LEGAL AND REGULATORY INTERVENTION IN THE CRYPTOCURRENCY SPACE

• Author: LAU Chin Yang Joseph1 BA (Oxford), LLM (Intellectual Property and Technology Law) (National University of Singapore); Teaching Assistant, Faculty of Law, National University of Singapore.
• Publication year: 2021
• Citation: (2021) 33 SAcLJ 10050
• Published date: 01 December 2021
• Date: 01 December 2021

I. Introduction

1 In 2008 “Satoshi Nakamoto” posted a whitepaper describing “Bitcoin”,2 the dominant cryptocurrency which laid the ground for all subsequent cryptocurrencies.3 A “cryptocurrency” is a system which meets the following conditions:4

(a) it is distributed and achieves consensus on its state;.

(b) it keeps an overview of digital representations of value (referred to as “cryptocurrency units” in the interest of convenience) and their ownership;

(c) it defines whether new cryptocurrency units can be created. If new cryptocurrency units can be created, the system defines the circumstances of their origin and how to determine the ownership of these new units; and

(d) ownership of cryptocurrency units can be proved exclusively cryptographically;

(e) it allows transactions to be performed in which ownership of the units of cryptocurrency is changed; and

(f) if two different instructions for changing the ownership of the same units of cryptocurrency are simultaneously entered, it performs at most one of them.

The first commercial use of Bitcoin was a purchase of pizzas for 10,000 BTC.5 At the time, 1 BTC was worth US$0.0025.6 Bitcoin has since increased in value and usage. On 18 July 2020, 1 BTC was worth around US$9,122.11.7 In terms of usage, whilst knowledge of Bitcoin was once confined to Internet forums,8 it is now legal means of payment

in Japan.9 Simultaneously, other cryptocurrencies like NEO and Ether have emerged.

2 While cryptocurrencies are increasingly ubiquitous and valuable, they are not without risks. In 2018, Europol estimated that 3–4% of illicit proceeds in Europe were laundered through cryptocurrencies and there are reports of terrorist groups soliciting support in Bitcoin.10 These risks have not gone unnoticed: Singapore has passed the Payment Services Act 201911 (“PSA”), under which cryptocurrency dealing or exchange services are “digital payment token” services subject to anti-money laundering (“AML”) and counter financing of terrorism (“CFT”) requirements.12

3 However, some argue that legal and regulatory intervention in the cryptocurrency space is neither necessary nor feasible. In terms of necessity, these arguments focus on the data structure used by many cryptocurrencies, known as “blockchain”:13 a distributed digital ledger using cryptographic algorithms to verify the creation or transfer of digital records in a distributed network.14 As the blockchain purports to create an “immutable” system safe from fraud, identity theft or tampering,15 some therefore argue that no legal or regulatory intervention is required to

police cryptocurrency networks16 that use blockchains against fraudulent conduct. Instead, such networks may rely on the “immutability” of blockchain to disincentivise abuse.17

4 As for the feasibility of intervention, four issues are commonly raised. Firstly, there is frequently no single entity controlling a cryptocurrency network,18 seemingly presenting no target for intervention to ensure its compliance with laws and regulations. Secondly, users of some cryptocurrencies transact on these networks using pseudonyms, complicating the identification of the accused or defendant for the purposes of proceedings based on transactions on these networks.19 Finally, cryptocurrency networks are distributed internationally, raising questions regarding the issues of jurisdiction20 and governing law for

proceedings based on transactions on such networks.21 In addition to these issues, which stem from the allegedly “trustless” and “decentralised” nature of cryptocurrencies, the “immutability” of blockchain also poses challenges for legal and regulatory intervention. For instance, the General Data Protection Regulation22 (“GDPR”) and Singapore's Personal Data Protection Act 201223 (“PDPA”) require rectification or erasure of data in certain circumstances. The “immutability” of blockchain therefore appears to render cryptocurrencies using it incapable of compliance with the GDPR or PDPA. Collectively, these challenges suggest that legal and regulatory intervention in the cryptocurrency space is impossible. This article queries the truth behind such claims, which can be broken down into three basic propositions:

(a) cryptocurrencies are “trustless”, “immutable” and “decentralised”;

(b) these traits render cryptocurrencies self-regulating; and

(c) cause cryptocurrencies to defy legal and regulatory intervention.

A deep dive is taken into the technology behind cryptocurrencies, with the accuracy of the above statements being tested against the capabilities and limitations of that technology. In discussing (c), this article goes one step further and makes proposals on how courts and regulators can address the challenges for legal and regulatory intervention posed by cryptocurrencies. In canvassing all the above, this article adopts the following structure. In part II of this article, the technology behind Bitcoin is explained to provide the requisite technical background; (a), (b) and (c) are discussed in Parts III, IV and V below respectively.

II. The technology behind Bitcoin

5 Many cryptocurrencies are based on Bitcoin, such that understanding the technology behind Bitcoin allows one to appreciate

the mechanics of a wide range of cryptocurrencies.24 Information on the Bitcoin network is stored on a network of nodes.25 Copies of the “ledger” (the record of transactions on the network)26 are stored on each full node,27 with all copies of the ledger being continuously updated. The ledger takes the form of a blockchain, whose accuracy is maintained through a process of peer-validation.28 Understanding how this works requires an explanation of “private” and “public” keys. “Private keys” are numerical identifiers unique to each user of the Bitcoin network and which are private to the user to whom they belong.29 “Public keys” are generated from private keys30 and, when run through hashing algorithms, produce “addresses”31 (hashing algorithms convert input data into a “hash” which is unique to the input data from which it was derived — any change in that data produces a different hash).32 “Addresses”, analogised to bank account numbers, identify the “accounts” from which users of the network exchange BTC.33 Public keys and their corresponding addresses can be shared with other users of the network34 and are “pseudonymous”, meaning that they do not, in and of themselves, reveal the identity of their owners, enabling parties to transact on the network without disclosing their identity.35 However, it is inaccurate to say that users of the Bitcoin

network are incapable of being identified and hence “anonymous” (ie, of unknown name),36 as all transactions involving their public keys are recorded on the blockchain and it remains possible to use this information to tie public keys to their users.37

6 Equipped with this understanding, we follow a transfer of 5 BTC from Alice to Bob. To do this, Alice creates a transaction message containing, inter alia, her and Bob's addresses, the amount to be transferred to Bob's address and Alice's “digital signature”.38 Digital signatures prove that transactions originate from transferors, without transferors having to disclose their private keys.39 They are generated by combining a user's private key with the transaction message in an algorithm and the user's public key can then be used to verify that the transaction message originated from that user.40 Returning to the example of Alice and Bob, to affect the transfer, Alice first broadcasts the transaction message for verification by nodes known as “miners”.41 Miners bundle all unconfirmed transactions into “blocks” and compete to verify them in a way which other miners will accept.42 Part of the verification

process involves checking that Alice's digital signature is correct43 (see Figure 1 below).

Figure 1

7 However, the correctness of Alice's digital signature only establishes that the transaction originated from her — it does not establish that she had 5 BTC to transfer to Bob.44 To tackle this problem and ensure the veracity of transaction information, Bitcoin uses an algorithm known as “proof of work” (“PoW”).45 Explaining PoW, each unconfirmed transaction in a block is hashed and these hashes are organised into pairs, concatenated together and hashed again, with this process being repeated until a hash representing all the transactions in the block (“Merkle root”) is obtained.46 The following, inter alia, then comprise the “header” of the block of unconfirmed transactions (“Candidate Block”): the hash of the previous block in the blockchain, the Merkle root

of transactions in the Candidate Block and a “nonce”.47 The header of the Candidate Block is then hashed using Secure Hash Algorithm 256 (“SHA256”), producing an identifying hash for it.48 The Bitcoin protocol requires identifying hashes to start with a certain number of zeroes and the “nonce” is a random number which, when hashed with other data in the header of a Candidate Block, produces a hash satisfying the Bitcoin protocol.49 Finding the nonce is computationally intensive — generally it takes ten minutes for specialised computers to find the nonce.50 Once a miner finds the nonce and generates the required hash for the Candidate Block, it broadcasts the Candidate Block to the network.51 While finding the nonce is computationally intensive, it is easy for other miners to verify its accuracy and they express acceptance of the Candidate Block by using its identifying hash as input data for the header of the next block of unconfirmed transactions up for validation.52 The network rewards the miner who found the nonce first with BTC and he may also earn transaction fees offered by the transferor.53

III. Cryptocurrencies are not completely “trustless”, “immutable” and “decentralised” in every case

8 Although most cryptocurrencies work on essentially the same scheme as described for BTC, not...