We Are Currently Losing This Battle | Tornado Cash

Why the Tornado Cash sanction is the most important event in Web3/Blockchain/Crypto right now. We talk about what happened with Tornado Cash and the US Treasury / OFAC (Office of Foreign Assets Control), why it’s such a big deal, and what we can do about it.

Patrick Collins
17 min read · Sep 18, 2022

Tornado Cash UI IPFS Hash for educational purposes: QmU3j1B1UagFbfqgwWBu3yk1La657y8hoGoA24fG3QpPjf

Introduction

The Tornado Cash sanction is the most important thing in web3 right now.

In this article, we will cover:

  1. What happened
  2. Why it’s a big deal
  3. What you can do

It’s a big deal because:

  • Privacy & Freedom of Speech are prerequisites to a successful free nation/state
  • The sanction on Tornado Cash violates both privacy and freedom of speech
  • It sets a terrifying precedent for the future of web3

So, let’s get into it.

1. What happened?

Tornado Cash is a privacy-preserving protocol deployed to Ethereum and other EVM blockchains. It uses encryption and zero-knowledge technology to take your money, put it into a pool of money, mix it up, and allow you to take it out the other side anonymously.

How Tornado Cash works
Users send cryptocurrency to the Tornado protocol, which mixes it up with everyone else’s crypto. It also outputs a key that only the original user knows. Later, that key can be used to pull out the cryptocurrency to a fresh wallet, essentially anonymizing where the cryptocurrency came from.

For example, let’s say you wanted to donate to Ukraine but don’t want to get put on Russia’s shit list. All you’d have to do to protect yourself is funnel your money through Tornado Cash which would anonymize it, and then send your money to Ukraine.

Poof! You’ve now helped out Ukraine without Russia ever knowing it’s you!

Maybe you want to donate to a cause you care about, but don’t want to have to be harassed.

However, on August 7th, 2022 the US Treasury (OFAC) sanctioned the Tornado Cash Ethereum addresses as well as a number of other addresses and sections of the protocol. This sanction made it illegal for US citizens to interact with the code at those specific addresses. If you own a wallet that sends or receives money from Tornado Cash, you could be fined up to $1M or placed in jail for 20 years.

The rationale for this sanction was that Tornado Cash is used to launder over $7 billion, including hacks from the infamous Lazarus group, a hacking group associated with North Korea.

Most experts have debunked this, pointing to the number being something like 30% of the protocol, or $2 billion.

What happened with Tornado Cash?
From the US Treasury press release

Right after the ban, GitHub removed the code and accounts of those associated with building Tornado Cash. Alchemy, Infura, and other node-as-a-service providers started blocking transactions associated with Tornado Cash addresses, and the Tornado Cash site was removed from the internet.

One of the original developers was placed in jail without being charged with a crime in Amsterdam.

USDC and other centralized coins blacklisted addresses associated with interacting with Tornado Cash.

And hordes of trolls decided to send thousands of Ethereum addresses money coming from Tornado Cash to show how ridiculous this rule is to enforce.

Dusting event | Tornado Cash
Tweet from josephdelong

OFAC released an FAQ clarifying some points, like how small amounts of money flowing through Tornado would not be enforced (due to the mass “dusting” that was happening), and that hosting the Tornado code or teaching about the code is not illegal.

And finally, Coinbase is footing the bill for a lawsuit against the US Treasury.

Up to speed? Good.

2. Why this is such a big deal

Privacy and freedom of speech are prerequisites for a free nation

There is an argument of “You don’t need privacy if you have nothing to hide”, which, as a kid, I used to think. But let’s unpack that a little. I’d argue that you always have something to hide, and sometimes hiding stuff is good.

Scenario: Let’s say you are a Jewish person in, I don’t know, the 1930s. Let’s say for a random example your government hates Jewish people and wants to round them up and kill them. Would privacy of religion be a good thing in this scenario?

The benefits of tornado cash
Vitalik saying he used Tornado Cash to donate to Ukraine

Scenario: You live in a country surrounding Russia in 2022, and you’re not a big fan of the war going on in Ukraine. You want to send Ukraine money for the war efforts, but you don’t want to end up on Russia’s shit list. Is privacy good here?

Scenario: It’s the 1960s. You think that black lives are just as important as everyone else’s, and you want to vote for and support removing Jim Crow laws. The town you live in loves Jim Crow laws and wants to kill anyone who disagrees. Do you think privacy is important here?

In order to be able to congregate and express dissenting opinions without the threat of being crucified for it, privacy is essential to a free nation. In order to come to the best conclusion on anything, you need to be able to freely talk about dissenting opinions. I gave some scenarios on why privacy is so important because people tend to understand why freedom of speech is important, but not privacy.

The topic of why privacy and freedom of speech are so important has been done a hundred times, and if you’re curious you can check out those links or do a quick web search as well.

So now, let’s talk about how this sanction destroys both privacy and freedom of speech.

This Sanction Destroys Online Privacy & Freedom of Speech

Privacy

Tornado Cash is a privacy-preserving lump of code. Yes, we want to stop all the bad guys, but this ban actually doesn’t stop them. They can and will just keep using Tornado Cash. Instead, it makes it harder for average citizens to protect their online information.

Imagine if every bank was forced to publicly expose how much money was in everyone’s bank account, and all interactions with your bank. In a way, that’s what has happened here. The US is saying they want to make sure they can track everyone’s financial information, but in doing so, so can the bad guys.

Protect yourself against cyber attacks | Tornado Cash
Image from ready.gov

Identifying a target is the #1 step in any hacker's plan for an attack. In fact, the United States government itself tells us to limit information on the internet for this exact reason! They know that the more information out there about you, the easier you are to attack.

Without a way to anonymize your financial information, how are you going to protect yourself against these hackers? The answer is, you can’t.

The US is saying the advantages of stopping malicious users are worth the privacy damage it causes to people who use these protocols. But this sanction doesn’t do anything to stop malicious users and everything to stop average users from defending their privacy.

Freedom of Speech

The landmark case of Bernstein vs the Department of Justice set the precedent that code is a form of freedom of speech, and the arrest of Alex Pertsev sets a precedent that you can go to jail for writing code. Granted Alex was arrested outside the US, but it still shows the chilling effect the US Sanction has on the rest of the world.

#FreeAlexPertsev | Tornado Cash
Image from change.org

We need to remember that once a contract is deployed to the blockchain, it’s there for good. Are you responsible for who interacts with your immutable uncensorable code? Do we want to push people back from making discoveries (including mathematical and cryptographic) and advancements in the fields of academia?

If you have to be afraid that you can be put in jail for the math or code you write, that’s the kind of world we would have to live in.

It sets a terrifying precedent for web3

This sanction shows a great misunderstanding of how web3 technology works and sets a dangerous precedent for anyone working in web3.

Tornado Cash isn’t an entity, it’s a lump of code on the Ethereum blockchain. It’s a math equation. Tornado Cash was quoted by OFAC to be sanctioned because it “failed to curb money laundering”. So you’d think that the solution we chose to do should curb money laundering right? But the sanction itself doesn’t even curb laundering!

It is really funny if you think about it. Tornado Cash code is immutable, which means, it “can’t be changed”. The way it’s programmed is money comes in, anon money comes out. The United States asking developers to change this is sort of the same as the US asking math to make 2 + 2 = 5.

So what did OFAC want here? To have them change how the algorithm works? You can’t do that. So they went with outlawing it totally. Coinbase paraphrased this well by saying in their blog that OFAC used a “hammer instead of a scalpel”.

Chilling Effect

What’s even scarier to me is how the industry has responded. GitHub removed all their code, Alchemy and Infura blocked transactions, and USDC blocked addresses.

We are trying to build a censorship-resistant incorruptible system, and we have so many people in the industry going back on the very precedent that makes this space useful. If we have all this trust maximization enabled, to me, everything we make becomes worthless. If the blockchain is run by a community of people bowing to the whims of any nation-state actor, to me, this technology becomes useless.

Is this an attack on all of web3?

Web3 is the world of trust minimization. The USA coming in and saying they have the power to ban interacting with neutral technology is a radical stance. The purpose of web3 is to enable interaction without a centralized entity corrupting the interaction. Preventing promises from being broken. We know this means that contracts include protection from the United States government. But if they decide they need that backdoor, they need to be able to be the centralized middle body, then it threatens everything we are doing in web3. Creating backdoors defeats the purpose of the technology.

And if that’s what the US is going for here, in a way, it sounds like they might be against web3 in general — or at least at the moment not understand how good it can be.

If it becomes illegal to build trust-minimized software, all our smart contracts, our solidity, and our vyper code could be illegal to work on. Or at least, it would all need to be done in hiding or in a country that hasn’t outlawed it. The good thing about what we are building is that once built, it’s unstoppable.

In web3, we are building a world where people can interact without having centralized intermediaries, allowing for trust-minimized agreements and unbreakable promises. But it’s hard to build that world if centralized intermediaries outlaw building such technologies.

3. What you can do

Code is Speech | Tornado Cash
The EFF’s header image from their stance on the Tornado Cash events.

I want to stay in my lane and just “be a dev”, but if rules like these are left in, there is potential for our industry to be completely eroded away. If we aren’t allowed to interact with trust-minimized agreements or unbreakable promises, this whole space is sort of for nothing. We need to have privacy in our worlds that are rapidly becoming primarily online.

For us normal developers and web3 people, there are 4 things that you can do right now to help right this wrong.

  1. Donate to organizations like the EFF, CoinCenter, and Lobby3
  2. Write an Email to Senators & OFAC
  3. Pay attention to industry leaders & events like the Coinbase lawsuit
  4. Vote

I personally have donated to the EFF. I’ve written a letter to my senators and OFAC. At the bottom of this post, I’ll leave a link that you can click to get your senators' contact information (if you live in the US) and send them an email, as well as the information to contact the OFAC reconsiderations email.

If you don’t know what to put in the email, I made two for you! One short, and one long.

It’ll take a few minutes, but it can be the difference.

Contact Information

Find your senator’s contact information:

https://sengov.com/email/

A short email to senators:

Dear Honorable <SENATOR_NAME_HERE>,

The recent sanctions against Tornado Cash were done with good intentions but have catastrophic consequences on privacy, freedom of speech, and overall freedom. I think that the sanction has come from an incredibly dangerous misunderstanding about how the technology works.

The action item of this letter is that I am asking for your help to revoke the sanction on Tornado Cash as soon as possible, by either signing a petition to remove Tornado Cash from the sanctions list or creating one.

I agree with the standpoints taken by Coin Center and the EFF on this matter.

Thank you

Long email to senators & OFAC.Reconsideration@treasury.gov

Dear OFAC,

The recent sanctions against Tornado Cash[1] were done with good intentions but have catastrophic consequences on privacy, freedom of speech, and overall freedom. I think that the sanction has come from an incredibly dangerous misunderstanding about how the technology works.

The action item of this letter is that I am asking for your help to revoke the sanction on Tornado Cash as soon as possible, by either signing a petition to remove Tornado Cash from the sanctions list or creating one.

I agree with the viewpoints that Coin Center[2] and the EFF[15] have come to on this matter and ask you to work with them on fixing this.

In this letter, I aim to:

  1. Summarize the problem that the US treasury was trying to solve with the sanction
  2. Summarize how the sanction doesn’t actually solve the problem, and clarify technological misunderstandings
  3. Introduce how sanctioning Tornado Cash violates privacy & free speech
  4. Explain the network effects that have occurred as the result of this sanction

I’m not here to talk about whether or not the sanction was legal or not. I refer to the work Coin Center[2] has done on that aspect, but I’m here to express my opinions on how it affects us as a free nation. The fact that the sanction is also likely illegal is a nice bonus.

Additionally, by “Tornado Cash” I am referring to the Ethereum addresses that run the Tornado code, and not the website itself.

Money laundering is something we all want to stop, and Tornado has been accused of helping launder $7 billion in the press release by OFAC[1], including money laundered by the infamous Lazarus Group[3].

According to the statement by the US Treasury[1], Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said:

“Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks.”

Paraphrased:

“Tornado Cash didn’t prevent this money laundering, that’s why we are sanctioning them.”

We all want to catch people doing bad things, and money laundering is something we want to prevent, no one is arguing that. So to prevent more money laundering, OFAC banned the use of specific Ethereum addresses associated with having the Tornado Cash code/algorithms.

The sanction doesn’t help & clarifying technological misunderstandings

So we know the sanction is to prevent people from money laundering. However, banning its use is similar to banning the use of a particular math equation. Let’s take Ethereum address 0x910Cbd523D972eb0a6f4cAe4618aD62622b39DbF[4], which has shown up on the sanctions list for Tornado Cash[5]. This address on the Ethereum blockchain has a lump of code on it that facilitates the anonymization of money. In that regard, you can think of this address as similar to a math equation. If you take the number 2 and add two to it, you will always get the result of 4. If you send ETH to this specific address, you will always get the anonymization of funds. The kicker here, and the main difference between this sanction and that of the blender.io sanction[6], is that there is no centralized entity that touches and/or anonymizes the funds, and there is no one who can know where the funds are going to or coming from, other than the person who initialized it.

The reason this anonymization happens is due to encryption & cryptography. Encryption is the same technique used to secure messages over the internet. It’s essentially a math equation to hide information from anyone other than the recipient. Encryption is the foundation of what makes the internet secure today, and it’s this technique that is being applied to funds at this address. So here we run into our first major misunderstandings of the technology:

  • You cannot alter Tornado Cash to be de-anonymized in the same way you cannot alter 2 + 2 to equal 5
  • In the same way that you can’t stop someone from doing basic addition, you cannot stop people from using this math equation.
  • This isn’t an “entity”, it’s a math equation.

People sometimes do math. It would be very odd (and poor for society) to ban specific math equations. We’d lose any knowledge and research associated with math. There is a precedent for situations like this as well. We saw that in the 1990s we moved encryption from the munitions list to the commerce controls list[7] in an effort to allow citizens to use the privacy-preserving technology (some parts still remain on the munitions list, but seem like they are difficult to enforce). This shift was because it’s very confusing to ban the use of a math equation, especially one that helps protect so many people.

Now, let’s get back to how this ban doesn’t actually solve the problem of stopping money laundering. If tornado cash is banned, anyone can still interact with it, including criminals. Additionally, banning this one protocol doesn’t stop anyone from copy-pasting the code to another address and creating a new address, or creating a similar privacy-preserving protocol. You could ban all privacy-preserving protocols, but I’ll explain why that is bad later in this letter.

We can see that many people are still interacting with Tornado Cash[4] even after the ban. You can’t stop math from working by putting everyone who worked on Tornado in jail. You can’t force math to do something other than what math returns. Telling United States citizens they are not allowed to protect themselves means only the bad guys can protect themselves (more on this later).

Additionally, the US press release got it wrong saying all $7 billion that flowed through Tornado Cash was for illicit means. According to research from Chainalysis, only 30% of the money flowing through Tornado Cash[9] was done for illicit purposes, and the rest was people trying to preserve privacy.

Sanctioning tornado cash doesn’t solve anything. In fact, it hurts citizens, a lot.

How sanctioning Tornado Cash violates Privacy & Free Speech

There is a popular argument for gun control that is analogous here, however, your view on gun control doesn’t really matter here. If guns are banned, people without guns are powerless to defend themselves. Similarly, if privacy-preserving protocols like tornado cash are banned, people without privacy-preserving protocols like tornado cash are powerless to defend themselves. The big difference here is that I can’t kill anyone with an encryption algorithm. Privacy is defensive, while guns can be offensive.

When you sanction privacy protocols on cryptographic networks, you force people to be public about all their information. According to ready.gov[8] (an official site by the USA government), the first recommendation it makes in order to stay secure online is to “Limit the personal information you share online.” If I am unable to keep my financial information private due to not being allowed to use privacy-preserving mechanisms, how can I stay safe? Keeping your information private is the first step to staying safe; sanctioning privacy-preserving protocols (especially financial ones) is actively putting people in danger, in the same way that having encryption on the munitions list was actively putting people in danger.

Removing privacy-preserving protocols like Tornado also means that if you wish to support special interest groups, you have to do it in a public manner. Cryptocurrency is an amazing payment method for helping out causes you believe in without having to self-identify to malicious interests. One such example is the Ukrainian/Russian war going on right now. Many people wished to give aid to Ukraine[10] without being put on a Russian list of supporters, where Russia might target you as an enemy for sending aid. Or supporters of abortion rights who wanted to anonymously donate to Planned Parenthood[11]. In this regard, we are forcing people to publicly self-identify themselves and their views, which could be dangerous where there are groups against such views.

In a weird way, by removing privacy-preserving protocols like Tornado Cash, you are forcing people to announce to the world information about the protocols they use, the groups they support, wealth information, and more.

In sanctioning a privacy-preserving protocol like Tornado Cash, you don’t stop the “bad guys” from using it, and you actively put citizens in harm’s way. There isn’t a group you can take down and all of a sudden the math equation doesn’t work anymore. If you put everyone who touched working on Tornado Cash in jail, the protocol would continue to work without them. The team doesn’t run the servers (bar the front end, but I’m not referring to the front end/website) for the addresses, they don’t own the algorithm, and they can’t pull the contract addresses from Ethereum.

Privacy is a prerequisite for a free nation. Privacy is a massive differentiator between the United States and countries that live under authoritarian rule, and is a foundational belief that we as citizens hold dear, as shown in the fourth amendment. Without privacy, self-censorship would run rampant, or fear of voicing opinions would crush new ideas and unpopular opinions that lead to a better world. Or voicing your opinion where a self-interested group disagrees with you would put a target on your back.

Freedom of speech is a prerequisite for a free nation, and code has been established to be a form of speech. By sanctioning these addresses, you are sanctioning the use of code, which in turn, means you are sanctioning the use of free speech. I feel I do not need to explain why sanctioning free speech is a bad thing.

Explain the network effects that have been the result of this sanction

Now that these sanctions are out, a chilling effect has taken place. GitHub has removed all Tornado Cash code[12] and removed all users’ accounts associated with the original Tornado Cash writers. Alchemy and other blockchain network services suspended interactions with Tornado addresses[13]. One of the original researchers of the Tornado Cash protocol was arrested[14] without a charge (as of writing). We could go into details about each of these situations, but the chilling effect is clear, people are afraid that if they do anything with Tornado Cash, the United States will come after them.

It is with all this that I please ask you to work with Janet Yellen, the US Treasury, and OFAC to revoke this ban.

Thank you.

1. https://home.treasury.gov/news/press-releases/jy0916

2. https://www.coincenter.org/analysis-what-is-and-what-is-not-a-sanctionable-entity-in-the-tornado-cash-case/

3. https://home.treasury.gov/news/press-releases/sm924

4. https://etherscan.io/address/0x910cbd523d972eb0a6f4cae4618ad62622b39dbf#internaltx

5. https://sanctionssearch.ofac.treas.gov/Details.aspx?id=38499

6. https://home.treasury.gov/news/press-releases/jy0768

7. https://www.govinfo.gov/content/pkg/FR-1996-11-19/pdf/96-29692.pdf

8. https://www.ready.gov/cybersecurity

9. https://blog.chainalysis.com/reports/tornado-cash-sanctions-challenges/

10. https://twitter.com/VitalikButerin/status/1556925602233569280?s=20&t=xvjDrGnuF2kFaNdvAoooPg

11. https://twitter.com/malekanoms/status/1557340762068631552?s=20&t=enof439_Bkfs5PeNl_7_-Q

12. https://insidebitcoins.com/news/github-removes-tornado-cash-source-code-researchers-re-upload-it

13. https://insidebitcoins.com/news/alchemy-blocks-access-to-tornado-cash

14. https://www.kitco.com/news/2022-08-23/Tornado-Cash-sanction-to-have-a-chilling-effect-on-the-crypto-industry-Ran-Neuner-and-Steven-Sidley.html

15. https://www.eff.org/deeplinks/2022/08/code-speech-and-tornado-cash-mixer
