Conviction of Tornado Cash programmer: Privacy is not a crime
patrick-breyer.deShould have used Monero.
How long until Monero is given the same untouchable status as Tornado Cash?
I can’t fathom what’s wrong with Tornado Cash when I can have the same privacy with real cash. Just because my transaction is on the internet, I shouldn’t be forced to de-anonymize
No, privacy is not a crime... But money laundering is.
Was he, specifically, laundering money?
People launder money through Spotify, why aren't the creators of Spotify being raked across the coals like this?
It occurred to me once, years ago, that drug dealers could take credit card payments by setting up a porn site and accepting subscription payments through it. Then it occurred to me that a drug dealer probably already thought of that…
Porn sites have questionable reputation. This is why your very legit hairdresser also has completely bald clients and why gangs ask for protection money especially in mom and pop shops.
I’m guessing the payment processors of Spotify are at least routing through KYC and basic control.
Tornado is flagrantly mixing with known offenders, and even indicated them as such in the UI.
Tornado Cash doesn't maintain accounts for those users. They are using Ethereum accounts created completely independently of Tornado Cash.
The contracts are permissionless. Any Ethereum account can call the "deposit" function. That same account can generate a zk-proof of the deposit. Any Ethereum account can withdraw, provided they have a proof of deposit.
The proof of deposit could be communicated in any number of ways that have nothing to do with Tornado Cash - mail, email, Signal, whatever.
If the account into which you are receiving a withdrawal doesn't have money to pay for the transaction, you can send your proof to a relayer who submits the transaction for a portion of the withdrawal amount. Because it's a zero-knowledge proof, the relayer does not know which account made the initial deposit.
The whole system is private and permissionless. I don't know what Tornado Cash could do other than simply indicating that a known bad actor made a deposit.
> The whole system is private and permissionless. I don't know what Tornado Cash could do other than simply indicating that a known bad actor made a deposit.
Not exist.
Like, this is the fundamental disjoint between this complaint and reality. "Your system behaves enough like a pattern that is core to how society works" is the filter here, not "have I cleverly designed it to not perfectly fit the pattern". The law isn't applied via robot.
If I were a money launderer, I would take the libre Tornado Cash smart contracts, the libre Tornado Cash zk circuits, and the source-available Tornado Cash relayer, and run the whole thing myself. I would pay someone to operate relayers using cash, gold, diamonds... something hard.
Does that mean the creator of the mathematical concept and the code should be punished?
I understand what you are saying, though. My complaint is really that the authorities are willing to stifle such radical innovation to continue to maintain control. Even that shouldn't be a surprise, but I continue to feel outrage when I see this kind of thing.
> I would pay someone to operate relayers using cash, gold, diamonds... something hard.
Side remark: diamonds are not hard, see
Have You Ever Tried to Sell a Diamond?
> https://www.theatlantic.com/magazine/archive/1982/02/have-yo...
> https://web.archive.org/web/20240510011736/https://www.theat...
> Does that mean the creator of the mathematical concept and the code should be punished?
Code isn't an idea, code's a thing you make. There are entire classes of thing that are illegal for a citizen of many countries to make or possess or both. While I don't particularly care about this case except in the general "cryptocurrencies appear to exist for grift and need to actually prove their value to society or be stomped" sort of way I view all of it, it isn't legally outlandish.
> My complaint is really that the authorities are willing to stifle such radical innovation to continue to maintain control.
I don't think a system of blind drops but, in fine patent-office-esque fashion, With A Computer are particularly innovative at all, so this is begging the question.
> Does that mean the creator of the mathematical concept and the code should be punished?
You mean the guy that launched the service? Yeah.
Signal? Protonmail? Personal safes? Https? Car window tinting/privacy films? Government mints? What reason is there to use cash today except to engage in crime?
If cash, tobacco, or motorcycles were in invented this century they'd have been outlawed. Digital encryption barely squeeked through due to popping up before 9/11.
Digital encryption was heavily restricted (at least in the US) until the 1990s. Its genesis during the Cold War likely played a part in that, which may be to your point.
Hmm plenty of people on low incomes or in market trades stunt have been accounts. Plenty of lie income people can't get credit cards. Plenty of people simply object to being forced to use a system that can and had refused to hand over their own cash on a whim (see Lebanon recently). So yeah, there are lots of reasons.
I'm going to imagine because when the government tells Spotify that people are laundering money through their platform they kill the account and hand over data to investigators?
They don't deliberately run a service explicitly built to enable money laundering.
Basic things you can think about if you try really.
You do notice in your example Spotify doesn't shut down? Afaik, nobody is allegeding that Tornado Cash maintained user accounts for money launderers.
It'd be more akin to if you had say McDonalds and people used your parking lot for Craigslist transactions (some of which were fradualent). Should you be required to close that McDonalds?
Spotify doesn't shut down because they're primarily providing a legitimate service to legitimate people. The money laundering traffic there has to be absolutely miniscule compared to the legitimate traffic. It makes basically no sense as a money laundering avenue, and the only source for this (that I could find with quick Googling) is an "anonymous police officer" who just clainms that it's happening, but can't even put a number on the magnitude.
But if it really were happening at any kind of volume, it's obvious that Spotify would be quite willing to make their KYC requirements for artists stricter. Any payments they'd made would obviously be made through the banking system, and the law enforcement would be able to trace them to the next hop, which again would have done their KYC due diligence.
The crypto mixer, on the other hand, has no real use case except money laundering. They are also obviously unwilling to do any KYC, and unable to manage their system in a way that would prevent it from being used for money laundering. And it wasn't by accident. It was fully intentional and by design.
> The crypto mixer, on the other hand, has no real use case except money laundering
Is that true though? What if I am in a country which disapproves of $activity that is legal in most of the world but not in my country. I might simply want anonymity in my Bitcoin transactions.
So your argument is "What if I'm not money laundering, but simply breaking the law in some other way?"
Yeah, they probably should've stopped mid sentence where you can argue "I just want to watch pornography".
It's a bit weird how much scrutiny there is over obscuring the transaction history for cyrpto. Like you money launder via houses you get a slap on the wrist first [1] but if you aren't actually directly involved in the transactions you get 5 years. The guy's not running a server; he published a contract that other people's computers are paid (by also other people) to run. Afaik, there wasn't even an allegation that he profited per transaction.
[1]: https://bc.ctvnews.ca/anti-money-laundering-agency-imposes-5...
Tornado Cash is permissionless. Any data the creator of Tornado Cash could hand over, the government would already have because Ethereum and EVM-based blockchains are public by default.
The only service being run is a web client and relayers to permissionless smart contracts. I believe these are/were being run by a foundation.
Also some things you can discover if you try, really.
If you make a system that by design can't meet the legal requirements for preventing money laundering, that's not actually a good defense. It's the opposite.
How can conceiving of such a system and building it be a crime? It's like labelling thought a crime.
I would accept that operating such a system is indefensible.
But it's not as if the creator of Tornado Cash was solely maintaining servers that made this possible. Everyone running an Ethereum node (even if they aren't mining) is running the infrastructure that Tornado Cash runs on.
So why is the guy who quite brilliantly conceived and executed this idea being punished like this?
That's a great idea! I'd be totally up for prosecuting anyone running a Ethereum node used for laundering money too. At this point they really have no excuse; they know what they're doing is illegal, and are still continuing to execute the smart contracts.
> So why is the guy who quite brilliantly conceived and executed this idea being punished like this?
I mean, you say it yourself. They're the ones who actually executed on the idea. They didn't write a paper on this being theoretically possible. They wrote the code. They deployed the code. They marketed it. They continued operating the system for years, and profited monetarily from it.
That there are other people who are also culpable for other things related to the mixers doesn't remove the culpability of the original creators.
And again: if you implement a system that's doing something illegal, and by design you make it impossible to turn that system off, that's not a defense.
Should we also shut down the internet backbone because people are committing crimes with it? At this point they really have no excuse, we know the internet is used for illegal activity, yet they still continue to route packets.
Should we jail Rivest, Shamir, and Adleman because their work is used to encrypt illegal data? They wrote the paper. They published it. It's impossible to turn that system off, and as you said, that's not a defense.
There are legal uses of "the internet backbone" that greatly outweigh the illegal ones.
Non-KYC money transfer systems do not have such a raison d'etre.
There is no difference between mathematics and code.
Certainly via a slippery slope argument there is no difference between mathematics and code.
I think we are at a point where we just have such different world views that we are unable to communicate meaningfully about this. Any society that decides to adopt your view is a society that would imprison me for simply operating a node.
Anyway, I enjoyed Linjat.
> The only service being run is a web client and relayers to permissionless smart contracts. I believe these are/were being run by a foundation.
They didn't build a service because it's "just" a web client and relayers is an interesting take but sadly, very stupid.
There was nothing explicit in the linked court document AFAICT, and I sincerely hope the judge isn't making decisions based on gut feeling and "common sense".
I don't think you understand how courts work
Did he just create the code or also manage the infrastructure and services through which the transactions happen?
The former - I don’t think anyone could convict him. It’s just code in a git repo somewhere. The latter - he is responsible for kyc like all other financial applications.
My understanding is that he wrote the code for the smart contracts and open sourced it on GitHub. The contracts were compiled and deployed to the Ethereum network. There was no infrastructure/service controlled by him responsible for running the code or processing the transactions. The core contract, once deployed to Ethereum; could not be modified or deleted by anyone.
The only "infrastructure" in the traditional sense operated by him was a static website hosted somewhere online (which was eventually taken down at the request of law enforcement). The static website offered an optional interface to the Ethereum network for convenience in interacting with the deployed smart contract. The network requests from this website were made to a public Ethereum API provider specified by the end user through their own general-purpose Ethereum wallet browser extension.
I think deploying to the etherium network and providing the api is probably the murky area. Who is responsible for knowing the users - etherium or the provider of the contracts.
If he had not deployed anything and it was just code in his repo I would have said this is a really dangerous ruling. It opens up every open source dev to be on the hook for any use of their software.
On the other hand if this was something deployed then it becomes much more subjective.
It sounds like he got convicted for designing, writing, distributing, and promoting a system whose primary usage facilitates money laundering.
For an extreme example of the same concept: creating an open-source terrain-following and target-tracking drone software that accepts plugins for “cameras”. People are using it to make hunter-killer weapons and you know about it. You’re going to have a very bad day when federal police come knocking.
Software isn’t created in a vacuum. How you react when the police come will often determine your outcome. If you immediately take it down upon being informed, then you have the defense you didn’t know it was illegal. You’re unlikely to be charged. Fighting for “your rights” is proof you intended to facilitate illegal use of the software and people will be wanting to make an example out of you.
(Note, this is in reference to criminal law, not civil law like copyright.)
Privacy is a grey area.