In “Code And Other Laws of Cyberspace“, American legal scholar Lawrence Lessig distilled the argument of his earlier essay “The Constitution of Code” to sum up the unintended effects of Internet network protocols and server software on the regulation of human behaviour in what was then called “cyberspace’:
In real space, we recognize how laws regulate— through constitutions, statutes, and other legal codes. In cyberspace we must understand how a different “code” regulates—how the software and hardware (i.e., the “code” of cyberspace) that make cyberspace what it is also regulate cyberspace as it is. As William Mitchell puts it, this code is cyberspace’s “law.” “Lex Informatica,” as Joel Reidenberg first put it, or better, “code is law.”Code v2.0 p.5
“Code is law” is an inspired turn of phrase. But as written it is a descriptive statement rather than a prescriptive one. Not “code must be law” but “code happens to share some salient features with law in the ways that it constrains human action online”.
As with the concept of the negative freedom of free speech, “code is law” can become (mis)understood as a positive, prescriptive norm in environments that collapse the distinction between expression and effect by embodying them in software. For Ethereum no less than for LambdaMOO, all the world is code and to speak is to change that world. Code is speech, after all, as Bernstein v. Department of Justice established in the US.
“Code is law” became an early slogan of the Ethereum Comunity. Inspired by Nick Szabo’s concept of “smart contracts” and the possibility of organizing human collaboration and allocating economic resources on the blockchain, this made sense. To model contracts in software that runs independently of human control makes code law in a more literal way than internet protocols do.
And then the DAO hack happened.
A single bug in “The DAO“, code running on the Ethereum blockchain to gather and manage investments in new projects, allowed an attacker to start draining fifty million dollars worth of cryptocurrency from it into their own account. As the attack progressed the community tried different strategies to slow down or stop it, but they could not reverse it.
If “code is law” is a normative statement for code running on the Ethereum blockchain, then the effects of the attack should not be reversed. The fact that the behaviour that was encoded in the DAO was absolutely not the behaviour that was intended by its human authors was irrelevant. Whatever the outcome of the code, it is correct because code is the just regulator of human behaviour on the network. The solution to failing to correctly translate human intentions into machine code running on top of the Ethereum blockchain is just to write better code next time. The no-takesy-backsies principle must reign supreme.
“Code is law” also applies to the code that runs the Ethereum blockchain itself, though, underneath any code that runs on it like The DAO. That code can be modified, deployed to the network, and run with newly changed behaviour independently of the code running on top of it. And whatever the outcome of doing this, if code is law here as well then it is correct because, well, code is the just regulator of human behaviour that is modelled in code on the Ethereum blockchain.
Heated debate about whether on-chain bugs or off-chain patches should be the ultimate arbiter of code-is-law led to two versions of Ethereum splitting from each other shortly after the DAO hack. (I didn’t participate in the DAO, and my concern at the time was to see the least harm done to Ethereum as a project and to avoid setting a precedent, I’m writing here entirely with the benefit of hindsight.) A modified version of the Ethereum software that neutralised the attack transfers (with apologies to critics who love to call this a “rollback“) gained majority support from the network. An initially unmodified version continued as “Ethereum Classic“.
The irony to Ethereum Classic is that once a choice had to be made whether to run the version of the Etherum network that neutralised the DAO hack or not, human choice determines which code is law. Where this decision can be implemented simply, rather than having to overcome path-dependent processes, code is not sovereign. To be sure, changes to Internet protocols are designed and implemented by human beings. But the era when the fundamental protocols of the Internet could be changed simply or quickly is long gone. Ipv6 adoption, for example, has already taken more than two decades with no end currently in sight.
We could argue that if code is not law for Ethereum Classic then code is doubly not law on the main Ethereum fork because not only was the protocol code changed but the effects of the on-chain attack were changed as well. But this would obscure the more fundamental choice. Which is between “code is law” as a normative statement for Ethereum Classic and as a descriptive statement for Ethereum.
The former becomes a contradiction as soon as it is implemented by human beings.
While I was writing this essay news came in of a series of 51% attacks on Ethereum Classic, with an attacker rolling back its blockchain over a thousand blocks in one instance. The response of Ethereum Classic’s developers has been to retain lawyers off-chain.
If code is law is the use of code on computers to bring hash power to bear on a blockchain also law? At the level of the code that runs the Ethereum Classic blockchain, yes it is (I am not a lawyer, and I mean this in the same sense as the original statement that “code is law”…). A 51% attack is simply a choice of which chain to mine with which software. This is how the Ethereum Classic Chain came into existence in the first place.
We can try to extract a coherent ethics from all of this. The operating system, blockchain network and on-chain software levels of code can all be examined as sites where “code is law” can be descriptive or prescriptive and where deploying resources to run different code can be argued to be just or unjust.
But if recourse to these resources, and to the resources of the fiat economy and to centralized state law, is a human choice then seeking to simply normatively assert that code is law proceeds from a contradiction. It becomes at best a taboo. And to seek to enforce that taboo through state legal means intensifies the contradiction more than a little.
As proof-of-stake systems and maturing blockchain protocol software locks in the operation of on-chain software the normative sense of “code is law” will gain in strength alongside the descriptive sense.
But the ethics of blockchain software operation will remain a more complex game for some time yet.