Who's Responsible? On Legal Liability in Decentralized Systems

Having your cryptocurrency stolen is one of those things that seems like it could never happen to you - until it does.

Hacked exchanges. Fraudulent exchanges. Phishing attacks. Your money has been stolen, and nobody knows about it except for you, alone and aghast at your computer screen, and perhaps the hacker who is piling up stolen funds to buy that Lambo they’ve been dreaming about.

No, but seriously. When David Marcus, the current head of Facebook’s Libra project was grilled during the Senate Hearing on Libra several weeks ago, Senator Kyrsten Sinema (D-AZ) posed an important question about legal liability--one that Marcus seemed hesitant to answer.

Sinema described a scenario in which a scammer based in Pakistan uses an exchange in Thailand to scam an Arizonan whose wallet is issued by a company in Spain. Because Libra is based in Switzerland, she asked, which regulator would the Arizonan contact to seek help?

US Senator Kyrsten Sinema (D-AZ) during the Libra hearing.

After several misfired answers, Marcus said that the Arizonan would need to contact the wallet provider in order to seek recourse for their stolen funds.

However, the question, and Marcus’ hesitancy in answering it, seemed to reveal an important disconnect in the way that Marcus and the Libra team are thinking about the project. After all, regulations regarding criminal activity in something as global as the cryptocurrency industry is a rather sticky wicket - which regulators should the users of any cryptocurrency or crypto-related service provider turn to in the event of a crime?

What's more - when dealing with decentralized networks, who can be held legally responsible for bad things that happen?

And it seems that this disconnect is all but unique to Libra--the creators of many crypto coins and crypto platforms often lack in proper protocol when it comes to liability. Additionally, regulators themselves still tend to fumble when presented with questions of legal liability in the cryptosphere.

To be fair, there isn’t much legal precedent to build off of here - but when something goes wrong in the cryptosphere, who is legally liable?

And what’s more - who can users turn to for help? Should they call the police? The FBI? A lawyer? Or should they be able to rely on the service’s operators or the coin’s creators?

Can cryptocurrency service providers be held accountable?

The (perhaps unfortunate) truth about legal liability in the cryptosphere is that there’s still a lot of gray area.

Take, for example, Libra. Hacked wallets and fraudulent wallet providers aside, who can be held responsible when something goes wrong on the network directly? For example, if the network was hacked due to a vulnerability in the Libra Blockchain ’s protocol?

“The answer may depend on what exact company or Libra association participants are hacked,” explained Jimmy Nguyen, president of the Bitcoin Association and Bitcoin SV advocate, “It’s possible only the hacked entities would hold legal responsibility to users, though the association could also implement agreements to ‘socialize’ the loss to be shared among other Libra network members as well.”

Jimmy Nguyen, President of the Bitcoin Association and BitcoinSV advocate.

However, in terms of cryptocurrency networks more generally, there are a few more important factors to take into account before determining legal liability. “[Liability] depends on whether the cryptocurrency network is truly decentralized or not, and also on what goes wrong,” Nguyen said. “ If the private issuer of an ICO or similar-type token engages in a scam, it is easy to identify that issuer for legal claims.”

As an example, Nguyen pointed to the Ripple Network, “which is created by a private company (Ripple Labs).”

“While it has an open-source protocol and uses a network of participating financial institutions, it would be very difficult for Ripple Labs to avoid responsibility for legal issues on the network,” he explained, adding that “indeed, Ripple Labs has been the subject of a FinCEN case which resulted in a monetary penalty, a Department of Justice settlement, and several class-action lawsuits – related to conduct with respect to the XRP token and associated Payments network."

Braden Perry, a litigation, regulatory and government investigations attorney with Kennyhertz Perry, said that the liability of a blockchain’s creator would very much depend on the legal arguments that were being made in a particular case.

“I’m sure a crafty attorney would create some legal arguments that the administrators of a private blockchain network would have some potential liability, but to my knowledge that has yet to be tested,” he told Finance Magnates.

“These private blockchains may be considered to be joint ventures, with liability to its owners and operators. Exchanges, for example, have been held liable, including Mt. Gox and Bitfinex. I could see some data privacy or negligence issues with coding and control of the private networks, but the application of the law and liability questions would be complex.”

”Exchanges [and operators of other kinds of crypto platforms] will clearly have legal liability in the countries where they hold a regulatory license and where they have operations.”

Nguyen explained to Finance Magnates that one thing is for sure, at least when it comes to jurisdiction: “exchanges [and operators of other kinds of crypto platforms] will clearly have legal liability in the countries where they hold a regulatory license and where they have operations,” he said.

Additionally, “exchanges should also have legal liability in every country where they accept users (beyond perhaps any incidental use which the exchange could show it did not intend to allow).”

Perry agreed, providing a specific example--“generally, exchanges that do business with US customers are subject to US laws. It can be difficult for service and other legal issues, but an exchange user doing business with a company, wherever they are located, can bring an action and are subject to US laws.”

Braden Perry, Partner at Kennyhertz Perry, LLC.

Nguyen added that however, “this is a difficult area to police as the cryptocurrency world is both digital and global,” and that this is why the crypto industry should work “to build an ecosystem that is government and regulation-friendly across all geographies.”

What about scammers?

Unfortunately, however, some exchanges and other kinds of crypto platforms are intent on not being regulation friendly. They are intent on either scamming users directly or providing platforms for financial crime and other kinds of do not offer clear information--or any information on how they can be contacted.

Even if the platform provider is relatively easy to reach, it’s likely that there’s no legally-enforced guarantee that they will be able to reimburse hacked users for their losses or to help them at all.

“Typically, fraudulent operators are not properly licensed or regulated as they should be,” explained Perry. “They hide their locations and identities and locations and are very difficult to track down.”

Perry explained that this is part of the reason why “takedowns” of fraudulent actors in the crypto space and other kinds of illicit internet-based businesses, such as Silk Road’s Ross Ulbrecht, are still a rare occurrence. “It happens, but not often and too many times fraudulent and illicit actors simply shut down after they know they’ve been exposed and move on to a new scheme.”

Nguyen pointed to two other successful examples of legal takedowns within the crypto space: “the U.S. Department of Justice’s shutdown of Liberty Reserve in 2013, and the criminal prosecution (and conviction) of Mark Karpeles, the former CEO of the doomed Mt. Gox exchange.”

Can law enforcement really help?

So, when fraudulent activity takes place--and the platform provider isn’t necessarily in the users’ home country--where can they turn?

Perry explained that in the US, “Users can still go to the FTC with international scam information.”

“The FTC can investigate and work with other countries law enforcement and regulators to attempt to address the situation,” he said. “It is complicated, though. And usually takes longer than the user would like if any redress can be made.”

However, outside of the US, Nguyen said that “if they have been cheated, cryptocurrency investors should report the culprit to applicable government agencies (such as the financial and securities regulatory agencies) in their home country where the investor held and used their account with the exchange or platform.”

“They should also report to government agencies in the country or countries where the exchange or platform claims to hold any regulatory licenses; if an agency issued the exchange’s regulatory license, that agency will definitely want to know about any questionable activities by the licensed exchange.”

And while local law enforcement probably won’t be able to help a user whose funds have been breached, contacting police or other on-call law enforcement agencies may be a useful thing in the long run. At the very least, local law enforcement agencies may be able to direct victims to the proper authorities--though some in the crypto community are doubtful.

But where authorities may be unable to take proper action, private companies have stepped up to take the lead. For a price, there are a number of companies that can help hacked users track down their stolen Bitcoins.

Still, it seems like it’s going to be a while before these services are free and equally available for everyone. And until then, in the words of BitcoinTalk user RodeoX--we are more or less “on our own.”