by wyxuan 1414 days ago
Tornado Cash repo+website taken down as well[0], and so have many of the GH accounts that were contributors to the repo[1].

[0] https://twitter.com/w_y_x/status/1556716055296294914?s=21&t=...

[1] https://twitter.com/bantg/status/1556721709931175937?s=21&t=...


Related, today:

“U.S. Treasury Sanctions Virtual Currency Mixer Tornado Cash” https://news.ycombinator.com/item?id=32386189

Specifically:

> all property and interests in property of the entity above, Tornado Cash, that is in the United States or in the possession or control of U.S. persons is blocked and must be reported to OFAC.

I understand that GitHub is just taking immediate actions in a way they perceive as being compliant with the law. The question is more existential: since source code is speech, can the government even sanction it? And should GH fight this if they want to remain a reliable platform for publishing code? What even is GH required to do in response to this sanction, or are they just being overly cautious since we’re in uncharted waters?
ISIS recruiting manuals and videos are also free speech. According to your view YouTube/Microsoft should not remove them.

Beside the fact that GH is a private company that maybe doesn't want to be associated with some stuff.

That is not my view.

I am not talking about what GH is at liberty to do; clearly they can do whatever they want. I’m asking about what they’re legally bound to do as a result of these sanctions. I find the precedent here more fascinating and troublesome (as an open source author myself) than the instance of the code in question.

As we've seen with Alex Jones even free speech is not absolute (for the record I agree with the rulings against Jones). If the code is designed to facilitate illegal activity I can see how that could be shut down by the government.
Alex Jones got sued. It’s very different. The government did not pass a law saying he can’t share conspiracy theories directly or that certain theories are off-limits. He just conducted himself in such a way as to cause enough other problems and thus give people grounds to sue him (and win).
The linked Treasury doc references Executive Order 13694, which has its own wikipedia page https://en.wikipedia.org/wiki/Executive_Order_13694.
Code is a form of speech. It’s the way the code was used that frightened the authorities. Just the way certain forms of cryptographic code were reframed as a ‘munition’ in the first crypto war.
Code is just documents or written speech, and should be regulated as such. So code vs written documents shouldn't be legally different.

So I guess a good question is: should it be illegal to tell people how to launder money? I would say no because I think laws should regulate behavior not speech.

I think for example that people should be able to make arguments why punching a Nazi should not be illegal, say, and maybe the best way to do it. But punching is clearly illegal, and threatening a Nazi directly should also be illegal.

However with abortion, some states that have made abortion illegal are trying to make it illegal to talk about where to get abortions, or how an abortion is performed. So if that is deemed legal by SCOTUS, then expect all kinds of laws to restrict speech in that manner.

Encryption beyond a particular strength has long been an ITAR restricted export.

Now everybody gets to learn that the United States regulatory policy machine will lean very hard on anything that'll threaten its ability to flex soft power against its opponents.

>What even is GH required to do in response to this sanction, or are they just being overly cautious since we’re in uncharted waters?

Letter of the law is don't do financial transactions with those addresses.

The quiet part is: this technology is now associated with being a channel for money laundering, and will open up any parties hosting or making it available a potential subject of accessory to wire fraud/money laundering charges. As a publicly funded company, I assure you, the legal, risk, and compliance departments are now erecting 100 foot poles between the company and this project.

You see, big business and government have a bit of an incestuous relationship. The bigger the market actor, the easier it is for the government to apply sufficient pressure where the easy way out is for said large actor to just "stop associating with that thing".

This is why OFAC is aptly named. You end up on it, and you basically fall out of the economy. The last sound you hear is the subject in question going O, FAC-<signal lost>.

Oh, actually, no, slight exaggeration, the truth is far more chilling.

You see, financial institutions will still process deposits. They just stop allowing withdrawals, turning the business relationship into a one-way trap for funds.

In theory, it may be possible to get off the OFAC list if you end up on it, however, financial institutions are instructed not to inform customers that they are sanctioned if asked. You're only told that a technical error precludes them from completing the transaction. If you mistakenly show up on OFAC, (like by sharing a name with someone who is on it), there are ways to get off of it by providing proof you are not the individual in question. In fact, most times, if you reach out, the service personnel you get are trained to get as much personal info as possible to try to determine whether or not you are actually the individual targeted by OFAC.

Companies will generally dig into it, and resolve it while playing coy. In this case though, it looks like businesses are taking the message to heart and just noping out of supporting it.

> Encryption beyond a particular strength has long been an ITAR restricted export.

I'm not sure what you mean by "restricted," but publishing open source encryption software on the internet only requires that the BIS be notified. No review or approval is required.

https://en.wikipedia.org/wiki/Export_of_cryptography_from_th...

Technically, you're supposed to have to ask, and BIS can say no. That's restricted. There is the possibility of extra friction. I've never administered or experienced the compliance process myself, mind. I just know it's a thing.
Can you link the section where it says you’re supposed to ask? In my experience you don’t get assigned anything, you tell them what you are classified as and of course they can disagree but there’s no “tell me my export classification” part unless you fall under a restriction and can’t claim any exemption. Only then do you submit anything. And from my reading of those hellish documents, encryption software for which the source code is publicly available is exempt.
I linked as source saying that's not the case. Maybe you can provide a source for your claim?
> since source code is speech, can the government even sanction it?

er...the US government infringes on free speech all the time

And courts often put a stop to it. Regarding source code, federal courts told the government it couldn't restrict the publishing of strong cryptography, which it considered a munition.
> Regarding source code, federal courts told the government it couldn't restrict the publishing of strong cryptography, which it considered a munition.

?

you mean after Phil Zimmermann spent years in court, and then published a physical book of the source code?

and the US government then successfully restricted export of actual software with above 56-bit keys for years[1]? to the extent that Debian and OpenBSD did all their opensource crypto work outside the US to avoid trouble?

and they still explicitly ban export to "rogue states" and "terrorist organisations" in 2022[2]?

things have improved since the 90s but it's still not unencumbered by the US government and the changes mostly happened to make US tech companies more competitive, not due to a desire to free anyone's speech.

[1]: https://en.wikipedia.org/wiki/Export_of_cryptography_from_th...

[2]: https://en.wikipedia.org/wiki/Export_of_cryptography_from_th...

Bernstein vs US ruled that source code is protected speech, and struck down the export prohibition on strong cryptography.

https://en.wikipedia.org/wiki/Bernstein_v._United_States

From your link: "the BIS must be notified before open-source cryptographic software is made publicly available on the Internet, though no review is required."

There is a question unasked in all replies here:

Is GitHub sanctioning just the accounts that they consider to be directly associated with the sanctioned organization, or, are they also sanctioning the upload of that open source code by unassociated third parties?

Is speech which is used to commit crime protected in the same way?
no
This is the first time open source tool/software (not even a business) has been put on the SDN list. Previous entries have all been either people or businesses. I don't live in the US, but if I were, I'd reconsider publishing OSS right now. I don't know all the users of my software, and I wouldn't want to risk being put on any lists like the SDN.
Be realistic here, are you distributing oss that exists for the sole purpose of money laundering?

I don't have a strong opinion on whether tornado cash should be allowed to exist, but it's obvious that it violates US law.

Similarly if you distribute OSS viruses don't act shocked if people want to harass you over it - distributing viruses is illegal in some places

> Be realistic here, are you distributing oss that exists for the sole purpose of money laundering?

I am not, and neither are the authors of Tornado Cash. There are legitimate purposes to use privacy-preserving services. As long as I file my taxes correctly, I should be able to use them as I wish.

> but it's obvious that it violates US law

Since they got added to the SDN list, it's obvious yes. But before that, why is it obvious? Again, as long as I file my taxes correctly with the IRS, there shouldn't be a problem with using services like this.

Unfortunately a large percent of the population believes the false narrative of "nothing to hide, nothing to fear" so they believe only criminals have the desire for privacy

these are the same people that will be SHOCKED when something they use, love, or do is ruled illegal or "obvious" violation of US Law,

Like bittorrent clients
Well, they were unable or unwilling to prevent North Korea from using the service to launder money, which is illegal
It's not a service, it's a tool. North Korea probably used Rust at one point, should we sanction individuals who contributed to Rust as well?
>Similarly if you distribute OSS viruses don't act shocked if people want to harass you over it - distributing viruses is illegal in some places

Plenty of legitimate software can be used for nefarious things (and sometimes the legitimate code is indistinguishable from malicious code, e.g. remote viewers).

We should probably focus on the people and the actions those people take, rather than code itself, or we might end up in a bit of a pickle. Ban encryption because it's used in ransomware. Ban tech-support software like TeamViewer or QuickAssist because it is used in scams.

Tornado Cash exists for money laundering. That's the thing it does. You can believe money laundering should be legal, or that there are legitimate uses for the software, but the fact is that the software appears to be against US law, so nobody should be surprised that the authors got sanctioned.

The vast majority of OSS software does not have this hazard and it does everyone a disservice to pretend that the situation is identical. There are a bunch of other things OSS maintainers should be worrying about before US sanctions.

> Tornado Cash exists for money laundering

Maybe you don't know exactly what "money laundering" is. That you want to hide whatever you are doing doesn't mean that what you're doing is illegal, which is a prerequisite for something to be "money laundering". Just like E2E doesn't exist solely for hiding criminals doing criminal things.

>You can believe money laundering should be legal, or that there are legitimate uses for the software, but the fact is that the software appears to be against US law, so nobody should be surprised that the authors got sanctioned.

I'm not sure if you understood my comment. I don't care about the authors and whether or not they were sanctioned. My point was about the code itself. If we started to force GH and the like to remove any code that has been used in an illegal activity, there's going to be very little code left on GH.

Right, and also note that plenty of "nefarious" software can be used for legitimate things.

Just think of malware analysis or feeding malware to the machine-learning monster.

In the end, it's just information and can be interpreted in a myriad of ways and for all kinds of purposes, including the good ol' simple satisfaction of intellectual curiosity. But many people in this thread seem to have a zero bit mind. By that I mean that they have a single bit dichotomy good(allow)/bad(ban) world that invariably has the value "bad(ban)".

Are there any other cases where source code has been censored by the government?

Since code is copyrightable, is this a first amendment violation?

Yes, this happened at least once before, when the Spanish government asked GitHub to take down repositories related to applications helping citizens to organize focused protests: https://github.com/github/gov-takedowns/blob/master/Spain/20...

The group that was focused in the take down requests was "Tsunami Democràtic", which you can find some background information about here: https://en.wikipedia.org/wiki/Democratic_Tsunami

Why does that page not contain tornado cash under the government takedowns?
Probably GitHub acted in their own interest here, or Microsoft has received a gag-order not to publish anything.
Yes, the government considered strong cryptography to be a munition and said it was illegal to put the source code of PGP on the internet. Courts ruled against the government in Bernstein vs. United States, saying source code was speech protected by the First Amendment. That's why we can all use strong cryptography today.

https://en.wikipedia.org/wiki/Bernstein_v._United_States

See, for example

https://en.wikipedia.org/wiki/Bernstein_v._United_States

There is a long history of "the land of the free" carving out exceptions from freedom.