Protecting the First Amendment rights of coders to develop and publish code is a core EFF value. It’s also one where we’ve played a central role in developing the law. So, we were happy that the court in the Tornado Cash lawsuit dismissed a government objection and accepted our amicus brief in support of the plaintiffs.
The case, Van Loon v Department of Treasury, arises from the U.S. Treasury Department’s decision to put Tornado Cash, an open-source project, on its specially designed nationals (SDN) list. As a result of that listing, the project was taken down from GitHub. Developers were deeply concerned that they might face charges and fines for simply participating in it.
Our brief draws on decades of legal and practical experience with open-source developers to explain why putting the open-source project on a sanctions list could set a dangerous precedent and violate First Amendment protections for code development.
EFF long ago helped establish that publishing computer code is protected speech under the First Amendment. As we explained to the court, whenever the government seeks to restrict our speech—including code—based upon its content, its actions are subject to the highest level of scrutiny and must be done in the least speech-restrictive means available. The Treasury Department Office of Foreign Assets Control (OFAC) failed this test when it included the open-source project in placing “Tornado Cash” on the SDN list.
By way of background, the SDN designation made it a crime to interact with any part of Tornado Cash, which the government knew included the open-source project published and collectively developed by dozens of developers on GitHub. The SDN listing not only chilled those developers’ speech, it also understandably caused GitHub to remove Tornado Cash code from its website. Importantly, reaching the GitHub repository was not necessary to address concerns about the approximately one-third of the actual uses of the Tornado Cash software on the Ethereum blockchain that were allegedly illegal.
We understand and support the important government interests the SDN list is intended to address. But no matter how justifiable its goals, the government’s actions still must be properly tailored to avoid causing fear, confusion and censorship of scientific development and academic exchanges. OFAC did not do so for Tornado Cash. For example, as we explained to the court, the removal of the code from GitHub hindered our client, Professor Matthew Green, from using it in his classes at the Johns Hopkins Information Security Institute that study privacy-enhancing technologies..
And the government’s subsequent actions didn’t remedy matters. After we wrote to the Treasury Department about our concerns, the agency did not narrow its definition in the SDN order, but instead added in its public FAQs that U.S. persons would not be prohibited from copying open-source code and making it available online for others to view, “as well as discussing, teaching about, or including open-source code in written publications, such as textbooks, absent additional facts.”
While this announcement removed the immediate threat of legal action against Professor Green and others for specific educational uses, or basic copying, making available, and teaching the extant code, it did not resolve the chilling effects of the listing on open-source developers or GitHub. This is especially true since OFAC did not specify what “additional facts” might create severe criminal liability. As a result, developers still do not have clear notice about whether they can, for instance, take a piece of the code and use it in another program, including another kind of mixer. Predictably, there has been little, if any, further development or use of the open-source project.
Open-source developers and GitHub are owed more under First Amendment. That the code may be later used by others to take illegal actions does not undermine protections of their speech. The SDN listing creates serious civil and criminal penalties, yet the government has still provided no clear guidance as to what would run afoul of its prohibition on Tornado Cash.
At the same time, the government has demonstrated that it could clarify what the listing means for open-source developers and that less restrictive alternatives exist. It had the ability to tailor its prohibition to its legitimate concerns about, for instance, the Tornado Cash mixer being used to launder Ethereum coins from a North Korean hacking group. The government could, at the very least, have clarified at the outset that it would not be applied to the open-source project hosted on GitHub or that it would only be applied to actual transactions, not the publication of the code itself.
There are many other important and interesting legal arguments in the case, and the parties in the lawsuit and other amici have addressed them. EFF focused on this issue because it is foundational to a free and open Internet, with ramifications including, but also far beyond, cryptocurrency and mixers.
We are urging the court to recognize these actions for what they are—unconstitutional violations of the First Amendment—and hold the government to the appropriate higher standard.