class: center, middle

# How to achieve legal blockchain compliance in a systematic way

Dr. Peter Ebenhoch

![Shimano Chain](shimano2-circle.png)

.footnote[Internationales Rechtsinformatik Symposium, Salzburg 2019 – peter.ebenhoch@effectas.com – http://www.peterebenhoch.com ]

---
class: center, middle, inverse

# 1. Introduction

.footnote[Ebenhoch: Achieving blockchain compliance, IRIS 2019 – peter.ebenhoch@effectas.com – http://www.peterebenhoch.com ]

---
class: left

_“Anything can be lost or stolen, of course, but QuadrigaCX is big on security.”_

.left-column[
.normal[
- December 9th 2018: The CEO of QuadrigaCX, Gerry Cotten, dies in India (cardiac attack).
- January 19th 2019: His wife Jennifer Robertson announces that wallet keys on his encrypted notebook cannot be retrieved, resulting in assets worth 180 million CAD being inaccessible.
- His wife retains a yacht, an airplane and valuable land properties.
- His companion is suspected of being the convicted money launderer Omar Dhanani, operating under a different identity.
]
]

.right-column[
![gerrycotten](gerrycotten.png)
]

.footnote[https://amycastor.com/2019/02/12/how-the-hell-did-we-get-here-a-timeline-of-quadrigacx-events, https://www.bloomberg.com/news/articles/2019-02-04/crypto-exchange-founder-dies-leaves-behind-200-million-problem]

--

.right-column[
![No move possible](nomove.png)

.small[
Customers are not able to withdraw the assets they had bought using real money.
]
]

---
class: left, middle, inverse

# Déjà-vu? IRIS 2018

.logo[![Mt. Gox](DSCF4055.0-small.jpg)]

Scams, Crimes and Hacks

- 2018-02-15 Optioment: 80 million EUR
- 2018-01-30 Coincheck: 500 million USD
- 2018-01-22 IOTA-hack: 4 million USD
- 2018-01: EY: "10% of ICO funds are lost or stolen"
- 2016: DAO-Hack 50 million USD
- 2014: Mt. Gox 450 million USD

Additional presentations & workshops:

1. 2018-09: Blockchain and Anti-Corruption (International Anti-Corruption Academy)
3. Organizational Dependencies of Blockchains (upcoming)
4. Blockchain-Technologien als Babyklappe für den gesunden Menschenverstand [submitted for SwissICT conference in fall 2019]

---
class: left, middle

# Legislative action?

#### Liechtenstein Law on "Trustworthy Technologies" (Blockchain Act):

_The fact that trust is created by the technology and not by° organizations was decisive in defining the term "trustworthy technology" as the point of reference for the law._

.small[16.11.2018: Ministerium für Präsidiales und Finanzen]

.small[
°"nur" ("only") in the original PDF replaced by "durch" ("by") by PE (ratio: error assumed).
]

.footnote[https://www.llv.li/files/srk/vnb-blockchain-gesetz.pdf]

---
class: left

# Reality vs promise

## How can we find clarity?

.left-column[
Reality

- Scams
- Fraud
- Hacks
- Ponzi schemes
- Money laundering
- Undermines data protection regulation

![](DSCF4055.0-small-2.jpg)
]

.right-column[
Promise

- The trust machine
- No intermediary necessary
- Decentralization
- No owner

![](trustengine.png)
]

---
.logo[![Chain](shimano2-circle-handout.png)]

# Agenda

1. Introduction
2. Methods
   - ISO 31000 & ISO 27005 risk management methodology
   - Assets, vulnerability, threats & controls
   - Applying ISO 27005 to blockchains
   - BC as IT-systems
3. Risky areas of blockchain technology
   - Interfaces (Wallets) | Decentralization | Sourcecode deployment | Power and Electricity | Reversibility | Data quality (for DLT) | Limited availability | High complexity and fragility
4. Findings
   - Blockchains rely heavily on organizational support
   - Blockchain technology does not provide trust
   - Blockchain features (non-reversibility, immutability, disguise, complexity) threaten legal concepts
   - With clarity about primary and secondary assets, blockchains can be regulated with ease
5. Conclusions
6. Resources

---
class: left, middle, inverse

# 2. Methods

A. The logical thinking process (LTP) by Eliyahu Goldratt & Bill Dettmer
B. ISO 31000 & ISO 27005 risk management methodology

---
.logo[![Chain](shimano2-circle-handout.png)]

# ISO 27005: Approach

![ISO 27005](iso27005.png)

- Primary assets are non-material, e.g. _trust_
- Secondary assets are the real artefacts, e.g. _block_, _wallet_, _power-supply_, etc.

.normal[
→ Only secondary assets can be under direct threat.

→ Many blockchain crimes & scams have been rooted in the context of secondary assets.

→ We have to differentiate between blockchain issues on the conceptual and on the factual level.
]

---
.logo[![Chain](shimano2-circle-handout.png)]

## BC Concepts as primary assets

.bildrechts[![Blockchains as concept](blockchain-concept.png)]

For example:

- "Bitcoin - zivilrechtlich betrachtet" – Albrecht Mandl, IRIS 2016
- Datenschutz auf öffentlichen Blockchains* – Jörn Erbguth
- etc.
→ Conceptual aspects of blockchains have dominated scholarly discussion ...

→ and _are now even inserted 1:1 in laws_:

- Blockchain as "trustworthy technology"
- https://www.llv.li/files/srk/vnb-blockchain-gesetz.pdf

.footnote[*https://erbguth.ch/Erbguth_DatenschutzBlockchains.pdf]

---
.logo[![Chain](shimano2-circle-handout.png)]

## Blockchain implementations

.bildrechts[![Blockchains implementation](implementation.png)]

But blockchains are IT-systems, which rely on organized artefacts ...

---
.logo[![Chain](shimano2-circle-handout.png)]

## Influence factors

... which can be influenced and controlled by external factors:

![Influence factors](influence.png)

---
class: center, middle, inverse

# 3. Risky areas of blockchain technology

---
.logo[![Chain](shimano2-circle-handout.png)]

## Risky areas of BC technology

Analysis reveals these risk areas:

1. Interfaces (Wallets): Security issues, know-your-customer, fees
2. Sourcecode deployment: Hidden control mechanism
3. Power and Electricity: Massive miner concentration overrides the protection mechanism
4. Limited availability: Delayed transaction and block confirmation
5. High complexity and fragility of cryptographic methods: Undermines transparency and robustness
6. Decentralization: Veil to hide organizational responsibility
7. DLT Data Quality: Missing data input control / Garbage in – garbage out
8. Non-reversibility: There is no inherent mechanism to reverse a blockchain transaction

→ Blockchain applications and their legal compliance rely heavily on organizational preconditions and influences [1-7].
→ All influence factors are anchors to establish __risk controls__ and to __regulate Blockchain applications__.

---
.logo[![Chain](rohloff-klein.png)]

## Risk #6: Decentralization

> _The term "decentralized" functions as a liability shield for those operating the systems (developers and miners), creating what I call a "Veil of Decentralization"._

> _Misunderstanding the power dynamics within blockchain systems can lead to faulty risk assessments, in that we may view the tokens of these systems as less malleable than they actually are._

— Angela Walch°

→ The term "decentralization" hides the fact that blockchains are real IT-applications which are operated by people & organizations.

.footnote[°Walch: Deconstructing 'Decentralization' – Exploring the Core Claim of Crypto Systems, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3326244]

---
.logo[![Chain](shimano2-circle-handout.png)]

## Risk #7: DLT Data input control

Blockchain technology does _not support data verification and data management_:

__The garbage-in & garbage-out principle applies.__

.small[E.g. property register, land register, value chain monitoring, logistic tracking, etc.]

__DLT applications rely heavily on domain-specific organizational support to manage data quality.__

.small[Notary offices, lawyers, land register offices, banks, etc. stay indispensable.]

__For DLT-applications, organizations are indispensable to guarantee data quality and to ensure trusted data.__
In addition → If reversible transactions are needed, organizational support is required to mediate.

---
.logo[![Chain](shimano2-circle-handout.png)]

## Risk #8: Non-reversibility

> _«With the possibility of reversal, the need for trust spreads.»_
>
> _«What is needed is an electronic payment system based on cryptographic proof __instead of trust__.»_
>
> _«Transactions ... impractical to reverse ...»_

— Satoshi Nakamoto

__Blockchain technology ...__

→ __replaces trust with cryptography and is not capable of creating trust at all.__

→ __supports only non-reversible transactions, and detaches from social and legal contexts.__

→ __undermines legal principles (e.g. Titel & Modus) and confronts injured parties with asserted technical constraints.__

.small[
The DAO case (slock.it) and the recently reported loss at Quadriga are intended and accepted blockchain issues.
]

.footnote[°Highlighting by author, https://bitcoin.org/bitcoin.pdf]

---
class: middle, inverse

# 4. Findings

1. Blockchain applications as IT-systems rely heavily on organized IT-artefacts.
2. The purported lack of ownership melts away when facing miner concentration, hidden hierarchization (master nodes) and source code deployment.
3. The factual IT-organization and each interface offer means to regulate blockchains.
4. Blockchain technology _does not provide trust_.
5. Blockchain DLT-applications require organizations to manage data quality.
6. The high complexity of the technology goes beyond reproducibility even for its own creators.

---
class: inverse

# 5. Conclusions

Blockchain startups fail to deliver the promised benefits, because these vanish into thin air:

--

→ Blockchain technology does not provide trust and cannot eliminate the middleman.

--

→ Legal reflection has to take into account the real actualization of the technology and must not fall into the trap of the illusion of fictional promises.

--

→ __Remaining blockchain benefits (avoidance of double spending, immutability of records) can be utilized by using logical cause-effect reasoning and standardized risk management methods.__

---
class: center, middle, inverse

# 6. Resources

---
.logo[![Chain](shimano2-circle-handout.png)]

## Resources

* Walch, Angela: Deconstructing 'Decentralization': Exploring the Core Claim of Crypto Systems, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3326244, 2019
* MIT Chainletter, https://go.technologyreview.com/newsletters/chain-letter/
* Ebenhoch, Peter
  - Blockchain-Compliance, IRIS 2018 paper
  - Blockchain for GRC-professionals, IACA seminar 2018
  - Organizational dependencies of Blockchains, upcoming
  - Blockchain-Technologien als Babyklappe des gesunden Menschenverstands, submitted for SwissICT conference, fall 2019
* Nakamoto: Bitcoin: A Peer-to-Peer Electronic Cash System, 2008
* Gerard, David: Attack of the 50 foot blockchain, 2017
* The Economist: The trust machine, 2015: https://www.economist.com/printedition/2015-10-31

Contact

- Dr. Peter Ebenhoch, effectas GmbH, 6300 Zug, Switzerland, peter.ebenhoch@effectas.com
- http://www.peterebenhoch.com