Blockchain’s Ethical Risks: How Developers And Users Can Mitigate Potential Damage


Senior leaders face a range of ethical and reputational risks in implementing blockchain projects. This article looks at four risks – the lack of third-party protections, the threat of privacy violations, the zero-state problem, and bad governance – and offers advice for how blockchain developers and users can mitigate potential harm.

If I send you bitcoin, that transaction is simultaneously recorded on the more than 12,000 computers, servers, and other devices that Bitcoin runs on. Everyone on the chain can see the transaction, and no one can alter or delete it. Or you can send me a non-fungible token (NFT) on the Ethereum blockchain, and that transaction is simultaneously recorded across all the computers (also known as “nodes”) that Ethereum runs on. These two examples explain, roughly, what blockchain technology is: a way to keep unalterable records of transactions on multiple computers such that a new transaction cannot be recorded on one computer without simultaneously recording it on all the others. The applications of blockchain have grown well beyond cryptocurrency and NFTs, as governments and industries from health care to agriculture to supply-chain operations leverage the technology to improve efficiency, security, and trust.

The core features of blockchain are tremendously appealing, but they are a double-edged sword, opening novel pathways to significant ethical, reputational, legal, and economic risks for organizations and their stakeholders. In this article, I identify four of these risks: a lack of third-party protections, privacy violations, the zero-state problem, and bad governance. For each, I outline the responsibilities of two actors that play crucial roles in managing blockchain decisions and norms: developers (those who design and develop blockchain technologies and the apps that run on them) and users (the organizations that use blockchain solutions or advise clients who use them).

Lack Of Third-Party Protection

Third-party intermediaries, like banks, are often seen as a cost of doing business at best and predatory at worst, but they do play a crucial role in safeguarding customers’ interests. For instance, banks have sophisticated ways of detecting activity by malicious actors, and consumers can challenge fraudulent transactions and scams on their credit cards.

When transactions take place without a third party, customers have no one to whom they can appeal for help. This is often the case with blockchain applications. For example, the digital wallets that people and entities use to send and receive digital assets have public keys, akin to publicly listed physical addresses. They also have private keys, which function like passwords and are possessed only by the wallets’ owners. Losing a private key is a catastrophic event with no recourse: Owners can no longer access their wallets. In January 2021, The New York Times reported that $140 billion worth of bitcoin is locked in wallets whose private keys have been lost or forgotten. With a traditional bank, a lost password delays access to an account only for mere minutes – as opposed to forever.

What Developers Must Consider

Developers need to think about the kinds of services third parties provide that protect stakeholders and then devise a decentralized way to offer those protections. If that is impossible, developers must inform stakeholders that the technology lacks the protections they are accustomed to. A developer may even decide not to develop the app because the risks to users are too high.

What Users Must Consider

Users need to understand the risk of not having those safeguards, for themselves and for those they represent (clients they advise, patients for whom they care, citizens whose rights they are meant to protect). They must be transparent about the risks and get meaningful informed consent from those they serve. They should also explore nonblockchain solutions that can fill in the gaps.

The Lack Of Privacy

The most popular blockchains, Bitcoin and Ethereum, are public. They are known for their transparency and accessibility: anyone can view, add to, and audit the entirety of the chain. But if transparency constitutes a serious threat to users’ privacy, a private blockchain may be necessary. Nebula Genomics, for instance, uses private blockchain technology to give patients “full control” of their genomic data.

A blockchain may contain information that some users should see but not others; in that case, a hybrid approach may be warranted, in which private and public blockchains interact with each other. For example, electronic health records contain both highly sensitive data that must be kept private and information that should be shared with entities such as the Centers for Disease Control and Prevention (CDC) and health insurance providers. Hashed Health, Equideum Health, and BurstIQ are all hybrid blockchains that collect and share biometric information while giving patients more control over their data.

What Developers Must Consider

Developers need to carefully consider their ethical duty to balance transparency and privacy and then decide whether a public, private, or hybrid blockchain is appropriate for the use case at hand. One factor that should loom large is the likelihood that a member of the chain could be identified and what the ethical ramifications of that would be. Other crucial decisions include determining who should have access to what data, under what conditions, and for how long.

What Users Must Consider

Users need to understand the implications of transparency on their own businesses and the people they serve. They must understand and address the risk that wallet holders could be identified (including by their accidentally revealing their own identity).

Suppose the client of a financial services company wants to donate money to a charity or a political party anonymously in order to conceal the size of the donation or to keep political or other affiliations private. The financial services company may recommend transferring the funds via a blockchain because the client’s identity will be anonymized on the chain. But it also has an ethical responsibility to inform its client that the anonymous transaction will be public and discuss best practices for avoiding identification.

The Zero-State Problem

The zero-state problem occurs when the accuracy of the data contained in the first, or “genesis block,” of a blockchain is in question. This happens if due diligence is not properly performed on the data or if those entering it make a mistake or alter the information for malicious reasons. In the case of a blockchain used to track goods in a supply chain, for example, the first block may erroneously indicate that a particular truck is filled with copper from a certain mine when, in fact, the material came from a different one. Someone involved with the contents of the truck may have been tricked or bribed along the way, unbeknownst to the person creating the genesis block.

The ethical stakes are raised if we’re talking about blood diamonds or property. If a government creates a blockchain as the database of record for a land registry, and the person entering information into the first block assigns parcels of land to the wrong owners, a serious injustice (land effectively being stolen) occurs. Some organizations, like Zcash, which created a highly secure privacy-preserving cryptocurrency, have (justifiably) gone to great lengths to ensure the trustworthiness of their genesis blocks.
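The supply-chain case above can be made concrete with a toy hash-linked ledger. This is an added example, not code from the original article or from any real blockchain; the truck, mine names, and records are constructed. It shows that chain verification checks integrity, not truth: a false genesis claim verifies cleanly, and only an off-chain attestation exposes it.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64

# Constructed sample records: the genesis entry claims the copper came from
# "Mine A" (hypothetical name); later entries record custody transfers.
SAMPLE_RECORDS = [
    {"event": "loaded", "truck": "T-17", "cargo": "copper", "origin": "Mine A"},
    {"event": "transfer", "truck": "T-17", "to": "Port warehouse"},
    {"event": "transfer", "truck": "T-17", "to": "Smelter"},
]

def block_hash(index, data, prev_hash):
    payload = json.dumps({"index": index, "data": data, "prev": prev_hash}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def build_chain(records):
    chain, prev = [], GENESIS_PREV
    for i, data in enumerate(records):
        digest = block_hash(i, data, prev)
        chain.append({"index": i, "data": data, "prev": prev, "hash": digest})
        prev = digest
    return chain

def verify_chain(chain):
    """Integrity only: every block links to its predecessor and matches its hash."""
    prev = GENESIS_PREV
    for block in chain:
        if block["prev"] != prev or block["hash"] != block_hash(block["index"], block["data"], prev):
            return False
        prev = block["hash"]
    return True

def genesis_matches_attestation(chain, attested_origin):
    """Due diligence: compare the genesis claim with an independent, off-chain attestation."""
    return chain[0]["data"].get("origin") == attested_origin

def rewrite_genesis_origin(chain, new_origin):
    """Return a copy with the genesis origin edited in place, hashes left untouched."""
    edited = copy.deepcopy(chain)
    edited[0]["data"]["origin"] = new_origin
    return edited

if __name__ == "__main__":
    chain = build_chain(SAMPLE_RECORDS)
    print("chain verifies:", verify_chain(chain))
    print("genesis matches auditor's finding (Mine B):", genesis_matches_attestation(chain, "Mine B"))
    print("edited chain verifies:", verify_chain(rewrite_genesis_origin(chain, "Mine B")))
```

The last check shows the other side of immutability: once the false origin is recorded, editing the genesis record to the true value breaks verification for the whole chain.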

What Developers Must Consider

Developers must carefully verify all data that will be contained in the genesis block and use best practices to ensure that it is accurately entered. They must also alert users to the zero-state problem and disclose the ways in which a blockchain may contain false information so that users can assess their potential risks and conduct their own due diligence.

What Users Must Consider

Users of a blockchain should vet how the genesis block was created and where the data was sourced from. They should be particularly diligent if the items recorded in the blockchain have historically been a target for fraud, bribery, and hacking. They should ask themselves, Is the organization that created the first block trustworthy? Has the block been audited by a reliable third party?

Users also need to understand that even if data in the genesis block and subsequent ones is accurate and legitimate, mischief can still occur. For instance, ethically sourced diamonds may be put in a truck, and its journey across multiple transfers may be accurately recorded on the blockchain, but that does not stop clever thieves from swapping out the real diamonds with fake ones mid-transit. Users must also inform those they serve about the zero-state problem, disclose the due diligence they conducted on the genesis block, and identify protections that are in place (if any) to prevent fraud.

Blockchain Governance

Blockchain technology is described by a host of terms – “decentralized,” “permissionless,” “self-governed” – that may cause users to make assumptions about governance. They might assume that it’s a wonderland for libertarians and anarchists, for example, or that all members have an equal say in how the blockchain operates. In reality, blockchain governance is a very, very complicated affair with significant ethical, reputational, legal, and financial ramifications. The creators of the blockchain determine who has power; how they acquire it; what, if any, oversight there is; and how decisions will be made and operationalized. A quick look at two cases, one infamous and one ongoing, is instructive.

The first decentralized autonomous organization (DAO), a sort of hedge fund originally called “The DAO,” ran on the Ethereum network. Members had differing amounts of voting power based on how much money (specifically, ether) they put into the joint venture. When the DAO was hacked in 2016, draining some $60 million worth of ether from the fund, members took very different ideological positions on what to do – and whether the hack even constituted a “theft.” One camp felt that the ill-gotten gains of the bad actor, who had taken advantage of a software bug, should be restored to the rightful owners. Another camp thought The DAO should abstain from undoing the fraudulent transactions and simply fix the bug and let the chain carry on. This group held that “code is law” and “the blockchain is immutable,” and thus the hacker, acting in accordance with the code, did nothing ethically unacceptable. The former camp ultimately won, and a “hard fork” was instituted, directing the funds to a recovery address where users could reclaim their investments, essentially rewriting history on the blockchain.

The second example is the dispute about the governance of Juno, another DAO. In February 2021, Juno conducted an “airdrop” (in which free tokens are sent to community members to boost engagement) across its network. One wallet holder figured out how to game the system and received a huge portion of the tokens, worth more than $117 million at the time. In March 2022, a proposal was put forth to draw down the majority of the “whale’s” tokens to an amount considered a fair share of the airdrop. A month later, the proposal officially passed, with 72% of the vote, resulting in the revoking of all but 50,000 of the whale’s tokens. The whale, who alleges he was investing the money of others, is threatening to sue Juno.

Those events demonstrate just how important it is to structure the governance of blockchains and the apps that run on blockchains with great care and due diligence.

What Developers Must Consider

Developers must establish what constitutes good governance, with a special eye toward how governance structures can give rise to hacks or bad actors. This is not merely a mechanistic issue. The values of the developers need to be clearly articulated and then operationalized in the blockchain. Consider, for instance, the philosophical differences that emerged as Ethereum developers weighed whether to alter their blockchain when the DAO was hacked or fix the bug and move on, and the similar disagreements between the Juno token holders who voted in favor of confiscation and those who voted against it. To avoid such ethical issues, developers should institute a North Star that guides governance from the start.

Disagreements arise when the rules about how power and money are allocated or earned on the system are not carefully thought through. The DAO hacker exploited a bug in the software, which led to internal turmoil about whether code – even flawed code – truly was law. In the case of Juno, the upheaval stemmed, in part, from not being sufficiently thoughtful about how tokens were distributed in the first place. Developers need to understand that those with voting power may have greatly diverging beliefs, values, ideals, and desires. Strong governance is one of the most important tools for managing those differences, and significant ethical and financial risks can be avoided if developers’ values are operationalized into the infrastructure, policies, and procedures that govern the blockchain.

What Users Must Consider

Users must ask themselves whether the values of the blockchain’s creators cohere with those of their organization and of their clients. They must determine how much volatility, risk, and lack of control they and those they serve can stomach. They must articulate their standards for what constitutes good and responsible governance and work only with blockchains that meet those standards. Users may be using a distributed network with no single authority, but they are most certainly engaging with a political entity.

Toward An Ethical-Risk Framework For Blockchain

The ethical risks of any technology are as varied as the applications for it. An AI-powered self-driving car, for example, carries the risk of killing pedestrians. A social media app comes with the risk of spreading disinformation. The ethical and reputational risks associated with virtually all data-driven technology also apply to blockchain. In implementing blockchain, senior leaders must implement a framework for mitigating these risks. They should carefully consider a range of scenarios: What are the ethical nightmares our organization must avoid? How do we think about the edge cases? They should anticipate that ethical questions will arise, and ask themselves: What governance structures do we have in place? What kind of oversight is needed? Is blockchain technology likely to undermine any of our organizational and ethical values, and if so, how do we minimize those impacts? What protections should be put in place to safeguard our stakeholders and our brand? Thankfully, many of these issues have been addressed in the adjacent AI ethical risk literature, including a guide I authored on implementing an AI ethics program. This material is a good starting point for any blockchain project.

Conclusion

The Wild West promised limitless opportunity for those bold enough to venture into a new land. But there’s a reason the term became synonymous with lawlessness and peril. The world of blockchain is both a game changer and uncharted territory, and senior leaders charged with protecting their corporate brand from ethical, reputational, legal, and economic harm had better pay careful attention to what they do in this world and with whom they do it.

Originally posted on hbr.org by Reid Blackman

About Author: Reid Blackman is the author of Ethical Machines: Your Concise Guide to Totally Unbiased, Transparent, and Respectful AI (Harvard Business Review Press, July 2022) and founder and CEO of Virtue, an ethical risk consultancy. He is also a senior adviser to the Deloitte AI Institute, previously served on Ernst & Young’s AI Advisory Board, and volunteers as the chief ethics officer to the nonprofit Government Blockchain Association. Previously, Reid was a professor of philosophy at Colgate University and the University of North Carolina, Chapel Hill.