A take on open-source software and financial privacy in a centralized world
On August 8, 2022, the Treasury’s Office of Foreign Assets Control (OFAC) decided to sanction the cryptocurrency mixer Tornado Cash on the grounds that, as per the Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson, it has “… repeatedly failed to impose effective controls designed to stop it from laundering funds from malicious cyber actors on a regular basis and without basic measures to addresses risks.” Apart from emphasizing the mixer as a US national security issue, the Treasury’s press release further refers to it as a “…mixer that has been used to launder more than $7 billion worth of virtual currency since its creation in 2019.”
The news about the sanctions, and the arrest of one of Tornado Cash’s contract developers, caused a lot of commotion throughout the web3 space, understandably so. Since then, people such as Vitalik Buterin (co-founder of Ethereum), Peter Van Valkenburgh (research director at Coin Center) and Tom Emmer (member of the US Congress) have been voicing their concerns on Twitter and other media, as well as to OFAC directly.
It seems that the sanction caught the community off guard, as it somewhat undermines two essential and widespread notions, namely “Not your keys, not your money” and “Code is speech”. Let’s dive in.
Foundations
OFAC sanction and its effects
Tornado Cash as a sanctionable entity
Real use-cases for blockchain anonymity
Alternative solutions
Closing remarks
An open-source, decentralized blockchain such as Bitcoin is built on the premise of a trustless, peer-to-peer and immutable infrastructure. To uphold the integrity of the network, which is synonymous with its immutability, every transaction is recorded and verified by the nodes constituting the network, which also provides traceability. As a result, every on-chain transaction connected to an address will be traceable for as long as the chain exists. There are, however, certain situations in which, for privacy reasons, this is not desirable.
Tornado Cash is a virtual currency mixer that utilizes smart contracts on the Ethereum blockchain to provide a solution to this matter. It enables users to conceal the source and destination of their assets through its open source, decentralized and non-custodial infrastructure. The process utilizes zk-SNARK technology, where a cryptographic note is generated and received by the sender as proof of the interaction. That same note can then be used to access the same amount of funds, without traces from the original wallet, from a new wallet address. Thus, it also provides one of the most advanced methods to launder fraudulent cryptocurrency.
Globally, money laundering is estimated at 2-5% of global GDP per year, or $800 billion to $2 trillion – making Tornado Cash’s $7 billion since 2019 close to a 1% fraction. Moreover, according to Chainalysis’ report on Tornado Cash (see figure 1, below), only 10.5% of the funds sent to Tornado Cash can be attributed as stolen, which is closer to $700 million:

The sanction’s primary target is entities that use Tornado Cash illicitly, such as the North Korean state-sponsored Lazarus Group of hackers, involved in the $625 million breach related to the developer behind Axie Infinity. However, it affects all users, criminal and non-criminal alike, that have interacted with the Ethereum addresses constituting Tornado Cash on the Specially Designated Nationals (SDN) list or received funds from such wallets. This translates into being blocked from transacting on US-based exchanges and, for example, from utilizing DeFi protocols such as Aave.
It also resulted in action from Circle, the global financial firm and issuer of USD Coin (USDC). To abide by its legal obligations, as presented in the sanction, it froze USDC assets linked to the 44 SDN-listed addresses. Another example is GitHub, an open source collaborative code hosting platform, which decided to remove Tornado Cash’s source code and ban its contributors from the platform.
Additionally, two days after the sanctions were made public, a developer behind the Tornado Cash software, Alexey Pertsev, was arrested in the Netherlands on suspicion of “involvement in concealing criminal financial flows and facilitating money laundering”, according to the Dutch financial crime authority (FIOD).
The decision by the U.S. Treasury’s Office of Foreign Assets Control (OFAC) to sanction Tornado Cash is the first of its kind to target smart contracts, let alone “privacy-enabling” code. Unlike the sanction against Blender.io in May, the one against Tornado Cash deems its constituting smart contracts sanctionable entities. Instead of targeting a specific set of individuals and/or a company, which was the case with Blender.io, this sanction targets the self-executing code on a public blockchain where no single individual or entity is responsible for its continuous operation.
There is a case to be made that this autonomous code is not “property in which some foreign country or national has an interest”, which would invalidate OFAC’s authority to execute this sanction through the International Emergency Economic Powers Act (IEEPA). However, the legislation still holds if one argues that software is intellectual property. In other words, per the sanction’s current designation, Americans can neither create nor use open source software (intellectual property), even if the authors have no economic interest in it.
Furthermore, Jerry Brito and Peter Van Valkenburgh at Coin Center present arguments that this sanction deprives Americans of property as well as liberty and, in doing so, undermines the Fifth Amendment. Thus, the basis of the sanction could be regarded as unconstitutional.
As the world becomes increasingly integrated into web3 and more transactions move on-chain, there will be growing demand for solutions providing financial privacy. Below are various instances in which blockchain anonymity could be appreciated:
Donations to support a cause
Firstly, cryptocurrency has shown repeatedly that it’s a viable and efficient way of raising funds if a country and/or its monetary system is in crisis, for example to support Ukraine in its ongoing war against Russia. However, anyone supporting one side of the war can become a target for the enemy, not only in terms of cybercrimes, and anyone on the receiving end could potentially end up in even worse situations if the donation isn’t anonymous (depending on who the sender is and their relation to the enemy). The latter is the reason Vitalik Buterin donated to this cause utilizing Tornado Cash:


Secondly, it can concern donations to support a political party during an election period or charities dealing with controversial topics. Not allowing anonymity can make a person think twice about their donation, if they choose to make it at all, or change their decision based on the risk of being excluded from their community and/or the risk of other repercussions that could negatively impact their family and career. This, in turn, indirectly affects the outcomes of such endeavors negatively.
Personal reasons
The need for financial privacy could also be based purely on a personal preference not to be scrutinized and/or constantly observed on-chain, just as in the discussions surrounding tracking on the internet. This could include risks to a person’s security, such as publicly exposing one’s total net worth, liabilities etc. Furthermore, it may be for reasons including embarrassment over unsuccessful investments and/or investments regarded as non-professional, such as memecoins, controversial NFTs etc.
With a world increasingly on-chain, as discussed earlier, finding solutions that comply with Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) obligations (US law) is of great necessity. There are, in fact, several potential solutions to this matter, if implemented.
One solution could be to clone the existing mixer and add a safelist that permits only users on that list to call the deposit function on the mixer’s smart contract. The safelist, containing publicly recognized good actors, could be provided by OFAC and would exclude other users. However, such a safelist would undermine the anonymity aspect.
Another solution could be to utilize a DAO and a vetting process, put forward by a committee in cooperation with OFAC for example, to gain entry and access to the mixer. This provides a higher level of accessibility, as all wallets can theoretically apply, but also a threshold for certain actors. Additionally, a limit could be set on users’ daily/weekly/monthly use of the mixer depending on the level of clearance the wallet has gained. These clearance levels could be based on a framework provided by a DAO, in cooperation with OFAC.
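The deposit gate described in the two proposals above can be modelled off-chain, as an added example that is not code from Tornado Cash or from the author of this article: a safelist keyed by address, with clearance levels that cap deposits over rolling daily, weekly and monthly windows. The class name, the two clearance levels, the cap values and the whole-ETH units are assumptions made for illustration.

```python
from collections import defaultdict

DAY = 86_400  # seconds
WINDOWS = {"day": DAY, "week": 7 * DAY, "month": 30 * DAY}

# Hypothetical clearance framework: level -> cap per rolling window (whole ETH).
LIMITS = {
    1: {"day": 1, "week": 5, "month": 10},
    2: {"day": 10, "week": 50, "month": 100},
}


class GatedMixer:
    """Model of a safelisted deposit gate with per-level usage caps."""

    def __init__(self):
        self.clearance = {}                # normalized address -> clearance level
        self.deposits = defaultdict(list)  # normalized address -> [(timestamp, amount)]

    @staticmethod
    def _norm(address):
        # Ethereum addresses are case-insensitive hex; checksummed forms mix
        # case, so the list must be compared on a normalized form.
        a = address.lower()
        if len(a) != 42 or not a.startswith("0x"):
            raise ValueError("malformed address")
        if any(c not in "0123456789abcdef" for c in a[2:]):
            raise ValueError("malformed address")
        return a

    def grant(self, address, level):
        # Called by the vetting body (OFAC-provided list or DAO committee).
        if level not in LIMITS:
            raise ValueError("unknown clearance level")
        self.clearance[self._norm(address)] = level

    def revoke(self, address):
        self.clearance.pop(self._norm(address), None)

    def used(self, address, now, window):
        # Sum of deposits strictly inside the rolling window ending at `now`.
        start = now - WINDOWS[window]
        return sum(amt for ts, amt in self.deposits[self._norm(address)] if ts > start)

    def deposit(self, address, amount, now):
        """Return 'ok', or the reason the deposit is refused."""
        addr = self._norm(address)
        level = self.clearance.get(addr)
        if level is None:
            return "not_cleared"
        if amount <= 0:
            return "bad_amount"
        # The deposit must fit every window of the wallet's clearance level.
        for window, cap in LIMITS[level].items():
            if self.used(addr, now, window) + amount > cap:
                return f"limit:{window}"
        self.deposits[addr].append((now, amount))
        return "ok"
```

The gate is evaluated on the depositing address, so every accepted deposit is tied to a vetted wallet, which is the anonymity trade-off noted above.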
In summary, a world increasingly on-chain demands legal solutions that ensure financial privacy for its users. The OFAC sanction’s primary intent is to target entities that use the protocol illicitly, but it affects all users alike. It also suggests that decentralized protocols ensuring financial privacy for their users on open source and decentralized networks may be subject to some of the compliance obligations to which centralized services are held.
However, there are many who question the basis on which this sanction was made. For one, the sanction designates the smart contracts constituting Tornado Cash as sanctionable entities. This translates into having essentially made the use of autonomous software illegal. Secondly, it treats open source software as intellectual property, and as such, it can’t be used by Americans, even though there is no economic incentive for the authors. Moreover, without any information prior to this sanction to protect law-abiding Americans from being affected, this could render the sanction unconstitutional.
Again, it’s not a question of whether software ensuring financial privacy will exist; rather, it’s a question of when and how it can become compliant with US authorities, or whether it even must be, for it to be used legally. To facilitate this process, as Congressman Tom Emmer points out, more information must be provided by OFAC. There are already many potential solutions, such as safelisting publicly recognized good actors, but without clarity it’s hard to implement or use the services that the space so urgently needs.
In conclusion, there are legitimate intentions on both sides in this matter. To facilitate and nurture the continuous growth of this space, regulation should be welcomed as it provides clarification. However, as seen in the commotion against this sanction, there needs to be cooperation – in the interest of the continued growth of this space. My only wish, as the author of this article, is that the perception that “… technology is neutral, and expectation of privacy is normal”, as Tom Emmer so eloquently put it, remains.