Dear Ms. Cameron,
ConsenSys Software Inc. respectfully submits this letter in response to the Crypto and Digital Assets All Party Parliamentary Group’s (APPG) inquiry into the UK crypto and digital assets sector. ConsenSys was founded in 2016 after the launch of the Ethereum protocol with the goal of facilitating decentralisation through the development of blockchain-based computing platforms. We believe that, through decentralised networks like Ethereum, we can innovate and achieve like never before. We have dedicated our people, products, and resources to help drive this evolution.
ConsenSys is the leading Ethereum software company. We enable developers, enterprises, and people worldwide to build next-generation applications, launch modern financial infrastructure, and access the decentralised web. Our software suite, composed of MetaMask, Infura, Quorum, Truffle, Codefi, and Diligence, is used by millions and supports billions of blockchain calls. Ethereum is the largest programmable blockchain in the world, leading in developer community, user activity, and business adoption. On this trusted, open source foundation, people around the world are building the digital economies and online communities of tomorrow.
As members of the APPG work on legislative and regulatory proposals, we encourage policymakers across government to pay attention to the innovation in the programmable blockchain ecosystem. This ecosystem not only offers the opportunity for economic growth but also the potential to make the internet more open, egalitarian, private, and secure.
We view this letter as an invitation to converse further, and we hope to engage with you in greater depth on the summarised points set forth below. We appreciate the opportunity to collaborate with you on the important task of bolstering innovation while mitigating the risks that new technologies may present.
The potential opportunities associated with crypto and digital assets in the UK
While considerable attention to date, both regulatory and otherwise, has focused on the price of digital tokens and the speculation often attendant in their issuance and secondary market trading, we encourage the APPG to focus on the technological functionality of nascent blockchain networks and consider regulatory issues around blockchain protocols from this perspective.
As the members of the APPG will be aware, programmable blockchains like Ethereum allow anyone to write and publish code that is accessible to anyone else so long as they have access to the blockchain network and the ability to compose and transmit on-chain transactions. In recent years, the increase in blockchain software development, as reflected in the number of developers committed on platforms such as GitHub to solve particular programming problems, has been notable. According to one analysis published at year end 2021, over 18,000 monthly active developers were working on blockchain programming projects, with over 34,000 new developers migrating to the blockchain ecosystem in 2021. While these numbers may be small compared with the global developer community writ large, the trend of developers expressing their interest in and becoming proficient at blockchain software development is unmistakable.
This trend is also something that ConsenSys is working hard to bolster by offering software platforms that permit developers to innovate new tools that can be shared with an increasingly broad user base. While the ConsenSys product, MetaMask, is recognized as the world’s most popular Ethereum self-hosted wallet, few recognize that it is as much a developer platform as it is a client-side key management solution. The clearest expression of this is the release of MetaMask Flask, which is an experimental MetaMask application that allows developers to create new features that can be tested and refined before offering to the public more broadly. The first feature offered through Flask is the Snaps system, which allows developers to create their own programs that expand the functionality of the wallet. ConsenSys is not alone in working to bolster developer engagement and productivity. Examples abound of a thriving developer ecosystem where brilliant minds from all over the globe are tackling the novel problems presented by a nascent technology.
Software developers who are creating protocols and related software that the whole world can use can essentially work from anywhere and hire people from anywhere. They will be incentivized to work from and hire from jurisdictions which best serve their development vision. Jurisdictions that have more pro-blockchain innovation regulatory approaches will, over time, inevitably attract more and more of the best projects and talent.
For a jurisdiction to be a leader in this space, it need only have reliable electricity and internet service—the base inputs for software development—and one or more reasons that developers would want to work from there. The first thing the UK can do to build a reputation as a preeminent jurisdiction for developers is to alleviate software developers’ concern that their open source project will snag some inconspicuous regulatory trip wire and result in severe legal consequences. An unfavourable regulatory environment would only ensure that foreign-based developers define the cutting edge of innovation in the blockchain ecosystem. The UK is currently lagging behind the US in terms of the levels of blockchain software development and crypto investment. While this is partially due to factors such as a larger consumer market, a different risk appetite and greater access to venture capital funding in the US, a competitive regulatory regime in the UK could contribute to reversing this trend and attracting more crypto investment to the UK.
The UK’s current state of regulation of crypto and digital assets and the role of UK regulators
The UK’s legal and regulatory regime has solid building blocks that can be leveraged to fulfill the Government’s ambition to make the UK a global hub for crypto investment. These include: (i) a rule of law which enforces contractual rights, protects commercial freedom, and ensures disputes are reliably adjudicated; (ii) a highly skilled private legal sector that has the expertise to provide cutting-edge legal advice to technology companies, as well as support them in accessing capital markets or other forms of fundraising; and (iii) regulators that provide clear, consistent guidance informed by views from the industry, as further discussed below.
The FCA has built a reputation for issuing clear, consistent and accessible guidance. For example, the 2019 Guidance on Cryptoassets (PS19/22) has provided industry participants with some much needed clarity around the regulatory perimeter since the early stages of crypto. Another positive aspect of the UK regulatory regime is the clear division of responsibilities between the FCA and the Bank of England, which enhances regulatory clarity and facilitates engagement with the relevant regulators. This is an advantage compared to the US, where industry participants often have to grapple with conflicting comments from different regulatory agencies and inconsistent interpretations of key concepts such as whether certain cryptoassets are “securities”.
We also appreciate the UK regulators’ data-driven approach to policy making, informed by the regulators’ own research as well as data provided by the industry through public consultations. We encourage the FCA and the Bank of England to continue to back their policies by robust data about the cryptoasset industry. This will ensure that policies are not influenced by misconceptions about cryptoassets or their users.
We can contrast the UK regulators’ transparent and predictable approach to policy making with the EU’s recent negotiations on MiCA and ToFR, which largely happened behind closed doors with limited information being released to the public in advance of important decisions. The latter approach has left stakeholders with little time to engage and this has resulted in several unsuitable proposals in the earlier drafts of the regulations, including the requirement to verify owners of third party unhosted wallets or the (widely misconstrued) “ban” on proof of work networks. Although these proposals were fortunately not included in the final political agreement regarding the new regulations, they caused a great deal of concern and confusion in the crypto community and have harmed the perception of the EU as a place for crypto businesses. This can be contrasted with the transparent consultation process on amendments to the UK Money Laundering Regulations, where industry input helped HM Treasury reach the sensible decision against requiring verification of information collected in connection with unhosted wallet transfers.
Against the backdrop of recent comments from the EU suggesting additional scrutiny of unhosted wallet software usage, the UK has an opportunity to lead the discussion by recognising unhosted wallets for what they are. Unhosted wallets are the mechanism through which users do far more than merely hold, send, and receive virtual currency. They are increasingly an interface through which users control their digital identity, participate in online communities such as DAOs, and engage in commercial activity that does not give rise to any meaningful risk of money laundering or terrorist financing. It is important that any new proposals do not limit the licit use of unhosted wallet software and do not impose greater reporting duties or surveillance burden on users.
At the same time, users could be better served if the industry, in consultation with regulators, developed standards around these interfaces to better protect users from bad actors, security vulnerabilities, and other risks. It is critical that the right balance be struck between fostering innovation and user protection, and that requires a thoughtful, iterative approach. Greater consumer confidence in using unhosted wallets will lead to greater adoption among UK users, which may in turn encourage new investments in crypto-related projects built by teams in the UK.
Another area where UK regulators can lead the way is in exploring ways to address the imbalance of information between mainstream consumers and decentralised applications. The aim of addressing information asymmetries, of course, is to enable consumers to make more informed decisions.
How best public policy can mitigate risks in this nascent ecosystem is a complex question that cannot necessarily be answered by simply extending existing regulations. This is because existing regulatory regimes generally assume the existence of a centralised intermediary. At its heart, crypto is about peer-to-peer transactions that are possible because code replaces the traditional intermediary. How the UK decides to regulate against risks in such a system will determine whether the UK becomes a leader in crypto innovation.
Despite the FCA’s efforts highlighted above, its reputation has recently been harmed by delays in processing applications to register under the Money Laundering Regulations regime, as reported by numerous cryptoasset businesses. This has cast a negative light on the FCA and the UK’s efforts to attract crypto companies more generally. These negative effects may persist for years to come. Several crypto operators have reported decisions to move out of the UK and service their UK clients from overseas. This is an unfortunate outcome, both for UK customers who may not benefit from the protections offered by UK regulations, and for the UK’s competitiveness. Timely communication with regulators and predictability of outcome are important considerations for attracting crypto businesses. The UK government should ensure the regulators have the resources they need to meet these expectations.
The UK regulators’ ability to act nimbly and free from lengthy negotiations with other EU states is a competitive advantage that should be used to its full potential. ConsenSys is committed to sharing its technical and industry expertise, and welcomes opportunities for discussions with UK regulators through public consultations or more informal engagements such as the recent FCA CryptoSprint.
For purposes of this comment, we focus on certain risks associated with using blockchain software (both on-chain code and off-chain tools) and participating in blockchain ecosystems. We also provide some observations on how these risks may be mitigated.
Those who hold digital assets and use them on blockchain protocols are often the targets of scams designed to separate those users from their tokens. As the owner and operator of the MetaMask wallet, ConsenSys sees this phenomenon as regularly as anyone. MetaMask users are targeted on social media and via email by phishers looking to defraud the users into sharing their wallet passwords, which only the users may possess and safeguard. Currently, around 80% of all customer complaint tickets that MetaMask receives through its customer support channel are users reporting phishers. While we maintain a list of reported domains and take steps to warn users against visiting those sites, it is very difficult to keep up with the volume of reports. The situation is made worse by social media platforms like Twitter, where tweeting the word “MetaMask” will conjure bots trying to coax you into handing over your wallet. Those social media platforms have not taken any effective steps to reduce the predatory activity happening on their sites.
Several approaches to this problem are worth pursuing. First, social media platforms that are feeding grounds for predatory phishers should invest more time and attention to eliminating this type of predatory behaviour, particularly where these scams are being launched through paid advertising campaigns to the benefit of these platforms. If you are capable and willing to police the content of speech on your website, you can be rightfully expected to take seriously the explicitly illegal scams that use your platform to target your users.
Second, regulators and law enforcement could collaborate more closely to report, investigate, and disrupt large, organised phishing scams. In this respect, we applaud the actions of the Advertising Standards Authority in tackling online scams through its Scam Ad Alert system. In particular, its partnership with the major digital advertising and social media platforms has the potential to effectively tackle fraudulent ads, including those relating to crypto investment. The online community of users can significantly contribute to these efforts if there is a scam reporting system that is widely publicised and easily accessible to users.
Third, the blockchain ecosystem should also do its part in creating tools that fight back against the tide of online predators. Indeed, this approach is already being taken in a number of forms, including the project “MobyMask”, which is the brainchild of a MetaMask developer. This platform would allow users to report Twitter phishing bots by Twitter handle to create a shared database that would be updated in an accountable and transparent way. The database would serve as a peer-to-peer anti-phishing database that could be integrated into user interfaces for the purpose of warning users. While the project is still in proof-of-concept phase, it is an example of the initiative of the blockchain developer community to tackle and solve problems facing the space through innovation.
b) Hacks and bugs
One risk of on-chain software (i.e. smart contracts) is that it will be hacked by a malicious actor or that it contains a latent bug that may result in a user losing funds. These risks have been highlighted in recent news coverage of a number of sophisticated hacks of protocols and contracts in recent months.
These technological challenges are difficult to address because composing reliable, readily available, and resilient software is very difficult. But they are not insurmountable. First, it is important to remember that blockchain software is in its very early stages. Those who are building and participating in very much experimental protocols are generally aware of the risks they are taking and do so freely. When vulnerabilities are discovered, sometimes through hack or transaction failure, solutions are fashioned to avoid a repeat of the problem.
Second, as protocols age, users have a longer track record of reliable performance upon which they can rely when using the protocol. While risks do not completely disappear, they do meaningfully decrease the longer a protocol has functioned without being hacked or suffering from a material bug in the code.
Third, best practices with respect to software development help reduce the risks of hacks and bugs. These best practices include having a third party code audit conducted before the software is released. ConsenSys specialises in this type of service through its Diligence offering. Diligence maintains a suite of blockchain security analysis tools and pairs up that service with in-person review of smart contract code by a qualified code auditor. This service has been increasingly popular among smart contract developers who wish to avoid vulnerabilities, employ mitigation best practices, model possible threats, and test their software before it is published. The Diligence team has worked on projects for many of the most notable names in the blockchain developer community, such as Uniswap and Aave. Industry-led solutions like software auditing will play an important role in keeping blockchain network users safe from hacks and bugs.
Some programmable blockchain protocol users do not understand that, when they interact with a smart contract, they are often giving that software their approval to send the tokens in their wallet to other addresses. This is a risk to users because, while some contracts require the user to grant narrowly tailored approvals to leverage their functionality, some smart contracts require broad approval, up to and including control over all tokens in one’s wallet for whatever purpose. These contracts are either irresponsibly written or, in some instances, purposefully malicious. An example of a malicious smart contract is one that purports to distribute (or “airdrop”) a fungible token or series of new non-fungible tokens (“NFT”). When a user signs an approval to receive the airdropped tokens or to mint a new NFT, the smart contract instead is programmed to drain the user’s wallet of some or all tokens.
Blockchain developers are addressing this problem through development of sound industry best practices. MetaMask, for one, is considering solutions that can be integrated into the MetaMask interface to warn users whenever a smart contract is asking for unlimited approval over their wallet. In addition to improved ecosystem tooling, user familiarity with how smart contracts function and their attendant dangers will also reduce this risk. Just as it became commonly understood risk management when navigating the internet not to click links or download files relating to unfamiliar websites, so too will it become more common for blockchain users to understand and avoid risky interaction with on-chain software. Government, law enforcement in particular, can greatly assist with reducing this risk by working with industry to pursue any and all malicious actors who are deploying malicious smart contracts to prey on UK users.
d) Software as middleman
Blockchain front-end interfaces that facilitate consumer engagement with on-chain smart contracts perform a valuable service today and will undoubtedly continue to. Given the already complex ecosystem of permissionless blockchains, composable smart contracts, and user-friendly web-based interfaces, end users today largely have to trust the web-based interfaces to be honest, secure, and reliable. As stated above, users could be better served if the industry, in consultation with regulators, developed standards around these interfaces to better protect users from bad actors, security vulnerabilities, and other risks. It is critical that the right balance be struck between fostering innovation and user protection, and that requires a thoughtful, iterative approach.
A serious question the industry must consider is whether a software provider that is providing a front-end interface or even on-chain smart contracts as a business should be publishing information to better inform users about the functionality and risks of that software, and how such information could be most productively conveyed. These risks relating to an informed user base are more quickly and productively addressed by the industry setting and organically enforcing disclosure standards.
Addressing financial crime risks
The risk of financial crime is as important as any risks attendant to programmable blockchain systems. There are two broad points to understand about how financial crime risks can be mitigated.
First, there are new tools native to the digital asset ecosystem that allow law enforcement to more effectively detect, track, and identify criminals that are using blockchain networks to commit crimes and abscond with illicit gains. These new approaches generally do not rely on the traditional model of deputising middlemen to require users to identify themselves, monitor transactions, and report suspicious behaviour. We support law enforcement and regulators increasing their proficiency with these new software tools that leverage the transactional transparency of public blockchains. But it is imperative that these tools be used responsibly and in accordance with the rule of law, regardless of whether the government uses them directly or third party private organisations use them at the government’s behest.
Second, bad actors that are committing crimes targeting or using digital assets generally still aim to exit the blockchain ecosystem with any ill-gotten gains by converting them into fiat currency. Illicit digital asset proceeds are most vulnerable to seizure and recovery when they are turned over to a third party fiat off-ramp in anticipation of converting to fiat and ultimately withdrawal. It is these off-ramps that are rightfully receiving law enforcement and regulator attention to better interrupt a bad actor’s access to fiat currency.
ConsenSys knows this from direct experience. When a MetaMask user contacts our customer support group to report a phishing attack, we have in certain instances been able to track the stolen funds to an account on an exchange. After sharing this information with the user, we have attempted to make contact with someone working at the exchange to get them to intervene. In most instances, those efforts have not elicited a response either at all, or in time to prevent conversion and withdrawal of the stolen assets. Further, at least one effort to reach bilateral agreement on sharing information for purposes of frustrating fraudster scams prospectively was ultimately undone when the counterparty exchange declined to participate.
Failure to collaborate on user-centric issues like this is a shortcoming that should be addressed. To do so, the blockchain community should engage earnestly on new information sharing and crime mitigation practices to interrupt unlawful schemes that are in progress. Regulator engagement that facilitates these industry-wide collaborations would undoubtedly be productive.
CONSENSYS SOFTWARE INC.
By: Natalie Linhart, William C. Hughes