Sanctions Should Target Bad Actors. Not Technology.
Tl;dr: Coinbase is funding a lawsuit brought by six people challenging the US Treasury Department’s sanctions of the Tornado Cash smart contracts and asking the Court to remove them from the U.S. sanctions list. The lawsuit explains that OFAC exceeded its authority from Congress and the President in sanctioning open source technology, rather than sanctioning the bad actors who used it or the property of those bad actors.
By Paul Growl, Chief Legal Officer
Today, Brian Armstrong shared why Coinbase is funding and supporting a challenge by six individuals (including two Coinbase employees) against the Treasury Department’s novel sanctions of open source software associated with Tornado Cash. I wanted to take a moment to share a little more detail about this legal action. At its core, this legal challenge is about how the Treasury Department exceeded the authority Congress and the President granted it in sanctioning open source technology, rather than sanctioning the bad actors who used it or the property of those bad actors. No one wants criminals to use crypto protocols, but blocking the technology entirely (which is what this sanction essentially does) is not what the people’s elected representatives authorized — especially when there are effective routes to more narrowly target bad actors. These sanctions represent a significant unauthorized expansion of OFAC’s authority, and they have harmed innocent people seeking to legitimately protect their privacy and security using this technology, as the stories of these six individuals make clear.
Tornado Cash Sanctions
On August 8, 2022, Treasury’s Office of Foreign Assets Control (“OFAC”) sanctioned Tornado Cash, an open source software project that uses smart contracts to allow users to send assets privately on the Ethereum network. As part of this action, OFAC added to its Specially Designated Nationals and Blocked Persons List (“SDN List”) Tornado Cash’s smart contracts, which are publicly available, open source tools that anyone can access to send assets from their private accounts and withdraw them to a different crypto address. Smart contracts are essentially code that is not controlled by any individual or group and is executed by the Ethereum network according to strict rules that cannot be modified.
While prior OFAC sanctions against individuals or entities sometimes listed crypto addresses owned or controlled by these bad actors, OFAC has never before sanctioned an open source technology like the Tornado Cash smart contracts. For example, when OFAC sanctioned the North Korean Lazarus Group, it added eight Ethereum addresses to the sanctions list — each were accounts controlled by the Group where they held their assets.
In this case, by adding the Tornado Cash smart contracts to its SDN List, OFAC made it illegal for any U.S. person to use this privacy protocol — banning this technology for all.
OFAC Exceeded Its Authority From Congress and the President in Sanctioning Open Source Technology
Federal agencies, like the Treasury Department, ultimately get their authority to act from the people’s representatives in Congress, which enacts legislation defining an agency’s powers. When operating, federal agencies must act within the bounds of that Congressionally defined authority. If an agency’s action exceeds those powers, Congress has also authorized courts to review that action, with the remedy being to set aside the unlawful action. These challenges are critical to preventing executive overreach and ensuring agency action stays within the bounds of what the people’s representatives in Congress allowed.
Applying these principles here, Congress passed the International Emergency Economic Powers Act (“IEEPA”), authorizing the President to freeze the assets of, and prohibit transactions with, any person determined to be a threat to the United States, and the President delegated this power to Treasury to issue sanctions. However, this delegated power only authorizes OFAC to target persons or their property.*
We are supporting the legal challenge to the Tornado Cash action because the Tornado Cash smart contracts are neither person nor property. This means OFAC exceeded its authority from Congress when it recently added these to the SDN List — effectively banning the technology for all U.S. persons. The outcome sought by this challenge is to have OFAC remove these crypto addresses associated with software from its SDN List, so that U.S. persons can once again use this privacy technology.
First, at the risk of stating the obvious, Tornado Cash open source smart contracts are not persons. They are lines of code, not humans, corporations, or organizations. Tornado Cash’s smart contracts enable a user to deposit tokens from one crypto address and later withdraw those same tokens to a different crypto address, and are executed automatically without human intervention. They are a privacy tool, a technology, that is neither human nor an entity.
Second, and for similar reasons, the Tornado Cash smart contracts are also not property. The ordinary meaning of “property” is something owned, a possession, or a tangible or intangible item that someone has legal title to possess.** The smart contracts are non-proprietary, open source code not controlled by any individual or group. Instead, they are simply programs that run on the Ethereum network according to preset rules that cannot be changed or altered. In the case of the Tornado Cash smart contracts, anyone in the world can send ETH to these contracts, which will then run according to preset instructions that neither the original developers of the code nor those sending or receiving funds can change. When an individual uses these smart contracts, they never turn over control of their assets to another individual or group and assets are not commingled or mixed; they simply use the privacy code to send and then withdraw their assets.
These Novel Sanctions Harmed Innocent Individuals and Threaten the Critical Development of Crypto Privacy Protocols
Unlike in traditional finance, ETH transactions are transparently recorded on the Ethereum blockchain. That means anyone with a computer can view the transaction history and balances associated with a particular user’s address. So, when users send ETH from their address to a recipient’s address, anyone can use a public blockchain explorer to look up that sender’s prior transactions, learn about their spending habits, and check their account balance.
While this transparency is important for auditability and verification, it poses privacy challenges for Ethereum users who reasonably want to protect their personal financial information. For the same reasons that you’d be reluctant to publicly share all your private bank statements that detail your spending history, a person who receives their salary in ETH does not necessarily want everyone knowing how much they make or how they spend their funds.
The Tornado Cash privacy protocol allowed users to regain that privacy. Using smart contracts, a user could deposit assets from one crypto address and withdraw crypto assets to a completely different address, severing the otherwise clear connection to their prior transactions. Once withdrawn, the user could transfer those assets without fear of exposing their entire financial history or net worth to third party strangers. The plaintiffs in this lawsuit represent a cross section of crypto users and developers who used Tornado Cash to protect their privacy and security for various legitimate reasons — from wanting to safely donate to Ukraine war relief without risk of Russian retaliation, to concealing salary deposits that would show how much they earn, to preventing malicious actors from targeting their homes to try to steal large quantities of crypto assets held in their wallets. By creating new, private crypto addresses when sending funds to strangers, these plaintiffs could avoid disclosing their personal accounts, which they use to hold their assets and send personal transactions.
In this way, crypto privacy protocols are not only critical to the development of the crypto ecosystem, they are an important tool to protect individuals against hackers and thieves who may otherwise target owners of crypto addresses that hold significant assets. The sanctions against Tornado Cash have not only blocked this open source technology to U.S. persons, but cryptographers and developers have also been scared away from contributing to other important privacy projects, fearful that their code will be sanctioned in the future.
Coinbase is Committed to Combating Illicit Finance and Supports Reasonable Regulations and Action Against Bad Actors
Coinbase is fully committed to combating illicit activity and sanctions evasion. We regularly partner with and advise law enforcement and regulators on a range of cryptocurrency topics, support critical law enforcement investigations, and respond to many thousands of subpoenas a year. We fully support OFAC’s overarching national security objectives and greatly appreciate the important work it does to sanction bad actors and block the property those actors control. However, in the Tornado Cash action, OFAC did not target the bad actors or the property controlled by those actors; instead, it took the unprecedented step of sanctioning open source technology — a tool legitimately used by many innocent people even if also by some bad actors. We do not believe Congress authorized this, and for good reason. After all, we do not shut down email or the internet code because among its many users are some criminals. That is why we are funding and supporting this challenge by six crypto users seeking to regain critical tools needed to protect their privacy and security.
*50 U.S.C. § 1702(a)(1)(B).
**American Heritage Dictionary of the English Language 1412.
Sanctions Should Target Bad Actors. Not Technology. was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.
8 September 2022 13:32