Tornado Cash: why we all should be concerned for our freedoms


Let’s face it: while our democratic authorities continue speaking of privacy as everyone’s right, in reality it is being methodically taken away from us, one bit at a time.

The US Treasury banning Tornado Cash, a crypto mixer, is just the latest in a series of liberticidal government actions, but this time the crypto community’s backlash is remarkable. Is it because the community itself has grown significantly, or because more people are starting to realize how precarious their freedoms have become?

Whatever the exact reasons, now is a good time to revisit the basics: why do we need privacy, why do we need crypto, and what’s at stake if we abandon these notions. But first: what was the Tornado Cash scandal about?

What are crypto mixers?

Tornado Cash is a crypto mixer – a program designed to obfuscate the trace of crypto transactions. More specifically, in Tornado Cash’s case it is a smart contract using zk-SNARK technology that helps increase the privacy of transactions via a shared pool:

– users can deposit fixed amounts of ETH into the pool,
– upon deposit, Tornado Cash gives users a “private note” key, which they send to the intended beneficiary,
– the beneficiary can use the private note to withdraw the funds after a 24h period,
– there’s no direct link between the sender and the beneficiary on-chain.
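A simplified model of the deposit and withdrawal flow listed above, added here as an illustration and not taken from Tornado Cash’s contracts. It shows which values an on-chain observer sees at each step. Assumptions: SHA-256 stands in for the pool’s hash functions, a direct check replaces the zk-SNARK verification, the 24h delay is not modelled, and `ToyPool`, `new_note` and `linking_values` are hypothetical names.

```python
import hashlib
import secrets

def h(data: bytes) -> bytes:
    """SHA-256 as a stand-in for the hashes a real pool uses (assumption)."""
    return hashlib.sha256(data).digest()

def new_note() -> bytes:
    """Private note kept off-chain: a nullifier half followed by a secret half."""
    return secrets.token_bytes(62)  # 31 + 31 bytes, this example's layout

class ToyPool:
    def __init__(self):
        self.commitments = set()   # one entry per fixed-size deposit
        self.spent = set()         # nullifier hashes already withdrawn
        self.public_log = []       # everything an observer can read

    def deposit(self, sender: str, note: bytes) -> None:
        commitment = h(note)       # hides the note, binds the deposit to it
        self.commitments.add(commitment)
        self.public_log.append(("deposit", sender, commitment.hex()))

    def withdraw(self, recipient: str, note: bytes) -> bool:
        nullifier_hash = h(note[:31])
        # Stand-in for proof verification. In a real pool the note never
        # leaves the user's machine: a zk-SNARK proves "I know a note whose
        # commitment is in the set" without revealing which commitment.
        if h(note) not in self.commitments:
            return False           # unknown note
        if nullifier_hash in self.spent:
            return False           # same note used twice
        self.spent.add(nullifier_hash)
        self.public_log.append(("withdraw", recipient, nullifier_hash.hex()))
        return True

def linking_values(pool: ToyPool) -> set:
    """Values that appear in both a deposit record and a withdrawal record."""
    dep = {v for kind, *vals in pool.public_log if kind == "deposit" for v in vals}
    wd = {v for kind, *vals in pool.public_log if kind == "withdraw" for v in vals}
    return dep & wd

if __name__ == "__main__":
    pool, note = ToyPool(), new_note()
    pool.deposit("sender-address", note)            # constructed sample addresses
    print(pool.withdraw("beneficiary-address", note))  # first withdrawal
    print(pool.withdraw("beneficiary-address", note))  # replay is rejected
    print(linking_values(pool))
```

With no shared value between the two records, what remains for an analyst is metadata such as timing, the fixed amount and address reuse.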

It is important to understand that Tornado Cash is not a company: it is a set of open-source smart contracts that exist on the Ethereum blockchain, which people access via a web interface. In the best traditions of crypto, the code was also published on GitHub, available for everyone to check and contribute to.

What happened to Tornado Cash?

This Monday the US Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash for its role in laundering “more than $7 billion” ($1.5 billion according to Elliptic) of “proceeds of cybercrimes” since 2019, including over $455 million stolen in this year’s Ronin bridge hack, allegedly performed by the North Korean Lazarus Group.

Putting the mixer on the OFAC list means that no US citizen, no person residing on US territory, and no US-incorporated entity or its foreign branch may interact with Tornado Cash or with a list of addresses allegedly linked to it.

No business wishes to mess with the US government, and the ban triggered a wave of address blocks across crypto platforms, both centralized, like USDC stablecoin issuer Circle, and decentralized, like derivatives trading platform dYdX or yield protocol Aave.

What’s more, even companies without exposure to the banned addresses have deemed it necessary to distance themselves from the scandal: centralized on-chain data providers Infura and Alchemy have blocked RPC requests to Tornado’s front end, and GitHub has removed Tornado Cash’s source code, as well as the personal accounts of all its contributors.

Things have escalated even further: two days after the ban, the Dutch Crime Agency announced the arrest of a Tornado Cash developer, “suspected of involvement in concealing criminal financial flows and facilitating money laundering”.

What’s wrong with the ban?

The ban and its consequences are intrinsically wrong. They will not help combat cybercrime, but will only endanger already frail personal freedoms and precipitate our common descent toward totalitarianism. These are some of the reasons why:

Privacy is important

Tornado Cash is a privacy tool, which can be used by anyone, whether they are well- or ill-intentioned. All crypto transactions can be consulted on a blockchain, and with enough means it could be possible to trace them to a particular IP address; in the case of well-known addresses (belonging to celebrities, for example), all their activity is de facto exposed to the public – and this can be problematic.

For example, donating crypto to Ukraine could cause unwanted repercussions even if the government of the country where the donor lives is in full support: russian authorities have ways of complicating the lives of dissenting people.

The use of mixers in this case can be necessary to maintain privacy, and none other than Ethereum creator Vitalik Buterin said that he used Tornado Cash to donate to Ukraine. Vitalik has been rather vocal on this issue and does not seem to fear the russians; however, he felt it was important to protect the recipient.

Crypto is permissionless

In the fiat world, a bank can refuse an incoming transaction from a flagged address. In the crypto world, without intermediaries, things do not work this way, and a recent stunt by an unknown user proved it vividly. A series of 0.1 ETH transactions related to Tornado Cash were sent to famous ETH addresses, including those of TV presenter Jimmy Fallon, comedian Dave Chappelle, Coinbase CEO Brian Armstrong, digital artist Beeple…

According to the Treasury’s logic, these addresses should now be blocked, and any law-abiding US citizen should forever refrain from interacting with them. At the same time, it is quite clear this was pure trolling… but how can the authorities, let alone the crypto services that try to stay compliant, distinguish one from the other?

Soon after, Tron’s founder Justin Sun, who was also airdropped Tornado Cash-tainted ether, tweeted that he had been blocked from Aave because his address was “associated with one or more blocked activities.”

The gag showed just how absurd and meaningless the regulation is.

Double standards

Crypto money laundering accounted for a mere 0.15% of all crypto transactions in 2021, amounting to $14 billion, most of which were crypto scams (source: Chainalysis). Of this money, just over $1 billion was sent to crypto mixers.

Global fiat money laundering is estimated at 2-5% of global GDP, or somewhere between $800 billion and $2 trillion (source: UN). Most of it is done by the banks, and despite being repeatedly caught laundering huge amounts of money, none of them actually got banned. Most of the time they weren’t even prosecuted, settling on paying millions in fines for laundering billions in illicit money.

Freedom of speech

The very First Amendment to the US Constitution protects the freedom of speech, and in 1999 software code was ruled to be part of it.

GitHub removing Tornado Cash’s source code can be a precaution, or a reaction to the Treasury’s prohibition of “any contribution or provision of funds, goods, or services by, to, or for the benefit” of the mixer. In any case, it means that the Treasury has created a dangerous precedent of violating freedom of speech.

As to the arrest of the mixer’s developer, it is even more troubling: creating privacy software does not equal engaging in money laundering, just as inventing dynamite does not equal mass murder.

What about real criminals?

The thing about criminals is that by definition they do not shy away from using illegal means, be it weapons, violence, drugs or a mixer service that the Treasury is so afraid of.

How to combat them then? The same way law enforcement is already fighting cybercrime: with the help of on-chain and internet analytics, which, with enough means deployed, make it possible to follow the stolen funds even if they have passed through a mixer.

Defending personal freedom

The Tornado Cash incident has raised awareness of just how many supposedly decentralized crypto services are actually not censorship-resistant. This will likely spur the creation of better privacy-enhancing alternatives and drive more users to the existing ones.

It is reassuring though that despite all the totalitarian measures the US government is deploying, it cannot kill Tornado Cash or other mixers: even if their web interface disappears, the code behind it is still alive and kicking, for it has been deployed on a blockchain. It means that anyone with enough technical skills can run it or replicate it, which likens fighting mixers to fighting windmills.

Some crypto services, like the Wasabi wallet for Bitcoin, use the Tor network (an open-source tool for navigating the internet anonymously) to connect users to random Bitcoin nodes, making it difficult to trace them. Also, Bitcoin’s layer-2 solution Lightning Network could be used to some extent to enhance one’s privacy for small transactions, for it does not store them on the blockchain.

Privacy-enhancing cryptocurrencies like Monero ($XMR) also take on a whole new meaning in the current context. Monero uses ring signatures hardcoded into its protocol, which obfuscate transactions.

Why should you be concerned?

If you believe that you have nothing to worry about as long as you don’t do anything bad, you might be wrong.

Illegal and immoral are two different things: supporting Uyghurs or denouncing war in Ukraine are just some of the examples. A social credit system based on mass surveillance is already a reality in China and russia (the latter less openly admitted, but no less true), and there’s no reason this could not happen elsewhere.

Many aspects of our lives, be it online, financial, medical… are already heavily surveilled, and it takes only an unfortunate far-right (or far-left) election, or a skillfully created media buzz, to justify using this information against us.

An Orwellian dystopia is closer than you think, and crypto is one of the key tools that can prevent it.