“Trust the process”? – Privacy and cyber security issues with legal proceedings via NFT | Locke Lord LLP
Recently, courts in New York and London issued orders in two unrelated cases – LCX AG v 1.274M US Dollar Coin[1] and D’Aloia v. Binance Holdings and others[2] – authorizing the plaintiffs to serve proceedings on anonymous defendants using a non-fungible token (“NFT”).
These appear to be the first known legal decisions allowing service using NFTs, transferred by means of “airdrop” into the defendants’ wallets on the Ethereum blockchain. Delivery of a token by airdrop involves the sender transferring a token from one wallet to another party’s wallet on the blockchain, typically on an unsolicited and unexpected basis.
This article addresses the privacy and cyber security implications of effecting (and receiving) service via NFT in this way.
Background: NFTs
NFTs have found prominence in the last 18 months mainly as a medium for collectibles, especially digital artwork, but there are potentially several different uses for the technology.
NFTs are uniquely identifiable packets of information stored on the blockchain (usually the Ethereum blockchain network). This information may include smart contracts (which are essentially lines of code that specify the parameters of how the NFT works) and associated media, such as text, image files, music or videos. This media information can be stored “on-chain” (ie as data stored on the blockchain network itself), but is more often stored “off-chain”, ie on the conventional world wide web, with the on-chain token simply acting as a pointer to the relevant media file.
Various uses for NFTs and blockchain have been explored in recent years, such as: ticketing,[3] property rights records[4] and identity verification.[5] However, NFTs and blockchain are not typically used to transfer personal or business communications. Despite the decisions in New York and London, service of court proceedings via NFT is unlikely to become the norm anytime soon. Although it is now legally and technologically possible to serve proceedings by this method (subject to a court’s permission), conventional methods of service, such as post, courier or email, are likely to remain the most appropriate to use for the foreseeable future.
Having said that, service by NFT can have a real and practical use in litigation in a number of situations:
- For claimants who are victims of crypto-asset theft or fraud, where the identity of a defendant(s) is unknown (beyond a wallet address on the blockchain);
- When the defendant’s wallet is not linked to a centralized exchange (eg Binance or Coinbase) so that the defendant’s identity cannot be ascertained through third party disclosure orders against the exchanges.[6]
- When timing is essential, for example to reduce the risk of the defendant dissipating assets.
- When the defendant is outside the plaintiff’s jurisdiction and service by conventional means (such as mail or even through diplomatic channels) can take several weeks if not months.
LCX and D’Aloia
In LCX and D’Aloia, the claimants were victims of cryptocurrency theft and fraud respectively. LCX involved the theft of US$8 million of cryptocurrency from the claimant’s wallet, while D’Aloia alleged that he was the victim of a scam in which he was tricked into transferring cryptocurrency into wallets controlled by one or more unknown individuals, operating under the guise of a website with the domain tda-finan.com.
In each case, the claimant commenced proceedings to recover the cryptocurrency and applied for the court’s permission to serve the proceedings on the defendants via NFT (“Service Token”). At the time of the proceedings, the personal identity of the defendants was not known beyond their wallet addresses (which take the form of a unique hex string of 42 characters), nor was it possible to identify the residences or places of business of the individuals who controlled these wallets. As such, the plaintiffs sought permission to serve court documents by sending a Service Token to these wallets.
In LCX, the Service Tokens contained a hyperlink to the website of the claimant’s attorneys, which hosted the relevant court documents being served.[7] The hyperlinks also contained a tracking mechanism, so that it could be determined whether the defendant clicked through to view the relevant documents. It is unclear from the reported decision in D’Aloia how the relevant documents were transferred in that case.
Privacy considerations
There are two aspects of blockchain technology that are fundamentally incompatible with the privacy and rights of individuals under the EU General Data Protection Regulation (“GDPR”) and the UK Data Protection Act 2018 (“DPA”):
- Blockchain is a public ledger, meaning that anyone in the world can see its contents; and
- Blockchain is immutable, meaning that information on the blockchain network cannot be deleted.
Inspection of Court Documents: The fact that the blockchain is public means that service via an NFT airdrop (including when linked to documents hosted on a public website) may be impractical in cases where the court documents contain testimonial evidence and confidential or private information, particularly where an injunction is involved. In theory, the rest of the world can find out about the proceedings when service is effected via the blockchain.[8]
Tracking: Privacy laws can also create difficulties in using a tracking mechanism that can confirm that the defendant received the proceedings. It may be that the website hosting a hyperlink to legal documents can handle this by referring users to an appropriate privacy policy and/or cookie policy, but this needs to be considered on a case-by-case basis.
Deleting data: The immutability of data on the blockchain makes it difficult (if not impossible) to delete the contents of an NFT. The inability to delete data generally violates many privacy laws, including the GDPR and the California Consumer Privacy Act (“CCPA”), because data subjects have the right to request the deletion or correction of their personal data. This means that it may never be practical to host legal documents on the blockchain itself – parties must therefore rely on conventional internet sites to host information and/or documents (as was the case in LCX), with the blockchain token acting more like a digital signpost and not containing any personal data itself. The fact that the defendant may be anonymous and identifiable only by reference to a wallet address is irrelevant, as privacy legislation defines personal information or personal data broadly. For example, the CCPA[9] includes “unique personal identifier” as protected information, and the GDPR in the UK and EU also includes an “identification number” or “online identifier” in its definition.[10]
In addition, some laws give a data subject the right to request the deletion of their personal data. If, several years after the court case was settled or closed, a data subject whose identity corresponded to (or included) a wallet address wanted to exercise their legal rights to have their personal data deleted, this would not be possible if the information was stored exclusively on the blockchain.
Cyber security concerns
Interaction with airdropped tokens: It is increasingly common for blockchain wallet owners to see malicious or spam tokens airdropped into their wallets[11], in what is essentially a Web 3.0 version of phishing. If malicious tokens are interacted with, they can do anything from directing wallet owners to fraudulent websites, to executing smart contracts that drain the entire contents of an owner’s wallet. Parties in control of a wallet are therefore advised never to interact with airdropped NFTs or click on hyperlinks from unknown sources. With this in mind, the transfer of important legal documents via an airdropped NFT may well be ignored by the recipient.[12] This does not matter in practice, because the doctrine of service of legal documents generally relies on constructive notice, in much the same way that service of documents by post or email works (ie, it does not matter whether the party being served has actually seen the documents, as long as the serving party has taken the relevant step to serve).
To the extent a law firm or claimant receives a follow-up token on the blockchain from the defendant (e.g. purporting to be a read receipt or to serve documents in return), they would also be well advised not to interact with the token and to seek help from blockchain professionals.
Creating and Sending the Service Token: Most legal advisors and claimants – especially individuals – are unlikely to have the expertise to create an NFT without the help of professionals experienced in blockchain and crypto-asset matters. It may therefore be necessary to work with trusted third-party providers to create a Service Token (along with a tracking mechanism if desired) and transfer it over the blockchain. It may also be necessary to create a wallet from which to send the Service Token. To the extent law firms engage in activity of this nature, they need to review their internal IT and risk management policies, as many firms may have restrictions in place relating to crypto assets. Firms may also wish to consider the implications of creating and/or sending a Service Token, with respect to any liability they may incur as a result of conducting crypto-asset transactions, particularly if the defendant were somehow to claim or suffer damage or loss as a result of having received or interacted with the token.
Conclusion
The prospect of serving legal proceedings via NFT is an exciting development in litigation and may be appropriate (if not the only option) in certain types of litigation. However, the parties and their legal advisors must think carefully and conduct a risk analysis before jumping on board the NFT service bandwagon in any given case.
—–
[1] LCX AG v. 1.274M US Dollar Coin, No. 154644/2022, 2022 WL 3585277 (NY Sup. Ct. Aug. 21, 2022).
[2] [2022] EWHC 1723 (Ch).
[3] Seatlabs is an example of NFT based event tickets – https://www.seatlabnft.com/
[4] The Dubai Land Department, for example, has led the charge in adopting blockchain technology since 2017: HM Land Registry in England and Wales has been considering blockchain technology for a similar period.
[5] Goldfinch, a decentralized credit protocol, recently created Unique Identity (UID) NFTs. These are non-transferable tokens that represent on-chain KYC and investor verification:
[6] Exchanges should have KYC (“know your customer”) records on all their account holders, although it may take some time to get this information in practice – at the very least, a court order is likely to be required, and even then that data can be inaccurate, especially in cases where the defendant is an alleged fraudster.
[7] https://www.hklaw.com/en/general-pages/lcx-ag-v-doe
[8] This is in direct conflict with the procedure in England, for example, where court documents cannot be opened to non-parties until all defendants have filed an acknowledgment of service, and even then witness evidence is generally not made available to non-parties.
[9] Cal. Civ. Code § 1798.140 (West).
[10] Article 4(1) of the GDPR (which also has effect in the UK by virtue of the DPA 2018).
[11] Monkey-themed phishing scams are on the rise, experts warn
[12] The same can be said for service by e-mail (ie a cautious e-mail user would be well advised not to click on hyperlinks in an e-mail they do not expect to receive), which is consistent with the restrictive approach taken by the English courts and the civil procedure rules, which only permit service by email where the recipient has expressly consented to being served by such means.