By Steven Sprague, March 20, 2026
On March 17, 2026, SEC Chairman Paul Atkins stood before an audience and declared that the previous administration's approach to crypto was "a misguided regulation-by-enforcement campaign" that "killed many would-be products or driven them offshore." Two days later, at SEC Speaks, he called it a "shoot-first-and-ask-questions-later approach." He announced a new five-category taxonomy that, for the first time, draws clear lines around what is and what is not a security.
I know something about that enforcement campaign. I was one of the people it was aimed at.
My name is Steven Sprague. I am the former CEO of Rivetz, a cybersecurity company that sold an ERC-20 utility token in 2017. The SEC sued us in 2021. A judge ruled against us in 2024. The case is now on appeal in the First Circuit (No. 25-1451). And the question I cannot stop asking is simple:
If Rivetz launched today, exactly as it launched in 2017, would the RvT token be a security under the SEC's own new framework?
The answer is no. And that answer is a problem — not for me, but for the SEC.
Let me state the facts plainly, because the SEC's narrative and the actual facts of this case diverge in ways that matter under the new taxonomy.
In the summer of 2017, Rivetz International SEZC sold a product: the RvT token, an ERC-20 token designed to power cybersecurity operations on devices with Trusted Execution Environments. Here is what we did and did not do:
What we did:
And here is a fact that deserves its own paragraph: Of the total sale, a single enterprise customer in the USA purchased 10,000 ETH worth of tokens under a separate enterprise contract for a specific project — a blockchain-powered community in Nevada. That customer still holds 3,999,600 of the 4,000,000 tokens they purchased (wallet: 0x37DAd2f4F477B085C5E91a10D6A5eAb6daB6a445). They have never traded a single token. They bought a product for a purpose, and they still have it. That is not an investment contract. That is a purchase order.
Chairman Atkins' March 17 framework establishes five categories:
| Category | Definition | SEC Jurisdiction? |
|---|---|---|
| Digital Commodity | Value from programmatic operation + market dynamics | No — CFTC |
| Digital Collectible | Unique blockchain assets (NFTs) | No |
| Digital Tool | Utility tokens functioning within a protocol | No |
| Stablecoin | Asset-backed or algorithmic price-stable tokens | Case-by-case |
| Digital Security | Traditional securities that are tokenized | Yes |
RvT was designed to pay for device attestation, policy enforcement, compliance recording, and cross-chain verification operations. It was a cybersecurity utility token for machines. It is, by any honest reading of the new framework, a Digital Tool — Category 3.
It is not a commodity. It does not derive value from mining or staking. It is not a collectible. It is not a stablecoin. And it is certainly not a "traditional security that is tokenized" — it was never a stock, a bond, a note, or a share of anything.
Under today's taxonomy, the SEC would have no jurisdiction over RvT. Full stop.
The court ruled that RvT was an investment contract under the Howey test because, at the time of sale, the token's value was "directly dependent on Rivetz's entrepreneurial efforts." The ecosystem wasn't fully built yet. Therefore, buyers must have been investing in our future efforts. Therefore, security.
But here is the fact the court did not grapple with: the RvT smart contract was deployed, live, and functional on the Ethereum blockchain before the first token was ever sold. It remains live and operational today, nine years later. It is computer code, running on a decentralized network, executing functions when called. It was not a promise. It was not a prospectus. It was software.
The SEC admitted this under oath. In response to my Request for Admission No. 1, the SEC admitted that "the RvT smart contract was launched on the blockchain and available to provide token holders functional smart contract operations at the time the tokens were delivered to the customers." In response to RFA No. 2, the SEC admitted that "the source code of the contract was publicly available prior to the end of the token sale to enable any third party developer to have access to the functional smart contract capabilities without any further documentation or support from Rivetz."
Read that again. The SEC admits the product was functional. The SEC admits the source code was public. The SEC admits third-party developers could use it without any help from Rivetz.
And that is exactly what happened. Third-party developers — the people who built cryptocurrency exchanges — independently integrated the RvT ERC-20 contract into their platforms. They used the open-source functions of the smart contract to enable their customers to buy and sell RvT tokens. Every one of those buy and sell events emitted blockchain timestamps and recorded information that served the customer then and serves them today. The "ecosystem" the SEC said didn't exist was being built by independent third parties using the open-source code of the very product the SEC claims had no utility.
The SEC's argument about "ecosystem" is the fundamental error of this case. The court conflated two entirely different things: expectation of profit from resale and expectation of value from software upgrades. Every software company in the world promises future updates. Microsoft promises Windows will get better. Apple promises iOS will add features. Adobe promises Creative Cloud will improve. Promising that your software will be upgraded does not make the initial sale a security. If it did, every software pre-order in history would be an unregistered securities offering.
The Howey test asks whether purchasers had an "expectation of profits solely from the efforts of the promoter." But "profits" in Howey meant profits from an enterprise — a share of the orange grove's harvest, a percentage of the oil lease, a fixed 14% return. It did not mean "I hope this product becomes more useful and therefore more valuable." That is a product purchase, not an investment contract. A Taylor Swift ticket scalper expects to profit from resale, but no one has ever called a concert ticket a security.
This is the logic of the enforcement era that Chairman Atkins just called "misguided."
Let me be precise about what the court's reasoning means in practice: any token sold before its ecosystem is fully operational is a security. That is the standard the Rivetz case sets. Not because of fraud. Not because of deception. Not because anyone lost money on a promise we made. But because we were still building — even though the product itself was already functional, already deployed, and already being used by third parties.
The SEC brought this as a pure Section 5 case — unregistered offering. No fraud alleged. No deception alleged. They did not need to prove anyone was harmed. They only needed to prove we didn't file a registration statement before selling software.
I want to be candid about the legal error we made in 2017, because it is instructive. The Token Sale Agreement — the contract every purchaser signed — was clean. It specifically sold a token. It explicitly stated that tokens "do not represent or confer any ownership right or stake, share, security, or equivalent rights, or any right to receive future revenue shares, intellectual property rights or any other form of participation in or relating to the Ecosystem and/or Company." Every buyer warranted they were purchasing "solely for the purpose of receiving Services, participating in the Ecosystem, and supporting the development, testing, deployment and operation of the Ecosystem" and "not purchasing Tokens for any other purposes, including, but not limited to, any investment, speculative or financial purpose."
The error was including the technical whitepaper as an exhibit to the sale. The whitepaper described the broader cybersecurity market, the vision for trusted computing on blockchain, and the architecture of the system Rivetz was building. It was a technology document. It did not focus on token price or token value. It described how the technology worked and what problems it solved. But the SEC treated every aspirational technology statement in the whitepaper as a promise of profit — as if describing the potential market for cybersecurity attestation was the same as promising investors a 14% return.
This is the sleight of hand at the core of the SEC's case. They took a technology paper about cybersecurity architecture, attached it to a product sale agreement that explicitly disclaimed any investment purpose, and argued that the technology paper created an "expectation of profits from the efforts of others." By that logic, every software company that publishes a technical roadmap alongside a product sale is conducting an unregistered securities offering.
Under the new taxonomy, this logic collapses. The entire safe harbor proposal is built on the recognition that tokens can begin life as investment contracts and then cease to be securities once the issuer fulfills or abandons its promises. Chairman Atkins credited Commissioner Peirce's 2020 Token Safe Harbor for this insight. The SEC's own new interpretation states:
> An investment contract ends when either the issuer has fulfilled its representations or promises, or the issuer has failed to satisfy its representations or promises.
Now apply that standard — not to argue Rivetz is no longer a security, but to ask the questions that every token project launching today must answer. And pay attention to a single word, because the entire Rivetz ruling turns on it.
The word is "ecosystem."
It appears eighteen times in a sixteen-page ruling. It is the load-bearing word in the court's Howey analysis. The chain of reasoning is: Rivetz promised to build an ecosystem → the ecosystem did not yet exist → token value depended on Rivetz building the ecosystem → therefore, expectation of profits from the efforts of others → therefore, investment contract → therefore, security.
Here is what makes this remarkable: the word "ecosystem" does not appear anywhere in the Howey decision. Not once. The Supreme Court in 1946 spoke of "common enterprise," "efforts of the promoter," and "expectation of profits." It spoke of orange groves and service contracts and net proceeds. The word "ecosystem" is not part of the Howey test. It is not part of the Securities Act of 1933. It does not appear in any statute.
Trace where it came from. The word "ecosystem" only enters the case law through the crypto enforcement cases — the very enforcement campaign Chairman Atkins has called misguided. SEC v. Kik Interactive (2020, S.D.N.Y.) is where it appears. The Kik court adopted "ecosystem" as the analytical framework, finding that "the success of the ecosystem drove demand for Kin and thus dictated investors' profits." The Kik ruling found a common enterprise because sale proceeds were used for "the construction of the digital ecosystem in which the token could be used." The Rivetz court cited Kik for exactly this proposition.
So the genealogy is: the Supreme Court in Howey never said it. No federal statute says it. The traditional securities cases the Rivetz court relied on for the Howey framework — SG Ltd., Rodriguez v. Banco Central — never said it. A single district court in the Southern District of New York introduced it in 2020, in a crypto enforcement case, during the enforcement campaign that Chairman Atkins now calls misguided. And now, through Kik, "ecosystem" has become the operative word in the First Circuit's treatment of utility tokens — including Rivetz. The trigger word for investment contract classification in crypto was invented by the enforcement campaign that the current SEC says should never have happened.
The word "ecosystem" is doing the work that the Howey test was not designed to do. Howey asks whether purchasers expected profits from the efforts of others — meaning a share of the enterprise's returns, a percentage of the harvest, a fixed return on investment. It does not ask whether a technology platform will grow. It does not ask whether a product will become more useful. It does not ask whether a network will attract more participants. But "ecosystem growth" has been substituted for "expectation of profits," and no court has grappled with whether that substitution is legitimate. The Rivetz court did not analyze whether the token conveyed a share of profits, or a right to dividends, or a percentage of revenue. It analyzed whether the ecosystem would grow. That is a fundamentally different question than the one Howey asks — and it is a question that every token project in existence answers "yes" to, because describing ecosystem growth is how you describe a technology product.
The court wrote: "the utility of the [RvT] Tokens may grow over time to the extent that more participants and services are added to the Ecosystem." It wrote: "growth of the ecosystem would increase demand for RvT tokens, thereby increasing their value." It wrote: "the value of purchasers' RvT tokens was directly dependent on Rivetz's entrepreneurial efforts to build and market the technology needed to create a security ecosystem."
Read every whitepaper published in 2025 and 2026. Read every token launch announcement. Read every project pitch deck. Count how many times the word "ecosystem" appears. It is the most common word in crypto. And under the Rivetz case law, it is the word that converts a product sale into a securities offering.
That is not an exaggeration. The court did not find the investment contract in the token. It did not find the investment contract in the purchase agreement. It did not find it in the price or the payment method. It found it in the promise to build an ecosystem — and in the implication that building the ecosystem would increase the value of the token for holders. Every project that uses the word "ecosystem" in connection with a token sale is making the same representation the court found dispositive in the Rivetz case.
This observation exposes the questions that the SEC's new taxonomy does not answer:
If a company sells a token and then offers product support, is that "building the ecosystem"? The Rivetz Token Sale Agreement was deliberately structured with no warranty, no promise of support, and no ongoing service obligation. Revenue was booked immediately on delivery as product revenue — not deferred, not amortized over a service period. The court ignored all of this. It looked past the contract to the promotional language about the ecosystem. So the question for the next founder is: if you sell a token and then publish a software update, are you "building the ecosystem" in a way that sustains the investment contract? If you fix a bug, is that an effort to grow the ecosystem that keeps the security classification alive? Every responsible software company supports its products. Under the Rivetz case law, that support — if described in ecosystem terms — may be what makes the product a security.
If the Rivetz sale ended on September 10, 2017, and Rivetz put up a web page today that said "Buy RvT" with the exact same purchase contract — is that a securities offering? The token exists. It is still listed on exchanges today. It still functions as an ERC-20 token. Nothing about the product has changed. But the SEC's framework says an investment contract can expire. So has the ecosystem promise expired? If Rivetz is no longer actively building the ecosystem, is a new sale just a product sale? And if the answer is "yes, it's still a security," then what exactly would have to change? How does a founder ever escape the ecosystem promise once it has been made?
Can Monad really sell tokens without risk of breaking this case law? Can any project? The comfortable assumption is that the new taxonomy has drawn clear lines. But the Rivetz precedent says a court looks past contractual formalities, that disclaimers do not matter, that describing your ecosystem is evidence of promising profits, and that holding your own unsold inventory creates a common enterprise with buyers. Every major token launch today does exactly what the Rivetz ruling found dispositive: it describes an ecosystem, it explains how the token functions within that ecosystem, and it implies that growth of the ecosystem will increase demand for the token. The blinders are on. But wearing blinders does not make the risk go to zero. The word "ecosystem" is in every pitch deck in crypto. Under SEC v. Rivetz, that word is the trigger.
Does the investment contract ever actually end? The RvT token is listed today. I represented myself pro se for five years fighting the SEC. Is that a "managerial effort" to build the ecosystem? Is this blog post one? If Rivetz wakes up tomorrow and ships a product update, is that "growing the ecosystem" in a way that revives the security classification? Under the SEC's new framework, the contract ends when managerial efforts cease. But a token on a blockchain never dies. The smart contract executes today exactly as it did in 2017. And a founder who cares about their product never stops working on it. So where is the off switch? The SEC's framework assumes investment contracts have a natural endpoint. The Rivetz ruling defines the investment contract in terms of the ecosystem. But ecosystems, by definition, do not have endpoints. They grow or they die — but they do not expire on a schedule. The SEC has created a classification that, once triggered by the word "ecosystem," may never turn off.
These are not abstract questions. They are the live questions facing every token project in 2026. And the answer to every one of them depends on what the word "ecosystem" means in a courtroom.
But the case law says otherwise. The judgment stands. The precedent is set. And every future case will cite it.
Here is the problem the SEC faces: the Rivetz fact basis is now law. A federal court ruled on specific facts — facts that under the new taxonomy would produce the opposite result. You cannot undo a federal court ruling with rulemaking. You cannot issue guidance that contradicts binding case law in the First Circuit. Under the current Supreme Court, post-Loper Bright, the SEC does not get deference on its interpretation of what constitutes a security. The courts decide. And the court in Massachusetts has already decided — based on the law as the prior SEC presented it.
The new taxonomy does not fix this. It makes it worse. Because now the SEC's own position is evidence that the prior position was wrong. And the case law built on the wrong position does not quietly go away. It sits there, waiting to be cited.
Much of the current policy discussion around token safe harbors focuses on "decentralization" — the idea that a token transitions from a security to a non-security once control passes from the issuer to a decentralized network. Commissioner Peirce's framework gives projects three years to decentralize. The entire premise is that early-stage tokens should be permitted to exist in a protected space while the ecosystem matures.
Now connect this to the ecosystem problem. The theory behind decentralization as a safe harbor is that once a network is sufficiently decentralized, no single party's managerial efforts drive the growth of the ecosystem. The ecosystem is in the hands of the community. There is no "promoter" whose efforts generate the "expectation of profits." The Howey chain breaks because the "efforts of others" prong fails — the "others" are now everyone and no one.
That is the theory. But look at what it actually means in light of the Rivetz case law. The SEC is saying that the word "ecosystem" triggers investment contract classification, and the cure for that classification is decentralization — the point at which no one is responsible for growing the ecosystem. In other words: describing an ecosystem creates the legal problem, and decentralizing the ecosystem solves it. The entire regulatory framework is built around a word that the Howey test never used, that no federal statute defines, and that entered the case law through the very enforcement campaign the current SEC calls misguided.
This creates a trap. A company that builds a product, sells a token, and continues to improve the product is — under this framework — engaged in "managerial efforts to grow the ecosystem" for as long as it remains involved. The only escape is to stop being involved. To decentralize. To hand it to the community. But what if the product requires ongoing development? What if the technology demands expertise that only the founding team has? What if the responsible thing — the thing that protects users — is to keep building?
The decentralization safe harbor says: stop being the one who grows the ecosystem, and the security classification goes away. But for many products, stopping is irresponsible. And the Rivetz case law says: if you keep building, you are sustaining the investment contract. The founder is trapped between a legal framework that punishes continued involvement and a product responsibility that demands it.
A company can own a token. A company can promote a token. A company can hold unsold tokens as inventory — because that is what they are. Inventory. Product sitting on a shelf that has not been sold. Limited supply does not create a security. Limited editions do not create a security. Resale markets — even for digital products — do not create a security. Nobody argues that a company selling limited-edition sneakers is conducting a securities offering because resellers profit on StockX.
No Rivetz employees or founders were "granted" tokens as equity compensation. Tokens were not distributed as shares. There was no vesting schedule that mimicked stock options. The company held unsold tokens the same way any manufacturer holds unsold inventory — at cost, on the shelf, waiting for a customer.
The real question is not whether the network is decentralized. The real question is whether the token conveys a share in the enterprise's profits. If it does, it is a security regardless of how decentralized the network is. If it does not, it is not a security regardless of how centralized the company is. The RvT token never conveyed any share in any enterprise. The SEC admitted this under oath. Decentralization is a proxy for the ecosystem question. But it is the wrong proxy — because it forces founders to abandon their products in order to escape a legal classification that should never have applied in the first place.
Here is where this gets complicated for the SEC — and why I believe the Commission should take action.
The Rivetz ruling is now case law. It sits in the First Circuit on appeal. It establishes that:
1. A utility token sold before full ecosystem completion is an investment contract
2. No fraud is required — pure Section 5 liability
3. The issuer's promotional statements about the project's potential are sufficient to establish "expectation of profits from the efforts of others"
The Rivetz case law says the opposite of the new taxonomy. It says if you sell the token before the ecosystem is mature, you have committed a federal securities violation. No safe harbor. No transition period. No grace. No amount of decentralization fixes a sale that already happened.
These two positions cannot coexist.
On June 28, 2024, the Supreme Court overturned Chevron deference in Loper Bright Enterprises v. Raimondo. Courts are no longer required to defer to federal agencies' interpretation of ambiguous statutes. The SEC cannot simply assert that a utility token is a security and expect courts to agree because the SEC says so.
This matters for the Rivetz appeal and for every crypto case going forward. The question before the First Circuit is not what the SEC thinks the law means — it is what the law actually says. And the law, as the SEC itself now interprets it through the new taxonomy, says that utility tokens functioning within a protocol are Digital Tools, not securities.
The SEC cannot have it both ways. It cannot tell the First Circuit that RvT was a security in 2017 while simultaneously telling the market that tokens like RvT are Digital Tools that fall outside SEC jurisdiction. The facts haven't changed. The token hasn't changed. Only the SEC's position has changed.
Under the current Supreme Court, agency flip-flops of this magnitude face serious scrutiny. If the SEC's new position is that most tokens are not securities, then the case law built on the opposite premise — including SEC v. Rivetz — is not just wrong. It is an artifact of the very enforcement campaign that the current Chairman has called "misguided."
And here is the deeper constitutional problem: the SEC cannot fix this with rulemaking. The Rivetz ruling is a federal court's interpretation of what constitutes an "investment contract" under the Securities Act of 1933. That is a question of statutory law, not agency regulation. Post-Loper Bright, courts exercise independent judgment on statutory interpretation. The SEC can publish all the guidance and taxonomies it wants. A future court in the First Circuit is not bound by SEC guidance — it is bound by SEC v. Rivetz.
To actually fix this, the SEC has two paths: get the case overturned on appeal, or ask Congress for new legislation that defines digital assets outside the Howey framework. Rulemaking alone cannot override case law. A taxonomy published on the SEC website does not amend the Securities Act. The SEC is stuck between a precedent it created and a policy it now believes is correct — and the only way out is through the courts or through Congress.
This is why the SEC should not settle this case in the ordinary course. It should join the appeal. It should tell the First Circuit that its own prior position was wrong. It should ask the court to vacate the judgment. Because if the SEC does not act, the Rivetz precedent will be the weapon that every future enforcement action uses to drag utility tokens into Category 5 — regardless of what the taxonomy says.
I am not asking for sympathy. I am asking for consistency.
Let me be clear: even if the SEC wants to stand behind the Rivetz ruling — even if it believes the enforcement was correct and the case law is sound — the Commission still has work to do. Because right now, no one knows how to comply.
The Rivetz ruling establishes a set of tripwires. Any future project that touches any of them risks the same outcome. But the ruling does not tell you where the tripwires are. It tells you that Rivetz tripped. It does not tell you how to walk.
Consider what the ruling actually hinged on. Much of the court's analysis rested on a June 1, 2017 internal update I sent via Mailchimp to approximately 100 people — investors, advisors, and supporters who had been following Rivetz's work for years. It was not a press release. It was not published on a website. It was an email update to a small list. In that email, I mentioned that "the ICO market has been very hot" and described our plan to "presell access to the service." The court treated these statements as foundational evidence of an investment contract — as promotional representations creating an expectation of profit from our efforts.
If an internal email update to 100 supporters can establish the basis for an investment contract, then every founder in crypto who has ever sent a newsletter to their community is at risk. And that is the problem. Not for me — for the next person.
If the SEC supports the Rivetz case law, it must define the path forward. The new taxonomy and safe harbor are a beginning, but they do not answer the hard questions the Rivetz ruling creates. Here is what founders and their lawyers need to know, and what the SEC has not yet addressed:
1. How do you promote an ecosystem without creating an "expectation of profit from the efforts of others"? The court found that describing the market opportunity for cybersecurity, explaining how the technology worked, and outlining future development plans all contributed to an investment contract. But every software company describes its market. Every startup explains its roadmap. Where is the line between technology marketing and securities promotion? The ruling does not say.
2. How do you handle exchanges and resellers? This is fundamentally a resale question. Every product in the world has resellers. People buy sneakers and resell them on StockX. People buy concert tickets and resell them on StubHub. People buy collectibles and resell them on eBay. The original seller is not conducting a securities offering because a buyer resells the product at a profit. But in crypto, the existence of exchanges — which are simply resale markets — is treated as evidence that the original sale was an investment contract.
Every token project today interacts with exchanges and resellers. Every exchange charges fees. Rivetz did not. We deliberately avoided any exchange or reseller support — no listing fees, no market-making arrangements, no liquidity provisioning — because we believed that supporting secondary market resale risked being viewed as supporting market making, which would strengthen the argument that RvT was an investment. Our caution did not help us. The court noted that tokens became tradeable on resale markets anyway, because third-party exchanges independently integrated the open-source ERC-20 contract on their own initiative. They were resellers who chose to resell our product without our involvement. Under the current case law, the mere existence of resale activity was treated as evidence of an investment contract — regardless of whether the issuer participated in, paid for, or even wanted that resale.
If a buyer purchases a product with the intent to resell it at a profit, does that convert the original sale into a securities offering? If so, every limited-edition product sale in history is at risk. Nike does not conduct an unregistered securities offering when it sells sneakers that resellers flip for twice the price. And Nike invests in building the ecosystem every single day — it sponsors athletes, runs the SNKRS app, builds community, creates scarcity, promotes drops, and explicitly drives demand that increases resale value. Nike's "managerial efforts to grow the ecosystem" are relentless and public. Resellers profit directly from those efforts. Every element of the Rivetz court's Howey analysis is present: investment of money, common enterprise (Nike holds inventory too), expectation of profit from the resale, driven by the efforts of Nike. And yet no one would call a sneaker drop a securities offering. The difference is not legal. The difference is that the SEC chose to apply "ecosystem" to crypto and not to sneakers.
Under the Rivetz case law, if a token issuer describes an "ecosystem" that might grow, and a buyer purchases with the intent to resell once the ecosystem grows, the original sale is an investment contract. The buyer's intent to resell — not the seller's intent to offer an investment — is what creates the security. That is a standard no product company can survive. Does the SEC expect issuers to prevent third parties from reselling their open-source tokens? Is that even technically possible with an ERC-20 contract that anyone can read and integrate?
3. How do you write a whitepaper that describes the market without describing token value? The court treated market size figures — $6 trillion in cybersecurity damages, 200 billion IoT devices — as evidence that we were promising token appreciation. But those were industry statistics from independent forecasts. They described the problem our technology solved, not the price of our token. Under the Rivetz standard, any technical document that describes market demand for the underlying technology could be construed as a promise of token value appreciation. How should founders describe their market?
4. How can users be free to use their digital property on secondary markets without that use being imputed back to the issuer? We did not promise secondary market support. We did not engage in market making. Third-party exchanges independently integrated the ERC-20 contract. But the court treated secondary market activity as evidence of an investment scheme. If a buyer resells a product, is the original seller responsible for the buyer's profit expectations?
5. How do you provide ongoing software support without it being treated as "ongoing managerial efforts"? Every software product receives updates. Every responsible developer patches bugs, adds features, and improves performance. The court treated Rivetz's future development plans as evidence of an investment contract — because token value would increase as the software improved. Taken literally, this means any software company that sells a token-gated product and then improves the product is engaged in a securities offering. How should founders provide support without tripping this wire?
6. How does a company hold unsold inventory? The court noted that Rivetz Intl. controlled approximately 85% of RvT tokens after the ICO — because only 30 million of the 70 million offered were sold. The remaining tokens were unsold product. Company inventory. But the court treated this as evidence of "commonality" — the idea that Rivetz's fortunes were tied to token holders' fortunes. If holding your own unsold inventory creates a common enterprise with your customers, then every manufacturer with warehouse stock is in a common enterprise with its retailers.
These are not hypothetical questions. They are the questions that every crypto lawyer in America should be asking their clients right now. And the honest answer is that no one knows, because the Rivetz case law does not provide answers — it only provides consequences.
The crypto legal community is underestimating this. There is a comfortable assumption among crypto counsel that the new taxonomy and safe harbor have solved the problem — that "just follow the framework" is sufficient advice. It is not. The Rivetz precedent sits in the First Circuit. It establishes that contractual disclaimers do not matter, that generic ERC-20 functionality does not create utility, that internal emails can establish investment expectations, and that holding unsold inventory creates commonality. No amount of clever contract drafting overcomes a federal court ruling that says the court looks past "contractual formalities and limiting language." The lawyers who tell their clients this is easy are the ones who have not read SEC v. Rivetz.
The core problem is now visible: the word "ecosystem" has been substituted for the Howey concept of "common enterprise" and "expectation of profits," and no appellate court has examined whether that substitution is valid. The Kik court introduced it. The Rivetz court adopted it. It was never tested at the circuit level or above. This is the specific error that Chairman Atkins called out when he said the enforcement campaign was misguided — not merely that too many cases were filed, but that the legal theories those cases advanced distorted the meaning of existing securities law.
If the SEC means what it says about ending regulation by enforcement, there is one action that addresses the root cause: the SEC must issue a formal memorandum on the use of "ecosystem" in investment contract analysis. The memorandum should clarify that describing a technology ecosystem — its participants, its growth potential, its market opportunity — is not, by itself, sufficient to establish an "expectation of profits from the efforts of others" under Howey. Technology marketing is not securities promotion. Describing how a product works within a network is not the same as promising a return on investment. The word "ecosystem" in a whitepaper is not the equivalent of "guaranteed 14% annual return" in an orange grove prospectus.
Without this clarification, every token project in 2026 that uses the word "ecosystem" — which is all of them — is building on a legal foundation that the crypto enforcement cases corrupted and that no higher court has corrected.
The SEC has three paths forward:
Option 1: Join the Rivetz appeal and let the First Circuit weigh in. The Rivetz case is on appeal (No. 25-1451). The First Circuit has the opportunity to be the first appellate court to examine whether "ecosystem growth" is a legitimate proxy for "expectation of profits" under Howey. The SEC can file a motion indicating that its current interpretation of the securities laws is inconsistent with the lower court's reasoning — specifically, that the introduction of "ecosystem" as the operative framework expands Howey beyond what the statute and the Supreme Court intended. This is the cleanest option. It corrects the error at the source. And if the First Circuit finds the substitution improper, it provides the clarity that the entire industry needs. If the question is significant enough — and it is — the Supreme Court should ultimately weigh in on whether "ecosystem" belongs in the Howey analysis at all.
Option 2: Issue a formal SEC memorandum on "ecosystem" in the Howey analysis. Even without joining the appeal, the SEC can publish interpretive guidance that explicitly addresses the role of "ecosystem" language in investment contract determinations. The memorandum should state that describing a technology ecosystem does not, by itself, satisfy the "expectation of profits" prong of Howey. It should distinguish between technology marketing (describing how a product works in a network) and investment marketing (promising financial returns from an enterprise). And it should answer every one of the practical questions above — how to promote, how to support exchanges, how to write whitepapers, how to provide ongoing service — with specific guidance that accounts for the Rivetz and Kik precedents. The taxonomy is a category system. What is needed is a compliance manual.
Option 3: Do nothing. Leave the Rivetz precedent standing. Leave "ecosystem" as the unexamined trigger word in crypto securities law. Publish a taxonomy that says utility tokens are Digital Tools while the case law says any token associated with an "ecosystem" is an investment contract. Wait for some future defendant to spend years and millions of dollars litigating the contradiction. Let the courts sort it out — which is precisely the regulation by enforcement approach that Chairman Atkins has promised to end.
Option 3 is the path of least resistance. It is also the path of least integrity. And it is the path of greatest risk — not for the SEC, but for every founder who reads the taxonomy, believes they are building a Digital Tool, uses the word "ecosystem" in their documentation, and discovers in a courtroom that one word converted their product sale into an unregistered securities offering.
In a follow-up piece, I will walk through each of the questions above in detail — examining what the Rivetz court actually relied on, how "ecosystem" functioned in the analysis, and what a compliant token launch would look like today if a founder took the case law seriously rather than the comfortable assumptions of crypto counsel. The answers are harder than the industry thinks. And getting them wrong costs more than legal fees — it costs companies, products, and careers.
I am not writing this to relitigate my case. I am writing this so that the next executive — the one sitting in a conference room right now with a legitimate product, a real technology, and a token that could power it — can make a decision without spending $500,000 on legal advice and still not getting a clear answer.
I said to opposing counsel after the ruling: congratulations on the win, but I'm pretty sure you made a mess. Regulation by enforcement is a legitimate tool — if it produces clarity. The Rivetz ruling does not produce clarity. It produces fear. It tells every founder in America that if you sell a token before your ecosystem is fully built, and if you publish a whitepaper describing what you're building, you may have committed a federal crime — even if your product was functional, even if every buyer signed a contract disclaiming investment, even if no one was defrauded, and even if you spent every dollar building the business.
That is not clarity. That is a minefield.
I built Rivetz on a simple idea: that the hardware security capabilities already present in billions of devices could be used to make blockchain transactions safer. We worked with Trusted Execution Environments, Trusted Platform Modules, and device attestation — technology I had spent my career developing, including years supporting and evangelizing the Technical Working Group at the Trusted Computing Group and onboarding NSA as an observer to the standards body.
The SEC did not allege that this technology was fake. They did not allege we deceived anyone. They did not allege fraud. They alleged we failed to file paperwork before selling software to people who signed contracts to buy it.
Under today's rules, that sale would be legal. Under today's taxonomy, that token would be a Digital Tool. Under today's safe harbor, even if it started as an investment contract, it would have long since ceased to be one.
The SEC and I share the same mission: clarity. Chairman Atkins has said the enforcement campaign was misguided. I agree. But agreeing it was wrong is not the same as fixing it. The case law from that campaign is still on the books. It will be cited. It will be used. And it will continue to punish the next executive who tries to do what I tried to do — build a real product, sell it honestly, and use blockchain to make it work.
The case law needs to match the policy. The precedent needs to match the taxonomy. And the agency that admits it was wrong needs to act like it — not just for me, but for every founder who comes next.
Steven Sprague is the former CEO of Rivetz Corp. and Rivetz International SEZC. He represented himself pro se in SEC v. Rivetz Corp. et al. (D. Mass. No. 3:21-cv-30092), now on appeal in the First Circuit (No. 25-1451). He previously served as CEO of Wave Systems Corp., a founding member of the Trusted Computing Group. The views expressed here are his own.
Case References:
sha256:96dfe95efdafa88e2af82e2d9a0a25edf3507891a136387048ea322aa25fcac0
IPFS stores a JSON envelope containing metadata (owner, tags, timestamps, source info) and a plainContent field.
The on-chain contentHash is the SHA-256 of the plainContent field value only — not the full IPFS document.
This is by design: the envelope metadata may vary, but the core content hash is immutable and anchored on-chain at creation time.
```
IPFS JSON envelope
├── owner, tags, timestamp, source, version   (metadata)
├── contentHash: "sha256:..."                 (on-chain anchor)
└── plainContent: "{ ... }"                   ← THIS is what is hashed
```
Step 1: Fetch the envelope from IPFS

```bash
curl -s "https://gateway.pinata.cloud/ipfs/Qmbrc2zoKoEJJHxvsi9LgLFf5tLfHjdeXZ7T5Ki3xrFNv4" -o envelope.json
```

Step 2: Extract the plainContent field

```python
# Python — extract the inner content that was hashed
import json

with open('envelope.json', encoding='utf-8') as f:
    envelope = json.load(f)

plain_content = envelope['plainContent']  # This is the hashed value
```

Step 3: Hash plainContent

```python
# Python
import hashlib

# plain_content comes from Step 2; hash the exact string, UTF-8 encoded
digest = hashlib.sha256(plain_content.encode('utf-8')).hexdigest()
print('sha256:' + digest)
```

Step 4: Compare

```
Expected (on-chain):          sha256:96dfe95efdafa88e2af82e2d9a0a25edf3507891a136387048ea322aa25fcac0
Computed (from plainContent): sha256:<your result from Step 3>
```

→ If they match, content integrity is confirmed.

Step 5: Verify on-chain

Visit: https://polygonscan.com/tx/0x5a2c1df5d413d52dc19e8582fb9a6458fb65d5985d8bf37c298552c557e298d0

Check: KeyVaultCreated event at block 84730168

Creator: 0x3f07d9de7d4f803d748f254c526fa6f351e3f8b1

The contentHash is stored in the encryptedKeysData field of the event.
| Claim | Evidence |
|---|---|
| Content is authentic | SHA-256 of plainContent matches on-chain contentHash |
| Published by 0x3f07...f8b1 | KeyVaultCreated event creator field |
| Published at known time | Block 84730168 timestamp |
| Content not modified | IPFS is content-addressable + hash match |
| Provenance chain intact | Contract → Event → IPFS → Hash = complete chain |
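The hash comparison described above, as an added example that is not part of the original page: it shows that envelope metadata can change without affecting the result, that an envelope whose own contentHash field was recomputed after tampering still fails against the on-chain value, and that re-serializing plainContent breaks the match. The sample envelopes, the helper names and the 0xSAMPLE owner values are constructed for illustration.

```python
import hashlib
import json

def content_hash(plain_content: str) -> str:
    """SHA-256 over the exact plainContent string, UTF-8 encoded."""
    return "sha256:" + hashlib.sha256(plain_content.encode("utf-8")).hexdigest()

def verify_envelope(envelope_json: str, onchain_hash: str) -> dict:
    """Compare an envelope against the hash read from the on-chain event.

    'authentic' is True only when the recomputed hash equals the on-chain
    value. 'self_consistent' reports whether the envelope's own contentHash
    field agrees with its plainContent, which alone proves nothing.
    """
    envelope = json.loads(envelope_json)
    plain = envelope.get("plainContent") if isinstance(envelope, dict) else None
    if not isinstance(plain, str):
        # A nested object cannot be re-serialized to the original bytes
        # reliably, so refuse rather than guess at a serialization.
        return {"computed": None, "authentic": False, "self_consistent": False}
    computed = content_hash(plain)
    return {
        "computed": computed,
        "authentic": computed == onchain_hash.strip().lower(),
        "self_consistent": envelope.get("contentHash") == computed,
    }

def make_envelope(plain, claimed_hash, owner="0xSAMPLE"):
    """Build a constructed envelope with the fields the page lists."""
    return json.dumps({"owner": owner, "tags": ["demo"], "version": 1,
                       "contentHash": claimed_hash, "plainContent": plain})

# Constructed sample data (not the real envelope or the real on-chain hash).
INNER = json.dumps({"title": "Sample post", "body": "Hello"})
ONCHAIN = content_hash(INNER)  # stands in for the value read from the chain
TAMPERED = INNER.replace("Hello", "Hullo")

GOOD = make_envelope(INNER, ONCHAIN)
META_CHANGED = make_envelope(INNER, ONCHAIN, owner="0xOTHER")
FORGED = make_envelope(TAMPERED, content_hash(TAMPERED))  # rehashed by editor
REFORMATTED = make_envelope(json.dumps(json.loads(INNER), indent=2), ONCHAIN)

if __name__ == "__main__":
    for name in ("GOOD", "META_CHANGED", "FORGED", "REFORMATTED"):
        print(name, verify_envelope(globals()[name], ONCHAIN))
```

Pass the hash read from the KeyVaultCreated event as `onchain_hash`; the contentHash field inside the envelope travels with the content and is not an independent source.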
1. Fetch gateway.pinata.cloud/ipfs/Qmbrc2zoKoEJJHxvsi9LgLFf5tLfHjdeXZ7T5Ki3xrFNv4
2. Extract the plainContent field
3. Hash plainContent (UTF-8 encoded string)
4. Confirm sha256:<computed> matches sha256:96dfe95efdafa88e2af82e2d9a0a25edf3507891a136387048ea322aa25fcac0
5. Verify creator 0x3f07d9de7d4f803d748f254c526fa6f351e3f8b1 via Polygonscan