OFAC Overstepped Authority: Tornado Cash Case Redefines Tech-Law Boundaries
Colin Wu . 2024-11-27

Arthur | ZHIXIONG PAN

Can immutable smart contracts become the target of sanctions? This is the core issue faced by the U.S. Fifth Circuit Court of Appeals in the Tornado Cash case.

Yesterday, the court ruled that the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) exceeded its authority in sanctioning Tornado Cash. This decision not only marks a victory for the plaintiffs but also sparks discussions about technological neutrality and the boundaries of law.

The rise of blockchain technology has brought a revolution in privacy and decentralization, accompanied by regulatory challenges. When the privacy tool Tornado Cash became the focus of money laundering controversies, the U.S. Treasury imposed strict sanctions on it.

However, the court pointed out that Tornado Cash’s immutable smart contracts do not align with the traditional legal definition of “property.” These smart contracts are decentralized, self-executing, and uncontrolled code, which cannot be owned or exclusively used. Therefore, listing them on the Specially Designated Nationals and Blocked Persons List (SDN List) was deemed beyond the scope of legal authorization.

The impact of this ruling extends far beyond this specific case. It not only concerns the legality of blockchain privacy tools but also touches on significant issues of technological neutrality and the adaptability of laws. This decision provides a direction for future legislation and regulation — emphasizing the need to distinguish the inherent attributes of technology from the actions of malicious users, thus avoiding excessive expansion of administrative power due to the neutrality of technology.

In fact, the judgment document in this case contains a wealth of details and content worthy of attention.

Who Are the Plaintiffs?

The plaintiffs identify themselves as users of Tornado Cash and, more broadly, as participants in the Ethereum and crypto ecosystem. Their backgrounds include security audit teams, Coinbase, client developers, and hardware wallet providers, and they are supported by Coinbase’s legal team. The plaintiffs are:

1. Joseph Van Loon (Auditware, formerly Apple)

2. Tyler Almeida (Coinbase)

3. Alexander Fisher (Angel Investor)

4. Preston Van Loon (Ethereum core developer and Offchain Labs/Arbitrum)

5. Kevin Vitale (GridPlus)

6. Nate Welch (formerly zkSync, Coinbase)

Who Are the Defendants?

1. The U.S. Department of the Treasury and its Secretary, Janet Yellen.

2. The Office of Foreign Assets Control (OFAC) and its Director, Andrea M. Gacki.

Why Did the Plaintiffs File a Lawsuit?

The plaintiffs sued the defendants, arguing that they exceeded their legal authority by designating Tornado Cash’s immutable smart contracts as “property” and imposing sanctions. They argue this violates the International Emergency Economic Powers Act (IEEPA) and the Administrative Procedure Act (APA).

The plaintiffs contend that these contracts are decentralized, self-executing code that cannot be controlled or owned, and therefore should not be subject to sanctions.

Which Court Issued the Ruling?

The United States Court of Appeals for the Fifth Circuit issued the ruling. This court is an intermediate appellate court within the federal judiciary system. Above it is the Supreme Court of the United States, which sits at the top of the federal judiciary as the final authority. Only a small number of cases reach the Supreme Court, either through appeals or special permissions such as a writ of certiorari.

What Was the Court’s Ruling?

The court ruled that the defendants (OFAC) violated the International Emergency Economic Powers Act (IEEPA) by sanctioning Tornado Cash, as immutable smart contracts do not meet the definition of “property.”

The court determined that these smart contracts are decentralized, self-executing, and uncontrollable code, and therefore should not be subject to sanctions. While acknowledging that technology can be misused, the court emphasized that administrative agencies do not have the authority to expand the scope of sanctions beyond what the law permits. Ultimately, the court overturned the sanctions and urged legislative bodies to address legal gaps related to emerging technologies.

Why Did the Plaintiffs File a Lawsuit on Behalf of Tornado Cash?

Although none of the six plaintiffs are Tornado Cash developers, they all stated that they are users of Tornado Cash and emphasized their reliance on it to enhance privacy for legitimate purposes.

For example, Tyler Almeida used Tornado Cash to anonymously donate to support Ukraine, fearing potential retaliation from Russian hacker groups if his transactions were traced. Similarly, Kevin Vitale turned to Tornado Cash for privacy protection after discovering that someone had linked his cryptocurrency activities to his physical address. The other plaintiffs cited similar reasons for their use of Tornado Cash.

What Does “Immutable” Mean, and Why Is It a Core Keyword?

The case involved extensive discussion, definition, and analysis of the term “immutable,” effectively recognizing the unique characteristics of decentralized systems and smart contract technology. The court acknowledged that the distinct nature of decentralized technologies poses unique challenges to the existing legal framework.

The court’s final ruling stated:

Because these immutable smart contracts are not ‘property’ under the word’s common, ordinary meaning or under OFAC definitions, we hold that OFAC exceeded its statutory authority.

It further clarified:

The immutable smart contracts at issue in this appeal are not property because they are not capable of being owned.

And as a result, no one can ‘exclude’ anyone from using the Tornado Cash pool smart contracts.

The court defined immutable smart contracts as follows:

A mutable smart contract is one which is managed by some party or group and may be changed.

An immutable smart contract, on the other hand, cannot be altered or removed from the blockchain. Importantly, a mutable contract may be altered to become immutable. But that is an irreversible step; once a smart contract becomes immutable, no one can reclaim control over it.

But Hackers Are Using Tornado Cash for Money Laundering. What’s the Solution? For Now, There Isn’t One.

The North Korean hacking group Lazarus Group has reportedly stolen nearly $1 billion worth of cryptocurrency through cyberattacks and used mixers to obfuscate the origin of the funds, completing the laundering process. OFAC accused Tornado Cash of enabling money laundering, alleging that more than 65% of Lazarus Group’s illicit funds in 2021 were laundered using mixers, with Tornado Cash being one of the primary tools.

As a result, Tornado Cash was indirectly linked to Lazarus Group’s laundering activities and placed on the sanctions list.

The court acknowledged that, while Lazarus Group did use Tornado Cash, this does not constitute a lawful basis for sanctioning the entire protocol. Immutable smart contracts do not fall under the traditional definitions of “property” or “services,” and sanctioning the entire protocol based on the misuse by certain users, such as Lazarus Group, is unjustified.

Thus, OFAC’s actions exceeded its legal authority. The court emphasized that resolving this issue requires updating legislation rather than expanding the current sanctions framework.

The IEEPA Was Enacted in 1977, Long Before the Modern Internet

OFAC’s primary legal basis for sanctioning Tornado Cash was the International Emergency Economic Powers Act (IEEPA). However, the court noted that “IEEPA was enacted in 1977, long before the invention of the modern Internet.”

IEEPA grants the U.S. President the authority to impose economic sanctions on foreign-related “property” in response to “unusual and extraordinary threats” to national security, the economy, or foreign policy. OFAC classified Tornado Cash as an “entity” and designated its smart contracts as tools linked to cybercriminal organizations like North Korea’s Lazarus Group.

However, the court emphasized that adapting laws to address challenges posed by new technologies is the responsibility of Congress, not the judiciary. The court rejected the Treasury Department’s attempt to expand administrative powers through judicial interpretation and refused to fill legislative gaps by stretching the scope of existing laws.

Conclusion

The significance of this ruling goes beyond the legality of Tornado Cash’s privacy tools. More importantly, it establishes clear legal boundaries for the blockchain industry and the development of decentralized technologies. The unique characteristics of immutable smart contracts were deeply examined in this case, and the court’s decision provides crucial judicial support for the legitimate use of similar technologies in the future.

At the same time, this presents a new challenge for regulators: how to strike a balance between protecting technological innovation and privacy while effectively curbing its potential misuse for illegal purposes.

Ultimately, this is a technology of great appeal, as highlighted by these two sentences from the court’s decision, which succinctly capture its uniqueness:

Simply put, regardless of OFAC’s designation of Tornado Cash, the immutable smart contracts continue operating.

Even with the sanctions in place, “those immutable smart contracts remain accessible to anyone with an internet connection.”
