The Importance of Digital Privacy
Why the Tornado Cash sanctions are a big deal
👋 Welcome to the 31st issue of The Syllabus from Invisible College — a weekly newsletter that helps you navigate the fast-moving world of web3.
Before we begin, a disclaimer — nothing in this piece should be construed as financial or legal advice. With that, let’s dive in.
We’ve got some great events coming up:
Fri. 8/26 @ 9 am PT: Learn about the latest updates from Invisible College at Town Hall*
Tues. 8/23 @ 2 pm PT: Get up to speed on what’s happening in the NFT space during NFTuesday*
*To access these events, you’ll need to hold at least one Decentralien NFT.
Now onto this week’s post…
What do the curtains in your home, the door to the conference room at your office, and the padlock icon in your web browser all have in common? They’re all forms of privacy.
Most people would likely agree that privacy is one of the most important rights they have. This is part of why the recent sanctions levied by the U.S. Treasury’s Office of Foreign Assets Control (OFAC) on Tornado Cash are so troubling.
What is Tornado Cash?
Tornado Cash is a crypto mixing service built using a smart contract on the Ethereum blockchain. Users plug potentially identifiable cryptocurrency funds into the protocol, where they’re then mixed with a large pool of other funds. One important point is that users get exactly the same funds back, not anyone else’s. Their funds are held for a long period of time and distributed at random times so as to make them difficult to trace.
If you had heard of Tornado Cash before OFAC’s decision, you probably read about one of the many times it was used by nefarious hackers to launder crypto.
In fact, this is exactly what OFAC references in their press release, writing that Tornado Cash “has been used to launder more than $7 billion worth of virtual currency since its creation in 2019. This includes over $455 million stolen by the Lazarus Group, a Democratic People’s Republic of Korea (DPRK) state-sponsored hacking group…” Then they go on to mention several other instances where lower amounts were laundered.
There’s no doubt that $7 billion is a staggering number. And there’s no doubt that money laundering is an important problem that should be taken seriously by government agencies.
But, as with most things, the more legitimate (i.e. boring) uses of the technology don’t garner the headlines.
According to Chainalysis, as of last month, “Illicit addresses account for 23% of funds sent to mixers so far in 2022, up from 12% in 2021.” Despite the year-over-year increase, the data clearly show that the vast majority of mixer use is above board, and most of it comes from centralized exchanges and DeFi protocols.
Who exactly is in trouble here?
Perhaps the most striking aspect of the OFAC sanctions is that they imposed them on a smart contract, which is essentially just open source code. Typically, they add people who are tied to illegal activity—and, in the case of crypto, their wallet addresses—to the Specially Designated Nationals (SDN) list, not the software program they used.
Coin Center, a non-profit crypto advocacy group, believes this is a massive overreach by the U.S. government and they’re considering challenging it in court.
In Amsterdam, a 29-year-old developer who worked on Tornado Cash was arrested in conjunction with his work on the protocol and “suspected involvement in concealing criminal financial flows and facilitating money laundering through the mixing of cryptocurrencies.”
To be clear, he was arrested in the Netherlands, not the U.S. But the timing of the arrest, mere days after the OFAC press release, and the implications of a developer being arrested for building open-source privacy software sent crypto Twitter reeling.
This tweet from Greg Osuri, founder of the Akash Network, sums it up well:
RYAN SΞAN ADAMS - rsa.eth 🦇🔊 (@RyanSAdams): “They arrested the developer of tornado cash. 🚨 I repeat: a man was arrested for writing code that served as a public good for people to maintain their privacy online. They put a man in jail because bad people used his open source code. This cannot stand in any free society.”
The arrest made finding out the answers to these questions feel all the more pressing: What happens to people who interacted with Tornado Cash, even if their reasons for doing so weren’t illicit? What happens if you sent funds into it or received funds that came from it?
Could this hilarious shitpost actually come true?
The Importance of Digital Privacy
A common retort you’ll hear when stories of this nature come out is, “Well, I’m not worried because I’m not planning on doing anything illegal.”
It’s an understandable stance to take. Most people won’t get involved with state-sponsored hacking groups and find themselves with the need to launder millions of dollars’ worth of crypto. But keep in mind Tornado Cash is (was?) also used by everyday people who wish to keep their financial activity private given the transparent nature of the blockchain.
Dan Finlay from MetaMask outlined a bunch of non-illicit reasons someone might want financial privacy in a Tweet thread.
And other users sounded off in the replies with even more ideas. Yet, the most important takeaway is that nobody should have to justify why they want to keep their financial activity private in the first place.
As more and more of our financial lives move online, we have to figure out ways to address the cost of criminals being able to use these new technologies for nefarious purposes without undermining our fundamental right to privacy.
Other Recommended Reads and Listens
The Death of Crypto Privacy?
Lawyer and head of policy for the Blockchain Association, Jake Chervinsky, joins the Bankless podcast to dive deep into the Tornado Cash situation
The Case for Modular Maxis
David Phelps uses apt analogies to explain the complex topic of modular blockchains
NFT Investing Lessons
Matt Kim writes a tweet thread with 19 helpful NFT investing tips
Invisible College is a school that helps people learn to build and invest in web3. To access our courses, events, and learning community, you’ll need to hold at least one Decentralien. You can get yours on Magic Eden.