Clear and Present Regulatory Dangers for Crypto

With help from the legal minds at, we identified three clear and present dangers for crypto which should concern all of us who believe in the cause for a fairer, decentralized future.

1. Tornado: Is writing open source code now illegal?

In early August, the U.S. Treasury sanctioned the Tornado Cash smart contracts, linking them to an alleged $7 billion in illicit transactions, including by North Korean hackers.

For those readers who are not familiar with Tornado Cash, it is a simple yet powerful tool that helps shield transactions on the Ethereum blockchain, which by default shows both the sender’s and receiver’s wallet address for every transaction. Users send a transaction to the Tornado Cash smart contract which then anonymizes it and forwards it on to the destination address.

Tornado Cash is an open-source project: Tornado’s leads decided to open source their front end, which turned the platform into a 100% autonomous dApp.

Two days after the OFAC sanctions were announced, on August 10, the lead Tornado Cash Developer Alexey Pertsev was arrested by Dutch authorities. Even though formal charges are still pending, he was accused of facilitating money laundering.

This sets an alarming precedent by which contributing to an open source smart contract project might lead to developers getting accused of (in this case) money laundering. Whilst we don't have details yet about the actual accusations in this particular case, the legal analysis is that the arrest opens the door for potential criminal liability for any person who uses blockchain and interacts with a smart contract.

From the announcement, it seems OFAC decided to sanction Tornado only after Lazarus - a North Korean state-sponsored hacking group that was sanctioned by the U.S. in 2019 - deposited the hacked funds of the Ronin bridge.

Only an estimated 30% of people who ever used Tornado Cash were related to some criminal organization such as the Lazarus group. Since it is an open-source dApp, anybody can use it due to the uncensored nature of the public blockchain. Yet, following the sanctions, thousands of users are now at risk of being accused.

OFAC recently announced that if you are a U.S. citizen, you need a license to withdraw from Tornado Cash, using the Tornado Cash Compliance app. However, this app is currently not working, so some people’s funds are stuck.

On Sept. 8, Coinbase announced it would be supporting a lawsuit brought by Tornado Cash users against the Treasury Department, alleging it illegally sanctioned the crypto mixer’s smart contract addresses. In a parallel development, on the 12th of October, Coin Center, a U.S. not-for-profit crypto industry group, together with a number of named and unnamed plaintiffs filed a lawsuit against OFAC.

The courts’ decisions in these cases may have wide implications for open source software development.

Following a clarification by the U.S. Treasury that “U.S. persons would not be prohibited by OFAC sanctions from visiting the Internet archives for the Tornado Cash historical website, nor would they be prohibited from visiting the Tornado Cash website if it again becomes active on the Internet,” there is some hope - and precedent - that open source code generally remains out of the crosshairs.

Meantime, Ethereum developers – believing that computer code is protected speech under the First Amendment of the U.S. Constitution – have called on GitHub to reverse its ban of the Tornado Cash code repository it hosts, which happened on September 22nd.

2. Ooki DAO: DAO members are not out of shot

On 22 September, the Commodity Futures Trading Commission (CFTC) imposed a $250,000 penalty against bZeroX, LLC, the developer company of Ooki DAO, together with its founders, for offering illegal, off-exchange digital-asset trading, failing to register with the CFTC, and failing to comply with the Bank Secrecy Act.

The CFTC did so because it believed Ooki DAO is used by U.S. citizens and the DAO doesn’t have a license from the CFTC to provide futures trading services to retail users.

In this respect, the case shows little novelty: regulatory action would arguably have been taken against any provider of CFTC-licensable services found in breach of its regs, DAO or not.

What is novel is that (1) the CFTC Order finds that Ooki DAO itself is liable as an Unincorporated Association, and (2) how the CFTC sought court permission to serve the entire DAO at once by posting the lawsuit on a public forum and through a help bot.

The charges were settled at the same time the Order was issued. However, the settlement only relates to bZeroX, operating as a limited liability company, and its founders. It left standing the charges against Ooki DAO, a successor to bZeroX that operated the same software protocol as bZeroX, of violating the same laws as the respondents.

In a number of Amicus briefs (a filing by “friends of the court”), a group of crypto lawyers urged the court to directly serve any persons it believes have violated federal law rather than the DAO as an entity.

They also claim that DAOs are not “associations” as defined in statute.

The CFTC has yet to respond to the above briefs, which it is obliged to do before 7 November.

Note that Ooki DAO, which is essentially software, is global in its reach and it can be argued that as such it was not providing services to U.S. citizens. Unfortunately, the courts and regulators do not seem to grasp the nature of immutable smart contracts.

Hopefully the Amicus briefs will help elucidate and educate these points.

As a general point, if a DAO can be found liable and authorities seek to enforce charges against it, the default analysis is that DAO Members are jointly and severally liable as partners in an unlimited partnership.

This could leave token holders in a DAO individually exposed.

3. Regulations from Europe

As per our earlier blog in The Otonomist of May 2022, the E.U. is now in the process of adopting extensive regulations with regards to crypto transactions in Europe, which will also drag crypto transactions that originate or terminate outside Europe in its regulatory net.

Adoption of these new regulations has now come a step closer after the European Parliament’s Committee on Economic and Monetary Affairs (ECON) on 10 October voted to support the MiCA (Markets in Crypto Assets) Regulation provisional agreement reached on 30 June. The lawmakers from the Parliament’s ECON and LIBE committees also voted on the same day to support the Transfer of Funds Regulation (or TFR, also known as the Travel Rule).

The further steps towards adoption include a final vote at the EU Parliament Plenary, translation of the final text into EU official languages, and publication in the Official Journal.

This means that, provided there are no further bumps on the road, both MiCA and TFR are expected to enter into force in 1Q 2023.

However, the actual rules regarding stablecoins will kick in 12 months after the entry into force of the new regs, i.e. earliest by 1Q 2024. All other rules, including licensing of crypto asset service providers and the TFR, will start 18 months after the new regs enter into force, i.e. earliest by 3Q 2024.

With the new rules, the E.U. claims it seeks to protect investors and preserve financial stability while allowing innovation and fostering the attractiveness of the crypto-asset sector.

However, there is reason for concern, given the large role given to various European regulators, most notably the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA) which are captured by TradFin, and the recent heavy-handedness by Dutch authorities in the Tornado Cash case, arresting one of its lead developers without charges so far (see 1 above).

There is a widely held opinion by crypto practitioners and legal experts in Europe and beyond that Europe’s TradFin is capturing the E.U. legislative process to kneecap crypto in Europe, in various ways:


Stablecoin issuance in Europe will for all intents and purposes be limited to E.U.-licensed entities, i.e. banks and financial institutions. Algorithmic stablecoins would be out of the question altogether.


Beyond stablecoins, under the stated goal of unifying AML policies within Europe, sending or receiving a cryptocurrency to or from an E.U.-based centralized exchange or crypto asset service provider (as defined) will be subject to restrictions that go further than fiat transactions, resulting in lower speeds and higher costs.


Whilst the final texts currently exclude DeFi, that is, crypto asset services provided in a “fully decentralized manner without any intermediary”, it is not clear if existing DeFi protocols would meet this definition.

Even if they do, the E.U. Commission is already working on an assessment of the development of DeFi and whether the regulatory treatment of DeFi is adequate. That will take the form of an interim report in Q1 2025 and a full report in Q1 2027, and the results are likely to lead to new rules for DeFi.

E.U. presence required

Already, if a DeFi protocol is deemed a crypto asset service provider under the new regulations, it will be obliged to have a presence in one of the E.U. Member States (whatever this means for a dApp…!). New DeFi projects will also need to file a white paper.

Personal information

In addition, if the travel rule were to apply to DeFi, this could mean that any DeFi user, even when based outside the E.U., would be asked to provide identifying information when receiving or sending crypto from/to any individual or organization in Europe.

These rules carry the risk of serious infringement of the right to privacy and financial freedom. As a reminder why financial privacy is fundamental, below is a slide shared by Kurt Opsahl, General Counsel of the Electronic Frontier Foundation, during the closing ceremony of DevCon VI.

Why privacy is fundamental even if most of us have nothing to hide. Courtesy Kurt Opsahl.

When living in the wrong regime, even those who have nothing to hide may find that soon they have nowhere to hide.

The time for action is now

Since Europe is first out of the blocks on comprehensive crypto regulations, its regulatory model based on massive surveillance could inspire other countries to follow.

There is still time to influence the debate and educate lawmakers on the benefits of DeFi, why financial freedom is fundamental and how Europe risks missing the economic opportunity of Web3.

However, the time to gear up for action is now if we are to avoid sleepwalking into a massive surveillance regime seeking to censor our fundamental freedoms.

With this in mind, Otonomos is one of the drivers behind an E.U. Action DAO which, together with existing industry groups such as the European Crypto Initiative, is exploring various ways to influence the debate, including a crowdfunded LitigationDAO to test the legality of Europe’s new regulations in court.

With special thanks to

> Join the E.U. Action DAO official Telegram channel today.
