TLDR: Coinbase is funding a lawsuit brought by six people challenging the US Treasury Department’s sanctions of the Tornado Cash smart contracts and asking the Court to remove them from the U.S. sanctions list. The lawsuit explains that OFAC exceeded its authority from Congress and the President in sanctioning open source technology, rather than sanctioning the bad actors who used it or the property of those bad actors.
Today, Brian Armstrong shared why Coinbase is funding and supporting a challenge by six individuals (including two Coinbase employees) against the Treasury Department’s novel sanctions of open source software associated with Tornado Cash. I wanted to take a moment to share a little more detail about this legal action. At its core, this legal challenge is about how the Treasury Department exceeded the authority Congress and the President granted it in sanctioning open source technology, rather than sanctioning the bad actors who used it or the property of those bad actors. No one wants criminals to use crypto protocols, but blocking the technology entirely (which is what this sanction essentially does) is not what the people’s elected representatives authorized — especially when there are effective routes to more narrowly target bad actors. These sanctions represent a significant unauthorized expansion of OFAC’s authority, and they have harmed innocent people seeking to legitimately protect their privacy and security using this technology, as the stories of these six individuals make clear.
On August 8, 2022, Treasury’s Office of Foreign Assets Control (“OFAC”) sanctioned Tornado Cash, an open source software project that uses smart contracts to allow users to send assets privately on the Ethereum network. As part of this action, OFAC added to its Specially Designated Nationals and Blocked Persons List (“SDN List”) Tornado Cash’s smart contracts, which are publicly available, open source tools that anyone can access to send assets from their private accounts and withdraw them to a different crypto address. Smart contracts are essentially code that is not controlled by any individual or group and is executed by the Ethereum network according to strict rules that cannot be modified.
While prior OFAC sanctions against individuals or entities sometimes listed crypto addresses owned or controlled by these bad actors, OFAC has never before sanctioned an open source technology like the Tornado Cash smart contracts. For example, when OFAC sanctioned the North Korean Lazarus Group, it added eight Ethereum addresses to the sanctions list, each of them an account controlled by the Group where it held its assets.
In this case, by adding the Tornado Cash smart contracts to its SDN List, OFAC made it illegal for any U.S. person to use this privacy protocol — banning this technology for all.
Unlike in traditional finance, ETH transactions are transparently recorded on the Ethereum blockchain. That means anyone with a computer can view the transaction history and balances associated with a particular user’s address. So, when users send ETH from their address to a recipient’s address, anyone can use a public blockchain explorer to look up that sender’s prior transactions, learn about their spending habits, and check their account balance.
While this transparency is important for auditability and verification, it poses privacy challenges for Ethereum users who reasonably want to protect their personal financial information. For the same reasons that you’d be reluctant to publicly share all your private bank statements that detail your spending history, a person who receives their salary in ETH does not necessarily want everyone knowing how much they make or how they spend their funds.
The Tornado Cash privacy protocol allowed users to regain that privacy. Using smart contracts, a user could deposit assets from one crypto address and withdraw crypto assets to a completely different address, severing the otherwise clear connection to their prior transactions. Once withdrawn, the user could transfer those assets without fear of exposing their entire financial history or net worth to third party strangers. The plaintiffs in this lawsuit represent a cross section of crypto users and developers who used Tornado Cash to protect their privacy and security for various legitimate reasons — from wanting to safely donate to Ukraine war relief without risk of Russian retaliation, to concealing salary deposits that would show how much they earn, to preventing malicious actors from targeting their homes to try to steal large quantities of crypto assets held in their wallets. By creating new, private crypto addresses when sending funds to strangers, these plaintiffs could avoid disclosing their personal accounts, which they use to hold their assets and send personal transactions.
In this way, crypto privacy protocols are not only critical to the development of the crypto ecosystem, they are an important tool to protect individuals against hackers and thieves who may otherwise target owners of crypto addresses that hold significant assets. The sanctions against Tornado Cash have not only blocked U.S. persons from using this open source technology; they have also scared cryptographers and developers away from contributing to other important privacy projects, for fear that their code will be sanctioned in the future.
Coinbase is fully committed to combating illicit activity and sanctions evasion. We regularly partner with and advise law enforcement and regulators on a range of cryptocurrency topics, support critical law enforcement investigations, and respond to many thousands of subpoenas a year. We fully support OFAC’s overarching national security objectives and greatly appreciate the important work it does to sanction bad actors and block the property those actors control. However, in the Tornado Cash action, OFAC did not target the bad actors or the property controlled by those actors; instead, it took the unprecedented step of sanctioning open source technology — a tool legitimately used by many innocent people even if also by some bad actors. We do not believe Congress authorized this, and for good reason. After all, we do not shut down email or the internet code because among its many users are some criminals. That is why we are funding and supporting this challenge by six crypto users seeking to regain critical tools needed to protect their privacy and security.
About Paul Grewal
Paul Grewal is the Chief Legal Officer of Coinbase where he is responsible for Coinbase’s legal, compliance, global intelligence, risk management and government relations groups. Before joining Coinbase, Paul was Vice President and Deputy General Counsel at Facebook. Prior to Facebook, Paul served as United States Magistrate Judge for the Northern District of California. Paul was previously a partner at Howrey LLP, where his practice focused on intellectual property litigation. Paul served as a law clerk to Federal Circuit Judge Arthur J. Gajarsa and United States District Judge Sam H. Bell. He received his JD from the University of Chicago Law School and his BS in Civil and Environmental Engineering from the Massachusetts Institute of Technology.