
28 June 2023

Digital Assets

The Law Commission of England and Wales has provided recommendations for reform of the law on digital assets. 

 The Commission states 

 Digital assets – which include crypto-tokens (sometimes referred to as ‘cryptocurrencies’) and non-fungible tokens (NFTs) – are used for an increasing variety of purposes in modern society, such as for investment, for making payments, and for linking to or embodying debt and equity securities. 

Over the last 15 years, personal property law in England and Wales has proven sufficiently flexible to accommodate digital assets. However, as the digital asset market and related technology continue to change, there remains some residual legal uncertainty and complexity. 

The Government therefore asked the Law Commission to carry out a first-ever rigorous common law analysis, showing how the law in England and Wales can respond to this kind of emerging technology. 

The Commission’s recommendations for reform and development of the law aim to provide a comprehensive legal foundation for digital assets which will allow these new technologies to flourish, enabling a diverse range of market participants to interact with and benefit from them.

The recommendations are summarised - 

 1. Legislation to confirm the existence of a distinct third category of personal property under the law which can better recognise, accommodate and protect the unique features of digital assets. The report does not set out clear boundaries for this third category, arguing instead that common law is the best vehicle to determine which objects can fit within it. This will allow for a nuanced approach to recognising that things such as crypto-tokens, export quotas or different types of carbon emissions allowance can be objects of personal property rights. 

2. Creation of a panel of industry-specific technical experts, legal practitioners, academics and judges to provide non-binding advice to courts on complex legal issues relating to digital assets. 

3. Creation of a bespoke legal framework that better facilitates the entering into, operation and enforcement of collateral arrangements relating to crypto-tokens and crypto-assets. 

4. Statutory law reform to clarify whether certain digital assets fall within the scope of the Financial Collateral Arrangements (No 2) Regulations 2003.

The report states

Digital assets are fundamental to modern society and the contemporary economy. They are used for an expanding variety of purposes — as valuable things in themselves, as a means of payment, or to represent or be linked to other things or rights — and in growing volumes. Electronic signatures, cryptography, distributed ledgers, smart contracts and associated technology have increased the ways in which digital assets can be created, accessed, used and transferred. Such technological development is set only to continue. As technology advances and humans spend increasing amounts of time online, our relationships with digital assets will become ever more important.

Digital assets

The term digital asset is extremely broad. It captures a huge variety of things including digital files, digital records, email accounts, domain names, in-game digital assets, digital carbon credits, crypto-tokens and non-fungible tokens. The technology used to create or manifest those digital assets is not the same for each. Nor are the characteristics or features of those digital assets. We use “digital assets” as a general term, but most of our report and recommendations are concerned with a subset of digital assets with particular characteristics.

Personal property rights

Personal property rights are vital to social, economic and legal systems. They are important for many reasons. Property rights feature in the analysis of most commercial transactions relating to things of value. Property rights are the key to a proper characterisation of numerous modern and complex legal relationships, including intermediated holding arrangements, collateral arrangements and structures involving trusts. Property rights are also important in cases of bankruptcy or insolvency, when objects of property rights are interfered with or unlawfully taken, and for the legal rules concerning succession on death. Property rights are particularly valuable because, in principle, they are good against the whole world, whereas other — personal — rights are good only against someone who has assumed a relevant legal duty.

Digital assets and personal property rights

Over the last 15 years or so, the law of England and Wales has proven itself sufficiently resilient and flexible to recognise certain digital assets as things to which personal property rights can relate. That is not surprising, because treating certain digital assets (including crypto-tokens) as things to which personal property rights can relate is a practical and effective way in which to bring the law into line with the expectations of the parties that interact with them. We conclude that the law in this respect is now relatively certain and that the areas of legal uncertainty that remain are highly nuanced and complex. That complexity remains, in part, because both the digital asset market and the technology in question is evolving and will continue to do so. We identify the remaining areas of residual uncertainty and recommend law reform to reduce that uncertainty, but in a way that acknowledges the distinct features of different digital assets.

The law reform that we do recommend aims to ensure that the legal system, as part of a wider social framework, can reinforce the overall strength of digital asset ecosystems (which also rely on social elements). Our recommendations also aim to ensure that the private law of England and Wales remains a dynamic, globally competitive and flexible tool for market participants in the digital asset space.

Uses for digital assets to which personal property rights can relate

Digital assets are used for a number of purposes, including:

1. making payments for goods and services;

2. transferring or communicating value by electronic means (often on a cross-border basis);

3. broadening the scope of and access to markets and increasing the transferability, composability and liquidity of other things;

4. recording other things and recording provenance; and

5. speculation and investment.

Complex, international (albeit still relatively small) markets have evolved for products and services involving digital assets and specifically crypto-tokens. A crypto-token can be used in a variety of ways:

1. as a thing of interest or of value in itself;

2. as part of a register or record of interests instead of a conventional database entry (albeit a register or record composed of “things”, analogous to the beads on an abacus); or

3. to link to or embody rights such that the holder of the crypto-token can claim performance of the obligations recorded by the crypto-token.

Tokenisation of securities

One clear use-case for crypto-tokens is the tokenisation of existing things, including securities. Using crypto-tokens to record, to link to or to embody debt and equity securities can be very appealing to market participants, because it allows for easily transferable, non-intermediated securities, accessible both to institutional and retail investors. While existing securities markets enjoy a high degree of legal certainty, tokenised securities markets (or certain parts thereof) might operate differently or need to evolve to recognise the different features of digital assets and crypto-tokens. We think that many of our recommendations and conclusions — along with the work of bodies such as the UK Jurisdiction Taskforce — will be relevant to tokenised securities markets, and will help provide legal certainty in this growing area of finance.

Our tripartite approach to law reform in our report

In our report we make very few recommendations for law reform. That is for two reasons. First, because we conclude that the common law of England and Wales is, in general, sufficiently flexible, and already able, to accommodate digital assets. Second, because we want our recommendations to be as direct and as implementable as possible. We therefore take a tripartite approach to law reform.

Prioritising common law development

First, we champion the common law of England and Wales and draw its successes in the digital asset and crypto-token markets to the attention of market participants. Our analysis is intended to form the foundation on which further common law development can be based. We conclude that the law in this area is now relatively certain and that any areas of residual legal uncertainty are highly nuanced and complex. We discuss these remaining areas of residual uncertainty and draw conclusions as to the most appropriate way for the common law to develop in relation to them.

Targeted statutory law reform

Second, we make two recommendations for statutory law reform. We conclude that, although some digital assets are not easy to place within traditional categories of things to which personal property rights can relate, this does not prevent them from being capable of attracting personal property rights, and that this is clearly the position at common law. Nonetheless, some consultees, including senior and specialist members of the judiciary, said to us that it would be helpful to express this position in legislation. We recommend such legislation and conclude that it will confirm and support the existing common law position.

In addition, we conclude that there is one area where the common law cannot give market participants sufficient legal certainty: the development of a new regime for collateral arrangements involving digital assets (specifically, crypto-tokens and cryptoassets). We acknowledge that this issue does not merely involve legal questions; it also involves policy-based judgements beyond the scope of our report. We recommend that, as a matter of priority, the Government sets up a multi-disciplinary project to formulate and put in place a bespoke statutory legal framework that better and more clearly facilitates the entering into, operation and enforcement of (certain) crypto-token and (certain) cryptoasset collateral arrangements.

Support from industry-specific technical experts

Third, we acknowledge that increasingly advanced technology is likely to lead to a proliferation of digital assets over time, in terms of number, use-case, design and technological functionality. Many of those digital assets are likely to be complex, composable (that is, built up of different interchangeable components and so malleable in their functionality over time) and multi-faceted, and to use different technology. This in turn will give rise to diverse products and services that the law will have to accommodate. We conclude that common law development is better able to keep up with this change than statutory law reform. However, it is an enormous task for the judiciary to remain alive to such technological development.

We recommend therefore that the Government creates or nominates a panel of industry-specific technical experts, legal practitioners, academics and judges to provide non-binding guidance on the complex and evolving factual and legal issues relating to control involving certain digital assets (and other issues relating to digital asset systems and markets more broadly). We conclude that such detailed and technology-specific guidance will facilitate clear, logical and consistent applications of legal rules and reasoning over time.

This would need to include those with expertise in the crypto-token markets, and not just those with expertise in traditional finance markets or intermediated securities markets.

A “third” category of thing to which personal property rights can relate

We conclude that some digital assets are neither things in possession nor things in action, but that nonetheless the law of England and Wales treats them as capable of being things to which personal property rights can relate.

Legislation to confirm and support the existing common law position

Some consultees, including senior and specialist judges, said that it would be helpful to express this position in legislation. They said that this would confirm the existing position at common law, facilitate the law’s continued development on the point and lay to rest any lingering authority suggesting that there can be no “third” category of this nature. We recommend such legislation and conclude that it will confirm and support the existing common law position.

Avoiding defining hard boundaries of a third category of thing

We recommend statutory confirmation that a thing will not be deprived of legal status as an object of personal property rights merely by reason of the fact that it is neither a thing in action nor a thing in possession. However, we conclude that it is not necessary or appropriate to define in statute the hard boundaries of such a third category of thing. We conclude that the common law is the better vehicle for determining those things that properly can (and should) be objects of personal property rights, and which fall within the third category: third category things. These might not necessarily always be digital things and could include things like milk quotas or certain carbon emissions allowances. We call digital things falling within the third category “digital objects”.

Our third category recommendation and conclusions in practice 

We consider in detail consultees’ concerns with defining hard boundaries for a third category of thing to which personal property rights can relate. Given that our recommendation relating to the third category amounts to a confirmation and restatement of the existing common law position that such a third category exists, we do not consider that it will cause any additional legal uncertainty. 

Application to crypto-tokens, private, permissioned blockchain systems, voluntary carbon credits, in-game digital assets and digital files 

We demonstrate how our recommendations and conclusions might work by reference to a variety of digital assets, including crypto-tokens, private, permissioned blockchain systems, voluntary carbon credits, in-game digital assets and digital files. We conclude that pre-existing boundary issues will remain and that those boundary issues cannot be solved (and indeed, would likely be exacerbated) by statutory law reform. We conclude that the common law is the most appropriate tool for dealing with difficult boundary issues relating to digital assets that are based on very different technologies and for determining whether such digital assets can (and should) attract personal property rights on particular sets of facts.

Our indicia of third category things 

We discuss consultees’ responses to the provisional criteria we proposed in our consultation paper for the third category. We make consequential modifications and clarifications to those criteria and now treat them as indicia. Our indicia (as modified in this report) accurately describe a certain “core” type of digital asset — namely crypto-tokens manifested by distributed, public, permissionless systems — that are things to which personal property rights can relate at law and which are neither things in possession nor things in action. In our consultation paper we provisionally proposed that a thing should be capable of falling within our proposed third category of thing to which personal property rights can relate if:

1. it is composed of data represented in an electronic medium, including in the form of computer code, electronic, digital or analogue signals; 

2. it exists independently of persons and exists independently of the legal system; and 

3. it is rivalrous. 

Composed of data 

Based on consultee responses, we conclude that “composed of data” need not be a criterion in itself, because the criterion (1) overly focuses the conceptualisation of the thing in question on data; and (2) potentially creates an unnecessary hard boundary for the third category.

A thing is rivalrous if the use or consumption of the thing by one person (or a specific group of persons) necessarily prejudices the use or consumption of that thing by one or more other persons.

Tulip v Van der Laan [2023] EWCA Civ 83, [2023] 4 WLR 16 at [24], by Birss LJ.

Existence independent of persons and independent of the legal system 

We clarify the application and interpretation of our second criterion — that a thing must exist independently of persons and exist independently of the legal system — and respond to some concerns raised by consultees about this criterion. 

Rivalrous 

We reiterate and confirm our analysis of the criterion that a thing must be rivalrous. Specifically, we clarify that whether a thing is rivalrous is binary and we distinguish our criterion that a thing must be rivalrous from the concepts of exclusivity of control and excludability. We conclude that our indicia — specifically, the concept that a thing must be “rivalrous” (as endorsed by the Court of Appeal in Tulip Trading) — usefully distinguish this type of digital asset from other digital things such as digital files that are not (as currently designed) capable of attracting personal property rights as a matter of law. 

Control 

We describe (but deliberately do not define) the factual concept that best captures the ability to (1) exclude or to permit access to a third category thing; and (2) put the third category thing to the uses of which it is capable. We call this factual concept “control”. We discuss the legal significance of the concept of control over third category things. We conclude that both the factual concept of control and the legal consequences of control work differently for, and are highly complex in relation to, digital objects. 

Factual control 

First, we conclude that common law jurisprudence will be enhanced and made easier to understand for market participants by focusing on better descriptions and real-world examples of factual control. Factual control in this context is a highly technology-specific concept, in large part determined by the way in which the particular technology in question facilitates the imposition or creation of varying degrees of technical encumbrances in respect of the digital object in question.

Legal control 

Second, we note that the legal consequences of control are necessarily complex and varied. We do not think that the concept of control alone is sufficiently nuanced, refined, or sensitive to market specificities adequately and definitively to determine the consequences of complex legal arrangements. Instead, we see control as a composite part of more complex legal principles and mechanisms (such as legal transfers, intermediated holding arrangements, collateral arrangements and actions and remedies in respect of digital objects). There are also a vast number of technically distinct digital assets, some of which function more like “digital bearer instruments” and some of which do not. Control works differently for different digital assets, by virtue of the inherent features and functions of the technology itself. The application of control and its legal consequences will therefore be different for different digital assets. Specifically, control works differently for things in possession, things in action and third category things (and, potentially, between different third category things). We conclude that the law should recognise and accept this reality. 

Technical expert group 

We recommend therefore that the Government creates or nominates a panel of industry-specific technical experts, legal practitioners, academics and judges to provide non-binding guidance on the complex and evolving factual and legal issues relating to control involving certain digital assets (and other issues relating to digital asset systems and markets more broadly). 

Transfers

We consider how legal transfers of crypto-tokens operate based on, among other things, how a crypto-token transfers as a matter of fact, and the different perspectives of consultees on this issue.

Extinction/creation vs persistent thing 

We discuss our observation in our consultation paper that “a transfer operation within a crypto-token system typically involves the replacement, modification, destruction, cancellation, or elimination of a pre-transfer crypto-token and the resulting and corresponding causal creation of a new, modified or causally-related crypto-token.” We discuss two opposing views put forward by consultees as to the legal characterisation of such a transfer operation that effects a state change. First, that such a transfer extinguishes a pre-transfer object of personal property rights and creates a “new”, post-transfer object of personal property rights (the “extinction/creation analysis”). Second, that such a transfer involves the persistence of an object(s) of personal property rights through the transfer (the “persistent thing analysis”).

A transfer by a change of control 

We conclude that it is possible to effect a legal transfer of a crypto-token offchain, by a “change of control” (along with the requisite intention). An example might include the physical transfer of control through the transfer of hardware, or a transfer on a Layer 2 system. 

A common law special defence of good faith purchaser for value without notice applicable to crypto-tokens 

We recognise that the majority of consultees made strong arguments in favour of the recognition and development of a common law special defence of good faith purchaser for value without notice applicable to crypto-tokens (and third category things more broadly). We agree with the arguments made by consultees. At the same time, we acknowledge that our recommendation for targeted, confirmatory legislation combined with common law development of the parameters of a third category of thing to which personal property rights can relate does not include a statutory definition of such third category things (or some subset thereof). We acknowledge that this in turn precludes a general statutory “innocent acquisition rule” in respect of such objects of personal property rights, because a statutory innocent acquisition rule would almost certainly need to define the objects of personal property rights in question that benefitted from the rule. We conclude that a special defence of good faith purchaser for value without notice applicable to crypto-tokens can be recognised and developed by the courts through incremental development of the common law. We conclude that this reasoning can also be extended to other third category things.

Intermediated holding arrangements

We consider how intermediated holding arrangements in respect of crypto-tokens can be structured under the law of England and Wales. We consider crypto-tokens by way of example given the importance of intermediated holding arrangements to crypto-token markets.

Clarification of terminology 

We discuss consultee responses to the terminology that we used in our consultation paper to describe crypto-token specific intermediated holding arrangements, particularly our use of the term “custody”. In light of consultee responses, we now draw a distinction between “custodial intermediated holding arrangements”, “non-custodial intermediated holding arrangements” and “non-holding arrangements” based on the legal consequences of such arrangements. In particular, we highlight the risks that users of intermediated holding arrangements could be exposed to on the onset of insolvency proceedings of a holding intermediary. 

Contract and trust-based intermediated holding arrangements 

We consider the application of contract and trust law to crypto-token intermediated holding arrangements. We conclude that trusts can support a broad range of custodial intermediated holding arrangements, including where the underlying crypto-token entitlements are held on a consolidated unallocated basis for the benefit of multiple users. We confirm our preferred conceptual approach to the establishment of such a trust arrangement under the law of England and Wales. We conclude that a presumption of trust for intermediated holding arrangements involving crypto-tokens is neither necessary nor appropriate.

Section 53(1)(c) of the Law of Property Act 1925 

We consider the potential impact of statutory formalities on the operation of trust-based crypto-token intermediated holding arrangements. We conclude that the existing common law is sufficiently certain in this area and that statutory law reform in respect of section 53(1)(c) of the Law of Property Act 1925, which requires the disposition of an equitable interest to be in writing and signed, is not necessary at this time. We leave open the possibility that it might be necessary or warranted in future as the market evolves. 

Shortfall allocation rule 

We consider, but do not at this stage recommend, a general pro rata shortfall allocation rule in respect of commingled unallocated holdings of crypto-tokens or crypto-token entitlements held on trust by a custodial holding intermediary that enters insolvency proceedings. We conclude that a more extensive, in-depth assessment of the merits of potential insolvency law reform applicable to specific custodial holding intermediaries is necessary. 

Alternative and supplementary legal structures for custodial intermediated holding arrangements 

We discuss the possibility of the common law developing alternative and supplementary legal structures for custodial intermediated holding arrangements that do not rely on trusts. We conclude that this could take the form of holding intermediaries being recognised as acquiring a control-based proprietary interest in held crypto-token entitlements that is subject to a superior title retained by users. We also discuss the application of other private law principles including agency and fiduciary duties. 

Collateral arrangements 

We consider how collateral arrangements in respect of crypto-tokens and cryptoassets can be structured under the law of England and Wales. Again, we specifically consider crypto-tokens and cryptoassets given their prominence in the digital asset markets. 

Title transfer, non-possessory security and possessory security 

We discuss how title transfer and non-possessory security-based arrangements can be used to structure crypto-token and cryptoasset collateral arrangements without the need for law reform. We also explain that possessory security-based arrangements do not apply to crypto-tokens and cryptoassets.

A control-based security interest in respect of crypto-tokens 

We discuss how the recognition of a control-based proprietary interest to facilitate both the holding of and the grant of security over crypto-tokens and cryptoassets might be a beneficial development within the common law. We conclude that the common law could develop to recognise a control-based security interest in respect of crypto-tokens and cryptoassets (possibly by analogy with pledge). But the development of such a security interest would likely not be a complete solution given that such a security interest would likely be reliant on static, comprehensive notions of control.

Application and clarification of the Financial Collateral Arrangements (No 2) Regulations 2003 

We consider the applicability of the Financial Collateral Arrangements (No 2) Regulations 2003 (“FCARs”) to crypto-tokens, other collateral that might use and/or be linked to public, permissionless crypto-token systems or private, permissioned blockchain systems (including Central Bank Digital Currencies (“CBDCs”), stablecoins, equity and debt securities and credit claims) and mere register/record tokens. We conclude that many crypto-tokens are likely to fall outside of the scope of the FCARs regime. However, for other collateral that might use and/or be linked to public, permissionless crypto-token systems or private, permissioned blockchain systems (including CBDCs, stablecoins, equity and debt securities and credit claims) or mere record/register tokens, we think the answer is possibly different. For at least some of those things, there is a better argument that they fall within the scope of the FCARs regime. We recommend law reform to clarify this position, although we do not ultimately conclude on what the complete scope of the FCARs regime should be, given that question necessarily involves policy considerations which fall outside of the scope of our current work. 

Tokenisation of securities 

We discuss the tokenisation of equity and other registered corporate securities. We recommend that the laws governing the tokenisation of equity and other registered corporate securities by UK companies are reviewed. The aim of this review would be to confirm, and where appropriate extend, the range of technological facilities (including potentially to public, permissionless ledgers) and operational arrangements through which the valid creation, transfer, and use of such tokenised equity and other registered corporate securities would be legally possible. This would require further legislative change. 

A bespoke statutory legal framework for crypto-token and cryptoasset collateral arrangements 

We conclude that although the law of England and Wales does provide options for granting security in respect of crypto-tokens and cryptoassets, those options are not adequate. As such, we recommend that, as a matter of priority, the Government sets up a multi-disciplinary project to formulate and put in place a bespoke statutory legal framework that better and more clearly facilitates the entering into, operation and enforcement of (certain) crypto-token and (certain) cryptoasset collateral arrangements. Although this recommendation and the work required to implement it are significant, we conclude that there is a very high degree of demand for such law reform among consultees, market participants and industry bodies.

Causes of action and associated remedies 

We consider causes of action and associated remedies in the context of third category things. We conclude that much of the current law concerning causes of action and remedies can be applied to third category things without law reform. Often the law does not distinguish between causes of action and remedies that apply to things in possession, to things in action or to third category things and we identify where that is currently the case. In those cases there is no need for bespoke rules or for law reform. Instead, what is required is that the courts continue to recognise the nuances or idiosyncrasies of third category things (including their distinct functionality and technical characteristics) and apply existing legal principles to such things as appropriate. 

Contract and vitiating factors 

We consider the application of various causes of action that arise in relation to contracts, with particular focus on the legal characterisation of an obligation to “pay” non-monetary units such as crypto-tokens. We also discuss the application of various vitiating factors to contracts involving third category things. We conclude that the vitiating factors of mistake, misrepresentation, duress, and undue influence apply similarly to contracts involving third category things as they do to contracts involving things in possession and things in action. We also conclude that the legal principles relating to void contracts can apply to third category things, in the same way as they do to other objects of personal property rights, without law reform.

Following and tracing 

We consider how the evidentiary processes of following and tracing might apply to third category things and discuss how the factual nature of third category things might complicate legal analysis in relation to those evidentiary processes. 

Breach of trust, equitable wrongs, and constructive trusts 

We consider the application of principles relating to breach of trust, equitable wrongs, and constructive trusts. We conclude that, as regards breach of trust and fiduciary duty, the principles of equity are sufficiently flexible to be applied in situations involving third category things. In relation to constructive trusts, we conclude that the common law is perfectly able to evolve in a logical and clear way and we do not recommend law reform. 

Proprietary restitution, restitution for unjust enrichment and conversion 

We consider three key common law causes of action and how they apply to factual scenarios involving third category things: proprietary restitution; restitution for unjust enrichment; and conversion. We conclude that claims in proprietary restitution and restitution for unjust enrichment likely will be available in the context of third category things, whereas a claim in conversion will not be available. This is because conversion only applies to things in possession. However, despite the broad availability of claims in proprietary restitution and restitution for unjust enrichment, we conclude that such claims are unlikely to succeed where a claimant’s crypto-token is burned by a defendant. Burning involves irreversibly sending a crypto-token to an inaccessible “burn address”, the result being that the token is removed from circulation. Given the unavailability of a claim for proprietary restitution, restitution for unjust enrichment, or conversion following a defendant’s burning of a claimant’s crypto-token, we conclude that there is a lacuna in the law relating specifically to objects that fall within the third category. We do not consider that common law development of the principles of proprietary restitution or unjust enrichment would be the most appropriate means by which to fill this lacuna. Instead, we conclude it would be better for the courts to develop specific and discrete principles of tortious liability by analogy with, or which draw on some elements of, the tort of conversion to deal with unlawful interferences with digital objects. This conclusion acknowledges that the lacuna currently existing within the law arises in situations where a claim based on unjust enrichment or proprietary restitution cannot be made out. 

Injunctions, enforcement, and monetary awards 

Finally, we consider some procedural aspects of the law of remedies, specifically the law relating to injunctions, enforcement, and monetary awards. 

Cause of action 

Generally available in relation to third category things? 

Capable of providing recourse following the burning of a crypto-token? 

Proprietary restitution 

Restitution for unjust enrichment 

Conversion 

Tortious liability for wrongful interference with third category things

Recommendations 

Recommendation 1 We recommend statutory confirmation that a thing will not be deprived of legal status as an object of personal property rights merely by reason of the fact that it is neither a thing in action nor a thing in possession. 

Recommendation 2 We recommend that the Government creates or nominates a panel of industry-specific technical experts, legal practitioners, academics and judges to provide non-binding guidance on the complex and evolving issues relating to control (and other issues involving digital objects more broadly). This panel would need to include those with expertise in the crypto-token markets, and not just those with expertise in traditional finance markets or intermediated securities markets. 

Recommendation 3 We recommend statutory amendment to the FCARs: 

1. To clarify the extent to which and under what holding arrangements crypto-tokens, cryptoassets (including CBDCs and fiat currency-linked stablecoins) and/or mere record/register tokens can satisfy the definition of cash, including potentially by providing additional guidance as to the interpretation of “money in any currency”, “account” and “similar claim to the repayment of money”. 

2. To confirm that the characterisation of an asset that by itself satisfies the definition of a financial instrument or a credit claim will be unaffected by that asset being merely recorded or registered by a crypto-token within a blockchain- or DLT-based system (where the underlying asset is not “linked” or “stapled” by any legal mechanism to the crypto-token that records them). 

3. To confirm that, where an asset that satisfies the definition of a financial instrument or a credit claim is tokenised and effectively linked or stapled to a crypto-token that constitutes a distinct object of personal property rights from the perspective of and vested in the person that controls it, the linked or stapled token itself will similarly satisfy the relevant definition. 

4. We recommend that laws applicable to UK companies should be reviewed to assess the merits of reforms that would confirm the validity of and/or expand the use of crypto-token networks for the issuance and transfer of equity and other registered corporate securities. In particular, we recommend that any such review should consider the extent to which applicable laws could and should support the use of public permissionless ledgers for the issuance and transfer of legal interests in equity and other registered corporate securities. 

Recommendation 4 We recommend that, as a matter of priority, the Government sets up a multi-disciplinary project to formulate and put in place a bespoke statutory legal framework that better and more clearly facilitates the entering into, operation and enforcement of (certain) crypto-token and (certain) cryptoasset collateral arrangements. 

Conclusions 

Conclusion 1 We conclude that factual control (plus intention) can found a legal proprietary interest in a digital object. We conclude that in certain circumstances such a control-based legal proprietary interest can be separated from (and be inferior to or short of) a superior legal title. 

Conclusion 2 We conclude that it is possible (with the requisite intention) to effect a legal transfer of a crypto-token offchain by a change of control or onchain by a transfer operation that effects a state change. 

Conclusion 3 We conclude that a special defence of good faith purchaser for value without notice applicable to crypto-tokens can be recognised and developed by the courts through incremental development of the common law. We conclude that this reasoning can also be extended to other third category things. 

Conclusion 4 We conclude that under the law of England and Wales, crypto-token intermediated holding arrangements can be characterised and structured as trusts, including where the underlying entitlements are (1) held on a consolidated unallocated basis for the benefit of multiple users, and (2) potentially even commingled with unallocated entitlements held for the benefit of the holding intermediary itself. We conclude that the best way to understand the interests of beneficiaries under such trusts are as rights of co-ownership in an equitable tenancy in common. 

Conclusion 5 We conclude that recognition of a control-based legal proprietary interest could provide the basis for an alternative legal structure for custodial intermediated holding arrangements in addition to trusts. This could take the form of holding intermediaries being recognised as acquiring a control-based proprietary interest in held crypto-token entitlements that is subject to a superior legal title retained by users. 

Conclusion 6 We conclude that it would be constructive for the courts to develop specific and discrete principles of tortious liability by analogy with, or which draw on some elements of, the tort of conversion to deal with wrongful interferences with third category things.

19 July 2022

Crookto, Cyber Security and Corporate Responsibility

'Crime and Cryptocurrency in Australian Courts' by Aaron M Lane and Lisanne Adam in Monash University Law Review (Forthcoming) comments 

This article presents the findings of the first empirical study of reported Australian case law involving Bitcoin and other cryptocurrencies between 2009 and 2020. The initial dataset consists of 103 cases, with 59 criminal decisions and 44 other decisions. Focusing on criminal proceedings, the study finds that cryptocurrency has been considered in the context of bail, extradition, restraining orders, trials and sentencing. Significantly, the study finds that the use of cryptocurrency in the commission of an offence is seen by courts as a factor that tends to increase the sophistication or seriousness of the offence – becoming an aggravating factor in sentencing – and leads the court to consider general deterrence above other sentencing purposes.

The authors argue

There is a perception that Bitcoin, and the other cryptocurrencies that followed, are associated with criminal activity. By our count, there are four dimensions to this perception from the literature – which is briefly surveyed here as introductory context for the first study on crime and cryptocurrency in the Australian courts.

First, law enforcement experts claim that Bitcoin is “the currency of choice for cybercriminals” in the commission of ransomware attacks and other forms of theft and extortion in the digital environment. Also in this category, cybercriminals are using cryptocurrency in running fraudulent investment scams. Statistics collected by the Australian Competition and Consumer Commission show that “in 2019, reported losses for cryptocurrency scams exceeded $21.6 million from 1810 reports.” Data reported by Chainalysis puts the global figure at US$7.8 billion. 

Second, cryptocurrencies are used to exchange illegal goods and services from ‘dark web’ online marketplaces, such as Silk Road, which exclusively used Bitcoin for the platform’s illicit transactions. Famously, Silk Road’s founder Ross Ulbricht was convicted in the United States and sentenced to life imprisonment for charges relating to his role in the criminal enterprise. The convictions were upheld on appeal notwithstanding that two federal agents were also charged and sentenced for their conduct in the course of the investigation against Ulbricht, including misappropriating Bitcoin into offshore bank accounts. The Ulbricht saga brought into popular consciousness the fact that cryptocurrencies provided a new payment platform for those seeking to illicitly transact with counterparts across borders, pseudonymously. While estimates vary, the most recent industry analysis reports total illicit cryptocurrency transactions at US$14 billion in 2021 – although this equates to just 0.15% of the total volume of cryptocurrency transactions. 

Third, Bitcoin has been described as a “criminal's laundromat for cleaning money” that has been earned from illicit enterprises. Of course, money laundering is a serious criminal offence in and of itself. Although, initially, the use of Bitcoin and other cryptocurrencies were not subject to the same regulatory constraints as the use of fiat currency. In 2017, the Federal Minister for Justice and Minister Assisting the Prime Minister for Counter-Terrorism asserted that “it is recognised globally that convertible digital currencies, such as bitcoin, pose significant money laundering and terrorism financing risks because they allow people to move money around the world on a peer-to-peer basis without revealing their identity.” On this basis, the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (‘AML CTF Act’) was amended to require Australian cryptocurrency exchanges to comply with Anti-Money Laundering and Counter-Terrorism Financing laws under regulator AUSTRAC’s purview. The stated purpose of the amendments was to “deter criminals from using convertible digital currencies to move illicit funds and avoid detection” and “facilitate the collection of transactional information about exchanges in digital currency for use by law enforcement, intelligence and national security agencies”. At the end of February 2022, AUSTRAC had revoked the registration of seven cryptocurrency exchanges, suspended another, and refused to register a further six exchanges. 

Fourth, there are concerns that cryptocurrencies could be used for tax evasion. The Australian Taxation Office has provided guidance on various issues surrounding the tax treatment of cryptocurrency. As with money laundering, the pseudonymous, borderless nature of cryptocurrency transactions — combined with Australia’s tax system of self-assessment — means that the task of tax enforcement is more difficult and provides a greater opportunity for tax evasion. Tax evasion is a crime regardless of the underlying legitimacy of the transaction that gave rise to the taxable event. 

As this introduction outlines, it appears that criminal entrepreneurs were among the first to find a use case for cryptocurrencies. It is not surprising, therefore, that law enforcement and regulatory agencies around the world have established digital taskforces focusing on crime and cryptocurrency. Domestically, the Australian Federal Police’s (AFP) Cybercrime Operations Unit and AUSTRAC have primary carriage of these matters among enforcement bodies, in addition to the Australian Cyber Security Centre. State and territory police forces also appear to have developed some capabilities in this area. 

Against this background, it was inevitable that criminal cases involving cryptocurrency would come before the Australian courts. However, there is currently no reported data on criminal cases involving cryptocurrency in Australia. The purpose of this article, therefore, is to investigate in what contexts Bitcoin and other cryptocurrencies have been considered in criminal matters before Australian courts and critically analyse how the use of cryptocurrency has factored into judicial decision making in the context of criminal proceedings. This article will proceed as follows. Section two introduces Bitcoin and cryptocurrencies. Section three explains the study’s methodology and reports the study’s quantitative findings. Section four provides the study’s qualitative findings. Section five will bring the study’s findings into conversation with theoretical perspectives from the law and economics and criminology literatures. Section six concludes.

In Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 - a landmark judgment - the FCA has identified that obligations for Directors under the Australian Financial Services Licence regime include obligations to adequately manage cyber resilience and cybersecurity risks. RI was found to be in breach of the Corporations Act 2001 (Cth). 

Rofe J made declarations that RI breached obligations under s 912A(1)(a) by failing to ensure adequate cybersecurity measures were in place and/or adequately implemented across its Authorised Representatives, with breach under s 912A(1)(h) by failing to implement adequate cybersecurity and cyber resilience measures and exposing its Authorised Representatives’ clients to an unacceptable level of risk.

Rofe J stated 

it is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.

noting 'that the relevant risks and controls deployed to address cybersecurity evolve over time' and that 'as cybersecurity risk management is a technical area, the adequacy of risk management must be informed by people with technical expertise in that area'. 

AFS Licence holders are required to identify the risks faced in the course of providing financial services, including in relation to cybersecurity and cyber resilience. The holders must have established documentation, controls and risk management systems that are adequate to manage risk across their network.

The 'reasonable standard of performance' is to be assessed by reference to the reasonable person qualified in that area, not the expectations of the general public.

07 November 2021

Crypto and Ransomware

'Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications' by Harold Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Michael Specter and Daniel J. Weitzner in 2015 commented 

Twenty years ago, law enforcement organizations lobbied to require data and communication services to engineer their products to guarantee law enforcement access to all data. After lengthy debate and vigorous predictions of enforcement channels “going dark,” these attempts to regulate the emerging Internet were abandoned. In the intervening years, innovation on the Internet flourished, and law enforcement agencies found new and more effective means of accessing vastly larger quantities of data. Today we are again hearing calls for regulation to mandate the provision of exceptional access mechanisms. In this report, a group of computer scientists and security experts, many of whom participated in a 1997 study of these same topics, has convened to explore the likely effects of imposing extraordinary access mandates. 

We have found that the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago. In the wake of the growing economic and social cost of the fundamental insecurity of today’s Internet environment, any proposals that alter the security dynamics online should be approached with caution. Exceptional access would force Internet system developers to reverse “forward secrecy” design practices that seek to minimize the impact on user privacy when systems are breached. The complexity of today’s Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws. Beyond these and other technical vulnerabilities, the prospect of globally deployed exceptional access systems raises difficult problems about how such an environment would be governed and how to ensure that such systems would respect human rights and the rule of law.

Their Executive Summary is - 

 Political and law enforcement leaders in the United States and the United Kingdom have called for Internet systems to be redesigned to ensure government access to information — even encrypted information. They argue that the growing use of encryption will neutralize their investigative capabilities. They propose that data storage and communications systems must be designed for exceptional access by law enforcement agencies. These proposals are unworkable in practice, raise enormous legal and ethical questions, and would undo progress on security at a time when Internet vulnerabilities are causing extreme economic harm. 

As computer scientists with extensive security and systems experience, we believe that law enforcement has failed to account for the risks inherent in exceptional access systems. Based on our considerable expertise in real-world applications, we know that such risks lurk in the technical details. In this report we examine whether it is technically and operationally feasible to meet law enforcement’s call for exceptional access without causing large-scale security vulnerabilities. We take no issue here with law enforcement’s desire to execute lawful surveillance orders when they meet the requirements of human rights and the rule of law. Our strong recommendation is that anyone proposing regulations should first present concrete technical requirements, which industry, academics, and the public can analyze for technical weaknesses and for hidden costs. 

Many of us worked together in 1997 in response to a similar but narrower and better-defined proposal called the Clipper Chip. The Clipper proposal sought to have all strong encryption systems retain a copy of keys necessary to decrypt information with a trusted third party who would turn over keys to law enforcement upon proper legal authorization. We found at that time that it was beyond the technical state of the art to build key escrow systems at scale. Governments kept pressing for key escrow, but Internet firms successfully resisted on the grounds of the enormous expense, the governance issues, and the risk. The Clipper Chip was eventually abandoned. A much more narrow set of law enforcement access requirements have been imposed, but only on regulated telecommunications systems. Still, in a small but troubling number of cases, weaknesses related to these requirements have emerged and been exploited by state actors and others. Those problems would have been worse had key escrow been widely deployed. And if all information applications had had to be designed and certified for exceptional access, it is doubtful that companies like Facebook and Twitter would even exist. Another important lesson from the 1990’s is that the decline in surveillance capacity predicted by law enforcement 20 years ago did not happen. Indeed, in 1992, the FBI’s Advanced Telephony Unit warned that within three years Title III wiretaps would be useless: no more than 40% would be intelligible and that in the worst case all might be rendered useless. The world did not “go dark.” On the contrary, law enforcement has much better and more effective surveillance capabilities now than it did then. 

The goal of this report is to similarly analyze the newly proposed requirement of exceptional access to communications in today’s more complex, global information infrastructure. We find that it would pose far more grave security risks, imperil innovation, and raise thorny issues for human rights and international relations. 

There are three general problems. First, providing exceptional access to communications would force a U-turn from the best practices now being deployed to make the Internet more secure. These practices include forward secrecy — where decryption keys are deleted immediately after use, so that stealing the encryption key used by a communications server would not compromise earlier or later communications. A related technique, authenticated encryption, uses the same temporary key to guarantee confidentiality and to verify that the message has not been forged or tampered with. 

Second, building in exceptional access would substantially increase system complexity. Security researchers inside and outside government agree that complexity is the enemy of security — every new feature can interact with others to create vulnerabilities. To achieve widespread exceptional access, new technology features would have to be deployed and tested with literally hundreds of thousands of developers all around the world. This is a far more complex environment than the electronic surveillance now deployed in telecommunications and Internet access services, which tend to use similar technologies and are more likely to have the resources to manage vulnerabilities that may arise from new features. Features to permit law enforcement exceptional access across a wide range of Internet and mobile computing applications could be particularly problematic because their typical use would be surreptitious — making security testing difficult and less effective. 

Third, exceptional access would create concentrated targets that could attract bad actors. Security credentials that unlock the data would have to be retained by the platform provider, law enforcement agencies, or some other trusted third party. If law enforcement’s keys guaranteed access to everything, an attacker who gained access to these keys would enjoy the same privilege. Moreover, law enforcement’s stated need for rapid access to data would make it impractical to store keys offline or split keys among multiple keyholders, as security engineers would normally do with extremely high-value credentials. Recent attacks on the United States Government Office of Personnel Management (OPM) show how much harm can arise when many organizations rely on a single institution that itself has security vulnerabilities. In the case of OPM, numerous federal agencies lost sensitive data because OPM had insecure infrastructure. If service providers implement exceptional access requirements incorrectly, the security of all of their users will be at risk. 

Our analysis applies not just to systems providing access to encrypted data but also to systems providing access directly to plaintext. For example, law enforcement has called for social networks to allow automated, rapid access to their data. A law enforcement backdoor into a social network is also a vulnerability open to attack and abuse. Indeed, Google’s database of surveillance targets was surveilled by Chinese agents who hacked into its systems, presumably for counterintelligence purposes. 

The greatest impediment to exceptional access may be jurisdiction. Building in exceptional access would be risky enough even if only one law enforcement agency in the world had it. But this is not only a US issue. The UK government promises legislation this fall to compel communications service providers, including US-based corporations, to grant access to UK law enforcement agencies, and other countries would certainly follow suit. China has already intimated that it may require exceptional access. If a British-based developer deploys a messaging application used by citizens of China, must it provide exceptional access to Chinese law enforcement? Which countries have sufficient respect for the rule of law to participate in an international exceptional access framework? How would such determinations be made? How would timely approvals be given for the millions of new products with communications capabilities? And how would this new surveillance ecosystem be funded and supervised? The US and UK governments have fought long and hard to keep the governance of the Internet open, in the face of demands from authoritarian countries that it be brought under state control. Does not the push for exceptional access represent a breathtaking policy reversal? 

The need to grapple with these legal and policy concerns could move the Internet overnight from its current open and entrepreneurial model to becoming a highly regulated industry. Tackling these questions requires more than our technical expertise as computer scientists, but they must be answered before anyone can embark on the technical design of an exceptional access system. 

In the body of this report, we seek to set the basis for the needed debate by presenting the historical background to exceptional access, summarizing law enforcement demands as we understand them, and then discussing them in the context of the two most popular and rapidly growing types of platform: a messaging service and a personal electronic device such as a smartphone or tablet. Finally, we set out in detail the questions for which policymakers should require answers if the demand for exceptional access is to be taken seriously. Absent a concrete technical proposal, and without adequate answers to the questions raised in this report, legislators should reject out of hand any proposal to return to the failed cryptography control policy of the 1990s.
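
The executive summary's first and third problems (forward secrecy, and retained keys as a concentrated target) can be shown in a short simulation. This is an added example, not code from the report or its authors; the toy Diffie-Hellman group, the hash-based encrypt-then-MAC construction, the constructed messages and every name in it are assumptions chosen so that it runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, an assumption for this demo only: the Mersenne
# prime 2**521 - 1 with generator 3. Real systems use X25519 or a vetted group.
P = 2**521 - 1
G = 3

# Constructed sample data (not from the report).
MESSAGES = [b"constructed message one", b"constructed message two"]
SERVER_IDENTITY_KEY = secrets.token_bytes(32)  # long-lived, authentication only
ESCROW_KEY = secrets.token_bytes(32)           # long-lived, held by a third party


def dh_keypair():
    """Fresh ephemeral key pair, used for one session and then discarded."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def session_key(my_priv, peer_pub):
    """Both sides derive the same temporary key from the DH shared secret."""
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(66, "big")).digest()


def keystream(key, nonce, length):
    """SHA-256 in counter mode: a stdlib stand-in for a real stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: one temporary key gives confidentiality and integrity."""
    nonce = secrets.token_bytes(12)
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    stream = keystream(enc_key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Check the tag before decrypting; ValueError on tampering or a wrong key."""
    if len(blob) < 44:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = keystream(enc_key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


def run_session(message, escrow_key=None):
    """Simulate one exchange and return only what remains stored afterwards."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    key = session_key(c_priv, s_pub)
    if key != session_key(s_priv, c_pub):
        raise RuntimeError("key agreement failed")
    record = {"client_pub": c_pub, "server_pub": s_pub,
              "ciphertext": seal(key, message)}
    if escrow_key is not None:
        # Exceptional-access design: a copy of the session key is retained,
        # wrapped under the long-lived escrow key.
        record["escrowed_key"] = seal(escrow_key, key)
    return record  # ephemeral private keys and the session key are not kept


def later_compromise(records, stolen_keys):
    """Plaintexts readable from stored traffic once long-lived keys leak."""
    recovered = []
    for record in records:
        for stolen in stolen_keys:
            try:
                key = stolen
                if "escrowed_key" in record:
                    key = unseal(stolen, record["escrowed_key"])
                recovered.append(unseal(key, record["ciphertext"]))
                break
            except ValueError:
                continue
    return recovered


if __name__ == "__main__":
    forward_secret = [run_session(m) for m in MESSAGES]
    escrowed = [run_session(m, escrow_key=ESCROW_KEY) for m in MESSAGES]
    leaked = [SERVER_IDENTITY_KEY, ESCROW_KEY]
    print("forward-secret sessions read:", len(later_compromise(forward_secret, leaked)))
    print("escrowed sessions read:", len(later_compromise(escrowed, leaked)))
```

With forward secrecy the stored records contain nothing that a long-lived key opens, whereas in the escrowed design the single escrow key opens every recorded session.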

The US Treasury Financial Crimes Enforcement Network (FinCEN) Financial Trend Analysis 'Ransomware Trends in Bank Secrecy Act Data Between January 2021 and June 2021' report comments

This Financial Trend Analysis focuses on ransomware pattern and trend information identified in Bank Secrecy Act (BSA) data. This report is issued pursuant to Section 6206 of the Anti-Money Laundering Act of 2020 (AMLA) which requires the Financial Crimes Enforcement Network (FinCEN) to periodically publish threat pattern and trend information derived from financial institutions’ Suspicious Activity Reports (SARs). FinCEN issued government-wide priorities for anti-money laundering and countering the financing of terrorism (AML/CFT) policy on 30 June 2021, which included cybercrime as a government-wide priority. FinCEN highlighted ransomware as a particularly acute cybercrime concern. The information contained in this report is relevant to the public, including a wide range of businesses, industries, and critical infrastructure sectors. The report also highlights the value of BSA information filed by regulated financial institutions. 

This Financial Trend Analysis is in response to the increase in number and severity of ransomware attacks against U.S. critical infrastructure since late 2020. For example, in May 2021, hackers used a ransomware attack to extort a multi-million dollar ransom, which also disrupted the Colonial Pipeline and caused gasoline shortages. Other recent attacks have targeted various sectors, including manufacturing, legal, insurance, health care, energy, education, and the food supply chain in the United States and across the globe. As Treasury Secretary Janet L. Yellen recently noted, “Ransomware and cyber-attacks are victimizing businesses large and small across America and are a direct threat to our economy.” 

FinCEN analysis of ransomware-related SARs filed during the first half of 2021 indicates that ransomware is an increasing threat to the U.S. financial sector, businesses, and the public. The number of ransomware-related SARs filed monthly has grown rapidly, with 635 SARs filed and 458 transactions reported between 1 January 2021 and 30 June 2021 (“the review period”), up 30 percent from the total of 487 SARs filed for the entire 2020 calendar year. The total value of suspicious activity reported in ransomware-related SARs during the first six months of 2021 was $590 million, which exceeds the value reported for the entirety of 2020 ($416 million). 

Trends represented in this report illustrate financial institutions’ identification and reporting of ransomware events and may not reflect the actual dates associated with ransomware incidents. 

FinCEN’s analysis of ransomware-related SARs highlights average ransomware payment amounts, top ransomware variants, and insights from FinCEN’s blockchain analysis: 

The 635 SARs filed during the review period include 458 SARs reporting transactions that occurred in the same timeframe. The remaining 177 SARs report transactions that occurred prior to 2021. 

Average Monthly Suspicious Amount of Ransomware Transactions: 

According to data generated from ransomware-related SARs, the mean average total monthly suspicious amount of ransomware transactions was $66.4 million and the median average was $45 million. FinCEN identified bitcoin (BTC) as the most common ransomware-related payment method in reported transactions. 

Top Ransomware Variants: 

Ransomware actors develop their own versions of ransomware, known as “variants,” and these versions are given new names based on a change to software or to denote a particular threat actor behind the malware. FinCEN identified 68 ransomware variants reported in SAR data for transactions during the review period. The most commonly reported variants were REvil/Sodinokibi, Conti, DarkSide, Avaddon, and Phobos. 

Insights from Blockchain Analysis: 

FinCEN identified and analyzed 177 unique convertible virtual currency (CVC) wallet addresses used for ransomware-related payments associated with the 10 most commonly reported ransomware variants in SARs during the review period. Based on blockchain analysis of identifiable transactions with the 177 CVC wallet addresses, FinCEN identified approximately $5.2 billion in outgoing BTC transactions potentially tied to ransomware payments. 

FinCEN Identified Ransomware Money Laundering Typologies: 

FinCEN identified several money laundering typologies common among ransomware variants in 2021 including threat actors increasingly requesting payments in Anonymity-enhanced Cryptocurrencies (AECs) and avoiding reusing wallet addresses, “chain hopping” and cashing out at centralized exchanges, and using mixing services and decentralized exchanges to convert proceeds. 

Scope and Methodology: 

FinCEN examined ransomware-related SARs filed between 1 January 2021 and 30 June 2021 to determine trends. The full data set consisted of 635 SARs reporting $590 million in suspicious activity. Of the 635 SARs filed during the review period, 458 report actual transactions that occurred during the review period worth $398 million. The remaining 177 SARs report transactions that occurred before 1 January 2021. FinCEN reviewed and verified each SAR to remove any suspicious activity amount unrelated to ransomware and to extract relevant indicators of compromise (IOCs). From this data, FinCEN identified the top 10 most common ransomware variants and analyzed their IOCs through commercially available analytics tools. This analysis allowed FinCEN to chart the flow of ransomware payments in BTC to identify which CVC exchanges and services ransomware actors used to launder their proceeds. USD figures cited in this analysis are based on the value of BTC when the transactions occurred. FinCEN also compared data gathered for 2021 to SAR data gathered in previous years in order to track ransomware trends. This data set consisted of 2,184 SARs reflecting $1.56 billion in suspicious activity filed between 1 January 2011 and 30 June 2021. 

Ransomware Filings in First Six Months of 2021 Exceed 2020 Total 

The total U.S. dollar value for ransomware-related transactions reported in SARs filed during the review period exceeds that of any previous year since 2011. In the first six months of 2021, FinCEN identified $590 million in ransomware-related SARs, a 42 percent increase compared to a total of $416 million for all of 2020 (see Figures 1 and 2). If current trends continue, SARs filed in 2021 are projected to have a higher ransomware-related transaction value than SARs filed in the previous 10 years combined, which would represent a continuing trend of substantial increases in reported year-over-year ransomware activity. This trend potentially reflects the increasing overall prevalence of ransomware-related incidents as well as improved detection and reporting of incidents by covered financial institutions, which may also be related to increased awareness of reporting obligations pertaining to ransomware and willingness to report. 

As noted in FinCEN’s 2020 Advisory on Ransomware, AECs reduce the transparency of CVC financial flows, including ransomware payments, through anonymizing features, such as mixing and cryptographic enhancements.

21 June 2021

Blockchain Hype

"‘Lex Cryptographia,’ ‘Cloud Crypto Land’ or What? – Blockchain Technology on the Legal Hype Cycle" (King's College London Law School Research Paper Forthcoming) by Michael Schillig comments 

 Based on an analysis of the literature on the interaction of law and DLT/blockchain, the paper argues that hype cycle dynamics apply in legal discourse. Thinking in hype cycle categories provides a structured way for analysing the potential legal implications of a particular innovation. This critical engagement with enthusiasts, sceptics and pragmatists throughout the different stages may help to present a more realistic picture of DLT/Blockchain’s potential from a legal perspective in the short and medium term. Consequently, the paper discusses the potential for disruption to the legal system envisaged by enthusiasts at the height of inflated expectations, attempts to deconstruct the arguments levelled at the technology by its detractors during the trough of disillusionment, charts the emerging legal landscape that seeks to accommodate and harness the potential of DLT/blockchain on the slope of enlightenment, and concludes by risking a glimpse towards the plateau of productivity.

03 December 2020

Disruption

The Explanatory Memo for the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 (Cth) states that the proposed legislation will 

amend the Surveillance Devices Act 2004 (SD Act), the Crimes Act 1914 (Crimes Act) and associated legislation to introduce new law enforcement powers to enhance the ability of the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) to combat online serious crime. 

2. Cyber-enabled serious and organised crime, often enabled by the dark web and other anonymising technologies, such as bespoke encrypted devices for criminal use, present a direct challenge to community safety and the rule of law. For example, on the dark web criminals carry out their activities with a lower risk of identification and apprehension. Many anonymising technologies and criminal methodologies can be combined for cumulative effect, meaning it is technically difficult, and time and resource intensive, for law enforcement to take effective action. Just as online criminals are constantly changing their operations and reacting to new environments, the law must adapt in order to give law enforcement agencies effective powers of response. 

3. Existing electronic surveillance powers, while useful for revealing many aspects of online criminality, are not suitably adapted to identifying and disrupting targets where those targets are actively seeking to obscure their identity and the scope of their activities. Without the critical first step of being able to identify potential offenders, investigations into serious and organised criminality can fall at the first hurdle. Being able to understand the networks that criminals are involved in and how they conduct their crimes is also a crucial step toward prosecution. 

4. This Bill addresses gaps in the legislative framework to better enable the AFP and the ACIC to collect intelligence, conduct investigations, disrupt and prosecute the most serious of crimes, including child abuse and exploitation, terrorism, the sale of illicit drugs, human trafficking, identity theft and fraud, assassinations, and the distribution of weapons. 

5. The Bill contains the necessary safeguards, including oversight mechanisms and controls on the use of information, to ensure that the AFP and the ACIC use these powers in a targeted and proportionate manner to minimise the potential impact on legitimate users of online platforms. 

6. The Bill introduces three new powers for the AFP and the ACIC. They are:

• Data disruption warrants to enable the AFP and the ACIC to disrupt data by modifying, adding, copying or deleting in order to frustrate the commission of serious offences online 

• Network activity warrants to allow agencies to collect intelligence on serious criminal activity being conducted by criminal networks, and 

• Account takeover warrants to provide the AFP and the ACIC with the ability to take control of a person’s online account for the purposes of gathering evidence to further a criminal investigation. 

Schedule 1: Data disruption warrants 

7. Schedule 1 amends the SD Act to introduce data disruption warrants. These warrants will allow the AFP and the ACIC to disrupt criminal activity that is being facilitated or conducted online by using computer access techniques. 

8. A data disruption warrant will allow the AFP and the ACIC to add, copy, delete or alter data to allow access to and disruption of relevant data in the course of an investigation for the purposes of frustrating the commission of an offence. This will be a covert power also permitting the concealment of those activities. Whilst this power will not be sought for the purposes of evidence gathering, information collected in the course of executing a data disruption warrant will be available to be used in evidence in a prosecution. 

9. The purpose of the data disruption warrant is to offer an alternative action to the AFP and the ACIC, where the usual circumstances of investigation leading to prosecution are not necessarily the option guaranteeing the most effective outcome. For example, removing content or altering access to content (such as child exploitation material), could prevent the continuation of criminal activity by participants, and be the safest and most expedient option where those participants are in unknown locations or acting under anonymous or false identities. Under these circumstances, it may be prudent for the AFP or the ACIC to obtain a data disruption warrant. 

10. Applications for data disruption warrants must be made to an eligible Judge or nominated Administrative Appeals Tribunal (AAT) member. A data disruption warrant may be sought by a law enforcement officer of the AFP or the ACIC if that officer suspects on reasonable grounds that:

• one or more relevant offences are being, are about to be, or are likely to be, committed, and 

• those offences involve, or are likely to involve, data held in a computer, and 

• disruption of data held in the target computer is likely to substantially assist in frustrating the commission of one or more of the relevant offences previously specified that involve, or are likely to involve, data held in the target computer. 

11. An eligible Judge or nominated AAT member may issue a data disruption warrant if satisfied that there are reasonable grounds for the suspicion founding the application for the warrant and the disruption of data authorised by the warrant is justifiable and proportionate, having regard to the offences specified in the application. The issuing authority will consider, amongst other things, the nature and gravity of the conduct targeted and the existence of any alternative means of frustrating the commission of the offences. 

12. Information obtained under data disruption warrants will be ‘protected information’ under the SD Act and be subject to strict limits for use and disclosure. Consistent with existing warrants in the SD Act, compliance with the data disruption warrant regime will be overseen by the Commonwealth Ombudsman. 

Schedule 2: Network activity warrants 

13. Network activity warrants will allow the AFP and the ACIC to collect intelligence on criminal networks operating online by permitting access to the devices and networks used to facilitate criminal activity. 

14. These warrants will be used to target criminal networks about which very little is known, for example where the AFP or the ACIC know that there is a group of persons using a particular online service or other electronic platform to carry out criminal activity but the details of that activity are unknown. Network activity warrants will allow agencies to target the activities of criminal networks to discover the scope of criminal offending and the identities of the people involved. For example, a group of people accessing a website hosting child exploitation material and making that material available for downloading or streaming, will be able to be targeted under a network activity warrant. 

15. Intelligence collection under a network activity warrant will allow the AFP and the ACIC to more easily identify those hiding behind anonymising technologies. This will support more targeted investigative powers being deployed, such as computer access warrants, interception warrants or search warrants. 

16. Network activity warrants will allow the AFP and the ACIC to access data in computers used, or likely to be used, by a criminal network over the life of the warrant. This means that data does not have to be stored on the devices, but can be temporarily linked, stored, or transited through them. This will ensure data that is unknown or unknowable at the time the warrant is issued can be discovered, including data held on devices that have disconnected from the network once the criminal activity has been carried out (for example, a person who disconnected from a website after downloading child exploitation material). 

17. The AFP and the ACIC will be authorised to add, copy, delete or alter data if necessary to access the relevant data to overcome security features like encryption. Data that is subject to some form of electronic protection may need to be copied and analysed before its relevancy or irrelevancy can be determined. 

18. Applications for network activity warrants must be made to an eligible Judge or nominated AAT member. A network activity warrant may be sought by the chief officer of the AFP or the ACIC (or a delegated Senior Executive Service (SES) member of the agency) if there are reasonable grounds for suspecting that:

• a group of individuals are engaging in or facilitating criminal activity constituting the commission of one or more relevant offences, and 

• access to data held in computers will substantially assist in the collection of intelligence about those criminal networks of individuals in respect of a matter that is relevant to the prevention, detection or frustration of one or more kinds of relevant offences. 

19. There are strict prohibitions on the use of information obtained under a network activity warrant. Information obtained under a network activity warrant is for intelligence only, and will not be permitted to be used in evidence in criminal proceedings, other than for a breach of the secrecy provisions of the SD Act. Network activity warrant information may, however, be the subject of derivative use, allowing it to be cited in an affidavit on application for another investigatory power, such as a computer access warrant or telecommunications interception warrant. This will assist agencies in deploying more sensitive capabilities, with confidence that they would not be admissible in court. 

20. The Inspector-General of Intelligence and Security (IGIS) will have oversight responsibility for network activity warrants given their nature as an intelligence collection tool. This approach departs from the traditional model of oversight by the Commonwealth Ombudsman of the use of electronic surveillance powers by the AFP and the ACIC. However, the approach is consistent with the oversight arrangements for intelligence collection powers available to other agencies, including the Australian Security Intelligence Organisation (ASIO) and the Australian Signals Directorate (ASD).    

21. The Bill also provides that the IGIS and the Commonwealth Ombudsman will be able to share information where it is relevant to exercising powers, or performing functions or duties, as an IGIS or Ombudsman official. This ensures that where a matter may arise during an inspection that would more appropriately be dealt with by the other oversight body, a framework is in place for the transfer of network activity warrant information, allowing efficient and comprehensive oversight to occur. 

Schedule 3: Account takeover warrants 

22. The Bill inserts account takeover warrants into the Crimes Act. These warrants will enable the AFP and the ACIC to take control of a person’s online account for the purposes of gathering evidence about serious offences. 

23. Currently, agencies can only take over a person’s account with the person’s consent. An account takeover power will facilitate covert and forced takeovers to add to their investigative powers. 

24. An AFP or ACIC officer may apply to a magistrate for an account takeover warrant to take control of an online account, and prevent the person’s continued access to that account. Before issuing the account takeover warrant, the magistrate will need to be satisfied that there are reasonable grounds for suspicion that an account takeover is necessary for the purpose of enabling evidence to be obtained of a serious Commonwealth offence or a serious State offence that has a federal aspect. In making this determination, the nature and extent of the suspected criminal activity must justify the conduct of the account takeover. 

25. This power enables the action of taking control of the person’s account and locking the person out of the account. Any other activities, such as accessing data on the account, gathering evidence, or performing undercover activities such as taking on a false identity, must be performed under a separate warrant or authorisation. Those actions are not authorised by an account takeover warrant. The account takeover warrant is designed to support existing powers, such as computer access and controlled operations, and is not designed to be used in isolation. Strict safeguards will be enforced to ensure account takeover warrants are exercised with consideration for a person’s privacy and the property of third parties. There are strong protections on the use of information collected under the power. 

26. The Bill will require the agencies to make six-monthly reports to the Commonwealth Ombudsman and the Minister for Home Affairs on the use of account takeover warrants during that period. There are also annual reports to the Minister for Home Affairs that are required to be tabled in Parliament. 

Schedule 4: Controlled operations 

27. Schedule 4 will introduce minor amendments to Part IAB of the Crimes Act to enhance the AFP and the ACIC’s ability to conduct controlled operations online. 

28. In particular, the Bill amends the requirement for illicit goods, including content such as child abuse material, to be under the control of the AFP and the ACIC at the conclusion of an online controlled operation. 

29. This is intended to address how easy data is to copy and disseminate, and the limited guarantee that all illegal content will be able to be under the control of the AFP and the ACIC at the conclusion of an online controlled operation. 

30. This amendment will not change the overall intent of the controlled operations, which is to allow for evidence collection.

As with all legislation of this type, the devil is in the detail and there are a range of concerns. 

The additional powers in the Bill to circumvent encryption raise questions about the problematical Assistance and Access Act, which would appear to be either ineffective or - consistent with drip by drip erosion of privacy and other liberties - hasn't gone far enough for the agencies. 

Warrant provision by the AAT rather than judges is inappropriate and deeply concerning. Indeed, when we move from the Memo to the Bill it appears that warrants won't be needed: the proposed legislation features a process for “emergency authorisation” where the data disruption powers could be granted by an “appropriate authorising officer” if 

  • there is an “imminent risk of serious violence or substantial damage to property”, 
  • the data held is immediately necessary for the purpose of dealing with that risk, and 
  • the circumstances are “so serious and the matter is of such urgency that disruption of data held in the target computer is warranted”.