For blockchain it's time to face up to governance and regulation

Governance of decentralised systems is an unlikely 'hot' area for researchers, technologists and lawmakers alike

Governance and regulation. These words don't sit at all well with blockchain and its revolutionary foundational credo. But as cryptocurrencies have multiplied and use cases for blockchain have grown, so, like it or not, have those necessary evils.

But the global extent of public decentralised networks and the fact that most are open-source community-led projects present some unique challenges in ensuring that decision-making power and control do not become concentrated in one place - i.e. that they remain 'decentralised' - while avoiding decision-making paralysis and inefficiency. Then there's the complication of cryptocurrency tokens.

Tokens are central to the functioning of many decentralised networks, providing the fuel for their internal markets and incentivising good behaviour, but they are also sold to raise funds and traded speculatively.

Of particular concern to regulators like the US SEC is whether tokens should be seen as utilities, and therefore beyond the scope of financial regulation, or securities in which case a whole heap of rules apply. Regulators are also digging into the exchanges where cryptocurrencies are traded. Know Your Customer (KYC) and Anti-Money Laundering (AML) laws are now in force in many countries, notably the US.

Outside of the financial arena, there is much discussion about how data protection regulations such as GDPR should apply to systems for which they were not designed; and within the projects themselves, many are struggling to work out how to allocate decision-making power without inadvertently replicating the centralised model they are trying to replace.

For these reasons, in the 'Web 3.0' world, governance is suddenly a word on everyone's lips.

Beyond bitcoin

The upswell of revolutionary idealism that greeted bitcoin had its roots in the birth of the web two decades earlier. In 1996's A Declaration of the Independence of Cyberspace, John Perry Barlow wrote of a digital utopia free from intrusions by governments of the industrial world, but by 2009 that dream was gone. Then along came bitcoin and its promise to make government obsolete, and the passion reignited.

So far at least, cryptocurrency has not led to the collapse of the banks, but as blockchain use cases proliferate beyond bitcoin, inevitably there are many more points of contact with the rest of the world. It is here, in the exchanges, wallets and interfaces with other networks, that the need to clarify the rules of engagement becomes unavoidable.

Far from ushering in a utopia, the lack of rules embedded in the original web has caused all sorts of problems, allowing the rapid spread of disinformation, malicious bots, fraud and data insecurity, commented Jamie Burke, CEO of Outlier Ventures, an incubator and investor in decentralised, AI and IoT technologies. And if we extrapolate those trends into the vastly more complex landscape of smart cities and autonomous trading bots that make up the emerging Web 3.0, we ain't seen nothing yet.

"We really need to be thinking about how we can design for more rules-based web," Burke said. Decentralised networks offer this potential, but decentralisation is not enough.

More decentralised than thou

Decentralised, peer-to-peer networks are a major technological breakthrough, allowing disparate individuals and organisations to reach agreement on actions and transactions in the absence of a central authority. While use cases are still emerging, they could be the basis for inclusive, secure and transparent systems covering many aspects of public and private life. But some are more decentralised than others in their operations and governance structures. Does this matter, and if so why and in what contexts? Unsurprisingly, it's complex.

Ben Koppelman is a governance specialist who has advised both government policymakers and blockchain and AI startups. There is an urgent need to start thinking beyond the technology, he argues. Leaving everything to automated algorithms and smart contracts as suggested by some technologists is a simplistic solution to a complex set of social issues, yet that's where we are.

"In a space dominated by engineers, the race to build things with new tech means the more social science side of things is often seen as an afterthought or a metric that can be worked out like any other," he said.

Yet people are not so easily excluded from the calculus: witness the failure of the DAO.

"Just because they're anti-government, the ideologues in bitcoin thought that politics somehow evaporated, but I always thought that was nonsense," he said. "There are still people involved. There's no such thing as a pure technology; it's always embedded in social systems. Just because the architecture is decentralised, that doesn't mean power is decentralised."

Decentralisation can become a mantra, a goal in itself. It may seem very new, but there are parallels elsewhere and not only in tech. In the political sphere, decentralisation has been in vogue, off and on, since the Second World War, but efforts such as introducing markets into public services have rarely lived up to their sales pitch as a panacea for moribund hierarchies, Koppelman points out. While there have been some successes, they are usually a result of many other factors coming together too. Decentralisation is necessary but not sufficient, and since responsibility is more diffuse, it may bring further governance problems of its own.

As with government, so it is with networks. Decentralisation alone will not guarantee a more equitable system. Without checks and balances, it's likely that the core developers of a decentralised network such as a blockchain will become very powerful indeed; after all, it is they who understand the complex technology, and it is they who release updates to the code. This tension has already caused conflicts within the bitcoin community and others, revealing that the network may be decentralised but political power certainly is not.

What projects need, Koppelman said, are carefully designed systems, a separation of powers by which responsibility for approval of new code and its implementation are devolved to the wider community of users.

At the interface

Crypto-tokens provide the networks' incentive layer, rewarding good behaviour and making bad behaviour prohibitively expensive. As such, tokens provide utility, enabling internal markets and providing a built-in governance structure of sorts. But these tokens are bought with fiat currencies on exchanges and increasingly those exchanges are subject to local or international regulations.

Moreover, with each network essentially a self-contained entity, what happens when they are integrated (which they inevitably will be)? Will there be some sort of API where the currencies are exchanged at the border, or will a single currency be adopted, and how will this affect the internal markets and governance? If currencies are exchangeable between networks, will that change their classification from utility to security in the eyes of important regulators like the SEC? And if KYC rules are applied to cryptocurrencies, what does that mean for anonymity and security if a database of personal information must be stored somewhere?

For Koppelman, it is exactly at these interfaces between systems where workable rules need to emerge, and the rules will need to be multijurisdictional. Exchanges can be anywhere in the world.

The local nature of current regulation is problematic for those like Burke who see Web 3.0 as a global public utility. There needs to be more innovation alongside the distributed ledger technologies (DLTs) to make this work, he said, but at least the regulators seem to be getting to grips with the fact that cryptocurrencies should not all be regulated in the same way.

"It's a slightly painful journey, but the fact that the SEC has effectively said that ethereum is not a security indicates that they fully understand the distinction, as do other regulators, but they're wanting to control all the naughty stuff happening alongside it."

GDPR - a poor fit for decentralisation

GDPR was being drawn up at the same time as blockchain was emerging. Inevitably then, it fails to take into account the unique properties of decentralised systems that could be beneficial for its stated aim of handing control of data back to individuals.

Gavin Johnson is a technology lawyer at aGenium who's involved in a construction sector blockchain project being designed at University College London aimed at alleviating cash flow constrictions in large projects. He also advises a number of decentralised startups.

An obvious sticking point, he says, is the GDPR's right of erasure (right to be forgotten). This does not sit well with the immutability that makes blockchains such a powerful tool for audit and might preclude storing personal data on them. However, a saving grace might be the encryption used by most decentralised ledgers and storage systems. One-way hashing or encryption of personal data might be enough to make it anonymised or at least pseudonymised in the eyes of the law, but as yet no requirements or guidance have been published.

Another issue is the difficulty in identifying the key responsibilities of 'data controller' and 'data processor' on which GDPR hinges. Applied to a decentralised system, the labels may be meaningless.

With no test cases to draw on and many details to be worked through, it's hard to predict the final shape the rules will take, but Johnson believes that GDPR, with its emphasis on individual control, will ultimately be positive for decentralised systems.

"I think the real power of blockchain is individualisation. I can hear the idealism that comes screaming out when I say that, but that's what it's about, putting you back in control," he said. "The right to be forgotten is very powerful, and if you make the individual responsible for their own data … then something like [Cambridge Analytica scandal] should never happen again. So GDPR is moving in that same direction."

After the gold rush

ICOs (initial coin offerings) - or token sales - broke new ground in the way they allowed decentralised projects to fund their work without having to go through the usual routes of venture capital or bank loans. Until recently, regulators could be bypassed too.

"ICOs are an interesting way of funding," said Johnson. "With an IPO you have to sacrifice part of your company, and if you cede control to some VC firm or another investor they don't know what you're doing, they don't know what you can do because they're not well enough informed."

During the crypto gold rush of 2016-17, a fair few of the startups that raised millions through ICOs were exposed as incompetents, chancers or fraudsters, leading to a loss of faith. Inevitably legislators stepped in, and raising money this way is much harder now, particularly given the crash that followed the boom.

Johnson advises the startups he's involved with to get on the right side of the regulators as soon as possible. Certification is a badge of trust, he points out, an important differentiator where that commodity is in short supply. Two years ago this might have alienated as many as it reassured, but not now.

Koppelman believes the ICO might just turn out to be one of the most important innovations to emerge in the blockchain era, equivalent to the invention of the stocks and shares which funded the industrial revolution. Regulators will need to be careful not to snuff out the spark by heavy-handed application of the rules.

Identity in crisis

Digital identity is a cornerstone of the way advanced societies work, but the way it is treated now in the online world is problematic, insecure and piecemeal, with usernames, passwords, government records, and other identifiers held in separate centralised silos.

One of the most attractive promises of decentralised systems is the possibility of self-sovereign identity. In this model the user creates their own unique digital documents (or decentralised identifiers, DIDs) and these remain under that individual's control. These DIDs can be augmented with other identifiers and cryptographically certified by relevant authorities, so for example, someone wanting to prove their age or that they are licensed to drive could hand over a digital certificate signed by the authorities without having to reveal any other information about themselves.

Thus, your 'identity' is made up of a collection of many attributes, including pseudonyms, all of which are under your control and can be stored where you like.

Much work is ongoing in this area, including at startups like Sovrin (which is supported by Outlier), in a W3C group led by Microsoft, and in experiments with systems based on reputation as a proxy for identity. But for DIDs to be truly portable across systems, regulations such as the European electronic identification, authentication and trust services regulation (eIDAS), certain aspects of GDPR and many other regulations will need clarification.

At present there are many more questions than answers when it comes to governance of decentralised systems, which is why it has become an unlikely 'hot' area for researchers, technologists and lawmakers alike.

An extended version of this article is available in Computing's market intelligence service Delta
