Dr Stephen Castell explains why IT professionals need to watch out for crypto-hype and be alert to the problems ahead.

There is currently a crypto-algorithmic blockchain technology mania. Huge amounts of money, commentary, thought, ink and new paper column inches are being lavished on blockchain based technologies such as cryptocurrencies, smart contracts and distributed ledgers.

It seems almost every millennial is involved with an initial coin offering (ICO) or initial token offering (ITO). A few of these may prove to be commercially successful. They may establish a new crypto-economic paradigm. I wish these crypto-enthusiast millennials well. Indeed, I have dubbed crypto the millennials’ rock’n’roll.

I, myself, suggested just such a new, disintermediated wholly digital cash currency, in a letter published in Computing magazine, July 1995: ‘... As cyber trading grows, the new, powerful common electronic trading currency will be ‘owned’ by no single physical nation state, central bank institution, economic or political grouping. We could ... call it the ECU..., ... the Electronic Cash Unit.’

Returning to now, most agree that, in order to protect consumers and investors, this new blockchain-based digital economy is in need of some regulation. The Delta Summit was held in Malta in early October 2018. In front of 4,000 attendees, Dr Joseph Muscat, Malta’s Prime Minister, announced three new acts positioning his EU island as a leader in regulating blockchain applications, ICOs, cryptocurrency trading and, more widely, digital innovation. These acts were:

  • Malta Digital Innovation Authority Act (MDIA Act)
  • Innovative Technology Arrangements and Services Act (ITAS Act)
  • Virtual Financial Assets Act (VFA Act)

Blockchain: Sceptical IT professionalism and legal due diligence

Experienced IT experts should, however, be cautious about crypto-economics hype. There are no finalised standards yet for blockchain (eight are in development under ISO / TC 307). It should also be remembered that there is far more to specifying, designing, developing, testing, deploying and maintaining an appropriate complete QA-assured system than just the blockchain element.

It’s also essential to evaluate whether blockchain is the right component for a given business or system requirement. A diligent IT systems engineer may conclude that many things can be achieved just as effectively by other means.

Notwithstanding Malta’s regulatory initiative, the legal status of cryptocurrency, smart contract and distributed ledger technology is also generally neither clear nor settled. In the USA, there is already ICO litigation on foot. Having been involved in advising on ICOs, I have encountered significant tensions between the crypto-enthusiastic, blockchain technical specialist, and the sober business development objectives of, and the professional due diligence to be done for, the ICO-issuing company owner or executive.

The right to be forgotten

Furthermore, the ‘right to be forgotten’ could become a significant barrier to the ubiquitous introduction of blockchain software and technology. The General Data Protection Regulation (GDPR), in force from May 25, 2018, includes Article 17: ‘Right to erasure (‘right to be forgotten’)’ ... (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.

With the ‘permanence and immutability’ of its written data records, blockchain is potentially unable to be compliant with the GDPR right to erasure. The meaning of ‘erasure’ in English is strong: eradication, obliteration, or destruction. Simply ‘putting data beyond use’ is unlikely to satisfy the GDPR for data privacy. Setting record delete flags, ‘losing’ cryptographic keys, or overwriting hash tables may not be sufficient to qualify as erasure.

If Article 17 sought to provide only for ‘putting data beyond use’ its drafters would surely have said so. There are established legal precedents and court orders on data records, recording media and destruction (and certification thereof). There are also corporate, industry and professional standards as regards record retention and destruction, and statutes providing requirements and guidelines for public bodies as regards citizens’ records disposal.

Until recently, widespread use of requests by applicant data subjects to be forgotten may have seemed fanciful. But, since the Cambridge Analytica allegations, anyone using social media is now well aware of the right not to have personal data used for purposes for which they were not originally, and freely, provided.

For those unaware of the Cambridge Analytica story, it was claimed that this data analytics firm used personal information harvested from more than fifty million Facebook profiles - without the data subjects’ permission - to build a system that could target US voters with personalised political advertisements based on their psychological profile.

Even before GDPR, though, the English courts had already upheld such a critical request. Specifically, Google lost a landmark ‘right to be forgotten’ case when a businessman took legal action to force removal of search results about his past convictions.

Future issues

The future issues that IT systems professionals may be asked to investigate and analyse, and upon which to provide analyses are likely to be varied. Below is a list of possible topics.

Cryptocurrency ICOs/ITOs, trading and exchanges
Allegations of false or negligent representations in white papers.

Failure to carry out due diligence as to project viability, systems integrity, quality standards, financial probity and implementation rigour. For example, under the Malta ITAS Act, registered systems auditors provide assessment and opinion in regard to the ‘certification of innovative technological arrangements.’ Their workings are likely to be open to independent expert investigation in the event of disputes

Consequential losses: money lost, businesses going bust, causality.

Operational systems failures: the blockchain may be robust and reliable, but interconnected systems need to be specified, designed, coded, constructed, tested and commissioned to IT industry and professional standards.

Consequences: assessment of outages, unreliability of service, data failures or faults, data going missing; unable to conduct reliable business, smart contracts corrupted, distributed ledgers not capable of being trusted.

Apportionment of causality and liability for damages, losses and compensation.

Blockchain and GDPR Article 17:
Requests ‘to be forgotten’ by data subjects: where personally identifiable data are held on ‘permanent and immutable’ blockchain records, advice and management of implementation of court orders granted for ‘erasure’.

Efficacy of proposed/implemented erasure techniques, transactions and processes.

Verification of the erasure carried out: proof of correctness and completeness.

Assistance with regards to the validity of requests ‘to be forgotten’; confirmation of the reliability and security of erasure carried out; reasonableness of any possible / proposed fines or penalties imposed.

Ownership of IP:
Whether relying on third-party blockchain platforms, or developing in-house blockchain software, anyone seeking to build blockchain-based applications runs the risk of IP infringement (there are as yet no ISO standards, and already more than 650 blockchain patent applications filed with the US Patent Office).

Assessment of impact, consequences, remediation: e.g. litigation over patents and software copyright.

Expert investigation, search and advice with regards to Prior Art, and / or Lack of Inventive Step, for patent infringement actions and challenges to the original Grant of Patent.

Advice and guidance in connection with negotiations with patent or copyright owners over use restrictions, licence fees, and development capability.

I have been involved as expert witness in some of the largest contractual disputes over computer software and systems failures to reach court, with damages claimed in the hundreds of millions of pounds. Nearly twenty years ago, in the USA Foxmeyer case, the failure of an entire substantial multi-billion corporation was due to the faulty implementation and management of a major company-wide computer systems upgrade project.

Clearly, whether as disastrous as those or not, blockchain systems and software failures, disputes and litigation could also become an equally active area for IT experts.

Dr Stephen Castell CITP MEWI is Chairman of CASTELL Consulting, and is an award-winning independent IT expert, management consultant and project manager professional, with extensive experience in risk assessment, quality assurance and dispute resolution.