Complaint Illustrates Existential Fight Over OFAC’s Ability to Sanction Open-Source Code – and OFAC Responds (?) By Issuing FAQs on Tornado Cash Use
Last month, the Office of Foreign Assets Control (“OFAC”) sanctioned Tornado Cash, a virtual currency “mixer” operating on the Ethereum blockchain which allegedly has been used to launder the virtual currency equivalent of more than $7 billion since its creation in 2019, by adding it to the Specially Designated Nationals and Blocked Persons List (the “SDN List”). The initial response from certain elements of the crypto community was, not surprisingly, negative: for example, an 8/15 Coin Center whitepaper and an 8/23 letter from Congressman Tom Emmer to Treasury Secretary Janet Yellen argued that OFAC lacked the legal authority.
In the intervening month, things have heated up considerably. Last week, six plaintiffs filed a complaint against OFAC and the Treasury Department, as well as Secretary Yellen and OFAC Director Andrea Gacki in their respective official capacities, in the Western District of Texas (Waco Division), seeking declaratory and injunctive relief – specifically, that the court declare OFAC’s addition of Tornado Cash to the SDN List as unlawful, and permanently enjoin the enforcement of the designation and any sanctions stemming therefrom. Plaintiffs allege that venue is proper due to Plaintiff Joseph Van Loon’s residence in Cedar Park, TX, within the Western District. Plaintiffs’ decision to opt for the Waco Division, rather than the Austin Division, may be intentional, because the Waco Division has only one judge, who until recently has been the go-to choice for patent litigation plaintiffs.
The complaint has and will continue to draw considerable attention. It lays out the framework for a fascinating question: under existing law, can OFAC act directly against a piece of technology such as open-source code? Or, must OFAC pursue enforcement, through a more difficult, piece meal and time-consuming process, only against specific individuals and specific legal entities? Presumably, both sides will invoke broad policy-related and equity-related arguments regarding “privacy,” “transparency,” and the need to fight crime. However, the key issue may come down to a more traditional and rather dry legal issue of parsing the meaning of statutory language.
The Plaintiffs and Their Claims
Plaintiffs each have various professional affiliations to the cryptocurrency industry beyond simply owning crypto assets and utilizing the Ethereum blockchain. Two of the six plaintiffs are current employees at major cryptocurrency exchange platform Coinbase. Three of the six plaintiffs allege that they have Ether (ETH) crypto assets which are now “trapped” in Tornado Cash smart contracts by OFAC’s sanctions. One plaintiff also alleges that he was the target of “dusting,” the term for being sent unsolicited nominal amounts of virtual currency (though he does not allege an explicit nexus between this and OFAC’s sanctions). “Standing” – that is, the ability of a particular plaintiff to bring a lawsuit in federal court by showing a legally cognizable harm – clearly will be a contested issue, and the complaint attempts to detail the alleged harms visited upon each plaintiff by OFAC’s action.
Plaintiffs’ claims consist of three counts:
The first claim, brought under the Administrative Procedure Act (“APA”), 5 U.S.C. Section 706(2)(A) and (C), is likely the most promising claim for the Plaintiffs — certainly, it is the most concrete and straight-forward. It alleges that OFAC’s designation of Tornado Cash was ultra vires, or beyond the explicit terms of its precise statutory authority. Plaintiffs acknowledge that OFAC was delegated the authority ultimately stemming from the International Emergency Economic Powers Act (“IEEPA”) “to regulate certain activities involving ‘any property in which any foreign country or a national thereof has any interest by any person, or with respect to any property, subject to the jurisdiction of the United States.’” Plaintiffs allege that Tornado Cash, as open-source code, does not fall under any of the categories in the statute – that it’s neither “property,” nor “a foreign country or a national thereof,” nor a “person” – and thus is not subject to OFAC’s regulatory authority under the governing statute. Rather, it’s just open-source code. The complaint draws a distinction between the sanctions against Tornado Cash and the sanctions previously issued against Blender.io, described as “operated under central control.” Stated otherwise, the sanctions against Blender.io were permissible, because Blender.io constituted a legal entity — a “person” — that fell within the definition of OFAC’s legal authority to issue sanctions.
The second claim, brought under the First Amendment and the previously-cited section of the APA, argues that OFAC’s sanctions constitute prohibition on protected speech – specifically, that “[b]y providing a certain degree of privacy, Tornado Cash allows Plaintiffs to engage in important, socially valuable speech[,]” and that one effect of the sanctions is that Plaintiffs can’t “use Tornado Cash to make donations to support important, and potentially controversial, political and social causes.”
While the background provided for each Plaintiff indicates his or her interest in maintaining transactional anonymity – a value which generally is antithetical to the values of transparency and accountability both embraced and demanded by BSA/AML laws – the sole allegation in support of this “political speech” argument is that Plaintiff Almeida, seeking to support the Ukrainian war effort while avoiding “target[ing] by Russian state-sponsored hacking groups[,]” used Tornado Cash to “anonymize his donation and prevent his financial history from being associated with his political views[.]” The count goes on to say that “Plaintiffs are also unable to develop code related to Tornado Cash to facilitate improved uses of Tornado Cash and the Ethereum network[,]” the free speech consequences of which are left to the reader’s imagination, and that Plaintiffs “are unable to use Tornado Cash to develop future business ventures, which themselves will engage in socially valuable speech.” It adds that these actions prohibit “many others” from engaging in the same activities, meaning that OFAC’s sanctions prohibit “a substantial amount of protected speech” and are thus “contrary to constitutional right under the APA.”
The third count, brought under the Due Process Clause of the Fifth Amendment, argues that the three Plaintiffs with “trapped” Ether have been deprived of their property without “any process prior to that deprivation . . . let alone due process of law.” It further alleges that such denial of process “is unjustified by any national security interests,” and is thus “contrary to constitutional right[.]” As we explain below, OFAC likely has attempted to blunt this claim by making clear that affected persons do have access to some degree of legal process – however inconvenient. Specifically, persons having an interest in blocked assets can seek to obtain specific licenses from OFAC.
Five days after the filing of the suit, on September 13, OFAC issued four new “Frequently Asked Questions” (“FAQ”) posts in the category of “Cyber-related Sanctions” – all of which deal with Tornado Cash, and several of which appear to directly address issues of the type raised by Plaintiffs in their Complaint.
In FAQ 1076, OFAC specifies that, although engaging in a Tornado Cash-connected transaction is prohibited, “interacting with open-source code itself, in a way that does not involve a prohibited transaction with Tornado Code, is not prohibited”, and goes on to identify copying the code, making it available online, and including it in publications as generally permissible activities. This seems to directly address the portion of Count 2 of the Complaint, wherein Plaintiffs allege that the sanctions prevent them from developing Tornado Cash-related code to facilitate improved uses of the Ethereum network, as well as to push back more generally against free speech concerns.
Likewise, in FAQ 1078, OFAC addresses concerns about whether individuals targeted by unsolicited “dusting” are subject to reporting obligations. OFAC acknowledges that “technically” its regulations would apply to such transactions, but clarifies that “[t]o the extent, however, these ‘dusting’ transactions have no other sanctions nexus besides Tornado Cash, OFAC will not prioritize enforcement against the delayed receipt of initial blocking reports and subsequent annual reports of blocked property from such U.S. persons.”
Finally, and arguably in direct response to Count Three of the Complaint, in FAQ 1079 OFAC provides a roadmap for extracting crypto assets “trapped” by the sanctions on Tornado Cash, declaring that any U.S. persons (or, significantly, “persons conducting transactions within US jurisdiction”) are able to request (via a dedicated Treasury website) a specific license to recover virtual currency from Tornado Cash-involved transactions initiated prior to August 8, 2022, the day Tornado Cash was designated to the SDN List. After presenting an itemized list of the “minimum . . . relevant information” required about the transactions – wallet addresses for both remitter and beneficiary, transaction hashes, dates and times for any transactions, and amount of virtual currency at stake – OFAC states that it “would have a favorable licensing policy towards such applications” – with the obvious caveat that the transaction not involve any otherwise sanctionable conduct.
These FAQs not only clarify OFAC’s regulatory approach; they also seek to peel off the “innocent bystanders” who may have otherwise felt actually or potentially harmed by the imposition of sanctions on Tornado Cash, leaving in opposition only those persons and entities who are fundamentally opposed, whether on principle, out of self-interest, or both, to regulation of the cryptocurrency space. Additionally, and perhaps more tactically, OFAC’s professed willingness to assist crypto asset holders in recovering their “trapped” assets may be a way to flush out bad actors – the detailed information required to recover those assets could and would assist OFAC in fleshing out considerably the picture of Tornado Cash transactions in the days and weeks leading up to the imposition of sanctions, including identifying the virtual wallets of many individuals or entities who have not applied for special licenses (but transacted with people who did). That failure to apply for a special license may itself serve as a red flag, as it may mean (paradoxically, as it turns out) that the wallet holder does not wish to draw the government’s attention to his account.