Did the US Treasury censor code or illegal actions?

As is well-documented elsewhere, the US Government has chosen to apply financial sanctions to the Tornado Cash project.

This is not the first action the US Treasury has taken against use of a cryptocurrency mixer. It’s a clone of the sanctions applied to Blender.io in May which was clearly responding to money laundering by North Korea. That case was clearly an action against an entity.

However, it is not clear to us whether the sanctions US Treasury is imposing here relate only to an entity (namely the people and resources causing the website tornado.cash to operate) of which illegal actions are alleged, or also to software code (namely the source code of the smart contract used by the entity). The name “Tornado Cash” is used both by the Open Source smart contract (an autonomous distributed software program) and a notorious instance of that software. But the sanctions merely give the shared name and a list of ethereum addresses that relate to the collection of the proceeds of the instance: Is the intent of the US Government to outlaw the instance alone or both the instance and the software generally? We approached the US Treasury in mid-August but have not yet received a response.
Update: On September 13 they posted an FAQ answer indicating that their action is not an act of prior restraint against first amendment protected source code but is intended as action against an instance they deem illegal.

If the intent of this action is to shut down an illegal entity (namely tornado·cash) being operated without adequate oversight and consequently used by criminals and terrorists – as appears to be the assumption behind the accompanying press release – then it seems reasonable action. If however it goes deeper than this and also applies to the source code then the EFF are right to be raising concerns, whether this is an intentional act of prior restraint or ambiguous framing.

Software is inherently non-rivalrous, and the Open Source approach to developing it effectively prevents artificial barriers and other attempts to make it rivalrous. A consequence of this is the use made by one person will be unrelated to the use made by another unless they choose to collaborate. Even if they do choose to collaborate, that does not link their separate enterprises – it merely leads to the software becoming anti-rivalrous.

Government officials and policymakers need to be very careful to distinguish deployments of software from the source code. This can be especially challenging where the code is deployed in source form, and this case is additionally complicated by the fact the software itself runs autonomously as a “smart contract”. But it’s vital that every effort is made to be clear who and what is being sanctioned. You wouldn’t sanction a driver because a criminal used the same model of car for a crime; you probably wouldn’t do so simply because they both used the same garage for servicing. If the garage was set up specifically for service getaway cars and you happened to be a law-abiding customer, the situation would be marginal (but you would probably be well advised to use a different garage).

This case is further complicated by the intentional gaming of both privacy and free speech by the communities involved in cryptocurrencies. “Evading The Authorities” is part of an irregular verb family: I value my privacy, you keep your questionable actions secret, they illegally evade the authorities. It’s not a surprising response of US Treasury officials if their response to the game is to sanction the whole thing. They are right to act even if their actions need to become more nuanced. Also, the cryptocurrency community needs to stop pretending it is immune to consequences and hiding behind libertarian sympathies to disguise a reluctance to engage in normal know-your-customer and anti-money-laundering due diligence. The days when “pioneering” justified “lawless” are long behind America.