> While engaging in any transaction with Tornado Cash or its blocked property or interests in property is prohibited for U.S. persons, interacting with open-source code itself, in a way that does not involve a prohibited transaction with Tornado Cash, is not prohibited. For example, U.S. persons would not be prohibited by U.S. sanctions regulations from copying the open-source code and making it available online for others to view, as well as discussing, teaching about, or including open-source code in written publications, such as textbooks, absent additional facts. Similarly, U.S. persons would not be prohibited by U.S. sanctions regulations from visiting the Internet archives for the Tornado Cash historical website, nor would they be prohibited from visiting the Tornado Cash website if it again becomes active on the Internet.
This is very reasonable! It balances economic sanctions around money laundering and transmittal with freedom of speech.
"You're allowed to talk about this speech, teach it in textbooks and include it in other written publications, but you're not allowed to actually speak it"
Really? If I execute a script that DDoS someone, presumably it should not be treated as "speech" as if it is a protected right. That's such a hilariously slippery slope since you can arguably do "anything" via executing code.
Denial of service attacks are explicitly illegal under the National Infrastructure Protection Act (NIIPA). I don't think a defendant has ever successfully challenged that law on First Amendment grounds, so the basic legal issues appear to be settled.
Of course as a practical matter it can be difficult to prosecute DDoS attackers under that statute. Either they don't leave hard evidence, or they hide in countries which don't extradite.
Courts have already decided this decades ago. At least as far back as Junger v. Daley [1], where the courts recognize a distinction between the expressive power of code as it is read by a person and the functional power of code when it is executed. While the expressive power of code creates a first amendment interest, the functional power of code may create a legitimate government interest in regulating that speech.
The applicable legal test is from United States v. O'Brien [2], which ruled that even though burning a draft card may be expressive speech, the government's interest in draft cards not getting burnt allows them to forbid it without falling afoul of the first amendment.
Junger v. Daley was cited as precedent in Universal City Studios v. Reimerdes [3], where the courts ruled that the functional power of DeCSS being illegal under the DMCA was sufficient to justify banning the distribution of the DeCSS source code.
If speaking magic spells aloud caused flesh-eating demons to be summoned into our prime material plane, you wouldn't be allowed to speak magic spells, either. Klaatu, Verata, Necktie.
Speech is speech, code can be spoken, and it can also be executed. The former is speech, the latter is action. Making API calls and flipping bits in a computer is what crosses the line from one to the other.
> If speaking magic spells aloud caused flesh-eating demons to be summoned into our prime material plane, you wouldn't be allowed to speak magic spells, either.
Yes? This is entirely reasonable if we analogize it to how fiction often approaches it. There might be some evil book, a necronomicon, or killing spells like in Harry Potter. In many fictional media, people are allowed to learn such spells, they're just not allowed to say the spells out loud. Reading and writing a spell is not the same as saying it and thereby executing it.
Okay that solves the First Amendment part, in your view (Citizens United is an example of ruling that transactions are speech, alongside its view that Corporations are afforded these protections)
It doesn't solve Congress’ mandate to the Treasury where OFAC is used against entities that can appeal their own listing on the sanctions list. The smart contracts cannot currently do that.
Citizens united is unique because it is specifically about political actions which are the whole point of the first amendment clause about speech according to originalists. You've also mischaracterized the ruling, which was that spending money on political action is speech, not transactions.
That’s not right: you can even run the code as long as you don’t transact with the sanctioned parties. Matt Green could run a copy for his students to study as long as they don’t allow transactions which violate the sanctions laws, similar to how I can teach you to pick locks and practice but still expect legal consequences if I pick the locks at some stranger’s house.
I'm not that familiar with this code, but if only specific wallet addresses and websites can be blocked, is there anything that stops people from just repeatedly cloning the service altogether and playing whack-a-mole with the government?
That's the same argument I've presented below. The best response I've gotten so far is that there is basically 'precedent' for dealing with that of sanctioning the offender. Precedent is a nearly 3 year lag time... although I'm sure it won't take that long the next time
I think it's important to remember that the government agencies ignored cryptocurrency for a while because it wasn't being used enough to be worth dedicating resources to it. That changed at some point, with different thresholds for different agencies, but now they're aware of the activity and there are services like Chainalysis which make it easy for them to contract for monitoring as a service. I would bet that the time to respond is going to get increasingly fast since there's been a push for ransomware which picked up after that Colonial Pipeline attack and really picked up with the news that North Korea was laundering significant sums.
There are two things which I think will change that game substantially:
1. As this is taken more seriously, companies trying to stay in compliance with the law are going to be enforcing KYC strictly. That's going to make it harder to use things like tumblers because not only will you be paying more to use the service but you'll also be getting tainted tokens which an increasing fraction of businesses either won't accept at all or will accept at a discount rate to compensate for the decreased utility. I think that ratchet effect is going to really limit future services like Tornado Cash: when there's a non-trivial risk involved for using it fewer people will participate and those who do will expect to be paid more.
2. These services depend on liquidity because anonymity is a function of how many people are running money through it. The Treasury department doesn't really care if you and and a few curious friends set up a proof-of-concept instance because unless you can also pump the equivalent of millions of dollars into the system it won't be used by the people they're concerned about (ransomware gangs, North Korea, etc.) since it would take millennia to launder money at their scale. This is similar to how the goal for counterfeiting paper money isn't set to “impossible” but rather accepted at a low frictional level as long as it's too risky for anyone to attempt a sufficiently large-scale counterfeiting operation which could actually impact the overall economy.
You allowed to speak it, you're not allowed to run actual transactions involving actual Tornado Cash funds through it. If you run this code on your property, it won't be Tornado Cash anymore, and as long as it doesn't interact with the prohibited properties, it's not prohibited. Of course, if you start doing the same TC did, you probably will get your very own designation pretty fast.
Github deleted these repos because they represented a business relationship on their part with the sanctioned Tornado Cash entity, not because they considered the code itself illegal. Other copies of the code have not been deleted by Github.
I am of two minds about it, but overall I agree. It is good that Treasury clarified their position ( because heavens know it is hard to divine sometimes what they want to achieve given recent Biden's stance on crypto ). For once that FAQ seems relatively straightforward.
Did open source ( and crypto ) become so important that Treasury got concerned about the rumblings ( because this story was making a long of news in banking )? I am genuinely curious what caused it.
Not really, I'd rank this as "saying the obvious stuff to get it done and over with".
Treasury knows it has standing, and how. They don't give a squib what you do with the code. As long as you don't facilitate transaction processing with it (i.e. money transmitting) with it. The legal teams of the Crypto world basically have to convince the Supreme Court that the Executive does not have the right to engage in economic foreign policy.
The argument advanced here is perverse: you can’t erase the illegality of an action by making it autonomous. In other words: putting a brick on the car’s accelerator doesn’t absolve you when the car runs someone over — the law recognizes that a human or set of humans is the efficient cause of the crime, regardless of how much code (or steel) you obscure it with.
The entertaining thing here, though, is the creators of TC made the blueprint for a brick and then told a bunch of other people running ethereum virtual machines they they had a plan for a brick. Some initial gas fees were paid so the users would actually absorb the 'brick' program.
Then the creator of TC stepped away.
The node operators took the gas fees in exchange for putting the brick on their accelerator and validated the brick contracts.
Who's to sanction here? Honestly the node operators running the Ethereum virtual machine 'car' look like the closest human to hold accountable, if that's the desirable outcome. Continuing our logic, ethereum should basically be shutdown if the runners of the brick program are to be held accountable, because that's basically every node.
This is a fantastic point, and (IMO) reveals the government’s actual intended strategy here.
For better or worse, the government seems to be intent on making a lesson out of the Tornado Cash developer, rather than attempting (probably pointlessly) to shut down all of Ethereum. The point seems to be to send a message: if you publish the brick blueprint, you will be considered the entity responsible. This accomplishes both of the government’s goals: it disincentives future attempts to launder money through smart contracts, and it avoids a protracted legal and technical battle over individual cryptocurrencies and their networks.
Edit: And there are clear parallels in existing legal reasoning: we do not prosecute steel factories for following a client’s specification faithfully, even if it’s later revealed that the specification was in furtherance of something illegal to manufacture (like an unregulated weapon). The exception is when the factory goes to unusual lengths to turn a blind eye, which the government might present evidence to argue negligence or conspiracy.
In that case the government runs into First Amendment issues. Bernstein vs. US ruled that source code counts as protected speech, and courts do consider chilling effects to be infringement.
Technically speaking, every Ethereum node operator with that code is now potentially an unlicensed money transmitter, in violation of U.S. banking regulations.
It'll really only take getting enough of the right ears to get this recognized. Make no mistake, it was never the intent of the United States Government to leave the door open to everyone to operate their own personal money transmitter.
That's actually something I like about this to be honest. There really is no avoiding coming to terms with the fact that structurally speaking, the U.S. regulatory edifice outsources to private industry. All the typical "It's a private business, not the government" people need a reality check. This is how regulation works.
> Technically speaking, every Ethereum node operator with that code is now potentially an unlicensed money transmitter, in violation of U.S. banking regulations.
Except Treasury has released guidance saying the opposite. Not sure what would make one so giddy about a mandatory and opaque financial surveillance apparatus being a part of daily life.
>Not sure what would make one so giddy about a mandatory and opaque financial surveillance apparatus being a part of daily life.
The part where it becomes common knowledge and we actually have a more public discussion on whether it's a good idea in the long run. I actually feel quite squicky about the fact that most people don't seem to realize there's this orchestrated black hole capability strategically wielded with very little recourse by the Executive.
The sooner Americans realize they're basically all criminals, the better. The arbitrary and capricious selection of who to hold accountable for TC transactions is classic divide-and-conquer tactic.
The 'honest' reader here should realize they aren't the 'good guy'. They're just someone a prosecutor hasn't found convenient to destroy yet.
The fact that TC is an autonomous program is central to their statutory argument. They advance two parallel justifications for the argument:
* A separate division of the Treasury (FinCEN) makes a policy distinction between various groups of users/operations of transaction anonymization software. The authors concede that OFAC is not bound to this policy distinction.
* OFAC's stated mission is to bring about a "positive change in behavior." They claim that this can't happen with an autonomous contract, neglecting that the entire point is to scare developers away from deploying and using these kinds of contracts (which is indeed, from the Treasury's perspective, a positive change).
Later on, they make a separate argument that inclusion in the OFAC list exceeds statutory authority under IEEPA. The claim there also relies on autonomy: that the "Tornado Cash Entity" is not meaningfully an operator of the "Tornado Cash Application," because the former cannot cease operation of the latter.
This splits an exceedingly fine hair: it requires the Treasury to accept that the Tornado Cash Entity, despite being the prime mover for the Tornado Cash Application, is somehow not responsible for the thing it wrought. In other words, the "brick on the accelerator" argument.
Later, there's some more plausible hair splitting over whether the term "property" correctly applies, despite there being little to no disagreement over whether North Korea actually did launder a bunch of money through the Tornado Cash Application. So it comes down to whether the Treasury (and a jury) can be convinced that being the prime mover somehow does not matter.
> This splits an exceedingly fine hair: it requires the Treasury to accept that the Tornado Cash Entity, despite being the prime mover for the Tornado Cash Application, is somehow not responsible for the thing it wrought. In other words, the "brick on the accelerator" argument.
I’m with you here. If I build a machine with no off switch that kills anyone who approaches it, even though it’s now completely out of my control… there’s a pretty clear connection between me and my creation.
I have a feeling that people are going to be disappointed when “I built this autonomous thing and because I have no control over it I can’t be held responsible for it” is actually interpreted by the courts as “you built it and are responsible for every crime it commits”
With ethereum applications someone can just publish the blue print, some random person anywhere in the world can publish the application for N ETH, and then everyone running the ethereum virtual machine executes the autonomous thing (interestingly the latter here haven't been sanctioned or blamed/punished at all). Sniffing out who actually paid the ethereum network to absorb the machine could be basically impossible, and once people start getting prosecuted you can bet almost anyone doing so will effectively do it in a way where it is impossible to find them.
Either ethereum virtual machine operators at large is criminal organization or it's an endless game of a cat trying to catch its tail.
>This splits an exceedingly fine hair: it requires the Treasury to accept that the Tornado Cash Entity, despite being the prime mover for the Tornado Cash Application, is somehow not responsible for the thing it wrought. In other words, the "brick on the accelerator" argument.
This is completely thrown out in reality, because Courts've already handled this. If you create a thing that does harm (booby trap), you are still liable for damages incurred as a result of it's fundamental operation as you created the danger. Also see the case withregards to Alfred Anaya to dissuade yourself of the notion that they'd never go after someone for bringing into existence an instance of a tool key in facilitating known criminal activity.
Besides which, Tornado.Cash screwed up as far as I'm aware, because they were financial beneficiaries of the operation of the mechanism. This is also something Courts are quite adept at being able to see through in spite of obfuscatory application of tech. So there is a tangible link there to anchor on both in the sense that the Entity's assets get sanctioned, and any addresses involved in the technical implementation get sanctioned.
Anyone spinning up anything recognizably similar, (and I assure you, a recognizer that runs over the chain to find similar patterns of behavior is well within technical capabilities), will find themselves needing to resort to more and more elaborate constructs as more examples of the underlying implementation pattern of activity become known. This'll converge to becoming Yet Another Form of Financial Engineering Arms Race (tm).
It is very difficult to outpace Nation states. Especially when you consider they are attractive pass times to those who like dealing with large distributed problems once one gets beyond a certain level of financial independence.
The argument is that the sanctions authority granted by Congress to Treasury is limited to persons and entities, and the Tornado Cash smart contracts are neither, nor the property of either.
TL;DR: Nobody thinks that the Tornado Cash smart contracts are themselves persons. The government is clearly operating along the reasoning that a human being had to be (and was, in fact) in the loop as part of deploying the smart contracts. That brings us back to the initial analogy I used: you can't absolve yourself by building a robot that does the crime for you.
> you can't absolve yourself by building a robot that does the crime for you.
But the argument isn't at all about absolving the robot builder. In fact, they explicitly take no view on whether the sanctions against the Tornado Cash entity are justified. They also do not take a view on whether the government would be justified in prosecuting the individuals behind Tornado Cash.
They are saying the government does not have the statutory authority to sanction the robot you built.
That's not what they're saying. They're saying the government doesn't have the statutory authority to sanction the entity that built the robot. This is the entire point of their extended digression on the "Tornado Cash Entity" versus the "Tornado Cash Application."
(Defending the TCE also continues below that, on a mostly irrelevant and unargued tangent about software IP.)
"So there is potentially an entity called Tornado Cash that is controlled by certain individuals, and the web address and some of the Ethereum addresses in the notice can be thought of as either pseudonyms for that entity or, alternatively, as its property. At this point, we’re not offering an opinion on whether it was appropriate to sanction that entity—we do not know all the facts that have led to this action—but we would agree that there may be an entity behind those donation addresses and that said entity may be legally eligible for listing. "
Yeah, I read that. The problem is that it just isn't compatible with the rest of the post: there are extended sections where they point out that the TCE can't be held responsible for the TCA, that even an IP-based case against the TCE would not apply, etc. etc.
In short: they're trying to have it both ways, and it's not coming off well. If they had restricted their attention to just the TCA the argument would be more interesting, but ultimately still not compelling: everybody involved understands that there were some humans who decided to "pull the trigger" and deploy the TCA.
That's just playing semantic games. Like saying "well, the police only has authority over people, and a person didn't kill him - a bullet shot from a gun did!". Somebody was on the back end of that gun, and somebody deployed Tornado Cash. And the police can confiscate the gun and the bullets, and prosecute whoever shot it. The autonomous part here does not solve anything - it's only work if the whole system, ab initio, was autonomous without human intention - but even then the government could claim to regulate an access to it - just as it could, for example, restrict access to an erupting volcano if it wanted, even if no person caused it to erupt. But here it's much simpler because somebody definitely caused TC to operate, so the whole argument disappears.
The people that 'shot' the bullet though are either the node operators or the users of Tornado Cash. Interestingly the node operators (the people ACTUALLY EXECUTING TC, even at this very moment) haven't been sanctioned at all, despite pulling the trigger that enabled these transactions. Logical consistency would dictate that Ethereum as we know it should end as node operators have immutably absorbed and operate reckless machine gun firing wildly on the chain. In fact many of the people interacted with TC don't even have possession of the gun, rather they pay the 'hitman' the node operators to do it.
Well, in this case the bullet analogy is imperfect, as in financial crimes like these there are more than one side which is violating the law. Probably a drug market would be a better analogy - in this case, all of the buyer, the seller and the market organizer are violating the laws (and there's no actual victim, but that's the topic for a different conversation).
> Interestingly the node operators (the people ACTUALLY EXECUTING TC, even at this very moment) haven't been sanctioned at all
Because the crime is not "executing TC", the crime is (certain) financial transactions. TC code is just the means by which it is executed, and the node operators do not intend to execute a specific financial transaction and do not specifically benefit from it. Just like, for example, if you are going to buy illegal drugs, and you send the payment for it via Venmo and then send the stash location using Gmail, Venmo and Google would not be liable for the drug transaction (even if Venmo charged a transaction fee) because for them it's just common transaction like any other. Same would go for node operators.
> In fact many of the people interacted with TC don't even have possession of the gun
It doesn't matter. What matters is who caused the illegal activity to happen. I mean, if you had a chain that is dedicated to money laundering or another illegal activity, and had no other uses whatsoever - it could actually earn OFAC designation probably by itself, as a whole, and then using it and running the node might become a crime. But I don't think OFAC intends to argue that's the case with Ethereum - it's pretty clearly not true, as most Ethereum users and nodes are perfectly happy to follow the law and never do anything illegal.
So who is the counterparty then? The other random guy(s) who deposited the ETH you end up with?
Using the venmo analogy, it would be the actual venmo corporate computers EXECUTING the tornado cash program.
It seems a little odd to me here to not hold the people executing the transaction program accountable if it's on the sanction list explicitly noting TORNADO CASH is OFAC sanctioned. Remember those nodes running the ethereum virtual machine are validating and computing the transaction, and thus the entire foundation of ethereum would be guilty per your assessment, no?
Not every transaction must have a counter-party that is distinct from the initiator. You could transact with yourself, and some form of that may be also illegal - e.g., wash trading or structuring (I am not saying it's how it should be in ideal world, but currently it is definitely the case).
> thus the entire foundation of ethereum would be guilty per your assessment, no?
No, why would it be? Again, the Ethereum system did not initiate the specific illegal transactions - it was used (without their specific cooperation or knowledge) to perform the transactions, it's very different.
> and the police can confiscate the gun and the bullets
Says who? They can only do this the law provides this mechanism. If there isn't, the gun remains the property of the owner (even if the owner is now a convicted murderer).
> but even then the government could claim to regulate an access to it - just as it could, for example, restrict access to an erupting volcano if it wanted
They could, if Congress has passed a law giving the government this regulatory power.
I get that people might feel "autonomous" is a cop-out, but legally, the argument is narrow. It isn't about people getting a way with crime. The crypto currency community would certainly be opposed to Tornado Cash relayers facing money laundering charges as well, but here they are merely saying that the sanctions authority does not extend to the sanctioning of things. And well, it either does or it doesn't. If Iran secretly plants a cherry tree in Central Park, is OFAC allowed to sanction the cherry tree, and prevent people from eating the cherries? They are arguing no, because OFAC has no authority to sanction trees.
> the sanctions authority does not extend to the sanctioning of things
That's the semantic game. If they have authority to limit financial transactions by people, then they have authority to limit financial transactions by people facilitated by things. And things can not (at least not yet, not until general AI exists and recognized as independent legal entity) initiate transactions by itself - somebody caused them to do that, by setting off chain of events that resulted in that transaction. That person can be prosecuted if the transaction is illegal.
> If Iran secretly plants a cherry tree in Central Park, is OFAC allowed to sanction the cherry tree
What you mean by "sanction the cherry tree"? If people use this tree to, say, exchange money (OFAC does not regulate eating, AFAIK) - for example, by hanging sacks with money on its branches - then yes, OFAC would be able to prohibit this way of transferring money to Iran as well as any other way of doing it. Why not?
> They are arguing no, because OFAC has no authority to sanction trees.
It has authority to sanction financial transactions. The means by which they are executed is secondary - it's be stupid for Congress to give them authority to regulate transactions made in one way, but ignore same transactions with same effect made in slightly different way. I don't think anybody would have any luck convincing the courts that was the lawmakers' intent.
You seem uninterested in the details of how legislation is crafted to balance competing interests and values, and in that way both empower but also restrict regularity bodies. Congress did not say to Treasury "you can no 'limit financial transactions by people', good luck". If OFAC were to announce that they want to limit the number of bank transactions a person can do to 5 per day (say they are unable to investigate the larger volume), they would be exceeding their authority.
Another example, the tool that OFAC has here that we are talking about is their designation power, and the restrictions that follow such a designation are partly set in the statute defined by Congress, not something that OFAC has the power to make up.
> Then yes, OFAC would be able to prohibit this way of transferring money to Iran as well as any other way of doing it. Why not?
Transactions with the target entities ("Iran") are already restricted, whether through a crypto transfer or a tree-branch exchange. This is because OFAC has used its proper powers to designate those targets. The question at hand in this hypothetical is whether OFAC has the power /to designate the tree/ itself additionally, thus making it illegal for you to hang a sack of money there, regardless if you are transacting with Iran or just waiting for your cousin to pick it up.
Does OFAC have the power to say "we are designating the Hawala system"?
> Does OFAC have the power to say "we are designating the Hawala system"?
Probably not because "Hawala system" is not an entity that can be defined - it's like banning "cryptocurrencies" in general. OFAC wouldn't be able to do that - because it's not a specific definable entity. Designating a specific hawaladar would be possible for them (though likely not very effective).
Neither of these people are lawyers, and their interpretation of the law has roughly as much validity as a HN comment on the law: sounds good, probably wrong.
The IANAL caveat always applies, but I also counter with "one would be dumb to think the Government would throw up their hands at having been thwarted by this one weird trick.
The obligatory reference to rubber hose cryptanalysis is always something to keep in mind.
> The legal teams of the Crypto world basically have to convince the Supreme Court that the Executive does not have the right to engage in economic foreign policy.
One easy argument is that there is no way to prove that Tornado Cash contracts are foreign assets at all. Ethereum nodes do not know which node - or its geographical placement - saw the deployment transaction first. So it is just as easily deployed from the United States and operates from the United States most of the time, or simultaneously all the time, as all nodes execute the updates states (or Tornado Cash and every contract) and many/most are in the US.
The US has other enforcement tools. OFAC here wasn't it.
Alright, I get it, it's not sinking in, so let me break it down.
>Access to the U.S. electronically facilitated financial system is one of the strongest forms of soft power projection on Earth.
>This is made possible through money transmission being regulated.
>Part of being an authorized money transmitter is compliance with OFAC sanctions on a strict liability basis. OFAC sanctions are not constrained by by normal constraints on domestic law enforcement. You can end up on the OFAC list. You can appeal it, but the burden of proof is on you, and the Government does not have to share with you why you got put on there in the first place.
>Sanctions are often diplomatic. Courts will not say the executive does not have standing, as it's enumerated right in the Constitution, that is the Federal Government's job.
>Violation of sanctions as a U.S. citizen is criminal. While it is not necessarily practicable yet to ascertain which node originated a particular block, it is not impossible to sufficiently instrument enough of the network to make such determinations possible, and eith PoS tending to centralize, the value of setting up said monitoring to facilitate enforceability is high, even if only for investigative/intelligence community purposes. Remember, these are the people who brought you PRISM.*
>Any violations of sanctions will be transparently evident on the blockchain. The receiving address of the value from the sanctioned address will be added to the SDN.
>The overall network effect is such that no one that desires to do business in the U.S. will cash out your coin.
>No technical impossibilities exists that will prevent this eventual outcome.
The only X factor, is how much time it will take for the tooling to get there
I would argue the US dollar is in part worth what it is now because alternative systems exist to bypass the spirit of KYC/AML. It may be a 'careful what you wish for' scenario if America somehow manages to snuff out unregulated use of the dollar -- the market just may find something else.
Does anyone else seriously think it's a complete coincidence the rise of crypto coincided with the rising international cooperation with FATF and other AML/KYC oriented agreements worldwide post 9/11? The ~2010-2020 era was some of the biggest movement in nations coming into compliance with FATF's assessments, I don't think it's an accident crypto exploded during that period.
The thing these Treasury department types don't really want to admit is that Tether has done more for dollarization than just about any branch of government in the past 20 years.
> Treasury would probably prefer these freedom aren't even given
This is how it always worked. Go back to the original articles and read the comments defending OFAC. The code was never sanctioned. The project was. The fact that the project involves an instance of code on an immutable blockchain is mumbo jumbo.
They'd probably need to get some law like DMCA that would prohibit such code, but they don't have it yet, so they don't have a leg to stand on with regard to proscribing the code. They'll probably get to asking for such law pretty soon though.
I read the sanctioned SDN List. Am I reading incorrectly that if someone merely created a new TC instance with new addresses and website, it would not violate sanctions? I don't see the sanction list sanction the actual code, nor the execution of the code, but IANAL.
The SDN here just shows the associated addresses, the published contract instance, and tornado cash website, no?
>If you facilitate money laundering, that is still illegal.
If that is your intent, then sure. But merely mixing funds does not meet the criteria for money laundering.
The road crew who builds the interstate knows 100% it will be used for money laundering, yet builds it anyway and does nothing to stop it. (Same for guys at the gas station who sell the gas). Surely knowing money launderers use something isn't enough to be criminally culpable.
>If you run the code in a way that nobody can interact with it.
IANAL and not legal advice, but it looks to me though that a fresh published contract of TC to new addresses doesn't violate this SDN list, even if it interacts with others.
If you are moving money around on behalf of others and you have a reasonable belief that some of your users are Americans or will eventually deal with American financial institutions (pretty much everyone in the world), then you should have AML (Anti-Money Laundering) and KYC (Know Your Customer) processes in place. Not doing so is just asking for trouble. When you are eventually investigated by the authorities, saying "we didn't ask so we didn't know" is not considered a valid defense.
More to the point, crypto mixers are obviously being used to hide the origin of funds. This is money laundering in the colloquial sense. Whether it reaches the level of criminality will obviously depend on a case by case basis. Running a mixer is, IMO, a very very dangerous road to go down.
Tornado Cash is described as a decentralized crypto-mixing service. Given that description, all it did was move money around. Is this a mischaracterization?
Look at the different stakeholders in the system. Who is the provider of what service? The fundamental separation and removal of custody and trust is precisely what makes something like Tornado Cash a completely different thing than a traditional tumbler / mixing service.
Road builders do not actually move money around on behalf of others, and Tornado Cash developers do not actually move money around on behalf of others. They don't "run a mixer" or otherwise operate the Tornado Cash smart contract. They did provide an interface for interacting with it, but that's not really the issue in question.
Tornado Cash runs autonomously on immutable code. Nobody can force the already-running code to start doing AML/KYC.
In my eyes, you either argue that it was not against the law for the devs to publish the code, or you argue that code is not protected by the first amendment. There's not really an in-between.
> Tornado Cash runs autonomously on immutable code. Nobody can force the already-running code to start doing AML/KYC
The hypothetical involved creating “a new TC instance with new addresses and website.” That’s not already-running code. If you do that and then it’s used for money laundering and you do and don’t do all the things Tornado Cash did and didn’t, yes, obviously, we have that precedent.
Publishing a new TC instance can be done anonymously from anywhere in the world, by anyone who can follow the compilation instructions in the readme, so it's not really an interesting legal question in my opinion.
I'm more interested in discussing the legality of publishing the source code in the first place (is it protected by the first amendment?) and the legal questions surrounding already-instantiated code.
The people 'running' the code are basically the Ethereum virtual mcahine nodes. That is to say, using your definition Ethereum comes crashing down because everyone running the ethereum virtual machine and this application, which still exists on the chain, are criminals guilty of running the code without KYC.
Ethereum clients run the code automatically alongside all the other code on the Ethereum network, impartial to what it is or does. There are estimated to be nearly 10,000 Ethereum clients in operation, distributed globally. Identifying all of their operators, trying to prove intent, and convicting them all of money laundering seems to be a tall ask, even for the US government.
I admittedly haven’t looked at Ethereum in a while, but I’m having a hard time grokking this logic:
> Ethereum clients run the code automatically alongside all the other code on the Ethereum network, impartial to what it is or does.
That can’t be true on its own. If I write the code in Notepad and share it with friends, the Ethereum client isn’t running it. From what I recall, the way to get it to actually run is to spend gas? Isn’t that the step where it changes from published code to executing code?
I 100% agree that the code behind this all should be free speech. But to try to call “spending money to have a global network execute the code” “publishing” is a pretty big stretch.
In the same way that your ISP isn’t going to get shut down for transmitting the bits that initiated the money laundering transaction, the end node operators are not the proposed target here but rather the people picking up the phone and asking the system to launder money, as well as those responsible for the specific instances of the code that are doing the laundering.
There are a few steps to running code on Ethereum:
1. A person writes the source code and shares it
2. A person pays a flat amount of ETH to compile/instantiate the source code on the Ethereum network. The code is not "running" yet (aside from its constructor function, if it has one). Now the code is instantiated at an Ethereum address.
3. A person invokes a function of the code, paying ETH proportional to the amount of execution steps taken before the function returns.
4. A swarm of computers acting as block producers, some with identifiable operating persons and some without, produce a block that officially timestamps that function execution into the chain and applies it to the chain's state.
5. A swarm of computers acting as network observers, some with identifiable operating persons and some without, re-execute the transaction locally to verify that the state change was valid.
> the people picking up the phone and asking the system to launder money
Of course, culpability there goes without saying. That's not relevant to the question of whether Tornado Cash is illegal, it's a question of whether crime itself is illegal; in essence a tautology.
> as well as those responsible for the specific instances of the code that are doing the laundering
It looks like you may be talking about the second step of the five I've laid out.
That step, the instantiation of the code, can be done anonymously from anywhere in the world by anyone who can follow the compilation instructions in the readme. If that's the step where legislators try to enforce culpability, it's a lost cause due to the anonymity. Hypothetically, even if law enforcement were able to perfectly determine the legal owner of every Ethereum address and punish them when they illegally instantiate code, they still can't cause the code to be un-instantiated.
I doubt that law enforcement is going to be successful if they try to force staking outfits to fork the Ethereum network (by actively censoring transactions that other stakers try to publish on the network).
For example, Coinbase CEO Brian Armstrong says that he would wind down Coinbase's staking program before trying to impose a regulation-required fork on the protocol. I suspect that other outfits would follow suit until the only outfits left would be outside the jurisdiction of the regulators.
Only in the sense that DoT has not looked into the matter long enough to figure out if somebody needs a sanctioning.
If you do not comply with AML best practices, you'll still eventually be on the hook the first time a ne'er do well facilitates something through ya. Repeat that process till normal folks start catching on, or someone takes Confress by the hand, and you'll find the regulations come quicker than you think.
Treasury says mixing is money transmission so if you were a US person operating such a service you’d need a MSB license and a license for the states you operate in. Tornado Cash had no US persons operating it (arguably no one was operating it as it cannot be shutdown and does not take fees) and really no US nexus so they just used sanctions instead of criminal or civil charges to get their way.
You cannot in any way facilitate the moving out of any denomination of value from the addressed on the SDN list.
Moving value cross-chain is itself a violation of sanctions. If you start up a new Tornado.cash instance, you're still probably not going to get touched by the rest of the financial network. Risk departments are going to have dig into the details, and legal (if smart) will steer clear. Further, law enforcement will likely root out and make known to Treasury any additional instances of the same infrastructure they uncover, given that inevitably, the usual suspects will be running things through said channels until caught if they don't.
...And you will be hard pressed to find a judge that has the gumption to go so activist from the bench that they go against what Congress has already authorized.
>f you start up a new Tornado.cash instance, you're still probably not going to get touched by the rest of the financial network.
This is what I'm referring to. In the hypothetical that someone tweaks TC to call it something besides Tornado Cash, and runs it with different addresses. It seems to me by the letter of the SDN, from a layman's perspective, it wouldn't violate sanction.
IMO they should have sanctioned any execution of all forks of TC if their desired effect was to stop the service of TC.
They can't "sanction all forks". Sanctions are applied against people and organizations, not technologies. Criminal money laundering is still a crime. It doesn't matter if you use TC or not.
This very sanction is against a tech called “Tornado Cash” which is not an organization or person. If somebody forks the protocol and renames it, and everybody uses it in place of TC, it will probably be under scrutiny by US treasury.
I'd wager it'll end up getting treated like a machine gun. As soon as something too recognizably close to it pops up again, onto the list it goes. In fact, now that I think on it, I could see a case whereby an Office to monitor new smart contracts pops into existence that categorizes pieces of logic such that usage thereof requires some form of bureaucracy.
The "if the U.S. government publishes smart contracts, I win" --Vitalik Buterin or whoever snark may not be as far fetched once tooling is bettee understood.
Humorously enough, ATF already has more than enough experience at that of enforcement (surveiling new designs and classifying new works as NFA/non-NFA) for it to not be converged upon as a potential model for regulation of such logical constructs.
Throw im some aggravating statutory enhancements for any crimes to which cryptocurrency mixing is found to be a component, and you've got a recipe for at least ensuring normal folk in U.S. jurisdictions tend to stay away from it.
...Good God. I hate this. Please don't make me right on half of these guesses.
Most of the value in a mixing service comes from how many people use it. If another one gets significant enough usage they will just sanction that one (assuming the current lawsuit results in a ruling saying they have the authority to).
So... To clarify,
When you say "start another instance pointing at different addresses" are you referring to addresses TC previously used as stores of value prior to having it withdrawn from the Ethereum Chain?
Simply starting another with another set of pool addresses will probably not last long. One of the benefits of a public ledger is it's possible to statically analyze transaction traffic in a statistical manner to quickly home in on new sections of the address space. A sanction will come along once the intelligence community or law enforcement has enough actionable intel to say with confidence that that pool address is channeling activity it shouldn't be, then onto the list it goes, locking any value stored therein out of being moved out of those addresses.
Over time, this will create black holes in the address space essentially. More and more quickly as LE/Treasury/Intelligence Community tooling improves.
With FinCEN Notice 2020-2 it's clear that the US wants to treat crypto as foreign bank accounts to coerce disclosure but that severely limits the scope of regulation they can do as it would place public blockchains as strictly not being American jurisdiction, and it would make monitoring American activity on these blockchains outside of the scope of domestic agencies and spy agencies would not be legally able to spy on American activities on these blockchains. When you understand these facts it explains why the US pursued dubious NK sanctions over what would be a much stronger case of considering the Tornado Cash protocol an unregulated bank which it is. There is a very big technical and legal distinction between what centralized BTC mixers do with UTXOs to be considered laundering and how the Tornado Cash protocol exploits how ETH works on-chain to combine ETH in a single account without taking KYC.
> it would make monitoring American activity on these blockchains outside of the scope of domestic agencies and spy agencies would not be legally able to spy on American activities on these blockchains.
I am genuinely not sure, is it still "spying" if the information is public for anyone and everyone to see? If I publish an attested list of my daily foreign transactions on my blog, I don't see why the government can't use that to prosecute me just because the website may be hosted offshore without it being considered "spying".
Seconded. The actions that can be done with Tornado Cash are specific & finitely-defined: Even if it could be translated into regular banking terms, what Tornado does is not something that a normal bank does, & what Tornado provides is nowhere near the functionality that a regular bank performs for its depositors/lenders.
>US wants to treat crypto as foreign bank accounts to coerce disclosure but that severely limits the scope of regulation they can do as it would place public blockchains as strictly not being American jurisdiction, and it would make monitoring American activity on these blockchains outside of the scope of domestic agencies and spy agencies would not be legally able to spy on American activities on these blockchains.
...You have no idea how this'd shake out do you?
OFAC'll be able to still do it's thing, the only thing it needs is LE or IC input saying "Yup, sanctioned individual's value is there."
Domestic law enforcement will have literally no legal impediment to surveilling the blockchain, because guess what? It's public! They don't even need a warrant to serve. You just send it on over to their node. With a financial institution, you at least generally have a shot at counsel requiring a warrant to be served.
Jurisdiction is going to be determined based on where you (the operator of the transacting medium) operate.
Hell, I could see the potential for some intrepid implementer to put in-line packet analyzers capable of creating a signal propagation map to home in on where a candidate block originated, causing a reversion back to the old school system under which enforceable strict liability will disincent anyone but people willing to participate in good faith from processing anyone else's transactions.
In the end, the only people who have really gotten anything out of this fad, were the people who cashed out early in the hype cycle, and the government/regulators who now jave a medium much more condicive to centralized surveillance.
> While engaging in any transaction with Tornado Cash or its blocked property or interests in property is prohibited for U.S. persons, interacting with open-source code itself, in a way that does not involve a prohibited transaction with Tornado Cash, is not prohibited.
So I would imagine running this code on your own computer is entirely fine, since I see no possibility of you executing a "prohibited transaction" with it.
What does "involve" mean? Running the code for any sort of crypto project typically involves doing some verification work for the other transactions on the chain, one or more of which might be prohibited.
The discussions on this seem to be fixated on the implementation details, when lawmakers tend to focus on results.
The desired result is for people to stop laundering money for sanctioned groups. How the Ethereum network does that isn't of particular interest to the law (yet), but "it's not designed to let us stop that!" isn't going to be an excuse.
Somewhat related, I'm not sure how anyone didn't see this coming from a mile away.
"We must restrict the freedom of Americans so we can better restrict the freedom of people we say are bad". What's more important, the freedom of Americans or the possibility that North Koreans or other "bad" people on the other side of the world can escape the edicts of the US government? Personally I'm far more concerned with the former than the latter. I'm far from alone in thinking that we should massively downsize the federal government and strip them of most of their powers.
We all want results, but implementation details matter, particularly in law. The suit is merely saying that if law makers want to give OFAC the authority to sanction the Tornado Cash smart contracts, they have yet to do so.
112 comments
[ 4.5 ms ] story [ 175 ms ] threadThis is very reasonable! It balances economic sanctions around money laundering and transmittal with freedom of speech.
This is for the courts to decide I guess
Of course as a practical matter it can be difficult to prosecute DDoS attackers under that statute. Either they don't leave hard evidence, or they hide in countries which don't extradite.
The applicable legal test is from United States v. O'Brien [2], which ruled that even though burning a draft card may be expressive speech, the government's interest in draft cards not getting burnt allows them to forbid it without falling afoul of the first amendment.
Junger v. Daley was cited as precedent in Universal City Studios v. Reimerdes [3], where the courts ruled that the functional power of DeCSS being illegal under the DMCA was sufficient to justify banning the distribution of the DeCSS source code.
[1] https://en.wikipedia.org/wiki/Junger_v._Daley
[2] https://en.wikipedia.org/wiki/United_States_v._O%27Brien
[3] https://en.wikipedia.org/wiki/Universal_City_Studios,_Inc._v...
Speech is speech, code can be spoken, and it can also be executed. The former is speech, the latter is action. Making API calls and flipping bits in a computer is what crosses the line from one to the other.
Yes? This is entirely reasonable if we analogize it to how fiction often approaches it. There might be some evil book, a necronomicon, or killing spells like in Harry Potter. In many fictional media, people are allowed to learn such spells, they're just not allowed to say the spells out loud. Reading and writing a spell is not the same as saying it and thereby executing it.
It doesn't solve Congress’ mandate to the Treasury where OFAC is used against entities that can appeal their own listing on the sanctions list. The smart contracts cannot currently do that.
There are two things which I think will change that game substantially:
1. As this is taken more seriously, companies trying to stay in compliance with the law are going to be enforcing KYC strictly. That's going to make it harder to use things like tumblers because not only will you be paying more to use the service but you'll also be getting tainted tokens which an increasing fraction of businesses either won't accept at all or will accept at a discount rate to compensate for the decreased utility. I think that ratchet effect is going to really limit future services like Tornado Cash: when there's a non-trivial risk involved for using it fewer people will participate and those who do will expect to be paid more.
2. These services depend on liquidity because anonymity is a function of how many people are running money through it. The Treasury department doesn't really care if you and and a few curious friends set up a proof-of-concept instance because unless you can also pump the equivalent of millions of dollars into the system it won't be used by the people they're concerned about (ransomware gangs, North Korea, etc.) since it would take millennia to launder money at their scale. This is similar to how the goal for counterfeiting paper money isn't set to “impossible” but rather accepted at a low frictional level as long as it's too risky for anyone to attempt a sufficiently large-scale counterfeiting operation which could actually impact the overall economy.
Everyone was being paranoid about assisting a sanctioned somebody
Did open source ( and crypto ) become so important that Treasury got concerned about the rumblings ( because this story was making a long of news in banking )? I am genuinely curious what caused it.
Treasury would probably prefer these freedom aren't even given, but they'll lose on these points so badly that it's face-saving to concede first.
Treasury knows it has standing, and how. They don't give a squib what you do with the code. As long as you don't facilitate transaction processing with it (i.e. money transmitting) with it. The legal teams of the Crypto world basically have to convince the Supreme Court that the Executive does not have the right to engage in economic foreign policy.
I don't see that happening.
https://www.coincenter.org/analysis-what-is-and-what-is-not-...
Then the creator of TC stepped away.
The node operators took the gas fees in exchange for putting the brick on their accelerator and validated the brick contracts.
Who's to sanction here? Honestly the node operators running the Ethereum virtual machine 'car' look like the closest human to hold accountable, if that's the desirable outcome. Continuing our logic, ethereum should basically be shutdown if the runners of the brick program are to be held accountable, because that's basically every node.
For better or worse, the government seems to be intent on making a lesson out of the Tornado Cash developer, rather than attempting (probably pointlessly) to shut down all of Ethereum. The point seems to be to send a message: if you publish the brick blueprint, you will be considered the entity responsible. This accomplishes both of the government’s goals: it disincentives future attempts to launder money through smart contracts, and it avoids a protracted legal and technical battle over individual cryptocurrencies and their networks.
Edit: And there are clear parallels in existing legal reasoning: we do not prosecute steel factories for following a client’s specification faithfully, even if it’s later revealed that the specification was in furtherance of something illegal to manufacture (like an unregulated weapon). The exception is when the factory goes to unusual lengths to turn a blind eye, which the government might present evidence to argue negligence or conspiracy.
It'll really only take getting enough of the right ears to get this recognized. Make no mistake, it was never the intent of the United States Government to leave the door open to everyone to operate their own personal money transmitter.
That's actually something I like about this to be honest. There really is no avoiding coming to terms with the fact that structurally speaking, the U.S. regulatory edifice outsources to private industry. All the typical "It's a private business, not the government" people need a reality check. This is how regulation works.
Except Treasury has released guidance saying the opposite. Not sure what would make one so giddy about a mandatory and opaque financial surveillance apparatus being a part of daily life.
The part where it becomes common knowledge and we actually have a more public discussion on whether it's a good idea in the long run. I actually feel quite squicky about the fact that most people don't seem to realize there's this orchestrated black hole capability strategically wielded with very little recourse by the Executive.
The 'honest' reader here should realize they aren't the 'good guy'. They're just someone a prosecutor hasn't found convenient to destroy yet.
* A separate division of the Treasury (FinCEN) makes a policy distinction between various groups of users/operations of transaction anonymization software. The authors concede that OFAC is not bound to this policy distinction.
* OFAC's stated mission is to bring about a "positive change in behavior." They claim that this can't happen with an autonomous contract, neglecting that the entire point is to scare developers away from deploying and using these kinds of contracts (which is indeed, from the Treasury's perspective, a positive change).
Later on, they make a separate argument that inclusion in the OFAC list exceeds statutory authority under IEEPA. The claim there also relies on autonomy: that the "Tornado Cash Entity" is not meaningfully an operator of the "Tornado Cash Application," because the former cannot cease operation of the latter.
This splits an exceedingly fine hair: it requires the Treasury to accept that the Tornado Cash Entity, despite being the prime mover for the Tornado Cash Application, is somehow not responsible for the thing it wrought. In other words, the "brick on the accelerator" argument.
Later, there's some more plausible hair splitting over whether the term "property" correctly applies, despite there being little to no disagreement over whether North Korea actually did launder a bunch of money through the Tornado Cash Application. So it comes down to whether the Treasury (and a jury) can be convinced that being the prime mover somehow does not matter.
I’m with you here. If I build a machine with no off switch that kills anyone who approaches it, even though it’s now completely out of my control… there’s a pretty clear connection between me and my creation.
I have a feeling that people are going to be disappointed when “I built this autonomous thing and because I have no control over it I can’t be held responsible for it” is actually interpreted by the courts as “you built it and are responsible for every crime it commits”
Either ethereum virtual machine operators at large is criminal organization or it's an endless game of a cat trying to catch its tail.
This is completely thrown out in reality, because Courts've already handled this. If you create a thing that does harm (booby trap), you are still liable for damages incurred as a result of it's fundamental operation as you created the danger. Also see the case withregards to Alfred Anaya to dissuade yourself of the notion that they'd never go after someone for bringing into existence an instance of a tool key in facilitating known criminal activity.
Besides which, Tornado.Cash screwed up as far as I'm aware, because they were financial beneficiaries of the operation of the mechanism. This is also something Courts are quite adept at being able to see through in spite of obfuscatory application of tech. So there is a tangible link there to anchor on both in the sense that the Entity's assets get sanctioned, and any addresses involved in the technical implementation get sanctioned.
Anyone spinning up anything recognizably similar, (and I assure you, a recognizer that runs over the chain to find similar patterns of behavior is well within technical capabilities), will find themselves needing to resort to more and more elaborate constructs as more examples of the underlying implementation pattern of activity become known. This'll converge to becoming Yet Another Form of Financial Engineering Arms Race (tm).
It is very difficult to outpace Nation states. Especially when you consider they are attractive pass times to those who like dealing with large distributed problems once one gets beyond a certain level of financial independence.
TL;DR: Nobody thinks that the Tornado Cash smart contracts are themselves persons. The government is clearly operating along the reasoning that a human being had to be (and was, in fact) in the loop as part of deploying the smart contracts. That brings us back to the initial analogy I used: you can't absolve yourself by building a robot that does the crime for you.
But the argument isn't at all about absolving the robot builder. In fact, they explicitly take no view on whether the sanctions against the Tornado Cash entity are justified. They also do not take a view on whether the government would be justified in prosecuting the individuals behind Tornado Cash.
They are saying the government does not have the statutory authority to sanction the robot you built.
(Defending the TCE also continues below that, on a mostly irrelevant and unargued tangent about software IP.)
"So there is potentially an entity called Tornado Cash that is controlled by certain individuals, and the web address and some of the Ethereum addresses in the notice can be thought of as either pseudonyms for that entity or, alternatively, as its property. At this point, we’re not offering an opinion on whether it was appropriate to sanction that entity—we do not know all the facts that have led to this action—but we would agree that there may be an entity behind those donation addresses and that said entity may be legally eligible for listing. "
In short: they're trying to have it both ways, and it's not coming off well. If they had restricted their attention to just the TCA the argument would be more interesting, but ultimately still not compelling: everybody involved understands that there were some humans who decided to "pull the trigger" and deploy the TCA.
> Interestingly the node operators (the people ACTUALLY EXECUTING TC, even at this very moment) haven't been sanctioned at all
Because the crime is not "executing TC", the crime is (certain) financial transactions. TC code is just the means by which it is executed, and the node operators do not intend to execute a specific financial transaction and do not specifically benefit from it. Just like, for example, if you are going to buy illegal drugs, and you send the payment for it via Venmo and then send the stash location using Gmail, Venmo and Google would not be liable for the drug transaction (even if Venmo charged a transaction fee) because for them it's just common transaction like any other. Same would go for node operators.
> In fact many of the people interacted with TC don't even have possession of the gun
It doesn't matter. What matters is who caused the illegal activity to happen. I mean, if you had a chain that is dedicated to money laundering or another illegal activity, and had no other uses whatsoever - it could actually earn OFAC designation probably by itself, as a whole, and then using it and running the node might become a crime. But I don't think OFAC intends to argue that's the case with Ethereum - it's pretty clearly not true, as most Ethereum users and nodes are perfectly happy to follow the law and never do anything illegal.
So who is the counterparty then? The other random guy(s) who deposited the ETH you end up with?
Using the venmo analogy, it would be the actual venmo corporate computers EXECUTING the tornado cash program.
It seems a little odd to me here to not hold the people executing the transaction program accountable if it's on the sanction list explicitly noting TORNADO CASH is OFAC sanctioned. Remember those nodes running the ethereum virtual machine are validating and computing the transaction, and thus the entire foundation of ethereum would be guilty per your assessment, no?
> thus the entire foundation of ethereum would be guilty per your assessment, no?
No, why would it be? Again, the Ethereum system did not initiate the specific illegal transactions - it was used (without their specific cooperation or knowledge) to perform the transactions, it's very different.
Because the law against murder was broken.
> and the police can confiscate the gun and the bullets
Says who? They can only do this the law provides this mechanism. If there isn't, the gun remains the property of the owner (even if the owner is now a convicted murderer).
> but even then the government could claim to regulate an access to it - just as it could, for example, restrict access to an erupting volcano if it wanted
They could, if Congress has passed a law giving the government this regulatory power.
I get that people might feel "autonomous" is a cop-out, but legally, the argument is narrow. It isn't about people getting a way with crime. The crypto currency community would certainly be opposed to Tornado Cash relayers facing money laundering charges as well, but here they are merely saying that the sanctions authority does not extend to the sanctioning of things. And well, it either does or it doesn't. If Iran secretly plants a cherry tree in Central Park, is OFAC allowed to sanction the cherry tree, and prevent people from eating the cherries? They are arguing no, because OFAC has no authority to sanction trees.
That's the semantic game. If they have authority to limit financial transactions by people, then they have authority to limit financial transactions by people facilitated by things. And things can not (at least not yet, not until general AI exists and recognized as independent legal entity) initiate transactions by itself - somebody caused them to do that, by setting off chain of events that resulted in that transaction. That person can be prosecuted if the transaction is illegal.
> If Iran secretly plants a cherry tree in Central Park, is OFAC allowed to sanction the cherry tree
What you mean by "sanction the cherry tree"? If people use this tree to, say, exchange money (OFAC does not regulate eating, AFAIK) - for example, by hanging sacks with money on its branches - then yes, OFAC would be able to prohibit this way of transferring money to Iran as well as any other way of doing it. Why not?
> They are arguing no, because OFAC has no authority to sanction trees.
It has authority to sanction financial transactions. The means by which they are executed is secondary - it's be stupid for Congress to give them authority to regulate transactions made in one way, but ignore same transactions with same effect made in slightly different way. I don't think anybody would have any luck convincing the courts that was the lawmakers' intent.
Another example, the tool that OFAC has here that we are talking about is their designation power, and the restrictions that follow such a designation are partly set in the statute defined by Congress, not something that OFAC has the power to make up.
> Then yes, OFAC would be able to prohibit this way of transferring money to Iran as well as any other way of doing it. Why not?
Transactions with the target entities ("Iran") are already restricted, whether through a crypto transfer or a tree-branch exchange. This is because OFAC has used its proper powers to designate those targets. The question at hand in this hypothetical is whether OFAC has the power /to designate the tree/ itself additionally, thus making it illegal for you to hang a sack of money there, regardless if you are transacting with Iran or just waiting for your cousin to pick it up.
Does OFAC have the power to say "we are designating the Hawala system"?
Probably not because "Hawala system" is not an entity that can be defined - it's like banning "cryptocurrencies" in general. OFAC wouldn't be able to do that - because it's not a specific definable entity. Designating a specific hawaladar would be possible for them (though likely not very effective).
The obligatory reference to rubber hose cryptanalysis is always something to keep in mind.
One easy argument is that there is no way to prove that Tornado Cash contracts are foreign assets at all. Ethereum nodes do not know which node - or its geographical placement - saw the deployment transaction first. So it is just as easily deployed from the United States and operates from the United States most of the time, or simultaneously all the time, as all nodes execute the updates states (or Tornado Cash and every contract) and many/most are in the US.
The US has other enforcement tools. OFAC here wasn't it.
>Access to the U.S. electronically facilitated financial system is one of the strongest forms of soft power projection on Earth.
>This is made possible through money transmission being regulated.
>Part of being an authorized money transmitter is compliance with OFAC sanctions on a strict liability basis. OFAC sanctions are not constrained by by normal constraints on domestic law enforcement. You can end up on the OFAC list. You can appeal it, but the burden of proof is on you, and the Government does not have to share with you why you got put on there in the first place.
>Sanctions are often diplomatic. Courts will not say the executive does not have standing, as it's enumerated right in the Constitution, that is the Federal Government's job.
>Violation of sanctions as a U.S. citizen is criminal. While it is not necessarily practicable yet to ascertain which node originated a particular block, it is not impossible to sufficiently instrument enough of the network to make such determinations possible, and eith PoS tending to centralize, the value of setting up said monitoring to facilitate enforceability is high, even if only for investigative/intelligence community purposes. Remember, these are the people who brought you PRISM.*
>Any violations of sanctions will be transparently evident on the blockchain. The receiving address of the value from the sanctioned address will be added to the SDN.
>The overall network effect is such that no one that desires to do business in the U.S. will cash out your coin.
>No technical impossibilities exists that will prevent this eventual outcome.
The only X factor, is how much time it will take for the tooling to get there
Does anyone else seriously think it's a complete coincidence the rise of crypto coincided with the rising international cooperation with FATF and other AML/KYC oriented agreements worldwide post 9/11? The ~2010-2020 era was some of the biggest movement in nations coming into compliance with FATF's assessments, I don't think it's an accident crypto exploded during that period.
This is how it always worked. Go back to the original articles and read the comments defending OFAC. The code was never sanctioned. The project was. The fact that the project involves an instance of code on an immutable blockchain is mumbo jumbo.
The SDN here just shows the associated addresses, the published contract instance, and tornado cash website, no?
https://home.treasury.gov/policy-issues/financial-sanctions/...
If you facilitate money laundering, that is still illegal.
If that is your intent, then sure. But merely mixing funds does not meet the criteria for money laundering.
The road crew who builds the interstate knows 100% it will be used for money laundering, yet builds it anyway and does nothing to stop it. (Same for guys at the gas station who sell the gas). Surely knowing money launderers use something isn't enough to be criminally culpable.
>If you run the code in a way that nobody can interact with it.
IANAL and not legal advice, but it looks to me though that a fresh published contract of TC to new addresses doesn't violate this SDN list, even if it interacts with others.
More to the point, crypto mixers are obviously being used to hide the origin of funds. This is money laundering in the colloquial sense. Whether it reaches the level of criminality will obviously depend on a case by case basis. Running a mixer is, IMO, a very very dangerous road to go down.
Tornado Cash runs autonomously on immutable code. Nobody can force the already-running code to start doing AML/KYC.
In my eyes, you either argue that it was not against the law for the devs to publish the code, or you argue that code is not protected by the first amendment. There's not really an in-between.
The hypothetical involved creating “a new TC instance with new addresses and website.” That’s not already-running code. If you do that and then it’s used for money laundering and you do and don’t do all the things Tornado Cash did and didn’t, yes, obviously, we have that precedent.
I'm more interested in discussing the legality of publishing the source code in the first place (is it protected by the first amendment?) and the legal questions surrounding already-instantiated code.
> Ethereum clients run the code automatically alongside all the other code on the Ethereum network, impartial to what it is or does.
That can’t be true on its own. If I write the code in Notepad and share it with friends, the Ethereum client isn’t running it. From what I recall, the way to get it to actually run is to spend gas? Isn’t that the step where it changes from published code to executing code?
I 100% agree that the code behind this all should be free speech. But to try to call “spending money to have a global network execute the code” “publishing” is a pretty big stretch.
In the same way that your ISP isn’t going to get shut down for transmitting the bits that initiated the money laundering transaction, the end node operators are not the proposed target here but rather the people picking up the phone and asking the system to launder money, as well as those responsible for the specific instances of the code that are doing the laundering.
1. A person writes the source code and shares it
2. A person pays a flat amount of ETH to compile/instantiate the source code on the Ethereum network. The code is not "running" yet (aside from its constructor function, if it has one). Now the code is instantiated at an Ethereum address.
3. A person invokes a function of the code, paying ETH proportional to the amount of execution steps taken before the function returns.
4. A swarm of computers acting as block producers, some with identifiable operating persons and some without, produce a block that officially timestamps that function execution into the chain and applies it to the chain's state.
5. A swarm of computers acting as network observers, some with identifiable operating persons and some without, re-execute the transaction locally to verify that the state change was valid.
> the people picking up the phone and asking the system to launder money
Of course, culpability there goes without saying. That's not relevant to the question of whether Tornado Cash is illegal, it's a question of whether crime itself is illegal; in essence a tautology.
> as well as those responsible for the specific instances of the code that are doing the laundering
It looks like you may be talking about the second step of the five I've laid out.
That step, the instantiation of the code, can be done anonymously from anywhere in the world by anyone who can follow the compilation instructions in the readme. If that's the step where legislators try to enforce culpability, it's a lost cause due to the anonymity. Hypothetically, even if law enforcement were able to perfectly determine the legal owner of every Ethereum address and punish them when they illegally instantiate code, they still can't cause the code to be un-instantiated.
Sort by known wallet size. Those efforts should more than pay for the enforcement costs.
This is AML 101. Except with a public ledger. Cash transactions don't afford law enforcement that luxury.
For example, Coinbase CEO Brian Armstrong says that he would wind down Coinbase's staking program before trying to impose a regulation-required fork on the protocol. I suspect that other outfits would follow suit until the only outfits left would be outside the jurisdiction of the regulators.
https://twitter.com/brian_armstrong/status/15600168272535511...
If you do not comply with AML best practices, you'll still eventually be on the hook the first time a ne'er do well facilitates something through ya. Repeat that process till normal folks start catching on, or someone takes Confress by the hand, and you'll find the regulations come quicker than you think.
Moving value cross-chain is itself a violation of sanctions. If you start up a new Tornado.cash instance, you're still probably not going to get touched by the rest of the financial network. Risk departments are going to have dig into the details, and legal (if smart) will steer clear. Further, law enforcement will likely root out and make known to Treasury any additional instances of the same infrastructure they uncover, given that inevitably, the usual suspects will be running things through said channels until caught if they don't.
...And you will be hard pressed to find a judge that has the gumption to go so activist from the bench that they go against what Congress has already authorized.
This is what I'm referring to. In the hypothetical that someone tweaks TC to call it something besides Tornado Cash, and runs it with different addresses. It seems to me by the letter of the SDN, from a layman's perspective, it wouldn't violate sanction.
IMO they should have sanctioned any execution of all forks of TC if their desired effect was to stop the service of TC.
The "if the U.S. government publishes smart contracts, I win" --Vitalik Buterin or whoever snark may not be as far fetched once tooling is bettee understood.
Humorously enough, ATF already has more than enough experience at that of enforcement (surveiling new designs and classifying new works as NFA/non-NFA) for it to not be converged upon as a potential model for regulation of such logical constructs.
Throw im some aggravating statutory enhancements for any crimes to which cryptocurrency mixing is found to be a component, and you've got a recipe for at least ensuring normal folk in U.S. jurisdictions tend to stay away from it.
...Good God. I hate this. Please don't make me right on half of these guesses.
Simply starting another with another set of pool addresses will probably not last long. One of the benefits of a public ledger is it's possible to statically analyze transaction traffic in a statistical manner to quickly home in on new sections of the address space. A sanction will come along once the intelligence community or law enforcement has enough actionable intel to say with confidence that that pool address is channeling activity it shouldn't be, then onto the list it goes, locking any value stored therein out of being moved out of those addresses.
Over time, this will create black holes in the address space essentially. More and more quickly as LE/Treasury/Intelligence Community tooling improves.
I am genuinely not sure, is it still "spying" if the information is public for anyone and everyone to see? If I publish an attested list of my daily foreign transactions on my blog, I don't see why the government can't use that to prosecute me just because the website may be hosted offshore without it being considered "spying".
This is a very strong statement to make without also making a legal argument to back it up.
Just because you assert that it is a bank does not make it so. What precedents, statutes and regulations would you cite to support your assertion?
...You have no idea how this'd shake out do you?
OFAC'll be able to still do it's thing, the only thing it needs is LE or IC input saying "Yup, sanctioned individual's value is there."
Domestic law enforcement will have literally no legal impediment to surveilling the blockchain, because guess what? It's public! They don't even need a warrant to serve. You just send it on over to their node. With a financial institution, you at least generally have a shot at counsel requiring a warrant to be served.
Jurisdiction is going to be determined based on where you (the operator of the transacting medium) operate.
Hell, I could see the potential for some intrepid implementer to put in-line packet analyzers capable of creating a signal propagation map to home in on where a candidate block originated, causing a reversion back to the old school system under which enforceable strict liability will disincent anyone but people willing to participate in good faith from processing anyone else's transactions.
In the end, the only people who have really gotten anything out of this fad, were the people who cashed out early in the hype cycle, and the government/regulators who now jave a medium much more condicive to centralized surveillance.
Good job, lads.
> While engaging in any transaction with Tornado Cash or its blocked property or interests in property is prohibited for U.S. persons, interacting with open-source code itself, in a way that does not involve a prohibited transaction with Tornado Cash, is not prohibited.
So I would imagine running this code on your own computer is entirely fine, since I see no possibility of you executing a "prohibited transaction" with it.
The desired result is for people to stop laundering money for sanctioned groups. How the Ethereum network does that isn't of particular interest to the law (yet), but "it's not designed to let us stop that!" isn't going to be an excuse.
Somewhat related, I'm not sure how anyone didn't see this coming from a mile away.