For Rules in Technology, the Challenge is to Balance Code and Law
This article is part of our latest DealBook special report on the trends that will shape the coming decades.
The first time the Harvard law professor Lawrence Lessig told computer scientists they were the unwitting regulators of the digital age — about 20 years ago — he made a coder cry. “I am not a politician. I’m a programmer,” Mr. Lessig recalls her protesting, horrified by the idea.
Now, the notion that “code is law” — from Mr. Lessig’s 1999 book “Code and Other Laws of Cyberspace” — does not shock young engineers or lawyers, the professor says. To digital natives it is “obvious” that technology dictates behavior with rules that are not value neutral.
Big tech companies have reluctantly admitted the same, with Meta, the social media company formerly known as Facebook, going as far as establishing a courtlike board of experts to evaluate decisions dictated in part by programming. And one relatively young sector of tech — the cryptocurrency industry — has embraced the concept of “code as law” wholeheartedly, with some companies explicitly arguing that code can be a better arbitrator than traditional regulators.
Many crypto fans are betting on a future where we bank, create, play, work and trade on platforms with code running the show, and in the booming decentralized finance (DeFi) sector, automated “smart contracts” that are programmed in advance to respond to specific sets of conditions already handle billions of dollars in transactions daily, with no need for human intervention, at least theoretically.
Users put their full faith in programming. No one shares personal information. Code does it all and is supposed to be the whole of the law. “There’s no human judgment. There’s no human error. There’s no processes. Everything works instantly and autonomously,” said Robert Leshner, who founded the DeFi money market protocol Compound, in an interview in August.
But while the idea of a perfectly neutral, self-patrolling system is appealing, high-profile mishaps have cast doubt on the idea that code is a sufficient form of regulation on its own — or that it is immune to human mistakes and manipulation.
A smart contract executes automatically when certain conditions are met. So if there is a bug in the system, a user might be able to trigger an unearned transfer all while technically following the “law” of code. This is what allowed a $600 million theft this summer from the Poly Network, which lets users transfer cryptocurrencies across blockchain networks. The thieves are believed to have taken advantage of a flaw in the code to override smart contract instructions and trigger massive transfers, essentially tricking the automation into operating as if the proper conditions for a transfer were met.
“If you can tell a smart contract to ‘give me all your money’ and it does, is it even theft?” the computer scientist Nicholas Weaver of the University of California, Berkeley, wrote about the theft. Unlike old-school agreements, Weaver wrote, ambiguities with smart contracts cannot be resolved in the courts and automated deals are irreversible — so developers must resort to begging when things go awry.
After the $600 million theft, the Poly Network tweeted a request that began, “Dear Hacker,” asking them to return the funds and calling the act “a major economic crime.” Ultimately, most of the money was returned, talk about law enforcement stopped and the hackers said they wanted to show the code was flawed to protect the network.
Similarly, a software upgrade in Compound in September resulted in $90 million being erroneously issued to users. Mr. Leshner said recipients who didn’t return the crypto would be reported to tax authorities, prompting outcry from his community for undermining claims that these programs cannot technically comply with traditional regulatory requirements to identify users. The request also undermined claims that DeFi has no need for oversight from traditional regulators — when a problem arose, Mr. Leshner cited government authority.
For now, DeFi platforms operate in a regulatory gray space, subject to the law of private coders who claim no control over the organization’s governing programs. Platforms and apps built for blockchain networks are often formed under a new kind of business structure known as a Decentralized Autonomous Organization, or DAO, ostensibly democratically governed by a community of users who vote with crypto tokens.
But there are always people behind the code, as disasters have shown.
“That it’s all code and no humans is simply not true. In cases of urgency, this is when you see where power lies,” said Thibault Schrepel, who teaches law at Amsterdam University and created the “computational antitrust” project at the Stanford University CodeX Center for Legal Informatics.
The reason no one wants to claim control of decentralized programs is that disclaiming control limits liability — with no one in control, there is no one to punish for problems and nowhere to implement the law, Mr. Schrepel explained. “But the idea that code — alone — is sufficient, is wrong,” he said. And if the blockchain community uses code to evade regulation, Mr. Schrepel argues, this will only hamper innovation.
He is part of a generation of techno-lawyers who want to bridge the gaps between code and law. Ideally, he said, code and law could work together. Smart contracts on the blockchain could be used by businesses to collude or to enhance competition, so regulators could analyze code and software programming, cooperating with core developers of decentralized systems. Similarly, policymakers could start translating traditional notions of risk mitigation into code for decentralized finance programs, thinking about how to turn the equivalent of the reserve requirements that banks have into parameters for programs.
“I’m not going to say it’s easy to advance our thinking,” said Chris Giancarlo of the law firm Willkie Farr & Gallagher, a former chair of the Commodity Futures Trading Commission and author of “CryptoDad: The Fight for the Future of Money.” Still, he asks, “Shouldn’t we try to rethink our approach to regulation to achieve the same policy goals, but in a different way?”
Mr. Lessig agrees. “We need a more sophisticated approach, with technologists and lawyers sitting next to behavioral psychologists and economists,” all defining parameters to code social values into programs so that private interests don’t replace them with their own. “We’re facing an existential threat to our democracy and we don’t have 20 years to wait.”