Should Tim Cook of Apple be thrown in jail for manufacturing a phone that’s used by criminals to plan heists? Should the CEO of Boeing be punished for building the planes that hijackers flew into the World Trade Center? Is the inventor of the pressure cooker criminally responsible for making something that can be turned into a bomb?
On Friday, news broke that Dutch authorities have arrested someone who allegedly contributed to the open-source Tornado Cash cryptocurrency tumbler on Ethereum. The full story is not yet known, though many crypto and privacy advocates were immediately troubled by the prospect of criminalizing code.
We know the person arrested was a 29-year-old male, and apprehended in Amsterdam. We know Tornado Cash is a service used to anonymize crypto transactions that was sanctioned by the U.S. Treasury Department on Monday. We know Dutch financial regulators opened a criminal investigation into that service in June.
– ADVERTISEMENT –
The coder, however, was only “suspected” of helping to code Tornado Cash. And, likewise, only “suspected of involvement in concealing criminal financial flows and facilitating money laundering,” according to the Dutch Fiscal Information and Investigation Service (FIOD).
We do not know the full implications of this move, how wide the probe is or what it might mean for crypto in future. “Multiple arrests are not ruled out,” the Dutch financial investigators said in a statement.
Depending on how things shake out, how Tornado Cash’s founders are “dealt with” by criminal investigators and for what justification, the case could have a significant chilling effect on crypto development – especially projects or updates related to privacy.
For years, crypto coders have acted under a cloud of uncertainty. There are real differences between how a truly decentralized program operates in the wild and other software projects, differences that are not yet fully understood under the law. But there’s also something like self-denial at play by the crypto industry, which may lead to a false sense of security or confidence.
There are certain things about writing code that are pretty cut and dry. At least in the U.S., merely publishing code on Github is almost always legal if it’s an original idea – even for controversial things like ghost guns and crypto mixers. That’s a legacy of the so-called cryptography wars 30 years ago: Code is a language, cryptography is speech and the government is constitutionally prevented from banning its production under, say, munitions regulation
The situation gets dicier when you move beyond the act of writing. “Without commenting on Tornado Cash specifically, acts like providing help to someone who wants to use the code, uploading a mixing smart contract to a protocol or operating a web app which can hook into a user’s MetaMask wallet strays into potentially criminal territory,” Preston Byrne, a lawyer who specializes in cybercrime and crypto, told Motherboard this week.
This is not the first time a privacy-app developer has been arrested. Last year, the U.S. Department of Justice arrested Roman Sterlingov, the owner and operator of crypto mixer Bitcoin Fog, for allegedly assisting money laundering. That was a few months after Larry Dean Harmon pleaded guilty for running the unlicensed money-transmitting business Helix and to conspiracy charges related to money laundering on the crypto mixer.
(The difference between Tornado and Helix or Bitcoin Fog is that the latter two were “custodial,” meaning they took possession of users’ funds – a distinction that may no longer matter when it comes to facilitating money laundering or operating a money transmitter.)
On Monday, the U.S. Treasury Department’s Office of Foreign Assets Control took the unprecedented step of designating a smart contract as a Specially Designated National. This is a classification typically reserved for terrorist organizations and nation-states. It’s a bit like arresting a robot – one that no one can power down or keep others from using.
Tornado Cash is an open-source protocol, meaning that anyone can contribute to or deploy its code. It’s non-custodial, meaning it doesn’t hold onto user’s funds, nor did it have administrators that could see who was using the application or freeze transactions. Its founders burned the cryptographic keys needed to decrypt anonymous transactions on the platform.
That doesn’t mean its founders didn’t attempt to comply with financial regulations, when asked. In April, Tornado began working with blockchain analytics firm Chainalysis to block addresses sanctioned by OFAC following a particularly high-profile hack orchestrated by the North Korea-backed Lazarus Group. But they were limited by what they could do beyond basically screening the protocol’s “front-end” website.
Once deployed on Ethereum, a smart contract is immutable. This is at least part of the reason why crypto boosters have been so enraged by the recent international actions taken against Tornado. MakerDAO’s Rune Christensen was right to call the sanctions “useless,” because anyone – smart enough to use the command line, and dumb enough to break the law – can still transact with the robot.