Freedom of Speech and Privacy Under Attack
Tornado Cash Sanctioned by US Treasury
The US Department of Treasury rocked the crypto world last week by adding crypto-mixing-service Tornado Cash to its OFAC list of Specially Designated Nationals And Blocked Persons (SDN) that it administers.
Mixers are a way of adding financial privacy to otherwise very public crypto transactions that would end up visible to everyone on the blockchain. Mixers allow users to deposit their crypto into a metaphorical whirlpool of other cryptocurrencies and use various methods to obscure the original wallet addresses, so that funds can be withdrawn without a history of all prior transactions being revealed.
In the official press release, Tornado Cash has been sanctioned for its role in providing hackers with a vehicle to launder stolen cryptocurrency:
“WASHINGTON – Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned virtual currency mixer Tornado Cash, which has been used to launder more than $7 billion worth of virtual currency since its creation in 2019.”
(It’s important to note right off the bat that, despite media outlets reporting otherwise, $7 billion is the amount of all funds that have been mixed through the protocol, and of that it’s estimated that only 30% can reasonably attributed to criminal money laundering.)
Secretary of the Treasury for Terrorism and Financial Intelligence, Brian E. Nelson, said:
“Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks. Treasury will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them.”
Then 2 days after the sanctions announcement, an alleged Tornado Cash developer was arrested in Amsterdam.
Why is this a constitutional violation, and overreach of power?
Previously, OFAC had added the crypto mixing service “Blender” to the SDN list, but Blender is a custodial service and a company, or some like entity, which means that the Treasury has the legal authority to sanction them. In Coin Center’s recent article about the events, they note:
“This also means that when Blender is added to the SDN list, the individuals who run the mixer—who indeed are the Blender entity—can file a petition for removal from the SDN list.”
In the case of Tornado Cash, however, addresses have been sanctioned that are not tied to any individual, and are instead smart contract addresses not controlled by anyone. OFAC has sanctioned the mixer itself. It’s important to note that this mixer will continue to operate automatically as long as the Ethereum network continues to operate, and anyone in the world can send ETH to one of these addresses and receive mixed coins in return, without the facilitation of any middlemen. Coin Center explained:
“The Tornado Cash Entity, which presumably deployed the Tornado Cash Application, has zero control over the Application today. Unlike Blender, the Tornado Cash Entity can’t choose whether the Tornado Cash Application engages in mixing or not, and it can’t choose which “customers” to take and which to reject.”
Coin Center observed:
“By treating autonomous code as a “person” OFAC exceeds its statutory authority … we believe that OFAC has overstepped its legal authority by adding certain Tornado Cash smart contract addresses to the SDN List, that this action potentially violates constitutional rights to due process and free speech, and that OFAC has not adequately acted to mitigate the foreseeable impact its action would have on innocent Americans.”
They continue:
“How can it be proper to add to the sanctions list not a person, or a person’s property, but instead an automated protocol not under anyone’s control? On its petition for removal web page and elsewhere, OFAC states:
The ultimate goal of sanctions is not to punish, but to bring about a positive change in behavior. Each year, OFAC removes hundreds of individuals and entities from the SDN List. Each removal is based on a thorough review by OFAC.
If the purpose of sanctions is not to punish, but to change behavior, then it makes no sense to add to the SDN List an immutable smart contract that cannot change its behavior because it has no agency. It is not a person nor is it under the control of any person.”
The Tornado Cash protocol can not file a petition for removal from the list, because it is not a person — and third parties can not petition for removal.
“… the government has essentially accomplished a ban on Americans using a particular internet tool without any clear prospect that the restriction will ever be lifted.”
Furthermore, the power of the government being afforded under these sanctions rules is the power to block property, and it “must be property in which some foreign country or national has an interest.” How can the Tornado Cash application be considered property, when it is non-proprietary software operating on every global computer that is also running the Ethereum open-source client. Coin Center remarked:
“It is no more the property of the Tornado Cash Entity than the phillips-head screwdriver in every American’s home toolbox is the property of its inventor, Henry F. Phillips.”
Coin Center is arguing that because Tornado Cash can not be said to be “property in which some foreign country or national has an interest” (50 U.S.C. §1702), then adding the Tornado Cash Application to the SDN List or blocking it under the specific powers granted by Congress to the President in IEEPA is outside the bounds of the statute and therefore invalid.
They also argue that designation of these autonomous contract addresses means that Americans using the protocol for legitimate purposes can no longer access their property, which denies them their right to liberty and property without proper procedural due process.
Finally there’s the issue of freedom of speech:
“The intent is to chill speech such that Americans not only avoid interacting with these specific contract addresses, but avoid interacting with any protocol that is substantially similar to the code in those addresses. It’s a ban not just on a specific application, but on a class of technology, and according to the Financial Times, Treasury officials have, in fact, said exactly that:
We do believe that this action will send a really critical message to the private sector about the risks associated with mixers writ large,” the Treasury official said, adding that it was “designed to inhibit Tornado Cash or any sort of reconstituted versions of it to continue to operate.”
While typical OFAC actions merely limit expressive conduct (e.g. donating money to a particular Islamic charity), this action sends a signal—indeed seems to have been intended to send a signal—that a certain class of tools and software should not be used by Americans even for entirely legitimate purposes. Even if this listing is truly and exclusively aimed at stopping North Korean hackers from using Tornado Cash, and even if the chilling effect on the use of the tool by Americans for legitimate reasons was acceptable to OFAC in a collateral impact analysis, it may not be sufficient to a court.”
Coin Center is now exploring bringing a challenge to this action in court.
Reminder:
Surveillance is not inevitable. We need to stop normalizing it. We all have the right to privacy, and the tools that help us protect that privacy are as crucial today as they’ve ever been.
Here is a quote from the Cypherpunk Manifesto to round out today’s newsletter:
“Cypherpunks write code. We know that someone has to write software to defend privacy, and since we can't get privacy unless we all do, we're going to write it. We publish our code so that our fellow Cypherpunks may practice and play with it. Our code is free for all to use, worldwide. We don't much care if you don't approve of the software we write. We know that software can't be destroyed and that a widely dispersed system can't be shut down.
Cypherpunks deplore regulations on cryptography, for encryption is fundamentally a private act. The act of encryption, in fact, removes information from the public realm. Even laws against cryptography reach only so far as a nation's border and the arm of its violence. Cryptography will ineluctably spread over the whole globe, and with it the anonymous transactions systems that it makes possible.”
By Will Sandoval, NBTV Associate Producer, and Naomi Brockwell.