Writing and publishing code alone cannot be a crime
A recent speech from a CFTC commissioner is concerning for free software development
Recently CFTC Commissioner Brian Quintenz gave a speech that began by asking one of the most important policy question generated by the emergence of cryptocurrencies and public blockchains: “How can our regulatory apparatus, built to register and oversee intermediaries, adequately police our markets and set standards for a disintermediated market?” He then outlined the core challenge with respect to public blockchains: “Identifying who is responsible for ensuring that activity on the blockchain complies with the law.” The fundamental innovation of public blockchains is to remove the need for an intermediary—the party typically responsible for complying with regulations is gone. So what happens next?
Commissioner Quintenz has repeatedly proven to be on the cutting edge of developments in blockchain technology and his astute identification of these issues underscores his dedication to making careful and innovation-preserving policy in our space. As we’ll explain below, we agree with Commissioner Quintenz that neither the core developers of public blockchains, nor the miners, nor the users generally, should be held responsible for unlawful activity, and we agree that engagement with smart contract developers is more likely to generate positive policy outcomes than enforcement. However, we strongly disagree with his suggestion that smart contract developers could be held responsible if they can “reasonably foresee” that the code they write—the tools they build—could be used to break the law
Who is definitely not responsible for unlawful use of smart contracts?
The Commissioner identified the players who could be held responsible within public blockchains: core developers, users, miners, and smart contract developers. And then he specified some CFTC regulated activities for which these parties might be responsible when they are carried out using a smart contract or a series of smart contracts (i.e. a protocol): swap contracts, event futures, and marketplaces for event futures (i.e. prediction markets).
He quickly dismissed the possibility that either core developers, miners or users (in general) could or should be held to account for unlawful activity on a public blockchain. Here’s a summary of why:
- Core Developers
- have no involvement in the development of the unlawfully used smart contract code,
- write code (the public blockchain client software) upon which any number of applications (lawful or unlawful) can run, and
- may not even be aware that a particular smart contract is deployed and is being used unlawfully.
- Miners and General Users
- are not in a position to know and assess the legality of each particular application on the blockchain when they validate signatures and execution in smart contract transactions (miners) or use adjacent, lawful applications (users generally).
We agree entirely with Commissioner Quintenz on these points. Holding any of these parties responsible would be both,
- morally wrong because it would punish people for acts they did not commit and about which they may not even be aware, and
- hugely detrimental to the progress of science and technology because it would chill the development of tools that have manifold legitimate uses.
Additionally, though the Commissioner does not make this argument, banning or conditioning the publication of core blockchain software would be a content-based restriction on free speech. Given the several legitimate uses of such software that would also be precluded by a ban, the restriction would not be narrowly tailored to serve a compelling government interest, and would therefore likely prove to be unconstitutional.
We also agree with the Commissioner that the most fruitful way to discourage unlawful use of public blockchains is “engagement instead of enforcement,” and we are heartened that the Commissioner believes that regulatory flexibility could be warranted, suggesting, “it may be that new products require the Commission to rethink its existing regulations or provide regulatory relief.”
Are smart contract developers responsible if they can “reasonably foresee” unlawful use?
It’s important to note that Commissioner Quintenz has been a leader in thoughtful policy-making toward cryptocurrency, and he was very clear in his speech that none of this is obvious or settled. He said, “The answers to these questions are still being contemplated, but I have a few thoughts of my own that I would like to share and on which I would welcome feedback and discussion.” We are very grateful that he’s taking a cautious approach to making policy here and wants to get feedback from the ecosystem. In the spirit of that discussion, here’s where we disagree with his speech.
Regarding the responsibility of smart contract developers, Commissioner Quintenz said:
The developers of the code could claim that they merely created the protocol and therefore have no control over whether and how users choose to use it once it is part of the public domain. They would place the liability on the individual users, who are the actual creators and counterparties of the event contracts.
In my view, this analysis misses the mark. Instead, I think the appropriate question is whether these code developers could reasonably foresee, at the time they created the code, that it would likely be used by U.S. persons in a manner violative of CFTC regulations. (Emphasis added.)
Smart contract code is a tool, and like nearly any tool—whether it be a hammer, a gun, or a web browser—it can and will be picked up and used by both good and bad people for both legal and illegal purposes. It is not only possible, it is easy to reasonably foresee that any smart contract will be used for illegal purposes, because tools are themselves purpose-agnostic.
Nor is this unique to smart contracts. If we were to use the gold standard of written commodities contracts, the International Swaps and Derivatives Association (ISDA) Master Agreement, to offer a commodity swap to a retail investor here in the U.S., then we will have used that contract unlawfully. Should one hold the authors of the Master Agreement accountable for our actions? ISDA didn’t make this illegal agreement, we did by filling in the salient details within their forms. All ISDA did was create the protocol, and yes, ISDA does, in fact, call its suite of agreements and processes “a protocol,” just like several smart contract suites for blockchain applications. Could ISDA have reasonably foreseen this illegal use of their protocol? Yes, of course they could foresee that use. In fact, ISDA offers the following disclaimer of responsibility in their terms of service agreement:
The Service is provided by ISDA as a service to market participants in the interests of market efficiency and transparency. Any party wishing to use a particular ISDA Protocol should consult with its legal advisors and any other advisors deemed appropriate prior to using or adhering to the ISDA Protocol. ISDA assumes no responsibility for any use to which any ISDA Protocol – and any of its documentation — may be put.
For comparison, let’s take one example from the world of smart contracts. Augur is a protocol for event futures just like ISDA’s protocol is a protocol for derivatives transactions generally. Augur contracts are executed on the Ethereum blockchain and the software behind those smart contracts is developed by the Forecast Foundation and freely offered to the public. Like ISDA, the Forecast Foundation does nothing beyond offering generic tools that can be used by persons to form and execute agreements. As the Forecast Foundation states on its website, they merely,
Support the development of open-source trading protocols, oracle systems and related technologies that advance transparent, open and financially sound markets, as well as their underlying protocols and toolings.
And also like ISDA, the Forecast Foundation can reasonably foresee that their tooling could be used for unlawful purposes, and has a very similar disclaimer of responsibility:
Augur is a protocol, freely available for anyone to use however they please. … Users of the Augur protocol must themselves ensure that the actions they are performing are compliant with the laws in all applicable jurisdictions and must acknowledge that others’ use of the Augur protocol may not be compliant. Users of the Augur protocol do so at their own risk.
As Commissioner Quintenz pointed out, “if the contract is a product within the CFTC’s jurisdiction, then regardless of whether it is executed via a written ISDA confirmation or software code, it is subject to CFTC regulation.” But similarly, the author of the misused protocol, whether it be ISDA or Augur, is not the the responsible party, unless we can find some deeper involvement in the crime than mere publication of a tool.
It may be that Commissioner Quintenz agrees. As he wrote:
Think of someone asking you to borrow the keys to your car because they want to rob a bank. If you let them borrow your car, it would be reasonable for the government to hold you partially responsible for the ensuing criminal activity. However, it would be unreasonable for the government to prosecute the car manufacturer.
This is absolutely the correct analysis. Borrowing from the Commissioner’s metaphor, to our mind, most developers of smart contracts are like car manufacturers, and—barring some involvement beyond merely publishing code—they are not the person lending their keys to a bank robber. We look forward to working with Commissioner Quintenz and the CFTC to finding constructive answers to these complicated questions.