The U.S. Office of Foreign Assets Control (OFAC)'s placement of “Tornado Cash” as an entity on the Specially Designated Nationals (SDN) sanction list raises important questions that are being discussed around the world. OFAC explained its sanction by saying “Tornado Cash (Tornado) is a virtual currency mixer that operates on the Ethereum blockchain and indiscriminately facilitates anonymous transactions by obfuscating their origin, destination, and counterparties, with no attempt to determine their origin,” and, therefore, is a “threat to U.S. national security.”
The issues EFF is most concerned about arise from speech protections for software code and how they relate to government attempts to stop illegal activity using this code. This post outlines why we are concerned about the publication of this code in light of what OFAC has done, and what we are planning to do about it.
On August 8, acting under Executive Order 13694, OFAC added something it called “TORNADO CASH (a.k.a. TORNADO CASH CLASSIC; a.k.a. TORNADO CASH NOVA)” to the SDN list, along with a long list of digital currency wallet addresses. Once an entity is on the sanctions list, U.S. persons and businesses must stop “dealing” with them, including through transfers of money or property.
According to the Treasury Department, the Tornado Cash mixer has been used to launder Ethereum coins, including coins worth millions of U.S. dollars from the Lazarus Group, a Democratic People’s Republic of Korea (DPRK) state-sponsored hacking group, as well as the proceeds of several ransomware outfits. We have no reason to doubt this claim, and it is legitimately serious. Like many other kinds of computer programs (as well as many other tools), the Tornado Cash smart contract on the Ethereum blockchain can be, and indeed is, used for legal activities, but it is also used for illegal ones. According to Chainalysis’ study of mixers generally, known “illicit [wallet] addresses accounted for 23 percent of funds sent to mixers this year, up from 12 percent in 2021.”
Confusingly, however, the name “Tornado Cash” could refer to several different things, creating ambiguity in what exactly is sanctioned. Tornado Cash “Classic” and “Nova” refer to variants of the software that exist in both source code form on GitHub and running on the blockchain. Tornado Nova is a beta version, with functionality apparently limited to 1 ETH/transaction.
Meanwhile, the OFAC press release quoted above refers to “Tornado Cash” as both an anonymity-enhancing technology and a sanctioned entity. “Tornado Cash” is also the name of the underlying open source project that developed and published the code on GitHub; the name of the autonomous mixer software that resides as a smart contract (application) running on the Ethereum network; and the URL of the tornado.cash website (listed by name on the SDN list). It could also be considered a name for an entity consisting of some set of people involved with the mixer. OFAC did not identify or list any people involved with the mixer as sanctioned by name. While the OFAC listing is ambiguous, Coin Center has drilled down on what it believes is and is not a sanctionable entity in the Tornado Cash situation, distinguishing between an entity and the software itself.
EFF has reached out to OFAC to seek more clarity on their interpretation of the sanctions listing, especially the scope of what OFAC means by “Tornado Cash,” and we hope to hear back soon.
EFF Representation of a Computer Science Professor’s Right to Publish Code
EFF’s most central concern about OFAC’s actions arose because, after the SDN listing of “Tornado Cash,” GitHub took down the canonical repository of the Tornado Cash source code, along with the accounts of the primary developers, including all their code contributions. While GitHub has its own right to decide what goes on its platform, the disappearance of this source code from GitHub after the government action raised the specter of government action chilling the publication of this code.
In keeping with our longstanding defense of the right to publish code, we are representing Professor Matthew Green, who teaches computer science at the Johns Hopkins Information Security Institute, including applied cryptography and anonymous cryptocurrencies. Part of his work involves studying and improving privacy-enhancing technologies, and teaching his students about mixers like Tornado Cash. The disappearance of Tornado Cash’s repository from GitHub created a gap in the available information on mixer technology, so Professor Green made a fork of the code, and posted the replica so it would be available for study. The First Amendment protects both GitHub’s right to host that code, and Professor Green’s right to publish (here republish) it on GitHub so he and others can use it for teaching, for further study, and for development of the technology.
Code is Speech is a Core Principle
For decades, U.S. courts have recognized that code is speech. This has been a core part of EFF’s advocacy for the computer science and technical community, since we established the precedent over 25 years ago in Bernstein v. U.S. Dep’t of State. As the Tornado Cash situation develops, we want to be certain that those critical constitutional safeguards aren’t skirted or diluted. Below, we explain what those protections mean for regulation of software code.
Judge Patel, in the Bernstein case, explained why the First Amendment protects code, recognizing that there was:
“no meaningful difference between computer language, particularly high-level languages …, and German or French … Like music and mathematical equations, computer language is just that, language, and it communicates information either to a computer or to those who can read it. ... source code is speech.”
The Sixth Circuit agreed, observing in Junger v. Daley that code, like a written musical score, “is an expressive means for the exchange of information and ideas.” Indeed, computer code has been published in physical books and included in a famous haiku. More directly, Jonathan Mann recently expressed code as music, by singing portions of the Tornado Cash codebase.
Thus, the creation and sharing of a computer program is protected by the First Amendment, just as is the creation and performance of a musical work, a film, or a scientific experiment. Moreover, as Junger and Bernstein acknowledged, code retains its constitutional protection even if it is executable, and thus both expressive and functional.
Establishing that code is speech protected by the Bill of Rights is not the end of the story. The First Amendment does not stop the government from regulating code in all cases. Instead, the government must show that any regulation or law that singles out speech or expressive activity passes constitutional muster.
The first and key question is whether the regulation is based on the software’s communicative content.
In Reed v. Town of Gilbert, the Supreme Court has said that “defining regulated speech by particular subject matter” is an “obvious” content-based regulation. More “subtle” content-based distinctions involve “defining regulated speech by its function or purpose” (emphasis added).
A regulation that prohibits writing or publishing code with a particular function or purpose, like encrypting communications or anonymizing individuals online, is necessarily content-based. At a minimum, it’s forbidding the sharing of information based on its topic.
The Legal Standards for First Amendment Scrutiny
Content-based laws face strict scrutiny, under which, as Reed explains, they “are presumptively unconstitutional and may be justified only if the government proves that they are narrowly tailored to serve compelling state interests.”
Thus, government regulation based on the content of code must be “narrowly tailored,” which means that laws must be written so narrowly that they are using the least restrictive means to achieve their purposes. This means that the government cannot place restrictions on more speech than is necessary to advance its compelling interest. Under Junger, functional consequences of code are not considered a bar to protection, but go to whether a regulation burdening the speech is appropriately tailored.
The government frequently argues that regulations like this aren’t focused on content, but function. That’s incorrect, but even if the government were right, the regulation still doesn’t pass muster unless the government can show the regulation doesn’t burden substantially more speech than is necessary to further the government's legitimate interests. And the government must “demonstrate that the recited harms are real, not merely conjectural, and that the regulation will in fact alleviate these harms in a direct and material way.” (Turner Broad. Sys. v. F.C.C.).
Under either analysis, GitHub has a First Amendment right to continue to host independent copies of the Tornado Cash source code repository. Professor Green’s fork and publication through GitHub is protected, and neither the hosting nor the publication of these independent repositories violates the OFAC sanctions.
The government may have legitimate concerns about the scourge of ransomware and harms presented by the undemocratic regime in the Democratic People’s Republic of Korea, but the harm from fund transfers does not come from the creation, publication, and study of the Tornado Cash source code for privacy-protective technologies.
Nor will prevention of that publication alleviate the harms from any unlawful transfers over Tornado Cash. Indeed, given how the Ethereum network functions, whether or not Prof. Green publishes a copy of the code, the compiled operational code will continue to exist on the Ethereum network. It is not necessary to further the government's interest in sanction enforcement to prohibit the publication of this source code.
Moreover, improvements and other contributions to this fork, or any other, are also protected speech, and their publication cannot be constitutionally prohibited by the government under either standard of scrutiny.
Based on thirty years of experience, we know that it takes a village to create and improve open source software. To ensure that developers can continue to create the software that we all rely upon, the denizens of that village must not be held responsible for any later unlawful use of the software merely because they contributed code. Research and development of software technology must be able to continue. Indeed, that research and development may be the very way to craft a system that helps with this situation, offering us all options to both protect privacy in digital transactions and allow for the enforcement of sanctions.
OFAC should do its part by publicly issuing some basic clarifying information and reducing the ambiguity in its order. Regardless of how one feels about cryptocurrency, mixers, or the blockchain, it’s critical that we ensure the ongoing protection of the development and publication of computer software, especially open source computer software. And while we deplore the misuse of this mixer technology to facilitate ransomware and money laundering, we must also ensure that steps taken to address it continue to honor the Constitution and protect the engines of innovation.
That’s why EFF’s role here is to continue to ensure that the First Amendment is properly interpreted to protect the publication, iteration and collective work of millions of coders around the world.