
Does Tornado being sanctioned mean that everyone who has contributed in the past also needs to be blocked? (It’s not clear from the thread whether the people blocked contributed after, or only before, the sanction.)

For what it’s worth, I don’t see much evidence of people being upset at GitHub in the thread. There’s talk about decentralized alternatives, but not much actual pinning the blame on them.



This is the crux of the issue in my opinion. It seems ridiculous that the sanctions should apply retroactively to anyone who has dealt with a sanctioned entity at any time in the past - if the people contributed before the sanctions, they were not contributing to a “blocked person”, as the project was not blocked at the time.

Imagine if, say, a foreign electronics company is sanctioned by the government - does this mean that anyone who has previously worked with them or bought their electronics has done so illegally? If so, that sounds like a significant impediment to commerce, since nobody can predict who will be sanctioned in the future.


I agree with your analysis. Ex post facto criminal laws are barred by the constitution for good reason. Retroactive punishment leaves people guessing what actions might or might not be punished.


Well, Github blocking an account is not considered "punishment" according to criminal law or constitution, only standard contract law would apply and I believe Github has the right to terminate such contracts if they wish.

This consideration would apply if and only if the government would actually pursue criminal charges against someone who contributed to TornadoCash - which they possibly would if someone would do stuff after these sanctions e.g. try to circumvent this GitHub block, make and advertise a replacement service, etc; do not do this if US laws apply to you.


> Github blocking an account is not considered "punishment" according to criminal law or constitution

I understand this to be the case. I don’t understand how anyone considers this to be even remotely sane.


Sanctions are orders to cease providing service, aid, goods or funding. Which part is unclear?


I agree - GitHub can block whoever they want. But doing so despite not being required to by law is a valid reason to criticize them.


No. I disagree. Github should not be able to block anyone they want. We went through this about a century ago with railways, antitrust, and Standard Oil. I won't step through the details, but can provide more background if anyone cares.

We landed with the concept of a "common carrier."

Railways, as well as telecommunications companies, ISPs, public airlines, bus lines, taxicab companies, phone companies, cruise ships, motor carriers, freight companies, and others CANNOT discriminate.

As an individual or a small business, one does not have an alternative to Microsoft Word, github, or Facebook.

If these companies are allowed to discriminate, we'd be in a position where, again, monied entities can shut down individual small businesses, or ostracize individuals, as they see fit.

Once you provide a sufficiently central service, you should not be allowed to discriminate.


> As an individual or a small business, one does not have an alternative to Microsoft Word, github, or Facebook.

Google Docs, gitlab or bitbucket, and as for social network there's plenty out there.

None of those are real monopolies. They _might_ be best in class, but there's no rule that says you must be allowed to use the best in class service.


Disagreed. They are de-facto mandatory to use. A former university I was at, for instance, published some required information on facebook. Saying "well, they should not do that" is as correct as it is useless and futile in practice.

I believe the information was visible to either all logged-in users or just all visitors, but that still requires facebook to serve the page to me.


You can say this about anything, though. "My university requires us to use Blackboard, therefore it's a de facto monopoly." "My work email account is through Gmail, therefore it's a de facto monopoly." They're still not. If another party requires you to use a service for some reason, that's between you and the other party.


Common carrier is a more useful limit function.

   Common Carrier <= Monopoly


Replace "monopoly" with "common carrier" and my comment still reads the same.


Let me make this simpler, since there are a lot of comments like yours:

1) If I want to exchange redlined documents with lawyers, I need Microsoft Word. I cannot run a successful business which deals with law firms without Microsoft Word. Most businesses need to deal with law firms. If Microsoft shuts me out of Word, I cannot have a business.

2) If I want to promote my local business, I need to be on social media platforms which my likely customers use.

3) The same goes for niches. If I'm supporting K-12 writing teachers, I need to support Google Docs.

It's not a question of alternatives, best-in-class, or anything else. It's pure network effects. If a platform is >50% dominant in my market, I need to support it, or I'm out-of-business. No one will switch from Twitter to Mastodon or Parler for the sake of doing business with one small business. They'll go next door.

Once a firm has that level of market power, I think it ought to be regulated, both for the same reasons and in the same ways as railways were in the days of Standard Oil.

These companies can literally just kill a small business if they chose to. That's not healthy.


> 1) If I want to exchange redlined documents with lawyers, I need Microsoft Word. I cannot run a successful business which deals with law firms without Microsoft Word. Most businesses need to deal with law firms. If Microsoft shuts me out of Word, I cannot have a business.

I find your reasoning here disingenuous. I have been running a business for almost 2 decades, dealing with law firms and everything and I haven't used Word since I was in high school.


Took a consulting gig with RedHat once. RedHat asked for a document. I gave them a LibreOffice .odt doc (that I wrote on Fedora). They rejected that doc due to inability to access it. I sent them a LibreOffice exported .docx file and they again rejected it due to formatting issues. At that point they specifically requested I use Word and send them a Word document.

Microsoft Word makes the world go round. Sure I can use Wordpad and export a docx file, but no tables, no special effects, etc


> Railways, as well as telecommunications companies, ISPs, public airlines, bus lines, taxicab companies, phone companies, cruise ships, motor carriers, freight companies, and others CANNOT discriminate.

Funnily enough, several of the things you have listed (I believe, actually, most of them) are not common carriers but contract carriers. That means they can discriminate, except against the enumerated prohibited classes.


> As an individual or a small business, one does not have an alternative to

- Microsoft Word — Google Docs? Apple Pages? Zoho Docs? OpenOffice?

- GitHub — GitLab? sourcehut? Bitbucket? Gitea?

- Facebook — Twitter? Instagram? TikTok? SnapChat?

The thing about Git is that it's free software. Anyone can run their own server for very little money. If you get banned from the railroad, you can't just get your own train.


Thing is, if I got banned from github, I couldn't contribute to pytorch or many other projects I've contributed to. And if I ran my own server, no one would contribute to mine.

The value comes from the network.


That's between you and the maintainers of those projects. You can contribute to different projects, or they can use a different forge. Your argument is basically "GitHub shouldn't be allowed to deny me service because I want to use it," but you're not entitled to something just because you want it.


The reason we have antitrust regulations is because the world ended up in a very bad place without them.

This: "GitHub shouldn't be allowed to deny me service because I want to use it" isn't a fair paraphrasing of my argument. I don't think it's likely that github would ban me specifically.

My argument is Microsoft (and Google, Facebook, etc.) shouldn't be allowed to cancel/bankrupt/ostracize competitors, critics, political opponents, or others they don't like. That means we should all be able to access those platforms under equal RAND terms.

If Microsoft is allowed to play dirty, the major impact on me is indirect, in that we will have fewer checks-and-balances in society (people and organizations will be afraid to criticise them), less competition, less innovation, more political corruption, etc.

Antitrust hasn't kept up with technology. In this case, though, we developed perfectly good mechanisms (and learned what happens without them) a century ago.


> Antitrust hasn't kept up with technology.

I'm not sure it's so much a technology issue as much as an ideology shift...?

(a.k.a Robert Bork and the "it's not consumer harm if prices keep going down" school of thought with regard to anti-trust)


It's very much technology.

With Standard Oil, prices didn't go down, except in the very short term. Monopoly can seek out higher profits once monopoly is obtained.

The pricing of LinkedIn, of dating web sites (almost all now owned by match.com), and of many other services is astronomically high, mostly because they can.


> many other services is astronomically high, mostly because they can

Interesting... I guess I never thought about that because of the plethora of "free" services out there, but for paid options I guess maybe you have a point ^^)


So what if the company you work for requires github?


In that case use your company provided account. Just like all tools I would expect that to be provided by the company and as such availability of these tools wouldn't be my problem.

Also, use a private account for private stuff, if that wasn't obvious


That’s between you and your boss, and likely your GitHub account rep. It’s still not a monopoly just because someone voluntarily chooses not to use alternatives.


Create a new GitHub account that you use for work.


> Once you provide a sufficiently central service, you should not be allowed to discriminate.

- git by design completely decentralized.

- crypto by design and inherent in its philosophy decentralized

"GOVERNMENT SHOULD MAKE GITHUB GIVE ME AN ACCOUNT!"


No one said that


> As an individual or a small business, one does not have an alternative to github

Why do you say that?


Because all the projects I contribute to are on github.

And that's where all the developers who contribute to my projects have accounts.

There's nothing magical about the github system, but it's where the network of projects and developers lives.


Have you been banned from GitHub?


An organization doesn't become a monopoly just because they are large. Otherwise you might as well claim McDonalds has a monopoly on food and Nike has a monopoly on shoes. There are tons of competitors to GitHub out there.


What matters is not the list of competitors, but instead the market share.

I don't think anyone can say Nike has 20% of all US customers of shoes.

But it's almost certain that Github has > 20% of all US customers in software development.

Here lies the point. In order to enforce antitrust, there should be a clear line that once crossed, you are deemed a common carrier or something to that effect.

I think even as low as 10% of the US market for a given good or service sounds like a reasonable threshold where you automatically lose rights as a US company to determine who you associate with arbitrarily (because your lobbying power and market power are so great at 10% of market, you need to be neutered in some fashion once you reach that size)


Nike has >30% of the revenues of the sports clothing industry. I guess Nike is a common carrier, they have to let me in their stores and the government must force them to sell their shoes at government regulated prices. If there's not a store near me, they must build one for me or offer me shipping at equal prices to everyone else. After all, they can't discriminate just because I'm far away from their closest distributor, they're a common carrier. Oh yeah, guess they need to build a store, because I don't have internet and I don't have a phone, so not making it available to me as someone who only walks through uninhabited deserts would be discriminating against a customer.

https://csimarket.com/stocks/competitionSEG2.php?code=NKE

I truly don't understand the logic of stating every organization with 10% market share of any kind of product is now instantly a "common carrier". To me that's massively watering down the meaning of "common carrier" past the point of usefulness. A common carrier classically is when there's realistically no possible alternative. There's really only going to be one or two railways going through a city or town. It doesn't make sense for there to be a dozen different water systems or coax telecommunications providers or fiber providers or electrical providers in a city. But if Nike doesn't want to sell me shoes I can just go to Skechers. Or Adidas. Or Vans. Or Foot Locker. Or Journeys. Or Kohl's. Or any other of a dozen different department stores. Or Target/Walmart/other big box store. If Nike doesn't want to sell me shoes, there's tons of other options. Even just buying Nikes at a different retailer! And that's just in person shopping, never mind the literally thousands of retailers online willing to ship me shoes!

But no. Nike is now a common carrier. They must do everything they can to ensure I can buy their shoes at a government-ensured fair price. So they must build a store in the middle of nowhere to ensure I can easily walk there, look at their wares, and decide I'd rather just buy from TOMS.

Then the idea that GitHub is a common carrier is even more distant. There's lots of options out there. You could use GitLab, Bitbucket, Team Foundation Server, JetBrains Space, Beanstalk, AWS CodeCommit, Google Cloud Source, Sourcehut, and so many others. They're all right there on the internet. You don't have to sell your house and move to the next county over to use Bitbucket. You just change your remote and push.


Can I use Nike to design shoes that they will make for me or something? What makes them common carrier like?

On the other hand, they are a common carrier - they aren't limiting which countries or streets I'm allowed to wear their shoes on, nor what kinds of sports I choose to play with them.

I don't think anyone would be favourable to giving Nike more control over how people use their products


> On the other hand, they are a common carrier - they aren't limiting which countries or streets I'm allowed to wear their shoes on, nor what kinds of sports I choose to play with them.

That's...not a common carrier at all. Traditionally, a common carrier is "a person or company that transports goods or passengers on regular routes at set rates." So traditionally, a rail line is a common carrier. A pipeline is a common carrier. Air freight and truck shipping, kind of, but you're then getting away from that "regular routes" kind of thing. This was then logically expanded to things like telecommunications, since they're essentially transmitting data along regular routes aka the actual telephone wires.

A big thing about becoming "common carriers" was this idea of regular routes. Competition gets challenging/impossible when there's really a single route for some things. There's really only going to be one set of rails connecting towns. There's not going to be a bunch of different companies stringing telephone wires to everyone's houses. There aren't going to be a lot of fiber runs through a neighborhood. These things are all common carriers and are natural monopolies.

I can go buy an apple at the grocery. I can eat that apple raw. I can turn it in to apple sauce. I can bake it in a pie. I can juggle with it. I can give it to a friend. I can donate it to charity. The fact I can do all these things with it does not make the apple producer or the grocer a common carrier. It's entirely unrelated.

The person I was replying to was stating any company with 10% market share in any kind of metric should be considered a common carrier. Nike has more than a 10% market share in total revenue of sport clothing. So they say Nike should be a common carrier. This makes no sense to me.


I didn't say revenue for a reason, but even then I highly doubt Nike sells 30% of all US shoes

Notice I'm talking about shoes, not sneakers. There's a ton of women's wear that probably is a significant share of the whole market, of which Nike has exactly 0%

Let's make it simple so there is no misunderstanding. Any company owning at least x % of a given NAICS or SIC code. There.


So what are GitHub's NAICS or SIC codes? 7379 Computer Related Services? Think GitHub makes up 20% of all "Computer Related Services"? Does GitHub control 20% of 504500000 "Computers, peripherals, and software"?

Also, expanding out to "all shoes" or all apparel is like making GitHub "all developer-focused Software-as-a-Service". Can I really use Prada Satin platform sandals with crystals in the same way as Nike React Infinity Run Flyknit 3's? No, their utility is very different and they're not really interchangeable. Can I use Sendgrid in the same capacity as I use GitHub? No, their utility is very different and they're not really interchangeable. You need a tighter market segment to point to, such as at least "sports clothing" or "fashion clothing" or "source-code management" or "external communications tools".

Even then, I'm not so sure GitHub definitely has 20% or more of that whole market. It definitely has deep penetration in some parts of the market and it wouldn't surprise me if it does have 20% or more, but I wouldn't necessarily just assume that. Do you have any information to share on actual market share? I don't and I did briefly look for it.


And tons of people who don’t use GitHub, despite claims that you have no choice but to use it. It’s been years since I touched it.


If what you say is true then Hacker News cannot remove any submission or any comment.

Unless some content is more “freedomtastic” than others but then that leads to determining what is acceptable speech and what is not. That is more dangerous than allowing private entities complete control because the central tenet of freedom of expression is that all expression is equally free.

In actuality no speech is more or less valid— you just have no obligation to propagate it no matter how important or unimportant it is.

And the scale argument, what most people fall back to when they realize that their initial position is indefensible, is irrelevant.

A single word written on a scrap piece of paper read by one person is just as important as a mass-messaging appeal that is vital to the billions.

An organization, vital to the very existence of all human beings on earth has the same rights to control their property as a single homeless person whose only possessions are the things he carries on his person.

Or at least, they should. Perfection is unattainable but we should strive for it so that systems where a homeless person doesn’t have the same protections as a multibillion-dollar corporation should not see calls for the large entity to have its rights curtailed but instead should see calls for the small entity to have its rights enhanced.

As far as I’m aware the only exceptions to this, broadly speaking, have been those made for health and safety purposes or when entities have been granted a license or permission to own finite public resources like the radio spectrum, or if criminal law has been violated.


Well, you misunderstood me.

I agree that GitHub’s actions are not regulated by the constitution or criminal.

Additionally I imagine GitHub’s contract terms are such that they can cancel at any time for any reason.

What I intended to say is “I agree with the poster who complains of retroactive account deletion. We can look to the constitutional process for some reasons why retroactive punishment might be a bad idea.”

I did not mean to imply that GitHub’s actions were unconstitutional. They were bad actions for the same reasons that the constitution bars retroactive punishment. It’s hard to guide current behavior based on future law. They were likely legal.


Well, you misunderstood me.

I meant to offer the constitutional reasoning as a source for why retroactive punishment is problematic. Not as the binding legal principle.

I agree GitHub CAN do this.

My post offered the opinion GitHub should NOT do this.


> Ex post facto criminal laws are barred by the constitution for good reason.

I think your analysis is flawed. They didn't come up with some new law and apply it to these people ex post facto. These accounts were contributing to the money laundering (per accusations, albeit indirectly).

Another way to look at it: if these people were contributing knowingly to a project that was laundering money, should they be punished? Of course.


I agree with this analysis.

If they are being punished for money laundering committed in the past while money laundering was illegal, that’s good enforcement.

If they are being punished for previous lawful contribution to an entity that was in the future sanctioned, that’s bad enforcement.


This is an anonymous token. It can be used for a plethora of things, including earning passive income. If we apply this line of thinking, everyone who has ever contributed to Monero and Tor should be punished because both are widely used for criminal activity.


Unless, of course, GitHub considers every single contributor to Tornado to be part of the sanctioned entity due to the decentralized nature of git? Seems like a very dangerous interpretation for open source in that case…


If you really want to lose some sleep look up partnership law.

Everyone who has ever contributed to an open source project _could_ be (in the absence of the project setting up proper legal structures) considered a member of a general partnership, and thereby become jointly and severally subject to unlimited liability for the actions of the partnership.

(IANAL this is just what I've read online)


I think it would be a fairly novel interpretation of "persons carrying on a business in common with a view to profit" required to catch out contributors to an open source project.

Outside of a project that takes contributions / donations without a legal entity to receive them and parcels those out amongst the contributors, I can't think of a reasonable situation that would enable such a definition.


Seems unlikely to me too but that's what I've read. If you ask a lawyer "what are the risks of doing X" they'll give you a list, and some will be more likely than others. It's up to the client to decide what level of risk they're happy with.

I managed to dig up the mailing list thread where I read about this risk: https://groups.google.com/g/linux.debian.vote/c/Nl-J8h2pO9A/... for context, Sam Hartman is a former Debian Project Leader and I assume his opinion is formed by advice from SPI's lawyers.


IANAL either, but I have taken business law courses. And what you said is simply not true. At all.


> Imagine if, say, A foreign electronics company is sanctioned by the government - does this mean that anyone who has previously worked with them or bought their electronics has done so illegally? If so, that sounds like a significant impediment to commerce, since nobody can predict who will be sanctioned in the future.

That's not what's happening here. What you're seeing is a US company evaluating its ongoing business relationships, and making the decision that continuing to associate with principals of a designated company isn't worth any potential legal risk.


Sanctions do not apply retroactively, so this is overreach on Microsoft’s behalf. However Microsoft is a private business and can choose whom they do not do business with. This is not protected by freedom of speech or any legal right.


> Imagine if, say, a foreign electronics company is sanctioned by the government - does this mean that anyone who has previously worked with them or bought their electronics has done so illegally?

My understanding of the American justice system says you cannot do this, our founding fathers did not want any witch hunts, laws should deter future abuse, otherwise people might as well never do anything, ever.


> seems ridiculous that the sanctions should apply retroactively

Anyone contributing to Tornado after it became public knowledge that it was used to launder money put themselves at risk. The sanctions are the enforcement action. A wanted poster. The crime, laundering money, was committed a while ago.

> does this mean that anyone who has previously worked with them or bought their electronics has done so illegally?

If you knew they were doing sanctionable things, yes. If you didn’t, no.


What if we said "Anyone contributing to *HTTPS* after it became public knowledge that it was used to launder money put themselves at risk." ?

Tornado is a super basic privacy layer that has been used as such for many years for countless legitimate purposes. Transaction privacy is obviously something that is in high demand by the general public, and they have it. Of course criminals might use it too, but doesn't the general public deserve the ability to make transactions without the world watching? The idea of making privacy tech illegal is absolutely outrageous, and it blows my mind that any reasonable person would take any other stance.


What is not used to launder money? What separates pre-sanctions Tornado from any other tech that can feasibly be used for something evil (e.g. cash money, PayPal, any cryptocurrency, e2ee messengers)?

Should we ask the government to publish a registry of approved technologies to ensure own safety?


> What separates pre-sanctions Tornado from any other tech that can feasibly be used for something evil (e.g. cash money, PayPal, any cryptocurrency, e2ee messengers)?

I don’t have the technical answer. But from the instant tumblers became a thing everyone with AML experience saw the endgame. It’s providing, as a service, a function directly analogous to real-world layering. It does nothing else. And nobody involved seems to have taken the prospect of criminals using their product seriously.

Messengers are not money, so laundering goes out the window. PayPal is regulated. And crypto does other things. Tornado just served to hide the origin of money. And it was used to launder illegally-gotten gains.


The fundamental problem is that "money laundering" is an oxymoron, because money is fungible. So the government has created an always-applicable law, pinky-swore to only use it to prosecute "bad guys" (like many federal add-on laws), and is now expanding their scope to persecute a project that mitigates a general security vulnerability that exists in most cryptocurrencies, because the existence of that vulnerability hinders criminals.


The definition of money laundering is concealing the origin of money obtained from an illegal source. You may not like the fact that this is illegal, but it has a clear definition and most people want it to be outlawed, so it is. It's obviously not "always applicable": I've never taken steps to conceal ill-gotten gains and neither have the vast majority of people.


Sure, the requirement for an "illegal source" is what made for an "add on" charge - something else illegal had to have been going on for it to apply. But here it is being used by itself to go after a piece of software that provides general financial privacy to anybody, and not merely financial privacy for criminals. So that detail of its definition isn't particularly relevant any more, and it makes sense to talk about the contradictory framing of the concept.

A traditional banking analog would be if the feds went after brick and mortar banks for allowing customers to deposit checks from named payors and withdraw cash or create a new check. A law-abiding customer might take advantage of this property to receive a paycheck from an abortion clinic and then make a donation to their church. Whereas a criminal might use the same scrubbing to receive a payment from a known drug dealer and then turn around and pay their mortgage. Yet the bank's whole business isn't declared a priori illegal due to concealing the origin of the funds on the outgoing payment.


> it is being used by itself to go after a piece of software that provides general financial privacy to anybody, and not merely financial privacy for criminals

The archetypal laundromat also does normal folks’ laundry. It just also launders money for criminals. I’m sure they would happily layer money for non-criminals but nobody does that.

> banking analog would be if the feds went after brick and mortar banks for allowing customers to deposit checks and withdraw cash

If they did that without checking anyone’s identity and then, after learning—from law enforcement no less—that criminals were using them to launder money, kept going, business as usual, hell yes they’d be shut down and arrested.


> I’m sure they would happily layer money for non-criminals but nobody does that.

This thread is full of these blind assertions that nobody except criminals wants financial privacy. They are patently false.

> If they did that without checking anyone’s identity and then, after learning—from law enforcement no less—that criminals were using them to launder money, kept going, business as usual, hell yes they’d be shut down and arrested.

You're basically saying that once a service gets used by a criminal, then operating that service becomes illegal because it is furthering criminal acts. This seems like yet another Godelesque everything-is-criminalized result, and your appeal that one can avoid persecution by electing to perform blanket investigation on all one's customers isn't particularly redeeming.

Like sure I get the traditional banking industry has been practically inundated with these type of invasive heavyhanded regulations to make things easier for law enforcement, but that's not a particularly compelling argument.


> You're basically saying that once a service gets used by a criminal, then operating that service becomes illegal because it is furthering criminal acts.

If the operators know that people are using their service to launder money, and they keep operating their service without doing anything to prevent that, then… yes? What do you think should happen? They just get to keep doing crime?


Try applying your argument to the electric company. If a service operator has knowledge of a specific crime being committed one can make the argument that they're obligated to report the known details. But in general knowing that nonspecific criminals may be using your service does not imply that you have to shut your service down to hinder those criminals.


Tornado Cash isn't an electric company, though. There are different rules. Financial institutions are often subject to KYC rules that require them to proactively vet their customers.

You're writing as though this were uncharted legal territory, trying to reason from first principles when you can truly consider a business a criminal enterprise, but we've had laws on the books for decades for the express purpose of stopping people from doing exactly what Tornado Cash does.


The traditional financial system has coasted along on having two different sets of rules - one for consumer-facing things where you can do whatever you want with anonymous cash up to a certain amount, and one for Big Serious Transactions. The distinction between those two regimes is breaking down, and I don't want to see consumer privacy get left behind. Thus it's appropriate to reason from first principles about what ought to be, and not simply what regulations law enforcement has been able to get pushed through to make their own jobs easier. Individuals should not have everything we purchase be permanently recorded in order to convince us to buy more crap or price discriminate or whatever. Financial privacy is a key part of that.


I do not see a meaningful difference between e2ee messengers and mixers. Both aim to support anonymity. Both can (and do) enable bad things. If you (unlike me) believe that cryptocurrency should be legal, I don't see why you would think mixers should not.

Now it is moot after sanctions are in effect. What we are discussing is mental world model of software engineers before Tornado sanctions were announced and their accounts wiped. It might be hard to see in hindsight.


https://docs.github.com/en/site-policy/acceptable-use-polici...

I think this is probably an AUP question. The sanctions are a big enough "hey these users broke the law" signal.


A government can pretty much do whatever it wants in the realm of foreign relations, things it can't usually do to its citizens (such as retroactively applying sanctions). If you have a problem with it, take it up with the government.


It's called covering your ass. Github/MS need to protect themselves, which means taking all actions reasonably possible to fend off charges of obstruction or collusion.


Your perspective on this is distorted.

We are talking about an entity that according to the treasury has laundered more than 7 Billion USD, assisted criminals and neglected complying to Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) obligations willingly and repeatedly. Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors, regularly and without basic measures to address its risks.

This according to the treasury goes on for years since its creation, so everyone who actively contributed to the entity is considered a threat to national security and often, if you look at the sanctions list of OFAC sanctioned entities, rightfully so.

Retroactively, and to my knowledge, there is not a single investigation and OFAC sanction that got lifted by a court because the accusations themselves were wrong. And it's not like you don't have the right to appeal those sanctions. Entities and sanctioned people quite often do so, and fail.

See https://www.cadc.uscourts.gov/internet/judgments.nsf/C2B2FFF... for example.

Tornado Cash is not just a foreign electronics company that stumbled into an OFAC sanction because it accidentally sold a Toaster to Kim Jong-un, so he can enjoy a crispy morning toast.

Where you are right is, that OFAC sanctions are a significant impediment to commerce because you cannot predict who will be sanctioned in the future. That's why, as a company or even individual, you need to do due diligence on who you get in business with.

If you import fruits and someone gives you 5k per box of Avocados extra to import them from Mexico to the US asap, you can bet there are not just Avocados in those boxes. You can pretend you didn't know, but if you don't want to end up in jail for providing service to a cartel, you need to make sure there are only Avocados in those boxes and the premium is for extra fast shipping.

Everyone knows that virtual currency mixers are commonly used by illicit actors to launder funds, especially those stolen during significant heists. This is at least common knowledge since the Silk Road days.

So if you contribute to such a project, that has the potential to harm your fellow citizens and contribute to financing of terrorism, without making sure it is complying to Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) obligations one hundred percent, you can't just cry foul play and say I didn't know anything of this. Especially if you understand code and the inner workings of said project or have a direct line to the people in charge if you frequently contribute.

So, in my opinion it's more than ok if everyone who contributed to Tornado Cash and enabling it to do what it is accused of, their life should turn to sh*t immediately and everything they touch from here on. Because getting people harmed or financing terrorism or foreign state actors is not a trivial offense. Laundering virtual currency for criminals hurts real people.


Anyone who has ever contributed to privacy or security technology should “have their life turned to shit” too under this logic. All the evil terrorist money launderers probably used VPNs or Tor too. Maybe they posted on HN, making you part of an internet terrorist club. Maybe they asked a question on StackOverflow that you answered. You’re waving around some acronym that the government made up 20 years ago to describe normal human activity (transacting without approval from a central authority) like it’s some deadly ancient sin.


The difference here is that a cryptocurrency mixer serves exactly one purpose: to be used to provide a financial service. You're not going to be able to plausibly argue that you didn't know that it was going to be a financial service, and you're probably not going to be able to plausibly argue that you didn't know it was going to violate applicable financial regulations.

When you're working on other privacy/security technologies, they have substantial enough other uses that you are plausibly able to argue that you were ignorant of its use in illegal steps.


Even so, Tornado Cash is functionally and conceptually quite different from a mixer. It's non-custodial, for starters.

There's a plausible argument that none of the sanctioned individuals were or are involved in running any kind of financial service.

This is closer to sanctioning developers of cryptographic libraries than it is to operators of a coin mixer.


Tornado is specifically run to obscure cash flows, something which is specifically illegal.

This equivocation is as saddening as it is predictable.


> to obscure cash flows, something which is specifically illegal.

It's only illegal under 18 U.S. Code § 1956 to conduct transactions to obscure the source of "the proceeds of some form of unlawful activity." There's no law against obscuring the sources of cash flows in general. And on an otherwise completely public blockchain, there was a major use case for obfuscating flows for the sake of user privacy.


The phrase 'according to the treasury' and Ctrl-V are doing a lot of work there. The government says a lot of things. The other day the Secretary of State claimed Tornado Cash was a DPRK sponsored hacking group before deleting the tweet. Not everyone in authority has a real great understanding of the technology involved.

https://web.archive.org/web/20220808155413/https://twitter.c...

> We are talking about an entity that according to the treasury has laundered more than 7 Billion USD, assisted criminals and neglected complying to...(AML/CFT) obligations willingly and repeatedly.

The Tornado Cash mixer contracts have been immutable since May 2020. It's a dumb piece of software that can't be modified or upgraded. Its authors have no control over who uses it on the blockchain.

https://tornado-cash.medium.com/tornado-cash-is-finally-trus...

It's kind of a strange accusation to say that someone has 'willingly and repeatedly' neglected to comply with legal obligations by failing to do something that's technically impossible to accomplish. All the GitHub users did was write code, and simply writing code, while not executing it to do something illegal, seems like it would be pretty well protected by the First Amendment, since code is speech. Turning people's lives to shit over what a software tool they invented gets used for later, after it's completely out of their hands, is pretty wild.

You copied and pasted Brian E. Nelson's complaint:

> Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks.

But what Nelson fails to mention is that a) everyone involved has failed to impose 'effective' controls because it's physically impossible for anyone to, and b) basic measures to block sanctioned entities were actually implemented by the operators of the Tornado Cash website (which just got added to the SDN list anyway). So the complaint is that the control measure in place isn't an 'effective' control measure against entities that don't use the website.

https://www.coindesk.com/tech/2022/04/15/tornado-cash-adds-c...

And not that the exact number matters, but the Treasury is alleging an obviously maximally exaggerated amount of money laundering. $7 billion is the total value of deposits into Tornado Cash over all time. For that to be $7 billion laundered, 100% of all deposits, ever, put into the mixer would have to have come from illegal sources, which is obviously false. Depositing legally earned money into a privacy smart contract isn't money laundering. A sizeable portion of deposits are illicit, but far from a majority.

> Since becoming active in August 2019, Tornado Cash has received over $7.6 billion worth of Ethereum, a sizable portion of which have come from illicit or high-risk sources.

https://blog.chainalysis.com/reports/tornado-cash-ofac-desig...


> Your perspective on this is distorted.

You make an excellent point. The entire point of Tornado Cash is[0]:

"Tornado Cash is a cryptocurrency platform. It is a Cryptocurrency tumbler, a service that mixes potentially identifiable or "tainted" cryptocurrency funds with others, so as to obscure the trail back to the fund's original source."

From a legal standpoint, such functionality has few (if any) purposes other than to circumvent the law.

As such, preventing such activities is likely a societal good.

I expect you won't get a lot of love from some folks here, as they aren't interested in societal good. They seek license to do what they want whenever they want, without regard to the impact on the society in which they live or those they live alongside.

And in most cases, that's just fine. I strongly value liberty myself. I'm not as dogmatic as some, but I strongly believe that the only actions which should be proscribed are those that limit the liberty of others.

In order to maintain that liberty, it must needs be an ordered liberty that discourages activities that cause harm to others.

All that said, what governments decide is "criminal activity" is often arbitrary and unfairly/unevenly applied.

This creates distrust in the legal system, which Tornado Cash circumvents. Which is why not a few law-abiding folks (especially in the age of surveillance capitalism[1]) want the capabilities (anonymization of financial transactions) offered by Tornado Cash.

What's more, the legal system in the US actually works pretty well, as compared with other nations around the world.

It's not the best, nor is it free of flaws, but it's definitely better than nothing.

This (how to make our ordered liberty as broad and as fair as possible) is a complicated and nuanced topic. I haven't done it justice in this comment.

While I do appreciate the value of a platform like Tornado Cash (how, and with who, I effect financial transactions shouldn't be of concern to anyone other than those involved in a particular transaction), it's pretty clear that without appropriate controls (AML/CFT regulations) enormous harm can be done. In fact, this episode shows that enormous harm was done in the absence of the implementation of those regulations.

Github will comply with the law when it is required of them.

They have a business to run.

[0] https://en.wikipedia.org/wiki/Tornado_Cash

[1] https://en.wikipedia.org/wiki/Surveillance_capitalism


> So if you contribute to such a project, that has the potential to harm your fellow citizens and contribute to financing of terrorism,

The currency that finances terrorists the most is the US Dollar.

If you believe the biggest terrorist is the US Govt and State Department then it's your moral duty to use crypto.


I'm assuming that the problem for Github is that they can't reliably know which of the contributors are "currently part of" TornadoCash and which ones are unrelated people who just contributed code some time ago, and since they absolutely must block the former, in the case of uncertainty the only safe option was to block everyone who seems related.


None of the Tornado developers are anonymous. They are all well known and respected members of the security/privacy community, and I have personally hung out with them multiple times in the US at public events, where they often speak etc. This isn't some shadowy cabal, they are programmers and mathematicians who think sometimes people might not want the world to see where they are spending their money. Crazy right?


> ...they are programmers and mathematicians who think sometimes people might not want the world to see where they are spending their money. Crazy right?

The IRS and bodies responsible for enforcing laws like those against "funding terror" (remember that?) certainly think that is crazy.


This is chilling for me. I've contributed to plenty of projects during my 10 years of using GH. Little PRs here and there, sometimes just typos, sometimes just issues. If one of those projects runs into trouble with the law or with GH, will GH delete my account? This would be disastrous for me.


> Does Tornado being sanctioned mean that everyone who has contributed in the past also needs to be blocked?

I'd say that this is a significant risk that people doing DeFi need to have a long, hard think about. Without a clear organization, without clear leadership, one cannot draw a bright line around those who deserve sanctioning. In court, efforts made towards plausible deniability might pay off. But github is not the courts, its interest is its own liability.


> Does Tornado being sanctioned mean that everyone who has contributed in the past also needs to be blocked?

It looks like it was just the three creators. If they’re smart, this is a prelude to announcing a legal defence fund.


isn't git decentralized already?


Git is not GitHub


A Github repository is decentralized among everyone who has cloned it, nothing about Github changes that.

The other parts, like issue tracking, obviously are not.


It's not decentralized in any practical manner when everyone's local clone is pointing to the same, now no longer available, origin.

This could have been mitigated by having a pre-determined fallback origin (which could very well be something they had in place - I'm not familiar with this project).


> It's not decentralized in any practical manner when everyone's local clone is pointing to the same, now no longer available, origin.

On the contrary, removing the common, centralized origin makes the project decentralized by definition.


Some form of distributed authority could have been implemented as a more practical alternative to the scattered remnants that they might be left with now.

You're right, of course. My previous post was written up a bit too hasty :)



Issues not, unless you use git-bug


Then the thread has shifted tone from when I first read through it.



