Is the Office of Foreign Assets Control's Sanctioning of Tornado Cash a Threat to the Future of Financial Privacy?

Listen & Download

Tornado Cash is an open source, decentralized cryptocurrency tumbler that was introduced in 2019.  The service allows users to mix identifiable Ethereum cryptocurrency funds with others, thus obscuring the trail back to the funds original source.  On August 8, 2022, the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash, making it illegal for United States citizens, residents, and companies to receive or send money through the service.  OFAC claims that Tornado cash is responsible for laundering more than $7 billion in virtual currencies, including money believed to be stolen by North Korea and criminal groups.

As opposed to sanctioning people, organizations, or particular addresses associated with rogue regimes, OFAC has sanctioned the code of Tornado Cash itself, causing critics to claim that OFAC has exceeded its statutory authority .

Join our experts as they discuss OFAC’s blacklisting of Tornado Cash, potential litigation from opponents, and the broader implications for financial privacy, national security, and free speech.



Paul Brigner, Head of U.S. Policy and Strategic Advocacy, Electric Coin Company.

Michael Mosier, General Counsel, Espresso Systems

Kevin Werbach, Professor of Legal Studies and Business Ethics at the Wharton School, University of Pennsylvania

Moderator: J.W. Verret, Associate Professor of Law, Antonin Scalia Law School, George Mason University 



As always, the Federalist Society takes no position on particular legal or public policy issues; all expressions of opinion are those of the speaker.

Event Transcript



J.W. Verret:   I want to thank everybody for joining today. Just to give a brief introduction of the topic and of our panelists. First, what are we about today? The Office of Foreign Assets Control decision to sanction something called Tornado Cash. What is Tornado Cash? If you're interested in cryptocurrency -- if you're not, I'll give a basic discussion of it and then I'll give our panelists a chance to clean up my basic introduction with their expertise and their knowledge of what's going on here.


If you use Ethereum, if you use Bitcoin, if you use other cryptocurrencies, you might be familiar with the idea behind them. They are tokens. You can trade them on public blockchains, essentially public ledgers. The thing about cryptocurrency, particularly Bitcoin, is it's public. The public keys are public. And it is something called pseudonymous. That means that your transactions are associated with a public key. A public key is a string of numbers and letters. If no one knows your public key, then they don't know the things you're doing on the blockchain, if you're making payments, if you're taking payments from other people, if you're storing assets on the blockchain. People don't know, if they don't know your public key, what you're doing. But the moment they learn the identity of your public key, then they have the equivalent of access to your bank account and access to your credit card statement because they can use that public key, their knowledge of your public key, to then see on the public record of the blockchain everything you've ever done with assets on the blockchain. They can see the assets that you currently hold.


So in order to solve this problem, this privacy problem, a number of tools have been invented by people, by developers, by coders working on blockchains. One of these tools was something called Tornado Cash. The idea behind Tornado Cash is Tornado Cash is smart contract code. It was attached to the Ethereum blockchain. It was implemented on the Ethereum blockchain and you could take Ethereum, you could take ETH, that you might have bought let's say at FTX or at Coinbase or wherever, and you could take it to the Tornado Cash smart contract code. And when you did so, when you sent it to that smart contract address, you were given in exchange a note. And then you could give back that note in exchange for Ethereum.


But the key function of the Tornado Cash smart contract code was it would cut the transaction history from your future transactions. So it's like if somebody gave you a US dollar that was associated with you for some reason. You could exchange it with someone else for a different dollar. Dollars are fungible. And you could have this property of fungibility going forward. Now, of course, you still had, in the future, a new public key associated with that Ethereum. If anybody could learn it, then they could learn your transactions. But that transaction history cutting was helpful because if you onboarded in some way through some central intermediary like a central exchange, they have your information as you register with that platform.


But you could use the Tornado Cash smart contract code to cut that transaction history and therefore those exchanges couldn't monitor your future transactions or anyone who learned by way of those exchanges. Including, we've recently learned one way in which exchanged information can become public, or intermediary information can become public -- we've seen the bankruptcy of an intermediary called Celsius in which the transaction history on the exchange was included in the bankruptcy filing. So in the future that risk is becoming apparent to all of us that if we're buying and selling crypto on a central exchange, that could be one way in which the public learns about your public key and therefore these privacy tools are more and more necessary.


So the other thing about Tornado Cash is it was used by bad guys to some extent including prominently North Korea. I think the estimates from forensics firms like Chainalysis are somewhere between 10 to 20 percent of the transactions on Tornado Cash involve North Korean hackers trying to wash their money. But the Tornado Cash smart contract code was also used by legitimate individuals, and I think at one point one of the largest users was Vitalik Buterin, one of the founders of Ethereum. And he used it to maintain privacy in his use of ETH.


So along comes the Treasury Department. The Office of Foreign Assets Control sanctions Tornado Cash. And not only did they sanction addresses associated with Tornado Cash, but they sanctioned "Tornado Cash." What does that mean? It seems like, I think the best interpretation of what they were trying to do, is they were sanctioning code itself. Which is kind of like if OFAC came along and said, "You know what? We hereby sanction Microsoft Excel." And therefore anybody using Microsoft Excel is sanctioned. Any money that is -- or sanctioning Quicken let's say. Some program that handles and manages money. Anybody whose money was managed by Quicken, that money is frozen. Kind of a ridiculous outcome.


There is litigation going on against the Treasury Department at OFAC right now. Some employees at Coin Center have brought litigation. And the -- sorry. Some employees at Coinbase have brought litigation and Coin Center has brought litigation both challenging the OFAC's authority to sanction Tornado Cash. There are free speech issues involved. There's also statutory authorization issues involved because the statute and executive order give OFAC the power to sanction individuals and groups of individuals and entities -- business entities. But there's nowhere in the statute that the OFAC gets the authority to sanction smart contract code -- to sanction code language itself. So we'll see how those litigation issues play out.


This is an interesting topic to me because it's also one of those topics where groups very active in The Federalist Society tend to disagree. We've often had debates between libertarians and conservatives within The Federalist Society as a debating society. So this is one of those interesting topics. I first came up in The Federalist Society just after 9/11. And I remember there were a lot of -- at the National Lawyers Convention and student chapters -- a lot of debates about the Patriot Act and particularly the financial surveillance provisions of the Patriot Act. A lot of interesting debates between libertarians and conservatives about the Patriot Act.


I think this brings up some of the same issues. And that's why I thought, "You know what? You know what would be a great idea? Let me find the smartest people I know on this issue, put them all on a webinar, and we'll talk about this issue and kind of flesh out all the issues involved from financial privacy, the legal issues, AML & KYC," which is short for Anti-Money Laundering and Know Your Customer rules that have traditionally applied to banks but are now being increasingly applied to cryptocurrency in ways that don't quite fit. Particularly because so much of what happens in cryptocurrency is decentralized and doesn't involve centralized institutions. And those AML & KYC issues are kind of corollary to these OFAC issues. These two agencies at the Treasury Department that do different things but are oftentimes focusing on the same -- a lot of the same policy issues.


So that's where we are. That's my introduction. Probably inartful. Hopefully tees up our panelists coming in and kind of telling me where I missed a little bit in that description. But that's the basics of where we are. So I want to introduce our terrific panel. I'm so excited to have y'all to have a discussion today.


Paul Brigner joins us from the Electric Coin Company. Paul is the head of strategic and global advocacy for the Electric Coin Company. The Electric Coin Company is a company that helps to build and develop the Zcash ecosystem, one of my favorite privacy -- some people call it a privacy token, but I think the explanation is a little bit bigger than that. It's a fork of the -- let me just basic say, it's a fork of the Bitcoin blockchain that is privacy focused, that has privacy at its core, and some of the founders, including Zooko Wilcox, were originally very involved in the early days -- the very earliest days of Bitcoin. And its founder indeed, I think, was often proud to say he was the first to blog about Bitcoin. So it's great to have your perspective here, Paul, today.


Michael Mosier joins us from Espresso Systems. Michael was the former acting head of FinCEN. So the point person at the treasury department for AML & KYC and on the other hand, he's a crypto guy. So a perfect perspective to have today. Knowledgeable about the internal workings of treasury, AML & KYC issues, and OFAC issues from serving as active head of FinCEN but also developing privacy respecting but also compliance programs within the crypto native economy. So we'd love to learn more about that today, Mike.


Professor Kevin Werbach joins us from the Penn Business School. The Department of Business and Legal Ethics at the University of Pennsylvania Wharton Business School. Kevin is one of my favorite professors. I'm a graduate of his online program in the economics of blockchain. And I've learned a terrific amount from that program, and I recommend all our listeners take it.


All right. So here we go. We've got everyone. Let me jump in and just give folks a chance. Do y'all want to jump in and just kind of maybe clean up my initial discussion -- my initial framing? I'm sure I missed some pieces. Let me turn it over to Mike. Is there anything that, on the technical side, that our audience needs to learn a little more about?


Michael Mosier:  Actually, J.W., no. I thought it was perfect. That was a perfect laydown of it. And the thing that I might draw some attention to just from the having been in treasury for some of this illicit finance work is, I think you noted appropriately that the blockchain analytics companies assessed that the identifiably North Korean illicit amounts were maybe maximum 20 to 30 percent which is certainly, at a gross level of value, is meaningful to the North Korean regime. But it's also important to look at collateral impact when you're looking at easily 70 percent of the use being legitimate or at least not identifiably a threat or supporting an authoritarian regime or something like that.


So I think it's that collateral impact piece that set off a lot of the debate including, I think, in some way proving the use case that privacy is a really important thing to folks operating on the blockchain with public ledgers where even what treasury deems as really horrible, which -- and certainly supporting an authoritarian regime is an issue -- had 70 plus percent use that didn't seem identifiably bad. And I think that's a meaningful statement that we absolutely have to have privacy in this space, full stop. And we can have lots of discussion about how the weighing should have been on the collateral impacts, and was this even the right tool to use? But I just think it's important to level set up front about that piece.


J.W. Verret:  Let me turn it over to Paul. Paul, I play around with all the privacy technology. I try to grab it all, play around with it and I've fallen in love with some of them, like Zcash. Should I be worried about Zcash? How is the position of privacy tokens a little bit different perhaps than privacy tools? Tornado Cash was a privacy tool. And some privacy tools have identifiable intermediaries like bitcoin mixers. Some don't. Even on Bitcoin, like Bitcoin Whirlpool, kind of has an intermediary but kind of not. It kind of could take on a life of its own even if the various wallets associated with it were no longer working. How worried should I be? How worried are you? And what other perspective can you share with us?


Paul Brigner:  Well, first, thank you, J.W., for allowing me to be here. Thank you to The Federalist Society. This is quite a treat to be on this webinar with really distinguished panelists. So thank you for this opportunity.


And should you be worried? I think absolutely you should be worried. We should all be worried. This is what I perceive as a direct attack on the ability to have privacy in the brand-new cryptocurrency economic world. And this tool, as has been pointed out, was used by a lot of legitimate actors and that's some of the situations that are being highlighted in the cases that Coin Center is bringing, for example, with the ability for Coin Center to accept donations anonymously through tools like this or for individuals to be able to raise money for the war effort to support Ukraine such that they would not be identified and that might have retribution from the Russian government.


This has a lot of very important legitimate uses, and it goes to a very central issue and that is whether or not privacy is required to have economic freedom. And I think that is something that would resonate with a lot of Federalist Society members. And it's actually at the core of our mission at Electric Coin Company is to develop Zcash to contribute -- to support a fair and open currency to protect the freedom, dignity, consent, and security of all people. So what we have tried to do is to create a digital cash that has the privacy mechanisms similar -- different, as you pointed out -- but quite similar to what was available through Tornado Cash. In fact, the Electric Coin company is kind of -- well, we are the pioneer of zero-knowledge proof technology, the technology that was used in Tornado Cash. And in fact, they borrowed our coin base -- I mean our source code -- our source code base in order to create that.


So absolutely, should you be worried. And we can get into this in more detail, but the reason that it is even more concerning is that this is, in legal terms, in my view, an ultra vires action on the part of this government agency. If there's no authority to back up this action, then what is the limit to their power? Where will they stop? Will they come after Zcash, or will they come after something else citing this power that they have that is actually not, in their view, constrained to entities and persons and foreign actors as the statute outlines? So that's a nice start. So thank you.


J.W. Verret:  Yeah. Thanks, Paul. And this brings in -- I've heard a lot of folks who are leaders in specifically, not only crypto privacy, but just generally encryption, have drawn an analogy to the encryption wars of the '80s and '90s. And for folks that don't know that history that goes back a long way, essentially it boils down to this. It used to be that the NSA and the government had a monopoly on encryption, the process of encrypting information, of secret codes. Codes are cool, right? We all like codes. And we all -- a lot of people probably have played around with a basic Caesar cipher. You know, A becomes B, B becomes C, D becomes E. When you're a kid, you do this cipher, and you send messages to your friends. I don't know. Maybe I was the only nerd who did that.


But the federal government took a position in the '80s and '90s saying, "Look, more sophisticated encryption than that" -- encryption for computer communications, the emerging internet. The federal government said, "Encryption is a" -- what is it? It's an armament. It's treated like an armament -- a munition. Sorry. Munition, that's right. And went after Phil Zimmermann and made his life very difficult for a number of years. And eventually he won, and now, the government is flipped. And the government says, "Look, if you're going to have sensitive information about kids, about financial stuff, you got to have encrypted communications. You got to use encrypted communications."


Do you think we're headed for the same kind of thing? That eventually the government will flip and say, "Okay. Fine. We get it. It's a national security issue. You need encrypted, secure, private transactions on chain to protect you from North Korean hackers who are trying to steal your crypto." Do you think we'll eventually get there?


Paul Brigner:  I certainly have hope that we will. And that is what I fight for every day. Many others do as well. In fact, just last week was Global Encryption Day. And it's sponsored by a large coalition of many international organizations. On October 21st every year, we celebrate this day to remind ourselves that we still have to fight for encryption. And there are places around the world, other governments, that are still fighting the crypto wars that we fought here in the US back in the '90s trying to have ways -- have access to backdoors like in end-to-end encryption or other methods. But what we're seeing is some of the ways that governments are doing this are not exactly asking for the backdoor, but a little more subtle than that. And I see the Tornado Cash sanctions as in fact, that happening here in the US. I think that it is like a direct attack, in my view, on the ability to use encryption, end-to-end encryption, in financial transactions. So from that perspective, it's very disturbing.


And by the way, I spent half of my career writing software. Before I went to law school and started working in policy, I was a technical person. And so these technical issues are very important to me -- and the ability to write code and how that code can be also viewed as freedom of speech. There's so many different angles and ways that this action is really disturbing that I think there's just a lot for us to continue to dig into here.


J.W. Verret:  If they can sanction this code -- you see, the proponents of this like to say, "Well, North Korea. Therefore, let's raise our hands and let the treasury do whatever they need to do." But it's a lot -- I hear you saying it's a lot more subtle than that. If they can sanction this code, they can sanction any code. And if they can sanction any code, then our online personalities, our online anonymity, our online security is under threat.


Paul Brigner:  That's exactly right. There's an incredible amount at risk here.


J.W. Verret:  And they could have -- they could have sanctioned particular addresses associated with North Korea and not sanctioned Tornado Cash itself.


Paul Brigner:  And in fact, that has happened. And the crypto community had no issue with that, as far as I'm aware.


J.W. Verret:  Kevin, I want to go to you. You've been studying crypto for a long time. You've been writing about crypto for a long time. You've seen the dream that is crypto, the use cases that, some of which have been proven, some of which are aspiring. The idea that maybe crypto can take over finance and decentralize finance. It's finance for the people. Intermediary rent seekers can be replaced.


DeFi has been very powerful and kind of shows that they're pretty -- lots still to do -- but pretty far along in that. The idea of NFTs, of digitizing art and creating markets for art, and art as identity, and art as gatekeeper to social communities. The idea of decentralizing social media. More of an aspiration at this point. It's hard to -- it's a long way to go for decentralized crypto based technology to overtake Twitter and TikTok. But who knows? Maybe that will be possible. And lots of other ideas around what blockchain could do -- what public blockchains can do.


If we take away the aspect of anonymity or pseudonymity protected by privacy tools -- if we take away that kind of anonymity, the essentialist nature of blockchains, particularly Bitcoin, if we take out that puzzle piece of the Jenga game, does it all fall apart? What do you think are the broader implications for the dream that is crypto?


Kevin Werbach:  Yeah. I'd like to take a step back a little and maybe push back on some of these things. I absolutely agree that there are some real concerns about the OFAC action on Tornado Cash, and it raises some hard questions. But I don't see this as entirely analogous to what happened in the encryption wars. And I definitely don't see it as clearly an effort to eliminate all privacy in financial transactions.


The first general point is technologies have affordances. Technologies create certain capabilities, and they impose certain limitations. And what is so exciting and so promising about blockchain technology is the potential that it creates. It allows for, what I call in the book that I wrote, a new architecture of trust. A way to trust in transactions without having to trust a central intermediary and that is valuable economically. That's valuable ethically. It's valuable from a business standpoint and in all sorts of other ways. There's all sorts of efficiencies to be gained from having systems that don't rely on central intermediation points. But it's not the same as saying, "Everything is good. There's no limitations." And that trust goes away as a consideration. There are tradeoffs.


So for example, there's a fundamental trade off which is right there if you go back to the original Satoshi Nakamoto white paper about Bitcoin. It very clearly says there's a privacy security tradeoff. When you have a bank, the bank keeps your information secret, but the bank knows who you are. The bank knows your identity and you're trusting the bank. With a blockchain system like Bitcoin, there's no central entity in the middle but then the responsibility is on you to maintain security of your information. And that's a tradeoff.


So one reason that we've had hack after hack -- billions of dollars that have been lost in hacks on blockchain systems. Most of them are not because the system is insecure, it's because that private cryptographic key, which you started talking about at the beginning, that’s you. And if someone steals my key, with a basic system like Bitcoin, then they're me. And I have to keep the key secure. It's not a bank that keeps it in a vault with all of their security. It's me. Now, there's lots of ways to improve on the technology and enhance the technology to address those issues. There are ways to make the technology more private. Things like Zcash. There are things to make it more usable. But these are all about engineering design tradeoffs that are partly about functionality, partly about usability, and partly about implications for regulation in public policy.


So the first thing is, there's a whole set of choices here, and Tornado Cash is a particular set of choices about how to implement the technology. Second thing is regulation. That a lot of this technology has grown up with the assumption that it's a total free space to experiment with new kinds of financial technology primitives. That's wonderfully exciting in a lot of ways. The degree of experimentation all around the world is incredible. It has allowed for tremendous innovation. But that doesn't mean that regulation is totally unnecessary. That doesn't mean that if someone commits fraud -- you mentioned Celsius. There also was the Terra Luna collapse. $40 billion disappeared in a matter of days in a system that claimed to be decentralized and actually wasn't. Billions and billions of dollars have been lost through fraud and scams in cryptocurrencies. That doesn't mean we should just say to users, "Well, too bad. Now we just have to deal with fraud."


The same issue comes up in the question that Tornado Cash raises, which is the question of illicit finance. So I always have said to people from the beginning, is what we are saying and advocating for the privacy value here, which I agree is real and important, that I should say, "You know what? We need to give up on interdiction against terrorism financing, child sex trafficking, illicit activity. We just have to say it's going to be easy for North Korea to get funds because that's necessary to have the benefits we get out of blockchain." And no, that's not the case. We don't want to say there's no concern. It's a very legitimate concern. We need to -- back to my first point -- have the discussion about what are the ways to implement the technology? How is it influenced by regulation? How is it influenced by private actions that happened by various other parties in the chain? And then let's weigh pros and cons that way. So that's really the issue here. Tornado Cash puts the issue very starkly.


There's really two sets of issues. There's a relatively easier set of issues around centralized entity. So what information does Coinbase have to collect from me as a user or FTX as a user? They're not a bank but they're somewhat similar to a bank. Or if I go and trade on E-Trade or Robinhood or something, it's a centralized entity I'm interacting with where it's easy to see who they are, where they're located, who their management is, and say maybe let's decide about what they should have to collect. That's actually a challenging issue but there's been lots of work going on.


The harder issue is the Tornado Cash issue which is a decentralized system. It's software code that uses what are called smart contracts. It's code that is immutable once it has been uploaded to the blockchain. That is a harder issue, but I would suggest it's still the same issue. Let's say that I could write some software code that is wired up on the blockchain that if someone calls a smart contract, it will launch a nuclear missile, and it's immutable. I burned the key associated with the smart contract. So I can't touch it. I can't make that contract go away. It's up there. And then I create a website that says -- big red button -- "Push here to launch the missile." I don't think anyone would say I have no responsibility or government should say, "I guess we just have to stop being worried about the missile being launched. It's going to happen." No. We should say, "That is terrible. We want to see how to prevent that."


Now, Tornado Cash is not that. But if you agree there is some point at which we need to think about what code allows for once it is implemented on a blockchain, and think about how we legitimately address those problems, then we can get into a debate. And I think that's what we need to do with Tornado Cash, not start with the extremes. Either we have no regulation at all of illicit activity, or we have massive total surveillance over all financial transactions. Those are both bad. We can agree on that. Let's talk about the specifics here.




J.W. Verret:  Great way to frame the discussion. So thanks for that, Kevin. And you've described one guard rail for the discussion. I would say, one of the things I often try to mention in debates about AML & KYC even that predated crypto is, I often ask law enforcement people this. I say, "If we made a law -- if we added to the KYC & AML laws that your bank account log in and credit card log in was given to the Treasury Department, then we all have to give our bank account and credit card account log ins to the Treasury Department and they have the option to peruse it without a warrant and will, we could definitely stop more child trafficking." We could interdict terrorist finance easier. We could get a lot of bad guys. But I don't think we would ever take that privacy tradeoff. To be honest some of them -- the hypo is intended to be the ridiculous hypo. They would say, "Of course, we wouldn't do that." Some law enforcement are like "Yeah. We actually would like that." But I would say that's on the other end. That society would never accept that privacy tradeoff. So we have to accept, at some point, that we're willing to accept even really bad consequences to protect financial privacy. So that's kind of maybe sets us some guard rails.


Mike, if you were at Treasury and the rule came down as it seems like happened here from higher levels of State Department, of Treasury, of the white house, that it seems like from what I understand, the line level people at OFAC and at FinCEN get it. They really -- they've gotten really smart about blockchain technical issues, gotten educated. They have ongoing conversations with people in the community. But it seems like the ruling came on high, take this down. Too much North Korean activity. Take it down. And it seems like we ended up there because of that overarching push. If you were at Treasury, that happened, you're trying to figure out a more surgical solution. What would you have done?


Michael Mosier:  Yeah. Actually, that's such a great question, J.W. Yeah. I mean, I think, and I'm saying this with respect to the folks who were at the line level at OFAC because I don't have all the information that they were presented with, but I think from externally and from my experience in that space including at OFAC before FinCEN, to me -- and I don't want to put Tornado Cash in a financial institution bucket specifically because I think there's legitimate arguments that there's a VPN aspect of this that's providing a very clear functional privacy and security format. It's not a trading platform or something like that. But I think I would look at well, every other designation that OFAC has done which required a collateral impact analysis. And I think, given that collateral impact analysis, you would say, "Okay. On the high side, 20 to 30 percent that seems identifiable elicit." On the other side, you've got 70 to 80 percent that seems licit. This is going to be a blunt instrument that could have significant collateral impact. Now, let's look at the impact on US persons who have their own due process rights, and how does that play out?


I think part of that analysis would certainly involve open-source research, which I'm sure they did, and you would see wait a minute, a few months ago Tornado Cash, whatever that is, however we're configuring that, implemented I think it was Chainalysis's free API for sanction screening. Somebody did something and some folks have made some moves towards managing the risk of at least designated addresses. We think that's short of what needed to happen. If this were a bank -- if JP Morgan had 20 to 30 percent illicit going through it, something would happen, I'm sure. I don't think they would get designated. They're a US bank. So there's all sorts of other issues around that. But I think even a foreign bank at that level probably wouldn't be designated as a first step.


It would be an engagement of some sort given the amount of collateral impact because you would -- in the past when OFAC has designated a bank, like in, I think it was Honduras was the first, there's a team on the ground, you're doing collateral impact mitigation immediately with wind down licenses. You've got people that have to pay mortgages, people have their salaries. And I think as you discuss, there were people that were getting their salaries through Tornado Cash and nothing illicit. It's just that you didn't want to have -- once somebody knows your wallet address, now they can track every time Paul gets a bonus. "Hey congrats, Paul. We'll put it on Twitter." That's just not a -- and if you're a merchant or a business of any sort, you also can't have everybody reverse engineering "Oh, they've sold a lot this week but not so much last week." That's just not functional.


So I think to me, being there, it would be an engagement with "Okay. We see personalities out there including, by the way, on Twitter even. There's supposedly enough of a DAO that's been considered in control in a form to be listed as a designated entity. So let's engage with them." I mean, the CFTC just served Ooki DAO which I think has all sorts of questions around that. But clearly, they're reachable from a government perspective. So I think given the fact that Tornado Cash had taken a step, you would engage given the clear collateral impacts on it. That's my perspective.


J.W. Verret:  Yeah. That's interesting because that goes back to the distinction that Kevin just drew in his hypothetical that was based on the design of Tornado Cash. So just so listeners understand. The first thing that the creators of Tornado Cash did was they wrote the code, code that makes this thing happen. You put in your Ethereum and then it gets jumbled up with other Ethereum, then it comes out. That smart contract code that does that. And they so called burned the admin keys which is to say, take away the ability to come in and change the code. So it's truly immutable code attached to the Ethereum blockchain. And the founder of it can't change it anymore. That's it. It's there.


So the second thing they did was they created a website that would link you to that smart contract code. Now, if you're smart enough, you can go access the Ethereum blockchain directly and access the Tornado Cash code directly. Developers know how to do it, but most everyday retail users wouldn't know how to do that. You can still do that with Tornado Cash. I don't recommend it because it would be a violation of sanctions and a lot of liability associated with it, but some people are still using Tornado Cash. But most people access it through a website that someone sets up that helps make it easier. So if you Google -- back in the days when this was still available, the website was still up pre sanction -- if you Google Tornado Cash, you would get sent to, I think, Tornado.Cash, a website, that was a so-called front end. And the front end would take you to the smart contract code that could do your privacy feature for you.


Now, as I understand what happened in an attempt to mitigate issues, the front end, the website, implemented some sort of a maybe a whitelist or a blacklist. Some way to prevent North Korean and other sanctioned addresses from coming through that end to get to the Tornado Cash code. But the one thing they couldn't do was -- North Korea's hackers are smart enough. They don't need the front end. They can go directly to the smart contract code. They know how to get there. And there was no way because of the design of that -- there was no way for the initial creators of Tornado Cash to stop that from happening. And that was by design. They wanted that. That's why they burned the admin keys. They wanted to be able to say, "Look, we can't change it now." Paul --


Kevin Werbach:  It's actually a lot more complicated even than that. I mean, one thing to make sure people understand, Tornado Cash is not the only anonymizing tool on blockchain. So for example, Zcash and there are coins that are explicitly designed to be privacy protecting. There are other mechanisms of various kinds. Tornado Cash has become one of the more prominent ones. But the OFAC designation came after a prior designation of something called Blender which was from, the user standpoint, very similar to Tornado Cash, but it was a centralized entity. There was an organization behind it. So similar issues about financial privacy but not similar issues about a smart contract.


There's a lot more going on with Tornado Cash. There were a group of developers who were talking about developing this technology for some period of time. They got a grant from a funding agency -- a decentralized Ethereum based grants organization to promote it around financial privacy. They created a DAO, a decentralized autonomous organization, which had its own token, the TORN token, that was somehow associated with the project. Now, it doesn't have control -- it has some sort of governance rights -- it doesn't have control over the smart contracts.


But my point is, again, there's a lot of different pieces here, and if we want to ask the narrow question about, how does one evaluate this particular OFAC action, that's one issue and Mike's points are very good ones. But if we want to step back and ask the more general question which is, what should be going on here? We really should have had more engagement broadly speaking between people in the community who have a legitimate desire for financial privacy and people in the government who have a legitimate desire to prevent illicit transactions to try to figure out what the various solutions are.


That's starting actually to happen more because there -- even with Tornado Cash, there is a mechanism in Tornado Cash that you can, as a user transacting, produce a receipt which has a cryptographic proof that you can then show and identify to someone what the source of the funds are. Now, you don't have to do that. And that's dependent on you voluntarily doing it and would be dependent on some other entity that's say, receiving the funds saying, "No. I'm going to require that of you. That you have to prove to me that this is not coming from or to a sanctioned entity," which is not something that Tornado Cash itself does. But this is the larger debate which, again, is a similar debate to what we're having around the centralized what are called VAS, virtual asset service providers, how to create a regime that appropriately balances these interests.


J.W. Verret:  Paul, do you want to speak to the design of Zcash? And one of the things I think is so neat about Zcash, the flexibility for users to use transparent addresses or shielded addresses in a way that allows even the most KYC compliant exchange to list Zcash but at the same time, if I want absolute privacy transacting with you or with anyone else, I can do shielded to shielded transactions and maintain absolute privacy both in my owning assets and in my interacting with others who have shielded Zcash addresses. And I can also send you, by the way -- one of the cool features I often send to my family -- shielded memos on Zcash. I love that one too. Do you want to get into a little bit about my favorite privacy coin?


Paul Brigner:  Sure. I'd love to. So with Zcash, as you point out, there is the ability to send a transaction in a transparent manner which is just like Bitcoin. In fact, we started out as a fork -- are using the Code base of Bitcoin to create Zcash. So we still have that capability. But you do have the option to move into the shielded address pool. So then if you move your transactions shielded to shielded -- a shielded address to another shielded address -- you essentially have complete privacy in those transactions or all of the details around them are completely encrypted, essentially, on the blockchain. And a zero-knowledge proof is assigned to each of those transactions so that it still works as a blockchain normally would which is pretty amazing. It's very, very powerful technology.


I just want to point out by the way though, that the ability to have that shielded transaction really does not have an impact on whether or not you can be KYC & AML compliant or not with exchanges. In fact, Jim and I, for example, and others allow for shielded transactions in and out of their exchanges because the AML & KYC is about the on and off. It's the ability to look at your customer and judge them based on their risk profile and determine if they're an illicit actor or not. So I just want to make it very clear that this is a tool for privacy. It's a tool for economic freedom that is compliant and can be compliant with the system that we work in today and is actually used broadly in that way.


I want to just step back for a minute and point out that, as I see this, as putting my former software developer hat on, this is kind of a perfect storm because we have this really  innovative blockchain technology cryptocurrency technology that's come along about the same time that all of our internet architecture has come along over the last few decades. But as it did, it was never secured properly and there wasn't the incentive to secure it because the hacks that occurred were mostly data breaches that -- yes, they were very bad. We all knew they were very bad. But it was very hard to put a dollar amount on those data breaches because well, the data was still -- individuals were impersonated -- the harms related to that were very widespread.


But now, with cryptocurrency and the ability you can -- to use cryptocurrency as a tool for ransomware, suddenly we have this ability to put a very specific price on these hacks. And the criminals are doing that. This is really the source of the problem that we're dealing with. And I don't think that that is being addressed is that this is not a problem with cryptocurrency. This is a problem with cybersecurity. It's a problem that has been building up for decades. It's a problem that the people in cybersecurity have been well aware of for a very long time. And now it's come to a head.


So now, we're at this point where we have the choice as people who are in the policy world to determine well, are we going to focus on the tool that is going to potentially empower an internet like revolution in finance over the next decade or so and pull that back and limit its use and restrict it so that you can't use it effectively? Or are we going to fix the root problem which is cybersecurity and making sure that the hacks that are leading to these major breaches don't occur in the first place. And I just think it's so critical that that point not be lost because if we go towards the path of regulating cryptocurrency so it is no longer effective, we are going to miss out on an entire revolution that was similar or potentially even greater to what we've experienced in the internet because the ability to have financial inclusion and to eliminate so many intermediaries and inefficiencies in our financial ecosystem is just massive. And I'm very hopeful that we'll take that path.


J.W. Verret:  Well, that's inspiring. We've got one question coming into the Q&A function. I want to mention just to our audience, send those questions in and we'll get to them. I want to give each panelist one more chance to have some points and then we'll move to audience questions. We've got one question and I'm hoping we'll get more. So please send in your questions and they might be informational. They might be challenging. We'd love to get more of them in here. Mike, do you want to tell us about what you're developing at Espresso Systems and how you balance privacy and security and compliance?


Michael Mosier:  Sure. Yeah. Thanks, J.W. And it's really in many ways drawing on the work that Paul and the folks at Zcash have done for quite a while. And in fact, the cofounders are from out of Stanford's cryptography program. And one of them, Benedikt Bünz, was part of the team that created Bulletproofs which is what Monero was based on actually. But our technology is closer in Zcash in many ways. And it's really drawing on that for the optionality. And Paul really well explained, it's an optionality piece.


And I think coming out of FinCEN even, it was -- this is the opportunity, as Paul was laying out, to create technical solutions to policy issues which, as Kevin was saying, it's going to persist forever. There's going to be a dynamic tension between privacy in a protective sense and anonymity in a "we can't hold accountable people kidnapping" sense. And there's always going to be that dynamic tension. And the point is to constantly go back and forth but get closer to a better place. And a lot of that is debate, and this is an absolutely key time for engagement, as Kevin said. I think this is -- it's really important that we're having these conversations. You can even imagine the Tornado Cash situation coming out differently had OFAC and Tornado Cash, whatever that means, but whoever is involved, whether it’s the DAO or whomever, was in more conversation. And the whole point is to not get to a point of sanctions when you can have other ways of engaging on that.


And so what Espresso Systems is building is configurable privacy so that you can take any digital asset, wrap it in a zero-knowledge private wrapper but you could have zero-knowledge proofs that just say, "This person was KYCed by Coinbase period. Yes or no or whomever." And that's it. And we don't do KYC or anything like that. Actually, the point is to actually move government away from collecting lots of PII, personal identifying information, and get to the point where there's a much more frictionless internet, as Paul was talking about, that also secures people and isn't sending your social security number everywhere. But you're allowing parties in different ways to manage their counterparty risk whether it's "Hey, we want this lending pool to actually be undercollateralized not overcollateralized. So can we have a threshold score that's zero-knowledge established of prior history and lending and credit history that's aggregated -- something like that?"


So it's like Kevin was saying. It's managing risk in different ways and giving people the optionality to do that, that's also protecting them. And that comes out of much of what we were working on at FinCEN at the time, which was actually us saying, not necessarily policy makers that weren't implementing it, but us saying, "Guys, in 2020, here's an advanced proposed rulemaking on the AML effectiveness. We'd like this to be a lot more effective and not just data dumps of personal information." And then in 2021, we did a -- personally led an innovation program workshop on privacy and enhancing technology to saying, "Guys, please," --specifically calling out zero-knowledge proofs and homomorphic encryption -- "Please start using this stuff more. We don't want just everyone's data everywhere. That just creates victims."


And I think that's the sort of thing -- we brought on a digital identity advisor, in fact, to specifically drive digital identity and zero-knowledge proofs. I think it's important to remember that the mission is not the tool. The mission is preventing exploitation. Data collection is one tool of that, but it's not -- that doesn't help if everybody is putting everyone's credentials everywhere and they're getting exploited. So I think that's what we're doing at Espresso, but it's really carrying the lineage of Zcash and the others. And I think it's also why, even though there's going to be this persistent tension, we have to keep having that engagement, so everyone's clear it's not just the extremes, as Kevin was laying out. There's a lot of optionality in there.


J.W. Verret:  So I think it was Arthur C. Clark, wrote something about how, in the modern age, scientific innovation is indistinguishable from magic. And to me, I feel that when I learn -- the more I learn about zero-knowledge proof cryptography. The ability to verify a piece of information -- the veracity of a piece of information -- without seeing the information, it's -- I've seen Zooko do a description of it that looks like a magic trick. It looks like he's doing a magic trick. There's a great a16z video of Zooko teaching what zero-knowledge proof cryptography is and the -- I can't do it justice. But it's like a cool magic trick.


And I love these applications for compliance issues where it's like if you show someone your license and the person looking at it can verify that the license is authentic, but they only get to look at a specific piece of information on the license and not anything else like what state you're from or your last name or maybe some derived attribute of it without even any direct of the license. Like, you are a US person, but they don't even know anything about you. That offers up so many opportunities to -- tradeoffs Kevin mentioned that we might have had to weigh in the past, we don't even have to weigh anymore because of the technical improvements.


So I want to -- we only have one question still. I really want to push -- y'all need to send in some more questions for our listeners. But we've got one question. Let me read it out and give everybody a chance to speak to it. And this will let us talk a little bit more about maybe even the litigation against Tornado Cash. "Do we know how effective the Tornado Cash sanctions have been? Can we expect a report from OFAC on that?" And I'll add to that that we have had, after the sanction and after a lot of noise made about the sanctions by a lot of people including me, OFAC did release, I think, some guidance, some Q&A guidance that answered some questions -- left a lot of questions still open. So yeah. How effective have the sanctions been? Does anybody have better data than I do on use of Tornado Cash? It's obviously come down quite a lot, but some people are still using it. Anybody want to speak to that?


Kevin Werbach:  Yeah. I can't speak to that. Maybe other people can. But I think there's a broader issue. So effectiveness is not just about "What's the usage of Tornado Cash?" Effectiveness or the question is, what are the consequences of this action? And certainly, one criticism is, as you've said and others have said is, it's a club. It's not just saying, "We're going to fine you for violating the law." It's saying, "Anyone who touches Tornado Cash is at risk of sanctions and action against them by the US government." And that's very strong stuff. And so there certainly are legitimate concerns about chilling effects.


I guess, I will say, while I think that's a legitimate concern, you look around and I don't see open-source software development projects and blockchain shutting down after this. I don't see privacy protecting services all saying, "Oh, the government is now a raid against us." I see a lot of activity and a lot of concerns and including some legal action like the litigation you're talking about, but it's easy to say -- to overstate the chilling effects. But they're real, and we should be concerned about them.


The other thing that has happened is, this has certainly instigated private activity to avoid touching these sanctioned addresses and touching things that go through Tornado Cash. So I won't get into the technical details. But Ethereum now, a very substantial percentage of Ethereum blocks are not mined through the basic process that you read about. There's a second layer of activity that's based around dealing with something called MEV which is maximal extractable value. Again, why is -- would take more time, but it's an auction mechanism around who's going to be the one that actually gets to arrange those blocks which what it does is, it introduces a new kind of intermediary process into a decentralized system like Ethereum. Ethereum being the most valuable and most active blockchain other than Bitcoin, and in some ways, much more significant as the foundation for DeFi and all of the decentralized application activity.


And the services like FlashBox that are involved in this additional layer are starting to include sanctions checking and include checking for Tornado Cash in blocks. Now, that's not anything that OFAC mandated. That is private actors deciding we're going to, maybe under the advice of counsel or maybe just as a matter of prudence, implement mechanisms that keep us away from this. Now, there's good and bad there. Again, I'm not saying that this is inherently a great thing, but going back to the point I made earlier, we need to have more serious conversations here on both sides. And the government certainly, in various ways, should have been more aggressive in the past in having those conversations. People like Mike, when they were at Treasury, were at the forefront of trying to do that but there were not enough people like him, unfortunately.


I think this is a shot across the bow that in some ways has had a salutatory effect of getting people to the table -- of getting people who are in these organizations that have generated a huge amount of returns and have significant billions of dollars in some of these treasuries starting to say, "Let's think through." I would think, for companies like Paul's and Mike's, that are actually trying to address these problems in a helpful way, I think it's presumably caused a lot more interest in what they're doing and that's not a bad thing. So again, I wouldn't say, "And therefore, we shouldn't be worried about what's wrong with Tornado Cash," but if you start to look at the implications, it goes way beyond what's going to happen because of this one mixer.


J.W. Verret:  Doesn't it also invite useful, helpful, welcome conversations about the extent of financial surveillance that is embedded in the financial system? I think that one of the difficulties in trying to be an evangelist for privacy is that the current generation just takes for granted that they don't have privacy when 30 years ago, I remember my parents paying for things with cash all the time in a totally anonymous way. And we've gone toward increasing encroachments on privacy with ever growing AML & KYC compliance requirements. Those don't -- there's a one-way ratchet to that regime, both in terms of reporting cash transactions that individuals engage in, in terms of reporting by banks.


And the challenging nature, I think, of blockchain transactions is, if you decentralize, then that centralization assumption behind this entire regime could be challenged. I mean, it was all a function of the Supreme Court's third-party doctrine. If there's no more third party or if the third party is a Dao or is an autonomous smart contract code in a decentralized exchange, then maybe that doctrine doesn't apply anymore. And then there are substantial parts of KYC & AML that go by the wayside.


Kevin Werbach:  Yeah. If I can just say briefly, then I'll let the others. I don't think there's anyone who has significant experience dealing with our Bank Secrecy Act and illicit finance rules who actually knows how they work and who thinks that those are good and successful and functional regimes that we would adopt today. So we need to roll up our sleeves and figure out what's a better approach to get to the goals that presumably we all agree on, which are on the one hand, dealing with the bad stuff, and on the other hand, promoting privacy given the world that we have today. So that's absolutely necessary. It's a political problem and a challenge but hopefully, these debates will get more people on all sides to really engage in that.


Michael Mosier:  Yeah. Can I just -- oh, sorry. Go ahead, Paul. No. I just want to say real quick and I feel like I could make a career just underlining things Kevin says. But I just want to say FinCEN agrees with Kevin. And not just take my word for it. Like, 2020, we put out, "Hey, we want this to be more effective. We don't just want your -- hears a notice for roles rule making. We don't just want all your personal data. Let's get more effective and let's prioritize. Let's set out priorities to give the industry." And then an RFI in December of 2021, again, "Hey, we want to modernize the VSA."


I think you're always going to have policy makers and legislators that see this as a way to message something but that isn't necessarily what the folks that are getting it want. And I think that's an important distinction too. And that's why I think the engagement right now is so critical because we have to find a way to say, "Stop with the -- we don't just want more stuff and neither does FinCEN." We just want to find ways that we're protecting people but also on both sides of it, basically. We want to -- we have to be able to find kidnappers, but it doesn't mean we need everybody's social security number at all times.


And I think finding that -- and now, it's also important -- OFAC literally this morning just designated the Iranian officials and entities that were involved in internet censorship in Iran and reiterated their general license D2 which was built on the D1 license that said, "You can provide all this information technology to Iran, to Iranian citizens, including VPNS and privacy and security tools." Now is a fresh moment to go into OFAC and say, "Yes," shout about Tornado Cash in, I guess, filings but to have a really calm conversation that's like "Hey, actually, we're really aligned here in the way that you want to support the people of Iran with censorship resistance technology that allows them to operate under an authoritarian regime and potentially bring democracy, that's what we do. And we're here to help." And I think finding a way, like, how we can work together in that and show the alignment too -- it's a critical moment.


J.W. Verret:  That's a fascinating contrast because I've seen some OFAC guidance suggesting that firms should be very wary of anybody using a VPN who's accessing their site and you should use that as a risk factor. So one thing to note about just the legality of OFAC's actions, I could see one strategy being they say, "You know what? We know we're going to get sued and we know we're eventually going to lose in a couple of years, but let's just do it anyway." Because the thing about privacy -- most privacy tools is it's about the anonymity set. The more -- the only way to hide private transactions is to hide them under a large group of people. So we'll scare away lots of people from using Tornado Cash and therefore, if you're the only actor using -- major actor using a privacy tool, you're no longer private. You no longer have privacy because the anonymity set in which you hide of other transactions will be scared away -- will be scared off.


So they achieve what they want, and they don't care that they lose in court a few years later. That might be a cynical approach -- cynical view, but it's one that I've heard from quite a few sanctions lawyers. And speaking of anonymity set, the other question I have -- this will be my last question and then I'll let panelists have a last word after answering these. We've talked a lot about flexibility in terms of transparency versus shielded, in terms of the various options mike has. Is there a tradeoff there? Are flexible privacy protocols facing a tradeoff? In other words, a lot of folks in the Monera community look at Zcash and they say, "The option for transparent transactions decreases the anonymity set and therefore limits the privacy power of the technology." A lot of the die-hard Bitcoin people have the same view about the stuff that Mike is developing. So is there that tradeoff between flexibility and maintaining a solid anonymity set for privacy? So answers to that and then final words from every panelist. Does anybody want to jump in on that one?


Paul Brigner:  I'll just point out that we are not strictly about providing privacy. We are about providing economic freedom. We're about providing consent and choice to the users. And I think having options is a good thing. There is obviously a certain amount of activity you need to have in an anonymity set to be effective, but user choice and economic freedom are the goal here and I don't think we should ever lose sight of that.


Michael Mosier:  Yeah. It's the same. I mean, I think that's very well said. Like at Espresso Systems too, the point -- there isn't an arrow. It already exists. Great. Use it. This is to have greater optionality for people to make their own choices. I mean, it's about personal sovereignty and personal choice. You should have the choice how much to disclose when, how much counterparty risk you're up for. And that brings more people. More optionality brings more people into the anonymity set as you say than just having the seven hardcore people that are like "I don't want the government to know what my latte choice is." The government doesn't care what your latte choice is. But we need enough people in the overall set for privacy and optionality that does grow it enough so that there's also -- there are also voters.


J.W. Verret:  Any last words? Final thoughts you didn't get to elaborate on?


Paul Brigner:  I just wanted to point out --


Kevin Werbach:  I want to know what Mike's latte choice is, but I guess we'll find that out after the panel. A couple things. One is, I would encourage people to look at the executive order that came out of the Biden administration in March on what they called responsible innovation around digital assets which is much broader than this set of issues but was I think a salutary effort to get agencies across the federal government to engage with these questions and then there was a framework that came out about a month or so. It's a starting point.


And there's certainly reasons for criticizing some of those approaches, but what I find when I talk to people in government is you'll have a few who say, "This stuff is all evil. We want to shut it down." They're in the minority. You have a lot more though who say, "Look, if I'm in an agency whose mission is to interdict financial crime, then that's what I want to focus on is, how do we do that? And yeah. I care about privacy too but tell me how my legitimate problem and my mission can get addressed." And I think we're moving forward, and the private sector has come to the fore a lot too in terms of not just saying, "Well, the whole point of this is anonymity and the whole point of this is to get government out. And so therefore, it's not an issue." I think we're having a lot healthier conversations like the one that we're having now that are talking through what those issues are but there's still a long way to go.


And the last thing I'll throw out at the end is, perhaps controversially, if you ask me, what is the most important privacy protective financial technology in the world today? I would say the answer is China's ECNY -- their central bank digital currency. Because it actually is used by 100 million people already and it has a mechanism for providing transactional privacy. I can be certain with certain transactions that the counterparty, the merchant, the site I'm dealing with does not know my personal identifiable information which I can do with any system on the internet today.


Now, of course, the People's Bank of China the Chinese Communist Party can get access to all my information. I'm not advocating that China is more privacy protective but what China has done that we have not yet done in this country is think through these issues and design a system that meets their societal objectives. Our societal objectives are different. We should absolutely be more privacy protective. I'm totally in favor of that. But if we don't raise this to the level of debating about where are the margins we make these hard choices, then we're not going to have a seat at the table. And so I would encourage people to get beyond the extremism on both sides and to try and work through things.


Paul Brigner:  Wow. That was a twist, Kevin. I didn't see that coming. That was good. So I just wanted to point out, I think that was great that we focused on the silver lining in this discussion. And that is that this is an opportunity to take a hard look at all of the regimes around financial surveillance -- KYC & AML as well as OFAC. Some of what I've seen about OFAC recently I think is really interesting and I don't know that I've ever thought about it before this happened, but OFAC is, and the sanctions that they have available to them, are just amazingly blunt and powerful. And if you think about how that relates to our American values, there's really a very -- there's just a massive inconsistency there.


And the fact that we can sanction an entire country of millions and millions of people such that I cannot transact with the good citizens, some of those good citizens perfectly good people, and I might have a reason to transact with them, who knows, if I could. But we can't because the entire country is under sanction. That is just a little bit hard to believe that that's the kind of sanction that we would put in place in this day and age. I think that what Erik Voorhees wrote just very recently in his blog about OFAC I thought was very enlightening. So I think people should take a look at that and just let's all take a hard look at these issues and try to find something better going forward.


J.W. Verret:  And on that note, we have unfortunately run against our hard time stop today. But I would like to thank our panelists for the benefit of their valuable time and expertise today, and I would like to thank our audience for joining us and participating in the conversation. You can submit questions or other feedback by email to [email protected]. And be sure to check your emails and our website for other information about upcoming programing. With that, thank you all for being with us today. We are adjourned.