Welcome to the War on Code.

On August 8, 2022, OFAC sanctioned the Tornado.Cash protocol, which was used by the North Korea hackers to launder stolen funds.

OFAC Sanctions Tornado Cash: A New Frontier in Regulatory Action

Adding a protocol to the Specially Designated Nationals (SDN) list is a new and slippery slope. Historically, the SDN list is composed of individuals or businesses that are cut-off from the American economy because they are suspected to be terrorists or drug king pins. By treating autonomous code as a “person” OFAC may have exceeded its statutory authority.

Exceeding Statutory Authority?

OFAC only has the authority to sanction persons or entities. As Coin Center outlined in its recent article, when a person or entity is added to the SDN list, the individuals who run the entity can file a petition for removal from the SDN list. Since Tornado Cash is software, there’s nobody with standing to petition. In Fact, the 2015 executive order that granted OFAC the authority to sanction, “Certain persons engaged in significant malicious cyber-enabled activities” – it specifically defines a person as an individual or an entity. Tornado cash is neither, rather it’s a valuable, useful, and popular open-source software protocol.

This sanction raises concerns about the invasion of privacy and freedom of speech, because OFAC has, for the first time ever, prohibited American citizens from use their own money privately for legitimate and personal transactions. Code has never before been sanctioned.

Privacy Concerns and the Right to Financial Privacy

Privacy is a fundamental human right. In this emerging digital age, financial privacy is only achieved through technology like tornado cash. It’s not all that different from closing the blinds on your bedroom windows, and certainly shouldn’t create any insulation that the activity taking place behind the privacy blind is de facto suspicious.

Code as Speech: A First Amendment Issue

Code is Speech. In many previous cases, computer code has been proven as “speech” and protected by the First Amendment.

Bernstein v. Department of Justice

In the case of Bernstein v. Department of Justice 922 F. Supp. 1426 (1996), Daniel J. Bernstein, a Berkeley mathematics Ph.D. student, attempted to publish a mathematical paper and associated source code that he developed. The US government had placed the code on the United States Munitions List. The court eventually ruled that the export control laws on encryption violated Bernstein’s First Amendment rights, which were upheld by a later Supreme Court decision. This led to regulatory changes that made it easier to publish encryption software online without the approval of the US government. This is the first case that ruled code as speech. Ninth circuit Judge Patel stated, “This court can find no meaningful difference between computer language, particularly high-level languages as defined above, and German or French….Like music and mathematical equations, computer language is just that, language, and it communicates information either to a computer or to those who can read it…” Id.

Universal City Studios v. Corley

Another case that found code is speech was Universal City Studios v. Corley, 273 F.3d 429, 60 (2nd Cir. 2001). (“Communication does not lose constitutional protection as ‘speech’ simply because it is expressed in the language of computer code. Mathematical formulae and musical scores are written in ‘code,’ i.e., symbolic notations not comprehensible to the uninitiated, and yet both are covered by the First Amendment.”)

The court stated that “Limiting First Amendment protection of programmers to descriptions of computer code (but not the code itself) would impede discourse among computer scholars, just as limiting protection for musicians to descriptions of musical scores (but not sequences of notes) would impede their exchange of ideas and expression.”

Unconstitutional Prior Restraint on Speech?

The Tornado Cash code is no different from these cases and appears to be an unconstitutional prior restraint on speech.

Prior Restraint on Speech. Prior restraints on speech have typically been found unconstitutional. OFAC sanctions operate on a strict liability basis. There is no due process for whether someone is added to the list. There is no public showing of fact, prosecutor, or judge required to assess the threat. Once a name is listed, anyone who performs a transaction, whether they intend to or not, can face severe financial penalties. If code is speech, by banning these transactions, OFAC has essentially placed a prior restraint on every American’s ability to engage in transactions (speech) with these open source tornado cash smart contracts.

Content Restrictions and the Least Restrictive Means

Content Restrictions on Speech. The amount of protection afforded for speech depends on the content of the speech. Content restrictions are allowed for a “compelling” state interest, but must be imposed in the least restrictive means possible. A content restrictions should be narrowly tailored, “that the means chosen do not `burden substantially more speech than is necessary to further the government’s legitimate interests.’” See Turner Broadcasting System, Inc. v. FCC, 512 U.S. 622, 662 (1994).

Chainalysis recently published a graph showing only 10.5% of the Tornado Cash transactions involved stolen funds, meaning that 89.5% of the speech is being needlessly restricted. This does not appear to be the least restrictive means possible to achieve the government’s compelling interest.

Conclusion: The Slippery Slope of Sanctioning Code

Since this sanction is against code, and not a person or entity, and the code is still running – and the criminals can still use it – I am having trouble seeing the legitimate purpose of this novel and slippery slope type of sanction.

By Sasha Hodder, Crypto Attorney & Bitcoin Enthusiast

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *