By Katie Haun and James Rathmell
Since our post last month, there have been some further developments in reaction to the Tornado Cash sanctions, from Coinbase’s lawsuit to Treasury’s clarifying guidance and Coin Center’s complaint. We’re glad to see a strong response from the industry because we believe foundational principles are at play in this case. Namely, can governments ban open-source technology with sanctions, proscriptions, or embargoes that aren’t narrowly tailored? OFAC is right that many criminals have misused the Tornado Cash platform, but the stakes here go beyond Tornado Cash. The real question is whether the government can target the architecture of a blockchain itself, because what can be done to one kind of open-source protocol can be done to any open-source protocol.
I say this as someone who spent a decade prosecuting money launderers: the fight against illicit finance must be done in a way that’s legally sound. There’s a tried and true playbook for addressing money laundering if there exists sufficient evidence of intent to subvert the law — bringing prosecutions, enforcement actions, seizures, and other steps against bad actors.
Here, OFAC sanctioned Tornado Cash based upon IEEPA, a federal law that gives it the authority to block “any property in which any foreign country or a national thereof has any interest,” alleging that the protocol had been “commonly used by illicit actors to launder funds, especially those stolen during significant heists.” OFAC’s concerns in this respect are undoubtedly legitimate. But in issuing broad, indiscriminate sanctions against an open-source protocol writ large, the agency overstepped its legal authority to sanction the foreign hackers and their property in a way that leaves it exposed to both statutory and constitutional attack. It’s also produced a chilling effect for plenty of builders in the space who are rightly concerned whether OFAC’s view is now the law.
We don’t think it is.
Today, we’re publishing a legal memo that open sources the core arguments as to why, which we hope will be used in existing cases and ones still to come. When we thought about who to collaborate with on these arguments, Steve Engel was the first person who came to mind. Steve and I were co-clerks at the Supreme Court and he went on to lead the Office of Legal Counsel, the office that reviews the President’s executive orders for legality and also effectively serves as outside counsel for all executive branch agencies, including Treasury (read: Steve doesn’t hang out on crypto twitter so I called him up, explained the situation, and we brainstormed a bit).
The bottom line is that we think that OFAC went too far as a statutory matter because it appears to have blocked open-source, self-executing software that isn’t a person or the “property” of any foreign national or entity. IEEPA doesn’t grant such broad, roving authority to target open-source software architecture, and that is true no matter how noble OFAC’s intentions may have been. As the Supreme Court said in a recent case, our system of government “does not permit agencies to act unlawfully even in pursuit of desirable ends.”
What’s more, the agency has exposed itself to constitutional attack on a few fronts. It’s likely a court may not even reach the constitutional questions, however, because of the doctrine of constitutional avoidance which instructs courts to avoid ruling on constitutional issues when a case may be resolved on other statutory grounds. As the Supreme Court noted recently, the constitutional-avoidance canon provides “extra icing on a cake already frosted.” But suffice it to say these sanctions resulted in an asset freeze that deprived some innocent Americans of their property—without due process of law. And the sanctions may have violated the Fourth Amendment’s prohibition on unreasonable seizures to boot. Finally, while OFAC’s recent guidance shows that it recognizes the First Amendment problems inherent in altogether banning the publication of and interaction with code, its prohibition on the use of Tornado Cash code burdens the ability of Americans to use the privacy-enabling application to facilitate anonymous speech. That itself raises a substantial First Amendment issue.
Speaking of extra icing, sanctioning open-source code is also bad policy. These sanctions are reminiscent of when the U.S. government attempted to curtail public access to encryption tools in the 1990s by banning the export of encryption technology. Had the U.S. criminalized the use of cryptography without a license, we would have a much less secure — and much less developed — internet today.
We think that OFAC has overstepped, and it should fix that sooner rather than later. The first Tornado Cash lawsuits have already been filed against OFAC in Texas and Florida, and these may not be the last. OFAC can and should focus its sanctions efforts on the bad actors who abuse open-source software, not on the tools themselves.
The full memo can be found here.