Establishing blockchain policy

This whitepaper aims to explore a policy-based approach to applying blockchains, or more generally Distributed Ledger Technology (DLT) to a limited geographical or market region. In order to do this, we first lay out the problems that DLTs face, and the mitigation strategies that the market is adopting to deal with these limitations. The DLT space is undergoing rapid expansion and the number of projects has become so great, that it is a challenge to list them all. The technologies that are listed are meant to be a high level survey, but so many are named in the sections that follow that a ‘definitions’ section might easily exceed the length of the rest of this paper. We therefore encourage the reader to explore each one on their own and independently evaluate, which approach applies best to their specific needs.

The only definition that we would like to make in this paper is that of blockchains and of distributed ledgers, as we use both terms with slightly different meaning.

Blockchains were the first technological structures to solve the double spend problem and they rely on a massively replicated ledger that is appended by adding transactions in blocks. Each block is cryptographically linked to the previous block with the use of a cryptographic primitive called secure hash.

Distributed Ledger Technology (DLT) is the more general category of solutions that aims to order transactions, but may not use a linked chain of blocks to achieve its goal. Examples of distributed ledgers include Directed Acyclic Graphs (DAGs) and some approaches that aren’t clearly structured as replicated chains of blocks but implement a shared transaction order nonetheless.

Download full report Establishing blockchain policy

PDF, 2.5 Mb

Executive summary

With widespread innovation comes a need for control

Blockchain has been on the lips of innovators and pundits over recent years. The level of interest and investment from technology buffs, venture capital, and established companies alike suggest that the revolutionary technology is here to stay.

The promise of blockchain can be understood best when used as a contrast to traditional integration approaches that focus on permissioned data sharing through a shared data store. Blockchains challenge this with the proposition to minimise the role of the shared service and data component and allow for privacy-friendly, direct peer-to-peer exchange of information that can be cross validated against a shared record of proofs.

As a result, the distributed ledger space might be the fastest growing area of innovation in the entire technology sector today. Along with huge potential to disrupt business and government operations, it presents many challenges. As with all emerging technologies, innovation, expansion, and development have been and will be led by both startups and major technology companies, collaborating and pushing each other to develop sustainable models. However, as with any disruptive technology, it is appropriate that a strategy be adopted to both foster innovation and control missteps that may occur due to experimentation and some inevitable misuse.

These strategies vary from technological routes that address scaling and privacy directly, through standards that address interoperability, to policy that aims to establish an environment for the technology to flourish and deliver its value. Establishing the right policy environment is the most important factor in mitigating the challenges and defining a way for organisations to cooperate, according to defined rules.

The impact of different approaches to blockchain policy

Depending on the appetite for innovation, policies can be either restrictive or permissive. Leaning too far to either end of this spectrum can yield negative results; stagnation if the policy is too restrictive, or harmful compromise if it is too permissive.

A good policy should aim to achieve a stated set of goals, define its scope of operation, be clear on how to operate under it in a compliant manner, and define who the authorities are. Moreover, a policy must evolve in a continuous improvement cycle that adjusts to lessons learned and a rapidly changing technological and global landscape.

Several countries have taken steps to establish such policies for their jurisdictions, varying in both purpose and approach. The United Arab Emirates (UAE) has been very active in this space, launching several programmes that include a blockchain platform for government entities, and a legislative sandbox for fintech startups. The sandbox enables the startups to explore the implications of the technology on the way business is conducted, to aid in defining what regulatory changes may be necessary to adapt to the developing landscape, if any.

Establishing the ground rules for blockchain governance

This paper dives into the challenges that blockchains and the broader distributed ledger technology landscapes pose, like privacy, performance, unpredictability, security, access to law enforcement mechanisms, and cryptocurrency as a new type of asset. The solutions discussed aim to establish some ground rules, which will allow organisations to establish governance structures that will help them navigate the technological landscape, while understanding some of the most important components of a strategic approach to policy.

The following high level strategies are suggested:

Technology – Organisations should adopt a technology-agnostic approach when looking to implement blockchain systems. Identities and data formats constitute core interoperability capabilities.
Governance – Organisations need to adopt flexible policies towards blockchain that are ready for a fast-paced and ever-changing technology landscape. Rigid polices risk becoming quickly outdated.
Governance – Organisations should lean more towards an innovative rather than risk-averse approach to blockchain, as the latter will be prohibitive to launching successful initiatives.

This paper is an output of the 2nd Global Leaders Exchange, held annually at the Future Blockchain Summit, hosted by Smart Dubai and Dubai World Trade Centre.

Assumptions
Strategic considerations
Intellectual property
Interoperability
Incentive models
Privacy and confidentiality
Security
Addressing these challenges through policy

Assumptions

Designing a governance model and policy should be as independent of the chosen technology as possible. This is especially important in a rapidly changing technological landscape, such as the DLT space, where the right choice of technology may change frequently, and there may be several technologies and standards that are in use at the same time. The need for multiple technologies is greater for governance approaches that are aimed at a geographic region, rather than a specific market niche. Whereas a governance model closely associated with a niche market might be able to converge on a small set of technologies, a geographically oriented governance structure will need to cover a broader set of use cases and needs to be more technology agnostic.

As a thought experiment, a good policy and governance model should function well, even when the chosen technology is a shared spreadsheet.

Policies can be difficult to change and so must serve their purposes over extended periods of time, this means that an overly prescriptive policy runs a very high risk of becoming quickly outdated. A policy that is too strongly tied to an industry landscape that has progressed can easily become counterproductive.

Strategic considerations

The goal of a good policy is to establish principles that will achieve a set of desired outcomes. To come up with a good policy, its creators must take into account the possibility that established rules may have consequences that are opposite of the desired outcomes by limiting options or by slowing down its subjects in achieving the desired goals. Therefore, the principles must be carefully considered and evaluated against positive as well as negative effects.

A good strategy for achieving desired outcomes, while avoiding risks can be modeled as a balance of progress versus risk management. If progress is given too much priority, risky decisions may be undertaken and jeopardise the intended goals. On the other hand, if risk management is given too much priority, attempts at progress will be thwarted or subjects may choose other frameworks that are more conducive to achieving the desired goals faster.

For this reason, the right balance for a DLT governance policy should benefit from an approach that leans toward the permissive end of the spectrum. This is especially important because DLT use cases can be tricky to work into models that deliver business value, and falling short of expectations is common.

Innovation is a famously difficult process to navigate as it involves dealing with failure in the face of elevated expectations. If the policy leans too strongly toward restraint before business value has been proven, the policy subjects may become strongly disincentivised from taking on innovative projects and from investing into the space.As use cases prove their value, and where risks to compromising events are deemed to be increasing due to a high amount of activity and decreased visibility, it may become prudent to tighten the policy slowly over time. This is consistent with allowing for a more progressive approach when the adoption and exposure are small, and gradually attenuating risk as the stakes become greater.

Intellectual property

As DLTs are still nascent, research is always ongoing on its component elements, so breakthroughs may be encountered. The approach to intellectual property is evolving too, with some firms applying for patents or following a Software as a Service (SaaS) model, and some offering their technology to the market with permissive open source licensing conditions and full disclosure of source code.

The open approach has proven to be the most effective at spreading new types of solutions, when faced with limited resources for development and distribution. From a policy perspective, giving policy subjects a choice of approach to creating or using intellectual property is desirable, but needs to be balanced with interoperability across the policy’s jurisdiction. Interoperability can be achieved by requiring data interchange format and encryption standards to be followed, so that ecosystem innovation efforts of participants are not restricted by choices made by others. The benefit of standardising interoperability through data and encryption standards is that both data objects and encryption standards can function across blockchain platforms.

An example of the effects of standardisation is that identities issued on several platforms could all serve to access one service, or vice versa, a single identity from one provider could operate across independently developed and operated services.

Interoperability

With numerous DLT networks forming and with the lack of established standards, interoperability may become a barrier for the smaller networks to merge and form larger and possibly higher-value networks. Although there are efforts to provide technical solutions for interoperability, they all present their own challenges. This also contributes to the hesitation companies and government agencies are going through when deciding where to invest in blockchain and which technology to bet on.

Incentive models

DLT use-cases and networks that do not have a proven incentive model, such as the mining model, may struggle with financially maintaining security of the network. Any established network must therefore have funding plans that ensure its adoption and an incentive model that will take hold once the value flowing out of them begins to be realised.

Privacy and confidentiality

As discussed earlier, privacy and confidentiality are key factors when it comes to blockchain and DLT. Information on the blockchain is immutable by design, hence, it is possible that the use of blockchain may bring challenges with complying with privacy regulations and standards, such as the European GDPR (General Data Protection Regulation), Bahraini PDPL (Personal Data Protection Law), Qatari DPL (Data Protection Law) and expected laws across the GCC. The main concern is that data stored in a replicated and indelible medium is a risk to privacy. This is true, even if the data is encrypted, since guarantees about the security of encryption are time-bound for any given encryption scheme. This means that in order for encryption to remain effective, it must be possible to upgrade the encryption when weaknesses are found, and old copies need to be deleted. This is a concern even before we start considering the “right to erasure” that has gained adoption in Europe as an emerging legally required feature of systems that store personal data.

Even in a private blockchain network that implements Zero Knowledge Proofs, where no information is actually stored on the blockchain, the volume of transactions alone may be confidential information between competitors in the same network. This can be another obstacle for blockchain network formation, especially for industry networks that would naturally include competitors.

These challenges mean that the only viable mechanism today for handling personal data is to store and manage it off-chain in traditional systems with known privacy enabling architectures, such as private cloud and point to point encryption.

Security

Private blockchains lose some of the security aspects inherent to fully trustless public blockchains. In a closed loop of trusted nodes, a security breach of one of the nodes might compromise the whole network. This elevates the importance of infrastructure security and key management and presents a crucial area for standardisation and enforcement across all participants.

Addressing these challenges through policy

As a deduction from the previous sections, a good policy in the DLT space needs to be as technology agnostic as possible and permissive in a way that stimulates innovation, while containing risks and mitigating the challenges that impede blockchain adoption and network formation.

Instead of dictating approaches and solutions, the form of which no one can reliably predict, a policy can provide guidance and stimuli for participants to agree on an approach to move forward to test it. As such, a DLT policy might give priority in network formation to industry governing bodies or can stimulate the formation of such bodies that can drive network formation. Additionally, it can identify the areas that network participants need to openly address.

However, one foundational element that can be directly addressed through a policy and that can have a profound effect on blockchain implementation is identity management. Having a trusted source for issuing digital identities for entities and individuals can play a significant role in driving adoption and facilitating interoperability between blockchain networks, and this is not exclusive to private blockchains.

In other areas, policy can provide the general guiding principles, such as requiring that no data gets stored in clear on the blockchain, specifying the minimum security standards that networks need to adopt, and addressing the key laws and regulations that the networks need to uphold while providing support and guidance on the laws and regulations that are not yet ready for a fully-digital age.

Direction of a restrictive vs permissive risk management approach

Examples of nationally led approaches

United Arab Emirates
Malta
Liechtenstein
United States
European Union

United Arab Emirates

The UAE has undertaken a broad and multi-faceted blockchain-themed initiative called Emirates Blockchain Strategy 2021. The aim of this strategy is to transition 50 percent of applicable government transactions to a blockchain by 2021.

As part of this initiative, Smart Dubai has launched a Blockchain Platform as a Service to host government use cases, and there are over 30 blockchain projects under development. Through this policy, government entities are encouraged to establish integration channels with the aim to improve functioning of services that cut across areas of responsibility of several entities, and increasingly to enable digital integration with the private sector.

Abu Dhabi Global Markets Financial Services Regulatory Authority (ADGM FSRA) has initiated a regulatory sandbox and has issued guidance for the regulation of crypto assets with the aim to establish rules to govern the safe operation of cryptocurrency related fintech businesses, while the Central Bank of the UAE (CBUAE) has circled warnings confirming that cryptocurrencies are not considered as a valid/ recognised currency under current regulations/legislation, and are banned from being used in a commercial transaction context.

In addition, the Emirates Authority for Standardization and Metrology (ESMA) are one of the twelve observing members Monitoring ISO/TC 307 (ISO Blockchain Standards).

Malta

Malta’s approach is highlighted by their regulation of blockchain and DLT through technology certification, which has been performed with the aim of not stifling innovation. In particular, the MDIA Act establishes the Malta Digital Innovation Authority, which is entrusted with certifying blockchain and DLT platforms via a system auditor that reviews and assesses the technology arrangement and provides assurance on the solution’s quality and characteristics. This has been developed to enhance the community’s trust in the technology by creating a form of regulation through certification in a sector that is currently lacking such measures.

Liechtenstein

On the other hand, Liechtenstein has focused on regulating the token economy, whereby its blockchain act focuses on the creation, storage, and transfer of tokens, along with the security for enforcement of the rights associated with every token, thus creating a token economy.

United States

In the United States, several different policies can be observed. The federal government has taken a hands off approach, enabling state governments to create and implement their own policies and regulations. In a bid to attract innovation, some states have taken the approach of removing the legal barriers for the adoption of blockchain by developing blockchain-friendly legislation. For instance, the State of Illinois has published the Blockchain Technology Act, specifying the permitted use of Blockchain for conducting business and prohibiting local government restrictions on Blockchain or smart contracts.

Another state that took the lead in creating a permissive policy is Wyoming. The state has passed a collection of 13 blockchain and cryptocurrency friendly laws. Among them is the establishment of a new type of bank that can hold crypto assets for its customers starting in 2020.

The state of New York took a more restrictive approach by creating the BitLicense, which is issued by the New York State Department of Financial Services. Under this regime, any business operating in the virtual asset space must first obtain approval for a license to carry out activities.

European Union

The European Union has taken a measured approach to introducing blockchain-related policies or legislation, adopting a permissive stance with wide discretion given to the member countries. An early permissive move in 2015 by the EU was to allow exchanges of traditional currency for cryptocurrency not to charge VAT on their service, effectively allowing cryptocurrencies to function as forms of money. As a restrictive counterbalance, the EU has also mandated KYC and AML measures to be implemented by exchanges under the Fifth Money Laundering Directive (5MLD).

In addition, The European Parliament is requesting that the European Commission and other EU authorities take various steps to maximise the potential of Blockchain and DLT in the EU, and that any regulatory approach towards DLT should be innovation-friendly, should enable passporting, and should be guided by the principles of technology neutrality and business-model neutrality. They have also underlined that the Union should not regulate DLT per se, but should try to remove existing barriers to implementing Blockchains, calling on the Commission and the Member States to foster the convergence and harmonisation of regulatory approaches. This supports the Commission’s approach of following a use-case method in exploring the regulatory environment around the use of DLT and the actors using it by sector.

The European Data Protection Supervisor (EDPS), the EU’s independent data protection authority, has been given the responsibility of: providing further guidance on how DLT can comply with the EU legislation on data protection, and in particular, the General Data Protection Regulation; working with international organisations to enhance the development of technical standards for smart contracts and to undertake an in-depth analysis of the existing legal framework in all member states on the enforceability of smart contracts; assessing whether any potential barriers to use of smart contracts are proportionate, noting that legal certainty could be enhanced through coordination and mutual recognition between member states; and analyse whether a European passport for DLT-based projects could be introduced to enhance legal certainty for investors, users and individuals and promote financing to small- and medium-sized enterprises.