This week on The Defiant Podcast we speak to Jake Chervinsky, the executive vice president and head of policy at Blockchain Association, a non-profit trade association representing the crypto industry in Washington DC. Jake is one of the most qualified to discuss the US Treasury Department sanctioning Tornado Cash, a development that’s caused shockwaves through crypto.
We talk about what these actions are, who is at risk and what is the significance of it all. Tornado Cash got sanctioned because it was used to launder funds, specifically by North Korea’s Lazarus Group. Still, Chainalysis found that 23% of all activity was linked to illicit funds — a large percentage but also not the predominant use of the platform. We discuss all the legitimate reasons why individuals may want to use a mixer.
There is an indication that these sanctions go against not just the right to privacy, but potentially also free speech, as an Amsterdam-based Tornado Cash developer was recently arrested for what looks like just writing code. Jake provides context to this arrest and on whether constitutional rights were infringed with these sanctions.
The ramifications have been quick and widespread. DeFi users have found themselves locked out of their Tornado Cash accounts while many dApps have blacklisted all wallets with any prior contact to the Tornado Cash smart contract. Jake discusses what the alternatives are for developers and users in DeFi, and what the next steps are.
Cami Russo: Okay, here we are with Jake Chervinsky. Jake, thank you so much for coming on The Defiant Podcast, it’s a pleasure to have you here.
Jake Chervinsky: Thanks for having me, glad to be here.
CR: Jake is the executive vice president and head of policy at Blockchain Association — a nonprofit trade association representing the crypto industry in Washington, DC, and he was formerly general counsel for Compound Labs. I’m thrilled to have Jake on the podcast this week because I think he’s probably one of the best-suited individuals in this space to talk about probably one of the most significant things that has happened in crypto so far this year, with the U.S. Treasury Department sanctioning Tornado Cash. And this has had massive implications and ramifications across the industry, which we’ll get into right now. But Jake, if we can just start from the very basics. So recently, I think it was August 8th, the U.S. Treasury Department imposed these sanctions on Tornado Cash, a mixer which allows individuals sending and receiving transactions with crypto to obfuscate where those funds come from. It’s kind of like putting coins into a black box and mixing them up, literally, so what comes out can’t be traced back to the original sender. And this has been used, in some cases, for illicit purposes, so that has [precipitated] the sanctions. So can you walk us through what this means? What are these sanctions? Who’s at risk here? And why is this significant?
Understanding the U.S. sanctions targeting Tornado Cash
JC: Happy to do that. Before I jump in, though, let me first start with my usual disclaimer, which is I am a lawyer, but I’m not your lawyer, and I don’t represent anyone who’s listening to this podcast. So although I will discuss some legal issues, nothing I say here is intended as legal advice. If you do have any concerns about liability or you have questions about your own legal situation, find your own lawyer and get your own advice about that — don’t do or not do anything because you heard it on a podcast.
So with that introduction, let me first give a little bit of background about U.S. sanctions law, and then I can explain what happened last week with Tornado Cash. U.S. sanctions, first of all, are a tool of foreign policy that the United States government uses to influence the behavior of foreign nationals, and other persons and entities outside of the United States, typically, when they are doing something that the U.S. government does not like. And the way that sanctions work is first, the president has to authorize sanctions, usually under an executive order, or Congress has to authorize a particular package or program of sanctions deciding a target in general of how those sanctions will apply. And then the Office of Foreign Assets Control (OFAC), which is an agency within the Treasury Department, designates specific persons or entities or their property for sanctions. And they do that by adding persons, entities, or property to something called the SDN list, the Specially Designated Nationals list.
The way that sanctions work is that anyone on the SDN list is illegal for a U.S. person to transact with. In other words, if you are a U.S. citizen, it is illegal for you to provide goods or services, or have any other type of financial transaction with any person, entity, or property listed on the SDN list. So to give you a typical example, after Russia invaded Ukraine, Vladimir Putin and a bunch of other oligarchs and other folks in the Russian Federation who were involved with the invasion were added to the SDN list — essentially as a punishment for the invasion of Ukraine saying because you have done something that we, the United States government disapprove of, we are going to cut you off from the U.S. economy, we’re going to make it illegal for you to transact with U.S. persons, with the intent of changing [your] behavior, trying to encourage the Russian Federation to change their policy so that they can get access to the U.S. economy again. That’s how sanctions typically work.
So let’s now talk about how it was applied to Tornado Cash, which is a very different and very unique and novel situation. So, as you said, last Monday, OFAC added Tornado Cash to the SDN list, saying that it is illegal for U.S. persons to transact with Tornado Cash. The weird thing about this is Tornado Cash is not a person, it’s not an entity, it’s not property — it’s code. It is a decentralized protocol that runs on the Ethereum blockchain. Nonetheless, OFAC has said it is illegal for U.S. persons to transact with Tornado Cash. So what this means is if you are a U.S. person, a U.S. citizen, or U.S. company, you are no longer allowed to transact with Tornado Cash. And if you do so you are breaking the law, potentially committing a crime that is punishable by fines or time in prison. So this completely cuts off Tornado Cash the protocol, it seems from all U.S. persons who are using it — that includes people who already were using Tornado Cash and perhaps had assets that were supplied to the protocol who are now prohibited from withdrawing those assets from the protocol, and also anyone else who seeks to use Tornado Cash to preserve their privacy on the Ethereum blockchain is no longer allowed to do so. So that’s sort of the basics of what happened last week and happy to get into any more details that you find interesting.
CR: So first, just to clarify, the implications for users of Tornado Cash. Those who have funds in Tornado Cash, what recourse do they have? Is their money simply trapped in these smart contracts? What can they do?
JC: So again with the disclaimer that I’m not trying to give anyone legal advice, I think it’s fair to say that because the smart contract address for the Tornado Cash protocol was listed in the designation by OFAC, it is illegal for a U.S. person to transact with that protocol, including if they already have assets supplied to the protocol. So I think if you put some Ether into Tornado Cash eight days ago, right before the designation, it would now be illegal for you to withdraw those assets from the protocol. So what can those people do? Again, without giving legal advice, the main way that any U.S. person can get an exception to a sanction is by applying for a license. And the way that works is basically you go to OFAC and you say ‘I understand that there is some sanction and I want to carry out some type of conduct that I believe would violate the sanction, but for policy reasons, I think that you should create an exception to the sanction for me, for the specific instance’. It’s called a specific license. And I think, at this moment, anyone who wants to transact with Tornado Cash who is a U.S. person, has to go and apply for a license in order to do that.
Now, another option, and something that we at the Blockchain Association are thinking about doing ourselves on behalf of all of the law-abiding users who have been using Tornado Cash or want to use Tornado Cash, is to apply for something called the general license. So instead of every single user of Tornado Cash having to go ask OFAC individually for an exception, we could get a blanket exception that would say ‘in these types of cases, it is acceptable for U.S. persons to use the Tornado Cash protocol’. That’s one way that we in the industry broadly are thinking about trying to address the unintended consequences of these sanctions. Cami, maybe it would make sense to talk a little bit about why we think that the sanctions came down and what the Treasury Department’s explanation for that was?
CR: For sure.
The role of North Korea’s Lazarus Group
JC: So this all relates to, unfortunately, North Korea using Tornado Cash. So Tornado Cash itself, as I said, is just code; it’s a decentralized protocol that runs on the Ethereum blockchain. It allows users to get privacy over their transactions, and privacy is a good thing, right? We all talk all the time about how on these public blockchains like Ethereum, all of our transactions are public at all times. They can be seen by anyone, anywhere. There are some benefits to that transparency, but there are also some drawbacks. We obviously don’t want everyone in the world to know every single financial transaction that we make. And the purpose of Tornado Cash is to provide privacy in the environment of one of these public and transparent blockchains. The thing is, although everybody could use that tool to get privacy, one group of people who decided to use it was a hacking group in North Korea called the Lazarus Group.
The Lazarus Group has been responsible for a lot of the very large hacks that we’ve seen in crypto over the last year or so. The one that many people may know was the hack of a bridge called Ronin. The North Korean group Lazarus stole, I think it was over $600 million from Ronin, and there are many other hacks that they’ve perpetrated as well where they’ve stolen assets from bridges, or from DeFi protocols, or other places. And they have been using Tornado Cash to launder the proceeds of those crimes. And so the Treasury Department’s explanation for sanctioning Tornado Cash is to say ‘this is a quote-unquote service’ — this is how they described it. Although I think that’s probably not an accurate way to describe a decentralized protocol, but the Treasury says this is a service that is providing privacy for the Lazarus Group, allowing them to launder the proceeds of illicit activity. And in order to stop them from using this protocol, we are going to put it on the SDN list. So that’s how the Tornado Cash sanctions came to be in the first place.
CR: I think this point is what’s so interesting, and what has caused, I think, so much outrage in the crypto industry. Because it’s about sanctioning this protocol that, yes, it is providing a tool for different people to do something — in this case to transact privately, which is a desirable thing that the traditional financial industry provides — it’s not something that’s illegal, per se, to transact privately, everyone does that outside of crypto.
I’d like to understand how unusual it is for U.S. regulators to do this and sanction an actual tool, instead of what I think would be logical — to go after the users who are using Tornado Cash, go after the Lazarus Group, don’t go after Tornado Cash. I saw this example somewhere, [it’s like] going after an email provider because people are using email for phishing — you go after whoever’s doing the scam, you don’t go after the email provider. So in this case, they’re going after the provider. So why do you think they chose this route, and how unusual is it? Do you remember any other instance where something like this has happened?
JC: It’s a great question, it’s very unusual. As far as I know, this is the first time that OFAC has ever designated a piece of software for the SDN list in its history. Typically, as you said, sanctions apply to people, or to entities, or to property that belongs to a person or an entity — it’s Vladimir Putin, or it’s the North Korean regime, or it’s a terrorist group like Hamas or Al Qaeda, or it’s some other specific person or entity who, again, can be influenced in their behavior. In some way, as I said, sanctions are a tool of foreign policy.
The purpose of sanctions is to influence the behavior of the target of the sanctions, to bring their conduct in line with what the U.S. government wants them to do in order to get access again to the U.S. economy, because while sanctions are enforced, those people are cut off from the U.S. economy. And that can be a very effective tool in a lot of those circumstances. Most people in the world, if they want to do global business, want access to the U.S. economy. And it’s very damaging to them to not be able to interact in any way with U.S. persons, to not be able to buy U.S. goods or to sell U.S. services to U.S. persons or things of that nature. This is very different.
Tornado Cash is not a person that can be influenced by sanctions, it’s just a piece of code. It’s an inanimate object. Now, I will say there are other inanimate objects that have been listed on the SDN list. For example, there are aircraft that are listed on the SDN list. There are vessels like yachts, or tankers, or other boats, and things of that nature that are designated, even some other types of personal property or goods like diamonds have been designated on the SDN list. But in each of those cases, those objects are designated with reference to some foreign national, some person or entity that has a property interest in that inanimate object.
So if an aircraft gets designated it’s because the aircraft is owned by some bad actor, and it’s the bad actor that the Treasury Department is trying to influence here. Tornado Cash is not owned by anyone. It is just a smart contract that runs on a public blockchain. So this is really very unusual. I think there is this element of North Korean use of Tornado Cash, and I think that if you were to ask folks over at the Treasury Department — we’ve had several conversations with officials who are part of the decision-making process and I won’t divulge any specifics of those conversations — but I think it’s fair to say the reasoning behind this was Tornado Cash was viewed as a tool being used predominantly to obscure ill-gotten gains by the Lazarus Group, and the purpose and the goal of the Treasury Department was to deprive that enemy of the United States from a tool that it was using to launder money. And while that’s understandable to a degree, just as you said, it makes no sense to sanction a neutral tool that can be used by anyone, just because a particular bad actor happens to decide to use that tool to some degree that the U.S. government finds is too much.
I think there’s sort of two specific problems here. One, I’ll give you the example that Peter Van Valkenburgh and Jerry Brito over at Coin Center have been using, and they’ve been doing phenomenal work on this issue, so I recommend everyone follow them. The way they put this was it’s like seeing that someone used a hammer [as] a tool to commit an assault and then sanctioning the maker of the hammer who had absolutely nothing to do with the actual assault. That’s sort of a similar analogous situation to what’s going on here.
The other thing is it creates this degree of uncertainty that is very new for the crypto industry about where the line is of which tools the Treasury Department thinks are just too dangerous for U.S. persons to use. Really, the impact of this sanction is to prevent us U.S. citizens from having privacy on the Ethereum blockchain, just because North Korea happened to also use that tool. Well, what if North Korea starts using the Ethereum blockchain more, or the Bitcoin blockchain more, or some other decentralized service, even unrelated to crypto? Where is the line where the Treasury Department will say just because North Korea is using this, it’s now off limits for everyone? In a way, we’re almost empowering our enemy to prevent us from using these tools, just if they decide to use it themselves. And I think that as a matter of policy, that’s taking us in the wrong direction.
Legitimate uses for Tornado Cash
CR: That’s a great point, where is that line? And also, I don’t know how effective that is in actually stopping money laundering. Just to get a sense of how big that problem was on Tornado Cash itself, I looked at a Chainalysis report, and it looks like a big percent, but not the majority of [its] use was by illicit addresses. The analysis found that 23% of funds sent to mixers came from addresses that were deemed involved in some illicit activity. So, that means about 80% of the activity on Tornado Cash was actually legitimate. That kind of goes even one step further, the majority of people using Tornado Cash were doing it just to protect themselves [and] use blockchains privately, which is, as we said before, completely fine. Just to highlight that point, can you go into what are some legitimate use cases for Tornado Cash? Why would people want to obscure their transactions?
JC: The purpose of Tornado Cash is to have privacy, and I think it shouldn’t be too hard to understand why privacy matters. First of all, here in the U.S., privacy is a fundamental right enshrined in the fourth amendment to the U.S. constitution. We all value our privacy, the right of privacy is the right to decide who knows what about us and our business. And sometimes that’s something that could be controversial, like membership in a particular religious group or making donations to a particular political candidate, sometimes it could be making purchases that you don’t want everyone to know about — maybe you are buying a birth control test and you don’t want your family to know that you’ve done that, or for your neighbors to know about that. I mean, there’s any number of reasons why privacy is a fundamental right, that is one of the most core elements of human dignity that we get to decide the most sensitive and personal information about us [and] who gets access to that information. And Tornado Cash is simply a way to have privacy in financial transactions on the Ethereum blockchain.
I think there are many political candidates who take contributions in Ether. The Ukrainian government was taking donations to fund its defense against the Russian invasion. Somewhat famously, Vitalik Buterin came out to say that he had used Tornado Cash because he wanted to donate to Ukraine and he didn’t want Vladimir Putin to know that he had done that. And I think that that is an absolutely valid use of Tornado Cash. And I think, importantly, Tornado Cash is simply one of many different ways to have privacy in the blockchain space. But as you said, privacy is not unique to crypto in any way. Cash is the oldest and most used private payments technology. And indeed, most criminal activity that occurs now is done in paper cash, U.S. dollars. And we are not moving toward banning cash just because of that illicit use, because again, the overwhelming majority of use of cash is legitimate, just like the majority of use of Tornado Cash was legitimate. So it shouldn’t be too hard for us to explain why privacy matters, but unfortunately we do find ourselves having to explain that more often than we should.
CR: To get a sense of the percentage of money laundering that happens with crypto, do you have a sense of how much is done via cash or fiat, and how much is done with crypto?
JC: Obviously it’s somewhat difficult to get firm numbers on how much illicit activity there is in any different asset, because obviously the people who are using those assets or payment technologies are trying to hide what they’re doing. But the best estimates that we have place illicit use of cash somewhere in the range of 2% to 8% of all cash transactions. Now, you also have to consider that the volume of total cash transactions in the world is in the many, many trillions — much larger in general than the amount of transactions in crypto. If you look at the use of crypto, Chainalysis, which is one of the leading [blockchain] forensics firms in the world, puts out a report every single year… analyzing how much use of crypto was illicit. And in their most recent report, [Chainalysis] said that less than 0.5% of all crypto transactions were illicit in nature. That figure has been going down and down every single year since Bitcoin was first invented, and I expect it will continue to go down as time goes on. So overall, crypto, it seems, is used less on average by a matter of percentage for illicit activity than cash is today.
CR: I’d say by just the percentage point itself, it’s less. But like you said, in net kind of dollar amount, I’d imagine that that comparison crypto versus cash crypto would be a negligible amount, because if it’s 8% of all cash transactions and that volume is in the trillions versus crypto, that’s a fraction of that, then it seems like there’s this misperception with all these headlines, that crypto is kind of predominantly being used as a way to hide illicit activity, and it’s just not. It’s such a shame that we keep having to fight this misperception.
JC: Yeah, I agree. I will say though, this is where the North Korean element of this whole story comes back into play. And I think it is important to consider this from the perspective of a government official who isn’t working in crypto every day and isn’t thinking about all of the amazing innovative uses of decentralized technology. For them, they’re thinking about how we limit access to finance for North Korea, and North Korea really can’t launder large amounts of money using cash, nor can they create a business model of robbing traditional financial institutions and then making off with those assets. So you do have to consider that these hacks that have happened over the last 12 months or so are a significant new source of funding for North Korea. And I think that really is what changed this calculus for the U.S. government.
I do not think that we would’ve seen these sanctions just because there was some illicit use of Tornado Cash. I really think this comes down to even a political population here in the U.S. of exactly wanting to go after North Korea and wanting to find ways to cut off sources of funding for one of the largest, not the largest, but one of the most dangerous in terms of perception for an adversary to the United States. And I think we do have to be mindful of those very legitimate concerns that U.S. government officials have. None of us, I think, in crypto are supportive of the North Korean regime. It is a brutal dictatorship, and we should be looking for ways to limit the regime’s ability to fund their bad activity. It’s just that we don’t want an extraordinarily broad decision by the U.S. government that not only punishes North Korea, but also punishes U.S. citizens and other legitimate users of this technology who just want their constitutionally guaranteed right to privacy in the crypto space.
CR: Right. This is obviously overly simplifying things, but I just can’t help wondering why [the U.S. government doesn’t] use all the super sophisticated chain analytics systems that the U.S. has to track down wallets, and just ban specific wallets that are related to the Lazarus Group, instead of going after Tornado Cash. Was it just easier to just go after Tornado Cash itself than just directly [target] the wallets? Or is this approach not very helpful?
The differences between Blender.io and Tornado Cash
JC: It’s a good question, I wish I knew. And I think that’s one of the problems, or one of the concerns that I think we all have with this sanctions designation, is we don’t really understand what the logic or the rationale was that went into this. To put a fine point on that, when the designation came out, it referred to Tornado Cash as an entity. And again, as I said, Tornado Cash is not an entity, it’s a piece of software. And that begs the question, is it possible that folks at the Treasury Department misunderstood the nature of the designation? In the past, they have sanctioned other mixers that are somewhat similar in a sense to Tornado Cash, except that they were centralized mixers.
Not long ago, they sanctioned a mixer called Blender.io. And Blender, unlike Tornado Cash, was an entity. It was a group of people running a business in a fully custodial way where if you wanted privacy, you would send them your Bitcoin, they would take custody of that Bitcoin, they would then mix it with other people’s Bitcoin, and then they would send it back to you at some other address. And nobody in the crypto industry had a problem with the Treasury Department designating Blender.io for the sanctions list, because it’s just a centralized entity that was indeed performing this service of providing anonymity to potentially bad actors. When the Treasury sanctioned Tornado Cash, they used the exact same language to describe Tornado Cash as they did to describe Blender.io. And again, that makes me wonder, is it possible that they didn’t fully understand the distinction between a centralized company offering a business on the one hand, versus a decentralized protocol that no one owns or controls on the other hand, in the form of Tornado Cash?
I think that’s sort of an open question, and that’s one of those things where I think as hard as it may be, we need to give the benefit of the doubt to the officials who made this decision to let them explain themselves to understand what it was that they were trying to do here. They have some other understanding about Tornado Cash, and perhaps we can explain to them why this was the wrong decision and get this fixed. That’s at least one thing that I think is worth doing before we decide that this is an attack on all of crypto, privacy, and the right of free speech — maybe that is what this is, but I think there’s more information that we need from Treasury before we can fully understand what the implications of this decision are.
CR: [What are] the main differences between Blender.io and Tornado Cash? Was Blender.io performing KYC on its users? Did it have the ability to restrict certain users from its service, while Tornado Cash is decentralized [and] noncustodial — [it] doesn’t have any KYC on its users? [What] exactly is that difference between the two?
JC: Yeah, that’s exactly right. So, I don’t think that Blender.io was doing KYC, but as a centralized custodial service, they certainly could. They have the ability to decide who they want to do business with, and if you have that ability, then it’s incumbent on you to decide not to do business with the North Korean regime, if you are subject to U.S. law. And if you do decide to do business with the North Korean regime, I think it’s fair for you to expect the U.S. government to disapprove of what you’re doing and to assume that they may decide you should be a target of sanctions. Tornado Cash is totally different. It’s just a piece of code. It cannot decide who gets to use it or not. It has no power to determine who the wallets that are interacting with it are owned or controlled by; it’s just a piece of software.
When we start down the road of saying we’re gonna decide which tools people are or are not allowed to use, again, it’s a very slippery slope because North Korea also uses the internet — they use TCP/IP, and I don’t think that the Treasury Department is going to sanction TCP/IP and prohibit all Americans from using the internet. But again, it opens this question of ‘where is the line?’ And the problem is if we don’t know where the line is, then we can’t figure out number one, how do we build credibly neutral, decentralized tools that anyone can use? And how can we do that in a way where the U.S. government will not try to take action like this? And maybe the last point here is it implicates important constitutional rights. There’s a difference between a company deciding who to do business with versus infringing the right of all U.S. persons to use a tool that guarantees to them some constitutional right that they should be able to enjoy. It would be like saying you’re not allowed to use the internet even if you are doing it to exercise your right of free speech — that’s sort of similar here. What we’re saying is you’re not allowed to use Tornado Cash, even though what Tornado Cash does is allows you to exercise your constitutionally guaranteed right to privacy. So that’s the distinction, I think a very important one, between a centralized company on the one hand and a decentralized protocol on the other.
CR: For sure, I’ve seen the free speech argument applied to Tornado Cash as well. Do you think this is also infringing on a user’s rights to free speech or a developer’s right to free speech?
Code as both speech and conduct
JC: It might, it depends on what the sanctions mean. And again, I think we just lack enough information from Treasury to know whether this is the type of action that will infringe on the right of free speech and the right to free expression. Code is speech, there’s no question about that. That’s been well established for a number of decades in case law from U.S. federal courts. The thing is, just because code is speech, doesn’t mean that it can’t be regulated or is always immune from any type of sanction in every circumstance specifically, although code itself can be expressive. And so the engineers who are writing this code are expressing themselves when they write the code, they’re sending a message. They’re conveying information, they’re providing their viewpoint to the public that is a first amendment-protected activity. However, when someone uses code to achieve some type of activity or conduct, if you use code to send a payment or to trade an asset or something of that nature, then courts might say your use of the code is functional, not expressive. In other words, you’re engaged in conduct, not in speech. And in that case, your use of the code, even though it itself is speech, your use of the code may not be protected by the first amendment. And I think there’s an open question here as to whether the sanctions on Tornado Cash are restricting speech, or if they’re only restricting conduct.
If the sanctions mean that you are not allowed to publish the code that comprises the Tornado Cash smart contracts, I would absolutely say that is a violation of the first amendment. I think if the sanction is only to say you are not allowed to interact with a Tornado Cash pool which is composed largely of North Korean assets, I think the argument is at least harder to make under the first amendment, but there are other constitutional rights that might come into play then. There’s the fourth amendment, the right to privacy. There’s the fifth amendment, the right to due process. So just because free speech may not be infringed in that instance, doesn’t mean that there isn’t an important constitutional right that’s at stake.
CR: So it seems that, for now, there’s more indication that these sanctions go against conduct and not against speech. But there was this additional development where a Tornado Cash coder was arrested in Amsterdam, so I don’t know where exactly this fits. Is this a separate process from what happened with the U.S. Treasury? It was very odd — we got this announcement and then days later this developer was arrested, but not in the U.S., [they were] arrested by Dutch regulators. So where does this fall? And do you think if a developer was arrested, is that kind of an indication that speech is being targeted, at least by whatever entity made that decision to arrest this developer?
JC: So this, to me, is the most frightening aspect of what’s happened in the last week. I will say also [that] we do not know exactly what’s going on right now in the Netherlands, where one of the Tornado Cash developers was arrested by Dutch police. Let me just say this in as clear and blunt a way as possible, we cannot have software developers arrested solely for writing code, that is unacceptable here in the United States. There is no question in my mind that that would be a violation of the first amendment. Now, granted, the first amendment doesn’t apply in the Netherlands, but as a matter of policy, I think that all countries in the world, especially all Western democracies, should respect the right of free speech. So if indeed what happened is a Tornado Cash developer was arrested because he happened to write code that down the road was used by a bad actor, and thus writing code is a crime, that is absolutely unacceptable, and everybody in the crypto world should be incensed and outraged, and engaged in trying to correct that error.
Now, I will say we don’t know exactly what the allegations are… I have no reason to believe this is true, [but] it could be that the developer who was arrested was engaged in some other type of illicit activity. Perhaps there’s some other connection to North Korea — we just don’t know. There was a press release that was issued related to the arrest [and] it didn’t suggest anything like that. All it said really was that this developer had been part of the decentralized autonomous organization that was Tornado Cash, that he was part of the project. And again, let me say very clearly, no software developer should be arrested under any circumstance simply for writing code. I don’t know where this is gonna go, but I think we need to watch this very carefully, because that would definitely cross the line in a way that we cannot accept.
CR: It’s so frightening. It was really frightening to see that happening, a developer arrested just for writing code. But again, is this different from what happened in the U.S.? Is the Netherlands doing its own investigation? Or is there any kind of reason to think that the two governments are working together to crack down on Tornado Cash?
JC: So also very unclear, but I’ll speculate and give you at least my best guess, although I’ll qualify that by saying I am only speculating and guessing. I don’t really know what’s going on behind the scenes, my best guess is there was not coordination between the U.S. government and Dutch authorities behind this arrest. The reason I say that is for at least two reasons. The first is the sanctions did not specify any developers. So if the U.S. government viewed the developers behind Tornado Cash as part of some criminal enterprise or as bad actors who were assisting North Korea to launder money, you would’ve expected that the designation of Tornado Cash when OFAC did the sanctions would have said the names of those developers and added them individually to the SDN list as well. Again, as I said, most sanctions apply to persons or entities, so that’s what we would’ve expected. And I think we can read something into the fact that at least Treasury understood the difference between Tornado Cash the project, whatever they think that means, and the developers who are writing the code that comprise the Tornado Cash protocol.
The second thing is often there is intergovernmental coordination when arrests like this are made. In other words, law enforcement in both countries will work together to arrest all of the people who are involved in a criminal conspiracy at the same time… There’s good reason for that — as soon as one person is arrested, the others, if indeed they are bad actors or criminals, are likely to flee. So usually you would see all of the arrests happening at once. In fact, as an example of that, you may remember, I guess it was a couple years ago now, BitMEX was indicted for violating the Bank Secrecy Act and the individual executives of BitMEX were also targeted. All of them were arrested at essentially the same time with the exception of Arthur Hayes, who was overseas and then ended up surrendering himself to the authorities later.
We did not see arrests of any other Tornado Cash developers, which means either there was not intergovernmental coordination on this arrest, or possibly there was some other calculation again about what this particular developer who was arrested was doing. Perhaps there was some other type of illicit activity that was suspected or alleged that did not apply to the other developers. Again, we just don’t know. But I think, again, if I had to give my best guess, what I would say is I’m guessing that authorities in the Netherlands saw the sanctions and misinterpreted them and then made the mistake of going far beyond what U.S. authorities would’ve expected or would’ve wanted with the sanctions by making this arrest. And my hope is that that will become clear very quickly and this developer will not be charged. And sadly he’ll have had to spend quite a bit of time in detention, but that there will not be any prosecution or criminal charges. But again, we just won’t know until there’s a decision made over there.
CR: Okay, so I guess we should take it as a good sign that that’s the only arrest that’s happened, and that no arrests have happened in the U.S.?
JC: Yes, it’s hard to call it good because obviously this whole situation is pretty bad from the start, but yes, I think if this was really an attack on software developers by the U.S. government, then I think it would’ve looked different than how it looked. So I’m holding out hope that this was a misunderstanding of the nature of the technology, or perhaps something that happened because of political pressure, again, to be tough on North Korea and to try to deprive our enemies of this tool without understanding the unintended consequences that this type of designation would have for the rest of the crypto ecosystem. And until I’m proven wrong, I’ll stay optimistic and hope that that’s what’s going on.
The impacts of DeFi front-ends complying with U.S. sanctions
CR: So obviously the Netherlands government wasn’t the only one to react to this, there were a few other entities that also blocked addresses that had been using Tornado Cash. So everything from GitHub banning or blocking Tornado Cash accounts, to the different blocking node providers for Ethereum — Infura, Alchemy — to even DeFi applications and protocols restricting these addresses. dYdX, Balancer, Aave, and even Uniswap are some of the protocols that have restricted Tornado Cash addresses; it was this kind of snowball that continued to grow last week, it’s like this huge attack on decentralization is happening. It’s not just the U.S. coming after this mixer, but having implications all over DeFi — the biggest, best-known DeFi protocols are also responding to censorship, and actually self-censoring. So it just seems like a huge shift in this space.
I’m wondering what your thoughts are. I mean, from the perspective of someone who obviously thinks that DeFi, web3, and decentralization is the future and the right direction for the financial system and the web to see this happening is awful. I would just say, you are supposed to be decentralized, this is where you’re supposed to show what DeFi actually means, just let people transact with your smart contracts, but we’re seeing these important protocols take the other direction. Again, I think it’s kind of overly simplifying things, I don’t know if the teams behind these protocols have a choice. So yeah, I would love your thoughts on these ramifications.
JC: Sure, so I think it’s really important here to distinguish between protocols on the one hand, and front-end interfaces, which are operated by specific companies which may be U.S. persons, on the other hand. The protocols themselves, as I said, are just software, they are decentralized and they run on a public blockchain like Ethereum. To my knowledge, none of them are excluding any particular wallet addresses from interacting on-chain with the smart contract. What’s happening instead is companies that are subject to U.S. law are blocking certain wallet addresses from their front-end interfaces. Again, that’s the impact of sanction, that’s what U.S. sanctions laws require — it requires you as a U.S. person not to provide any good or service to a sanctioned party or to interact in some way with a sanctioned entity or something that is listed on the SDN list.
So if you’re a U.S. company and you’re looking at the sanctions that came out last week, there really isn’t much choice. To say I am no longer allowed to facilitate transactions with this particular specially designated national, no matter how silly it may seem to you to call Tornado Cash, a smart contract or a decentralized protocol, a specially designated national nonetheless, that is what the law requires. And I think this does raise this sort of important element of DeFi, which is there are still important points in the DeFi market structure [and] ecosystem that are centralized, that are controlled by or offered by specific entities that are subject to U.S. law, or to the law of whatever sovereign nation where they may be located. And I don’t think it is fair for us to say that in order for you to be a good DeFi developer or a good software development company building in DeFi [that] you should break the law. I don’t think we want any of our friends who are building these protocols or running these user interfaces to go to prison.
As a matter of principle, I think what we want is the Treasury Department to make good decisions as a matter of policy about what sanctions should or should not apply and how far those should go. And then we want to increasingly decentralize this market structure, we want to build as many decentralized tools as possible so that they are resilient to nation-state attacks. And I don’t just mean by the U.S. government. What I mean is in places like China, Russia, Venezuela, or Iran — where the government is the bad actor — we are trying to build tools that the Chinese communist party or the Russian Federation cannot stop. Where those tools are accessible to average citizens or to freedom fighters in those jurisdictions, we want to build tools that are resilient to censorship by those types of regimes. And in order to do that, we want software developers not necessarily to break the law, but rather to exercise their constitutional rights to exercise their freedom of speech, to build protocols that cannot be controlled by anyone. And that I think is the future of the DeFi space.
CR: I think what’s become clear is that the kind of central point of potential failure or where these DeFi protocols can be censored is at the front-end layer, kind of how users can access these smart contracts. So these front-ends are what’s actually controlled by a U.S. entity, so that’s where authorities have the power to crack down on. So… I think… the front [is] also a hugely important piece of infrastructure — that’s become clear… Maybe how we move forward is making sure that there’s alternatives to those more centralized aspects of DeFi.
JC: I think that’s fair. In the case of Circle, I would be shocked if Circle was happy about what they were forced to do.
CR: They say in the statement that they’re begrudgingly doing this, so definitely not. But like you said, they’re forced to [and] they’re not gonna go to jail for this.
JC: Right, exactly, and we shouldn’t expect them to. Jeremy Allaire is a really smart guy and I think that his principles are pretty well aligned with the rest of us. But again, he’s running a business and we shouldn’t ask Jeremy to go to prison on principle. So we have to understand that.
There’s at least two things that we should focus on doing. One is for those of us who are working on policy, we need to try to get clarity around this decision. And we need to try to explain to the Treasury Department and other stakeholders in government, why decisions like this are the wrong decisions so that we don’t put people like Circle or other good U.S. actors in this position in the future where they have to take action that they would rather not take.
The second thing is not for the policy professionals, but for the builders in this space, I think we do need to find these points, I guess you could describe them as points of weakness — like the front-end interface — and we need to decentralize them further. And this is something that has been a project, I think, within the DeFi space for quite a long time, it’s something that I’ve talked about somewhat regularly over the years. Frankly, I’m a little bit surprised that we haven’t made more progress in building decentralized front-ends. Maybe this is just what had to happen for folks to realize that this is a priority, but I think we need to see decentralized front-ends that are downloadable rather than hosted on a centralized server. I think it’s fair to say, [and] again I don’t want to give anyone legal advice, but I think if a software developer writes a wallet and makes that wallet available for download, then in all likelihood, that is a first amendment protected activity. That is an exercise of free speech, they are expressing themselves in the form of code by writing that wallet and making it available for download. I think that would give us a pretty strong first amendment argument to defend against a sanction of the downloadable wallet. Whereas if you’re a company and you’re running a front-end interface and you have total control over it, you can take it off of a server at any moment and you can decide who can or can’t access it — then I think it’s very hard to make those types of first amendment arguments.
CR: Yeah, I’m excited to see what comes out of this. I think we’ll see innovation result from this, and hopefully it brings this space forward in a way that makes it more censorship resistant.
JC: Yeah, I think that’s right.
The implications of celebrities involuntarily receiving ETH from Tornado Cash
CR: Right. Okay, so one detail that I don’t think we cleared up, there was this reaction to what happened where I think anonymous users were sending kind of very famous addresses Ether that had come from Tornado Cash, [for example] the Jimmy Fallon address, and so on. So is just randomly receiving a fraction of ETH that came from Tornado Cash, does that make you vulnerable to anything [like] being on that list?
JC: First of all, it’s another example of how weird and unusual a designation of a decentralized protocol is. It would be sort of like your example of sanctioning email — does that mean if someone sends you an email that you all of a sudden, through no fault of your own, violated sanctions? We all understand how email works, you can’t choose which emails you get or don’t get. And this is sort of a similar situation. I think it is unclear whether someone who receives a transaction from Tornado Cash without their own consent or through no fault of their own, whether they would be in violation of sanctions. Again, without intending to give legal advice, I think the mere fact that you control a wallet and assets from Tornado Cash are sent to that wallet, I do not think that that should subject you to liability. I think that generally speaking, the sanctions laws apply to transactions that the actor who is being looked at as a potential violator decides to carry out. If you involuntarily receive assets, I don’t think as a matter of law that you would be liable for a violation.
Perhaps more importantly as a practical matter, I think we do have to give the benefit of the doubt to folks at the Treasury Department and at the Department of Justice. They’re not crazy, they’re not trying to prosecute random people who received transactions from Tornado Cash even though they didn’t ask for them. I don’t really think that is a direct concern.
But again, I do think it raises this weird question about how that type of liability might play out. I also think that if you decided to transact on some asset that was sent to you — if you received one Ether from Tornado Cash and then you decided ‘well, that was free money, I guess I’ll use it to buy an NFT or convert it to dollars’ — then I think absolutely you would have some serious concerns for civil and maybe even criminal liability. And the weird thing about how Ethereum works is once you receive an asset in your wallet, if you then do another transaction, it’s not so clear which portion of assets in your wallet you were transacting with. So it may be that if you received some asset from Tornado Cash, there’s some risk in transacting at all with that wallet without first applying for a license from OFAC. And again, that just doesn’t make a whole lot of sense.
So I think it’s up to the Treasury Department to clarify what it expects from your ordinary law-abiding user of the Ethereum blockchain who either had assets in Tornado Cash or received assets from Tornado Cash without their consent. And until that’s clarified, I think we’re gonna live in this world of uncertainty about how the sanctions should be implemented.
CR: Just starting to wrap up, what’s next? Beyond waiting for Treasury to clarify exactly what this means, is there anything more proactive that industry participants can do? Is there a recourse? What are the next steps?
JC: I think, first of all, we’re all still working through this together and I don’t think the path forward is perfectly clear yet, again, because of how much uncertainty was introduced by this sort of novel and unprecedented decision by the Treasury Department. But here’s what I can say, at least for now.
This is August 15th at 5:30 PM Eastern time, things may change by the time folks listen to this. But first of all, I think that those of us who work in policy are going to spend a lot of time in the coming weeks and months talking to folks at the Treasury Department to try to understand what logic and rationale was behind this decision, and trying to educate them more to the extent that they may misunderstand what they’ve done [regarding] those uncertain and unintended consequences, and trying to get some clarity about what this really means.
I think that could take the form of one of these general licenses, which I mentioned, which would be the Treasury Department explicitly saying something like ‘if you’re a law-abiding U.S. user of Tornado Cash, it is okay for you to withdraw your assets from Tornado Cash’. Just to get clarity for the sort of low-hanging fruit, simple situations like that, it also might be in the form of frequently asked questions. And this is actually how OFAC typically clarifies sanctions going back to the beginning of the sanctions program, they have FAQs listed on their website, which explain what their expectations are. The FAQs aren’t necessarily legally binding, but it is common practice for how OFAC explains sanctions. I think there should be some FAQs forthcoming on what the Tornado Cash sanctions mean. So we can try to help request and then maybe provide some insight into what the FAQs should say beyond that.
There is still the question of whether litigation is appropriate here. And we talked early in this conversation about this issue of whether Tornado Cash is a person or an entity. As a matter of law, OFAC can only designate persons, entities, and their property, and it may be that they believe something incorrect about Tornado Cash. And this is an opportunity for us to bring this issue to court, to try to get some legal clarity from a federal judge that explains that OFAC has gone over the line here, that OFAC does not have authority to designate decentralized protocols under the sanctions laws. I’m not sure yet whether that may play out, [but] that’s something that we at the Blockchain Association, also at the DeFi Education Fund, along with friends like those at Coin Center are trying to sort through right now. Coin Center put out a really amazing analysis just this morning on some of these legal issues [and] whether litigation might make sense. So I think folks should stay tuned for that.
And then lastly, and maybe most importantly, is the developer Alexey Pertsev who was arrested in the Netherlands. I think we all should be thinking of him. And as we may have concerns about what’s happening, I’m recording this in my home office, you mentioned you were traveling freely today, Cami — Lexi can’t do that, he’s being detained, he does not have his freedom. He is the person who we should be thinking about most. It may be that he needs our help to fund his defense, and I know that there are folks who are working on that right now. But first and foremost, we have to look out for the developers who are building this technology. So I think folks should stay very closely attuned to what’s going on in Amsterdam to see how we can help Alexey to deal with the situation that he’s in.
And otherwise, I think those of us who are building out there, keep building. That really is always my answer for folks in the industry who ask me ‘what can we do?’ And the answer is keep doing what you’re doing. Keep building this technology, keep making progress, keep doing the work, and hopefully, in the end, the value of this technology will win out. As I think we all agree that ultimately it will.
CR: Absolutely, what a great call to action! I just have one follow-up question. If there was litigation involved, who would be responsible for doing it?
JC: That’s a great question, and it’s one that we need to sort out at the highest level. The answer is the person who has standing to bring the suit is someone who has suffered or will imminently suffer some injury as a result of the decision that the government has made. So for example, it could be a user who has some assets locked in Tornado Cash who is legally not allowed to withdraw those assets — they may have standing. It could be a developer who wants to launch some version of Tornado Cash and they think that the sanction may apply to them [by] restricting what I would say is their first amendment protected right to deploy a new instance of Tornado Cash. It could be some other person who had some business idea or had some desire to use Tornado Cash to preserve their privacy and can’t do that because of the sanctions. You always have to look for a plaintiff who has standing, meaning that they have suffered or will suffer some injury. At this point, I’m not sure who the right plaintiff would be. I know that Coin Center is thinking deeply about this, and so are we at the Blockchain Association. Although my role is head of policy, sometimes I think I might be head of litigation, and we are willing when the time is right to lead the charge in that way. So I’m not sure yet what will happen in this case, but stay tuned for more as this all plays out.
CR: Interesting. Awesome, Jake, I really appreciate you taking the time to walk me through all of this and talk about the important implications that this is having. I guess everything is still in flux, but what we can hope is obviously just more clarity on this, hopefully a resolution for Alexey, and clarity for developers. Like I said before, I think if one silver lining can come out of this, it’s just a more censorship-resistant DeFi. Hopefully, builders in the space are encouraged to build these decentralized front-ends and minimize these kinds of points of weakness. So, Jake, thank you again, it really was a pleasure having you on the podcast!
JC: My pleasure, thanks for having me.