Tl;dr: Coinbase is funding a lawsuit brought by six individuals challenging the US Treasury Department’s sanctions on Tornado Cash smart contracts and asking the Court to remove them from the US sanctions list The lawsuit explains that OFAC exceeded the authority of Congress and the President in sanctioning open source technology, instead of sanctioning bad actors who used it or the property of those bad actors.
By Paul Grewal, General Counsel
Today, Brian Armstrong shared why Coinbase is funding and supporting a six-person challenge (including two Coinbase employees) against new Treasury Department sanctions on open source software associated with Tornado Cash. I wanted to take a moment to share a little more detail about this legal action. At its core, this legal challenge is about how the Treasury Department exceeded the authority Congress and the President gave it by sanctioning open source technology, instead of sanctioning the bad actors who used it or the property of those bad guys. actors. Nobody wants criminals to use cryptographic protocols, but blocking the technology entirely (which is what this sanction essentially does) is not what the elected representatives of the people authorized, especially when effective routes exist to more specifically target bad guys. actors. These sanctions represent a significant unauthorized expansion of OFAC’s authority and have harmed innocent people legitimately seeking to protect their privacy and security using this technology, as the stories of these six individuals make clear.
Tornado Cash Penalties
On August 8, 2022, Treasury’s Office of Foreign Assets Control (“OFAC”) sanctioned Tornado Cash, an open source software project that uses smart contracts to allow users to privately send assets on the Ethereum network. . As part of this action, OFAC added to its Specially Designated Nationals and Blocked Persons List (“SDN List”) Tornado Cash smart contracts, which are publicly available open source tools that anyone can access to send assets from your private accounts and withdraw them. to a different cryptographic address. Smart contracts are essentially code that is not controlled by any individual or group and is executed by the Ethereum network according to strict rules that cannot be changed.
While previous OFAC sanctions against individuals or entities have sometimes listed crypto addresses owned or controlled by these bad actors, OFAC has never before sanctioned an open source technology like Tornado Cash smart contracts. For example, when OFAC sanctioned North Korea’s Lazarus Group, it added eight Ethereum addresses to the sanctions list, each of which were accounts controlled by the Group where they held their assets.
In this case, by adding Tornado Cash smart contracts to its SDN List, OFAC made it illegal for anyone in the US to use this privacy protocol, banning this technology for everyone.
OFAC exceeded its authority from Congress and the president in sanctioning open source technology
Federal agencies, such as the Treasury Department, ultimately derive their authority to act from the people’s representatives in Congress, which enacts legislation defining an agency’s powers. In operating, federal agencies must act within the limits of that authority defined by Congress. If an agency’s action exceeds those powers, Congress has also authorized the courts to review that action, with the remedy of setting aside the illegal action. These challenges are critical to preventing executive overreach and ensuring that agency action remains within limits permitted by the people’s representatives in Congress.
Applying these principles here, Congress passed the International Emergency Economic Powers Act (“IEEPA”), which authorizes the President to freeze assets and prohibit transactions with anyone determined to be a threat to the United States, and the President delegated this power to the Treasury to issue sanctions. However, this delegated power only authorizes OFAC to attack people or their property.*
We are supporting the legal challenge to Tornado Cash’s action because Tornado Cash smart contracts are neither person or property. This means that OFAC exceeded the authority given to it by Congress when it recently added them to the SDN List, effectively banning the technology for all US persons. The intended result of this challenge is for OFAC to remove these associated cryptographic addresses. with your SDN List software, so Americans can use this privacy technology again.
First, at the risk of stating the obvious, Tornado Cash’s open source smart contracts are not people. They are lines of code, not humans, corporations or organizations. Tornado Cash smart contracts allow a user to deposit tokens from one crypto address and then withdraw those same tokens to a different crypto address, and execute automatically without human intervention. They are a privacy tool, a technology, which is neither human nor an entity.
Second, and for similar reasons, Tornado Cash smart contracts are also non-proprietary. The ordinary meaning of “property” is something that is owned, a possession or a tangible or intangible item that someone has legal title to possess. ** Smart contracts are non-proprietary open source code that is not controlled by any individual or group. Instead, they are simply programs that run on the Ethereum network according to preset rules that cannot be changed or altered. In the case of Tornado Cash smart contracts, anyone in the world can send ETH to these contracts, which will then be executed according to preset instructions that neither the original developers of the code nor those sending or receiving funds can change. When an individual uses these smart contracts, he never gives control of his assets to another individual or group and the assets are not combined or commingled; they simply use the privacy code to send and then withdraw their assets.
These new sanctions harmed innocent people and threaten the critical development of crypto-privacy protocols.
Unlike traditional finance, ETH transactions are transparently recorded on the Ethereum blockchain. That means anyone with a computer can see the transaction history and balances associated with a particular user’s address. So when users send ETH from their address to a recipient’s address, anyone can use a public blockchain explorer to look up that sender’s past transactions, learn their spending habits, and check their account balance.
While this transparency is important for auditability and verification, it poses privacy challenges for Ethereum users who reasonably want to protect their personal financial information. For the same reasons you would be reluctant to publicly share all of your private bank statements detailing your spending history, a person who gets paid in ETH doesn’t necessarily want everyone to know how much they earn or how they spend their funds.
Tornado Cash’s privacy protocol allowed users to regain that privacy. Using smart contracts, a user could deposit assets from one crypto address and withdraw crypto assets to a completely different address, severing the clear connection to their previous transactions. Once withdrawn, the user could transfer those assets without fear of exposing their entire financial history or net worth to outsiders. The plaintiffs in this lawsuit represent a cross-section of crypto users and developers who used Tornado Cash to protect their privacy and security for various legitimate reasons, from wanting to safely donate to Ukraine war relief without risk of Russian retaliation, to hiding wage deposits that show how much they earn, to preventing malicious actors from targeting their homes to try and steal large amounts of crypto assets held in their wallets. By creating new private crypto addresses when sending funds to strangers, these plaintiffs could avoid revealing their personal accounts, which they use to hold assets and send personal transactions.
In this way, cryptoprivacy protocols are not only critical to the development of the crypto ecosystem, but are an important tool to protect people against hackers and thieves who might otherwise target crypto address owners who They have significant assets. The sanctions against Tornado Cash have not only blocked this open source technology from Americans, but cryptographers and developers have also been afraid to contribute to other major privacy projects, fearful that their code will be sanctioned in the future.
Coinbase is committed to combating illicit finance and supports reasonable regulations and action against bad actors
Coinbase is fully committed to fighting illicit activity and sanctions evasion. We regularly partner with and advise law enforcement and regulators on a variety of cryptocurrency issues, support critical law enforcement investigations, and respond to many thousands of subpoenas a year. We fully support OFAC’s overall national security goals and greatly appreciate the important work it does to sanction bad guys and block property those actors control. However, in the Tornado Cash action, OFAC did not target the bad actors or the property controlled by those actors; instead, it took the unprecedented step of sanctioning open source technology, a tool legitimately used by many innocent people, but also by some bad actors. We don’t think Congress authorized this, and for good reason. After all, we do not close email or Internet code because among its many users there are some criminals. That is why we are funding and supporting this challenge of six cryptocurrency users looking to recover the critical tools needed to protect their privacy and security.
*50 USC § 1702(a)(1)(B).
**American Heritage Dictionary of the English Language 1412.