Asserting Legal Terms in Smart Contract Relationship

Blockchain and smart contract commerce are expanding rapidly. Parties do business relying on software to execute transactions as intended. But software can be flawed, and one trading partner can behave in a way that the other partner did not expect.

Here is an example of an alleged software flaw that has given rise to a lawsuit: The owner of a non-fungible token says a flaw in the NFT platform OpenSea allowed a hacker to steal the NFT. In February the owner sued OpenSea in federal court seeking compensation. McKimmy v. OpenSea (Civil Action No. 4:22-CV-00545), S. District of Texas.

Often, the legal expectations in a smart contract are not well articulated. Example from the Livepeer Web 3.0 ecosystem: The holder of an LPT token might "stake" the token with an orchestrator (node operator), expecting the financial returns advertised by the orchestrator.

Livepeer is based on Ethereum, but uses some words that are different from the usual words in Ethereum. Use of different words could cause legal confusion.

The precise, easy-to-understand legal relationship between the parties might not be stated anywhere. One response by the token holder would be to communicate terms unilaterally to the orchestrator.

The token holder might, for example, send an email to the orchestrator saying something roughly like this: "These are the terms on which I delegate (stake) my LPT token with you. You agree to these terms by moving forward with our relationship. You will give me rewards XYZ. You will provide me those rewards even if Livepeer software fails to deliver those rewards to me. Neither you nor your creditors may assert control over my token beyond what is considered as 'staking' generally within the Ethereum community. If I successfully sue you to enforce these terms, you will pay my attorney's fees. These terms are governed by the law of the state of ABC."

Be careful when stating terms this way. A party like the token holder should not state terms that are unfair or onerous. The stated terms should honestly reflect the expectations of the parties based on the context. Fairness and honesty go to the core of good human relations (justice and human dignity) and are much more likely to win favor in court.

What do you think?

(This post is just for public discussion and not legal advice for any particular situation.)

Staking Tokens in Ethereum, Web 3.0

I am studying Web 3.0 in the Ethereum ecosystem. I don't understand much yet. As research, I think out loud here, in public. I'm looking at an example Web 3.0 project, Livepeer, a decentralized blockchain platform for video streaming, which delivers a concrete, real-world service.

Livepeer issues a token called LPT, which powers the blockchain, causing the video streaming service to operate. Someone who purchases LPT tokens has the option to delegate (stake) those tokens with a different party, an "orchestrator." This process of delegating (staking) tokens is common in the Ethereum world. Ethereum is a proof-of-stake blockchain, and participants cause the blockchain to function by proving they have staked a certain number of tokens. Participants thereby earn rewards.

In Livepeer, the participants, that is, the orchestrators (aka node operators), need tokens they can "stake" so they can cause ("fuel") the Livepeer blockchain to function and so they can earn rewards.

In Livepeer, multiple orchestrators compete to persuade LPT holders to delegate/stake LPT tokens with each orchestrator. Each orchestrator publishes terms indicating the orchestrator will take a stated cut of rewards earned from using staked tokens and will deliver a stated reward to the token holder.

I'll bet the relationship between orchestrator and token holder is governed by a "smart contract." But legal problems could arise around that smart contract. The smart contract code might be flawed. Or surprises like bankruptcy could happen. So I imagine disputes between orchestrator and token holder. I'll bet there's room for written terms and conditions between orchestrator and token holder. Ts&Cs might address: Is the orchestrator legally liable if the process doesn't work as the token holder expects? Is that liability limited or unlimited? Are there circumstances where the orchestrator or its creditors may seize staked tokens or the rewards?

I'll bet there is industry custom within the Ethereum world answering these kinds of questions, but I'll bet that custom is often ambiguous.

I imagine one party or the other publishing Ts&Cs, stating: if we do business, here are the terms. I wonder whether there are any standard Ts&Cs for orchestrators and token holders in the Ethereum world.

I imagine one party publishing terms that conflict with the published terms of the other party. This conflict would manifest a new instance of an old controversy in contract law: "battle of the forms" (topic in my SANS LEG523 course).

Can anyone enlighten me? What have I gotten wrong? Where can I find insights on questions above? Thanks!

Complying with GDPR when Transferring EU Data to US

Authorities on both sides of the Atlantic struggle to find a convenient way to support the transfer of personal data from the European Union to the United States. Here I discuss possible paths forward:

GDPR as Barrier to Market Entry?

Tim Cook's embrace of the EU's General Data Protection Regulation (GDPR) is a major development. All of us in infosec need to pay attention.

But Cook's privacy vision challenges organizations, large and small: How in practice does any organization actually comply with GDPR's vague standards? GDPR's principles are easy to express in a speech on stage. But they are difficult to understand and apply in diverse organizations on a day-to-day basis.

A substantial step any organization can take is to appoint a chief data protection officer (or something like that). But the appointment and genuine support of a DPO entails a great deal of work by policy and legal professionals.

What Cook does not acknowledge is that it is relatively easy for a trillion-dollar company (Apple) to throw armies of lawyers and policy wonks at the task of privacy "compliance." But it is much more difficult for smaller and start-up organizations.

Vague privacy standards can become a barrier to entry into the market. If small organizations lack the bureaucratic resources to debate and evaluate privacy day-in and day-out, then large corporations have a new competitive advantage. When Apple started in a garage it could not afford a team of wonks and lawyers to evaluate and document privacy compliance. Apple is different today.

I do not question Tim Cook's sincerity or good faith.

Three reasons investigators should take the Law of Data Security and Investigations (SANS Legal 523 course)

I have the honor of teaching a 5-day course at the SANS Institute: "Law of Data Security and Investigations" (SANS Legal 523).

The course is an intensive bootcamp on how to manage risk in cyber law, including GDPR, privacy, contracts, data breaches, forensic investigations and other kinds of cyber attacks. It emphasizes the careful selection of words -- in reports, policies, contracts, answers to infosec questionnaires and the like -- to achieve a better outcome from a legal controversy.

An important audience for the course is the cyber investigator, including an incident responder, a penetration tester and a digital forensic expert.

Here are three reasons investigators should take the course.

1. To understand the unpredictable ways your evidence might be used in law.

Cyber investigators are busy these days. There is so much evidence to collect and evaluate from computers, the cloud, mobile devices and so on. Many investigators lack training to help them understand all the different ways their evidence might be used, such as in civil or criminal court, in arbitration, in contract disputes, in business negotiation and in internal decision-making. When investigators learn to see how many different (and unpredictable) ways their evidence might be used, they will follow different procedures and prepare better reports.

2. To learn how to promote yourself as a professional skeptic.

The course teaches that it is very common for cyber evidence to be misinterpreted. Cyber investigators can reduce misinterpretation by learning to be professional skeptics about evidence. They learn how to avoid jumping to conclusions about evidence and thereby help others, such as their management, to make better legal decisions about the evidence. The course teaches specific techniques for exercising and promoting professional skepticism.

3. To obtain GLEG certification that burnishes your credentials.

Like other leading SANS courses, Legal 523 comes with a GIAC exam. If a student passes the exam, they are awarded the GLEG certification.

A GLEG certification can help to confirm to an employer that an investigator has completed rigorous training in the law applicable to cyber investigations. In addition, GLEG certification can inform an authority such as a judge or regulator that the investigator possesses cyberlaw qualifications.

The course is delivered in live classrooms and online.

Learning Investigation Law

Photo credit: @chrisfurtick

Online Cyber Law Training

The OnDemand version of SANS Institute's Legal 523 course "Law of Data Security and Investigations" is popular with students in a hurry. The course is paired with the coveted GLEG certification.

Another reason some students prefer the OnDemand version is it allows them to absorb the material in bite-sized chunks. You can listen for a few minutes, stop the audio, read the notes, think, and then continue.

EU's General Data Protection Regulation

SANS Institute Publishes White Paper by Benjamin Wright

Executive Summary

Adoption of the new General Data Protection Regulation (GDPR) is motivating organizations worldwide to improve existing technical controls for securing personal information. Organizations should be especially aware that the GDPR and other recent legal developments amplify the negative repercussions of a data security breach -- meaning organizations have increased incentives to avoid a breach.

Data security law in Europe continues to evolve. Enactment of the GDPR, which takes effect May 25, 2018, will impose formal, new data security requirements on organizations within the European Union, affecting many companies.

In parallel, in October 2016, France adopted the Digital Republic Bill. It dramatically increases fines on those organizations that fall short on security. For larger, multinational organizations, these types of new security regulations reflect three major trends:

  • Greater potential monetary penalties imposed by regulators
  • More rules for disclosure of data breaches
  • Increased exposure to diverse proceedings and investigations into whether data security is adequate

As a consequence, larger organizations should begin immediately to redouble the implementation of information security controls and technologies, which includes automated IT security monitoring, testing and measuring.

This paper provides recommendations and a checklist for technical compliance with the GDPR. These recommendations are equally imperative for avoiding a painful data security breach. Included are several case studies showing how companies can effectively use advanced technology for regulatory compliance and reduced breach risk.

Read the full paper titled Preparing for Compliance with the General Data Protection Regulation (GDPR): A Technology Guide for Security Practitioners.

How to Keep InfoSec Investigation Secret

Confidentiality Labels as Compliance with Professional Ethics

In the investigation of a data security incident, proper use of confidentiality labels can help a lawyer or other professional show they are complying with ethical requirements for confidentiality.

Consider the American Bar Association Model Rules of Professional Conduct, “Client-Lawyer Relationship, Rule 1.6 Confidentiality of Information.” Rule 1.6(c) reads, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

Official commentary to that Rule says: “When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. …  Factors to be considered in determining the reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement.”

Not Every Security Incident is a Breach

So let’s consider how this Rule 1.6(c) might apply to a data security investigation. A data security investigation can be very sensitive for an enterprise. The investigation can require much work and analysis to determine the legal impact of a security incident. The analysis may conclude that the enterprise has suffered a data security “breach” for which notice must be given and for which the enterprise is legally liable. On the other hand, the analysis may conclude there was no “breach” and therefore no requirement for notice and no liability.

Accordingly, it is in the best interests of the enterprise that the investigation be kept legally confidential. The enterprise does not want its legal adversaries (such as regulators or class action plaintiff lawyers) to know anything about the investigation. If the adversaries possess details from the investigation, they might use those details to penalize, hassle or assert liability against the enterprise.

An attorney working for the enterprise can help to promote the confidentiality of the investigation -- and all information and communications related to it -- by ensuring that the information and communications are properly labeled as “Confidential attorney-client communication,” “Confidential attorney work product created in preparation for dispute” or something like that.

In many cases the law respects confidentiality associated with attorney communications and work. For this reason, non-lawyer professionals, like infosec experts, are motivated to involve a lawyer in their investigations.

Labels like those above can be powerful to prevent the unintended or unauthorized disclosure of sensitive information. The labels warn anyone who sees the information (police, vigilantes, regulators, contractors, employees, whistleblowers and so on) that it is confidential and protected by law. The labels can also help to prevent disclosure of the information through legal process such as a subpoena, a police raid or discovery in a civil lawsuit.

Thus, the labels would be a crucial part of a lawyer’s reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information belonging to the lawyer’s enterprise client. Furthermore, the labels could be evidence of a reasonable expectation by the lawyer that the information will be treated as confidential by law.

In other words, proper use of these labels can help an infosec lawyer comply with ethics Rule 1.6(c) quoted above.

How to Make a Legal Recording of Mixed Reality

Evidence of Digital Interaction in Physical Space

This blog post teaches how to make an evidence-rich record of mixed reality. Mixed reality is like virtual or augmented reality, but doesn't necessarily involve a headset. It shows information from both the real world and the cyber world (e.g., "nearables," wearable computers or SCADA devices). The information in a mixed reality environment can be much more complex than what a user perceives through a virtual reality headset.

The Internet of Things (IoT) Creates a Mixed Reality.

In the video below the mixed reality involves interaction among a Bluetooth location Tile, the apps on a smartphone and the cameras and microphone on the phone. As the video is made, the phone is physically moving from one place to another.
Internet of Things - Attached to pet cat
Details of the interaction are memorialized in a video that shows:
  • images and sounds from the real, physical world;
  • activity happening on or through the phone;
  • sounds and Bluetooth signals emitted from the tracking Tile (which is attached to a cat) when the Tile is prompted by an app on the phone;
  • distinctive visual change in the Tile app as the phone draws nearer to the physical location of the cat:
    1. the circle displayed in the app changes from gray, to dotted green, to solid green;
    2. then the Tile icon in the app swings back and forth to show the physical Tile is emitting sounds that can be heard through the air (you can actually hear the sound from the Tile as it is detected by the microphone on the smartphone).

The video includes narration from an eyewitness -- the “investigator” -- who explains what is happening in real time.

The Video Records Images from Both the Front Camera and the Back Camera on the Phone.

In parts of the video, the investigator appears on the left side. When the investigator appears, the investigator is being recorded with the front-facing camera on the phone. The right side of the video shows what the investigator sees and records with the back-facing camera on the phone.

The narrated explanation helps the observer – such as a judge or jury who watches the video in the future – understand and believe the evidence so that the observer can reach legal conclusions. (Examples of legal conclusions are that a party is guilty, or innocent, or liable, or trespassing or in compliance with a regulation.)

Notice that the sound of the narrator's voice changes as he walks with the phone. The phone's microphone picks up an echo as the narrator walks through a narrow space (a stairwell). Subtle details like this could have forensic significance when the video is analyzed later. They help to show whether the video is fake or authentic.

A video record like this might be valuable in resolving:
  • a lawsuit
  • a tax audit
  • a police investigation
  • a child custody dispute
  • a dispute over assets in probate court
  • a response to an information security incident

The video reliably captures facts as they appear at the time. It captures the facts in chronological sequence. The video is a version of the "screencast" evidence record I have explained elsewhere.

Mixed Reality Is Here Only Momentarily.

The facts captured in a video like this might be ephemeral. They might not be reproducible later. The digital world is in constant flux. For example, the Tile might behave a certain way at the time the video is made, but behave a different way an hour later due to an update to the software that runs the Tile or the app that controls it on the phone.

The investigator lends credibility to the video record by ending his narration with a legally binding statement of authentication: “I Ben Wright hereby sign and affirm this video as my official work.” He concludes by stating date and time with his voice and his lips. That date/time statement can be linked with related representations of the date and time, including the time displayed on the screen of the phone itself in the final moments of the video. The representations of date and time make it harder for a fraudster to counterfeit or manipulate the video later.

Trustworthiness Depends on the Investigator’s Credibility.

Obviously the investigator could fabricate this video, just as other eyewitnesses could fabricate their testimony about what they saw. But if the investigator has a good reputation, then the observer of the video (judge or jury) has more reason to believe what is depicted in the video.

The video can serve as evidence of what happened, even if the investigator is not available later to vouch for it.

Legal records like this video might be needed in court many years after their original creation. Therefore the multitude of visual and auditory details captured in the video, together with the voice authentication stated by the investigator, can be invaluable to a court that is trying to understand and evaluate what happened long ago.

Video is Efficient Tool for Professional Investigator.

Historically a professional investigator made records by snapping a few photographs and writing a text report. But to write a report takes a long time. This video captures a great deal of compelling evidence in a short time.

Notice that the end of the video records details about how the video was made. For example it shows the video was captured with the AZ Screen Recorder App. Details like that might help answer questions by a judge if the video were used in court.

Mixed Reality is Rapidly Growing More Common.

The modern world sports a spellbinding array of digital devices and sensors that can detect and transmit information useful to an investigator like a police officer. Mixed reality devices include the following:

The backup camera/sensor on a car begets a mixed reality. 

The driver sees a video image from the camera. But the driver experiences much more than just a video image.
Mixed Reality for Motorist
Superimposed on the image are colored guidelines. Plus the system, which includes multiple cameras and sensors, presents a simulated image of what the car and its surroundings look like from 20 feet above! (Cool)

The cameras/sensors may emit audio if the car approaches danger. Moreover, the sensors may give the driver haptic feedback through the driver's seat. All of this "reality" transpires in a physical space where the driver also directly hears, sees and feels what is happening in and around the car.

I invite your comments.


How to Write Terms of Service for Virtual Reality

Legal contracts will pervade and regulate virtual reality. Just as end user license agreements (EULAs) govern the use of software, legal terms of use will govern virtual reality "space." Some terms of use will be like No Trespassing signs. Others will be warnings or disclaimers of liability.

Like the terms of use for web sites or mobile apps, some virtual reality terms of use will prohibit unauthorized activity (example: "You agree not to simulate sexual acts.").

Legal Notices Are Common.

Modern life is filled with legal notices and contracts. For example, as a visitor enters a physical building, it is common that the manager of the building will notify the visitor -- with a legible sign -- that guns are prohibited inside the building. Notices like this can be legally enforceable against a visitor: bring a gun into that building, and you can be ejected and perhaps arrested.

Property Rules

Legal Terms in VR Could Impose a Binding Contract.

In a virtual reality environment, the terms of use could cover myriad topics. They could confirm the intellectual property rights of the VR developer. Or they could restrict the legal power of a user to violate intellectual property (e.g., a work of art) by, for instance, forbidding the user from recording the property.
virtual reality contract

The terms could limit the power of a user to sue the developer if its data security is weak. (Example: "You give us your personally-identifiable information at your own risk. We cannot assure the security of your information, and we take no liability for any compromise of your information.")

Or ... the terms could impose legally-binding fees on a visitor. (Example: "If you enter this virtual room, you agree to pay VR Dev, Inc. $5.")

Enforcement of terms would often require gathering evidence of the terms and how they appeared in the virtual space. See the blog post about capturing legal evidence in virtual or augmented reality.

Legal Terms Might Be Enforced on Bots.

Google reported that its DeepMind bot is able to navigate a Doom-like 3D maze similar to how a physical robot can navigate through a physical building. Cool.

But when a bot visits a virtual space, legal terms -- written in natural language, not a machine-readable convention like robots.txt -- might be imposed on it, even though no human actually set eyes on the terms or interprets the legal meaning of the terms.

Why do I say that?

Refer to the famous case Internet Archive v. Shell. Ms. Shell published a web site, and posted legal terms on that site. The terms said that any visitor to the site agreed by contract that if it made a copy of a page from the site it would pay Ms. Shell $5000 per page. Internet Archive engages in the public service of archiving the Web. Using an automated program (a bot), Internet Archive made copies from Ms. Shell's website. Then, Ms. Shell sued Internet Archive for breach of contract, seeking money! Internet Archive argued in court that it was impossible for it to enter a contract with her because the copying was performed by an automated program and no human had reviewed the terms posted on Ms. Shell's site.

However, on a first-blush review, the court sided with Ms. Shell. The court ruled she had sufficiently proven the possibility of breach of contract so as to force the lawsuit into deeper proceedings.

The risk of deeper proceedings meant greater cost to Internet Archive and the possibility of an embarrassing loss in court.

Then Internet Archive and Ms. Shell settled their dispute. Internet Archive apologized to her, and she accepted the apology. She dropped her demand for money from Internet Archive.

Ms. Shell achieved a victory and established the possibility that a bot could be legally bound to contract terms communicated by natural language.

Legal Notices Will Be Published as Audio.

When Time Magazine's Lisa Eadicicco tried Microsoft's HoloLens, what surprised her were the sounds. Through HoloLens, she saw 3D objects as she expected. But she did not anticipate that the audio would be so meaningful.

She could hear objects that were out of view! She reported that she could hear them moving, similar to how we can hear creatures moving in real space, even though we don't see them. In other words, a rich VR experience will communicate by way of audio as much as by video.

Accordingly, some legal notices and contracts will be posted as audio, and/or they will attract attention by audio. For instance, as a VR explorer enters a landscape, she may hear a certain tone to indicate that legal terms apply to that landscape and she can read them if she so elects.

Notice of a Contract Might Be Given By Haptic Vibration.

Instead of audio, however, legal notices might bring attention to themselves through haptic feedback. For instance, a little vibration on the left side of a headset might indicate that

  • a legal notice is present,
  • the legal notice is binding, and
  • the user can access the notice (similar to clicking a "Legal Terms" link at the bottom of a web page) if the user so desires.

I am interested to hear comments on this topic.

See also:

  1. How to make a legal recording of a "mixed reality" experience.
  2. Legal measures brand and property owners may take to regulate augmented reality