Liability with no control

Vitalik Buterin, co-founder of Ethereum, recently authored an article which challenges our basic assumptions on the rule of law in cyberspace. It now behooves the legal community to focus on emerging concepts in and around “decentralized liability”.

In his article, Buterin argues that “control over users’ data and digital possessions and activity is rapidly moving from an asset to a liability.”

He observes that recent regulatory scrutiny over privacy, data localization, the sharing economy, and cryptocurrency have created—or threaten to create—a compliance burden for tech companies and software developers.

As a consequence, Buterin states that the developer mentality has shifted from, “I want to control more things just in case” to “I want to control fewer things just in case.”

Decentralization is thereby offered, albeit indirectly, as a practical means of limiting legal liability:

...the present-day regulatory landscape ... has unintentionally dealt the movement for minimizing ... centralization ... a surprisingly strong hand.... And it would be highly beneficial to the movement to take advantage of it.

The idea, translated into legal parlance, is that a diffusion of control is expected to spread responsibility to the point where no conventional theory of liability makes sense.

Buterin’s observations offer an insightful new operational strategy for internet actors. However, the suggestion that decentralization could limit legal liability is, quite frankly, terrifying for the rule of law and law enforcement in cyberspace.

Courts, legislators, regulators, treaty drafters, and legal academics will need to rethink our traditional understanding of liability as applied to decentralized parties on the internet. This, in turn, will require us to consider new issues in legal personality, liability, fundamental rights, privacy, and international law.

The inquiry must begin with the following new principal issues:

• What is “decentralized liability”?
• How is culpability measured under a theory of decentralized liability? and
• How can decentralized liability be tracked while respecting privacy?

For the purposes of this article, let’s define “decentralized liability” simply as liability that is spread among innumerable actors who themselves are spread all over the world, do not necessarily know each other, and are not organized by any one entity, and whose actions occur over the internet, and have a cumulative and causative effect.

This definition can be used with the legal analysis provided in prior peer-to-peer file-sharing cases. However, those cases have barely scratched the surface of decentralized liability.

The foundational file-sharing case is the 2005 U.S. Supreme Court decision, Metro-Goldwyn-Mayer v. Grokster. In that case, the defendant corporation was aware that its subscribers were using its software to infringe copyright. The courts considered whether it was liable in contributory and vicarious copyright infringement. When the matter reached the U.S. Supreme Court, much focus was placed on the defendant’s objective to cause and profit from its subscribers’ infringement.

Another important U.S. case is In Re: Aimster Copyright Litigation, decided by the Seventh Circuit Court of Appeals in 2003. The court held that the platform’s use of peer-to-peer encryption for user privacy amounted to willful blindness regarding user activities. In particular, the court held that peer-to-peer encryption would not save the platform from liability arising from its users’ copyright infringement.

More recently in Canada, the courts have dealt with decentralized file sharing in cases also arising from copyright infringement. However, the Canadian cases focus on Norwich orders to get subscriber information from internet service providers (ISPs). They do not explore whether a file-sharing platform or protocol invokes liability for being created and operated primarily to enable infringement.

The U.S. Grokster and Aimster line of cases bear the most relevance to decentralized liability, but offer little assistance where the aggrieved parties are users spread across the world; the cause of action is tort (as opposed to copyright infringement); and damage is caused by a decentralized platform or through a protocol developed in open source.

Moreover, there is no judicial consensus on whether filtering requirements can be imposed on ISPs, as a means of preventing illegal online activity close to the source. Filtering requirements have been rejected in Europe, but approved in Australia.

Suffice it to say, the present legal landscape is unequipped to handle decentralized liability and its various proximate issues. We need new legal solutions for these new legal problems.

The following questions are offered as guideposts for thought, in preparation for the inevitable test cases against decentralized actors.

Generally speaking, when liability is diluted between innumerable actors on the internet:

• What is the interplay in the laws of conspiracy and joint-and-several liability?
• What is the threshold for recklessness and willful blindness?
• What is the standard of foreseeability regarding damage?

With respect to liability against specific types of parties:

• Can node owners and their associates be liable?
• Can outsourced software developers and open-source software repositories be liable, notwithstanding applicable indemnity clauses?
• Can the provision of compiled software or raw code, to consumers by a third party software distributor or file server, be sufficient to ground a finding of inducement liability?
• Can a corporate blockchain developer be culpable when: (a) its control persons have a financial interest in the blockchain network’s performance, and (b) it effectively has no control over network operations and performance?

With respect to development and operational practices:

• Is the line between a bug and malicious code a question of law, or a question of fact requiring expert evidence in every case?
• How is proximity to a bug or malicious code established, when innumerable developers have been involved on a long-term project and there are persistently poor code-commenting practices?
• Should discriminate data-routing attract liability, or be treated like “link-forwarding” in the context of cyber-defamation?
• To what extent is the practice of pushing updates on users capable of focusing liability on specific parties?

With respect to jurisdiction and private/public international law issues:

• Is a corporate defendant’s registered address relevant when the insiders and beneficial shareholders are spread all over the world?
• Is the location of node clusters a suitable standard for establishing jurisdiction?
• How should state sovereignty and international comity apply to prevent unworkable problems of concurrent jurisdiction among innumerable courts spread all over the world?
• When any country’s law could conceivably apply, and there are many points of conflict between national laws, how should the applicable law be determined
• Can public international law be invoked when nations do not take minimum reasonable measures to prevent their citizens from contributing to decentralized tortious damage?

Special thanks to Idan Levy for his valuable research assistance in the preparation of this article.