2022-09-18 Threat Modelling NFT (Non-Fungible Tokens)
Internal link: https://miro.com/app/board/uXjVPLiTJA4=/
External link: https://miro.com/app/board/uXjVPLiTJA4=/?share_link_id=163582107457
Recording of session: https://circle.cloudsecurityalliance.org/discussion/meeting-recording-threat-modeling-session-20-oct-2022?ReturnUrl=%2fcommunity-home1%2fdigestviewer%3fcommunitykey%3da9786cbe-105a-420f-a353-8bbe10ab684d
We did a high-level threat modeling exercise on NFTs.
Some key takeaways:
One of the biggest topics of discussion was the legal and regulatory aspects of NFTs. It was noted that various regulatory agencies can classify an NFT as a security, which potentially creates a post-facto situation with respect to the law and taxes.
A related discussion centered on defining which activities, and what levels of activity, are likely to pique regulatory interest. It was noted that an open source literature search (e.g. of SEC enforcement actions) is possible; correlating those actions with token data, and estimating how long enforcement action takes, could give a rough idea of what is most likely to result in regulatory action. Alternatively, someone could simply ask regulators and see if they will provide any meaningful answers; perhaps this is something to suggest to the crypto press.
Additional discussion took place around the issues surrounding asset management and holding, e.g. custodial vs. non-custodial holders. It was noted that custodial holders such as exchanges, custodians, and so on are likely to be encouraged or even forced to provide data. This is already taking place: for example, Canada's Proceeds of Crime (Money Laundering) and Terrorist Financing Act has already been used to get US-based exchanges to monitor transactions and provide data.
Some final discussion centered on theorizing about what happens when legal enforcement meets the immovable technical mountain, e.g. "you must delete this data" or "you must return these keys," where this is not technically possible.
Given the general lack of maturity of NFTs, both technically and legally, their cross-jurisdictional nature, and the potential for post-facto illegality (e.g. you are holding NFTs that are suddenly classed as a security, requiring reporting, taxes, and so on), it was generally agreed that this is an interesting legal problem and likely to be an expensive one.
If you are interested in these threat modeling exercises, please feel free to join us. They occur monthly (e.g. October 18, 2022); you can view the calendar at https://csaurl.org/meeting-blockchain, and we're on Circle at https://csaurl.org/circle-blockchain