[Cryptography] Privacy, Code, and the Future

Andrew Lee andrew at joseon.com
Thu Aug 7 11:56:12 EDT 2025 

Howard,

Thanks again for continuing this conversation. I appreciate your clarity
even when we disagree.

Here's where I think we need to zoom out.

This case started with the assertion that Tornado Cash was operating a
profitable service that failed to comply with financial regulations.

Fine.

That's a reasonable interpretation... if that's where it ended.

But it didn't.



Let's look at the government's own words:

"The government alleges that while it was possible to access the smart
contracts powering Tornado Cash directly, most users relied on the native
interface, and 98% of users utilized the optional relayer network, which
was set up and operated by relayers manually whitelisted by Tornado Cash's
co-founders until March 2022."

They said it was a service with a UI, and that nobody used the smart
contract directly.  Fine.


Then the prosecution says:

"Though the Tornado Cash developers implemented a UI change to screen out
OFAC-sanctioned wallets, the government alleges this action was
insufficient to prevent illicit activity by the Lazarus Group, a North
Korean hacking organization."

So even after Tornado Cash attempted to comply with sanctions, suddenly, it
wasn't enough.  The goal post moved.

The issue became about failing to prevent misuse of code that is, by
design, immutable.


The implication is that even autonomous, decentralized code, post
compliance, is criminal if the government believes its existence enables
unwanted behavior.

That should concern anyone building at the edges of technology.  That
should concern cypherpunks.


It sets a precedent that the mere existence of infrastructure outside the
traditional financial system is a liability, regardless of how it's used,
how it's governed, or whether attempts were made to comply.


Privacy preserving financial infrastructure threatens their ability to
monitor, intervene, and ultimately, shape how value moves.

We all know this is the real issue. We've been fighting this battle, even
outside financial systems, for some time. What do you think DJB went to
court for?

The short term justification may be about compliance gaps which clearly
have achieved some level of narrative success based on some of the
responses I've seen here.

However, the point I am making is const. I'm not moving goal posts.

And, to be clear, welcome to the mud.

This is the front-line battlegrounds that cypherpunks have been continually
fighting therein, and we will continue to fight until we win.

- Andrew

P.S.: To be clear, Lazarus and many other criminal groups continue to use
VISA, Mastercard, ACH, SWIFT, FEDWIRE, Discover, AMEX, Checks, EBT,
Bitcoin, Ethereum, and many other methods for moving money and/or storing
value.

When are we going to go after these vicarious enablers? :P </sarcasm>




On Thu, Aug 7, 2025 at 8:20 AM Howard Chu <hyc at symas.com> wrote:

> Howard Chu wrote:
> > Andrew Lee wrote:
> >> Howard, Peter and all readers,
> >>
> >> Respectfully, I think we should be very careful about the precedent
> this case sets.
> >>
> >> The core issue here isn’t whether privacy tools are sometimes used by
> bad actors as any powerful technology carries that risk.
> >>
> >> The deeper concern is assigning criminal liability to the people who
> build foundational infrastructure, especially when it’s open source and
> autonomous.
> >
> > That is not what is happening here. You're still stirring sensationalist
> nonsense. Quit amplifying a false narrative.
> >
> >> Roman Storm wrote code.
> >>
> >> That code was deployed and became immutable, operating independently on
> a decentralized network.
> >>
> >> Hard stop.
> >
> > The authorship of the code is irrelevant to the case.
> >
> > Roman is being prosecuted because he operated a commercial enterprise,
> profiting off use of that code. It is brazenly
> > a for-profit enterprise, backed by venture capitalists. As such, that
> enterprise was subject to the regulations that
> > apply to businesses that deal in transferring money for customers.
> >
> > None of this has anything to do with the fact the code is open source.
> >
> >> With all due respect, let’s be thoughtful.
> >
> > Let's also be truthful. The facts of the case are already outlined in
> the article I linked previously.
>
> To be completely clear:
>
> "The government argues that characterizing Semenov’s alleged crime as
> merely writing code obscures his role in promoting and maintaining the
> Tornado Cash
> service, even when he knew it was being used to launder illicit proceeds
> from hacks.
>
> The prosecutors’ motion asserts that the Tornado Cash service was a
> “commercial enterprise carried on for profit or finanancial [sic] gain” and
> that Semenov
> himself profited from its operation through his control, along with
> others, of key components of the service.
>
> ...
>
> The government further alleges that actions taken by Semenov and his
> co-founder Roman Storm to keep Tornado Cash running, such as payments to
> host the site,
> paying gas fees for blockchain transactions, “refusing” to implement
> proper anti-money laundering programs, maintaining the relayer network, and
> developing new
> features to enhance anonymity, are part of the charged conspiracy."
>
> It's not about writing code. It's not about code running autonomously.
> It's about explicitly funding and operating a commercial service.
>
> > They are not what your fear-mongering states. Your attempt to conflate
> the issue of open source development here
> > is the only thing that could cause harm to software developers. Stop
> muddying the water.
>
> --
>   -- Howard Chu
>   CTO, Symas Corp.           http://www.symas.com
>   Director, Highland Sun     http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP  http://www.openldap.org/project/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20250807/3979cb7c/attachment.htm>

More information about the cryptography mailing list