Tornado Cash

Several years ago, the Tornado Cash contracts were placed onto the OFAC sanctions list, effectively preventing any U.S. citizen from using them to attain privacy for their onchain transactions. This week, however, the United States Court of Appeals for the Fifth Circuit reversed that ruling. The court argued that "because these immutable smart contracts are not “property” under the word’s common, ordinary meaning or under OFAC definitions, we hold that OFAC exceeded its statutory authority."

This decision allows Ethereum users to withdraw their trapped money from Tornado Cash contracts without violating U.S. sanctions. More importantly, it reopens the Overton Window for potential privacy applications and products. The challenge with privacy tools is that they are a magnet for government attention. If you build a truly private tool without backdoors, it will inevitably attract bad actors. This creates a stigma for those who, like the plaintiffs, have valid personal reasons for wanting to maintain anonymity.

Although this ruling was a win for privacy advocates, there is still work to be done to implement usable privacy for the Ethereum ecosystem. The courts findings apply to a narrow subset of privacy solutions – namely immutable contracts.

Six Tornado Cash users sued the Department under three theories. Their primary theory, and the only one advanced on appeal,22 asserts that OFAC violated the Administrative Procedure Act. They claim that OFAC lacked the authority to designate Tornado Cash as an SDN because (1) Tornado Cash is not a foreign “national” or “person,” (2) the immutable pool smart contracts are not “property,” and (3) Tornado Cash cannot have a property “interest” in the immutable smart contracts.

The crux of the argument hinges on whether an immutable contract can be considered property. The court examined the definition of the term and found that "the immutable smart contracts at issue in this appeal are not property because they are not capable of being owned."

Where a statute leaves terms undefined, we accord those terms their ordinary, "contemporary, common meaning". And the “ordinary” or “plain” meaning of “property” compels summary judgment in Van Loon’s favor. [...] And “one of the most essential sticks in the bundle of rights that are commonly characterized as property” is “the right to exclude others."

So, where does that leave us?

While Tornado Cash's immutable contracts are no longer restricted, the chilling effect on the industry has been noticeable. Aztec Connect shut down their privacy product last year. Nocturne pivoted before they truly got started due to fear of regulatory scrutiny. And existing privacy tools like RAILGUN remain challenging for non-technical users.

Although the ruling lifts the restriction on the deployed contracts, it remains to be seen whether similar enforcement will be taken against individuals and companies who choose to build on top of them. Anyone building in this space needs to be aware of the legal and regulatory risk that makes a hard technical and product problem even harder.

On the other hand, onboarding to crypto has never been easier thanks to cheap transactions on L2s and simplified account management. And the incoming American administration seems favorable to crypto, but it remains to be seen whether this extends to the right to privacy.

It feels like a path towards usable onchain privacy is possible. But it won't happen automatically – we need to build it.