Epicenter - Learn about Crypto, Blockchain, Ethereum, Bitcoin and Distributed Technologies - Peter Van Valkenburgh: Coin Center – The Sanction on Tornado Cash

Episode Date: August 24, 2022

On August 8, 2022, the US Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash, citing allegations it helped North Korea's Lazarus hacker group launder millions of dollars worth of crypto proceeds stolen from various crypto projects over the past few years. Coin Center believe that OFAC has overstepped its legal authority by adding certain Tornado Cash smart contract addresses to the Specially Designated Nationals And Blocked Persons (SDN) List, potentially violating US Americans' constitutional rights to due process and free speech.

Peter Van Valkenburgh, Director of Research at Coin Center, joined us for an in-depth look at how OFAC operates, why he believes this sanctioning represents an overreach, what's next for Tornado Cash, and what this means for the rest of the blockchain ecosystem.

Topics covered in this episode:
- An overview of the Tornado Cash case
- What is the Office of Foreign Assets Control (OFAC)?
- How is it determined who gets on the OFAC list? What happens to you if you're on the list?
- Does this only apply to US Americans?
- How does one get removed from the list?
- What did Tornado Cash do wrong, and what should they have done?
- Is there an acceptable level of maliciousness within the system?
- Comparison to PGP
- Why Tornado Cash was targeted over other privacy enhancing tools
- The reaction from the crypto ecosystem

Episode links:
- OFAC - The Office of Foreign Assets Control
- Coin Center
- Tornado Cash on Twitter
- Coin Center on Twitter
- Peter on Twitter
- Join the Epicenter team!

Sponsors:
- Tally Ho: Tally Ho is a new wallet for Web3 and DeFi that sees the wallet as a public good. Think of it like a community-owned alternative to MetaMask. - https://epicenter.rocks/tallycash

This episode is hosted by Friederike Ernst. Show notes and listening options: epicenter.tv/458

Transcript
Starting point is 00:00:00 This is Epicenter, episode 458 with guest Peter Van Valkenburgh. Welcome to Epicenter, the show which talks about the technologies, projects and people driving decentralization and the blockchain revolution. I'm Friederike Ernst, and I'm speaking with Peter Van Valkenburgh again, who is the director of research at Coin Center. We're here to talk with Peter. I'm here to talk with Peter about the Tornado Cash situation. But before I do that, let me tell you about our sponsor. This week, our sponsor is Tally Ho, and Tally Ho is redefining the wallet as a public good. You can think of it like a community-owned alternative to MetaMask. It offers a much smoother user experience compared to many other wallets and has an impressive
Starting point is 00:00:58 user interface. So basically, you can see all your account balances at once and swap between assets from within the wallet at a much lower price. The wallet also offers one of the best ledger integrations and full ENS and UNS domain support. And it's recently added its first side chain, Polygon. And on Tally Ho, Polygon support is now built in automatically and ready to use. And with Tally Ho, you can enter the Metaverse with a Web3 wallet that's fully community
Starting point is 00:01:29 owned and operated. It's also a DAO. So the commitment to community ownership stretches far beyond the wallet. In January, they became the first sponsor of ethers.js, an open-source JavaScript library helping developers connect to Ethereum, and they recently announced a pledge to commit 2.5% of their total token supply to a Gitcoin architect. So head to tally.cash slash download to redefine your Web3 wallet experience. And I would also like to announce that we are hiring.
Starting point is 00:02:00 We are looking for a community manager to help grow the audience of Epicenter and take us to the next level. And if you're passionate about crypto and creating great content, reach out to us. There are details on the job description in the show notes. And please also share this with anyone who you think might be a good fit for this position. Okay, Peter, it is so good to have you on. You have been on many times before to talk about regulatory matters in the yes. Usually it's bad news when I'm here, right?
Starting point is 00:02:37 Usually it is bad news. We still like having you on. And today we're here to talk about the Tornado Cash situation. So can you give us a short rundown of what happened? Yeah. So I guess in very brief, there is an office within the United States Department of Treasury called OFAC, the Office of Foreign Asset Controls. And the Office of Foreign Asset Controls is the division of Treasury that enforces and sets policy for U.S. sanctions. And sanctions is, as many of your listeners, probably already know,
Starting point is 00:03:14 sort of probably the chief policy tool, foreign policy tool that the U.S. uses these days. Because mercifully, we don't go to war very often, but when we have states that we identify as enemy states or we have persons that we identify as involved in terrorism or other horrible activities, we use the sanctions to cut them off from the global economy to the extent that the U.S. can get away with that because we have most of the banks and a lot of the systems for moving money. And OFAC is the office that does it. So OFAC, they get their power from this statute that was passed by Congress in the
Starting point is 00:03:53 middle of the 20th century called the International Emergency Economic Powers Act. That statute came from originally an older law called the Trading with the Enemy Act. So you can get us. That one actually has more of a flavor of what it actually is, you know. The more modern language is more polite, but it also maybe hides the ball a little. And under that statute, the president or anyone that they delegate, which in this case would be the Secretary of Treasury and the director of OFAC, can identify emergencies. In this case, there's a cyber emergency that was declared at the end of the Obama administration because of North Korean hackers and ransomware and other things like the Lazarus Group. And so under that emergency, the office can then take action to investigate, to block,
Starting point is 00:04:44 to prohibit Americans from interacting with, from using, transferring, importing, importing, the property of a foreign person or group of persons. And so that's a very sweeping power. You can find that at 50 USC 1700. And where have we seen that power used in the past? We've seen that power used in the past to designate persons like the Lazarus Group, which was the hacker collective in North Korea, as sanctioned persons, which means as an American,
Starting point is 00:05:17 you're no longer allowed to transact with those persons. Last May, we saw them bring sanctions against blender.io, which was a Bitcoin mixer. It was a custodial Bitcoin mixer where you sent Bitcoin to certain addresses, a few people, probably Russian foreign nationals, were sort of loosely organizing that, controlling the funds sent to those addresses, mixing them and sending them back to you. So blender.io and its aliases, like its website and its Bitcoin addresses were added to the OFAC list. And then just last week, or two weeks ago now, I suppose, the Office of Foreign
Starting point is 00:05:54 Asset Controls announced that they were sanctioning, and this is their press release, another mixer like Blender.io, and that other mixer turns out to be Tornado Cash. And this has led to, I think, maybe we would think on this podcast or a lot of people listen to this podcast, somewhat predictable confusion and outrage and fear, because while we didn't particularly mind, may have even agreed with the notion of sanctioning the Lazarus Group or sanctioning some Bitcoin addresses that are controlled by people who are actually actively mixing people's funds on their behalf, Tornado Cash is, of course, a different kind of mixer. It's non-custodial. At least 21 of the sanctioned addresses. So there's this list, the SDN list, where the names Lazarus Group,
Starting point is 00:06:44 blender.io, Tornado Cash all show up. And this list usually also includes aliases or identifiers of the sanctioned person's property. And so in the Tornado Cash example, at least 21 of the Ethereum addresses added to that list, and we've had several people look at this to confirm, are credibly autonomous or immutable contracts running on the Ethereum blockchain with no ability of the original authors of those contracts to update them, change them, control the funds moving through them. They're really just robots on the internet. And so this raises all kinds of questions because as an American, you're not allowed to interact with anything on the SDN list. Typically, that's not too hard because it's like, oh, I guess I can't buy this house in Iran anymore.
Starting point is 00:07:30 That's the property of a foreign national. But if the thing on the OFAC list is suddenly not a house in Iran or a bank account in Panama, it's just this public tool that's widely available to anyone who syncs up with the Ethereum network, it creates all kinds of ripple effects as to like, I guess I can't interact with this. I can't touch this. I can't. What if my money's locked in the contract because I was using it for my own personal privacy? And it also raises very practical questions of how the law is supposed to work, which we can get into. Coin Center's interest here is, I think, primarily to do with whether OFAC has overstepped its statutory powers. Because the statutory powers say you're allowed to block property in which a foreign country or national thereof has an interest.
Starting point is 00:08:17 But does a foreign country or national have an interest in those 21 smart contracts that literally, no one has control over. I don't think they do by virtue of the very real and provable fact that those persons or people can't change that contract. And so we would argue, and we may end up arguing in court, that this is beyond the statutory powers that Congress granted OFAC and therefore it's not a permissible action. And then the developers of the original contract are probably going to end up, they may end up in court. They may say, look, all we did was write software. Yes, we are kind of like a loose group of people that contribute to an open source software
Starting point is 00:08:59 project that ended up creating these contracts on the Ethereum blockchain. But they are not our continued property. We had no intent to allow North Korea to use this tool to launder money. And we're researchers and software developers. And so we should deserve some protection under free speech standards, at least in the US, maybe in Europe as well. And so this is all unfolding in real time. and you have lots of questions I know that we can use to drill deeper into it.
Starting point is 00:09:30 Yes, I have lots of questions. So you know me so well. Maybe let's start at the tail end. So let's say I am a very unfortunate individual and I end up on the OFAC list. So what exactly does that do to me? So basically you said basically by the powers that kind of the United States government is somehow imbued with because, you know, it has so much of the economy under its control and the banking system and so on. And I get cut off from the international economy.
Starting point is 00:10:01 What does that actually look like? So, I mean, to be very clear, the powers that are described in IEEPA, the International Emergency Economic Powers Act, are powers to prevent Americans from transacting with you if you're on the SDN list. And so, you know, if you think of that in a minimized way, you think, well, I just can't deal with America anymore. But of course, America is where many, if not the majority of large technology and finance companies are based, whether it's Google, whether it's J.P. Morgan, whether it's Wells Fargo, you know. And all of these companies together form huge swaths of critical infrastructure around the world, whether it's for moving packets of data or moving money. That's changing. That's changing for a couple reasons. I think Europe and certainly China and Russia don't like having to rely on these intermediaries because they're realizing that that means
Starting point is 00:11:03 they can be fully cut off if, say, somebody is sanctioned in those countries. And it's also changing because of folks like your listeners who are building decentralized tools with the goal of replacing intermediaries with software so that we can have a more neutral and fair world. But at least in the meantime, obviously, if no American or American corporation is allowed to interact with you or your property, whether it's by transacting with your property or materially supporting you or selling you DNS registry services or any number of other things, you are going to have a hard time doing whatever it is you wanted to do. And, you know, to be very honest, that is, in some cases, a good and effective tool for seeing the change that we want to see in the world as Americans.
Starting point is 00:11:51 It's a little bit aggressive. It's less aggressive than going to war with the country. And so, I mean, it would be wrong not to address the elephant in the room, which is that Vladimir Putin invaded Ukraine just recently, has brought the world to the brink of global conflict closer than it's been in, you know, probably a century or half a century. And the main tool that we're using to fight that, aside from the Ukrainians who are fighting it directly, is sanctions.
Starting point is 00:12:20 I'd point out that there was actually a really provocative and convincing thread that somebody tweeted recently that I was looking at and I retweeted about all the ways the Russian oligarchs are getting around sanctions because they can kind of have backroom deals with powerful bankers around the world and say like, you don't really want to sanction me. You want to sanction Vladimir Putin, which completely takes all the wind out of the power of the sanctions' sails and is also unsurprising, given how corrupt we know the international banking sector actually is. And that's where most money gets laundered. But, you know, this is the way we do foreign policy. This is how things have evolved in the latter half of the 20th century and the 21st century. And so, you know, this is the power. And we can have a debate about whether that power is justified, whether it's kind of the U.S. being a bully, whether we want the U.S. to be a bully in some cases and don't want them to be a bully in other cases, right? And then what happens ultimately when something ends up on the U.
Starting point is 00:13:18 the SDN list that maybe isn't properly the target of sanctions, like isn't actually an al-Qaeda terrorist or a North Korean hacker, but is a tool that's used by a bunch of innocent persons just trying to defend their own privacy online. So seeing that I, for instance, am not an American. And I mean, I have a Bank of America bank account, obviously that would be gone. But seeing that I also bank with German banks, would they also close my accounts? I mean, is it a transitive ban? So basically, if they interact with me,
Starting point is 00:13:54 then American banks disallow to interact with my German banks. So this gets into something that is also fundamental about the way we've done financial surveillance and control in the last half century. We don't have very clear standards and rules. We have what is called, euphemistically, a risk-based approach to anti-money laundering and counterfinancing of terrorism policy. And what that means is if you're a bank, say a U.S. bank or an international bank with many
Starting point is 00:14:32 contacts in the U.S. because you want to engage in correspondent banking, you want to connect to all the U.S. people, so you, on behalf of your European customers or things like that, then you are obligated under U.S. laws and maybe under the laws of your own country, which happened to look a lot like U.S. laws because of an organization called the Financial Action Task Force, which was started out of the OECD, still meets in Paris every year, tries to make sure that all the member nations, and there's no treaty here, there just happens to be sort of voluntarily sent delegates from every member state around the country, around the world, tries to make sure that all the member nations have the same anti-money laundering standards.
Starting point is 00:15:13 And all of this comes down to a what I said earlier is a bit of a euphemism, a risk-based approach. And so I can't give you a firm answer that the book of anti-money laundering compliance here in the U.S. says a transaction that's two hops away from an OFAC sanctioned Ethereum address is okay, but one hop away is not okay. It's a risk-based approach. And so every institution is going to look at their risk and think, oh, do I want to touch that or not? And I don't think it's surprising to say that bankers are inherently conservative people who are fairly risk-averse, except when it comes to maybe leveraging customer assets to make big profits. They're certainly, I mean, you know, they're certainly risk-averse when it comes to their regulators because their regulators can shut them down. And so you end up with this default regime of extreme caution.
Starting point is 00:16:07 Yeah, there's no black-letter rule that says, I'm not allowed to touch a transaction that's now eight hops away from an OFAC-sanctioned address. but because it's eight hops away, I still suspect it. And, you know, if I'm worried about my bank examiners coming into our back room and looking through our books and asking questions, I'll just not do it, especially if it's not profitable to me. And, you know, especially in crypto winter, maybe, it's not profitable to me. So the collateral consequences are pretty severe. And it's all because of this sort of, you know, there's a fog. There's a fog of fear and uncertainty. There's no clear standard.
Starting point is 00:16:42 and therefore the standard that it becomes the default rule is just extreme risk aversion because the penalties are so severe. I think one thing I haven't explained on this podcast yet, which I probably should have led with, is that a violation of OFAC, in other words, an American transacting or someone subject to American jurisdiction, a U.S. person, a violation by transacting with a sanctioned entity, if it's willful, is a $1.5 million fine and 30 years in jail. Those are maximums, but the prosecutor is perfectly within the rights to seek the maximum.
Starting point is 00:17:20 And just to underscore how grave this is now, there's a fellow in New York state, I believe, a professor at one of the New York universities who used Tornado Cash to donate to Planned Parenthood to support abortion rights here in the U.S. and then tweeted about it. He outed himself. He's like, yeah, I violated the law. And so, you know, you couldn't ask for a more open-shut case of a willful violation of OFAC. And I don't know.
Starting point is 00:17:50 I don't know the guy personally. So he seems like an okay guy on Twitter. I would not want him to get slapped with a $1.5 million fine and 30 years in jail. Okay. That is pretty steep. So surely there's a good process of determining. who actually gets on this list, right? I mean, it's a rather slap dash list of different entities.
Starting point is 00:18:19 So how am I notified in advance if they're going to put me on it? Do I have due process? Can I appeal? I'll say one thing about the list. The U.S. government's not usually good at providing machine-readable data in consistent data formats. They have a tendency to like announce things through a PDF. You can get the OFAC list in JSON, you can get it in any format you want.
Starting point is 00:18:44 It's like well-structured and regular. They have conventions that they always use. Like certain things are in parentheses. It's great data. They don't mess around in this case. It's maybe a slapdash list as far as how it's an amalgam of everyone that the American government considers an enemy at a given point in time. But it's good data.
Starting point is 00:19:04 It's very clean. So you asked a different question about due process. In the U.S., U.S. persons, especially American citizens, and there's some gray area about foreign nationals residing in the U.S., but let's just say, you know, American citizens to start to take the easiest case, have what we refer to as procedural due process rights. And those are described in the Fifth Amendment of our Constitution, which means it's really, you know, the highest law of the land. Even Congress can't pass a law that abrogates those rights unless it passes a new constitutional amendment, which we only do every 40 years or so to the extent we ever do it at all because it requires really high majorities and the approval of the states. So the highest law of the land says that you have procedural due process. And procedural due process in rough summary, because
Starting point is 00:19:56 it's been explained in case after case since the founding of the republic, looks like this. Before there is a deprivation of your liberty or property, you should have notice. In other words, like a warning. This is going to happen. We're going to take this action. And then maybe after the deprivation, but at some point, not long after the deprivation, an opportunity for a hearing, public hearing, where the evidence against you can be shared, you can bring witnesses impeaching that evidence.
Starting point is 00:20:28 and then a decision by a neutral decision maker, which ideally and typically would be what we call an Article III judge, you know, part of our judiciary, not this goes to the separation of powers that, you know, Montesquieu and Locke and others started talking about during the Enlightenment is that we don't want the executioner
Starting point is 00:20:50 to also be the judge and jury. And so, you know, these are the standards. And so you might say, okay, does OFAC follow these standards? And the answer is not really, usually. And so then you might say, okay, is the Constitution just a joke? No, it's just been chipped away at in a couple interesting ways. So first of all, most people who end up on the OFAC list, groups or entities, are foreign nationals,
Starting point is 00:21:15 and they don't have constitutional rights under our system. And that's kind of a larger conversation. I mean, this is why Guantanamo Bay was not located on U.S. soil. It's a little insidious. We'll leave that at that. What if you are an American who ends up basically on the OFAC list because you're maybe part of a group or an entity that may have some foreign control, but also has Americans in controlling part of it? Here, in theory, you do still have constitutional rights, we would hope, for procedural due process. But there's only a couple of cases, and they're mostly about Islamic charities, Holy Land versus Rams.
Starting point is 00:21:57 and I think Haramadan, I may be mispronouncing that, versus U.S., which is an Oregon-based charity that was allegedly or putatively doing education about, you know, Islam and religious traditions and supporting, you know, education, but may have also been supporting Al-Qaeda. Anyway, in these situations where some U.S. entity is involved, The standard for procedural due process is weakened. And these are really, there's a saying, bad facts make bad law, because when you go up before a judge and you're here to defend your procedural due process rights, if the judge thinks you're just an al-Qaeda terrorist, they may kind of ignore the fact that you're an American
Starting point is 00:22:47 citizen. So, you know, I'm not saying that case law is bad, but it's certainly not favorable. It basically says, look, national security needs to be balanced against procedural due process rights, which means we can't erode them completely because that would be an abrogation of our Constitution. But we can say we don't need quite as robust notice and public hearing and neutral decision-maker requirements in the national security context as we do in the typical deprivations of liberty context, say under like environmental protection regulation or something like that. And there's this series of factors called the Mathews factors, which says, are there some processes in place? We know this is national security, so we're going to allow there to be less processes in place. But are there some?
Starting point is 00:23:37 And do they still offer some level of safeguard against abuse of these powers and abuse of our procedural due process rights? And honestly, these are the processes that typically are in place with OFACs. I'm only now kind of getting to the heart of your question, like what are the processes in place? hopefully this has been educational. Typically, if for example, if for example, let's take an example that's more, that's difficult. The easy example is like an Iranian national who's got a Bitcoin address and is just taking money from ransomware attacks at that Bitcoin address.
Starting point is 00:24:13 The harder example is something neutral, where a lot of people use it for legitimate purposes and some people use it for illegitimate purposes. We don't have to use crypto as an example. here because there have been financial institutions added to the SDN list, like a Honduran bank, for example, that might have been laundering money for their drug cartel, but also had legitimate accounts from people in Honduras and maybe even people in the U.S. In these cases, there's usually a lot of work done by OFAC to make sure that while achieving
Starting point is 00:24:44 their goal, which is to sanction the bad behavior and the bad people, and also to to push for change in the behavior of those people. Like, OFAC repeatedly says, we're not just here to punish. In fact, they say we're not here to punish. We're here to change behavior. So typically, you know, folks at Treasury would get on a plane and fly to Honduras and meet with the directors of the bank to make sure that maybe the criminal directors are ousted, that the anti-money laundering policies are improved, that any of,
Starting point is 00:25:22 that any Americans or innocent Hondurans or other internationals who have money can get access to their money. They grant licenses, like specific licenses for people to take their money out of a sanctioned institution. They grant general licenses, like all Americans can take their money out. They grant letters of non-application. You're like, yeah, this is a strong sanction, but actually it doesn't apply to anyone who's doing this with the sanctioned entity. and before all of this happens, they should do what's called a collateral impact assessment. And this is sort of the loosey-goosey equivalent of a hearing. It's not public.
Starting point is 00:26:03 It's usually done in private at the agency, at Treasury. But at the very least, there should be some administrative record that's private until maybe it becomes declassified that says, yeah, we knew that we were going to affect a bunch of innocent persons, including some Americans who have procedural due process rights. And these are the steps we took to mitigate. And so the foundational question from a due process standpoint, which may end up getting challenged in court with respect to the Tornado Cash ruling, is did you do a collateral impact assessment? Because it seems like there's at least probably a majority of the users, and certainly a large fraction, are just persons trying to protect their own privacy and not interacting with North Korea, not doing anything wrong, not hackers, many of them Americans.
Starting point is 00:26:50 And did you do anything after in order to help Americans, like, learn what was going on? Like, even a frequently asked questions page is a typical step. It's kind of silly. It's not really law, but at least it helps, right? There's no FAQs about this. Did you grant licenses? Did you work with people to get their money back to the extent it was trapped in a contract that was involved with a sanctioned entity? And if the answer is no, we didn't do
Starting point is 00:27:18 any of that? I can query whether we'll find out or not, but if the answer is no, then I don't think the procedural due process requirements of our constitution have been followed. Okay, so what, maybe let's kind of follow this up by a two-pronged question. So how do you get off the OFAC list? So basically, how do I get off if I'm a person who is on the OFAC list by say a case of mistaken identity. And then how does this translate to the Tornado Cash situation? How would Tornado Cash, who's very much not a person, at least of all an American person, get off the list?
Starting point is 00:28:02 So the case of mistaken identity happens unfortunately quite often. If you have a common name, especially a name that, I mean, let's just be honest, is sort of what is maybe Saudi Arabian by origin or Afghani by origin. And you're like John Smith in their language, which I'm not sure what it is. I'm not going to guess what that is. But you will find that you just can't go through TSA security anymore because there's somebody with the same name that is on the sanctions list. And in this case, they do a few things.
Starting point is 00:28:38 They'll say things like weak identifiers. This is all we know about the sanctioned person. and so we'll put it in quotation marks on the SDN list, which means persons who are enforcing the sanctioned rules like banks and security checkpoints in airports are not to take this literally. They're not to be like, everyone with the name John Smith has to, can't go through the gates anymore.
Starting point is 00:29:00 And if there's more information that definitely seems to identify you, even though you are not a terrorist, then you can apply to have your name removed for mistaken identity or for other reasons. Or you can also apply if it really is you because you've changed your behavior. Again, OPEC says the goal here is not punishment. It's behavioral change. So if you say, like, I've reformed, I'm no longer helping these people launder money.
Starting point is 00:29:28 Take me off the list. There should be a process to take you off the list. Now, that process is by all accounts a slow process and by no means a guaranteed process because it's not like a typical court case where you'll have a public hearing and all this. it's an administrative process, which in theory, you would then later be able to challenge in court, but first you have to go through the administrative process, which could be slow and drag on and be somewhat opaque. But those processes exist. Now, you asked, like, how is it a work in the tornado cash situation? That is the hard one. Because I think it's worth, and this is something,
Starting point is 00:30:05 you know, we've published at Coin Center in our blog posts about this, it's worth dividing what's been added to the SDN list into two caps. categories. There are 21 Ethereum addresses that are, we are quite certain, immutable, autonomous robots that nobody can control or change. And so if the goal is to change behavior, you're not going to get a behavior change from those addresses, because those addresses are persons. They can't change their mind. They're just software that performs as it's supposed to perform. And so, A, there's never going to be this moment where they can say like, yeah, now we're screening because they're not a they. They can't make these choices. And B, there's never going to be a moment where they can come forward and say, hey, take us off the list because they're just addresses on the Ethereum blockchain. They don't have agency. And so to my mind, that means that those addresses will never come off the list. So it's actually not about behavior change. It's just about punishment. And in this case, it's not punishment of an entity because there's no entity behind those addresses. No one's being enriched by the usage of those addresses. It's the punishment of all the Americans and foreign persons who want to use those software tools and are now banned from using those software tools.
Starting point is 00:31:17 And so this gets to this question of like if it's not challengeable at all, is there a procedural due process problem? Because you should have at least some process to challenge a deprivation of your liberty, even in the context of national security where those processes tend to be less rigorous. And then on the other hand, there's a series of addresses and there's the a.k.a. Tornado Cash and the alias of the website, tornado.cash, and some other identifying information that I think OFAC would argue is a group of people who have been working together to build this tool. Now, you know, I don't know for sure to what extent OFAC is aware that these are people doing something very different than what the Blender.io people did. Because of course the Blender.io people were like Russian nationals working together.
Starting point is 00:32:10 They weren't a Delaware incorporated corporation. They were a loose affiliation of people as well, but they had real control over the assets sent to those Bitcoin addresses, and they actually actively mixed them. To the extent there's anyone behind the Tornado Cash entity, I suspect, this is a factual inquiry, which we'll need to actually like people will go through, but I suspect they mostly just write software.
Starting point is 00:32:36 And if all you're doing is writing software and publishing it to the Ethereum blockchain, can you rightly be the subject of sanctions? That's another question. And can you say, look, this is a mistaken listing because we are not engaged in the kind of activity that you think we're engaged in. But this all is still very opaque because, again, when OFAC adds people to the SDN list, it doesn't have a big public hearing. It looks at, say, the authorities on the books, which in this case are the statutory law, IEEPA, and the executive order promulgated by the Obama administration, the cyber order, which says, you know, people are using, many foreign nationals are using these systems of communication to damage U.S. interests,
Starting point is 00:33:30 to destroy critical infrastructure, to steal money from Americans or from other persons. And if you're facilitating that in some way, you can be subject to sanctions. And so there'll be a whole different case about the folks who've developed that open source software. And I don't even know how far that goes also because the interesting thing about open source software projects is, of course, that there are hundreds, if not thousands, of contributors.
Starting point is 00:33:55 Like, I'm fairly certain that Tornado Cash's software libraries include, like, Rust libraries for zero knowledge proofs and things like this that might have been developed by, say, the Zcash Foundation or might have been developed by some cryptographer who predates cryptocurrency even, like going all the way back to the early days of just crypto means cryptography. And so how far back do we go in the chain of software contributions
Starting point is 00:34:22 to define the entity? Can you really be sanctioned merely for publishing code? And then the bigger question, I think, is actually going to be, like, did they do things beyond just publish code? I guess that they someone was paying for the DNS registration for the website. Somebody was probably paying for hosting of the, you know, the GUI, the front end. Are these the kinds of things?
Starting point is 00:34:48 They're still kind of like speech, but they're also sort of marketing speech and helping people use a tool. At what point are you sufficiently helpful in getting people to use a tool, especially if those people happen to be criminals, that you're liable for something like money laundering and properly the target of sanctions. Okay, super interesting background. So I think we have a good grounding on OFAC now. So let's talk about the thing that Tornado Cash in a way is being charged with.
Starting point is 00:35:24 So anything besides the press release that we know, basically what, what the OFAC body thinks Tornado Cash has done wrong? No, there's really just the press release and the fact that the SDN list now contains the alias Tornado Cash. So this is, this is, again, why things are different here than the typical procedural due process context where you get notice of actual specific allegations against you. And so the press release just says that they facilitated money laundering by North Korean cybercriminals, right? And it is, I believe, established by like blockchain forensic folks like Chainalysis and others that the Lazarus Group in North Korea did use the Tornado Cash tools to launder some Ethereum. Or maybe it was USDC.
Starting point is 00:36:18 I'm actually not sure. And so that's the level of specificity we're working on. There was, there was, it's worth noting that right on the, I think, the day or the day after the, the announcement, the press release was dropped, there was a tweet from the U.S. Secretary of State that said, Tornado Cash is a group of North Korean hackers. And, you know, the tweet was immediately deleted, or actually not immediately, it stayed up for a while, which is sort of libelous, quite honestly. But I think, I think somebody realized that like some intern had tweeted on behalf of the U.S. Secretary of State and conflated the users of the tool
Starting point is 00:37:01 with the tool itself, because from what we understand, the tool itself is not developed by North Korea. We're actually quite sure of that, you know? So these allegations are just sort of diffuse and nebulous and damning, but very non-specific charges. It's worth noting that the stuff that showed up in the SDN list doesn't include the names of any open source software developers. Even though several people have had, you know, have had GitHub accounts where they've, in their own name, contributed to the software, have talked about the software and the tools on Twitter. None of these people are named. Are they the group that is Tornado Cash?
Starting point is 00:37:47 I don't know. They weren't specific about this. Typically, there's specificity. Like when the Bitcoin addresses for Iranian nationals were added to the OFAC list, the names of the Iranian nationals showed up. And so, like, we just have to guess. And frankly, and, you know, I have to be careful here because I don't want to be making assumptions about the people in OFAC and how well they're doing their job. But the addresses that are identified as being Tornado Cash's addresses happen to perfectly match the Etherscan addresses that are tagged as Tornado Cash, which seems to indicate that that was the source
Starting point is 00:38:27 for the investigators in figuring out which addresses to add to the list. And I think to anybody who doesn't know, Etherscan is kind of like a Wikipedia tool. Users of Etherscan can tag addresses to describe what those addresses are. It's not an authoritative list. So it is in some ways, if this was the research that was relied upon for the investigation, it's in some ways like citing Wikipedia for your investigation rather than citing a real source. The Tornado Cash documents, like technical documents, actually had a much more comprehensive list of Ethereum addresses that are related to the project, several of which didn't end up on the SDN list. So this is not being done, if you ask me, in a rigorous, legalistic, easily challenged manner.
Starting point is 00:39:16 It's being done in this sort of fog of war that tends to exist around U.S. sanctions policy. So Brian Nelson, he's the Undersecretary of the Treasury for Terrorism and Financial Intelligence, he said following the OFAC press release on Tornado Cash, he said, despite public assurances otherwise, and I'm quoting here, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks. Treasury will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them. So maybe let's talk about what Brian Nelson thinks the Tornado Cash folks should have done. Because as far as I'm aware, only in April the Tornado Cash front end actually blocked Ethereum addresses that were on the OFAC list from using its front end to access the smart contract.
Starting point is 00:40:32 So what exactly should the Tornado project have done to mitigate the alleged laundering of money? I think we can probably say that laundering of money has occurred. So what should they have done? And do you think they were contacted previously and encouraged to do this? Or what do you think happened here in the background that all of us are not privy to? Yeah. Yeah.
Starting point is 00:41:06 So going back to my Honduran bank example, there typically would be some contact beforehand and some active collaboration between the sanctioned entity, if it's an FI, if it's a financial institution, and not just an Iranian national or something like that, to, like, work to try and change behavior again rather than merely punish. I don't know if that happened in this case. I will say that the choice of the phrase, despite public assurances, I think we can guess the choice of that phrase is deliberate so that there weren't private assurances made would be the negative implication of that. Maybe there also were, but they're just not discussed in the press release and by the undersecretary. But the choice of the word public assurances seems to indicate that maybe this was just something that they were doing on their own.
Starting point is 00:42:00 I'll tell you that like any U.S. law firm worth its bar to practice law would tell people like, oh, you're creating a front end website to help people use a technology tool where they can move money. You should probably follow OFAC sanctions. So it's not unreasonable to think that the remaining parts of Tornado Cash that are centralized and run by persons and persons who may be U.S. persons or may have U.S. attorneys, even though they're foreign persons because they worry about all their contacts with U.S. jurisdiction, took these steps, right? And so what are these steps? You described them to the, I don't know any more than what you described, which is that the front end at least, and maybe some of the proxy contracts on the Ethereum blockchain, rather than the
Starting point is 00:42:51 actual immutable root contracts on the Ethereum blockchain, were using Chainalysis's Oracle for sanctions compliance in the way that they were allowing people to use the front end. And that means that you could still, using an Ethereum client and say the command line or any number of other ways to interact directly with the Ethereum blockchain, use these tools even if you were a sanctioned address. But you wouldn't be able to use that front end, which is the part that in theory is still controlled by the entity, which we'll call Tornado Cash, the developers or the persons paying for the DNS registry and things like that. And so to me, that that is a step towards sanctions compliance.
Starting point is 00:43:36 And the fact that this step is perceived as or was not just perceived, but like found insufficient by OFAC, which is why they took this more drastic step to just add the whole thing, add the diffuse name Tornado Cash to the SDN list, was insufficient. It kind of indicates that maybe, I don't know what else they're expecting. Maybe they were expecting that they'd be able to change the original root contract, the 21 addresses that actually do most of the mixing and don't have admin keys that allow updatability. And if that's the case, then they're asking these people to do something that's impossible. They're asking them to break the Ethereum consensus rules on their own, which is not something that an individual can do on their own. That's how these systems are architected. So, you know, I don't think, I think this goes to this larger question of in a typical OFAC sanction against an entity that is not a criminal enterprise, but rather a legitimate business being used by criminals, along with legitimate customers, there would be this give and take, this cooperative effort to just try and make things okay.
Starting point is 00:44:43 You know, specific licenses, general licenses, collateral impact assessments. But it doesn't seem like that's happened here if we just go by the public statement, which is that there were some public assurances and we don't think there are enough. Let's look at maybe the clients of Tornado Cash, right, or the users of Tornado Cash. So in the media, there were different numbers flung around
Starting point is 00:45:09 in terms, basically alleging what proportion of funds that were funneled through Tornado Cash were illicit. So basically, $7 billion went into Tornado Cash in total. And depending on where you actually got your numbers from, it said that between 50 and 70% of the volume was illicit and the rest was licit. If you look at the Chainalysis report, it was more like 25 or 30% that were illicit, still a large chunk, right? So is there generally an accepted level of abuse of a system? So the entire system is not automatically seen as malicious. Because I mean, at some point you kind of, I mean, I don't.
Starting point is 00:46:09 So basically, as much as I am an advocate of privacy and being. I mean, I don't like the North Korean government as much as the next person, right? I mean, they do horrible things. I mean, I think probably some sort of sanctions are in order. And I mean, this is kind of for me, it's like a little bit of the, you know, are we the baddies? Should we kind of, should we change our ways? So what's kind of, what's the acceptable level of misuse of the tools you build, you know, for someone in the sector or in any sector, really?
Starting point is 00:46:49 So I think there's something really pernicious at work here that's much deeper. And so this is more just me, Peter, talking about my ideas about decentralization, and less me talking as like a policy expert or Coin Center. But, and I've tweeted a little bit of this. When you have a base layer like Bitcoin or Ethereum that is public by default, like fully transparent. I mean, if you look at the original Bitcoin white paper, Satoshi wrote, I think it's Section 10 on privacy and says, it's kind of private because you have pseudonyms instead of your real name. But if you keep reusing the same addresses or even, you know, there's change from a UTXO.
Starting point is 00:47:35 Some of it flows back to other addresses you control. You could be identified and this could be a problem. And so Satoshi even knew back then that these things were fairly transparent. And obviously with the rise of blockchain analysis, these things are incredibly transparent, especially to somebody who's got enough money to pay for a high-end blockchain forensic tool. They can learn everything about everything you do. And so the problem with these networks right now is the default is no privacy. A person who's just sort of playing around with the technology or using it for small transactions
Starting point is 00:48:10 or innocent purposes, like because they want to have a dot-ENS domain name and they want to buy a silly NFT and play with their friends online, these people get no privacy by default. The only way to get privacy is to take really difficult additional steps. And those additional steps are, you know, use a tool like Tornado Cash, which is an address,
Starting point is 00:48:37 you know, a series of addresses located at a small part of the Ethereum blockchain. Move money through that, tokens through that and then withdraw them. It might be somewhat user-friendly, but it's not something that an ordinary person is going to do. And so who gets the benefit of anonymity on these networks? It's people who have a lot of money and therefore start to realize the value of privacy. And they might be totally legitimate people who have not committed any crimes and deserve privacy, but query why the rich person then gets privacy, but the small, the small user with only a few ETH or fractions of an ETH don't get privacy.
Starting point is 00:49:19 And it's other people who have high demands from their technology, which are, of course, criminals also have high demands from their technology because they don't get the benefit of courts of law or property rights or other things. And so they're going to use technology to protect their property rights or their contractual rights. And so they're going to have the benefit of anonymity. And this is a really perverse outcome. It's the exact opposite of what we would want. If we were a society that, as Bernard Shaw said, should be judged by how it treats its least wealthy persons, those are the people who should have privacy.
Starting point is 00:49:54 Small individual users of Ethereum for social good or for their own purposes. And, you know, I think probably everyone should have privacy because I don't believe we should be interposing intermediaries that can sort of arbitrate the law before a court even gets involved and block transactions before anyone's been convicted of a crime. But at the very least, we've got this calibration backwards. And so, you know, my only response to, like, to directly answer your question, no, there's no, like, magic number of 10 or 5 or 15 percent where now we're just going to call the thing a criminal enterprise. That doesn't exist in the law. There's just this risk-calibrated anti-money laundering program, which means people will make their own decisions and risk-averse bankers will make very extreme decisions, unless it's their own self-interest that they're protecting, in which case they might happily launder money for Russian oligarchs because they do.
Starting point is 00:50:49 But to me, this conversation misses the point. Like, yes, of course the Tornado Cash addresses happen to have more illicit transactions in them than your typical Ethereum addresses. But that doesn't mean that we shouldn't have privacy. And in fact, that's just evidence of the sad state of privacy on these networks, where the only people who go and seek privacy are people who have really a lot to lose, either because they're rich for legitimate reasons or they're criminals. And so I just think it's the wrong inquiry.
Starting point is 00:51:22 I think I would follow that almost all of the way, but say if you actually took this to the extreme and you had a thing that had like 99.9% of, you know, illicit activity and, you know, no legitimate customers at all, do you think, would you still argue that on, you know, on principle. Well, what is that thing? So that's the other hard question here. Like, if that thing is, is a human, is a lawyer, well, actually, I mean, a lawyer is interesting. All the lawyer's customers are criminals, right? But we still want that lawyer to be able to defend, you know, criminals, right? I mean, they're not yet criminals. They're accused of being criminals. In general, though, like if what we're talking about is software, if literally the only users of software, like 99.9% of the users of the software are criminals, should we just ban the software? I don't think we should ban software. I don't think that that, I don't think it's a, it's not a sensible way to stop crime because the only thing you're going to do is prevent innocent people from buying the software or interacting with the software. And criminals are already criminals. So they don't care if you ban the software. They're going to find,
Starting point is 00:52:36 copies of it somewhere and they're going to use it for their purposes. So like the inquiry here, we need to be specific. Like if the entity that we're saying is doing 99% of their business as money laundering and only 0.1% as legitimate transactions is J.P. Morgan, a for-profit company that's all kinds of tax benefits and other favorable treatment under the U.S. laws, then yeah, we should definitely sanction J.P. Morgan or Deutsche Bank or whoever, Deutsche Bank did launder a whole lot of money for Russian oligarchs, like billions. But if the entity is software, then we're not actually sanctioning some person or thing, unless we say, well, because you wrote this software, you're now guilty for all the things people do with the software in the future.
Starting point is 00:53:27 That's a recipe for destroying people's desire to innovate. Like, if I invent a new material, because I'm a material scientist, and I know it might be used in the barrels of howitzers to make it easier to shell cities, and I'm worried that the collateral consequences of my invention will mean that I end up in jail, I'm just not going to invent new materials, even though these materials also might be the thing that allows us to, I don't know, improve crop yields or fly to Mars or any number of other things. Like we can't start getting in the business of saying,
Starting point is 00:54:01 like, your tools are too good. They're too powerful. And we believe that the human race is so riddled with evil that it doesn't deserve better tools. Like, that's nihilism. Let's talk about good tools, right? So basically, this kind of, this reminds me of the entire PGP saga. You know how the U.S. government insisted that PGP was too powerful a technology to be in civilian hands and that it really was like a weapon.
Starting point is 00:54:37 Do you think this is comparable? This is like that. Yeah. Yeah. I think we're headed down a road where it's comparable, right? I want to point out a couple of details. So what you're referring to is sometimes casually labeled crypto wars or crypto wars one, because maybe we're now in crypto wars two or even three, depending on which incidents you're counting.
Starting point is 00:54:59 And, you know, some of the amazing moments in that first battle were, you know, people would say, look, it doesn't matter if it's a powerful tool and you classify it as a weapon, as munitions. It's code and code is speech. And people, I think Adam Back was one of them actually. People printed up t-shirts with the actual PGP or maybe it was RSA in Perl, the raw characters on the t-shirt, at which point if you walk across the U.S.-Mexico border wearing the t-shirt, you violated munitions export control laws. And so it sort of illustrates the point. This also ultimately got fought out in court in a couple different cases in different circuits. The most notable one for the PGP stuff was Bernstein versus the DOJ in the Ninth Circuit in the California courts. And Bernstein, who was a cryptographer and an academic researcher, won because he was literally, literally publishing PGP in a book. And the court said, look, we have the First Amendment in
Starting point is 00:56:04 this country. You can't have prior restraints on speech. And a licensing requirement to allow academic researchers to publish their code is a prior restraint on people's right to speak, to speak of ideas that are there to communicate scientific or historical or other knowledge about what it is to be human and how to make life better. Because if we start going down that road of having a government censor for all that information, we lose everything that makes us different from our enemies. We lose everything that makes us, I would argue, better than the North Korean government. This is a little different, though, in a few ways that are very important. So that's just background. First, the statutory ground that OFAC is using to designate Tornado
Starting point is 00:56:50 Cash and block Americans from using that tool is the International Emergency Economic Powers Act instead of the ITAR International Trafficking and Arms regulations. These are different authorities. The IEEPA is about blocking the property of foreign nationals. ITAR is about designating certain technologies as weapons. In both cases some of the results are similar. If something is designated a controlled weapon or munition, then Americans aren't allowed to freely move it in and out of the country, publish it widely on the internet, things like that. If property is blocked because it's a foreign national
Starting point is 00:57:40 who's sanctioned has an interest in it, then Americans aren't allowed to interact or transact with that foreign property. But ITAR is designed to deal with technologies, whereas IEEPA is designed to block and limit property and foreign nationals and transacting with foreign nationals. So to me, if OFAC really wanted to do what they did, which is identify at least 21 Ethereum addresses that contain open source code that is not under the control of anyone but can be used by anyone and shouldn't be used by anyone, because that's basically what they're saying, is Americans shouldn't use this technology.
Starting point is 00:58:22 Then they should have designated it under ITAR as munitions and said, you know, Americans aren't allowed to traffic in this. Instead, they said, this is the property of a foreign national, which we're going to argue possibly in court, is not true, because the foreign national in this case, to the extent there even is one, doesn't actually have control over those 21 Ethereum addresses. And so that's how this is subtly different. The legal challenge is going to be different.
Starting point is 00:58:51 Here we would make a statutory argument. You've exceeded your authority under IEEPA. Maybe you had the authority to basically do the same thing under ITAR, but you didn't do that. You abused delegated powers from Congress in IEEPA to do something that should have been done through another avenue. Whereas in the ITAR context, like the Bernstein case, you're going to go straight to constitutional arguments.
Starting point is 00:59:15 And there's something kind of insidious here. Because the Tornado Cash software is identifiable at an address, it looks a little like property. Because, you know, what exists at a regular Bitcoin address or a regular transactional Ethereum address rather than a contract address? Property. Like, to the extent it's not empty. If I send some ETH to an address, that's a regular address,
Starting point is 00:59:41 there's property there. Here, this is not how those addresses work. To the extent there's property there, it's property that's been sent through the contract. The contract is just software logic that controls that property. And actually, the American, if it's an American using it for legitimate purposes, is still the sole person that can ever remove property from that account. So there's no foreign national's property here. And so I think it's inappropriate to use IEEPA in this case.
Starting point is 01:00:10 But to be clear, they're also not doing the ITAR thing. Like, if I want to go and take the source code of the Tornado Cash smart contracts, the Solidity code or whatever, and just start printing it on T-shirts or sharing it online, on my blog, I haven't violated the law. I don't think. Some people might think I've violated the law because they're being extremely risk-averse in their risk-based anti-money laundering program.
Starting point is 01:00:38 But IEEPA didn't say you're not allowed to publish this code anymore. In fact, IEEPA has a big carve out. This is interesting. It's called the Berman amendments after the congressman that introduced these amendments when IEEPA was passed that says you're not allowed to block or limit the exchange of CD-ROMs or information, music, records, things like this. They didn't get up to open-source software libraries because this wasn't, you know, in the 1990s. This was back in, I think, the 70s.
Starting point is 01:01:07 Well, no, CD-ROMs. It must have been the 80s. I should check that out. But anyway, you know, there's a carve out for speech activities in IEEPA. And so that could become very relevant here if there was an attempt to overinterpret the action saying not only are these Ethereum addresses not allowed to be transacted with, you're not allowed to take the code at those addresses and share it widely online or something
Starting point is 01:01:27 like that. Why do you think Tornado Cash was targeted rather than some of the other privacy enhancing tools in Web 3? So things like Zcash, Aztec, Monero, why Tornado? Two big reasons. One is because of blockchain analysis, we can see North Korean hacker money from ransomware attacks flowing directly into the Tornado Cash contracts, right? And this is the really bad outcome you get when the base layer is public by default and you can see people seeking privacy.
Starting point is 01:02:12 And then they might get some privacy, but you saw the money going in. Now the government has this obvious target for this thing that's providing privacy, including privacy for hackers. And maybe they don't, A, recognize that this thing is just a tool and not a business. So they're confusing Blender.com and Tornado in the way they work. And so without thinking too much, they're just like, add another mixer to the SDN list because we can see the funds moving into this, just like we saw the Bitcoin funds moving into the blender addresses.
Starting point is 01:02:41 Or maybe they also don't care that it's different in this context. They still know that they can point to a discernible thing on a blockchain, which makes it look like property, even though it's just ideas. And they say, like, well, you know, Americans shouldn't be able to interact with that address. Very different to say, Americans can't interact with the Zcash protocol, full stop, because what you're basically then saying is Americans can't use a whole stack of technologies that start at the network layer and work up. They're not allowed to, they're not allowed to what, install the client on their computer.
Starting point is 01:03:25 They're not allowed to use the client to transact. Is that different than, I mean, this is a hard question. Is that different than you're not allowed to use the Tornado Cash smart contract? The fact that there is this address that can be added to the list makes it seem different because the address looks like property, even though we would argue it's not. Whereas saying like the Zcash client software and any transactions that you'd make using it starts to look obviously like technology, in which case they should be using ITAR and not IEEPA because you're not blocking property.
Starting point is 01:03:59 To the extent you're blocking property, you're blocking a massive open source MIT licensed software intellectual property that isn't actually owned by a foreign national because it's a massive open source project. I don't know. Let's look at how the ecosystem has reacted, right? So basically, if you look at the status of Tornado Cash now, obviously the smart contracts are still up because they're immutable. The centrally hosted interfaces are down predictably.
Starting point is 01:04:29 It's still readable on IPFS in principle. Lots of RPC endpoint providers actually censor transactions that go to Tornado Cash, notably Alchemy and Infura, which is what a lot of services use. GitHub has frozen or deleted the accounts of the Tornado Cash developers. dYdX has blocked accounts that have interacted with Tornado Cash in the past. Circle has frozen USDC on accounts that have interacted with Tornado Cash in the past. To what extent do you think this is over compliance? I mean, do they actually need to do this? As an RPC endpoint provider, do I have to censor Tornado Cash addresses? As Etherscan,
Starting point is 01:05:31 can I still show Tornado Cash contracts? What's the line in the sand here? Yeah, so under IEEPA and under OFAC rules, you're not allowed to transact with the designated foreign national or their property, right? And so we'd argue that the whole thing, with respect to at least those 21 addresses that are under no one's control, is already over compliance, because those 21 addresses actually shouldn't be on the OFAC list to begin with.
Starting point is 01:06:05 But we would say you need to challenge that in court, and you probably shouldn't violate the law until we get a ruling from a judge. To the extent that there is an entity here that's the legitimate target or legally a proper target for sanctions, what is over-compliance? Again, there's no hard and fast rule here because it's not like there is a black letter standard of this many hops away from a sanctioned person is an okay transaction. And banks historically, in the more traditional context, you know, when they find out the beneficial owner of an account and they realized that they were also sat on the board of a criminal enterprise, even though they themselves might not have been, you know, maybe they're going to take certain risk judgments
Starting point is 01:06:58 and take certain steps in relation to those risk judgments. So it's hard to say. I think of all the things you mentioned, there are ways to make distinctions, though. So to the extent we believe that all the property in the Tornado Cash addresses is actually now legitimately the target of sanctions, then accepting that property in trade is probably, you know, the most obvious violation of sanctions.
Starting point is 01:07:26 Like accepting a transaction from Tornado Cash, which is funny because the way Ethereum works, you don't even necessarily accept it. It just shows up in your wallet, which is the dusting attack that Jimmy Fallon and Shaquille O'Neal have received property now. But that's the most obvious violation, right? If all you're doing is relaying information about the state of those contracts, I could see why a compliance officer in those companies would say, yeah, just don't touch it, just don't even look at it. But really, you're just like reading the Ethereum blockchain and telling someone else what it says, right? And at that point, I have trouble believing that that kind of compliance is the right kind of OFAC compliance. I'm not the lawyer of Infura or anyone, and I wouldn't necessarily advise that they keep doing what they're doing.
Starting point is 01:08:15 But you're really just an information relayer at that point. You're doing information relaying in a way that helps people ultimately make transactions, and so maybe you're assisting or aiding and abetting the violation of sanctions. That's probably the legal hook that they're worried about. But that becomes absurd at a certain point. And like a few things. Like again, there's this Berman Amendment in IEEPA, which was the carve-out for speech activities.
Starting point is 01:08:44 It's worth noting that Section 3 says nothing in this law applies to the importation from any country or the exportation to any country, whether commercial or otherwise, regardless of format or medium of transmission of any information or informational materials. That's actually a really big carve-out. And they then go on to mention all the mediums, like not limited to publications, films, posters, phonograph records, microfilms, microfiche, tapes, compact discs, CD-ROMs, artwork, etc. Wire feeds is actually listed there. Newswire feeds, though, not banking wires.
Starting point is 01:09:21 And, you know, this is an avenue for future research. I don't know all the facts here, but from my understanding, the SWIFT network, which is, you know, used for international banking settlements, has in the past, I've been told, so this is hearsay, but has in the past I've been told, argued that they're not obligated under OFAC restrictions in a 100% kind of like always avoid dealing with parties way because they are, quote, unquote, in a communications network. You know, they're just relaying messages of banks. And the banks need to comply with OFAC, but to be a neutral communications network, we can't sort of do that sort of like address by address or bank number by bank number type sanctioning and control. And so to the extent SWIFT has made this argument in the past, and again, it's sort of hearsay. I've heard that they have, but I don't know specifically where and specifically how. I think the same arguments should apply to an RPC provider, to an Infura, to a miner on the
Starting point is 01:10:20 Ethereum blockchain to all of these sort of people who are third parties to these transactions, and they're really not, they're not actually directly facilitating the transaction. They're just helping people understand the information they need to understand in order to make the transaction. They're really communications providers. They're not actually, they're certainly non-custodial. They certainly can't change the transaction because that would violate the rules of the consensus mechanism.
Starting point is 01:10:46 They could block the communication that ultimately effectuates the transaction, but that really is just blocking communications, which under the Berman Amendment seems to be something that's carved out of the OFAC powers rather than in the OFAC powers. What about if a sanctioned address actually sent money somewhere or made a transaction, they would pay fees, right? They would pay fees to the network. Would that kind of change the situation? Because then, as basically a network provider, as a miner or validator or, yeah, as basically part of that communications realm, I would be accepting tainted money, right? This is great, because this is now, I know exactly what I need to research, because Friederike is asking me the hard
Starting point is 01:11:40 questions. SWIFT charges interchange fees, right? I think so. Now maybe this is where they actually, a bank is, if a bank is actually designated as a sanctioned entity, they'd probably be like, okay, now we're definitely not going to accept, you know, fees from you because we'd be accepting money from a sanctioned party. And that's different than we think some of your customers might be subject to sanctions, but we're just taking fees from the bank intermediary. So maybe that's, maybe that's the dividing line. I don't know. But the mere fact of accepting fees doesn't necessarily, to my mind, invalidate these carve-outs from OFAC because it's pretty clear here the importation from any
Starting point is 01:12:24 country or the exportation to any country, whether commercial or otherwise, it seems to encompass not just like political speech that someone's, you know, shouting from the rooftops because they're a good person. It could be, you know, a data market with data brokers. And I'll add that under First Amendment law here in the U.S. as it's evolved over the last 10, 15 years, one of the most interesting recent cases about First Amendment rights was the Supreme Court threw out a Vermont law on First Amendment grounds, saying, and what Vermont was trying to do with that law was ban prescription drug detailers. So marketers for prescription drug manufacturers, was trying to ban them from trafficking and buying and selling prescriber-identifying information, like the records
Starting point is 01:13:13 that show which doctors are prescribing which drugs. There are whole marketplaces for this in the U.S. because we have a somewhat insane health care system. And Vermont was trying to say, you know, like academics and researchers can buy and sell this information to do research. And generic drug manufacturers can buy and sell this information. But for-profit prescription drug manufacturers are not allowed to have like a marketing arm buy and sell this information. And the Supreme Court said that may be like, you may think that that's legitimate regulation of the prescription drug industry, but you've actually just created a prior restraint on speech and you're not allowed. So they just threw the law out.
Starting point is 01:13:53 So, you know, if that kind of very commercial and to me very non-sympathetic First Amendment activity, like I don't find drug manufacturers very sympathetic in this case. If that's protected speech in the U.S., then I have trouble not being sort of even-handed and saying operating an Ethereum mining client is also protected speech. Doesn't matter if, like, some of the stuff that gets bought and sold over that information, their communications channel, is, you know, unhealthy or bad for America. You know, I don't know, it's a little bit, um, difficult because, I mean, it very clearly seems to be the case that when it comes to OFAC, people are scared shitless and overcompliant.
Starting point is 01:14:47 So basically, say, if you are a validator and basically you're afraid to validate a block with a Tornado Cash or Tornado Cash-like transaction, then there's the attestors, right, on Ethereum 2. So there's like 500 people who need to say, yes, this is correct. If basically, if it starts falling apart at that layer, we have a really big problem. I mean, you don't want to be the person that an example is made out of, right? So it's, I kind of, I kind of see where people are coming from. But I think it's kind of, we as a community probably just have to say we will have to hold our ground here. Yeah. I would also say that that's probably not a good way to design consensus mechanisms.
Starting point is 01:15:44 And I think that's a huge thing to say because there's like a lot riding on Ethereum's move to proof of stake, but like asking real humans to attest something and all of the real humans to attest to something. Oh, it's validators, right? So the validators have to attest. So basically the validators, they have to say, look, this is correct. We saw the same thing. Yes.
Starting point is 01:16:06 Those are real humans, right? And I know the goal of that system is to say. Yeah, but they're people that control the computers. They're real humans. And I know the goal of that system is for them to just run the software correctly, which means anything that's valid according to the consensus rules, which are written explicitly, gets an attestation. So I know it's meant to be just, is it accurate according to the consensus rules, in which case automatically attest. But the fact of the matter is humans control those computers, and so they are capable of deciding whether to attest or not based on information outside of the consensus rules.
Starting point is 01:16:51 Yes. And so that's an attack vector. That's a problem. And so I would argue that this is not a great way to build a consensus mechanism if the goal is for the network to reach consensus over certain fundamental rules and not the subjective or jurisdiction-by-jurisdiction-based opinions of the people operating the network. I don't think Bitcoin's all that much better, honestly, just to be fair to Ethereum people, because there is actually a choice within Bitcoin as to what chain tip you build on top of
Starting point is 01:17:21 where you perform your proof of work. You could say, I'm only going to do proof of work calculations on top of a blockchain that doesn't have sanctioned transactions in it. And then that would also, that would cause a fork in Bitcoin as well. It's a little bit more abstract. The functional result is very similar. But maybe because it's more abstract, it's okay, even though by taking this action, deciding to do my proof of work based on this as my inputs,
Starting point is 01:17:52 I'm adding to the probabilistic finality of these transactions, some of which might be sanctioned transactions. In both cases, it's bad. And this is something that I think has been under-discussed in the cryptocurrency communities, which is, you know, privacy for human rights is one thing. Privacy is also important for consensus. Like miners and validators should not even be aware of the data that they're validating, aside from the limited facts that are relevant to consensus. And to the extent they can become aware of other facts, this thing's not going to work in the long run.
Starting point is 01:18:31 And that's something that I think is actually like a hidden benefit of, say, Zcash, where, you know, the validator is just checking this zero-knowledge proof. And that zero-knowledge proof is the state change that makes all manner of transactions happen or not happen on the blockchain. And the validator doesn't learn anything about the specifics of any of those transactions. So if you really want to build an immutable machine for freedom and individual choice, that doesn't bend to the particular jurisdictional desires of the CCP or the U.S. government or Germany or, you know, Tom and his prejudices at a big corporation, then you can't build a system where consensus, you know, allows the validators to learn a bunch
Starting point is 01:19:20 of additional information about what they're reaching consensus over. I think this is a very fair take. And basically, we will, we as a community will have to discuss this at length, I fear, particularly over the proposer-builder separation, because basically there, the way that blocks are assembled, basically there will be very few entities who will actually, it's likely that there will be a recentralization of entities that actually propose blocks. So yeah, I mean, if there's, you know, only ever three different proposals, yeah, this is horrible. So, yeah, I think this is something that we really need to come to terms with.
Starting point is 01:20:01 We've zoomed way out. I kind of want to circle back for a last round of questions about Tornado Cash. So if I have money in Tornado Cash, what do I do now? If I have an address that has, I'm asking for a friend, by the way, if I have an address that has interacted with Tornado Cash in the past, is this, you know, past redemption? Should I deprecate this and kind of try to launder this, you know,
Starting point is 01:20:32 the other way via centralized exchange as long as I still can? What do you think? Are you an American? Absolutely not. What should I do if I am an American? Yeah. I mean, so if you're an American, the sort of simplest reading of the law is you really shouldn't take your money back out if it's still in the contract. Because it's going to be a very direct example of, you know, there's this sanctioned alias.
Starting point is 01:21:03 And you're going to argue, you've just sanctioned. You didn't sanction it for an entity because I'm the one that controls the funds in that address. No one else controls them, but that's a nuanced argument that requires that law enforcement and OFAC understand the nature of what they've just sanctioned and maybe they don't fully understand it. So don't like force that, force that argument to happen unless you're ready to do it in court. I wouldn't just go and like, it's silly the way they did this. I'll take the money out because then again, it's a willful violation of sanctions law potentially, which is a $1.5 million maximum fine and 30 years in prison maximum jail time, which is pretty intense. So if you're an American, don't. I would say if you're an
Starting point is 01:21:49 American, especially reach out to the Electronic Frontier Foundation, reach out to Fight for the Future, reach out to Coin Center. And I think Coin Center especially might be focusing on this due process challenge where Americans who've done nothing wrong have their funds locked. And, you know, we'll be very upfront. We're talking with our lawyers about potentially bringing a challenge. We've received, Coin Center has received Tornado Cash donations in the past because we're a nonprofit that defends people's rights and people sometimes want to donate privately to nonprofits. And actually, under the U.S. Constitution, you have a right to donate anonymously to a nonprofit because back during the civil rights movement, when Alabama tried to get the NAACP's donor records for very
Starting point is 01:22:40 bad reasons, because they'll show up at your door wearing, you know, potentially Klan masks. Like the Supreme Court said we cannot have a world where the government can just unblind and de-anonymize all the donors to civil liberties organizations because we won't have progress in society then. So like if you're an American that has money locked in that contract, you have standing, I think, to challenge this designation. And Coin Center is interested in challenging this designation on statutory grounds that the designation actually exceeds the authority and the statute because it's not sanctioning property that a foreign national has an interest in. It's sanctioning something that isn't property and that a foreign national doesn't have control over. And so it's not allowed under the statute. I think other people who have standing are actually people who got dusted.
Starting point is 01:23:31 I made a joke about, you know, Jimmy Fallon and Shaquille O'Neal. They had, you know, .eth addresses. They were highly, you know, public about them because of the NFT craze and because of other things. And they've received, I think, each of them 0.1 ETH through Tornado Cash. And that immediately creates very serious legal obligations for the receiver. Under OFAC's regulations, if you accidentally or unintentionally receive sanctioned property, you have 10 days to file a report with OFAC or else you're in violation of OFAC. And you file a report and segregate the property from your other property and not touch it.
Starting point is 01:24:14 Don't even look at it. Send it back. No, actually, don't send it back because then you're sending money to a sanctioned party. So these people also have standing to challenge it because by virtue of simply receiving the unwanted transaction, they've now got very serious obligations under the law, which is an injury, which means that you can challenge the law. And also anyone who has used it in the past and intends to use it in the future. As I said, Coin Center has received donations in the past. We intend to receive donations in the future using Tornado Cash to the extent we can
Starting point is 01:24:50 by law. We have standing to challenge. So that's maybe the unsatisfying answer because you just want your money out of the damn thing. And you didn't do anything wrong. It's not criminal money. It's your money. But I think the wise thing to do would be to challenge it in some process in court, not to just go ahead and take your money back out because that would probably be very unwise from a legal standpoint. What about non-Americans? Yeah, non-Americans. I mean, if it's a big chunk of money especially, but maybe if it's a small amount, they should talk with their lawyers. I'm uncomfortable giving an answer there because I don't, I don't know their particular situation. Like, they could be in some ways under U.S. jurisdiction because of certain
Starting point is 01:25:38 contacts they have in the U.S., business interests they have in the U.S. And so an extreme, aggressive approach from the U.S. prosecutors could be to use long-arm statutes and extradition to get control over people who violate sanctions, even if they're not typically understood American citizens. That's a very, me giving a very cautious, be careful response. I think in general, to the extent you really don't think you're under the U.S.'s jurisdiction, which is always a dubious thing to assume no matter who you are in the world, if you were to take the money out of the contract, yeah, then you're going to have a whole other suite of problems, which is that all the intermediaries that still fill the gaps where decentralization hasn't,
Starting point is 01:26:25 you know, remove their authority are going to, are going to treat you like a sanctioned party, effectively, or party to a sanctioned party. And so you could take it out very well, and it's just going to sit there on the Ethereum blockchain stuck forever because you can't send it to an exchange. You can't send it even to a lot of DeFi protocols because they've taken this very aggressive compliance measure to block usage of their front ends or their protocols. What about addresses, yeah, that have interacted with Tornado Cash in the past? So here's some, it's good, we've got some good news. If you interacted with Tornado Cash in the past before the sanctions, you're not in violation of any laws.
Starting point is 01:27:13 The one thing we know for sure is that sanctions law, as draconian, as extreme as it is, is not retroactive. And if it, if it had retroactive application, i.e. everyone who's transacted in the last 20 years with this entity is now a criminal, even though we didn't say anything until now. If it was retroactive, it'd be unconstitutional as an ex post facto law, which is also in our Constitution. But am I under an obligation to know about this obscure American sanctions list as, you know, an unconcerned European citizen just minding their own privacy? Sorry, that's a little bit of a leading question here. No, I want to say no, but at the same time, if you're like conducting a lot of business globally, you probably do know about it.
Starting point is 01:28:04 Yeah, you do know. Chainalysis has an oracle, you know. Chainalysis has an oracle that you can use on the Ethereum blockchain to identify sanctioned addresses. So like. Okay. Final question, Peter. Alexei, one of the developers behind Tornado Cash, was arrested a day or two after the press release came out.
Starting point is 01:28:28 In the Netherlands, incidentally, what does the future look like for him? And the rest of the Tornado team? I mean, what does he have to fear being a non-American in the Netherlands? Yeah. I'll start with the general question. What does the Tornado Cash software developer team have to fear? To the extent there is an entity Tornado Cash, right?
Starting point is 01:28:57 It's hard to believe that there'd be anyone identified as the actual people in that entity other than the software developers. Maybe some other people as well, but to the extent there's anyone behind Tornado Cash, it's software developers, right? In the U.S., they're going to have constitutional rights. We have pretty strong free speech protections. I'd argue the strongest free speech protections in the world. It's one of the remaining good things about being an American. And so they're going to need to, like, to the extent any legal action is taken against them, because so far there haven't been any arrests by Americans in America, of Americans.
Starting point is 01:29:45 They'll need to defend themselves using the First Amendment as an affirmative defense, I think. And that could go in different directions. And a lot of it's going to come down to the facts of what they did. If all they did was publish software libraries, I think there's actually really strong First Amendment defenses. If they sent even one email to an actually sanctioned person like at the Lazarus Group or whatever explaining how to use their tools and encouraging them to use their tools, then that starts to look much worse. And I don't know any of the facts. And so there's a whole range of behaviors that on one end are the pure publication of information, like Bernstein publishing PGP as a book, obviously defensible under the First Amendment.
Starting point is 01:30:31 And at the other end, like maintaining a website and explaining to a North Korean how they can use that website to launder money. And First Amendment defense could be somewhere in between those two extremes. It's not going to be willfully helping a North Korean to launder money. But it's also not going to be, it's not like you're going to lose your First Amendment defense because you published code in a book. So somewhere in the middle, they're going to have to form their defense. For the arrest in the Netherlands, I don't know. I don't know Dutch law. My last name, Van Valkenburgh, is Van Valkenburgh because some Dutchmen decided to leave the Netherlands back in the 1600s and settle in New York. From what I understand,
Starting point is 01:31:19 and this is something that like folks who are concerned about this should read more about from actual Dutch legal experts or experts in the Netherlands. From what I understand, the Netherlands has a negligent money laundering charge that they can bring against people, which is unusual. There is no similar criminal statute in the U.S. Money laundering is definitely illegal in the U.S., but it is a specific intent crime,
Starting point is 01:31:47 which means you need to prove that the person you're accusing of money laundering had knowledge and specific intent to obfuscate or hide evidence about some specific flow of funds
Starting point is 01:32:03 related to some specific criminal enterprise. You can't just say, because you built tools and anyone could use them for anything and you didn't stop people from using it for bad things, you're negligently laundering money. And I don't know if that's the predicate of the Dutch
Starting point is 01:32:19 statute, but when I hear negligence, I hear there was no intent. The barrel fell out of the warehouse and hit the person on the street. You didn't intend for that injury to happen, but because you didn't have a railing in place, you're liable as the owner of the factory. Like, if that's actually the way the Dutch statute works, then that's very frightening, and I'm surprised that there's a criminal statute like this in the Netherlands because, yeah, I don't know how you defend against that. It seems to create an extraordinary obligation on people who are engaged in commerce or trade or other activities. Like, always make sure that the person you're transacting with isn't trying to move money through you
Starting point is 01:33:07 because they're trying to hide it from criminal dealings. It's like, really am I supposed to just like when I go down to the corner store, be like, hey, guys, I know you mostly sell bananas, but I've seen some shady-looking Russians in your back room, are you actually a front? Because if so, I don't want to buy your bananas. Like, that's nuts. But that is in some ways like an extreme version of a negligent money laundering claim. So I don't have a good answer.
Starting point is 01:33:34 But I hope that the law isn't as bad as it looks from my untrained eye. We're totally over time. And it's been a rather solemn episode because it's such a, it's such an all-encompassing topic, right, privacy and the right to privacy. We recently had Brett Scott on who wrote a book, Cloud Money, about basically his hypothesis is that big finance and big tech kind of merge and kind of leave us all without privacy, squeezing out the last remaining pillar of privacy and, you know, transactions for regular people, namely cash. And I mean, yeah, so I mean, I would actually say that cash very much falls in the same category for me as privacy-preserving cryptocurrencies. To me, they're kind of the same bucket.
Starting point is 01:34:38 So, yeah, and he also had a really dire take on where we're at and where we're headed. Yeah, I started reading Cloud Money. It's excellent. I was actually reading it on the plane to ZCon. And then at ZCon is when the Tornado Cash thing dropped. And so I haven't gotten more than halfway through it. But Brett's great. Brett's a straight shooter.
Starting point is 01:35:09 And his analogy between cash and tools that protect privacy is dead on. Because, you know, the only reason we have this massive surveillance apparatus and the massive power of OFAC and sanctions law is because we've mostly abandoned cash as the main tool for settlement, you know, since the 1960s and onward. And I, the thing I always like to point out to people is like, you think that I'm some sort of, like people who are critics, you think that I'm some sort of anarchist who wants to see the world burn or something. And that by advocating for privacy, I'm secretly advocating for chaos. The world of, like, the early 20th century, for all of its injustice with respect to individual rights and like especially the rights of minority persons and women, at the very least though, like people were allowed to use cash, and it's not as if we had like manifestly more crime than we do today. Like there's lots of reasons why I'm glad I live now and not then, but like
Starting point is 01:36:17 random crime and criminal acts is not necessarily one of them, at least not in the U.S. or in Europe or in a lot of industrialized nations. And so I don't think that a return to that transactional architecture where most transactions are made peer to peer using hopefully what we call electronic cash. Jerry wrote a good paper about this, like Zcash and even ETH, if you're using it through Tornado Cash. I don't think that is a return to some lawless hell. It, like, the world was very ordered back then.
Starting point is 01:36:51 In some ways, the order was bad for other reasons, but not because of cash. So, I think Brett's right. The world has changed radically and not for the better with respect to that aspect of our liberty. Yeah, I think these are good closing words. Peter, if people want to find out more about the work you guys do at Coin Center or donate, maybe even privately. Where can they do that? So we're just, our website's coincenter.org.
Starting point is 01:37:21 We have a donate page that has anonymous donations as a, as a possibility. It's just an Ethereum address. So you can send money to that address. We also accept other cryptocurrencies. And if you want to find out more about our efforts to challenge this action and other work we've been doing to challenge 6050I, a whole other legal challenge we've already brought against the Department of Treasury. Our website's the best resource,
Starting point is 01:37:50 but if you have questions that you want specifically addressed, you should feel free to email me, peter at coincenter.org. I don't mind just having an open inbox and I try to get to things quickly. Perfect. Thank you, Peter. Thank you for coming on again. Thanks, Friederike. Thank you for joining us on this week's episode. We release new episodes every week.
Starting point is 01:38:13 You can find and subscribe to the show on iTunes, Spotify, YouTube, SoundCloud, or wherever you listen to podcasts. And if you have a Google Home or Alexa device, you can tell it to listen to the latest episode of the Epicenter podcast. Go to Epicenter.tv slash subscribe for a full list of places where you can watch and listen. And while you're there, be sure to sign up for the newsletter, so you get new episodes in your inbox as they're released. If you want to interact with us, guests, or other podcast listeners, you can follow us on
Starting point is 01:38:38 Twitter, and please leave us a review on iTunes. It helps people find the show, and we're always happy to read them. So thanks so much, and we look forward to being back next week.
