As many will remember, in August of 2022 the Treasury Department’s Office of Foreign Assets Control (OFAC) placed what it called “Tornado Cash,” along with a list of Ethereum digital wallet addresses, on its “Specially Designated Nationals” (SDN) sanctions list. The goal was to prohibit anyone within the United States from “dealing” with the service, including by sending money to it or receiving money from it.
This unclear order prompted GitHub to take down the code repository and, within a few days, a Tornado Cash developer in the Netherlands was arrested for unnamed reasons and two contributors had their GitHub accounts suspended. A wave of fear and uncertainty swept the open source community about criminal liability for writing or developing code for the Tornado Cash project and related projects.
We wrote about our concerns with OFAC’s actions, and outlined the steps we were expecting to take in response.
Our concerns were straightforward. Governmental actions targeting the publication of code based upon its topic necessarily target speech, triggering First Amendment scrutiny. This is especially clear when that action impacts lawful academic exchanges and scientific development, as OFAC did here. For example, as we explained to OFAC, the removal of the code from GitHub hindered the ability of our client, Professor Matthew Green, to use it in his classes that study privacy-enhancing technologies.
We wrote to OFAC directly regarding Professor Green’s case. OFAC did not respond substantively to us, but a few weeks later they did issue some guidance in the form of an FAQ. The FAQ relieved some of our most critical concerns, but it left others. The entire process demonstrates how ill-suited OFAC processes are to situations involving scientific and academic speech, or to volunteer-supported open source code development of dual-use tools like mixers.
Specifically, OFAC added to their FAQ Answer 1076, which says:
While engaging in any transaction with Tornado Cash or its blocked property or interests in property is prohibited for U.S. persons, interacting with open-source code itself, in a way that does not involve a prohibited transaction with Tornado Cash, is not prohibited. For example, U.S. persons would not be prohibited by U.S. sanctions regulations from copying the open-source code and making it available online for others to view, as well as discussing, teaching about, or including open-source code in written publications, such as textbooks, absent additional facts. Similarly, U.S. persons would not be prohibited by U.S. sanctions regulations from visiting the Internet archives for the Tornado Cash historical website, nor would they be prohibited from visiting the Tornado Cash website if it again becomes active on the Internet.
This announcement made any legal action against Professor Green—or others copying, making available, and teaching using the code—very unlikely. That is good news.
But the FAQ only addressed interacting with the code as is. It is silent about further development or reuse for other purposes. This is an important issue. Developers should have clear notice about whether they risk criminal liability if they develop the code further or do other things with it, like taking some of the Tornado Cash code and using it in another kind of mixer or in some other project. And the "absent additional facts" limitation on the FAQ is certainly neither clear nor specific, leaving programmers with little certainty about what they can and cannot do with the code beyond the specific examples like putting it into a textbook.
The facts here also demonstrate how the OFAC process is a poor fit for the First Amendment values required for the scientific publication, education and development processes involved in open source code and computer science more generally. The OFAC process lacks clear notice, is vague, and lacks the due process-style requirements for quick decisionmaking and review. Most obviously, OFAC’s decision to issue the original sanctions order in a way that made no attempt to distinguish between all of the things called Tornado Cash and potential uses of them caused much confusion and a tremendous chilling effect. It caused an entity as large and well-lawyered as Microsoft (the parent company of GitHub) to believe that they needed to take the code down entirely. It also caused many developers to fear that their contributions to the code could cause them to be criminally prosecuted.
It’s good that OFAC backed off with a FAQ after five weeks, but in the area of speech, the government must do better.
Even if OFAC changes course internally, that doesn’t mean that the legal questions surrounding OFAC’s actions have been completely settled. Two lawsuits, one brought by Coin Center and another by Coinbase, are questioning whether OFAC was authorized to sanction Tornado Cash, and whether the sanctions order violates the Constitution. Both cases raise important legal issues. EFF will be watching these cases closely and participating in them where we see a need.
Finally, looming over this case is the larger question of financial privacy, which is turning up in other contexts as well. As one example, the White House’s Office of Science and Technology Policy (OSTP) recently concluded a comment period on digital assets research and development, and one area of inquiry included in their request for information was privacy. We submitted comments that focused in large part on the importance of financial privacy and the harms that can arise when it is discarded.