STATEMENT: Treasury’s clumsy approach to Tornado.cash is a threat to the future of financial privacy

This statement can be attributed to Lia Holland (they/she), Campaigns & Communications Director at Fight for the Future.

“In an effort to punish hackers and cybercriminals, Treasury just made a clumsy attempt to sanction Tornado.cash, an open source protocol. Tornado.cash was a mixing protocol that worked by letting many people send Ethereum to a specific address, mixing all the cryptocurrency it holds together, then letting those who had sent funds withdraw better-anonymized money. Services like Tornado.cash exist because the permanent, public, and immutable records kept on blockchains like Ethereum aren’t inherently privacy-preserving. But after Treasury’s actions, the open source code used to run this protocol has been censored, and developers contributing to the protocol are reporting that their GitHub accounts have been deleted.

Let us be clear, hackers and cybercriminals, as well as those that support them, are deplorable and should be stopped—but not in a way that compromises human rights and the first amendment.

Treasury’s sanctions were meant first as a tire-slash to the Lazarus Group, cyberthieves affiliated with North Korea, who used Tornado.cash to anonymise stolen Ethereum, and prevent them (and, it seems, anyone else who was using it) from being able to withdraw from the service anonymously.

It also seems that Treasury’s sanctions were meant as a warning shot to projects attempting to build anonymous digital assets, and an attack on the first amendment right to code.

Treasury did not only sanction the individuals or corporations involved with the Lazarus Group; they sanctioned all the mechanisms—ethereum addresses—by which the Tornado.cash protocol provides its blending service, because that service was used by bad actors. This is a rough equivalent to sanctioning the email protocol in the early days of the internet, with the justification that email is often used to facilitate phishing attacks. Tornado.cash is code, and rather than identify those who were aiding and abetting criminals the Treasury simply sanctioned that code. Code is speech.

Already, the Internet is feeling the chilling effects of this choice: the open source code used to run Tornado.cash has been taken down from Github. And unfortunately it seems that such an effect is exactly what the US government was seeking.

In yesterday’s press release announcing sanctions against Tornado.cash, Treasury states clearly that “while most virtual currency activity is licit, it can be used for illicit activity”—essentially a statement that could be made about cash. But as Politico reports “The Biden administration wants cryptocurrency companies to voluntarily adopt internationally agreed-upon technologies for combating money laundering, including collecting all users’ personal information. The senior Treasury official said the sanctions on Tornado Cash would send a strong message to companies that still haven’t done this.” (Bolded emphasis is our own.)

Anonymity is not a crime, and there are many legitimate reasons to seek anonymity in financial transactions. Privacy tools are important to, for example, activists in authoritarian states where revealing financial information could get someone jailed or executed. Anonymity, particularly financial, may soon become essential for pregnant people seeking abortions in the US, as well as supporters in states that criminalize donations to abortion funds or Planned Parenthood. Simply not wanting your financial history surveilled by governments, corporations, stalkers, or other bad actors is a legitimate reason to seek privacy-preserving technologies online.

We ask that the Treasury focus more carefully on targeting bad actors—rather than attempting to criminalize building and using privacy tools or the simple act of writing or running open source software code.”