How do you ban an open-source software project and make it stick?
That’s the question facing the Treasury Department, which last week added the open-source cryptocurrency mixer Tornado Cash to a US government list of individuals and entities blacklisted for sanctions violations. In this case, Tornado Cash – which helps keep cryptocurrency transactions private – was listed for violating sanctions against North Korea.
But Tornado Cash is not a business. It is an open-source software project based on the Ethereum blockchain, maintained by people and servers spread around the world. As the team wrote in a 2020 blog post, “Now, Tornado.cash largely lives by the precepts that code is law. …No one can modify smart contracts and the protocol is decentralized and unstoppable, until Ethereum is modified or removed.”
The US action raises a host of questions about whether a government can actually sanction open source code, rather than individuals, and what widespread effects that might have on not just future open source projects, but anyone who has used Tornado Cash. There were 12,243 unique user deposits to Tornado Cash, according to Dune Analytics, a blockchain analytics platform.
“They weren’t just sanctioning a specific entity or user like, in this case, North Korea,” said Seth For Privacy, the pseudonym of a privacy educator whose work focuses on the cryptocurrency privacy ecosystem.
“Instead, they sanction the whole tool, the whole open source tool of decentralized smart contracts on [the cryptocurrency] Ethereum,” he said. “They went after the whole tool itself which had been used by a sanctioned entity. So that was a big, big change from when sanctions normally targeted an entity using a tool.”
The Treasury Department added Tornado Cash to its sanctions list – known as the Specially Designated Nationals and Blocked Persons List (SDN List) – for allegedly facilitating millions of dollars in cryptocurrency transactions on behalf of hackers affiliated with the North Korean government.
In its statement, the Treasury Department said Tornado Cash “has been used to launder more than $7 billion in virtual currency since its inception in 2019. This includes more than $455 million stolen by the Lazarus Group,” a state-sponsored North Korean hacking group that was sanctioned by the United States in 2019. The department described that theft as the largest virtual currency heist known to date.
“Despite public assurances to the contrary, Tornado Cash has repeatedly failed to impose effective controls designed to prevent it from routinely laundering funds to malicious cyber actors and without basic measures to address its risks,” Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said in a statement. “Treasury will continue to aggressively pursue actions against mixers who launder virtual currency for criminals and those who assist them.”
Contrary to popular belief, few cryptocurrency transactions are private.
Public blockchains, which can be thought of as digital ledgers, keep a record of all transactions. While cryptocurrency wallets, the alphanumeric addresses to which funds are sent, are pseudonymous, the people behind them can be identified.
This is because people publicly post their wallet addresses online, and blockchain analytics firms like Chainalysis and Elliptic have built entire business models on pulling back the curtain and tracking cryptocurrency transactions.
They identify, categorize and track addresses in real time, using modeling and visual representations to follow movements on a blockchain and pick out behaviors. In a sense, they follow the money.
Tornado Cash is a mixer, which means it helps hide the origins and destinations of cryptocurrency transactions and makes them harder to trace, even for law enforcement. People send funds to a smart contract on the Ethereum blockchain, which mixes those funds with other users’ deposits; the funds are then withdrawn to a different address. This contract address was put on the sanctions list even though no one owns it; it is simply a series of ones and zeros performing a task.
Chainalysis, a blockchain analytics firm that has done multimillion-dollar deals with the US military and law enforcement, estimated that 18% of funds received by Tornado Cash came from sanctioned entities, but said “almost entirely, we must note, before these entities were sanctioned”.
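To make concrete how analytics firms “follow the money” and why a mixer contract breaks the trail (and how an exposure figure like the 18% above is arrived at in principle), here is a small added example written for this piece. It is not code from the article, from Tornado Cash or from any analytics vendor, and it runs on a constructed ledger of placeholder addresses (`LABELLED_THIEF`, `MIXER`, `hop1`, and so on) rather than real on-chain data. It builds a transaction graph, traces a tagged address forward until the trail dead-ends at the mixer contract, computes what share of the mixer’s deposits came from tagged sources, and shows that every withdrawal from the contract is an equally plausible destination for the tagged funds.

```python
from collections import defaultdict, deque

# Constructed sample ledger, not real chain data: (sender, receiver, amount in ETH).
# "MIXER" stands in for a mixer smart contract address and "LABELLED_THIEF" for an
# address an analytics firm has tagged; every name here is a placeholder.
LEDGER = [
    ("LABELLED_THIEF", "hop1", 20.0),        # tagged funds move through two hops...
    ("hop1", "hop2", 20.0),
    ("hop2", "MIXER", 20.0),                 # ...and are deposited into the mixer
    ("exchange_customer_a", "MIXER", 50.0),  # ordinary users deposit too
    ("exchange_customer_b", "MIXER", 30.0),
    ("MIXER", "fresh_1", 20.0),              # withdrawals go to brand-new addresses
    ("MIXER", "fresh_2", 50.0),
    ("MIXER", "fresh_3", 30.0),
    ("fresh_1", "exchange_deposit", 20.0),
]


def build_graphs(ledger):
    """Forward (sender -> receivers) and backward (receiver -> senders) adjacency."""
    forward, backward = defaultdict(list), defaultdict(list)
    for src, dst, amt in ledger:
        forward[src].append((dst, amt))
        backward[dst].append((src, amt))
    return forward, backward


def reachable(graph, start, stop_at=frozenset()):
    """Breadth-first set of addresses reachable from `start`. Addresses in `stop_at`
    are recorded but never expanded, so the walk cannot pass *through* a mixer."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt, _amt in graph[node]:
            if nxt in seen:
                continue
            seen.add(nxt)
            if nxt not in stop_at:
                queue.append(nxt)
    return seen


def trace_forward(ledger, source, mixers):
    """Follow the money out of `source`; the trail stops at any mixer contract."""
    forward, _ = build_graphs(ledger)
    return reachable(forward, source, frozenset(mixers))


def mixer_exposure(ledger, mixer, labelled):
    """Fraction of value deposited into `mixer` whose upstream history touches a
    labelled address (direct deposits or deposits traced back through hops)."""
    _, backward = build_graphs(ledger)
    total = tainted = 0.0
    for src, dst, amt in ledger:
        if dst != mixer:
            continue
        total += amt
        upstream = reachable(backward, src, frozenset([mixer])) | {src}
        if upstream & set(labelled):
            tainted += amt
    return tainted / total if total else 0.0


def withdrawal_candidates(ledger, mixer):
    """Every address paid out by the mixer: the anonymity set a tracer is left with,
    since the ledger alone does not say which withdrawal matches which deposit."""
    forward, _ = build_graphs(ledger)
    return {dst for dst, _amt in forward[mixer]}


if __name__ == "__main__":
    print("trail from tagged address:", sorted(trace_forward(LEDGER, "LABELLED_THIEF", {"MIXER"})))
    print("share of mixer deposits from tagged sources:", mixer_exposure(LEDGER, "MIXER", {"LABELLED_THIEF"}))
    print("possible destinations after the mixer:", sorted(withdrawal_candidates(LEDGER, "MIXER")))
```

The forward trace reaches `hop1`, `hop2` and `MIXER` and nothing beyond, which is the whole point of a mixer; the exposure calculation is the kind of figure a compliance team or analytics firm reports about a contract, and it only works because deposits, unlike withdrawals, still carry their history.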
Critics of the mixing service claim that it is only used by criminals for money laundering. Proponents tout the privacy-preserving feature, which is also used by a significant number of law-abiding people.
“While we and many others have worked alongside both sides down the aisle in a positive direction on crypto and privacy, this decision has blindsided everyone,” said Josh Swihart, senior vice president of growth, product strategy and regulatory affairs at Electric Coin Company, creators and proponents of anonymity-enhancing cryptocurrency Zcash.
After the government announced the sanctions against Tornado Cash, Microsoft removed the accounts of Tornado Cash contributors and the project itself from GitHub, a platform where developers collaboratively create and maintain open source software. It has over 83 million users.
“Thirty years of hard legal work to establish First Amendment protections around software distribution, blasted in a day by GitHub/Microsoft”, tweeted Matthew Green, professor of cryptography at Johns Hopkins University.
“Trade laws require GitHub to restrict users and customers identified as Specially Designated Nationals (SDNs) or other denied or blocked parties, or who may use GitHub on behalf of blocked parties,” a GitHub spokesperson said in a press release. “At the same time, GitHub’s vision is to be the global platform for developer collaboration. We carefully review government sanctions to ensure that users and customers are not impacted beyond what is required by law.”
The impact on open source
The decision to sanction a tool, rather than, say, a cryptocurrency wallet address directly affiliated with a national security threat, has sent shockwaves through the cryptocurrency community.
“The consequences of [the Treasury Department] adding the Tornado Cash protocol to the sanctions list was actually more important for the world beyond crypto than for crypto itself,” said Omid Malekan, an adjunct professor at Columbia Business School who teaches courses on crypto and blockchain.
The US government “took the drastic step of sanctioning an open-source, decentralized protocol — specifically adding the Ethereum addresses of the smart contracts where the code resides,” as well as the addresses used to access the service, he said.
It effectively criminalizes the act of seeking financial privacy, Malekan said, and opens a Pandora’s box around open source — for example whether the government will charge someone who wrote code because a criminal then used this code.
Seth For Privacy said there could also be risks for users of the Tornado Cash service. He wonders what will happen to funds of theirs that interacted with Tornado Cash, and whether holding that money could expose them to criminal charges.
On Friday, Dutch authorities announced they had arrested a 29-year-old man on suspicion of “being involved in concealing criminal financial flows and facilitating money laundering by mixing cryptocurrencies through the decentralized Ethereum mixing service Tornado Cash”.
Authorities said further arrests could not be ruled out.
A slippery slope
Because crypto wallets cannot reject incoming transactions, an anonymous Twitter user, to prove a point, began sending a slew of tiny, unsolicited Ethereum transactions that had passed through Tornado Cash to celebrities’ public wallets, theoretically implicating them in potential violations of sanctions laws.
Malekan ran a similar public experiment on Twitter, donating a small amount of Ethereum, via Tornado Cash, to Planned Parenthood and to a secret group of Russians helping Ukrainian refugees. In both cases, he said, he committed a crime, but did so to illustrate that privacy itself should not be criminalized.
“There are 10,000 vanilla reasons why someone would want to use Tornado Cash for something completely mundane in a way that isn’t criminal or unlawful,” he said.
Hailey Lennon, a shareholder in law firm Anderson Kill’s Technology, Media and Distributed Systems Group, said that the further sanctions regimes move from a direct link to aiding terrorists and concealing the source of funds toward developers and open source, the more things get “really sticky.”
She also pointed out that there is a tension between national security and privacy in this case, with national security being used as a justification for intruding on privacy. Similar debates are taking place around encrypted communications, for example.
“When 9/11 happened, it gave the Patriot Act sharper teeth,” she said. “It has changed the way we travel and the way financial institutions monitor transactions.”
Government actions have already made it harder for Tornado Cash users to reach the service, but it remains to be seen whether sanctions can actually eliminate an open source project. In addition to Microsoft removing code and contributors from GitHub, two major application programming interface (API) and framework vendors, Alchemy and Infura, have blocked API access to the Tornado Cash frontend. This means that users trying to reach it through these APIs – software intermediaries that let applications talk to each other – can no longer see Tornado Cash. Users can still access the Tornado Cash service, but it will become increasingly difficult and complicated over time.
“I think the main thing a project should be prepared for when building their project is to make sure it’s built for conflicting environments,” Seth For Privacy said. “Let’s not assume that the current environment will last forever, or that their tool itself will always be considered above board and OK.”
Thanks to Lillian Barkley and Alicia Benjamin for writing this article.