In short, blockchains may provide the architecture framework that makes possible the so-called Fourth Industrial Revolution that brings “bits and atoms” together and thrives off massive amounts of processed, global information. It makes the aspirational goal of an Internet of “open data” possible. With this, we might free up the world’s data so that smart people everywhere can work with it. Open access to data should better enable humankind to collectively figure out solutions to our many problems and make better products more efficiently. It is an extremely empowering concept.
Code Is Not Law
As we’ve said elsewhere, there’s no guarantee that this sweeping vision of a new enabling platform for the global digital economy will come to fruition. In addition to various technological and internal governance challenges, which we’ll address in coming chapters, there are numerous external barriers to adoption. There are also some thorny questions to resolve before blockchain technology or any other decentralized trust system can comprehensively underpin the world’s transactions and information exchanges.
The challenges include those posed by regulators, who are struggling to keep up with the category-defying changes that cryptocurrency poses. It took two years for the New York Department of Financial Services to come up with its benchmark-setting BitLicense regulation for money transmission with digital currencies like bitcoin. By the time it was enacted in 2015, the crypto world had moved on to smart contracts and Ethereum; now it’s all about utility tokens, initial coin offerings, and decentralized autonomous organizations—none of which were foreseen by the regulation’s authors. One risk is that regulators, confused by all these outside-the-box concepts, will overreact to some bad news—potentially triggered by large-scale investor losses if and when the ICO bubble bursts and exposes a host of scams. The fear is that a new set of draconian catchall measures would suck the life out of innovation in this space or drive it offshore or underground. To be sure, institutions like the Washington-based Coin Center and the Digital Chamber of Commerce are doing their best to keep officials aware of the importance of keeping their respective jurisdictions competitive in what is now a global race to lead the world in financial technology. But we live in unpredictable political times in which, to say the least, policy-making is not being guided by rational, forward-thinking principles. The sheer lack of clarity on the intention of regulators and legislators is itself a limit to the technology’s progress.
We are going to need regulations—a framework for understanding how the new organization and governance models of blockchain logic can be interpreted by traditional legal systems, whether based on old or new laws. How do we legally define ownership of a digital asset when rights to it come down to control over a private, anonymized key? Where do jurisdictional responsibilities lie when a blockchain ledger is shared around the world or when there’s no way to know which computers within a global network will execute the randomly assigned instructions contained within a smart contract? Advocates for these new ideas might argue that new laws aren’t needed, but they can’t make the claim that they deserve some kind of exemption from regulation altogether. The online world is not a world unto itself; it exists as a subset of the broad framework of laws and norms that we’ve built up over the centuries.
Some libertarian-minded crypto enthusiasts who want to live entirely by the rules of a blockchain and free themselves from dependence on government are fond of citing the phrase “code is law,” used by Harvard professor Lawrence Lessig. Some have over-interpreted this message. Lessig never meant that software code could be a substitute for real-world law, that all disputes would be resolved by these automatic machines, only that code shares some of the qualities of law in the way it proscribes the behavior of computing components. To see code as a substitute for the law is to reduce the latter to something far smaller than what it is. If the law were merely a set of instructions and rules, then yes, perhaps we could just have computers, working together in algorithmic concert, arbitrating and executing all of our digital exchanges with each other. But the law goes much, much deeper and much, much broader than that. The philosophical question of “what is law?” can prompt a host of different answers, but the more you dig into the concept the harder it is to separate law from what Carl Jung called our “collective unconscious,” a set of ideas about how to treat each other that we’ve inherited from prior generations and iteratively altered over millennia. It’s simply not something we can reduce to computer code.
No episode brought this lesson home more forcefully than the debacle of The DAO attack of June 2016. The DAO stands for The Decentralized Autonomous Organization. In using this name, the founders of The DAO appropriated an acronym that had until then been used as a generic description of a variety of new, and potentially valuable, systems of automated corporate management and attached it to an extreme expression of techno-anarchic ideals. The DAO was an investment fund established by Slock.it, a smart contracts development group founded by Ethereum’s former chief commercial officer, Stephan Tual, and two others. This entity, The DAO, was to be entirely managed by software code—no CEO, no board of directors, no managers of any kind. This kind of thing had been talked about in theory, but these guys were the first ones to give it a shot. The basic idea was that the platform would allow the fund’s investors to vote on how to allocate its money—that is, to select from a variety of proposed projects. The idea was that a more democratic, and supposedly superior, investment logic would emerge than that of traditional funds, where fund managers’ interests don’t always align with those of their principals.
It was pie in the sky to the moon, and then some. Investors were invited to buy DAO tokens with ether, Ethereum’s native currency, giving them a stake in The DAO fund. Decisions on investments would depend on token holders’ votes on submitted business proposals. After that, the contributions, dividends, and distributions would all be handled according to the Ethereum-based smart contract that ran The DAO. The concept sparked an inordinate amount of excitement among decentralization utopians within the crypto community, who saw it as a way to prove that effective economic decisions could be made without relying on third-party institutions, whether private or government.
Lawyers expressed concerns about the lack of redress in the event of losses, and respected cryptographers such as Zcash founder Zooko Wilcox-O’Hearn and Cornell professor Emin Gün Sirer gave grave warnings about flaws in the code that would allow a clever hacker to siphon off funds. Despite this, investors poured $150 million of ether into DAO tokens in just twenty-seven days. It was, at the time and at that valuation, said to be the biggest crowdfunding exercise in history.
As it turns out, the whole concept was doomed by defects unnoticed by founders and investors blinded by hubris and idealistic faith. In the pitch documents explaining the terms of the deal, Slock.it said, “The DAO’s smart contract code governs the Creation of DAO tokens and supersede[s] any public statements about The DAO’s Creation made by third parties or individuals associated with The DAO, past, present and future.” This was a bold—and, as it would turn out, poorly conceived—statement. It pushed Lessig’s “code is law” concept to an extreme interpretation, a literal interpretation. They wanted to eliminate humans, and their fuzzy, subjective notions of what is right and wrong, from the equation.
The flaw in this logic was soon made apparent. In the early hours of Friday, June 17, 2016, monitors of The DAO’s ether account realized that it was being relentlessly drained of funds. A massive attack was under way by an unidentifiable participant who’d figured out that if he or she wrote a program to interact with the smart contract, it could constantly ask for and receive funds, sent to a copycat DAO that they controlled. The attacker built a virtual version of an out-of-control ATM, one that could not be turned off by the now autopilot-managed DAO system. Before they locked the attacker out, he or she siphoned off almost $55 million worth of ether.
The panicked organizers now found themselves in legal no-man’s-land since they had declared that nothing