Consumer Law within the Web3 space

Legislative intervention in consumer protection lags far behind a reality in which shopping increasingly takes place in web3, especially given the expansion of NFT purchasing.

The information obligations under the Consumer Code and European law require professionals who provide goods or services to consumers to give them information in clear and comprehensible language before the contract is concluded.

Fulfilling this obligation can be complex due to the innovative nature of these goods, and a consumer’s difficulty in understanding what he or she is really buying, without adequate prior information, could lead to an increasing number of disputes.

The European legislator adopted specific rules applicable to contracts for the supply of digital content with Directive (EU) 2019/771, which was transposed into Italian law by Legislative Decree No. 170/21 amending the Consumer Code.

The new discipline expressly deals with ‘goods with digital elements’, i.e. goods with a digital component without which they cannot function. The digital component may be internal to the good (incorporated) or external (interconnected), but in both cases it must be essential to the good itself, meaning that without it the good would not be able to perform its functions.

In the specific context of the sale of digital goods, the new subjective and objective conformity requirements dictate that the characteristics of the digital content must correspond, respectively, to what is stipulated in the contract and to what can reasonably and objectively be expected from the digital content itself.

The European Directive also states that the seller must ensure that the consumer is provided with the updates, including security updates, necessary to keep these goods in conformity for the period of time that the consumer can reasonably expect, taking into account the type and purpose of the goods and digital elements, and the circumstances and nature of the contract.

The seller must therefore fulfil a strict obligation to inform the consumer about available updates, so as to be exempt from liability for lack of conformity where the consumer, despite having received that information, fails to install the updates.

In the specific case of the purchase of NFT, non-conformity of the goods can be recognised when the content is not available or is altered.

On the other hand, doubts as to the non-conformity of the goods arise when the NFT does not exhibit the promised rarity characteristics; the scarcity of the NFT is in fact fundamental for the quantification of its value, and a degree of rarity significantly lower than that expected by the consumer could render the goods unfit for use and therefore not conforming according to the subjective requirements. 

The contractual terms and conditions of sale of the NFT should therefore set out precisely what degree of rarity is to be guaranteed in the future for the NFT sold, and comply with the requirement of good faith and contractual transparency with regard to multiple other, often underestimated issues, such as, but not limited to, the possible consequences in the event of failure of the blockchain and the action for damages.

Another issue that will be decisive for the application of the protections provided by consumer protection legislation is to resolve, in NFT purchases, the status of consumer.

Article 3 of the Consumer Code defines a consumer or user as ‘a natural person acting for purposes which are outside his or her trade, business, craft or profession’.

In practice, however, we see an increasing use of NFT for advertising or marketing purposes, and the category of buyers is divided into occasional and ‘speculative’ or ‘collector’ buyers, who might not be considered consumers but rather ‘professionals’.

This first distinction will be the basis on which interpreters of the law approach many other issues that currently find no practical application, because the European consumer protection rules were designed for the conclusion of “traditional” contracts, not contracts concluded through smart contracts: think of the so-called unfair clauses and the impossibility of the double signing of clauses required by Art. 1341 of the Italian Civil Code; or of the so-called consumer forum, since to date it is difficult to establish the domicile of the buyer/consumer in the crypto world, precisely because of the anonymity that characterises blockchain environments.

The EU’s new Markets in Crypto-Assets Regulation (MiCA) may partly provide a solution, as it prohibits the anonymity of crypto-asset holders for admission to trading platforms, but NFTs will be excluded from the scope unless they fall under existing crypto-asset categories. 

The European Commission will be tasked with preparing a comprehensive assessment and, if deemed necessary, a specific, proportionate and horizontal legislative proposal to create an NFT regime and address the emerging risks of this new market.

Purchase of NFT and right of withdrawal

Another crucial issue for consumer protection and web3 shopping concerns the right of withdrawal.

According to Directive 2011/83/EU on consumer rights, the consumer must be informed about the possibility and how to exercise the right of withdrawal, i.e. the right to withdraw from a distance contract within fourteen days, without having to provide any justification. 

The smart contract under which an NFT is usually sold does not allow for the exercise of the right of withdrawal, as it is not possible to stop the execution for non-performance or in case of a change of heart.

The smart contract in fact uses the formula “if this/then that”, by virtue of which, upon the occurrence of a given event (this), certain effects are produced (that), which are predetermined by the parties themselves, based on strict instructions.

In application practice we therefore see numerous transactions with general contractual terms and conditions that explicitly exclude the right of withdrawal.

This exclusion is justified by bringing the purchase of an NFT within the exceptions provided for in Article 59, letters a), b), i), m) and o) of Legislative Decree No. 206/2005 (Consumer Code).

In this respect, it is recalled that the right of withdrawal is excluded (sub-para. a) in service contracts after the service has been fully performed if performance has begun with the consumer’s express agreement and acceptance of the loss of the right of withdrawal following the full performance of the contract by the trader and (sub-para. b) where the price is linked to fluctuations in the financial market which the trader is unable to control and which may occur during the withdrawal period.

Furthermore, the right of withdrawal is excluded (sub-para. i) with respect to the supply of sealed audio or video recordings or sealed computer software which have been opened after delivery, or (sub-para. m) with respect to contracts concluded at a public auction.

Another exception (sub-para. o) concerns the supply of digital content (such as an NFT) by means of a non-material medium (such as a private key or other NFT redemption code) where performance has begun and, if the contract imposes an obligation on the consumer to pay, three cumulative conditions are fulfilled:

  • the consumer has given his prior express consent to commence the performance during the right of withdrawal period;
  • the consumer recognised that he thus lost his right of withdrawal;
  • the trader has provided confirmation of the conclusion of the contract in accordance with the terms of Directive 2011/83/EU for distance contracts.

A possible solution to allow consumers to exercise their right of cooling-off could be found in the new NFT standard, which would guarantee their purchases against scams (better known as ‘rug-pulls’) as well as the possibility to ask for a refund in case of withdrawal before the deadline.

The term ‘rug-pull’ refers to a type of scam that generally occurs when the developers of a project, after creating the cryptographic token, increase its value in order to attract as many investors as possible, and then withdraw all funds and abandon the fraudulent project.

A standard for NFTs, on the other hand, refers to the rules by which a token is uniquely identified with respect to the others issued by the same smart contract. The best known is ‘ERC-721’, introduced on Ethereum in 2017 as the first protocol for the creation of NFTs and to date the most widely used; each ERC-721 token represents a unique, non-fungible asset.

The publication of a new anti rug-pull standard, ERC-721R, officially released on 11 April 2022 and aimed, among other things, at countering fraudulent NFT projects, could give the user a right to reconsider their purchase and, thus, be refunded the price paid for the minted NFT.

In particular, this mechanism works through an escrow: the sums paid by buyers are held as collateral by the smart contract. The creators can only withdraw these funds after a period of time has elapsed (such as the 14 days of the right of withdrawal in off-premises purchases) during which buyers may return their NFT and receive a refund from the same smart contract.

This new standard represents a possibility both in terms of openness towards innovative solutions concerning the user’s right to rethink and the consequent exercise of the right of withdrawal, and in terms of a guarantee against certain fraudulent practices: although the purchase of NFT is irreversible, if during this period the creators decide to rug-pull, buyers will be able to request a refund of their funds by the end of the waiting period, losing only the gas fees incurred for transaction costs.
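The escrow-and-refund window described above, modelled as an added Python example (not the ERC-721R reference implementation or any project’s contract); the 14-day window, the mint price and the addresses are constructed assumptions:

```python
"""Toy model of an ERC-721R-style refund window (constructed example, not
the ERC-721R reference implementation). Mint payments sit in escrow; a
buyer may return a token for a full refund until the window closes; the
creator can withdraw escrowed funds only after it closes. An early
withdrawal (a rug-pull attempt) therefore fails. Gas is not modelled."""
from dataclasses import dataclass, field

DAY = 24 * 3600
REFUND_WINDOW = 14 * DAY   # mirrors the 14-day withdrawal period
MINT_PRICE = 100           # constructed price, arbitrary units


@dataclass
class RefundableCollection:
    creator: str
    sale_start: int                               # timestamp, seconds
    owners: dict = field(default_factory=dict)    # token_id -> owner
    balances: dict = field(default_factory=dict)  # address -> funds paid out
    escrow: int = 0                               # funds still refundable
    next_id: int = 0

    @property
    def refund_end(self) -> int:
        return self.sale_start + REFUND_WINDOW

    def mint(self, buyer: str, paid: int, now: int) -> int:
        """Sell one token; the payment is locked in escrow, not paid out."""
        if paid != MINT_PRICE:
            raise ValueError("wrong mint price")
        if now > self.refund_end:
            raise RuntimeError("minting closed")
        token_id = self.next_id
        self.next_id += 1
        self.owners[token_id] = buyer
        self.escrow += paid
        return token_id

    def refund(self, token_id: int, caller: str, now: int) -> int:
        """Return the token and recover the mint price, only inside the window."""
        if self.owners.get(token_id) != caller:
            raise PermissionError("caller does not own this token")
        if now > self.refund_end:
            raise RuntimeError("refund window closed")
        self.owners[token_id] = self.creator  # token goes back to the project
        self.escrow -= MINT_PRICE
        self.balances[caller] = self.balances.get(caller, 0) + MINT_PRICE
        return MINT_PRICE

    def withdraw(self, caller: str, now: int) -> int:
        """Creator collects the escrow; rejected until the window has lapsed."""
        if caller != self.creator:
            raise PermissionError("only the creator may withdraw")
        if now <= self.refund_end:
            raise RuntimeError("refund window still open")
        amount, self.escrow = self.escrow, 0
        self.balances[caller] = self.balances.get(caller, 0) + amount
        return amount


def run_scenario() -> dict:
    """Two buyers mint; the creator tries to pull the funds on day 3; one
    buyer refunds on day 10, the other tries too late; the creator then
    withdraws what is left after the window."""
    c = RefundableCollection(creator="creator", sale_start=0)
    alice_token = c.mint("alice", MINT_PRICE, now=1 * DAY)
    bob_token = c.mint("bob", MINT_PRICE, now=2 * DAY)
    result = {"escrow_after_mints": c.escrow}
    try:                                    # rug-pull attempt, day 3
        c.withdraw("creator", now=3 * DAY)
        result["early_withdraw_rejected"] = False
    except RuntimeError:
        result["early_withdraw_rejected"] = True
    result["alice_refund"] = c.refund(alice_token, "alice", now=10 * DAY)
    try:                                    # bob changes his mind on day 15
        c.refund(bob_token, "bob", now=15 * DAY)
        result["late_refund_rejected"] = False
    except RuntimeError:
        result["late_refund_rejected"] = True
    result["creator_withdraw"] = c.withdraw("creator", now=15 * DAY)
    result["token_owners"] = dict(c.owners)
    return result
```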

The use of such a new protocol for the generation of NFTs, besides being more advantageous for buyers, as it would limit possible losses to only the fees for processing and validating transactions on the blockchain, presents a real opportunity for commercial service providers to promote their businesses also in the cryptocurrency world, creating trust in the market and attracting more investors.

RIGHT OF WITHDRAWAL AND SALE OF NFT

The Case

Porsche’s recent NFT collection made a lot of noise. In the ToS at the time of minting there was a point that allowed users to obtain the right of withdrawal within 14 days of the release of the collection, whatever the new ‘floor price’ after minting.

What is the right of withdrawal? 

The right of withdrawal, commonly referred to as the ‘right to a rethink’, is one of the most important rights given to the consumer by the Consumer Code. 

The right of withdrawal allows the consumer to change his mind about the purchase made outside the seller’s business premises, freeing himself from the contract concluded without giving any reason within 14 days after the purchase. In this case, the consumer may return the goods and obtain a refund of the amount paid.

What is the reference legislation for the right of withdrawal applicable to the sale of NFT?

In Europe, the matter is regulated by the Consumer Rights Directive 2011/83/EU. Directive 2011/83/EU replaces the Distance Selling Directive (97/7/EC) and the Doorstep Selling Directive (85/577/EEC) by harmonising the rules on contracts between consumers and sellers.

Updated with Directive (EU) 2019/2161, it is a regime applicable to a wide range of contracts concluded between professionals and consumers, in particular sales contracts, service contracts, contracts for online digital content and contracts for the supply of water, gas, electricity and district heating; it covers both contracts concluded in shops and those concluded off-premises (e.g. at the consumer’s home) or at a distance (e.g. online).

The update made by Directive (EU) 2019/2161 extended the scope to contracts under which the professional provides or undertakes to provide digital services or digital content to the consumer, and the consumer provides or undertakes to provide personal data. The legislation establishes, inter alia, a number of information obligations for professionals. In particular, they must, before concluding a contract, provide consumers, in plain and intelligible language, with information such as:

  • the identity and contact details of the professional
  • the main characteristics of the product; and
  • the applicable terms and conditions, including payment terms, delivery times, performance, duration of the contract and conditions of withdrawal.

Finally, online sellers are required to inform consumers whether they are a professional or a non-professional, advising them that EU consumer protection rules do not apply to contracts concluded with non-professionals. 

Directive 2011/83/EU includes a comprehensive set of provisions on withdrawal, under which, inter alia, consumers may withdraw from distance selling contracts within 14 days of the delivery of the goods or the conclusion of the service contract, with certain exceptions, without any explanation or cost; if the consumer is not made aware of his or her rights, the withdrawal period is extended to 12 months.

Europe is not the only community that has adopted strongly protective rules for the weaker contracting party: many countries, such as the United Kingdom, have adopted legislation that provides the same or very similar protection.

Which companies are obliged to apply the right of withdrawal?

Article 3(4) of Directive 2011/83/EU defines the objective scope of the regulation by referring to ‘any contract’ concluded between a professional and a consumer.

Therefore, even projects based outside the European Union (or outside other countries with similar rules, such as the United Kingdom) may still be subject to the consumer laws of the United Kingdom, of the European Union and of states with similar regulations when they sell goods or services to consumers in those states. This is because the scope of these laws covers any company that offers goods or services to consumers in states that provide this protection, regardless of where the company is located.

This means that international companies selling to consumers, e.g. from the UK and EU, must comply with UK and EU consumer laws. Failure to comply with these laws can result in penalties for the company, including fines and legal action.

Can the right of withdrawal be excluded?

There is a set of cases which, in specific circumstances, allow the exclusion of the right of withdrawal. For the matter identified here, for example, Article 16, letter (m), of Directive 2011/83/EU tells us that “Member States shall not provide for a right of withdrawal in respect of distance and off-premises contracts relating to […] the supply of digital content on a non-material medium if the performance has begun with the consumer’s prior express consent and his acknowledgement that he would lose his right of withdrawal”. This is a very specific provision that, if interpreted correctly, would allow the professional to avoid heavily negative consequences for the economy of the project while remaining within a perimeter of legal compliance.

Deep dive into cybersec: exploits

In general terms, an exploit is a series of actions executed to derive the most benefit from a pre-existing resource.

In computer security we can interpret it as a piece of software, a chunk of data or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior on computer software or hardware. This can include data leakage, privilege escalation, arbitrary code execution (often used as part of a zero-day attack), denial-of-service attacks and viruses.

Going even deeper, this term is used to describe the use of low-level software instructions that exceed the intended function or design of a computer program.

Hackers are always on the lookout for vulnerabilities. They use exploits to obtain personal data such as credit card numbers, bank account access, social security numbers and all kinds of sensitive information.

The most common vector for an exploit is injection:

  • SQL injection, where a bad actor (or someone posing as one) injects malicious code into an entry field in order to extract data from a database.
  • Cross-site scripting (XSS), where a bad actor injects malicious script into a website’s pages, which then runs in visitors’ browsers, in order to extract data from the website’s users, database or server.
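The two injection vectors just listed, each shown beside its hardened form in an added Python example (not code from the original post); the user table and the inputs are constructed, and the mitigations shown are parameterised queries for SQL and output escaping for HTML:

```python
"""The two injection vectors named above, each beside its hardened form.
Added example, not from the original post: an in-memory SQLite table with
constructed rows stands in for the application's database, and the HTML
fragment stands in for a page that echoes user-supplied text."""
import html
import sqlite3

# Constructed sample data: the application's user table.
_ROWS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def _fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", _ROWS)
    return conn


def lookup_vulnerable(name: str) -> list:
    """String concatenation: the entry-field value becomes part of the SQL
    text, so a quote character in the input changes the query's structure."""
    conn = _fresh_db()
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(name: str) -> list:
    """Parameterised query: the value travels separately from the SQL text
    and is only ever compared as data, whatever characters it contains."""
    conn = _fresh_db()
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_comment_unsafe(comment: str) -> str:
    """Echoes user text straight into HTML, so markup in the text is
    interpreted by every visitor's browser (cross-site scripting)."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    """Escapes HTML metacharacters, so the text is displayed, not executed."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def demo() -> dict:
    """Constructed inputs: a tautology for the SQL field, a script tag for
    the comment field. Returns what each variant lets through."""
    sql_input = "' OR '1'='1"
    html_input = "<script>alert(1)</script>"
    return {
        "sqli_rows_vulnerable": len(lookup_vulnerable(sql_input)),  # all users
        "sqli_rows_safe": len(lookup_safe(sql_input)),              # no match
        "script_survives_unsafe": "<script>" in render_comment_unsafe(html_input),
        "script_survives_safe": "<script>" in render_comment_safe(html_input),
    }
```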


Famous exploits

There are many famous exploits and hacks, but some of the most prominent in the public eye are Heartbleed, the Sony PlayStation Network hack, the Target security breach and EternalBlue (which started the ransomware trend).

Heartbleed is a vulnerability in OpenSSL that was discovered on April 7, 2014: a bug in OpenSSL’s implementation of the TLS heartbeat extension allowed attackers to steal information from servers’ memory without being detected. It affected over 66% of all web servers globally, including sites like Yahoo!, Facebook, Google, and Amazon.

Sony’s PSN (PlayStation Network) breach happened even earlier: in 2011 a group of hackers stole personal information from 77 million accounts. They were able to do this because they had obtained PSN usernames and passwords from an outside party who had hacked into Sony’s network earlier that year.

Target’s security breach occurred during the 2013 holiday shopping season and saw 40 million credit cards stolen from its systems: in that case the hackers used malware deployed to Target’s point-of-sale terminals to steal card data while it was being entered into the system.

Another famous example is WannaCry, carried by EternalBlue, a vulnerability discovered by the NSA and kept secret until it was leaked by a group called the Shadow Brokers. It is a security exploit affecting Microsoft Windows that was unpatched at the time of public disclosure. EternalBlue has been one of the most dangerous exploits in the world and has been used to build some of the most devastating ransomware attacks: it was used to spread WannaCry, NotPetya and Bad Rabbit.

Ransomware is a type of malware that locks up the data on the victim’s computer and demands payment to release it. It usually spreads through email attachments, downloads from untrusted sources or, more generally, through a vulnerability in the system.

Stay safe out there!

As the number of people and devices connected to the internet has increased, so has the number of cyber attacks: cyber criminals are always on the lookout for new ways to exploit vulnerabilities in your systems.

To prevent this, it is important to take measures to make sure you are not vulnerable:

  • always update your software and hardware regularly
  • use strong passwords and change them regularly
  • use two-factor authentication whenever possible
  • have a security suite installed that includes antivirus protection and firewall settings that block suspicious or malicious programs from accessing your system.

The latter is especially important for Windows users, but this doesn’t mean that Linux and macOS users should feel safe: as the usage and distribution of Unix-based systems increase and gain popularity, so does research into possible attack vectors.

Updates are a crucial part of keeping your devices protected. They not only stop specific exploits, they improve the security of the device and protect it from known attack vectors: most of the most devastating exploitations have been carried out against unpatched systems, even after the patches had been distributed.

The internet is a digital world that is both beneficial and harmful. It was created to connect people from all over the world, but it has also created a space for hackers to exploit vulnerabilities, posing a risk to everyone who lacks proper knowledge of the problem. That is why it is fundamental to learn how to protect your privacy and your data, and to build awareness of online security and online threats.

Knowledge is power; in this case, the power to defend your data from malicious attacks.

Reinforcement Learning (RL): how robots learn from their environment

Reinforcement Learning (RL) has been increasingly applied in recent years in the world of autonomous robotics, especially in the development of what have been called ‘curious robots’, i.e. robots programmed to mimic human curiosity about the external environment.

Indeed, one of the fundamental problems of autonomous robots concerns their ability to autonomously generate strategies to solve a problem, or to autonomously explore an environment. RL makes it possible to improve the robot’s performance in both areas. Reinforcement learning is one of the three basic paradigms of machine learning, together with supervised learning and unsupervised learning. In the field of ‘open-ended robotics’, RL is used to let the robot explore and learn from an environment even in the absence of an explicit goal.

Briefly, RL works as follows in this context: the robot starts to explore a part of the environment with its sensors and actuators (e.g. mechanical arms). As soon as that part of the environment is known beyond a certain threshold, the RL algorithm decreases the reward, i.e. the positive ‘reinforcement’ (hence the name reinforcement learning), for exploring it, and so forces the robot to explore a new portion. In this way the robot is driven, autonomously, by a curiosity-like principle.

One of the major advantages of using reinforcement learning in the development of ‘curious robots’ is that it allows them to learn from their environment in a more natural way. Traditional programming techniques require engineers to specify every step a robot must perform to complete a task, which can be time-consuming and inefficient, especially if the robot is deployed in unpredictable and changing environments. Reinforcement learning, on the other hand, allows robots to learn autonomously from their environment and develop the best interaction strategies. The same techniques can be used to let a robot discover, by trial and error, the shortest way out of a maze. In general, RL works very well for exploratory objectives and for interaction with extremely unpredictable environments, where normal programming techniques would certainly fail.
The evolution of this approach could lead in the coming years to robots capable of exploring vast portions of the environment, for long periods of time, without the need for any human supervision. Such technology has applications in multiple fields, both civil and military.
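The curiosity mechanism just described, as an added Python illustration (not code from any robotics project): a greedy agent on a small grid whose exploration reward for a cell decays with the number of visits, so that once a region is known the agent is pushed elsewhere. The grid size, the 1/sqrt(n + 1) decay and the ‘known’ threshold are constructed assumptions.

```python
"""Count-based curiosity on a small grid, illustrating the mechanism
described above: the exploration reward for a cell decays as the cell
becomes known, so the agent is driven towards the parts of the environment
it has not yet seen. Added illustration, not code from any robotics
project; grid size, decay rule and 'known' threshold are constructed."""
import math
from collections import Counter

W, H = 5, 4           # a 20-cell environment (constructed)
KNOWN_THRESHOLD = 3   # visits after which a cell counts as 'known'
# Candidate moves, in the order used to break ties: right, left, down, up.
MOVES = [(1, 0), (-1, 0), (0, 1), (0, -1)]


def exploration_reward(visits: int) -> float:
    """Intrinsic reward for stepping onto a cell already seen `visits` times:
    1.0 for a new cell, then 1/sqrt(n + 1), the classic count-based bonus."""
    return 1.0 / math.sqrt(visits + 1)


def neighbours(x: int, y: int):
    """Cells reachable in one move, yielded in tie-break order."""
    for dx, dy in MOVES:
        nx, ny = x + dx, y + dy
        if 0 <= nx < W and 0 <= ny < H:
            yield nx, ny


def explore(steps: int, start=(0, 0)):
    """Greedy curious agent: at every step move to the neighbouring cell with
    the highest exploration reward. Returns the visit counts per cell and
    the reward earned at each step."""
    visits = Counter({start: 1})
    rewards = []
    pos = start
    for _ in range(steps):
        # max() keeps the first of equal candidates, so ties follow MOVES.
        pos = max(neighbours(*pos), key=lambda c: exploration_reward(visits[c]))
        rewards.append(exploration_reward(visits[pos]))
        visits[pos] += 1
    return visits, rewards


def coverage(visits: Counter) -> float:
    """Fraction of the grid visited at least once."""
    return len(visits) / (W * H)


def known_fraction(visits: Counter) -> float:
    """Fraction of cells seen often enough to count as known."""
    return sum(1 for n in visits.values() if n >= KNOWN_THRESHOLD) / (W * H)


def mean(xs) -> float:
    return sum(xs) / len(xs)


if __name__ == "__main__":
    visits, rewards = explore(200)
    # The first 19 moves each land on a fresh cell (reward 1.0) and cover the
    # whole grid; afterwards every move lands on a known cell and earns less.
    print("coverage after 19 steps:", coverage(explore(19)[0]))
    print("mean reward, steps 1-19:", mean(rewards[:19]))
    print("mean reward, steps 20-200:", round(mean(rewards[19:]), 3))
    print("fraction of cells known after 200 steps:", known_fraction(visits))
```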

Despite these advantages, there are also some potential risks associated with the use of reinforcement learning in curious robots. One of the main concerns is that reinforcement learning algorithms can be difficult to interpret, which makes it complex to understand how a robot makes decisions and to predict how it will behave in a given situation. Furthermore, reinforcement learning algorithms carry the risk that a robot will learn to perform sub-optimal or even harmful actions if the interpretation of environmental feedback is ineffective.

Overall, although there are certainly risks associated with the use of reinforcement learning in robotics, the advantages of this technique can be significant. By enabling robots to learn complex tasks and adapt more easily to new environments, reinforcement learning can help make robots more versatile and efficient. As long as these algorithms are used carefully and with proper supervision, they can be a powerful tool for improving performance and advancing the field of robotics.

ARTIFICIAL INTELLIGENCE: EXPLORING THE INVISIBLE INNOVATION

What is artificial intelligence

Artificial Intelligence is a field of Information Technology (IT) that aims to enable, and to demonstrate how, a software system can act rationally.

The earliest references to studies of the human brain date to around the 17th century BC, with the Edwin Smith Surgical Papyrus, showing that humans have been fascinated by gray matter since soon after the start of civilization.
It is only natural that, with the advent of IT, humans tried to replicate the same workflow in a machine.

BRIEF HISTORY OF ARTIFICIAL INTELLIGENCE

Contrary to common belief, Artificial Intelligence is not a new field. The first studies started in the 1930s with the “thinking machines”, when three major actors laid its foundations:

  • Norbert Wiener with his electrical network (mimicking neurons’ activation);
  • Claude Shannon, describing digital signal processing;
  • Alan Turing, who defined the rules to assess any problem from a digital point of view.

Those three key principles came together in 1943, when Walter Pitts and Warren McCulloch described the first neural network, in which artificial neurons were given the task of resolving simple logic functions.

In the following years, studies continued without a real focus (or a real name) until the Dartmouth Workshop of 1956, with its very straightforward proposal: every aspect of learning or any other feature of intelligence can be so precisely described that a machine can be made to simulate it. At that precise moment the term Artificial Intelligence was born, and research went on. Public attention and funding were on a constant rise, except for two periods called “Winters” (1974-1980 and 1987-1993), which saw respectively a major cut in funding by DARPA (1974) and the collapse of LISP Machines (1987).

THE INVISIBLE COMPANION

Luckily, history has proven that Artificial Intelligence isn’t only vaporware: after those dark times, studies began to prosper again (with some hiccups, for example in 2010 with the E-mini S&P 500 futures contracts, when a hot-potato effect started unrolling between “intelligent agents”).

Fast forward to today: we can barely notice the presence of Artificial Intelligence, yet it is a very important and integral part of our lives, participating in:

  • Utility supply distribution;
  • Traffic control in major cities;
  • Weather forecasting;
  • Food transportation chains;
  • Logistics;
  • Social media;
  • Habit analysis;
  • Art;
  • and so on.

A survey conducted by Ipsos for the World Economic Forum reported that 60% of the respondents think that AI will make their lives easier in the next 3 to 5 years, but only 52% of them think their lives will actually be better.

DATA: A DIGITAL DNA

The reason for the skepticism resides in the same core of the AI: the data.

In order to make a system autonomous it needs to be fed data that will subsequently be organized into training datasets from which the machine can learn.

While a lot of data for specific applications is gathered by governments, institutions and organizations, personal data can only be collected through applications like social media. Personal data is obviously very dynamic, and hence needs constant collection and updating.

This has raised a lot of concerns about privacy, and while our data is gradually becoming better protected thanks to regulations (like the GDPR in the EU), it still feels like the Wild West.

While in most cases the collection serves a relatively harmless end goal (like clustering for marketing purposes), the same data could be used to manipulate people (e.g. Cambridge Analytica) or, worse, to control people’s lives.