In May, Nicholas Weaver suggested in Right that the US Treasury should “creatively” sanction Tornado Cash. In August, the Office of Foreign Assets Control (OFAC) followed The weaver’s advice. The results have been quite disastrous for civil liberties, starting with OFAC’s listing of 21 instances of autonomous code released on a blockchain as sanctioned entities with little clarity on the intent or scope of that action. This very first sanction by OFAC of a stand-alone code controlled by no legal person rushed headlong into precedent established this code is speech and protected by the first amendment.
In addition, several contributors to the open source code behind Tornado Cash were suspended from GitHub. These suspensions stirred up fears among privacy-preserving code contributors that if a bad actor uses a tool built with their code, the US government will not only shut down the tool, but also punish contributors who generally have no say in how whose open source contributions are used. “The consequences of [the Treasury Department] adding the Tornado Cash protocol to the sanctions list was actually more important to the world beyond crypto than to crypto itself,” Omid Malekan, assistant professor at Columbia Business School said Grid.
Similar fears about the right to online privacy were echoed by both industry and digital rights groups. Jerry Brito of the Coin Center perhaps best summed up these concerns when speaking to The block“If your right as an American to privacy is only valid if North Koreans never use this tool, then you have no right to privacy.”
Now OFAC has tried clarify the effect of its sanctions on freedom of expression. But digital human rights advocates are justified in maintaining their concerns about the worthy of a costume paralyzing effects OFAC’s sanctions focus on free speech rights and the creation of privacy-preserving technologies.
weaver room provided a detailed explanation of how Tornado.cash works, using the popular cryptocurrency Ethereum as an example. At the highest level, as he said, “Tornado Cash works by having a series of pools of Ethereum or other cryptocurrencies controlled by a smart contract, a program deployed on the underlying blockchain ‘which’ allows someone to withdraw from the shared pool without being tied to their particular repository.
A minus technical analogy the way the virtual currency anonymizer is run could be that Tornado.cash creates a private room full of vaults. A person can enter the private room and leave an amount of Ethereum in exchange for a one-time receipt. Anyone can then take this unique receipt back to the private room and remove it from the corresponding safe. No one would know which box was used by the depositor or the reprocessor, or even if it is the same person. Once a transaction is complete, the reprocessor can choose to publicly disclose the receipt and prove where the Ethereum came from. But they don’t have to, and this break from Ethereum’s public ledger chain is how Tornado Cash can improve privacy.
In particular, all this goes through an autonomous code integrated into the Ethereum blockchain. Nobody owns or controls this code, and therefore no creator derives any part of the profit from its function. Yet this code itself has been sanctioned. In the United States, writing code is protected by the First Amendment as a form of speech. Civil liberties organizations have repeatedly fought, and won, to enshrine the right to encoding as protected expression. If OFAC’s sanctions are not further clarified, this right will suffer a huge blow because, again, OFAC has not only sanctioned the individuals and entities of Tornado Cash, but the open source protocol of Tornado Cash – or, in other words, the code itself.
This has already had a major chilling effect on this code and those who wrote it. The open source code used to run Tornado Cash has been removed from GitHub, the programmer responsible for the code has been stopped in the Netherlands, and the Electronic Frontier Foundation is now to chase on behalf of Matthew Green, professor of computer science at the Johns Hopkins Information Security Institute. Throughout the open source software community, many protest this apparent prohibition of the code as speech, one person having even transformed it into a song. Of those things, the only one that the OFAC clarifications talked about is that the right to sing the Tornado Cash code remains intact.
To be clear: State-sanctioned criminal enterprises, and those who support them, are deplorable and should be stopped, but not in a way that compromises human rights and the First Amendment. By sanctioning the Tornado.cash open source protocol, OFAC has probably outdated his authority in addition to the scary speech. OFAC has the power to sanction persons or property. But Tornado.cash is neither. It’s coded. This is roughly equivalent to sanctioning the email protocol in the early days of the Internet, with the rationale that email is often used to facilitate phishing attacks.
OFAC has yet to clarify what specifically Tornado.cash did wrong, or what other projects need to do differently to avoid being the target of sanctions. Every open source and decentralized project runs the risk of being tainted by bad actors. This often happens when a developer relinquishes control of their code. This chilling effect could spill over to the Internet: if a developer creates privacy-preserving code, the US government could come after them. Without further clarification from OFAC, fewer privacy projects could be built in the United States in the future, which would likely be a huge harm to the human right to online privacy.
OFAC’s sanctions can also be easily interpreted as a warning shot against projects attempting to create anonymous digital assets. With more and more concerns about harm and abusive surveillance With all aspects of Americans’ digital lives and few laws to protect Americans’ privacy online, the need for privacy-preserving technology only becomes more urgent. Software projects should not be criminalized for attempting to replicate the same degree of anonymity and privacy in the digital space that cash trading systems have provided for thousands of years. Money is a public good and some amount of money will always be used in crime. Yet there are no notable calls for a cash ban.
There are many legitimate reasons to seek anonymity in financial transactions. Privacy tools are important, for example, for activists in authoritarian states where disclosing financial information can lead to prison sentences or execution. Anonymity, especially financial, could soon become essential for pregnant women seeking an abortion in the United States, as well as for supporters in states that criminalize donations abortion funds or Planned Parenthood. Simply not wanting personal financial history monitored by governments, corporations, stalkers, or other malicious actors is a legitimate reason to seek out online privacy technologies.
OFAC is on solid ground when sanctioning people or property, including cryptocurrency, involved in criminal enterprises like North Korea’s Lazarus group. But OFAC went too far in sanctioning the code, and there were huge fallouts in terms of free speech and privacy. OFAC has yet to clarify what exactly it was trying to do, and in doing so, reverse this apparent sanction of the code. Writing code is a fundamental human right, as is privacy.