Web 2023.0 - a sleeping giant?

Even the most steadfast advocates of a brave new world built on blockchain, cryptocurrencies and NFTs must admit it has been a rough year for Web3 (to put it mildly).

Web3's flagship innovation, Bitcoin, is currently down 75% since its all time high; the Luna network collapsed leading Voyager and Celsius to file for bankruptcy; 3AC was forced into liquidation and the recent meltdown of FTX has caused a contagion of panic, signalling the beginning of the end for some.

There is a 'but' behind the pantomime and apparent implosion of crypto, as Web3 continues to make technological advances and promises to disrupt many industries with use cases too compelling to ignore. The wheels have come off the bus, but it is not yet time to write it off.

Here we take an optimistic look to the future of Web3, what it has to offer, and some of the legal challenges it faces as it scales.

Third-party risk: decentralised finance

At its core, Web3 is about eliminating third-party risk by using decentralised blockchain technology. In many ways, the events of this year are reflective of the problems that have always existed in traditional finance. The 'I told you so' brigade which has been galvanised by the recent downfall of FTX may be surprised to learn that the fractional reserve banking system (in which only a small proportion of bank deposits are backed by cash available for withdrawal) is the system used by virtually every major bank worldwide.

Decentralised finance (DeFi) corrects for this by recording transactions on a publicly available blockchain. If DeFi users want to know where their funds are, they can check the on-chain data in real time. In addition, DeFi enables users to deposit and store funds while retaining complete control and custody of their assets. Piggybank advocates will be familiar with this principle of self-custody. DeFi also offers all the tools of traditional finance like lending and borrowing but instead of relying on a bank to underwrite the loan, transactions are made on a peer-to-peer basis and guaranteed through smart contracts.

However, cutting out the middleman has its own challenges. As we explore here, smart contracts are self-executing protocols which rely on logic-heavy code which cannot capture the nuances of written contracts. Smart contracts have no special legal status in the UK, and so to be enforceable they must satisfy the same criteria as any other contract. Most smart contracts have a plain English analogue which is translated into code form, but the peer-to-peer nature of DeFi compared to the one-to-many nature of traditional finance means that the negotiated aspects of relationships between users may only be recorded in code. The Law Commission has confirmed that code is capable of forming the basis of a contract, but the precise method of interpretation remains untested.

The DeFi community is very alive to the technological difficulties of scaling a distributed network. Transaction volumes are limited by the fact that every transaction must be verified and recorded on the blockchain. However, scaling DeFi also presents legal challenges; if DeFi wants to attract players in traditional finance to offer DeFi products on a B2C basis, then it may be hard to square the use of smart contracts with the requirements of consumer laws which require contractual terms to be written in plain and intelligible language.

Web3 is not the answer to everything and to solve these problems we expect DeFi to converge with other emerging technologies, particularly artificial intelligence (AI), for example to reverse engineer smart contracts from code to plain English. Web3 and AI projects have often pitted themselves against one another with start-ups competing for funding from the same venture capital allocations. However, as these technologies mature and become more refined, there is likely to be a need for more overlap and interoperability between these sectors.

Privacy and security: Zero-Knowledge Proof

This year has also seen a rise in high-profile data security breaches. In August, a hacker under the alias "teapotuberhacker" announced that they had breached Uber's source code, internal databases, and gained access to user data. Despite sounding like the alias of teapotuberhacker's partner in crime, "zero-knowledge proof" (ZKP) is actually an innovative technological solution to many data security breaches.

ZKP works by verifying information between parties without revealing the information itself. Take, for example, the most well-known cybersecurity tool: passwords. This process works by the password-holder proving to the service-provider that she knows her password by disclosing it to the service-provider, who then verifies it by checking it against the data it has stored. ZKP allows the password-holder to prove that she knows her password, without ever revealing it to the service-provider. It also allows the service-provider to authenticate the password, without knowing it.

The use case for ZKP goes beyond authentication. Earlier this year, Google and Facebook were fined €150m and €60m euros respectively for failing to obtain proper consent from their use of cookies to target ads at their users.

This crack-down on cookies has been a point of contention in the adtech sector., Cookies are the most powerful tool advertisers have to create personalised ads. Unfortunately, they can also be invasive and rely on an archive of personal data (often shared inadvertently) to profile and target individuals.

Enter our protagonist, ZKP, which could allow users to share their personal data with advertisers using ZKP so that advertisers can serve personalised ads without processing any personal data about their users. This is where it gets complicated but, in a nutshell, this is made possible because an advertiser can verify that the personal data it has received from the user is accurate, without actually processing the personal data. There are some complicated equations available for those mathematically inclined, but here is an illustrative example for the rest of us: I could prove I know my way through a maze by blindfolding you (with your consent) and navigating you to the middle. When you take your blindfold off, you wouldn't know how to complete the maze, but you would know that I do. That is the essence of ZKP.

The prevailing wisdom is that privacy and security are problems which can be solved by regulation. However, these are technical problems with a technical solution. ZPK is in its infancy, but it promises a best-of-both worlds approach for both service-providers and customers.  If technologies like this become widely adopted, 2023 might finally see a solution to the disconnect between the adtech ecosystem and the EU and UK data protection regimes.

Corporate governance: Decentralised Autonomous Organisations

A Decentralised Autonomous Organisation (DAO) is an emerging form of corporate structure. It is a community-led organisation with no leadership structure or hierarchy. Decisions are made from the bottom-up rather than the top-down, and tokens function like shares to allocate voting rights and ownership. Transparency takes precedence, so DAO balance sheets are publicly available on the blockchain rather than reported annually. In less technical terms, it's Web3's answer to employee-owned businesses like John Lewis.

DAO governance frameworks are recorded on the blockchain as a smart contract. The smart contract is like the articles of association, defining the rules for participation and co-operation among members. However, unlike articles of association, the smart contract is a self-executing protocol which automatically executes once certain conditions are met. For example, if a charitable DAO is set up, then the distribution of funds to the chosen cause might automatically transfer once the voting threshold in the smart contract was met.

DAOs have several clear use cases, particularly where incentives need to be aligned. The majority of existing DAOs are involved in the management of collectively owned assets and pooled investment funds. DAOs could also be used to administer a trust or execute a will.

However, DAOs at present suffer from some key risks, most notably lack of legal personality, risk for members of direct legal claims ,and uncertainty of jurisdiction. 

Lack of legal personality

The characterisation of DAOs as a legal entity is one of many open-ended questions. DAOs are, like the acronym suggests, decentralised. They are comprised of members in multiple jurisdictions and do not have any central authority or place of business. Because DAOs lack legal personality they cannot perform a number of functions needed to truly scale, including:

• Entering into contracts
• Benefiting from limitations of liability
• Paying taxes
• Opening bank accounts
• Making transactions
• Protecting intellectual property
• Acting as a parent or holding entity with subsidiaries.

Which specific form of legal entity is suitable for a particular DAO will depend on many factors, and there are a number of jurisdictions which claim to have compelling structures to meet the objectives of a DAO, and which are becoming popular jurisdictions.  These include the Cayman Islands, Singapore, Wyoming and a small number of other US states. None are perfect and most are a re-hash of a traditional corporate entity - in some cases suffering from square-peg-in-round-hold problems.  Some however are more tailored to Web3 principles - for example in 2018 Vermont established the ‘blockchain-based limited liability company’ (BBLLC), and more recently Wyoming passed a law allowing a DAO to incorporate itself as a Limited Liability Company (LLC) and defines DAOs as “a limited liability company whose articles of organization contain a statement that the company is a decentralized autonomous organization”.

Risk of claims against members

The absence of any formal legal characterisation of DAO structures does put members at risk. In the US, the Commodity Futures Trading Commission (CFTC) recently brought charges directly against the members of Ooki (a DAO providing margin trading and lending facilities) for breach of financial regulations on the basis that DAOs are an unincorporated association without any corporate shield to protect individual members from liability. The implication – at least in the US – is that the members of a DAO are personally liable for the DAO's actions.

Uncertainty of jurisdiction

Under existing legal systems, jurisdiction is typically determined by reference to the country where the legal entity is incorporated. The absence of any legal identity is not only a problem for members of DAOs but is also a problem for regulators. If a DAO is comprised of worldwide members, unincorporated, with no place of business or central point of authority, then who has jurisdiction? Legislatures may well be better off granting DAOs a form of legal identity than stress-testing the limits of existing laws to try and regulate them.

DAO structures go to the heart of the difficulty of regulating Web3: how do you regulate a technology that relies on decentralisation, with a legal system that relies on accountability?

If you can't beat them, regulate them

Currently, Web3 and its associated innovations largely fall outside of the regulatory perimeter. The boundaries between regulated cryptoassets and unregulated cryptoassets are not well defined. However, as the saying goes, the law is playing catch-up, and all signs point towards governments trying to bring Web3 into the scope of regulation.

In the UK, the Law Commission has launched a call for evidence about how DAOs should be characterised. In the call for evidence the Law Commission states “Many thousands of DAOs exist today, but few appear to be structured using the law of England and Wales. Huge amounts of value flow through, are created, used and sometimes lost by DAOs. This raises questions about their legal status, the liabilities of those who participate in them, and the rules and regulations that apply to them.”  The Commission will undertake a 15-month scoping study to identify options for how DAOs should be treated and to clarify their legal status.  Responses are required by early 2023 and so next year should see more light shed on the treatment of DAOs in the UK.

At the same time the Financial Services and Markets Bill, currently going through Parliament, addresses the regulation of payment systems using “digital settlement assets” defined as “digital representations of value” – in other words, digital tokens representing money.

It pays to remember that Web3 is not unregulated by accident. The blockchain foundation on which Web3 is being built was first developed precisely to create a financial system and technological infrastructure outside the existing regulatory framework. The difficulty of regulating decentralised technology is its flagship feature, not a bug. However, regulation done the right way might be exactly what Web3 needs to give it the credibility that the underlying technology deserves. We expect to see progress towards this in 2023.