Polsinelli BitBlog
Blockchain Developers Urge Congress – Be Bold About Data Privacy and Security
Crypto is dead or on life support, waiting for regulation to rid it of ‘crypto contagion.’ Meanwhile, blockchain technology – the virtual, public ledger technology that records crypto transactions – is very much alive, as evidenced by emerging applications in the healthcare, transportation, and real estate industries.1 Even crypto skeptics who mockingly blame “magical thinking” for infecting a generation of investors agree, at a minimum, there is a potential legitimate use of crypto “as part of new payment systems using blockchain technology” for such things as “sending money internationally more efficiently and cheaply than current systems.”2 For these and related reasons, last week twenty-eight technology organizations, including various blockchain alliances, implored US Lawmakers “for the sake of freedom and democracy” to defend privacy for everyday people, asserting that software developers in the US are “being chilled by clumsy, misguided legislative and regulatory actions.”3 To be clear, it’s not as though lawmakers have been sitting on their hands. In 2021, at least 45 states introduced or considered more than 250 data privacy and security bills, and 36 states enacted such bills. In 2022, thirty-seven states addressed pending legislation regarding cryptocurrency, digital or virtual currencies and other digital assets.4 In their letter, however, open source and decentralized project leaders focused not only on the right to privacy but also “the right to code” and asked lawmakers to: Oppose legislation that criminalizes writing code for privacy-preserving tools, Support tools that give individuals and communities control of their data, Allow for encryption and anonymity vs. pro-surveillance protections, and Encourage tools that safeguard data privacy and security. These are not new concerns. On March 9, 2022, some of these were emphasized in the Executive Order on Ensuring Responsible Development of Digital Assets, which sought to ensure “that digital asset technologies and the digital payments ecosystem are developed, designed, and implemented” with privacy and security in their architecture.5 The Executive Order also encouraged the heads of relevant agencies such as the Federal Trade Commission (FTC), “to ensure that digital assets do not pose undue risks to consumers, investors, or businesses, and to put in place protections as a part of efforts to expand access to safe and affordable financial services.” On September 16, 2022, the White House went a step further, releasing a fact sheet titled First-Ever Comprehensive Framework for Responsible Development of Digital Assets which seeks to ensure similar rights to those being sought by the blockchain developers in their letter to lawmakers: “protect national security, respect human rights, and align with democratic values.”6 In addition, the White House asked the FTC again to pursue enforcement actions against unlawful practices and to redouble its efforts to monitor consumer complaints and enforce against unfair, deceptive, or abusive practices. Just over a month later, the FTC announced a decision it said would have a “100% chance of far-reaching” impact.7 On October 24, 2022, the FTC announced a settlement against online alcohol delivery platform, Drizly, and its CEO for a data breach that exposed the information of 2.5 million consumers. Drizly is relevant to the Executive Order and the Fact Sheet because it provides a roadmap for how to be bold about data privacy and security for open-source technology. As highlighted in its press release, the FTC settlement with Drizly follows a recent FTC trend of “requiring a firm to minimize data collection” – to ensure companies only collect what they need – and a recent notice of proposed rules for commercial surveillance, “the business of collecting, analyzing, and profiting from information about people.”8 As in Drizly, US lawmakers and technology organizations should be bold by at least adopting the conditions deemed necessary to anticipate the ‘technological shifts’ that impact the ‘right to code’ by doing the following: Implementing practices that reduce or prohibit the collection of consumer data that is not necessary for pre-specified business purposes; Implementing a comprehensive security program that includes multifactor authentication and prevention mechanisms for unsecured data; Implementing practices covered in past decisions which have emphasized conducting regular risk assessments and incident response planning; and Creation of a public retention schedule for certain types of data, including timeframes for the eventual deletion of stored data. At a minimum, organizations should adhere to the mandate included in recent FTC decisions that require organizations, “in light of any changes to operations or business arrangements” or “new or more efficient technological or operational methods,” to evaluate and adjust their security programs to address new and related risks.9 1 See, e.g., https://shelterzoom.com/, https://dimo.zone/, and https://www.revvy.tech/. 2 Cryptocurrency – Cryptoscam – Why Regulation, Deposit Insurance, and Stability Matter by George Sutton (https://www.utahbar.org/wp-content/uploads/2023/01/2023_FINAL_01_Jan_Feb.pdf (at pages 18-26). 3 https://www.fightforthefuture.org/news/2023-01-09-open-letter-for-the-sake-of-freedom-and-democracy-incoming-lawmakers-must-defend-privacy/ 4 https://www.ncsl.org/research/financial-services-and-commerce/cryptocurrency-2022-legislation.aspx 5 https://www.whitehouse.gov/briefing-room/presidential-actions/2022/03/09/executive-order-on-ensuring-responsible-development-of-digital-assets/ 6 https://www.whitehouse.gov/briefing-room/statements-releases/2022/09/16/fact-sheet-white-house-releases-first-ever-comprehensive-framework-for-responsible-development-of-digital-assets/ 7 https://www.jdsupra.com/legalnews/ftc-announces-decision-with-a-100-9442008/ 8 https://www.ftc.gov/news-events/news/press-releases/2022/08/ftc-explores-rules-cracking-down-commercial-surveillance-lax-data-security-practices 9 https://www.ftc.gov/system/files/ftc_gov/pdf/2023185-drizly-combined-consent.pdf
January 23, 2023
Evolving Trends For IP Licenses in NFT Terms and Conditions
With the proliferation of non-fungible tokens (“NFTs”), particularly in the art space, an interesting and potentially groundbreaking practice has developed where certain intellectual property (“IP”) pertaining to the NFTs is licensed to the NFT buyers and their subsequent transferees. This type of IP license was made famous by the developers of the Bored Ape Yacht Club, who included a commercial use license in their terms and conditions and, based on public statements, intended that these licenses would allow NFT holders to more fully commercialize their Bored Apes. Granting the owner of an NFT, or for that matter, any reproduction of a work of art, a commercial use license has until now not been common practice, as traditionally, the buyer is only allowed the use of that item. This trend of granting greater IP rights to NFT owners is aligned with the ethos of Web3 - allowing holders to have more control over digital assets and contents. This licensing of commercialization rights to a particular NFT holder presents interesting opportunities for buyers to monetize their NFT purchases. It also presents new challenges as developers try to work out the most appropriate legal construct to serve the interests of both the overarching project and individual owners of the NFTs. Some of those challenges recently played out when major changes were made to the license terms in two popular NFT projects: Moonbirds and CryptoPunks, each demonstrating a different strategy of allocating IP ownership of NFTs. Moonbird NFTs have been sold for as high as 350 ETH (approximately $570,000 based on current price of ETH as of August 22), and CryptoPunk NFTs have sold for as high as 8,000 ETH, approximately $13 million based on current price of ETH as of August 22). Moonbirds Shift to CC0 One approach to licensing, which is uniquely “Web3,” is the placement of otherwise protectable copyright IP into the public domain through the use of Creative Commons “No Rights Reserved” (“CC0”) agreements. The idea behind CC0 is that when art is placed into the public domain, it allows more people to use and otherwise advance that art without fear of infringement, which in turn increases the notoriety and value of the original works. The original Moonbirds Terms of Sale licensed the artwork in the individual Moonbird NFTs to the holders of those NFTs for commercial use. The relevant excerpt from those original terms is below: On August 4, 2022, Kevin Rose (a founder of the Moonbirds project) announced on Twitter that Moonbirds would be moving to a CC0 public license. This change from licensing the artwork only to individual owners - to now allowing the public at large to have equal rights over the use of that artwork has upset certain Moonbirds NFT holders who previously had greater IP rights and suddenly were left with diluted commercialization rights due to the sudden change in license terms. Yuga Labs Releases Long-Awaited CryptoPunks Licensing Another example of the potential decentralization of the IP ownership of NFTs is contained within the terms recently released by Yuga Labs in conjunction with CyptoPunks. When Yuga Labs acquired CryptoPunks in March of 2022, they issued a press release that said “[w]ith this acquisition Yuga Labs will own the CryptoPunks and Meebit brands and logos, and as they’ve done with their own BAYC collection, Yuga Labs will transfer IP, commercial, and exclusive licensing rights to individual NFT holders.” On August 15, 2022, those long-awaited licensing terms were finally released. Some interesting features of those terms include: An explicit coupling of licensing rights to the asset itself, which means when the asset is transferred the licensing rights which accompany that asset follows. Listing of the smart contract which the applicable NFTs were deployed on, potentially to preemptively cut off claims by V1 CryptoPunk owners to IP rights under the agreement. V1 CryptoPunk owners purchased an NFT with an error in the code for the smart contract. To fix the coding error, the original creator (Larva Labs) sent out a new smart contract. V2 CryptoPunks became successful and popular. Recently, original V1 CryptoPunk owners decided to wrap their V1 CryptoPunk NFTs in a new smart contract and sell them. The wrapped version of the V1 CryptoPunks fixes the coding error but resulted in duplicate CryptoPunk NFTs (i.e. the artwork is identical between V1 and V2). No explicit reservation of rights to amend the IP licensing terms on a going-forward basis (as was included in the Moonbirds terms). These terms by Yuga are far more comprehensive than the Bored Ape Yacht Club licensing agreement. Ed Lee, the author of Nau NFT, put together a helpful infographic showing certain differences between the CryptoPunks and Bored Ape Yacht Club licenses. It is unclear if this CryptoPunks license was released first to determine any potential weaknesses or holes before releasing a revised license for Bored Ape Yacht Club holders, or if it was simply done to create clarity after their statement on the issue regarding their CryptoPunk IP purchase. Final Thoughts The Web3 industry mentality surrounding the decentralization of ownership, including ownership of copyrights and other IP, is a new development which is likely to have legal ramifications across all industries. As with any developing industry, it will likely take time for law to be established regarding these current Web3 industry practices. As shown in the above Moonbirds and CryptoPunks licensing changes, these current practices and the laws surrounding them are constantly changing. That is why it is important for developers to engage legal counsel early to assist those developers in creating an appropriate IP strategy for their particular goals. While there are clearly challenges in expanding and decentralizing the IP of NFT owners, these trends are an exciting development in that it demonstrates Web3 being put into commercial practice.
August 23, 2022
