Treasury’s Tornado Cash clarifications aren’t good enough: We need real protections on the right to code and the right to privacy

Posted September 14, 2022 at 9:00 PM

The following statement can be attributed to Lia Holland (they/she), Campaigns and Communications Director, Fight for the Future:

Yesterday the US Treasury released some clarifications on what its sanctions of Tornado Cash mean. As we’ve previously stated, Treasury created a chilling effect on the right to code and the right to privacy through the clumsy way it sanctioned Tornado Cash. Treasury listed certain Ethereum addresses that represented completely autonomous open-source code embedded in the blockchain, and by sanctioning that code it caused a freakout among people who write or publish open-source code—including its removal from Github.

Treasury’s Office of Foreign Assets Control (OFAC) clarified that activities not prohibited include “copying the open-source code and making it available online for others to view, as well as discussing, teaching about, or including open-source code in written publications, such as textbooks, absent additional facts.” They also said US persons are not barred from visiting the Internet Archive’s cache of

While this clarification is welcome, it is inadequate to address our concerns related to human rights, free expression, privacy, and the right to write open source software code. Treasury simply has not provided the guidance necessary to reverse the chilling effects on privacy-promoting tools and the right to code.

First, Treasury provided no clarification on how open-source and fully decentralized privacy-promoting projects can avoid becoming a target of sanctions when these projects by nature have no control over who uses them. This is a grave concern to private decentralized messaging systems, privacy-promoting cryptocurrencies, as well as a host of emerging technologies like decentralized browsers that design in powerful user privacy protections. Without additional clarification, code contributions and investment into such efforts continues to hang in the balance—with some of the brightest minds working toward a human rights-promoting internet asking themselves “if this project I’m building to help journalists or abortion patients or people under authoritarian regimes is used by a cybercriminal, will I be sanctioned as well?” Privacy-preserving technologies cannot first identify and verify who a user is without entirely defeating the point—creating a catch-22 that OFAC needs to address for the good of traditionally marginalized people online, and the rights of us all.

We also do not have sufficient clarity on whether new privacy pools could be created from Tornado Cash’s open source code. We need clarity on whether these sanctions cover only the Tornado Cash entity and the code that they published, or any instance of this code that will ever be published on a blockchain, even if by an entity that is not Tornado Cash. This new statement, if anything, makes it look more likely that OFAC has sanctioned code itself—and OFAC needs to stop being wishy-washy about answering that assertion directly amid the multiple suits that have been brought against such overreach.

Our First Amendment right to code is still being chilled and privacy projects still fear being criminalized. OFAC should stop being cagey and clarify that its intent is not to chill our free speech and privacy rights, and that it will not continue any such policies or double-down on missteps that do so in practice. Then, OFAC must have a real dialogue with the open source and decentralized developer communities about how such clumsy actions impact the future of the internet.