Open Source Utility Tokens are Not Securities Under SEC Jurisdiction

How the West might be lost

by Lucius Gregory Meredith and Ralph Benko

While Gary Gensler is busy cracking down on crypto projects, it is important to look at the details of how the law gets applied. There’s enough room for both Deity and the Devil to reside in the details. In particular, the details regarding utility tokens identifies a class of such tokens that cannot be considered securities according to the definitive Howey Test. Neither the expectation of profit, nor the dependence on the efforts of others apply to these kinds of utility tokens, and as such, they cannot legitimately be considered securities.

The details regarding utility tokens identifies a class of such tokens that cannot be considered securities according to the definitive Howey Test. Neither the expectation of profit, nor the dependence on the efforts of others apply to these kinds of utility tokens, and as such, they cannot legitimately be considered securities

Network access tokens and denial of service (DoS)

If you’re reading this, chances are that you know what an Internet-facing API is, and why it might need to be protected from denial of service attacks. But, just in case you’re one of the “normies”  that don’t know what these terms refer to, let’s you, me, Sherman, and Mr. Peabody all take a trip in the WayBack Machine way back to 2005.

In those days there was still a naivete about the infinite potential of free and open information. QAnon, deep fakes, ChatGPT and other intimations that the Internet might just be the modern equivalent of the Tower of Babel were not yet even a gleam in their inventors’ eyes. Companies would regularly set up network services that anyone with an Internet connection could access, from anywhere in the world (dubbed Internet-facing). Such services were accessed by sending requests in a particular, well defined format (deriving from the software term application program interface, or API) to an Internet address served by machines in the network service the organization had set up.

It was quickly discovered that such Internet-facing APIs were vulnerable to attack. If a single bad actor sent thousands or millions of requests to the service, or a botnet of millions sent a few requests each to the service, it was possible for the service to become bogged down and unresponsive to legitimate requests. Now, in reality, all this was discovered long before 2005. But, by 2005 a practice for dealing with this kind of attack was more or less well established.

The solution is simple. The network proprietor issues a digital token. A request with a given token embedded in it is honored, up to some number of requests per token. This practice is less onerous and costly than having to issue and maintain authorization credentials for login challenges. Many, many companies do this and have done this for the better part of two decades. Not just software or digital service companies like Google and Microsoft issue tokens like this.

Other companies, such as media companies like The New York Times, and The Guardian, also employ this practice. (The hyperlinks above are to their token distribution pages.) The practice is ubiquitous and well accepted. It is intrinsic to the functionality of an open network such as the Web.

These digital assets never were and in no way legitimately can be considered securities under Howey. Specifically, there are legitimate uses of these tokens that do not come with any expectation of profit.  They have a practical utility in the functioning of the system.

Also, it is important to note that many of these services allow for storage of digital content on the networks provided by these services. However, bad actors can still abuse the services by repeatedly uploading illegal content (like child pornography, copyrighted material or even nuclear secrets). So, an entity offering Internet-enabled services must reserve the right to invalidate these tokens in case they discover they are being abused in this or other ways. These utility tokens are essential to comply with a whole host of very good laws. They do not even resemble securities.

Securities and the Howey Test

The Howey Test refers to the ruling in a 1946 U.S. Supreme Court case, SEC vs. W.J. Howey for determining whether a transaction qualifies as an “investment contract.” If a transaction is found to be an investment contract, it’s considered a security. It’s then subject to registration requirements under the Securities Act of 1933 and the Securities Exchange Act of 1934.

According to the U.S. Securities and Exchange Commission (SEC), an “investment contract” a security) exists when there is the investment of money in a common enterprise with a reasonable expectation of profits to be derived from the efforts of others. The ‘Howey Test’ applies to any contract, scheme, or transaction, regardless of whether it has any of the characteristics of typical securities.”

According to the U.S. Securities and Exchange Commission (SEC), an “investment contract” a security) exists when there is the investment of money in a common enterprise with a reasonable expectation of profits to be derived from the efforts of others. The ‘Howey Test’ applies to any contract, scheme, or transaction, regardless of whether it has any of the characteristics of typical securities.”

What Are the Four Elements of the Howey Test?

Since its creation, the Howey Test has been the settled law  for determining whether transactions are investment contracts.

Under the Howey Test, a transaction qualifies as a security if it involves the following four elements:

1. An investment of money
2. In a common enterprise
3. A reasonable expectation of profit
4. Derived from the efforts of others

To be considered a security, a transaction must meet all four prongs of the Howey Test.

It’s worth pointing out that while the test references “money,” that has since expanded to include assets other than money.

Additionally, the term “common enterprise” doesn’t have a clear definition. While many federal courts consider a common enterprise as one that is horizontal, where investors pool their assets together to invest in an endeavor, various courts have used different interpretations.

Reasonable expectation means just what it says: an investor invests in the common enterprise with the expectation that the enterprise will generate profit.

The final factor of the test concerns whether the profit from an investment is mainly or entirely outside of an investor’s control. If investors have little or no control over the investment’s management, there’s a good chance it’s a security. But if an investor has a notable influence on the management of an enterprise, it’s likely not a security.

Of course, since the creation of the Howey Test about three quarters of a  century ago, many have attempted to disguise investments to avoid regulations. That’s why the Howey Test emphasizes substance over form. To combat deceptions, courts examine the “economic realities” of a transaction, rather than simply the name or label it’s given, to determine if it accords with the  Howey Test definition.

Ethereum’s big idea

Satoshi’s discovery of a new class of economically secured, leaderless distributed consensus protocols, embodied in proof-of-work but also, elsewhere, embodied in proof-of-stake and other consensus algorithms, was a pretty good idea. It led to the Bitcoin network. Buterin’s suggestion that Satoshi’s consensus be applied to the state of a virtual machine instead of a ledger was a really good idea, and led to the Ethereum network. It creates a distributed computer that runs everywhere and nowhere in particular. Less poetically, every node in the network is running a copy of the virtual machine and the consensus protocol ensures that all the copies agree on the state of the virtual machine.

Like the Internet-facing APIs launched all throughout the 00’s and beyond, Ethereum’s distributed computer is accessible to anyone with an Internet connection. And, as such, without protection would be vulnerable to denial of service  attacks. In fact, it’s potentially even more vulnerable because a request to the Ethereum distributed computer is a piece of code. This code could, in principle, run forever, or take up infinite storage space. Vitalik’s clever idea, building on the established practice of network access tokens, is to require tokens for each computational or storage step to prevent such abuses.

Vitalik’s clever idea, building on the established practice of network access tokens, is to require tokens for each computational or storage step to prevent such abuses.

These sorts of tokens are entirely separate and distinct from cryptocurrencies like Bitcoin or DogeCoin. Specifically, just like network access tokens regularly employed by Google, Microsoft and all other major digital players, they serve a function related to network authorization. A token holder has the right to submit code for a certain amount of execution or storage.

A good analogy is the old school video game arcades. A player had to put in a token in order to play a game like PacMan for the duration of the game. Ethereum’s network is like an arcade in the “cloud.” Ethereum’s token is like the arcade tokens. It has a specific utility, unlike both fiat and crypto currencies, to power computations. That’s why Ethereum refers to the compute resource corresponding to the tokens as “gas.”

It’s worth reiterating this point in a different way. Currency has a use. It affords coordination and supports commerce. But, this is its only use. Tokens whose only function is to be a medium of exchange have to come up with a different argument regarding their relationship to the Howey Test. That is outside of the scope of this article, but an interested reader might look to Lewis Cohen’s paper in this connection.

The utility of tokens, like ETH, that play a critical role in network authorization and network function is different from a medium of exchange. These “utility tokens” are a natural evolution of the network access tokens that have become the de facto standard in the Internet for defense against denial of service attacks.

As such, these tokens do not come with an expectation of profit any more than a lock on a safe or a burglar alarm on a house. Ethereum is a distributed computer accessible from anywhere in the Internet. People love to play with computers for all kinds of reasons. Utility tokens allow them to do so securely.

ETH has already been determined a commodity

You may wonder why we are focusing on ETH as an example, since the SEC and CFTC both originally ruled that ETH is a commodity. The fact is that many crypto projects have understood and substantially developed Buterin’s insight far beyond what Ethereum has done. Aptos is one. Silvermint is another. And, very notably, RChain was yet another. These projects and their founders, and many more besides face regulatory risk on a daily basis, a burden that is both costly, and gratuitously slows development.

Most projects, with the notable exception of RChain, have chosen to mitigate this risk by basing themselves outside of the US. This creates a brain drain from the US, funneling very bright developers and entrepreneurs and billions of dollars to foreign jurisdictions. It also puts the US at risk. Instead of being a leader in this transformational technology, it is creating the conditions whereby Berlin and Dubai become the de facto hubs for technical innovation in this and adjacent sectors.

Instead of being a leader in this transformational technology, it is creating the conditions whereby Berlin and Dubai become the de facto hubs for technical innovation in this and adjacent sectors.

One of the purposes of this article is to awaken Congress and the SEC to the consequences of not thinking through the implications of the application of Howey to utility tokens, which, for the reasons stated herein, cannot legitimately be construed as securities. Understanding the specifics creates the space for good projects to plant roots and blossom in the US, and thus also be amenable to legal and policy guidance from the US authorities. As much as the SEC might want to stretch out past the US territory, it has no jurisdiction outside the United States. In the words of Princess Leia, the more they tighten their grip, the more star systems will slip through their fingers.

How open source comes into play

But the role of utility in establishing a reason for using the tokens independent of any expectation of profit is not the only relevant element of the Howey Test taking such tokens out from under the defined elements of a security. Open source has a very big role in distinguishing utility tokens like ETH or RChain from securities. Specifically, as we mentioned before, one of the prongs of the Howey Test is whether expected profit of the common enterprise depends upon the efforts of others. Open source offerings, like the Ethereum clients’ code bases, are just that: open. Anyone may develop or modify the code. Anyone may run the code. In the case of Ethereum many thousands of people do. In the case of other utility token offerings, like RChain, hundreds of people and projects do. This fact is not theoretical. It is a practical aspect of modern code bases, and blockchains as a platform.

Use of tokens like ETH to access a distributed computational service does not constitute an expectation of profit. Because the code is open source, anyone may set up a network of Ethereum nodes. Many participants in the Ethereum Enterprise Alliance have done so and continue to do so. Thus, whatever use they may contemplate for the token or the computing service, a user of the token does not depend on the success, or even existence, of the Ethereum network. The public network usually referred to as Ethereum can disappear tomorrow, and their tokens can still serve the purpose for which they were intended because token holders can simply instantiate their own Ethereum network and use their tokens there. Hence, it is not dependent on the work of others and therefore cannot be construed as a security under Howey.

To elaborate, a token is not actually tied to a specific network, or instantiation of a network. In particular, as RChain’s RHOC and REV demonstrated, it is possible to arrange things so that the private key associated with one network works, without change, on another. RChain initially developed its token, the RHOC, as an ERC-20 token on top of Ethereum, meaning RChain’s developers wrote a piece of Solidity code that conformed to the ERC-20 standard, implementing a token supply. RChain made it clear to all RHOC holders that the private key they used to access their RHOC tokens on the Ethereum network would, by design, work without change on the RChain network, once it was live.

For those not familiar with blockchains and private keys, think of the private key as like the password to some online service, like GMail, or Facebook. The principal difference, that most naive users care about, between private keys and passwords for online services is that in nearly all cases if you lose your private key, you are out of luck, whereas for most online services they offer a password reset or recovery procedure. Apart from that difference, thinking of a private key as like a password is a good first approximation.

In the case of Ethereum or RChain the private key is used to digitally sign requests to run smart contract code. The private key used to sign the request can be used to validate or verify that the user making the request indeed has the network access tokens necessary to run the smart contract code.

Forking

It is possible, in a cryptographically secure manner, to ensure that all the private keys in use on one network work on another, without change, and without the person who set up the alternate network knowing the private keys or any other identifying credentials of the private key holders. RChain used this method to ensure that RHOC holders could, in principle, have access to their tokens on the RChain mainnet, once the network was live. It is also possible with RChain or Ethereum that someone else could set up an alternate network and the private keys from the public networks work without change on the alternate network. And, then someone else could set up an alternative to the alternate network, and the private keys initially distributed also work on that one, and so on.

This process of setting up alternative networks is called forking, a term derived from open source, where a fork of an open source code base is a version maintained by a community who wants the code to evolve in a different way than the original code base might be evolving. Forking is used by blockchain communities all the time. It is the principal remedy when there is some dispute that cannot be resolved without redistributing the tokens.

Forking is used by blockchain communities all the time. It is the principal remedy when there is some dispute that cannot be resolved without redistributing the tokens.

This goes to the crux of the matter. When a network may be forked without any change to the private key, a token holder is not dependent on the efforts of others. In the case of RChain anyone with an hour or so to spare can create an entire alternate network. The private keys already distributed will work as they did on the previous network. In RChain’s case this was by design. It’s a part of the advertised features of RChain. Of course, Ethereum also enjoys this property, moving from one version of Ethereum to another. And, as RChain’s RHOC to REV process demonstrated, the property extends to moving from one kind of network (Ethereum) to another completely different kind of network (RChain).

Token redistribution and decentralization

It is important to understand in this context that the token distribution is just a table, a ledger, hosted on the network saying which addresses accessible by private keys are associated with which amounts of tokens. Standing up an alternate network requires supplying the data in this table. Someone might choose to honor the distribution recorded on the blockchain being forked, or not. This is a critical feature of these networks, for reasons we mentioned in the section on network access tokens. It may be the case that a community discovers abuse of the network and its resources. To be compliant with everything from copyright to prevention of the dissemination of illegal content like child pornography or nuclear secrets it must be the case that forks can modify the distribution of tokens. That can prevent offenders from using the network in prohibited ways.

Let’s illustrate this with an example. Suppose a community stands up an instance of the Ethereum network and Bob purchases a large sum of tokens on this network. Later the community discovers that Bob is storing child pornography on the network. First, the community contacts Bob and tells him to cease and desist, but instead Bob persists. So, the community forks the network, leaving Bob to operate the network polluted with illegal and reprehensible content. Since Bob’s private key still works on the fork, if the community didn’t change the token distribution, then Bob could repeat the offending behavior on the fork, polluting the new network. As a remedy, the community launches the new network with a modified token distribution table, in which Bob has no tokens. Now Bob can still use his tokens on the old network, or he can create his own fork of the network and use his tokens there, but the community has excluded Bob from using their network to break the law.

In reality, the community that wants to respect the law simply stands up the alternative network, leaving the criminals literally holding the bag, operating a network that contains illegal content. This is how a technology can be decentralized and yet still avoid anarchy. It’s not just that the nodes in a network are not behind a private firewall. It’s that different communities can fork the technology and operate it in the manner they see fit, and are not dependent on the efforts of others – as they are with Google, or Facebook, or Twitter, or Instagram – to have a network that suits their needs, hosting the content they deem in alignment with their values. And, having separated the wheat from the chaff, the authorities can go after the bad guys without simultaneously trampling the legitimate rights of the good guys.

Conclusion

Utility tokens like ETH, and RHOC/REV are not and cannot be securities for two reasons. One, they serve a crucial purpose in the secure operation of the network, and are not motivated by an expectation of profit. Two, they continue to serve that purpose regardless of which networks are in operation. Any token holder may in practice  stand up their own network, wholly administered by themselves or their agents for their private purposes, and use the tokens they initially acquired on a public network. Thus, they are not dependent on the effort of others.

As stated in a previous article at HackerNoon, the real Slim Shady is Congress (and the SEC).  By failing to recognize the non-security nature of utility tokens, legislators and regulators have injected regulatory ambiguity into a vital developing market. They have given license to well-intended but fundamentally ignorant regulators to approach this new and potentially transformational tech with befuddled aggression, much like the hominids at the beginning of 2001: A Space Odyssey approached the monolith. This dereliction of duty has sent into de facto exile many, many very bright developers and entrepreneurs to our competitors to pursue blockchain technology development in Zug, or Berlin, or Dubai, or Singapore, as well as  other crypto friendly jurisdictions. Cue Also Sprach Zarathustra!

Regulatory rulings and enforcement actions that ignore technical architectures that were specifically and intentionally designed to fail two of the four required elements of the  Howey Test will undermine the US, exporting billions of dollars of great jobs and wealth.

With due respect for the legitimate need to police securities, the SEC is engaging in mission creep that has led it to attempt to regulate non-securities to the terrible detriment of the United States of America, and, indeed, humanity. Time for Congress to step up.

Lucius Gregory (Greg) Meredith, the founder and CEO of F1R3FLY.io, is a mathematician, the discoverer of the rho-calculus, a co-inventor of OSLF (Operational Semantics in Logic Form), and the inventor of the ToGL approach to graph theory.

Ralph Benko, general counsel for F1R3FLY.io, is co-author of several critically acclaimed books, including Redefining the Future of the Economy:governance blocks and economic architecture, and is a former White House official.