Code is Not Law
Code governs the possible; law governs the permissible.1
When Lawrence Lessig observed that “code is law,” he meant that software, like physical architecture, constrains what people can do; he did not mean that code generates legally enforceable rights. His insight was descriptive.2 Following the rise of blockchain networks, cryptocurrencies, and smart contracts, however, many came to hold a very different proposition: that whatever code makes possible, the law must recognize as binding.3
That proposition is a category error. It has propagated far more widely than its fringe origins would suggest, reaching legislators, regulators, courts, and private parties alike.4 The corrective is straightforward: code acquires legal force only to the extent that positive law confers it.5
What Lawrence Lessig Actually Meant
Lessig's maxim was one strand of a larger argument: behavior in cyberspace is constrained by four modalities, namely law, the market, social norms, and architecture, and code is the architecture of digital space.6 Code regulates by defining the realm of the possible, not by creating rights. The distinction is easily lost but decisive:
Lessig’s catchy three-word pronouncement should not be read as “code is [positive] law,” but rather as “code is [soft] law.”7
Soft law shapes conduct, and it may do so with great force, but it does not, by itself, generate the rights and duties that the legal system will recognize and enforce.
How the Insight Was Distorted
Two intellectual currents eroded the distinction between code and law. The cyber-separatists, whose manifesto was John Perry Barlow's 1996 Declaration of the Independence of Cyberspace, denied that the law of nation states had any purchase online. The cypherpunks went further, treating cryptography and code as the instruments of a self-governing order beyond the reach of positive law.8 As these ideologies converged with blockchain technology, scholars began to argue that code could create “de facto property rights” or operate “alegally,” beyond traditional legal frameworks.9 The descriptive observation that code constrains behavior morphed into the misguided belief that code could be a source of law.
What Does It Mean to Call Something “Law”?
Asking whether code is law requires first answering what law is. On that central question, “legal philosophy has offered competing accounts of law's nature, including natural law theory, legal realism, and Dworkinian interpretivism, among others.”10 Each delivers a different test for what makes a rule binding, and therefore a different answer to whether code can ever count as law.
In caricature: natural law theory holds that legal validity depends on a rule's conformity with moral principles, so that a deeply unjust rule is, in some sense, not law at all. Legal realism locates law in the observable behavior of officials, above all judges, treating a rule as law to the extent it predicts how courts will dispose of disputes. Dworkinian interpretivism understands law as the set of principles that best justifies a community's settled legal practice in its most attractive moral light. Legal positivism, by contrast, treats law as a system of rules that exists because a society's recognized institutions accept it as law, irrespective of moral content.
Why the Positivist Lens?
Of these competing accounts, this analysis runs through legal positivism. Two propositions sit at its core. The social thesis holds that law's existence depends on identifiable social facts such as legislative enactment, judicial decision, or customary acceptance, not on moral merit. The separability thesis holds that law and morality are not necessarily connected, so that a rule may be legally valid even when morally unattractive. Together they define what it means, for a positivist, to call something law.
The choice of positivism for this analysis is methodological, not a claim that it is the one true theory of law: it rests on three converging reasons.10
First, positivism is the descriptive account of legal authority that lawmakers, regulators, courts, and practitioners actually use day to day. Its descriptive reach is so wide that even the leading contemporary natural law theorist, John Finnis, has conceded that positivism gives a complete account of what counts as legally valid within any given legal system, leaving moral assessment aside.11 Whatever its limits as moral theory, positivism describes the legal system in which the “code is law” debate is actually being conducted.
Second, positivism is uniquely equipped to answer the question the debate is actually asking. At its core, the “code is law” thesis is a claim about legal validity: it asserts that code, standing on its own, can generate the kind of rule that courts will recognize and enforce. That is precisely the question positivism is built to address. Natural law theory asks whether a rule is just; legal realism asks what courts will do with it; Dworkinian interpretivism asks how it fits a community's principled practice. None of these is purpose-built for the question of what counts as a valid source of legal rules. Positivism is.
Third, and most decisively: the strongest version of the “code is law” thesis fails on its own terms. Its proponents argue that blockchain communities, with their consensus protocols and developer norms, have generated their own “nascent legal orders” (a position sometimes branded lex cryptographia). But they do not ground that argument in moral principles, judicial behavior, or interpretive coherence with existing doctrine. They ground it in social facts, namely technical function and community acceptance, and contend that those facts have produced a new source of legally binding rules. That is, by definition, the positivist move: law as a matter of recognized social fact, not moral merit. The strongest version of “code is law” is therefore itself, structurally, a positivist claim, and must be tested on positivism's own criteria. If it fails there, it fails definitively.
Hart's Framework: Primary and Secondary Rules
The decisive modern positivist account is H. L. A. Hart's. Hart refined the older positivist accounts of John Austin and Hans Kelsen (which had treated law as a system of commands backed by sovereign force) by analyzing law instead as the union of two kinds of rules.12
Primary rules impose duties on people: do not steal, drive on the right, pay your taxes. A society could exist on primary rules alone, but it would suffer from three structural defects: uncertainty about which rules are in force, inability to make new rules or repeal old ones, and inefficiency in deciding when a rule has been broken.
Secondary rules solve those defects by operating at a higher level, and they come in three flavors. The rule of recognition is the legal system's master test for what counts as a valid rule of the system, the criterion to which officials and citizens implicitly defer when they identify the law (in the United States, roughly: the Constitution, valid statutes, agency regulations within delegated authority, and judicial precedent). Rules of change empower designated actors to introduce, modify, or extinguish primary rules; publicly, they give legislatures the authority to legislate, and privately, they let individuals bind themselves through contracts, wills, trusts, and corporate charters. Rules of adjudication empower designated actors, typically courts, to determine authoritatively whether a primary rule has been broken and what should follow.
Within Hart's framework, the “code is law” thesis runs aground at the most basic stage: effectiveness at controlling behavior is not legal validity. The point survives translation into the most everyday English:
The fact that code regulates behavior effectively does not make it law any more than the fact that gravity pulls objects downward toward the earth makes it a legal prohibition against flying.14
In more rigorous form: there is “an ontological gap that separates architectural constraints from legal rules.”13 Architecture, including code, compels through possibility and impossibility; a locked door does not tell anyone they must not enter, it simply makes entry impossible. Law, by contrast, obligates through normative prescription. Two contemporary legal philosophers sharpen the distinction in complementary ways. For Joseph Raz, what makes law distinctive is that it uniquely claims authority: it presents itself as creating reasons for action that preempt and exclude contrary considerations. For Brian Leiter, law and code occupy different domains altogether; law operates in the space of reasons and justifications, while code operates in the causal realm of physical constraints.
Legal validity, on Hart's account, “derives from ‘pedigree,’ not performance,”15 meaning a rule counts as law because it can be traced to a recognized source within the legal system, not because it is effective at making people behave.
The Synthesis: Code Is Soft Law Until Law Says Otherwise
Standing alone, code is a uniquely powerful form of soft law: it shapes conduct, often with remarkable finality, but it generates no rights and imposes no duties. Code's regulatory force is causal, not normative; it governs what can happen, not what ought to happen, and the difference is not cosmetic but jurisprudential.
The legal system can nonetheless bridge that gap, but only by exercising its own secondary rules. It does so chiefly through rules of change, in a process best described as investiture: the legal system selects a verifiable technical fact and clothes it with legal consequences, so that what was previously a mere architectural state becomes a state to which rights and duties attach. Investiture can come from a legislature, a court, or an administrative body acting in a public capacity, or it can come from private parties exercising the limited legislative power that contract, trust, and entity law confer on them. Either way, the architecture remains architecture, and the law wraps around it.
From this the central proposition follows, and follows categorically: “code is not law, unless and until law makes it so.”16
Is Code Law?
Standing alone, no. Code is a uniquely powerful form of soft law: it shapes conduct, often with remarkable finality, but absent investiture by the legal system's secondary rules it generates no rights and imposes no duties. Code's regulatory force is causal, not normative. It governs what can happen, not what ought to happen, and the difference is not cosmetic but jurisprudential.
Code can nonetheless become legally operative, but only through one of two pathways of investiture derived from Hart's rules of change. The first is public empowerment: a legislature or other recognized public authority identifies a verifiable technical state and attaches legal consequences to it. The architectural constraint remains architectural, but the law wraps around it, making its effects legally cognizable. The second is private empowerment: parties incorporate code into contracts, trusts, wills, corporate charters, and other instruments that the law already recognizes as creating binding commitments. The legal force of the resulting arrangement comes from the recognized legal vehicle, not from the technical operation it automates.
Outside these two pathways, code remains soft law, however effective: a constraint on conduct, not a source of rights and duties. The proposition is categorical: “code is not law, unless and until law makes it so.”16
Code Mistaken for a Source of Rights and Obligations
The category error that code can itself generate rights and duties has migrated from theory to practice, and the consequences are concrete. Three recurring patterns illustrate what is at stake when participants, drafters, and even lawmakers treat technical capability as legal authority: the assumption that ownership of a non-fungible token carries property rights in what it represents, the assumption that a smart contract is itself an enforceable contract, and the assumption that the architectural arrangement of a decentralized autonomous organization supplies the legal shield of a limited liability entity. Each pattern is a discrete manifestation of the same mistake, and each has produced tangible losses for the parties caught by it.
Non-fungible tokens and the property fallacy. The Bored Ape Yacht Club license states that “[o]wnership of the NFT is mediated entirely by the Smart Contract and the Ethereum Network.”17 That is not how ownership works: “Ownership is a legal concept determined by applicable property law. It is not ‘mediated,’ or otherwise structurally modified by blockchain technology, smart contracts or any technological system.”18 If the owner of an NFT dies, title passes to the heirs under the law of succession, whatever the ledger records. The 2022 theft of actor Seth Green's Bored Ape sharpened the stakes: when the token left his control, the questions of who owned the underlying art, whether the associated license travelled, and whether a good faith purchaser could take clean title could not be answered from the smart contract alone.19 These are property questions with determinate legal answers, because digital-asset transactions ultimately “rest on an unresolved premise: that digital assets can be owned and are governed by established property rules.”20 Under the 2022 amendments to the Uniform Commercial Code the token itself qualifies as a controllable electronic record (a digital record subject to exclusive technological control, analyzed in detail on the companion hub for UCC Article 12 and Controllable Electronic Records), but Article 12 provides that rights in property merely evidenced by such a record are governed by law other than Article 12, so transferring the token does not transfer the copyright or other rights in the artwork.21
Smart contracts mistaken for legal agreements. Some state statutes declare that a smart contract “shall be considered a commercial contract” or that smart contracts “govern” the rights and duties of an organization's members.22 An enforceable agreement is a creature of contract law; a smart contract is a software script that executes a predetermined operation upon a specified input. “The former is a creature of law; the latter is an artifact of code.”23 A smart contract may be the vehicle through which parties form or perform an agreement, but it does not become one by executing: “Smart contracts are only legal contracts when the law recognizes them as having legal effect; otherwise they are simply code used to automate technical acts to be conducted on computer systems.”24 The same confusion surfaced in Van Loon v. Department of the Treasury, a challenge to the Office of Foreign Assets Control's decision to place the Tornado Cash crypto mixer on the Specially Designated Nationals sanctions list. The U.S. District Court for the Western District of Texas held that the immutable smart contracts comprising the mixer were sanctionable “property” on the theory that smart contracts are “a code-enabled species of unilateral contracts,” moving from a technically accurate description of smart contracts to treating them as legally enforceable contracts; the Court of Appeals for the Fifth Circuit reversed.25
Decentralized autonomous organizations and the limited liability that is not there. Founders of venture DAOs frequently assume that technical control over digital assets supplies the asset-shielding function of a limited liability entity. It does not. In Samuels v. Lido DAO, an investor who had bought and lost money on LDO governance tokens sued the Lido DAO and four of its institutional backers (Paradigm Operations, Andreessen Horowitz, Dragonfly Digital Management, and Robot Ventures), alleging that LDO tokens were unregistered securities and that each backer was jointly and severally liable as a general partner in the DAO. The court denied the motion to dismiss, holding that operating an Ethereum staking service that retained a share of validator revenue was sufficient to plead a general partnership. Houghton v. Leshner applied the same partnership theory to the Compound DAO. In Sarcuni v. bZx DAO, nineteen plaintiffs sued the bZx DAO on a negligence theory after a developer fell for a phishing email on his personal computer and the resulting security breach allowed attackers to drain roughly $55 million from bZx protocol users. In each case, federal courts allowed claims to proceed on the theory that DAO participants, including sophisticated institutional investors, had formed general partnerships by default and were exposed to joint and several liability.26 “[L]imited liability ... is a normative creation available only through the legal system's secondary rules of change, when parties comply with applicable entity formation statutes.”27 The lesson recurs across the crypto economy when organizations fail: “In the world of crypto, code is supposed to be king. Yet, when faced with financial ruin, even the most ardent crypto enthusiasts discover that traditional legal systems offer a vital safety net.”28
Code Invested with Legal Authority by Positive Law
Authority thus flows from the law to the code, never the reverse.29
Where the legal system's secondary rules do invest code with authority, the result is not “code is law” but its opposite: the law identifies a discrete technical fact and attaches legal consequences to it, while reserving validity, change, and adjudication to itself. Both pathways of investiture, public and private, are visible in current practice.
Public investiture: UCC Article 12. The clearest example of legislative investiture is Article 12 of the Uniform Commercial Code, adopted in the 2022 Amendments. Article 12 does not declare that code is law; it “carefully defines which technological facts will be granted legal significance and precisely what their juridical status will be.”30 It identifies a verifiable technical fact, control over a controllable electronic record, and attaches specific legal consequences to it: a take-free rule (a purchaser who acquires control for value, in good faith, and without notice of competing claims takes free of those claims, in the manner of a holder in due course of a negotiable instrument), a choice-of-law waterfall that resolves the jurisdictional question for distributed-ledger transactions, and the new categories of controllable accounts and controllable payment intangibles (payment rights, such as a stablecoin's redemption right, evidenced by a controllable electronic record so that the right travels with the token to whoever holds it).31 Those payment-rights categories are the doctrinal foundation for tokenizing financial claims; a companion study of crypto insolvencies records that the early promise that “blockchain operates as a law unto itself” collapsed once insolvent platforms reached bankruptcy court, and that genuine tokenization instead depends on the statutory framework Article 12 supplies.32 The law remains the source of the rule; the code supplies only the triggering fact. The doctrinal mechanics of Article 12 are addressed in the companion research page on UCC Article 12 and Controllable Electronic Records.
Private investiture: contracts, trusts, and entity charters. The same logic governs private ordering. Parties may incorporate code into contracts, trusts, wills, and corporate charters, and the resulting arrangements derive their force from those recognized legal instruments, not from the code itself.33 A smart contract operating within a properly formed contractual relationship is legally binding because contract law makes it so; a venture organized as a limited liability entity under state law obtains its asset-shielding function from the entity statute, not from the smart contract that records its governance. In each case authority flows from the law to the code, and the code's role is confined to executing what the law has already empowered the parties to do.
Could Code Ever Become an Autonomous Source of Law?
Beyond legislation and private ordering lies a third and more theoretical pathway: whether code could be recognized as an autonomous source of law through Hart's rule of recognition. The answer is that this is implausible. A rule of recognition identifies sources that produce interpretable, prescriptive norms, whereas code records factual states and executes deterministically. Code can express that if a condition occurs an operation will run, but not that if a condition occurs a person ought to act. Recognizing code as a freestanding source of law is therefore “more of a theoretical possibility than a present reality.”34
The stakes are not confined to blockchain. The framework extends to every wave of new technology, “from large language models to autonomous robots.”35 “[E]ach generation of technological innovation tempts lawmakers, courts, and market participants to mistake architectural power for normative authority”; the enduring response is that “code governs the possible; only law determines the permissible.”36
Notes
1. Carla L. Reyes, Andrea Tosato & Andrew Hinkes, Code is Not Law, 54 Fla. St. U. L. Rev. (forthcoming 2026) (manuscript at 19).
2. Id. (manuscript at 3–5).
3. Id. (manuscript at 5); see also id. (manuscript at 13) (cataloguing the scholarly claims that advanced the view).
4. Id. (manuscript at 2).
5. Id. (manuscript at 5–6).
6. Id. (manuscript at 7–8).
7. Id. (manuscript at 8).
8. Id. (manuscript at 9–11).
9. Id. (manuscript at 4, 13).
10. Id. (manuscript at 13–15) (canvassing competing accounts of law's nature, including natural law theory, legal realism, and Dworkinian interpretivism; expounding modern positivism's two foundational propositions, the social thesis and the separability thesis; and setting out three reasons for adopting a legal positivist analytical framework: positivism's descriptive accuracy and dominance in contemporary legal thought and practice, its unique suitability to questions of legal validity, and the structurally positivist character of the claims advanced by proponents of lex cryptographia).
11. Id. (manuscript at 13) (quoting John Finnis, Natural Law and Natural Rights 26–27 (2d ed. 2011), as conceding that positivist theories offer a “completely adequate” account of “what any competent lawyer . . . would say are (or are not) intrasystematically valid laws”).
12. Id. (manuscript at 14–19) (applying H. L. A. Hart, The Concept of Law (3d ed. 2012)).
13. Id. (manuscript at 17) (drawing on Joseph Raz's account of law's claim to authority and Brian Leiter's distinction between law operating in the space of reasons and code operating in the causal realm of physical constraints).
14. Id. (manuscript at 17).
15. Id. (manuscript at 19).
16. Id. (manuscript at 20).
17. Yuga Labs LLC, Bored Ape Yacht Club License Terms, quoted in Code is Not Law (manuscript at 31).
18. Code is Not Law (manuscript at 31).
19. Id. (manuscript at 32).
20. Andrea Tosato & Christopher K. Odinet, Digital Assets and the Property Question, 78 Fla. L. Rev. (forthcoming 2026).
21. U.C.C. § 12-104(c), (f) (Am. L. Inst. & Unif. L. Comm'n 2022); see Code is Not Law (manuscript at 43–44).
22. Ark. Code Ann. § 25-32-122 (2023); Tenn. Code Ann. § 48-250-105 (2022); discussed in Code is Not Law (manuscript at 21–23).
23. Code is Not Law (manuscript at 22).
24. Id. (manuscript at 34).
25. Van Loon v. Dep't of the Treasury, 122 F.4th 549 (5th Cir. 2024), rev'g 688 F. Supp. 3d 454 (W.D. Tex. 2023); discussed in Code is Not Law (manuscript at 26–27).
26. Samuels v. Lido DAO, 767 F. Supp. 3d 951 (N.D. Cal. 2024); Houghton v. Leshner, No. 22-cv-00781-WHO, 2023 WL 6826814 (N.D. Cal. Sept. 20, 2023); Sarcuni v. bZx DAO, 664 F. Supp. 3d 1100 (S.D. Cal. 2023); discussed in Code is Not Law (manuscript at 37–39).
27. Code is Not Law (manuscript at 40).
28. Kara Bruce, Christopher K. Odinet & Andrea Tosato, Bankrupt Crypto Organizations, 104 N.C. L. Rev. 657 (2026) (manuscript at 3).
29. Code is Not Law (manuscript at 41).
30. Id. (manuscript at 42).
31. U.C.C. §§ 12-104, 12-105, 12-107 (Am. L. Inst. & Unif. L. Comm'n 2022); see Code is Not Law (manuscript at 41–44).
32. Andrea Tosato, Diane Lourdes Dick & Christopher K. Odinet, Debt Tokens, 173 U. Pa. L. Rev. 1103, 1103, 1157–59 (2025).
33. Code is Not Law (manuscript at 44–48).
34. Id. (manuscript at 20); see also id. (manuscript at 49–51).
35. Id. (manuscript at 6).
36. Id. (manuscript at 51–52).