and similar documents so that they achieve the desired outcomes. When you want to write a contract for the sale of widgets, you are not required to retain a lawyer to do the writing. You can do it yourself. However, you may get a better outcome if you do hire a lawyer who is qualified and talented at writing sales-of-widgets contracts.

How to Avoid Misunderstanding


Poorly conceived terms in a will or contract can be misinterpreted. They can be ambiguous. Or they can fail to anticipate contingencies that thwart the real intent of the document.

Here are examples of misinterpretations, contingencies or issues that might apply to Stephan Tual’s last-will-and-testament:


  • What happens if Stephan has not “appeared on the Internet for three months” because he is sick? He is still alive, and he may still need his digital assets. Why must they now go to his heirs?
  • What if Stephan has died, but someone has stolen his credentials and falsely appears on the Internet as him? (In this scenario, one can imagine a court stepping in and forcing the transfer of Stephan’s assets to his heirs, even though -- according to the evidence conveniently available to the Ethereum miners -- he still “appears” on the Internet.)
  • What if 17.5 years from now the “Internet” is replaced by something so strange and so unanticipated that the “miners” cannot interpret what it means to “not appear on the Internet for three months”?
  • What if someone tricked Stephan into approving an Ethereum last-will-and-testament that he did not understand or intend?
  • Might there be ways to structure Stephan’s last-will-and-testament so as to reduce the tax liability incurred by his heirs?
  • Think of the overhead cost of “miners” constantly monitoring the Internet, indefinitely, to evaluate and vote on whether Stephan has appeared somewhere over the past three months. Is it practical to expect that this overhead can be sustained for the next 40 years of Stephan’s life?
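
The first two contingencies above can be seen by modelling the will's three rules directly. The following is an added illustration, not code from Ethereum or from Stephan Tual. It assumes "three months" means 90 days and reduces the miners' vote to a check that an appearance is signed with Stephan's credential (an HMAC key here); every name, key and amount is hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta

TIMEOUT = timedelta(days=90)      # assumption: "three consecutive months"
KEY = b"constructed-demo-key"     # constructed sample credential
HEIRS = ("heir-A", "heir-B")      # hypothetical heir accounts
START = datetime(2024, 1, 1)      # constructed start date


def sign(key: bytes, when: datetime) -> bytes:
    """Proof of appearance: a MAC over the timestamp under the credential."""
    return hmac.new(key, when.isoformat().encode(), hashlib.sha256).digest()


@dataclass
class SmartWill:
    owner_key: bytes
    heirs: tuple
    balance: int
    last_seen: datetime
    executed: bool = False
    payouts: dict = field(default_factory=dict)

    def check_in(self, when: datetime, tag: bytes) -> bool:
        """Record an appearance. The code sees only the credential,
        never the person holding it."""
        if self.executed:
            return False              # transfer already happened
        if not hmac.compare_digest(sign(self.owner_key, when), tag):
            return False              # wrong credential
        self.last_seen = max(self.last_seen, when)
        return True

    def settle(self, now: datetime) -> bool:
        """Rules 1 and 2: after the timeout, split the assets among the
        heirs. There is no appeal and no undo."""
        if self.executed or now - self.last_seen < TIMEOUT:
            return False
        share, rem = divmod(self.balance, len(self.heirs))
        for i, heir in enumerate(self.heirs):
            self.payouts[heir] = share + (1 if i < rem else 0)
        self.balance = 0
        self.executed = True
        return True


def scenario_sick_owner():
    """Owner is alive but offline for 100 days (e.g. in hospital)."""
    will = SmartWill(KEY, HEIRS, 1000, START)
    day10 = START + timedelta(days=10)
    will.check_in(day10, sign(KEY, day10))
    paid = will.settle(START + timedelta(days=110))   # 100 days of silence
    day120 = START + timedelta(days=120)
    recovered = will.check_in(day120, sign(KEY, day120))  # too late
    return paid, recovered, will.payouts


def scenario_stolen_credential():
    """Owner died at START; someone holding the key appears every 30 days."""
    will = SmartWill(KEY, HEIRS, 1000, START)
    for d in range(30, 361, 30):
        when = START + timedelta(days=d)
        will.check_in(when, sign(KEY, when))
    paid = will.settle(START + timedelta(days=365))
    return paid, will.balance


if __name__ == "__main__":
    print("sick owner:", scenario_sick_owner())
    print("stolen credential:", scenario_stolen_credential())
```

In the first scenario the heirs are paid while the owner is still alive; in the second they are never paid. The code executes its literal terms in both cases, which is why the drafting of those terms matters.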

Intended Terms Can Be Coded Into the Will or Contract.


A skilled lawyer – or other professional such as an accountant – could help Stephan understand these problems and address them. They might be addressed variously by way of
  • the coding behind his “smart will,”
  • the publication of special words/terms connected with his will,
  • the adoption of measures that address risk (e.g., the division of Stephan’s assets into multiple accounts, corporations or trusts), or
  • recommending that Stephan manage his assets in a completely different way.


All those things are the stock in trade of the traditional practice of law or accounting.


To Be Effective, Contract Practice Must Keep Up with Technology.


In a “smart transaction” environment, traditional legal analysis and legal draftsmanship will encounter new twists. The same happened when we moved from old-fashioned paper contracts to modern electronic contracts. For instance, the “battle of the forms” – under which contract terms and conditions are negotiated – can unfold differently over the Internet compared to how they unfold when people exchange paper documents via snail mail.

Therefore lawyers will need to acquire new skills to help clients compose and evaluate contracts for the smart, blockchain universe.

By: Benjamin Wright, Author, The Law of Electronic Commerce

How to Cope with Block Chain Legal Liability

Some institutions may hesitate to participate with a blockchain until they get assurance on potential liability.

Bitcoin Is Just One Example of an Explosive Idea.


Bitcoin’s blockchain is a specific example of a greater idea. It is a distributed ledger. A distributed ledger is a powerful innovation for accounting.
It replaces the traditional centralized ledger for keeping track of trades and ownership of assets, such as money, stocks, barter, commodities and more.

The centralized ledger requires a central authority like a bank to keep track of debits, credits or other matters of account.

In contrast, a distributed ledger manages debits and credits by community action. In Bitcoin, the members of this community, this “crowd,” are called miners. They perform calculations and confirm transactions publicly, such that all the participants can observe what is happening and verify accuracy.

The distributed system does not rely on a central authority, who can be corrupted.

Bitcoin’s blockchain is the first really successful application of a distributed ledger. But visionaries see much more for the future.

A Better Way to Administer Trust


In effect a distributed ledger is a method for managing trust among entities without requiring the entities constantly to check back with headquarters (the central authority) to confirm that an entity or party is entitled to a measure of trust. Checking back with headquarters for every transaction is inefficient.

Checking with the crowd that maintains the block chain (the miners) can be more efficient.

What is even more important is this: to corrupt a large crowd of miners is harder than to corrupt a central authority.

An Open Ledger Manages Trust.


Therefore IBM is exploring use of block chain to manage trust in the Internet of Things, where a multitude of devices (like your smart watch and your home thermostat) share data and responsibility with one another.

An example Internet-of-Things transaction might be the decision for a thermostat to trust an instruction from a certain smart watch to increase temperature by three degrees at 2:03 p.m. The confirmation of transactions might be distributed across a large and constantly evolving multitude of devices (a crowd). No single device is trusted too much. But the system can function if most of the devices are trustworthy most of the time.

Confirmation of any unit of trust [see footnote] comes from multiple miners in the crowd, but not necessarily all the miners.

Potential Liability for Errors or Omissions


Bitcoin’s block chain runs on open source software. Many people have contributed to its development and updating.

[Video above depicts action on Bitcoin's block chain through bitcointicker.co; video saluted by @BTCticker.]

Many distributed ledger projects will involve the collaborative efforts of many parties.

However, some institutions (like a large nonprofit foundation) will be concerned about the potential liability that comes from associating themselves with a block chain project. Their contribution might look like an endorsement or an acceptance of responsibility.

Block chains will not always work as expected. For instance, Bitcoin as originally designed has proven vulnerable to attack in that hackers can steal bitcoin from an individual trader if they can compromise the credentials for a trader’s single signature. For that reason Bitcoin is evolving to multiple-signature credentials.

In the future, as a new blockchain is created, an institution that supports it would not want to be a “deep pocket” target for a lawsuit from someone who claims the block chain’s poor design caused damage. (Example case: member banks settle liability for actions of electronic mortgage clearinghouse.)

Warn Users of Risk.


For this reason institutions are wise to insist that the block chains they support come with disclaimers and/or terms of use. These types of statements can explain and disclaim risk.

For instance, something like the following statement might be published widely in connection with a block chain that manages ownership among stockholders of a corporation:

This block chain is offered "as-is" with no assurance of reliability. Use at your own risk. 

The statement might go on to explain with some detail the kinds of risks that are present, such as flaws in software or a future decrease in miner incentive to work.

A disclaimer is not a perfect shield from legal liability. It probably does not protect an institution from liability if the institution knowingly engaged in fraud. But a well-crafted disclaimer can dramatically reduce the risk of liability.

Example Disclaimers


Here are three examples of institutions insisting on the publication of disclaimers relative to their contributions to community projects.

  1. The payment card community works together to publish the Payment Card Industry Data Security Standard. The PCIDSS sets standards for securing credit card data. However, it is possible that a merchant who follows PCIDSS will still suffer a data breach. The institutions that participate in the PCI community and promote the PCIDSS desire no liability for a shortcoming in the standard. Their solution is to require anyone downloading a copy of the standard to agree to a contract that disclaims liability and places risk with the user merchant.
  2. The American Medical Association works with the National Supplier Clearinghouse to facilitate communications of Medicare claims by healthcare providers. However, the methods and technology of the Clearinghouse may not give a healthcare provider the desired outcome. AMA wants no liability. Therefore access to the Clearinghouse website requires the user to click on terms that disclaim liability by AMA.
  3. Ethereum.org publishes this statement regarding the initial sale of "Ether": 
Ether is a product, NOT a security or investment offering. Ether is simply a token useful for paying transaction fees or building or purchasing decentralized application services on the Ethereum platform; it does not give you voting rights over anything, and we make no guarantees of its future value.

What Stands in the Place of Legal Liability?


The user of a block chain that comes with a disclaimer might ask how he can get assurance if legal liability has been disclaimed. The answer is that the user can rely on “collective intelligence.” The user can observe the collective behavior of the community using the block chain to understand the risk associated with it. If a large and smart community is using the block chain in a transparent way, then the user can sense a measure of assurance, though he knows he probably cannot use the legal system to enforce that assurance.

Cyber Insurance Distributes Risk.


Another way to manage risk is to acquire insurance. Some block chains may require participants to pay a fee, part of which could go to the purchase of cyber insurance to cover the participants for risk of loss.

Alternatively the terms of a block chain might require that each participant purchase certain insurance for itself and absolve all other participants of liability.

Hold Harmless Clause Assigns Risk and Incentives.


The absolution of liability might be worded different ways, depending on the needs and culture of the community. For instance, an absolution of liability might include:

  1. An indemnification clause in which each participant holds each other participant harmless from any claims based on the first participant’s reliance.
  2. A caveat that the absolution of liability does not apply to intentional fraud, which is proven beyond a reasonable doubt. Such a caveat sets up a high standard of evidence that a participant must meet in order to collect from others on account of their misdeeds.


By: Benjamin Wright

==

Footnote: The “unit of trust” might measure any number of things. In Bitcoin it measures a debit or credit of bitcoin. But the unit of trust could measure ownership of land or commodities. It could even measure community perception on whether an entity or individual professional is in compliance with law, ethical principles or industry standards.

Related: Recording Bitcoin Legal Evidence

Bitcoin Services Agreement | What Terms Should a Customer Demand?

Many wallets and platforms like Coinbase provide services to Bitcoin and other cryptocurrency customers. Typically a service provider requires customers to agree to the provider’s standard terms of service. And typically individual and small business customers lack leverage to negotiate these terms.

However, some customers do have leverage. Customers may have leverage because they bring a large volume of business to the provider, or they have teamed up with other customers to negotiate as a group. Alternatively they possess the patience to shop among service providers to find the most favorable legal terms.

What Terms Protect the Customer’s Interest?

The following are some (not all) of the terms that customers may desire but that are not commonly offered to small customers:

1. A Clear Statement of What Services Are Being Provided to the Customer


Technology services providers are known for being vague about what services they are providing the customer. Some Bitcoin service providers are equally vague. For example Coinbase’s standard User Agreement says, “Coinbase securely stores 100% of all bitcoin associated with your Coinbase Account in a combination of online and offline storage.” However, the agreement itself does not define “storage.”
It may be that here “storage” means Coinbase is managing the credentials that control the credit of bitcoin to the address pertaining to customer in the Bitcoin blockchain. But Coinbase’s Agreement does not say that. Further, it does not say the customer is entitled to those credentials and any value associated with them. It does not say that the Blockchain address belongs to customer.

What does the User Agreement say that the customer is entitled to? The User Agreement does little more than imply that all the customer is entitled to is (at most) “FEES PAID TO COINBASE BY YOU IN THE PRECEDING THREE (3) MONTHS.” See Section 9.1. That’s it.

Coinbase’s User Agreement seems to say nothing about the customer being able to obtain the customer’s blockchain credentials or the blockchain credit pertaining to the customer. Maybe that is because the customer is not entitled to those things. But if that is the case, I’ll bet many customers would be surprised. The customer may think he has 10 bitcoin, but in fact all he has is the right to obtain from Coinbase a return of the past three months of fees (at most). Those fees could be worth much less than 10 bitcoin.

2. Effort to Overcome Force Majeure


Service providers often insist on a “Force Majeure” clause in their agreements. And that may be fair as far as the customer is concerned.
“Force Majeure” means superior force. Typically a Force Majeure clause says the service provider is excused from performing services in the face of a superior force such as war, natural disaster and the like.

However, the customer prefers that the Force Majeure clause not allow the provider simply to close shop in the event of adversity. For example if the customer is a merchant, and the service provider ceases operation on account of an earthquake, then the customer is in a lurch. So the customer wishes for the provider to work to overcome the adversity.

The customer might insist that the agreement provide:
  • the service provider will promptly notify the customer of the force majeure event and then regularly update the customer about the status of the event; and
  • the service provider will use commercially-reasonable efforts to overcome the event. (In other words the provider will take reasonable disaster recovery measures and will strive to return to normal service quickly.)

3. Response to Subpoena or Court Order for Information

The service provider holds sensitive information about the customer. That information might include address data, transaction history, blockchain credentials, investment details and more. The information might be relevant to divorce, tax collection, private lawsuits, bill collection, child support obligations and many other disputes.

Adversaries to the customer might try any number of legal means to get the information from service provider. They might try a civil subpoena, a tax summons, a police raid or a grand jury subpoena. An official order demanding information might issue from most any legal jurisdiction in the world (e.g., Uganda or Canada), regardless of the geographic location of the customer or the service provider.

The legal validity of a subpoena or other demand for information can be open to dispute. It is possible that an adversary would issue a subpoena that is unjustified or overly-broad. What is worse, sometimes Internet service providers (especially smaller ones that lack a large legal staff) can be overly generous in responding to a subpoena and turn over more information than is required. (See Theofel vs. Farey-Jones, 341 F.3d 978, 981 (9th Cir. 2003), in which an ISP disclosed too much of a business customer’s email to the customer’s lawsuit opponent.)

Accordingly, a customer desires terms like these: If someone makes a legal demand for records about the customer, then . . .


  • service provider will promptly give a copy of the demand to the customer. (Under rare circumstances the service provider is forbidden by law from informing the customer that US law enforcement is seeking information about the customer.)
  • service provider will wait to comply with the demand until the applicable deadline. Often a subpoena will give the service provider, say, two weeks to comply. If the service provider waits to the end of the two weeks, that gives the customer time to study the subpoena and react to it. The customer might for instance believe the subpoena is invalid or overly-broad; so the customer might appeal to a court to “quash” the subpoena or reduce its scope. (See details about quashing a subpoena in a US court.)


Similarly customer desires that service provider enter a non-disclosure agreement (“NDA”). Under common NDA terms the service provider would not disclose or use customer records without permission (except as required by law). The customer does not want the service provider to give customer’s information to customer’s competitors. Neither does the customer want service provider itself to use customer’s trading data to compete with customer.

4. Cooperation with Audits, Investigations or Requests for Information


Just as a customer is reluctant to let adversaries access the customer’s information held by the service provider, the customer desires assurance that the customer itself can access its own information and details about how transactions are processed.

A customer desires an agreement that under no circumstances will service provider:


  • place a lien on customer’s data [A lien is a legal measure that impairs a person's freedom to sell or transfer its property, such as its data.]; or
  • deny customer access to his/her data.


Sometimes technology service providers take the position that in a dispute with the customer, the provider can withhold data or deny service. For example the vendor of a cloud-based electronic patient record recently denied a medical practice in Maine access to its own patient records!

But from the perspective of the customer, the service provider holds unfair advantage if it can hold data hostage in the event of a dispute. The customer argues that if there is a dispute the service provider should not hold data hostage; instead, service provider can sue the customer and enforce the results of the lawsuit through normal legal procedures.

The customer may have both a commercial need and an ethical need to access its records. What would be an example of an “ethical” need for records? Suppose the customer was a law firm. The law firm might be controlling bitcoin on behalf of a client in settlement of a dispute. The law firm is obligated under its professional code of ethics to ensure it has access to the relevant records.

What’s more the customer may need assurance that the customer’s auditors can confirm and understand transactions. Relevant auditors might include financial auditors, tax auditors and security/internal control auditors. Hence the customer might insist that the service provider:


  • maintain adequate documentation about how its system works; and
  • cooperate with customer’s auditors.


For its part, service provider might insist that it be compensated if its staff must spend time responding to audit requests.

In regards to the security/internal control auditors looking out for the interests of customers: the service provider may find it is impractical to respond to all customer audit requests one-by-one. Therefore the service provider might itself hire a single auditor to conduct an audit for the benefit of all of its customers under a standard like Statement on Standards for Attestation Engagements (SSAE) No. 16 published by the American Institute of Certified Public Accountants (AICPA).

These Ideas Apply Beyond Cryptocurrencies.

The foregoing terms are not unique to Bitcoin. They might serve the needs of customers of many kinds of technology and e-commerce services.

If I’ve made any mistakes, please let me know so I can correct myself.

By: Benjamin Wright

[The foregoing is not legal advice for any particular situation. If you need legal advice, you should retain and consult a lawyer.]




How to Write, Interpret, Enforce a Contract for Bitcoin

Stated Terms and Conditions Influence Legal Result.

Suppose John offers to sell a valuable widget to Betty in exchange for Betty agreeing to “pay 5 bitcoin” and Betty accepts the offer. They agree by recorded audio:

 [In regards to audio contract, see footnote below.]

Then suppose John delivers the widget to Betty, but Betty fails to deliver the bitcoin.

What are John’s legal rights?

Mutual Consideration Supports Contract.


Under US law it appears John and Betty have formed a legally enforceable contract. The parties made mutual promises for valuable consideration. The widget is valuable, and the bitcoin is valuable under current market conditions.

But the novelty of Bitcoin could make the precise outcome of a lawsuit by John against Betty hard to predict.

The “Money” that Is Not Money.


Although some people use the word “currency” to describe the phenomenon popularly known as Bitcoin, Bitcoin might not actually be a “currency.”  Unlike dollars, it has not been deemed in US law as legal tender that can be used to extinguish a debt.

Further, the Internal Revenue Service views bitcoin as property – which is subject to capital gains taxes – rather than currency -- which normally is not subject to capital gains taxes.

What Are the Remedies for Breach of a Virtual Money Contract?


So if John sues Betty for breach of contract, it seems he could succeed in showing he is the victim of a breach and he is entitled to remedy under contract law.

But it could take some effort for a court to understand the contract.

Bitcoin is a specific example of a general idea. The general idea is trading by way of a distributed cryptographic ledger. In Bitcoin the distributed ledger is called the "block chain."

If a distributed ledger is competently designed and implemented, it inherently follows the rules programmed into its software. As people use the software, they adopt "customs" of trade that can be understood without a lot of explanation by contract for each trade. For example, by Bitcoin custom the term "to pay" five bitcoin arguably means to modify the block chain to indicate as follows:

1. debit five bitcoin from the payer's address identified in the block chain; and

2. credit five bitcoin to the payee’s address identified in the block chain.

Industry Custom May Resolve Some Ambiguity.


Thus, John and Betty’s contract says she will “pay” 5 bitcoin to John. The custom around Bitcoin suggests that Betty is required to interact with the block chain to debit 5 bitcoin relative to her address and credit 5 relative to his address.

However, bitcoin and similar technology are evolving so quickly that clear custom may not have had time to coalesce. A full review of the interaction with block chain around the world may show confusion or ambiguity about what is customary and what is not customary. (See story about a failed Bitcoin transaction.)

In contract practice, if there might be confusion about custom, the draftsman of the contract can employ words to reduce the confusion. He might for instance write out a long statement of steps that Betty will follow to cause and confirm a 5 bitcoin credit to appear relative to John’s address.

Alternatively, he might refer to an authoritative statement of Bitcoin custom. He might say in the contract, “This contract will be interpreted under Bitcoin custom as articulated in https://en.bitcoin.it/wiki/Main_Page ." That sentence might resolve many questions about custom, but probably not all questions.

What Should Happen in a Court of Law?


However, neither block chain software nor Bitcoin custom explains what should happen in a court of law if a party fails to execute a trade (e.g., Betty fails to “pay” the five bitcoin).

The software and the custom fail to explain what the consequences should be if Betty does not control the agreed amount of bitcoin at the time in question. Is she required to purchase five bitcoin and then transfer it to John?

Or can she satisfy her obligation by delivering to John a quantity of pork bellies (a valuable commodity) equal in value to five bitcoin? That particular outcome does not seem right because we have no evidence that John is easily able to accept pork bellies.

What Should Be the Remedy for Breach of Contract?


If a court forced Betty to render to John 5 bitcoin using the block chain process, that outcome could be called “specific performance” under contract law. Specific performance means Betty must literally do what the contract says.  But commonly US courts disfavor specific performance.

Specific performance requires the court to understand what is going on.

In order for a court clearly to understand specific performance in Bitcoin, the court might need to digest quite a bit of testimony from experts. The experts would have to explain to the court how the block chain works and so on. That would be a lot of work for the court.

Courts Prefer Money Judgment Rather Than Specific Performance.


Instead, a court is likely to prefer to give to John a “judgment” for an amount of legal-tender-money equal to the value that Betty failed to deliver to John. A judgment is a ruling that enables John to take legal action relative to Betty and her property.

This judgment is the contract law remedy for Betty's breach of contract; it is an official statement that Betty owes a debt to John.

This kind of remedy is called a “money judgment.” A money judgment is easier for a US court to understand and oversee.

In the US legal system, money judgments are rendered and enforced all the time. Our system has managed money judgments for centuries.

In contrast, to require Betty specifically to execute some performance relative to the so-called “block chain” would be – for a court – a new and complex exercise.

Money Judgment Means Greenback Dollars.


Typically, in a US court, the amount of money in a judgment would be stated in US dollars. If John does obtain a court judgment, he can use regular  court procedures to enforce the judgment. Enforcement can include an array of actions by John, including placing and foreclosing a lien on Betty’s property, like

  • her house, 
  • her car, 
  • her bank account which is denominated in dollars or euros, 
  • her pork bellies, 
  • her intellectual property such as a patent, . . . or 
  • (theoretically) her bitcoin.

But typically the calculation of satisfaction of the judgment would be made in dollars.

For example, if John’s judgment is in the amount of $2500, then the value of his lien on Betty’s house would be up to $2500. When Betty sells her house, John would be entitled to $2500 of the proceeds.

Typically Betty could satisfy the judgment by paying John the requisite number of dollars.

But What If John Wants Specific Performance?


Let’s say John is really serious, at the outset of the contract, about wanting 5 bitcoin, rather than dollars. He could write the contract to state in detail something like the following:

(A) Betty represents that she controls a Bitcoin address with at least 5 bitcoin of credit.

(B) Betty will execute specific steps to credit 5 bitcoin to the Bitcoin address identified by John.

(C) If Betty fails to follow the steps, then John “will suffer irreparable harm and significant injury the degree of which may be difficult to ascertain.”

(D) John is entitled to an order from court requiring Betty specifically to execute the steps articulated under (B) above.

Written Contract Details Add Certainty.


The contract as stated in the audio above leaves open to interpretation questions like:

  • when Betty must pay the bitcoin;
  • whether interest will accumulate if Betty fails to pay on time;
  • which jurisdiction’s law governs the transaction (e.g., Texas . . . or Alberta);
  • whether the party enforcing the contract in court receives compensation for the cost of enforcement, such as attorneys’ fees;
  • how the widget will be tendered or delivered.


Details like these can be specified in a well-written contract, and can help John with his enforcement.

Analysis of Example Agreement


Let’s look at a well-known contract that refers to Bitcoin practice, Coinbase’s User Agreement. Coinbase is a well-known Bitcoin wallet and platform.

Section 2.4 of the agreement says,  “Coinbase securely stores 100% of all bitcoin associated with your Coinbase Account in a combination of online and offline storage.”

What does that sentence mean? The words “store” and “storage” are metaphors for complex, and possibly ambiguous ideas. They mean something other than simply:

(a) keeping physical objects in a three dimensional place (e.g., keeping in a box a sheet of paper bearing the words “one bitcoin”); or

(b) the retention of specific data that expresses bitcoin (Example: It’s not like storing the content of a distinct Excel spreadsheet – which says, “Ben has 6 bitcoin” -- on a hard drive.)

If a customer wanted to reduce the ambiguity of those words “store” and “storage,” then the customer could insist that the agreement provide much more detail. Alternatively the customer might insist that the agreement say that terms like “store” and “storage” will be interpreted under Bitcoin custom as articulated at a place like https://en.bitcoin.it/wiki/Main_Page .

So a general message to readers is that a contract for bitcoin can be written with details that help to reduce risk and misunderstanding. A talented draftsman uses judgment to know how much detail is enough and how much is too much.

This is an intriguing topic, and I’d like to talk about it. Please comment. If I’ve made any mistakes, please let me know.

By: Benjamin Wright


*Footnote: Under the Statute of Frauds, this contract might need to be evidenced by a “signed writing” to be enforceable. An audio recording can constitute a “signed writing.” Ellis Canning v. Bernstein, 348 F. Supp. 1212 (D. Colo. 1972).

How to Talk Publicly about Data Security Breach

Major data security breaches are becoming more common. Among the many that have unfolded in 2014 are Target stores and Community Health Systems (the second-largest for-profit U.S. hospital chain).

Now Home Depot, another major retailer, is in the throes of a substantial payment card breach, apparently involving both credit cards and debit cards.

Home Depot is making some limited public statements. The Home Depot story is only beginning.
Press Releases Matter
Home Depot’s public communications will influence the final outcome of this data breach in terms of law, reputation and customer relations.

I teach a technology law course at the SANS Institute. A key topic is how to communicate publicly about information security, including data breaches and other infosec incidents. In that course students and I review the (in)famous TJX breach (2007). We compare the experience at TJX with the lessons from Target and Sony Playstation Network (2011 breach).

Now, early September 2014, Home Depot’s crisis is playing out. So . . . as of the live delivery of the SANS course October 2014, we will also compare Home Depot’s public and legal response.

The title of the course I teach is Law of Data Security and Investigations. The course is unique in the world.

The goal of the course is to equip professionals with the skill and knowledge necessary to respond to future events in computer security and investigations.

By: Attorney Benjamin Wright

How to Record Evidence from a Mobile Device

Dual-camera video recording on a smart phone can be very handy for a professional investigator such as a financial auditor or a forensics expert.

(Image caption: Video Affidavit)

The video below demonstrates how an investigator can use a dual-camera video (on a smartphone) to record evidence displayed on a second mobile device. In this case the second mobile device is an e-ink reader.

The video evidence shows how the e-ink reader works as it renders data from the cloud. The “data from the cloud” in this case is just the content from one of my web sites. The e-ink reader features an odd web browser; it blinks as the user scrolls. The point of the demonstration is that the video records exactly:

  1. how the e-ink reader worked (or didn't work) at the time of investigation; and
  2. what information rendered from "the cloud" on the e-ink reader's browser client.




This video is the latest in a series of videos and blog posts I publish to demonstrate how to capture and preserve legal and audit evidence from social media or the Internet of Things.

A Legal Affidavit Confirms Validity by Placing Investigator's Professional Reputation on the Line.


My publications showcase the idea that evidence is more legally useful if it is formally “signed” in realtime by the investigator via webcam or microphone. The realtime signature by the investigator makes the whole record a kind of affidavit. The affidavit could be powerful in court years later when the investigator might not be available to testify about what he witnessed at the time of investigation.

The realtime signature of a record by an ethical and responsible investigator lends credibility and authenticity to the record.

What’s new about this video is that it uses the dual-camera recording capability of an advanced Android phone. The phone I used was an HTC One M8.

Investigator Records His Face, Lips and Voice.


In the video above, the investigator appears in the small window at the top. As the investigator uses the back-facing camera to record what appears on the e-reader, he records himself with the front-facing camera. The recording of the investigator himself serves two purposes:

1. It narrates the evidence. It explains to the future viewer, such as a jury, what is happening as he manipulates the evidence source -- that is, the browser app on the e-ink reader.

2. It authenticates the whole compilation of video evidence. The investigator says, "I hereby sign and affirm this video . . . ". That is a legal signature, binding on the investigator. It is probative to a viewer such as a court who tries to evaluate the credibility of the video as evidence later.

Video of Forensic Examiner Reveals Too Much?

Some professional investigators are hesitant to create video of themselves or the labs in which they collect and assess evidence. They worry they may inadvertently capture a record of their identity, behavior or surroundings that might be misused by an adversary, such as a defense attorney who cross examines an investigator in a criminal trial and tries to discredit the investigator's work or the investigator's ethics.

For example, a video might inadvertently show a can of soda in the lab; food and drink are often forbidden by policy in a forensics lab because they can contaminate evidence. The appearance of the can could raise questions about the competence of the investigator's lab and the ethics of an investigator who has testified that she adheres to high standards of quality.

(Image caption: Unexpected evidence of policy violation in forensics lab!)

If the investigator is concerned that video of his/her face reveals too much, then the investigator might record only audio of his/her vocal narration of the video of what s/he observes. See an example of that idea: http://legal-beagle.typepad.com/security/2011/10/cops.html

I Publish Many Blog Posts on Video-Recorded Legal and Accounting Evidence.


For more detail on these ideas, including analysis and evaluation of alternative forensic tools, please see:


I am keen to hear your comments.

P.S. Although the video above shows how to capture evidence flashing on a computing device (that is, the e-reader), it could also be applied to the recording of physical objects such as papers or a crime scene. The investigator could use the back-facing camera on her phone to record "the evidence," while simultaneously using the front-facing camera to record her face as she vocally describes and authenticates what she witnesses with her visual, auditory, tactile and olfactory senses.

What is the Legal Definition of a Virtual Currency?

The way we use language affects legal outcomes. Language is causing legal controversy around so-called “Bitcoin” and “virtual currencies.” Let’s assess the language applicable to the phenomenon popularly known as “Bitcoin.”

What Would a New York BitLicense Cover?


The New York Department of Financial Services proposes to license and regulate virtual currency businesses under a program commonly known as “BitLicense.”  Some people welcome this proposal as an advance for Bitcoin. Others denounce it as a threat to privacy and freedom because it requires a virtual currency business to collect much identifying information about customers.


What exactly does the proposed regulation cover? Section 200.2 Definitions includes this first sentence:

“(m) Virtual Currency means any type of digital unit that is used as a medium of exchange or a form of digitally stored value or that is incorporated into payment system technology.”

How to Interpret the Definition “Virtual Currency”?


The quoted sentence of Section 200.2(m) is a definition of cosmic breadth. Let’s parse it.

First, it covers digital stuff. But in 2014 a lot of stuff is “digital.”

Second, it covers a “unit.” But it does not define the word “unit.” The word “unit” is so broad, especially when we are talking about digital stuff, it more or less covers anything. The word “unit” could mean a number, a word, a song or most any other digital expression.

If the word “unit” includes any expression of any idea, then the draft BitLicense (strangely) starts to raise First Amendment freedom-of-speech issues.

Third, Section 200.2(m) is limited to a digital unit . . .

1. that is used as . . .

A. a medium of exchange; or 

B. a form of digitally stored value;

OR 

2. that is incorporated into payment system technology.

Wow. That embraces a lot of territory.

Is an Ordinary Electronic Contract a Virtual Currency?


Let’s consider an example.

Suppose Bob sends a message via Gmail to Sally that says, “I promise to pay $100 for a widget.” And Sally replies, “OK.” That email is (more or less) a legally-enforceable contract.

Under contract law, Sally could then via Gmail assign her rights of contract with Bob to Jack in exchange for a gadget. Further, Jack could hold on to the rights for a while (because they are valuable), storing the emails in Gmail.

Finally, using Gmail, Jack could assign his rights to Maria in exchange for a whats-it.

Thus, arguably, the $100-for-a-widget contract is covered by Section 200.2(m). The contract is – at least arguably – a virtual currency because it is “a digital unit that is used as a medium of exchange or a form of digitally stored value.” It is a set of valuable, stored rights that went digitally from Bob to Sally to Jack to Maria.

Would Google Need a BitLicense?


Furthermore, if Bob, Sally, Jack or Maria has a New York connection, then the operator of Gmail, i.e., Google, would arguably be engaged in a “Virtual Currency Business Activity” for which Google must have a license. Section 200.2(n) of the draft BitLicense regulation defines “Virtual Currency Business Activity” as “the conduct of any one of the following types of activities . . . : (1) receiving Virtual Currency for transmission or transmitting the same; (2) securing, storing, holding, or maintaining custody or control of Virtual Currency on behalf of others”.

Hmm. So a plain reading of the draft regulation results in Google needing a BitLicense. How strange.

Expansive Language is Common in Cyber Law.


It is not unusual in the Internet age for lawmakers to write laws of such immeasurable scope that they arguably lead to strange interpretations.

The state of Connecticut for instance proclaims: “Any person in possession of personal information of another person shall safeguard the data . . . containing the information from misuse by third parties . . .”  Connecticut goes on to define “personal information” as pretty much any data that could be connected to a particular human. Arguably, “personal information” could include any statement, photo, mouse-click or metadata roughly connected to a person.

But to expect absolutely everyone to protect absolutely every iota of personal information of any other person seems a strange and impractical result. Arguably for example it expects great-grandmother to secure the personal information (photos, names, comments, metadata and so on) about her friends that her computer automatically collects in her browser’s cache as she logs onto Facebook.

Enforcement Limited to the Spirit of the Law?


Now, an advocate for New York’s proposed BitLicense regulation might argue it is not the spirit of the law to regulate the provision of email services like Gmail. The spirit of the law is to regulate some other activity that is hard to define.

Likewise an advocate for Connecticut’s data privacy law might argue it is not the spirit of the law to cover every speck of data in the cache of great-grandmother’s browser.

Other computer laws that use expansive words are interpreted according to their spirit. The federal Computer Fraud and Abuse Act for example hinges on "access" to a computer. In 2014 the expansive word “access” to a computer leaves much room for interpretation. In difficult cases authorities interpreting the word “access” strive to find and apply the spirit behind the CFAA.

However, leaving e-commerce laws -- like the proposed BitLicense regulation -- to be interpreted according to their spirit rather than their actual words is problematic.  Imprecisely-worded e-commerce laws (albeit well-meaning) cause confusion.*[See Footnote]

What is the Legal Definition of “Bitcoin”?


So how do the words of the draft BitLicense regulation apply to Bitcoin (or Dogecoin)?

The phenomenon popularly called “Bitcoin” might be described by lots of words. The phenomenon is new and rapidly evolving. It was not created by government. The phenomenon is not necessarily locked into words like “currency,” “unit,” “medium,” “exchange,” “value,” “transmission” or “storage.” Even though some people use words like that in relation to the phenomenon, that does not mean those words are binding on all people who observe and dance with the phenomenon.

Disclaim the Regulated Concepts?


When law like the draft BitLicense regulation relies on spirit rather than precise words to define the novel technology it is regulating, people have room to define their activity relative to that law.

For instance, people and businesses who observe and converse within the “Bitcoin” phenomenon could declare words like these:

We are engaged in a computing relationship. The relationship is evolving. It has not settled into maturity. We declare that said relationship does not involve any “currency,” “unit,” “medium,” “exchange,” “value,” “transmission” or “storage” as those words are enforceably used by the New York Department of Financial Services. We further declare that our computing relationship . . . our communication . . . disclaims the following words and the spirit behind them: "currency," "unit," "medium," "exchange," "value," "transmission" or "storage" as those words are enforceably used by the New York Department of Financial Services. We compute and communicate in the spirit of free speech, but we don’t engage in the activities regulated by the Department of Financial Services.

No Guarantee


Would a declaration like the foregoing guarantee that law will abstain from enforcing the draft BitLicense regulation against people? No.

However, a declaration like that does no harm.

What’s more, for some people a declaration like that could be constructive, especially given that the draft BitLicense regulation (if adopted) is subject to strange interpretation.

Further, those people would be safer from enforcement if they avoid tricking, deceiving or defrauding anyone.

What do you think?

By: Benjamin Wright

==
Notice: Statements like the above by Benjamin Wright are just public discussion; rely upon them at your own risk. They are not legal advice for any particular situation. If you need legal advice, you should consult a lawyer who has explicitly agreed to provide you advice.

*Footnote: In the mid-1990s Utah adopted legislation to promote cryptographic e-commerce by licensing public-key-infrastructure certification authorities. The legislation was ill-conceived and caused much confusion. Utah eventually repealed the legislation.

Mr. Wright submitted the foregoing as a formal comment to the NYDFS.

Updates

1. More analysis of the definition of "Virtual Currency" under NYDFS's proposed BitLicense regulation.

2. Valid questions raised by the imprecise language in draft BitLicense regulation.

Related: How to interpret a contract for payment by Bitcoin.

How to Prove Bitcoin Evidence

Evidence is fundamental to the use and regulation of cryptocurrencies like Bitcoin. This blog post demonstrates one way to collect and preserve evidence about cryptocurrency transactions, technology and businesses.

Bitcoin evidence might be used as follows:

  • in a court of law to enforce a contract for sale of a product purchased with Bitcoin
  • by a tax authority to calculate tax (The IRS says Bitcoin is property on which capital gains taxes must be paid.)
  • by an accountant to audit the financial condition of a company that owns Bitcoin
  • by a regulator to monitor a Bitcoin exchange (The New York Department of Financial Services proposes to license and regulate virtual currency businesses under a program popularly known as BitLicense.)
  • by a compliance officer at a licensed Bitcoin business to show she checked the function of Bitcoin software at a specified time


Example Evidence in Failed Transaction


Cryptocoinsnews recently reported how evidence was captured and shared regarding a failed purchase of goods paid with Bitcoin. The author says he tried, unsuccessfully, to make a purchase at Tiger Direct, which uses Bitpay to accept Bitcoin payments. In connection with the author’s research of the failed transaction, “BitPay has sent [the author] the screenshot showing the proper amount paid . . .” In other words Bitpay proffered the screenshot that it made as probative evidence of Bitpay's proper performance in the transaction.



A Screencast Video Is Sometimes Better than a Screenshot.


A screenshot is a common form of evidence for online data and transactions. Screenshots are commonly relied upon in court and in financial audits. They are commonly retained as archives of online events, including contracts or statements of account.

But a problem with a screenshot is that it misses the interactivity of software or an online event. It misses audio feedback. If an investigator wants evidence that after he clicks X then Y happens, he can try to make multiple screenshots and explain them in a written report. But compiling multiple screenshots into a detailed written report is awkward and time-consuming.

A screencast video (including audio), on the other hand, can be worth 10,000 words. Here is a screencast video of a hypothetical review by a compliance officer of a web-based Bitcoin wallet. Notice the audio beeps and the brief notices that blink in the upper right-hand corner and then go away; these would be hard to represent with screenshots stitched into a written report.
 
(I use the demo wallet at Blockchain.info, which is described as “Free. Open Source.”)

Video Freezes Evidence at a Point in Time.


Software and other technology change constantly. This video documents precisely what the investigator sees at a particular time. It also records the audio “beeps” he hears, and it shows precisely when he heard them.

Could the investigator forge or manipulate this video record? Yes, just as investigators can forge other evidence like screenshots or old-fashioned paper documents.

The value of the screencast video evidence depends on the reputation of the investigator.

I have previously analyzed video evidence like this.

The credibility of the video could be enhanced if it were created and signed by more than one investigator.

The statement of date and time by the investigator via webcam makes it more difficult for anyone to manipulate the video, especially if date and time are corroborated by an outside source, such as email to which the video is attached or a cloud service to which the video is uploaded.

For instance, the Youtube (i.e., cloud computing) page for the video above shows the video was uploaded July 17, 2014. I (the Youtube subscriber who controls the page) am not able to manipulate that date. Thus, if six months from now I wanted to create a fake video and claim the date was July 17, 2014, I could not use Youtube to corroborate the date for the fake video.

Legal Signature Supports Authenticity.


A crucial aspect of the video is the webcam signature of the investigator at the end. The webcam-recorded words “I Ben Wright hereby sign and affirm this video as my official work,” make clear the investigator is putting his professional reputation on the line. He is going so far as to record his face and moving lips as he speaks the words. He is making a form of legal affidavit.

The signature potentially opens him to legal and professional punishment if he is lying or cheating. (If he is licensed like a certified public accountant, he could lose his license. He could jeopardize his ability to ever get professional employment again in the future.)

This signed video record could even be valuable years later when the investigator is no longer available or willing to vouch for it. His employer (in the hypothetical video the employer is Acme Virtual Currency Brokerage) may need his evidence long after he leaves employment.

Deeper Evidence Might Be Available.

The video above of course records the function of a wallet at the level of user interface. This record may be adequate for many audits and regulatory reviews. But sometimes deeper evidence may be necessary. Records of logs, ledgers, journals, meta-data, audit trails, and the like may be necessary . . . assuming the investigator has access to them, as well as the time and expertise to make use of them.

In any case, the application of a legal signature by the investigator who collects and authenticates such evidence can contribute to the long-term credibility of the evidence. Often a webcam signature (stating date and time) would be practical, reliable and persuasive to legal authorities like juries.

What do you think?

--
Related: How to verify online forensic evidence.

How to Find Legal Evidence in Backups

Copies of legal and audit evidence are spreading everywhere. The “syncing” of digital devices and services is revolutionizing the forensic collection of electronic evidence.

Discoverable evidence is no longer confined to islands like an email archive or a hard drive. The evidence is multiplying. It is being copied and copied again. It is backed up here, it is automatically shared there, and it is accessible some other place.

Hence, if relevant text messages have been deleted from a phone, they may still be recoverable from a synced backup on:

  • PC hard drive 
  • enterprise email account
  • cloud storage account like Dropbox or Gdrive (cloud storage often enables automated copying to multiple devices; something copied to Gdrive may automatically be copied to your home PC hard drive and the hard drive of your personal laptop)
  • wearable device like a smart watch
  • dedicated local storage device (a “cloud in your home”)
  • television in the living room
  • soon . . . your Internet-of-Things refrigerator!

Can You Remember All the Services Enabled on Your Smartphone?


Today, when a consumer or a business professional sets up a new device like an Android phone, they are encouraged to sync their contacts and photos with cloud services and with other devices. Many people do not deeply understand what this means.

Recently I witnessed the surprise of an iPhone user who lost her phone and bought a new one. All of her details, like photos and settings emerged like magic on the new phone. Why? Because they were backed up in the iCloud . . . even though she did not realize they were stored there.

Many modern cell phones automatically back up data to the cloud so that the data can be restored if the user "resets" the phone. See this image from an HTC One phone.

Such cloud backup service is a relatively new development in the smartphone universe. The full implications of this service can vary from one situation to the next and from time to time. Can texts be recovered from this backup? Photos? Log-on credentials for mobile apps like Snapchat? Contents of mobile apps, which may themselves contain sensitive messages, images, geolocation data etc., etc.?

An investigator may need to research and play around with a service to learn what evidence can be recovered from it in any given situation. The investigative process is unpredictable and labor-intensive. Therefore it may be expensive if you are paying an investigator to work by the hour.

The backup functionality can be complex, and hard for even a reasonably educated person to understand. I have been working with a new HTC One phone (July 2014). I've enabled automatic backup, but I am still puzzled about precisely what the backup does. I see this explanation on HTC's web site:



It says my data is at my "Dropbox storage" . . . but I am not aware that I have ever set up a Dropbox account. So far I've not been able to ascertain whether I can access this "Dropbox storage" by any means other than "resetting" the phone . . . or possibly duplicating the contents of the phone onto a different HTC phone.

(I am guessing that somewhere in the setup of the phone and the setup of the backup function HTC created a Dropbox account for me . . . but that is just a guess. I did not notice this happening. I have not noticed a "welcome" message from Dropbox.)

Many people come to this blog seeking to get texts and photos from a telecommunications carrier like AT&T. However, the carriers are often uncooperative. The better path for recovering data may be from the cloud backup, such as HTC's Dropbox storage or Apple's iCloud.

Did You Automate and Then Forget?


Some cloud services encourage you to make automatic backups because they want you to become dependent on them. Microsoft’s OneDrive gave me three extra free gigabytes of space if I’d set up the CameraRoll on my Windows laptop to upload its contents automatically to OneDrive. Microsoft is hoping I will upload so much (perhaps without thinking about it) that I will need to purchase additional storage.

HTC and Apple provide backup as an incentive for the customer to come back to them when the customer purchases a new device.

Many users will forget about their various backups. Therefore, if they were asked in a legal deposition or interrogatory whether they had backups they’d honestly say no. However, a diligent investigator could find the backup(s).

Does Investigator Need Training?


An effective investigator does not necessarily need special equipment or high technical skills to find the backed up data. Instead, the investigator needs patience and an inquisitive disposition. Computer devices like tablets and online services like OneDrive are emerging and changing constantly. No one can know everything about them. However, their features and behaviors can be researched and intuited by a persistent investigator.

With that said, a trained investigator will know how to order and document his work so it can more readily be established as reliable in court. In a criminal prosecution, a court may expect proof of the “chain of custody” for the evidence. Further, the work of a licensed and/or certified investigator may be perceived as more credible.

What’s more, sometimes special forensic tools are critical to recovering data. For example, a forensic specialist reports he recently used forensic tools to recover deleted email by accessing the “shadow” copy maintained for disaster recovery on the hard drive of a Windows PC.

Is the User Given Good Legal Disclosure?


When a user syncs a device with something else, there’s never a sensational notice like this: “Warning. By syncing your phone, you are creating backup records of photos and text messages that can be discovered by the police or your ex-spouse in a legal investigation.” Users are often presented lengthy (boring) terms and conditions, but few users scroll screen-after-screen on their mobile devices to read and absorb the implications of the terms. As the adjacent photo shows, the terms may say that nonspecific, neutral-sounding “content” will be stored, but rarely do users cogitate over that word.

When a user sets up syncing, they may create a password that they then forget. Sometimes the only practical way to access the synced backup records is by using the device from which the records originally came. For instance, an app on a phone may be causing records to be stored on a social media or cloud site. The only practical way for the investigator to get credentials for logging onto the site might be to use the app as it is installed and configured on the phone.

With appropriate authority, a talented investigator can reset passwords and recover forgotten accounts. Authority might come from, for example, user consent, a court order or a BYOD agreement between the user and her employer. 

iCloud and iPhoto Pitfalls


Apple's iCloud is notorious for storing records in ways that confuse iPhone or iPad users. This confusion has contributed to a scandal around nude celebrity photos.  Remarkably, a user (like a celebrity) can delete photos from his/her iPhone but not realize they are still stored in iCloud, waiting to be discovered by an investigator . . . or a hacker.

(Image caption: Like pink stain in "The Cat In The Hat Comes Back," data won't disappear.)

Further, even if the user has figured out how to delete the photos from iPhone/iPad and iCloud, they can still be backed up in iPhoto on the user's Mac desktop or laptop. Getting rid of all the data requires extraordinary diligence!

By: Benjamin Wright

Professional Standard of Responsibility for Data Security

The CEO of retail merchant Target lost his job owing in part to a data security breach. The Chief Information Officer lost his job too. Target is a turning point in the history of data breaches. It is changing the way enterprises approach data security.

(Image caption: Lessons from Target)

Insecurity Is a Fact of Life


To prevent data from leaking out is very hard – in fact, super hard – for an enterprise to achieve. To explain that point, journalist Quinn Norton publishes an article titled “Everything Is Broken.”  Although she speaks in terms I would not use (she says computers are “broken”; I say our expectations for computer security are unrealistic), I subscribe to her basic message: typical computers and software are inherently insecure. They are riddled with holes. They were not designed, they were not created, they are not deployed like M1 tanks.

Encryption Exemplifies Security's Unachievability

Take encryption. The public discussion about security often assumes that “encryption” is an achievable solution to much of the data security problem. But sustained use of encryption in a functioning enterprise – or by a reasonably careful individual – is a nightmare that is rarely acknowledged. To quote Norton: “Managing all the encryption and decryption keys you need to keep your data safe across multiple devices, sites, and accounts is theoretically possible, in the same way performing an appendectomy on yourself is theoretically possible.”

She goes on to explain that encryption programs can often be circumvented because, for example, they sit on top of code written in the C programming language, often by sloppy developers who fail to use secure coding practices. Secure coding in C requires a lot of discipline. According to one knowledgeable expert, "C is unforgiving if you are lax in secure coding practices."

An example of a C programming vulnerability is the catastrophic Heartbleed bug that attracted so much attention when news of it broke in April 2014. Security guru Bruce Schneier said that on a scale of 1 to 10, Heartbleed is an 11 in its magnitude!

Think about Schneier’s comment from a public policy perspective. Heartbleed had been sitting out there for years, unknown to the community, as a loophole in commercially-popular encryption (OpenSSL). But the public policy conversation assumes “encryption” is good, practical, achievable.

Norton argues there are more Heartbleeds out there; the community just hasn’t identified them yet.

Another recent controversy demonstrates how impractical encryption can be. For years, many smart people have relied on TrueCrypt to encrypt records. Then suddenly TrueCrypt's developers announced the program is insecure and everything encrypted with it needs to be re-encrypted with something else. Even though the community is debating whether TrueCrypt is in fact insecure, the controversy compounds the nightmare for many enterprises that in good faith have devoted resources to encryption.

When we consider encryption as a solution, we must acknowledge that the practical application of encryption is destined to fall short.

Breaches Are Normal


In data security, everyone makes mistakes, even the best experts. RSA itself – the gold standard among infosec vendors – suffered a major security breach in 2011. Hackers used spear phishing against RSA employees to compromise the company’s SecurID authentication tokens. (csoonline.com “The 15 worst data security breaches of the 21st Century,” February 15, 2012)

What about the National Security Agency? It is reputed to employ the best computer security team in the world. It devotes a massive budget to computer security. But it suffered a cataclysmic breach. Edward Snowden stole the NSA blind.

No one is immune to data security breaches, even when they have very qualified people working for them and they devote tremendous resources to the problem.

Data security is a highly adversarial contest, similar to high-stakes litigation. The enterprise faces very smart, capable and persistent adversaries, like Mr. Snowden or like talented opposing counsel.

Losing the data security contest is normal, just as losing a lawsuit is normal and losing a football game is normal.

CISO Emerges as a Peer to General Counsel


It is in this harsh, unpredictable environment that enterprises like Target must manage sensitive data like payment cards and healthcare records.

For an enterprise, managing data security has become like managing legal rights and liability. The enterprise will never get close to perfection. It will never know whether it made all the correct decisions. But it can devote professional attention to the problem.

Historically the infosec team at the enterprise was composed of technical staff under direction of the Chief Information Officer. Infosec guys often complained that their guidance did not get the needed respect. They’ve had a reputation for writing long, highly prescriptive security policies that say this “will” be done and that “must” be installed. Even though their policies often would not be followed, they felt it necessary to use unrealistic, compulsory policy language just to be heard. They spoke in simplistic, black and white terms.

The historical practice out of the infosec team is markedly different from the practice out of general counsel’s office.  Business lawyers eschew directives like you "must" do this and you "will" do that.  Often such absolute mandates are too simplistic to address the challenges the enterprise faces. Rarely do lawyers say something like, “The enterprise must file this lawsuit because the enterprise is guaranteed to win a bunch of money in the lawsuit.”

But when lawyers talk, executives listen. Corporate lawyers are esteemed, pretty-well paid professionals. General counsel is an executive.

Though lawyers can speak in soft tones, their “advice” and “recommendations” carry weight. Their advice and recommendations are perceived as having serious impact, even if the advice and recommendations are not always followed or not perfectly followed.

Seeking Higher-Caliber Security Advice


The world is changing. Target is rumored to be shopping for a Chief Information Security Officer who will not be a subordinate of the CIO.  Rather, the CISO will be a peer of the CIO. According to Business Insider, this elevation of the CISO (and therefore the elevation of the infosec team) is an emerging trend among enterprises. “This Week In Payments News: Target Undecided On Who Will Be In Charge Of Stopping Hackers,” May 25, 2014.

Here is my interpretation of the trend: Management of data security has become mission critical for the modern enterprise. But management of security involves tradeoffs and unknowns akin to those applicable to the management of legal rights and liability.

The modern enterprise seeks sage leadership on data security. The enterprise will never achieve perfection; it will never know whether its decisions were the best. But the enterprise wants to get the kind of guidance from its security staff that it gets from its legal staff.

The implication is that the modern enterprise is seeking sharper, better-qualified security staff, and it is willing to pay higher salaries to get them. The modern enterprise is in the hunt for a more professional infosec team, led by an executive-level CISO.

Legal Motivations for Professional Attention


When a patient visits a doctor, there is no guarantee the patient will get well. When a client retains a lawyer, there is no guarantee the client will win its lawsuit or achieve a desirable legal outcome.

The risk of an unhappy outcome is recognized in professional malpractice law.

So long as the doctor or lawyer exercises diligence and care, the professional is not liable for malpractice, even though the outcome is undesirable. Law motivates the professional to work and even be creative and take educated risks, but it recognizes that the task at hand can be unwinnable. It leaves much room for imperfection, mistakes in judgment and plain old bad luck.

I argue similar motivation should apply to data security in an enterprise. The enterprise should be motivated to seek qualified security expertise. But very commonly a diligent application of that expertise will fail to a greater or lesser degree. Qualified people will make mistakes. The possibilities for error and surprise are infinite.

Moreover, data leakage is like a serious disease. Often it is simply not curable. Law should motivate good work, but it should not punish a failure to cure.

Hence I argue that the law of data security should not hold an enterprise liable for a data leak if the enterprise meaningfully employs qualified staff.

I don’t anticipate infosec staff will be licensed like doctors or lawyers anytime soon. But I do think law can recognize the difference between qualified, vigilant staff and the absence of the same. And the law should recognize that even with qualified, vigilant staff, bad outcomes are normal, par for the course.

==
By: Benjamin Wright, attorney and teacher of Law of Data Security and Investigations at the SANS Institute.

Update:

Target's new CISO will report to the CIO. However, I'll bet that the new CISO will be treated as a trusted professional whose recommendations are given weight.

Related:

1. Floods of data breach notices

2.  Putting a Professional Standard of Care into Infosec Practice