Is it reasonable to interpret OFAC's sanction against Tornado Cash from a legal perspective?
Original compilation: angelilu, Foresight News
Original compilation: angelilu, Foresight News
Tornado Cash is being sanctioned by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), and one of its developers was arrested in the Netherlands last week.
Does OFAC have the authority to disable Tornado Cash? Are OFAC's sanctions consistent with due process? How do Tornado Cash users withdraw their trapped funds? What regulatory signals did the sanctions send? How will the crypto industry respond in the future? Many professionals in the industry expressed their views on the problems fermented in this incident. Coin Center, a cryptocurrency think tank, analyzed the incident from a legal point of view after a week of in-depth research. From the analysis of Coin Center, we can get Answer.
Cryptocurrency think tank Coin Center is currently exploring challenges to the Tornado Cash sanctions in court. The following is its original analysis of the incident:Last Monday, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated Tornado Cash to be added to the list of Specially Designated Nationals and Blocked Persons (SDN) it administers. Hours after the incident, we issued a report on the operationinitial analysis
, and indicated that it may be legally and constitutionally flawed, we have conducted a more comprehensive legal analysis of it over the past week, and here are the results of that analysis.
As we have challenged, we believe that OFAC exceeded its legal authority to add certain Tornado Cash smart contract addresses to the SDN list, that this action may have violated our constitutional rights to due process and free speech, and that OFAC did not act adequately to mitigate the foreseeable impact of its actions on the innocent American people. We intend to cooperate with other digital rights advocates in seeking administrative relief. We are also now exploring challenging this action in court.
To understand the legal implications of OFAC's addition of the Tornado Cash smart contract to the SDN list, it is helpful to first understand that OFAC added Blender.io to the same list in May, when the sanctions were announced.Press releasePress release
say:
WASHINGTON – Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions on Blender.io (Blender), a virtual currency mixer used by the Democratic People’s Republic of Korea (DPRK) to support its malicious cyber activities and Money laundering of stolen virtual currency.The announcement drew no objection from the crypto community. This is because it is reasonable for OFAC to sanction Blender because it is a company or similar entity. That is, a Blender is a person or group of people (whether legally registered or not) that provides Bitcoin mixing services. According to the administrationOrder 13694
specified authorization, which defines a listed "person" as an "individual or entity" and an "entity" as a "partnership, association, trust, joint venture, company, group, subgroup, or other organization," and Blender Certainly eligible. When you send funds to the address provided by Blender, whoever runs Blender controls the coins. They then mix your coins with other customers' coins and, after deducting a fee, send you the same amount of coins.
The important thing to note here is that the entity is ultimately under the control of a natural person, whether they are identified or not. That is, someone can control the behavior of the Blender entity. They can decide whether to continue doing business, or change the way they do business. When they receive coins, they can decide whether to send mixed coins. They can choose to serve some customers and not others, etc.This also means that when Blender is added to the SDN list, the individual running the mixer (actually the Blender entity) can submitPetition to remove from SDN list
. As noted by OFAC on its petition web page.
The power and integrity of OFAC's sanctions stem not only from its ability to designate and add persons to the Specially Designated Nationals and Blocked Persons List (SDN List), but also from its ability to remove persons from the SDN List in compliance with the law.
Blender, because it is an entity ultimately under the control of certain individuals, has the ability to bring to OFAC's attention facts or arguments that may lead the agency to remove it from the list, such as:
It is effectively a US entity and therefore should not be subject to sanctions without due process
it changed its behavior and no longer engages in sanctioned activities
For some reason, the specification is wrong
For some reason, the designation is beyond the statutory or constitutional authority of the Ministry of Finance
If OFAC denies or does not respond to the petition, Blender can hire attorneys to represent it and challenge the designation in court. At the end of the day, Blender is a legal person and these are the things he can do.
With the above in mind, and now looking at the Tornado Cash event, OFAC's press release announcing its addition to the SDN list uses essentially the same language as Blender:
WASHINGTON – Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions against virtual currency mixer Tornado Cash, which has been used to launder more than $7 billion worth of virtual currency since its creation in 2019.
When OFAC Sanctions Blender, Directivenotifynotify
The entity is listed first ("TORNADO CASH, aka TORNADO CASH CLASSIC, TORNADO CASH NOVA), then "Website tornado.cash", and finally dozens of Ethereum addresses.There may exist an entity called Tornado Cash that is controlled by a natural person and can be the subject of reasonable sanctions. It could be the entity that owns and operates the tornado.cash website, or it could be the entity raising funds for the development of the mixer software. Funds raised via Gitcoin are sent toEthereum address
under the control of the entities listed in the designated notice. If so we would not comment on the appropriateness of sanctioning the entity, as we do not know all the facts leading up to this action. If there could be an entity behind the donation address, and that entity might be legally eligible to be listed, but if those people didn't do anything other than write the mixing software that is now running on the Ethereum blockchain, then They could be a strong First Amendment defense. We just don't know all the facts yet.
That said, the few Ethereum addresses listed cannot be said to be virtual addresses or property of the Tornado Cash entity. These are the Ethereum addresses of the mixer smart contract. They are addresses where users can find the software logic that, given the correct inputs, will execute and mix coins for the user. This is the mixer itself, but it's a completely different entity from the entity identified as Tornado Cash, although the name "Tornado Cash" is often used to refer to it as well. For clarity, we will refer to them as Tornado Cash Entity and Tornado Cash Application.
This is sometimes difficult to understand for those unfamiliar with decentralized blockchain technology, but applications (also known as smart contracts) can be installed on the Ethereum network, and once installed, the person who installed it no longer owns the any right to control it. After that, when any user in the world invokes it and gives it the appropriate input, it will execute automatically. In the case of the Tornado Cash Application, anyone in the world can send ETH directly to it, and it will mix the cryptocurrencies according to its code's instructions. As long as the Ethereum network continues to function, it will continue to function.
Presumably, the Tornado Cash Entity, which deployed the Tornado Cash Application, now has zero control over the application. Unlike Blender, Tornado Cash entities cannot choose whether or not the Tornado Cash Application participates in the blend, nor can they choose which "clients" to accept and which to reject. In the case of Blender, entities and applications are the same thing, but in the case of Tornado Cash, they are two completely different things. This is a subtle but important distinction that OFAC fails to recognize, treats the two as one (like Blender), and adds both to the SDN list.But in fact, other parts of the U.S. Treasury explicitly recognize this distinction. In itsMay 2019
In its guidance document on virtual currency business models, the Financial Crimes Enforcement Network (FinCEN) distinguishes between "anonymous service providers" (including "coin mixers") and "anonymous software providers." They make it clear that service providers are subject to bank secrecy obligations, while software providers are not. Regarding service providers, FinCEN explains:
[a] person (by himself, through an employee or agent, or by means of a mechanical or software mechanism) who provides an anonymous service, accepts value from a customer and transmits the same or other type of value to the recipient in a manner designed to obscure the transmitter's status as a money transmitter under FinCEN regulations.
The guide also states that
Anonymous software providers are not money transmitters in contrast to anonymous service providers...this is because suppliers of tools (communication, hardware or software) that may be used for money transmission, such as anonymous software, are in the trade rather than currency transmission.
FinCEN also distinguishes (one type) service providers who use anonymizing software to provide services to customers and are therefore subject to BSA obligations, and (another type) individuals who use anonymizing software on their own behalf. They call the latter group "users". 4
We acknowledge that OFAC is not subject to FinCEN regulations or interpretations. The fact is, however, that another division of the Treasury Department, and also responsible for money laundering and national security issues, has developed a reasonable definition of "mixer" that recognizes the existence of (1) mixers as entities and (2) A mixer is not an entity, but merely software, and individual "users" may use the mixer software for themselves and on behalf of themselves without the involvement of any third party. FinCEN's guidance suggests that what we propose here is not new or strange.Given this nuance between people and software, the uproar in the cryptocurrency community should make sense right now. How could it be justified to add to the sanctions list an automatic agreement not controlled by anyone, rather than a person or a person's property? OFAC in its applicationdelete page
and elsewhere the petition states:
The ultimate purpose of sanctions is not to punish, but to bring about positive changes in behaviour. Each year, OFAC removes hundreds of individuals and entities from the SDN list. Each removal is based on a thorough OFAC review.
Tornado Cash Entity, because it is an entity, can file a petition to be delisted, and if it believes its rights have been violated, it can hire a lawyer and file a lawsuit in federal court. The Tornado Cash Application cannot because it is not a person. And since the removal petition'sRegulationRegulation
Only entities can apply for themselves or their property, third parties cannot.
The Tornado Cash Entity is an entity, appropriately sanctionable, and the Tornado Cash Application is neither a person nor a personal property. The distinction is important not only because it shows that OFAC did what it did in this case contrary to its own stated goal of bringing about behavioral change, but also because of its statutory authority over what OFAC did and the constitutionality of its actions Sex matters.
OFAC Sanctions Certain Smart Contract Addresses Beyond Its Statutory Authority Under IEEPAOFAC's powers derive from a law passed by Congress: "International Emergency Economic Powers Act (50 USC § 1701 et seq.) (IEEPA)
. A related right, the National Emergencies Act (50 USC § 1601 et seq.) (NEA), empowers the President to declare a national emergency and then use his IEEPA powers to "prevent" any activity "involving any transactions in property in which a foreign country or its nationals have any interest". In this case, the emergency declared under the NEA is the "increasing prevalence and severity of malicious cyber activity initiated or directed by persons wholly or substantially located outside the United States," as in the aforementioned executive order issued by President Obama. The order cites statutory powers described in IEEPA that authorize the Treasury Department to block "property and interests in property" (defined broadly) related to those involved in cyberattacks. The powers that IEEPA gives to the President are broadly drafted, but it is still only a power to block property. What is blocked must be "property" and must be property in which some foreign country or national has an interest.
As stated above, the Tornado Cash Entity has no property interest in the Tornado Cash Application. It has no legal right to control the application, and more importantly, it has no physical ability to control the application. Furthermore, the app isn't even "property" in any reasonable sense. The application is non-proprietary software that simultaneously resides on everyone's computer around the world running the Ethereum open source client. It is not the property of the Tornado Cash Entity any more than the Phillips screwdriver in every American's home toolbox is the property of its inventor, Henry F. Phillips.
A Tornado Cash application cannot be properly added to the SDN list if it is not "property in which certain foreign countries or nationals have an interest" (50 USC §1702), nor under the specific powers vested in the President in IEEPA And was blocked. Someone (more on that later) should be able to challenge that sanction designation is outside the scope of the statute and therefore invalid.This is based on the text of the statute or "simple meaning"A strong argument for the explanation. The simple interpretation of IEEPA is that only property, which belongs toone or more items of someone
, and more specifically, only property belonging to foreign nationals or entities can be blocked. Simple readings can even extend to include intellectual property such as trade secrets or copyrights, and extend not just to foreigners but to any entity, whether incorporated or informal, including at least some foreigners. A simple reading of IEEPA, however, cannot be extended to include blocked lines of software code in general (ie, the arrangement of symbols and characters itself), and certainly not software in which sanctioned persons have no economic rights.
One could argue that the software is actually the intellectual property of the Tornado Cash Entity, and thus a legitimate blocking target under IEEPA. However, this would be a very different kind of sanction than in the past. Sanctions involving intellectual property often involve whether proprietary tools can continue to be licensed from sanctioned individuals, or whether trade secrets can be purchased from companies in enemy states. In the present case, in this case, the purpose of the sanction is very different; it is to say that Americans cannot even exploit intellectual property in which the authors have no financial interest. For one thing, the software in question is released under an open source license, so no American has ever paid, or will ever, pay any license to any author (whether those authors are sanctioned or not). Additionally, a copy of the software already exists on the home computer of anyone connected to the ethereum network. So an apt metaphor for this kind of sanctions is like an Iranian author is sanctioned so that Americans who already own his book must avoid reading it. Likewise, we believe that OFAC's designation is also unlawful because it exceeds the authority under the executive order because the address in question is not a "person" as defined in the order, for reasons we explain above.The above simplistic interpretation of the regulations may invalidate OFAC's decision to add to the SDN list Ethereum addresses associated with the Tornado Cash application, although it would not necessarily invalidate the addition of other addresses that may still be under the control of one entity Underneath, so to speak, is its property. In fact, within the judiciarymore and more
oversimplifies statutory interpretation and refuses to respect institutional interpretations that conflict with the simple meaning of the text. That aside, this narrow interpretation is made stronger by a substantive principle of statutory structure known as the "constitutional avoidance doctrine," whereby courts typically choose narrow statutory interpretation. In this case, a broader interpretation that allows ideas or software in the abstract to be the subject of the block raises at least two serious constitutional problems. If we or anyone else challenges the list on legal grounds, we need to interpret these constitutional arguments in favor of claims of statutory interpretation. Moreover, each of these constitutional arguments could constitute separate claims that could invalidate the order. So we're going to dig into these two points.
OFAC Sanctions on Certain Smart Contract Addresses Deprive Americans of Liberty and Property Without Due Process
The Fifth Amendment requires that any deprivation of an individual's life, liberty, or property by the federal government must allow for notice, an opportunity to be heard, and a decision by an impartial decision maker. As we've discussed, adding the Tornado Cash Application address to the SDN list means that Americans can no longer use the tool, even for perfectly legitimate reasons related to their personal privacy while online. This is a limit on the freedom of every American. There are also Americans who continue to lock funds in the application contract today because they deposited funds before the ban and have not withdrawn them. The Americans whose funds were locked have (yet) committed any crimes with Tornado Cash in the past. These Americans are the only ones who have the ability to withdraw funds from this address because they are the only ones who know the encrypted data that the Tornado Cash Application needs to create a valid withdrawal transaction. Nonetheless, these U.S. persons cannot conduct the transaction without prima facie violation of OFAC sanctions. Therefore, it is a deprivation of property and liberty. 7
For both groups of Americans, there are dispossessed rights, and the constitutional question is whether there is or will be notice, whether there is or will be notice, access to hearings, and decisions by neutral decision makers. Generally speaking, if the liberty and/or property of many Americans are restricted as a result of OFAC's action, that action is unconstitutional if these procedural protections are not provided.The administration could argue that OFAC policy does require an internal and confidential presentation of the facts and a collateral impact assessment prior to any addition to the sanctions list, and that these internal processes could Alternative to Public Hearings. In the present case, however, there is no indication that any such impact assessment was undertaken, and it is not known what procedures, if any, were followed. In fact, the DeFi Education Fund has alreadySubmitted a FOIA request
Hope to get a better understanding of what processes and safeguards are in place to limit the collateral impact of being on the SDN list. Even if certain procedures were followed, OFAC, to our knowledge, does not allow participation by any American who is disenfranchised, does not include opportunities to cross-examine witnesses or challenge the validity of evidence, and does not end with a neutral decision maker (eg , a judge of the Third Court).The government may also argue that advance notice and challenge rights are inappropriate given the potential for sanctions targets to be alerted and to take steps to transfer their property before the sanctions take effect. They might then argue that Americans continue to have recourse to satisfy due process, since they can now apply for general (for all Americans) or specific (for themselves) clearance, after the list is made public, to remove sanctions from address to recover their property. The government could even argue that there is no actual deprivation of liberty or property due to the availability of these licenses, but only a temporary obstacle to be overcome before property or liberty can be regained. This is a strong argument in the case of the more typical OFAC lists before, e.g. an international bank with criminal directors could fire those directors and restart operations, even Blender.io), while only a handful of U.S. People are affected. In fact, this is the least the administration has employed in previous due process challenges to OFAC orders.Partially successful defense.
However, the Tornado Cash case is not a typical OFAC initial order of regulation.
The Tornado Cash order is unique in that it affects the property of many Americans whose use of sanctioned instruments is perfectly legal. Only a few similar cases exist (such as where an international bank with part of the accounts held by Americans was added to the list). Address the AML/CFT risks that lead to listing, with a view to eventual delisting of the entity so that legitimate accounts, including those of U.S. persons, can be unfrozen. These efforts may also include, where specified, the publication of frequently asked questions (FAQs) to help innocent persons affected by the order understand their options, the provision of public or private non-executive letters, general or specific licenses, and other measures to ensure that the affected Innocent parties can continue to meet financial obligations such as mortgages during the freeze.
We believe that these typical steps were not taken in the Tornado Cash Application case because there was simply no bank or other entity that could work with OFAC to achieve these mitigations. Application smart contracts are not controlled by anyone. They will continue to operate as usual, and the only way to remove legitimate funds from these contract addresses is, and will always be, for affected Americans to directly interact with these addresses, something they are not allowed to do. Given these facts and distinctions, it is unlikely that the government's typical defense to a due process claim is inadequate. Unlike past cases, in which the deprivation was temporary and the limited procedure taken met some reduced constitutional requirements, the deprivation here appears to be permanent (the prohibition on granting Americans general license to continue to use the tool collateral damage mitigation measures that the government typically takes (cooperate with sanctioned banks to eliminate the need for sanctions and otherwise release the funds of non-sanctioned Americans) cannot actually be taken without financial institutions cooperating with them .
Arguably, if Americans are not given general permission to use the application contract (whether to extract currently locked property or for future privacy purposes), then such a refusal can be challenged on the grounds that the procedural due process requirements of the Constitution , the program provided is not sufficient.Mathews v. EldridgeIn cases involving national security, due process standards are more limited and the use of
The balance test described in:
Determining the specifics of due process generally requires consideration of three distinct factors: first, the private interests affected by the official action; second, the risk of such interests being wrongfully deprived by the process employed, and the likely value of additional or alternative procedural safeguards (if any); and finally, the benefits to the government, including the functions involved and the financial and administrative burdens that would be imposed by additional or alternative procedural requirements.
Even at this lowered standard, we do not believe that the government's actions will pass constitutional scrutiny. We need to uncover a lot of facts to be sure, but we suspect that in this case, the private interests affected are far greater than ever before, the risk of wrongful dispossession is greater, alternative safeguards are ineffective, and government interests are small.
Perhaps more importantly, the statutory issue at issue is not the ability of U.S. persons to obtain a license to use the tool, but the fact that adding only tools to the list (and not adding entities or property of entities) is not OFAC's law under IEEPA authority. Even if a general license was granted in this particular case, there is no legal way to prevent OFAC from simply adding new non-property, non-entity names other than the Tornado Cash Application to OFAC's list in the future, despite dubious statutory The justification for such unprecedented sanctions. OFAC could accidentally add various non-proprietary software tools to the list (such as the PGP software for email privacy, or even the whole of Bitcoin itself), and then they could create a de facto licensing regime that selectively allows the U.S. People use these tools again. This would be a very powerful tool of social control, and it appears to be out of touch with the text and purpose of the underlying statute upon which OFAC's powers rest. In general, IEEPA allows the president to prevent Americans from trading in the property of foreigners; it is not a system that dictates what types of software, books, music, or tools Americans should be able to use (assuming they otherwise follow the law and are not in the process enriching sanctioned persons).
So far we've mostly discussed how Americans challenged their inability to obtain a license from OFAC to use the Tornado Cash Application on due process grounds because it was available at an address listed on the SDN list. The lack of due process in this action, however, stems less from the future path for Americans to obtain licenses than from the fact that licenses are now required to use software that was not originally owned by those sanctioned. Thus, challenging the licensing process is not an appropriate way to address the statutory overrun problem discussed in the previous section. Conversely, challenging the licensing process is not an appropriate way to address the issue of statutory overreach discussed in the previous section. Rather, the due process flaw lies in the designation process itself and the inability of Americans to challenge that designation.
Here, we can again ask whether victimized Americans really have a procedural due process right to raise these challenges. In this case, it is clear that, according to OFAC, there is no procedural due process right. Under OFAC's guidance and regulations, the only person who can challenge a directive and remove an entity from the list is the sanctioned entity itself. There is no obvious way for third parties (such as ordinary Americans who just want to use these software tools) to challenge the listing of these tools. In fact, because the listings are only software and are not anyone's property, no one can apply to be removed from the list under OFAC's guidance. If lists of this type simply had no avenue to be presented, they would be unconstitutional under the procedural due process requirements of the Fifth Amendment.
We believe that, despite OFAC's lack of guidance regarding third-party challenges, U.S. persons who have used and/or intend to use the Tornado Cash Application may be eligible to challenge the listing under the Administrative Procedure Act (APA). Such plaintiffs could ask the court to vacate the sanction for a violation of the law because it exceeded OFAC's statutory authority and its authority under the executive order. Plaintiffs could also ask the court to view the agency's actions as arbitrary and arbitrary because it misunderstood the nature of the technology it oversees and failed to take into account the reliance interests of existing users of the technology. If OFAC argues that it does not allow such challenges, sticking to existing guidance that allows only listed entities to challenge designations, the due process argument for ordinary Americans becomes stronger.
Broad Interpretation of IEEPA Significantly Reduces First Amendment Protected Speech
If the SDN list becomes an ever-expanding list of specific open source protocols and "blocked" applications, isn't that a restriction on speech? The government could argue that ideas expressed in these particular pieces of software (identified by lists of smart contract addresses) are not blocked. It's just that the ability of Americans to send messages to these specific contracts and use the software is blocked. Restrictive acts (even expressive acts, like marching in protest) are less protected under the First Amendment than mere speech (like publishing a book).However, this argument would prove overblown if the intent of the list was simply to block the ability of Americans to interact with a specific open source application because it resides at a specific contract address on the Ethereum blockchain, then it cannot Effectively achieve any legitimate national security objective. software at this addressCan be copied and pasted to a new address by anyone in the world; in fact, the same and similar software and tools are already available on other addresses on the Ethereum blockchain. So it remains easy for people to continue to have access to these tools, including people ostensibly targeted by the cybersecurity executive order, which describes the activities those sanctions are designed to limit. But of course, just blocking one app is not the end. The intent is to send a message that any examples of this software should be avoided. The intent is to stifle speech so that Americans avoid interacting not only with these specific contract addresses, but with any protocol that is substantially similar to the code in those addresses. It's not just a ban on specific apps, but a class of technology, and according toBritish "Financial Times" reports
, in fact, Treasury officials have made it clear:
“We do believe that this action will send a very important message to the private sector that the risks associated with mixers are significant and that it is designed to inhibit Tornado Cash, or any form of restructured version thereof, from continuing to operate.”American software publishers and newsletter intermediaries got the message right away. Some open-source software developers not on the sanctions list haveClose their account on GitHub
, and removed their published software repositories or made them private. These actions already represent a significant curtailment of ongoing research and development into scientific and engineering ideas pursued for the betterment of humanity. While the Tornado Cash Application sanction designation does not order removal of the software and code, it does significantly suppress the expression of First Amendment protected speech, and does appear to be designed to suppress the expression of such speech.We're not saying that IEEPA itself creates an unconstitutional prior restriction on speech, but that its application in this context is manifestly overbroad. While typical OFAC actions limit expression (such as donating to specific Islamic charities), this action sends a signal — and indeed appears to be designed to send a signal — that Americans should not use certain types of tools and software Even for perfectly legitimate purposes. Even if this list were genuinely and entirely intended to deter North Korean hackers from using Tornado Cash, and even if OFAC could accept, in a collateral impact analysis, the chilling effect of Americans using the tool for legitimate reasons, it probably wouldn't be enough to go to court. as the Supreme Court inBroderick v. Oklahoma
found that sometimes "allowing some unprotected speech to go unpunished may do more harm to society than others' protected speech may be suppressed by overbroad regulations, and perceived discontent becomes more serious possibility."
what to do next
First, we will seek to engage with OFAC to share our views and would like to hear from them. We have also received inquiries from members of Congress about the situation, and we will continue to keep all parties involved informed.Second, we will do our best to assist U.S. residents whose funds are trapped at listed Tornado Cash addresses, and will do our best to assist them in applying to withdraw those funds.. In addition, the DeFi Education Fund hasAnnounceAnnounce
Original link
