GitHub deleted accounts of people who contributed to Tornado Cash repos (twitter.com/bantg)
392 points by ETH_start on Aug 9, 2022 | 501 comments



The commenters saying be reasonable, they were sanctioned, GitHub had to do this, should look into the last time code was made illegal or similar turmoil and what the developer community did in response…It was not accepting sanctions or govt failures to understand code as “well that’s that.”

- Phil Zimmermann (PGP) was under criminal investigation for arms exports by releasing the code for consumer encryption. The case escalated and was eventually dropped, including POTUS attention.

- Aaron Swartz passed away via suicide in 2013 under threat of 35 years in prison and a lot else for downloading from JSTOR programmatically

- Clifford Stoll spent several years being ignored by every govt agency under the Sun, except for CIA, for finding, attributing and then exposing a widespread KGB hack of govt systems in the 80s

- L0pht testified in front of Congress to expose significant internet security risks that were otherwise ignored.

I’m not saying Tornado Cash and related devs were doing a purely moral action. But the automatic siding with the heavy hand of govt sanctions on code the govt doesn’t really understand is pretty shameful for a nuanced technical audience.


I think it's important to make a distinction between GitHub attempting to ensure they are in legal compliance with a sanction and approving of the sanction happening at all.

You can disagree with the sanction while still being understanding of GitHub trying to cut ties with the sanctioned entity. Or be critical of them being heavy handed in their compliance but agree with the sanction in general.


You’d be on the “be reasonable” side of this I suppose.

Plenty of organizations in the past have chosen what side of this conceptual line to stand on.

One can end up looking like the EFF with a long term, very strong reputation of standing up for clear boundaries of what’s right in the legal<>code context and go to court over it, or you can end up looking like GitHub.


EFF doesn't have >$100Bn of profits per year.

When you're a donation based non-profit, it's easy to "stand up for clear boundaries". In fact, it's literally your purpose.

When you've got >$100Bn of profits on the line, it's a little harder - and you have a different purpose (i.e. to make money).


I don’t think it was particularly easy for Phil Zimmermann, random computer programmer who built something but could also go work for MSFT instead, to stand up to big time jail Arms Export laws over something he built.


So you're saying that Microsoft has more money to work with? Everything I know about the legal system shows that the more money you have, the easier it is to get your way.


Their way is to make money - not to fight for political issues.


What grounds would there be to fight? I don't think GitHub has any standing to fight the sanctions themselves. And if an entity is sanctioned all US persons and companies must stop providing them services. Hosting a git repo for them certainly counts as a service, doesn't it?

Perhaps there is some grey area as to what qualifies as a service being provided to that entity. Is my fork still a service being provided to them? Or is it a service being provided to me? But that is still something useful to the sanctioned entity, so am I now providing them a service? In which case GitHub is still a party to providing them a service.


> One can end up looking like the EFF with a long term, very strong reputation of standing up for clear boundaries of what’s right in the legal<>code context and go to court over it, or you can end up looking like GitHub.

There's a massive difference between "nope, I won't comply with the law" and "I think this law is a bad idea, let's go to the courts to see if we can do something about it". And GitHub has done the last, too, to restore access to Iranian developers for example.


Honestly, I don’t care what happens to crypto bros. They put profit before environment. Fuck em.


This type of opinion is so sad to see, especially here on HN that tends to be relatively level-headed.

I don't agree with a lot of things in the world, but the only thing I wish for them is for things to get better, not worse.


If you look at his submissions and comment history, I don't worry so much, it's all hyper partisan politically influenced hot takes.

The funny part is he's contributing to the problem, as in not realizing it's the working class vs the rich, not the left vs the right.


PoW uses less energy than global dishwasher usage. Do you feel similar sentiments against Home Depot and dishwasher users? Facebook data centers aren’t pretty either in this regard.

Edit - additionally, tornado runs on eth, which is soon to be env-friendly PoS.


The whole point of the energy critique is that it's being wasted on something either useless or deleterious. You can argue with that take, but all you're doing with the "but what about dishwashers?!" response is asking them to pass a moral judgment on dishwashers, which isn't relevant to this discussion.

Also, Ethereum has been "soon to be env-friendly PoS" for years now. Let's revisit that if and when it actually happens.


Cryptocurrencies are our only counter yet against the abuses of the financial system by the governments. In some countries this abuse is only potential, on others - already very real.

In a country where a dictator can make you starve with a snap of the fingers, cryptocurrencies are vital to survival. So even 10x more energy 'wasted' on such an indispensable service would still be a bargain I'd take.


Protecting the wealthy from the government isn't exactly a cause many want to fight for. Using the government to rein in the wealthy is much more popular.

In a country where a dictator can make you starve with the snap of the finger, what are you going to do, eat your virtual coins from your jail cell? Technology is notably not a solution to social problems


Protecting the wealthy? You have no clue about real problems of people resisting the dictatorship. Right now cryptocurrencies are the only reliable and untraceable way for Russian dissidents and underground to fund themselves. The key features are anonymousness and permissionlessness, and Bitcoin/Monero can be turned into hard cash quite easily. Oh and it also allows you to receive funds from abroad with zero oversight, avoid paying taxes, etc.

If there will ever be an uprising, it'll be funded with nothing else but cryptocurrency.

So yes, cryptocurrencies are worth every watt of energy they use.


Well the merge has hit test chains so it’s coming for eth main chain.

Yes, you’re correct, the judgement is about what the energy is used for.


So I'm actually interested in these figures.

Bitcoin alone is estimated to use 150 terawatt-hours of electricity annually.

The US Department of Energy estimates that there are 80 million households with dishwashers in the US (although they believe 16m never use them, but we will ignore that). It appears that the average dishwasher uses 251kWh annually (at the avg of 215 cycles per year).

So this would put the US annual dishwasher power consumption to around 20 terawatt-hours. This would mean that the rest of the world would need approximately 518 million household dishwashers used 215 times a year each, to make up the rest of the power usage for just Bitcoin.

When you start factoring in the size difference in dishwashers between countries, the power usage differences between 120v and 220v in different parts of the world, the overall adoption rate of dishwashers etc... it makes it hard to believe that they could compete with crypto power usage.


518 million seems reasonable to low for the entire world and you are leaving out commercial places.


Remember, dishwashers are more efficient at using resources than washing them by hand.

Bitcoin just consumes extra energy, not makes an existing process more efficient.


Will have to find the dishwasher one but this is a good start/reputable source. Btc comes in under fridges.

https://ccaf.io/cbeci/index/comparisons


A world where proof-of-work meant "prove that you cleaned your/my/someone's kitchen" would be a much better world.


> eth, which is soon to be env-friendly PoS.

The switch has been delayed 6(!) times since 2017. It’s perpetually happening “soon”. I believe it when it’s actually live.


It’s live on testnets now so coming for main chain.


Dishwashers (especially newer ones) save energy (and definitely money if you're a restaurant) compared to handwashing though. And washing dishes is useful. Mining bitcoin arguably isn't in the sense that if bitcoin (and all other cryptocurrency) disappeared today, the world would be completely fine.


Are you seriously claiming crypto is more useful than dishwashers?


It depends on what you consider "useful". I live in the west and I don't take our financial freedom for granted. There are many places in the world where decentralized consensus for financial transactions is valued.

I'm grateful to live in a society where this is not a "problem", but I don't take it for granted


How often do angry articles hit HN ranting about Visa/MC cutting off spending to XYZ source based on moral judgments or investor pressure? Yes, free access to digital payments as an anchor of civil society beats clean dishes I don’t have to do by hand.


It’s amazing how well the media is able to reprogram the minds of the masses into mindlessly regurgitating its talking points. “Crypto bad” seems to be a big one for 2022.


In what way has 'the media' pushed crypto is bad?

Seems like every celebrity and talk show host was pushing NFTs, be it Kardashians, Kimmel, Fallon, even Bill Murray released a collection 1 month ago. Ultra stars like Tom Brady to Mark Cuban were investing and (still) talking about crypto companies they are heavily invested in. Half the Super Bowl ads this year were advocating for people to waste money on crypto.


There being next to nothing positive so far from cryptocurrencies for the past decade doesn't make it hard for the media to "reprogram" the minds of the masses. It's easy to convince somebody that something is bad when it's been overwhelmingly useless to negative on every single front except for speculative investment.


> still being understanding of GitHub trying to cut ties with the sanctioned entity

What is the name of this sanctioned entity that GitHub supposedly cut ties with?

You'll note that none of the developers who had their accounts suspended were themselves sanctioned.


Tornado Cash, which had an organization on GitHub and the developers were members of that organization. I don't know if I agree with the decision but I certainly understand why it would be made by a lawyer trying to ensure they are in compliance with a sanction as soon as possible.


GitHub organizations are not legal entities.

As far as I know, Tornado Cash is not a legal entity either.


I think shutting down the repo would be more than enough.


Has it ever been the case that the majority of the developer community stand behind this kind of resistance to government power?

It seems like it's always been a tiny minority of idealists who put their own lives on the line to do what they believe is right in the face of the beast bearing down on them.

The majority has always been (and probably will always be) weak minded corporate yes men.

What is distasteful is the so called "hacker" community being filled with corporate yes men.


Yes this is usually it, and then the whole ecosystem benefits from it down the line. Very distasteful.


So, money laundering, fraud and enabling cyber criminal activity is 'idealism'?

Also: GitHub is a private company. It's their real estate, they can do what they want with it. If they wanted to keep it up, they could have.

They didn't want to.


> - Phil Zimmermann (PGP) was under criminal investigation for arms exports by releasing the code for consumer encryption. The case escalated and was eventually dropped, including POTUS attention.

A legitimate example of free speech. Zimmermann published his code in the appendix of a scholarly book, in addition to posting online in source & binary form.

> - Aaron Swartz passed away via suicide in 2013 under threat of 35 years in prison and a lot else for downloading from JSTOR programmatically

A terrible example, and not comparable to your first example. Swartz gained physical access to a network room he was not supposed to be, inside a building he was not supposed to be, connected a laptop to a LAN he was not granted access.... When you say programmatically, you must mean the parts where he proceeded to download JSTOR using his laptop? He was criminally trespassing, accessing a network he knew he wasn't allowed to access. The tragic outcome was due to... hate to say it, he had well known mental issues that amplified the stress he felt when being indicted for a crime he knew he was guilty of.

So I get what you're saying, but you might want to limit your examples to abjectly reasonable ones that withstand scrutiny. Otherwise it might look like a bandwagon, generalization, or even false dichotomy.


Actual prison time wasn't on the table until the federal prosecutors took over and tried to make an example of him [1]. Until then, everyone expected a slap on the wrist.

I remember those events clearly and even JSTOR, the "victim" in the case, backpedaled on the prosecution before he committed suicide. He was driven to suicide by an overzealous federal prosecutor trying to make a career for themselves.

[1] https://www.cnet.com/tech/tech-industry/swartz-didnt-face-pr...


He made the choice. No one else.

Or, if you blame the prosecutor for driving him, do you also blame his friends and family for not being supportive enough?


The primary responsibility falls on the prosecutor. The prison sentence they sought for Swartz was not by any stretch justified. This injustice seriously endangered not just Swartz's mental health, but his prospects for a fulfilling life, even had he lived.


A prosecutor doesn’t seek a sentence until after the defendant is found guilty.

Moreover, judges don’t care about prosecutors or what they think. And, sentences are largely determined by sentencing guidelines.

Rich white kids with no prior convictions don’t go to prison for stealing library books.


The prosecutors choose the charges, and did not have to choose charges that carried a maximum sentence of 35 years, which is almost a death sentence.


What judge would have given the max sentence for this case?


The judge doesn't have to give the max sentence for the charges the prosecutor chooses impacting the sentence given.


No-one exists in a vacuum.


I don't find "facilitating mass money laundering" to be as compelling as the other cases, frankly.

This doesn't mean that any/all measures taken against them are automatically justified, but it's large-scale crime, and it's not in the realm of "information wants to be free", it's actual money laundering, for actual criminal cartels and actual rogue states.


It's not comparable to money laundering. When you launder money by registering sales that did not happen you'll get taxed and you can then spend that money wherever you'd like. If you try to use funds coming from Tornado Cash most people won't accept them because they'll assume they were stolen or they come from some type of illicit activity.


Counterpoint:

The automatic opposing of govt sanctions is pretty shameful for a nuanced technical audience.


Automatic, or nuanced view as a result of understanding the tech pretty deeply?


DMCA and similar nonsense got forced to the rest of the world :-(


> on code the govt doesn’t really understand

But they do understand it, quite well. It launders money, there is no legal use for a money laundering machine.


Its use is offering a level of privacy that is at least as good as the one a credit card offers. On the Ethereum blockchain anybody you transact with can see your transaction history.


Because your average citizen needs anonymity when buying everyday items? So much so that we need to allow money laundering?

No, this still isn’t a valid use.


Yes, for example a teenager with religious parents might not want them to know that they're buying contraceptives, or a buyer of illegal drugs might not want the government to know it. As long as there are anonymous payment methods such as cash, money laundering remains a possibility. Besides, getting ETH from Tornado Cash is not comparable to money laundering because whoever will be paid with those funds will have a strong suspicion that they were stolen or came from some other type of illicit activity.


They can use cash for these cases. So no, still not a valid use case to allow for blatant money laundering.


If they don't know a dealer for the drugs they want they might decide to buy them online with cryptocurrency, and that's where a service like Tornado Cash is useful. Cash can be laundered too.


So teens buying drugs their parents don’t want them using. This is your use case for TornadoCash?

Cash cannot be so easily laundered as literally sending coins to an address and waiting a few minutes. Laundering cash requires physical infrastructure which can be tracked and monitored.

People like you are why crypto is dying. Not everybody needs to anonymously buy drugs online. When non-crypto bros hear things like this they mark you and your project as criminal.


Teenagers are not the only ones who might want to buy drugs online


Isn't it hypocritical to celebrate when platforms kick off the people we don't like, then mourn when they kick off the ones we do?


No it isn't.

Here's an analogy: Is it hypocritical to say "we shouldn't punish people who sell marijuana," but also say "we should punish people who sell heroin?"

Maybe you disagree with the person's preference for what should be punished, but saying "we should punish this behavior but not that behavior" doesn't make a person a hypocrite.


Free speech is free speech though. Either it's free or it's not free. You are arguing for "not free". I am not a fan of that ideology. This isn't shouting "fire" in a crowded theatre. This is restricting access to speech (code) simply because the gov doesn't approve of what the code does.


Let's say we, as a nation, through our elected representatives, decide to pass a law against trojans. Then let's say there's a site hosting a trojan repo, open to the public, and they refuse law enforcement's demands to remove access to the code. So the FBI goes through the court and gets a warrant to seize the site and prevents access to the code.

Would you stop the above chain of events at the very first link? Would you say: "We can't ban trojans because it's code, and code is speech, and speech is either free or it's not?"


> when platforms kick off the people we don't like

Is not a comment on free speech or not. There are rumors of government sanctions for this specific case, but the typical deplatforming is more like getting kicked out by the bouncer.


I don't think so. If someone's making the community worse I'll be happy to see them go. If I value someone's contributions, I will miss them.


Is it hypocritical to celebrate when murderers are sent to prison, but mourn when innocents are?


People on Twitter are either wilfully dumb or simply ignorant.

GitHub had to do this. It was required of them by law. Tornado was sanctioned.

> These prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person and the receipt of any contribution or provision of funds, goods, or services from any such person.

This is, unambiguously, directed toward entities such as GitHub providing them service.

I'm not a fan of GH these days but they did the only thing they could do in this situation. You can be upset about it, but you can't be upset at GitHub about it.


Does Tornado being sanctioned mean that everyone who has contributed in the past also needs to be blocked? (It’s not clear from the thread whether the people blocked contributed after, or only before, the sanction.)

For what it’s worth, I don’t see much evidence of people being upset at GitHub in the thread. There’s talk about decentralized alternatives, but not much actual pinning the blame on them.


This is the crux of the issue in my opinion. It seems ridiculous that the sanctions should apply retroactively to anyone who has dealt with a sanctioned entity at any time in the past - if the people contributed before the sanctions, they were not contributing to a “blocked person”, as the project was not blocked at the time.

Imagine if, say, a foreign electronics company is sanctioned by the government - does this mean that anyone who has previously worked with them or bought their electronics has done so illegally? If so, that sounds like a significant impediment to commerce, since nobody can predict who will be sanctioned in the future.


I agree with your analysis. Ex post facto criminal laws are barred by the constitution for good reason. Retroactive punishment leaves people guessing what actions might or might not be punished.


Well, Github blocking an account is not considered "punishment" according to criminal law or constitution, only standard contract law would apply and I believe Github has the right to terminate such contracts if they wish.

This consideration would apply if and only if the government would actually pursue criminal charges against someone who contributed to TornadoCash - which they possibly would if someone would do stuff after these sanctions e.g. try to circumvent this GitHub block, make and advertise a replacement service, etc; do not do this if US laws apply to you.


> Github blocking an account is not considered "punishment" according to criminal law or constitution

I understand this to be the case. I don’t understand how anyone considers this to be even remotely sane.


Sanctions are orders to cease providing service, aid, goods or funding. Which part is unclear?


I agree - GitHub can block whoever they want. But doing so despite not being required to by law is a valid reason to criticize them.


No. I disagree. Github should not be able to block anyone they want. We went through this about a century ago with railways, antitrust, and Standard Oil. I won't step through the details, but can provide more background if anyone cares.

We landed with the concept of a "common carrier."

Railways, as well as telecommunications companies, ISPs, public airlines, bus lines, taxicab companies, phone companies, cruise ships, motor carriers, freight companies, and others CANNOT discriminate.

As an individual or a small business, one does not have an alternative to Microsoft Word, GitHub, or Facebook.

If these companies are allowed to discriminate, we'd be in a position where, again, monied entities can shut down individual small businesses, or ostracize individuals, as they see fit.

Once you provide a sufficiently central service, you should not be allowed to discriminate.


> As an individual or a small business, one does not have an alternative to Microsoft Word, GitHub, or Facebook.

Google Docs, gitlab or bitbucket, and as for social network there's plenty out there.

None of those are real monopolies. They _might_ be best in class, but there's no rule that says you must be allowed to use the best in class service.


Disagreed. They are de-facto mandatory to use. A former university I was at, for instance, published some required information on facebook. Saying "well, they should not do that" is as correct as it is useless and futile in practice.

I believe the information was visible to either all logged-in users or just all visitors, but that still requires facebook to serve the page to me.


You can say this about anything, though. "My university requires us to use Blackboard, therefore it's a de facto monopoly." "My work email account is through Gmail, therefore it's a de facto monopoly." They're still not. If another party requires you to use a service for some reason, that's between you and the other party.


Common carrier is a more useful limit function.

   Common Carrier <= Monopoly


Replace "monopoly" with "common carrier" and my comment still reads the same.


Let me make this simpler, since there are a lot of comments like yours:

1) If I want to exchange redlined documents with lawyers, I need Microsoft Word. I cannot run a successful business which deals with law firms without Microsoft Word. Most businesses need to deal with law firms. If Microsoft shuts me out of Word, I cannot have a business.

2) If I want to promote my local business, I need to be on social media platforms which my likely customers use.

3) The same goes for niches. If I'm supporting K-12 writing teachers, I need to support Google Docs.

It's not a question of alternatives, best-in-class, or anything else. It's pure network effects. If a platform is >50% dominant in my market, I need to support it, or I'm out-of-business. No one will switch from Twitter to Mastodon or Parler for the sake of doing business with one small business. They'll go next door.

Once a firm has that level of market power, I think it ought to be regulated, both for the same reasons and in the same ways as railways were in the days of Standard Oil.

These companies can literally just kill a small business if they chose to. That's not healthy.


> 1) If I want to exchange redlined documents with lawyers, I need Microsoft Word. I cannot run a successful business which deals with law firms without Microsoft Word. Most businesses need to deal with law firms. If Microsoft shuts me out of Word, I cannot have a business.

I find your reasoning here disingenuous. I have been running a business for almost 2 decades, dealing with law firms and everything and I haven't used Word since I was in high school.


Took a consulting gig with RedHat once. RedHat asked for a document. I gave them a LibreOffice .odt doc (that I wrote on Fedora). They rejected that doc due to inability to access it. I sent them a LibreOffice exported .docx file and they again rejected it due to formatting issues. At that point they specifically requested I use Word and send them a Word document.

Microsoft Word makes the world go round. Sure I can use Wordpad and export a docx file, but no tables, no special effects, etc


> Railways, as well as telecommunications companies, ISPs, public airlines, bus lines, taxicab companies, phone companies, cruise ships, motor carriers, freight companies, and others CANNOT discriminate.

Funnily enough, several of the things you have listed (I believe, actually, most of them) are not common carriers but contract carriers. That means they can discriminate, except against the enumerated prohibited classes.


> As an individual or a small business, one does not have an alternative to

- Microsoft Word — Google Docs? Apple Pages? Zoho Docs? OpenOffice?

- GitHub — GitLab? sourcehut? Bitbucket? Gitea?

- Facebook — Twitter? Instagram? TikTok? SnapChat?

The thing about Git is that it's free software. Anyone can run their own server for very little money. If you get banned from the railroad, you can't just get your own train.


Thing is, if I got banned from github, I couldn't contribute to pytorch or many other projects I've contributed to. And if I ran my own server, no one would contribute to mine.

The value comes from the network.


That's between you and the maintainers of those projects. You can contribute to different projects, or they can use a different forge. Your argument is basically "GitHub shouldn't be allowed to deny me service because I want to use it," but you're not entitled to something just because you want it.


The reason we have antitrust regulations is because the world ended up in a very bad place without them.

This: "GitHub shouldn't be allowed to deny me service because I want to use it" isn't a fair paraphrasing of my argument. I don't think it's likely that github would ban me specifically.

My argument is Microsoft (and Google, Facebook, etc.) shouldn't be allowed to cancel/bankrupt/ostracize competitors, critics, political opponents, or others they don't like. That means we should all be able to access those platforms under equal RAND terms.

If Microsoft is allowed to play dirty, the major impact on me is indirect, in that we will have fewer checks-and-balances in society (people and organizations will be afraid to criticise them), less competition, less innovation, more political corruption, etc.

Antitrust hasn't kept up with technology. In this case, though, we developed perfectly good mechanisms (and learned what happens without them) a century ago.


> Antitrust hasn't kept up with technology.

I'm not sure it's so much a technology issue as much as an ideology shift...?

(a.k.a. Robert Bork and the "it's not consumer harm if prices keep going down" school of thought with regard to anti-trust)


It's very much technology.

With Standard Oil, prices didn't go down, except in the very short term. Monopoly can seek out higher profits once monopoly is obtained.

The pricing of LinkedIn, of dating web sites (almost all now owned by match.com), and of many other services is astronomically high, mostly because they can.


> many other services is astronomically high, mostly because they can

Interesting... I guess I never thought about that because of the plethora of "free" services out there, but for paid options I guess maybe you have a point ^^)


So what if the company you work for requires github?


In that case use your company provided account. Just like all tools I would expect that to be provided by the company and as such availability of these tools wouldn't be my problem.

Also, use a private account for private stuff, if that wasn't obvious


That’s between you and your boss, and likely your GitHub account rep. It’s still not a monopoly just because someone voluntarily chooses not to use alternatives.


Create a new GitHub account that you use for work.


> Once you provide a sufficiently central service, you should not be allowed to discriminate.

- git by design completely decentralized.

- crypto by design and inherent in its philosophy decentralized

"GOVERNMENT SHOULD MAKE GITHUB GIVE ME AN ACCOUNT!"


No one said that


> As an individual or a small business, one does not have an alternative to GitHub

Why do you say that?


Because all the projects I contribute to are on github.

And that's where all the developers who contribute to my projects have accounts.

There's nothing magical about the github system, but it's where the network of projects and developers lives.


Have you been banned from GitHub?


An organization doesn't become a monopoly just because they are large. Otherwise you might as well claim McDonalds has a monopoly on food and Nike has a monopoly on shoes. There are tons of competitors to GitHub out there.


What matters is not the list of competitors, but instead the market share.

I don't think anyone can say Nike has 20% of all US customers of shoes.

But it's almost certain that GitHub has > 20% of all US customers in software development.

Here lies the point. In order to enforce antitrust, there should be a clear line that once crossed, you are deemed a common carrier or something to that effect.

I think even as low as 10% of the US market for a given good or service sounds like a reasonable threshold where you automatically lose rights as a US company to determine who you associate with arbitrarily (because your lobbying power and market power are so great at 10% of market, you need to be neutered in some fashion once you reach that size)


Nike has >30% of the revenues of the sports clothing industry. I guess Nike is a common carrier, they have to let me in their stores and the government must force them to sell their shoes at government regulated prices. If there's not a store near me, they must build one for me or offer me shipping at equal prices to everyone else. After all, they can't discriminate just because I'm far away from their closest distributor, they're a common carrier. Oh yeah, guess they need to build a store, because I don't have internet and I don't have a phone, so not making it available to me as someone who only walks through uninhabited deserts would be discriminating against a customer.

https://csimarket.com/stocks/competitionSEG2.php?code=NKE

I truly don't understand the logic of stating every organization with 10% market share of any kind of product is now instantly a "common carrier". To me that's massively watering down the meaning of "common carrier" past the point of usefulness. A common carrier classically is when there's realistically no possible alternative. There's really only going to be one or two railways going through a city or town. It doesn't make sense for there to be a dozen different water systems or coax telecommunications providers or fiber providers or electrical providers in a city. But if Nike doesn't want to sell me shoes I can just go to Skechers. Or Adidas. Or Vans. Or Foot Locker. Or Journeys. Or Kohl's. Or any other of a dozen different department stores. Or Target/Walmart/other big box store. If Nike doesn't want to sell me shoes, there's tons of other options. Even just buying Nikes at a different retailer! And that's just in person shopping, never mind the literally thousands of retailers online willing to ship me shoes!

But no. Nike is now a common carrier. They must do everything they can to ensure I can buy their shoes at a government-ensured fair price. So they must build a store in the middle of nowhere to ensure I can easily walk there, look at their wares, and decide I'd rather just buy from TOMS.

Then the idea that GitHub is a common carrier is even more distant. There's lots of options out there. You could use GitLab, Bitbucket, Team Foundation Server, JetBrains Space, Beanstalk, AWS CodeCommit, Google Cloud Source, Sourcehut, and so many others. They're all right there on the internet. You don't have to sell your house and move to the next county over to use Bitbucket. You just change your remote and push.


Can I use Nike to design shoes that they will make for me or something? What makes them common carrier like?

On the other hand, they are a common carrier - they aren't limiting which countries or streets I'm allowed to wear their shoes on, nor what kinds of sports I choose to play with them.

I don't think anyone would be favourable to giving Nike more control over how people use their products


> On the other hand, they are a common carrier - they aren't limiting which countries or streets I'm allowed to wear their shoes on, nor what kinds of sports I choose to play with them.

That's...not a common carrier at all. Traditionally, a common carrier is "a person or company that transports goods or passengers on regular routes at set rates." So traditionally, a rail line is a common carrier. A pipeline is a common carrier. Air freight and truck shipping, kind of, but you're then getting away from that "regular routes" kind of thing. This was then logically expanded to things like telecommunications, since they're essentially transmitting data along regular routes aka the actual telephone wires.

A big thing about becoming "common carriers" was this idea of regular routes. Competition gets challenging/impossible when there's really a single route for some things. There's really only going to be one set of rails connecting towns. There's not going to be a bunch of different companies stringing telephone wires to everyone's houses. There aren't going to be a lot of fiber runs through a neighborhood. These things are all common carriers and are natural monopolies.

I can go buy an apple at the grocery. I can eat that apple raw. I can turn it in to apple sauce. I can bake it in a pie. I can juggle with it. I can give it to a friend. I can donate it to charity. The fact I can do all these things with it does not make the apple producer or the grocer a common carrier. It's entirely unrelated.

The person I was replying to was stating any company with 10% market share in any kind of metric should be considered a common carrier. Nike has more than a 10% market share in total revenue of sport clothing. So they say Nike should be a common carrier. This makes no sense to me.


I didn't say revenue for a reason, but even then I highly doubt Nike sells 30% of all US shoes.

Notice I'm talking about shoes, not sneakers. There's a ton of women's wear that probably is a significant share of the whole market, of which Nike has exactly 0%.

Let's make it simple so there is no misunderstanding. Any company owning at least x % of a given NAICS or SIC code. There.


So what are GitHub's NAICS or SIC codes? 7379 Computer Related Services? Think GitHub makes up 20% of all "Computer Related Services"? Does GitHub control 20% of 504500000 "Computers, peripherals, and software"?

Also, expanding out to "all shoes" or all apparel is like making GitHub "all developer-focused Software-as-a-Service". Can I really use Prada Satin platform sandals with crystals in the same way as Nike React Infinity Run Flyknit 3's? No, their utility is very different and they're not really interchangeable. Can I use Sendgrid in the same capacity as I use GitHub? No, their utility is very different and they're not really interchangeable. You need a tighter market segment to point to, such as at least "sports clothing" or "fashion clothing" or "source-code management" or "external communications tools".

Even then, I'm not so sure GitHub definitely has 20% or more of that whole market. It definitely has deep penetration in some parts of the market and it wouldn't surprise me if it does have 20% or more, but I wouldn't necessarily just assume that. Do you have any information to share on actual market share? I don't and I did briefly look for it.


And tons of people who don’t use GitHub, despite claims that you have no choice but to use it. It’s been years since I touched it.


If what you say is true then Hacker News cannot remove any submission or any comment.

Unless some content is more “freedomtastic” than others but then that leads to determining what is acceptable speech and what is not. That is more dangerous than allowing private entities complete control because the central tenet of freedom of expression is that all expression is equally free.

In actuality no speech is more or less valid— you just have no obligation to propagate it no matter how important or unimportant it is.

And the scale argument, what most people fall back to when they realize that their initial position is indefensible, is irrelevant.

A single word written on a scrap piece of paper read by one person is just as important as a mass-messaging appeal that is vital to the billions.

An organization, vital to the very existence of all human beings on earth has the same rights to control their property as a single homeless person whose only possessions are the things he carries on his person.

Or at least, they should. Perfection is unattainable but we should strive for it so that systems where a homeless person doesn’t have the same protections as a multibillion-dollar corporation should not see calls for the large entity to have its rights curtailed but instead should see calls for the small entity to have its rights enhanced.

As far as I’m aware the only exceptions to this, broadly speaking, have been those made for health and safety purposes or when entities have been granted a license or permission to own finite public resources like the radio spectrum, or if criminal law has been violated.


Well, you misunderstood me.

I agree that GitHub’s actions are not regulated by the constitution or criminal.

Additionally I imagine GitHub’s contract terms are such that they can cancel at any time for any reason.

What I intended to say is “I agree with the poster who complains of retroactive account deletion. We can look to the constitutional process for some reasons why retroactive punishment might be a bad idea.”

I did not mean to imply that GitHub’s actions were unconstitutional. They were bad actions for the same reasons that the constitution bars retroactive punishment. It’s hard to guide current behavior based on future law. They were likely legal.


Well, you misunderstood me.

I meant to offer the constitutional reasoning as a source for why retroactive punishment is problematic. Not as the binding legal principle.

I agree GitHub CAN do this.

My post offered the opinion GitHub should NOT do this.


>Ex post facto criminal laws are barred by the constitution for good reason.

I think your analysis is flawed. They didn't come up with some new law and apply it to these people ex post facto. These accounts were contributing to the money laundering (per accusations, albeit indirectly).

Another way to look at it: if these people were contributing knowingly to a project that was laundering money, should they be punished? Of course.


I agree with this analysis.

If they are being punished for money laundering committed in the past while money laundering was illegal, that’s good enforcement.

If they are being punished for previous lawful contribution to an entity that was in the future sanctioned, that’s bad enforcement.


This is an anonymous token. It can be used for a plethora of things, including earning passive income. If we apply this line of thinking, everyone who has ever contributed to Monero and Tor should be punished because both are widely used for criminal activity.


Unless, of course, GitHub considers every single contributor to Tornado to be part of the sanctioned entity due to the decentralized nature of git? Seems like a very dangerous interpretation for open source in that case…


If you really want to lose some sleep look up partnership law.

Everyone who has ever contributed to an open source project _could_ be (in the absence of the project setting up proper legal structures) considered a member of a general partnership, and thereby become jointly and severally subject to unlimited liability for the actions of the partnership.

(IANAL this is just what I've read online)


I think it would be a fairly novel interpretation of "persons carrying on a business in common with a view to profit" required to catch out contributors to an open source project.

Outside of a project that takes contributions / donations without a legal entity to receive them and parcels those out amongst the contributors, I can't think of a reasonable situation that would enable such a definition.


Seems unlikely to me too but that's what I've read. If you ask a lawyer "what are the risks of doing X" they'll give you a list, and some will be more likely than others. It's up to the client to decide what level of risk they're happy with.

I managed to dig up the mailing list thread where I read about this risk: https://groups.google.com/g/linux.debian.vote/c/Nl-J8h2pO9A/... for context, Sam Hartman is a former Debian Project Leader and I assume his opinion is formed by advice from SPI's lawyers.


IANAL either, but I have taken business law courses. And what you said is simply not true. At all.


> Imagine if, say, A foreign electronics company is sanctioned by the government - does this mean that anyone who has previously worked with them or bought their electronics has done so illegally? If so, that sounds like a significant impediment to commerce, since nobody can predict who will be sanctioned in the future.

That's not what's happening here. What you're seeing is a US company evaluating its ongoing business relationships, and making the decision that continuing to associate with principals of a designated company isn't worth any potential legal risk.


Sanctions do not apply retroactively, so this is overreach on Microsoft’s behalf. However Microsoft is a private business and can choose whom they do not do business with. This is not protected by freedom of speech or any legal right.


> Imagine if, say, A foreign electronics company is sanctioned by the government - does this mean that anyone who has previously worked with them or bought their electronics has done so illegally?

My understanding of the American justice system says you cannot do this, our founding fathers did not want any witch hunts, laws should deter future abuse, otherwise people might as well never do anything, ever.


> seems ridiculous that the sanctions should apply retroactively

Anyone contributing to Tornado after it became public knowledge that it was used to launder money put themselves at risk. The sanctions are the enforcement action. A wanted poster. The crime, laundering money, was committed a while ago.

> does this mean that anyone who has previously worked with them or bought their electronics has done so illegally?

If you knew they were doing sanctionable things, yes. If you didn’t, no.


What if we said "Anyone contributing to *HTTPS* after it became public knowledge that it was used to launder money put themselves at risk." ?

Tornado is a super basic privacy layer that has been used as such for many years for countless legitimate purposes. Transaction privacy is obviously something that is in high demand by the general public, and they have it. Of course criminals might use it too, but doesn't the general public deserve the ability to make transactions without the world watching? The idea of making privacy tech illegal is absolutely outrageous, and it blows my mind that any reasonable person would take any other stance.


What is not used to launder money? What separates pre-sanctions Tornado from any other tech that can feasibly be used for something evil (e.g. cash money, PayPal, any cryptocurrency, e2ee messengers)?

Should we ask the government to publish a registry of approved technologies to ensure own safety?


> What separates pre-sanctions Tornado from any other tech that can feasibly be used for something evil (e.g. cash money, PayPal, any cryptocurrency, e2ee messengers)?

I don’t have the technical answer. But from the instant tumblers became a thing everyone with AML experience saw the endgame. It’s providing, as a service, a function directly analogous to real-world layering. It does nothing else. And nobody involved seems to have taken the prospect of criminals using their product seriously.

Messengers are not money, so laundering goes out the window. PayPal is regulated. And crypto does other things. Tornado just served to hide the origin of money. And it was used to launder illegally-gotten gains.


The fundamental problem is that "money laundering" is an oxymoron, because money is fungible. So the government has created an always-applicable law, pinky-swore to only use it to prosecute "bad guys" (like many federal add-on laws), and is now expanding their scope to persecute a project that mitigates a general security vulnerability that exists in most cryptocurrencies, because the existence of that vulnerability hinders criminals.


The definition of money laundering is concealing the origin of money obtained from an illegal source. You may not like the fact that this is illegal, but it has a clear definition and most people want it to be outlawed, so it is. It's obviously not "always applicable": I've never taken steps to conceal ill-gotten gains and neither have the vast majority of people.


Sure, the requirement for an "illegal source" is what made for an "add on" charge - something else illegal had to have been going on for it to apply. But here it is being used by itself to go after a piece of software that provides general financial privacy to anybody, and not merely financial privacy for criminals. So that detail of its definition isn't particularly relevant any more, and it makes sense to talk about the contradictory framing of the concept.

A traditional banking analog would be if the feds went after brick and mortar banks for allowing customers to deposit checks from named payors and withdraw cash or create a new check. A law-abiding customer might take advantage of this property to receive a paycheck from an abortion clinic and then make a donation to their church. Whereas a criminal might use the same scrubbing to receive a payment from a known drug dealer and then turn around and pay their mortgage. Yet the bank's whole business isn't declared a priori illegal due to concealing the origin of the funds on the outgoing payment.


> it is being used by itself to go after a piece of software that provides general financial privacy to anybody, and not merely financial privacy for criminals

The archetypal laundromat also does normal folks’ laundry. It just also launders money for criminals. I’m sure they would happily layer money for non-criminals but nobody does that.

> banking analog would be if the feds went after brick and mortar banks for allowing customers to deposit checks and withdraw cash

If they did that without checking anyone’s identity and then, after learning—from law enforcement no less—that criminals were using them to launder money, kept going, business as usual, hell yes they’d be shut down and arrested.


> I’m sure they would happily layer money for non-criminals but nobody does that.

This thread is full of these blind assertions that nobody except criminals wants financial privacy. They are patently false.

> If they did that without checking anyone’s identity and then, after learning—from law enforcement no less—that criminals were using them to launder money, kept going, business as usual, hell yes they’d be shut down and arrested.

You're basically saying that once a service gets used by a criminal, then operating that service becomes illegal because it is furthering criminal acts. This seems like yet another Godelesque everything-is-criminalized result, and your appeal that one can avoid persecution by electing to perform blanket investigation on all one's customers isn't particularly redeeming.

Like sure I get the traditional banking industry has been practically inundated with these type of invasive heavyhanded regulations to make things easier for law enforcement, but that's not a particularly compelling argument.


> You're basically saying that once a service gets used by a criminal, then operating that service becomes illegal because it is furthering criminal acts.

If the operators know that people are using their service to launder money, and they keep operating their service without doing anything to prevent that, then… yes? What do you think should happen? They just get to keep doing crime?


Try applying your argument to the electric company. If a service operator has knowledge of a specific crime being committed one can make the argument that they're obligated to report the known details. But in general knowing that nonspecific criminals may be using your service does not imply that you have to shut your service down to hinder those criminals.


Tornado Cash isn't an electric company, though. There are different rules. Financial institutions are often subject to KYC rules that require them to proactively vet their customers.

You're writing as though this were uncharted legal territory, trying to reason from first principles when you can truly consider a business a criminal enterprise, but we've had laws on the books for decades for the express purpose of stopping people from doing exactly what Tornado Cash does.


The traditional financial system has coasted along on having two different sets of rules - one for consumer-facing things where you can do whatever you want with anonymous cash up to a certain amount, and one for Big Serious Transactions. The distinction between those two regimes is breaking down, and I don't want to see consumer privacy get left behind. Thus it's appropriate to reason from first principles about what ought to be, and not simply what regulations law enforcement has been able to get pushed through to make their own jobs easier. Individuals should not have everything we purchase be permanently recorded in order to convince us to buy more crap or price discriminate or whatever. Financial privacy is a key part of that.


I do not see a meaningful difference between e2ee messengers and mixers. Both aim to support anonymity. Both can (and do) enable bad things. If you (unlike me) believe that cryptocurrency should be legal, I don't see why you would think mixers should not.

Now it is moot after sanctions are in effect. What we are discussing is mental world model of software engineers before Tornado sanctions were announced and their accounts wiped. It might be hard to see in hindsight.


https://docs.github.com/en/site-policy/acceptable-use-polici...

I think this is probably an AUP question. The sanctions are a big enough "hey these users broke the law" signal.


A government can pretty much do whatever it wants in the realm of foreign relations, things it can't usually do to its citizens (such as retroactively applying sanctions). If you have a problem with it, take it up with the government.


It's called covering your ass. Github/MS need to protect themselves, which means taking all actions reasonably possible to fend off charges of obstruction or collusion.


Your perspective on this is distorted.

We are talking about an entity that according to the treasury has laundered more than 7 Billion USD, assisted criminals and neglected complying to Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) obligations willingly and repeatedly. Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors, regularly and without basic measures to address its risks.

This according to the treasury goes on for years since its creation, so everyone who actively contributed to the entity is considered a threat to national security and often, if you look at the sanctions list of OFAC sanctioned entities, rightfully so.

Retroactively, and to my knowledge, there is not a single investigation and OFAC sanction that got lifted by a court because the accusations themselves were wrong. And it's not like you don't have the right to appeal those sanctions. Entities and sanctioned people quite often do so, and fail.

See https://www.cadc.uscourts.gov/internet/judgments.nsf/C2B2FFF... for example.

Tornado Cash is not just a foreign electronics company that stumbled into an OFAC sanction because it accidentally sold a Toaster to Kim Jong-un, so he can enjoy a crispy morning toast.

Where you are right is, that OFAC sanctions are a significant impediment to commerce because you cannot predict who will be sanctioned in the future. That's why, as a company or even individual, you need to do due diligence on who you get in business with.

If you import fruits and someone gives you 5k per box of Avocados extra to import them from Mexico to the US asap, you can bet there are not just Avocados in those boxes. You can pretend you didn't know, but if you don't want to end up in jail for providing service to a cartel, you need to make sure there are only Avocados in those boxes and the premium is for extra fast shipping.

Everyone knows that virtual currency mixers are commonly used by illicit actors to launder funds, especially those stolen during significant heists. This is at least common knowledge since the Silk Road days.

So if you contribute to such a project, that has the potential to harm your fellow citizens and contribute to financing of terrorism, without making sure it is complying to Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) obligations one hundred percent, you can't just cry foul play and say I didn't know anything of this. Especially if you understand code and the inner workings of said project or have a direct line to the people in charge if you frequently contribute.

So, in my opinion it's more than ok if everyone who contributed to Tornado Cash and enabling it to do what it is accused of, their life should turn to sh*t immediately and everything they touch from here on. Because getting people harmed or financing terrorism or foreign state actors is not a trivial offense. Laundering virtual currency for criminals hurts real people.


Anyone who has ever contributed to privacy or security technology should “have their life turned to shit” too under this logic. All the evil terrorist money launderers probably used VPNs or Tor too. Maybe they posted on HN, making you part of an internet terrorist club. Maybe they asked a question on StackOverflow that you answered. You’re waving around some acronym that the government made up 20 years ago to describe normal human activity (transacting without approval from a central authority) like it’s some deadly ancient sin.


The difference here is that a cryptocurrency mixer serves exactly one purpose: to be used to provide a financial service. You're not going to be able to plausibly argue that you didn't know that it was going to be a financial service, and you're probably not going to be able to plausibly argue that you didn't know it was going to violate applicable financial regulations.

When you're working on other privacy/security technologies, they have substantial enough other uses that you are plausibly able to argue that you were ignorant of its use in illegal steps.


Even so, Tornado Cash is functionally and conceptually quite different from a mixer. It's non-custodial, for starters.

There's a plausible argument that none of the sanctioned individuals were or are involved in running any kind of financial service.

This is closer to sanctioning developers of cryptographic libraries than it is to operators of a coin mixer.


Tornado is specifically run to obscure cash flows, something which is specifically illegal.

This equivocation is as saddening as it is predictable.


>to obscure cash flows, something which is specifically illegal.

It's only illegal under 18 U.S. Code § 1956 to conduct transactions to obscure the source of "the proceeds of some form of unlawful activity." There's no law against obscuring the sources of cash flows in general. And on an otherwise completely public blockchain, there was a major use case for obfuscating flows for the sake of user privacy.


The phrase 'according to the treasury' and Ctrl-V are doing a lot of work there. The government says a lot of things. The other day the Secretary of State claimed Tornado Cash was a DPRK sponsored hacking group before deleting the tweet. Not everyone in authority has a real great understanding of the technology involved.

https://web.archive.org/web/20220808155413/https://twitter.c...

> We are talking about an entity that according to the treasury has laundered more than 7 Billion USD, assisted criminals and neglected complying to...(AML/CFT) obligations willingly and repeatedly.

The Tornado Cash mixer contracts have been immutable since May 2020. It's a dumb piece of software that can't be modified or upgraded. Its authors have no control over who uses it on the blockchain.

https://tornado-cash.medium.com/tornado-cash-is-finally-trus...

It's kind of a strange accusation to say that someone has 'willingly and repeatedly' neglected to comply with legal obligations by failing to do something that's technically impossible to accomplish. All the GitHub users did was write code, and simply writing code, while not executing it to do something illegal, seems like it would be pretty well protected by the First Amendment, since code is speech. Turning people's lives to shit over what a software tool they invented gets used for later, after it's completely out of their hands, is pretty wild.

You copied and pasted Brian E. Nelson's complaint:

> Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks.

But what Nelson fails to mention is that a) everyone involved has failed to impose 'effective' controls because it's physically impossible for anyone to, and b) basic measures to block sanctioned entities were actually implemented by the operators of the Tornado Cash website (which just got added to the SDN list anyway). So the complaint is that the control measure in place isn't an 'effective' control measure against entities that don't use the website.

https://www.coindesk.com/tech/2022/04/15/tornado-cash-adds-c...

And not that the exact number matters, but the Treasury is alleging an obviously maximally exaggerated amount of money laundering. $7 billion is the total value of deposits into Tornado Cash over all time. For that to be $7 billion laundered, 100% of all deposits, ever, put into the mixer would have to have come from illegal sources, which is obviously false. Depositing legally earned money into a privacy smart contract isn't money laundering. A sizeable portion of deposits are illicit, but far from a majority.

>Since becoming active in August 2019, Tornado Cash has received over $7.6 billion worth of Ethereum, a sizable portion of which have come from illicit or high-risk sources.

https://blog.chainalysis.com/reports/tornado-cash-ofac-desig...


>Your perspective on this is distorted.

You make an excellent point. The entire point of Tornado Cash is[0]:

"Tornado Cash is a cryptocurrency platform. It is a Cryptocurrency tumbler, a service that mixes potentially identifiable or "tainted" cryptocurrency funds with others, so as to obscure the trail back to the fund's original source."

From a legal standpoint, such functionality has few (if any) purposes other than to circumvent the law.

As such, preventing such activities is likely a societal good.

I expect you won't get a lot of love from some folks here, as they aren't interested in societal good. They seek license to do what they want whenever they want, without regard to the impact on the society in which they live or those they live alongside.

And in most cases, that's just fine. I strongly value liberty myself. I'm not as dogmatic as some, but I strongly believe that the only actions which should be proscribed are those that limit the liberty of others.

In order to maintain that liberty, it must needs be an ordered liberty that discourages activities that cause harm to others.

All that said, what governments decide is "criminal activity" is often arbitrary and unfairly/unevenly applied.

This creates distrust in the legal system, which Tornado Cash circumvents. Which is why not a few law-abiding folks (especially in the age of surveillance capitalism[1]) want the capabilities (anonymization of financial transactions) offered by Tornado Cash.

What's more, the legal system in the US actually works pretty well, as compared with other nations around the world.

It's not the best, nor is it free of flaws, but it's definitely better than nothing.

This (how to make our ordered liberty as broad and as fair as possible) is a complicated and nuanced topic. I haven't done it justice in this comment.

While I do appreciate the value of a platform like Tornado Cash (how, and with who, I effect financial transactions shouldn't be of concern to anyone other than those involved in a particular transaction), it's pretty clear that without appropriate controls (AML/CFT regulations) enormous harm can be done. In fact, this episode shows that enormous harm was done in the absence of the implementation of those regulations.

Github will comply with the law when it is required of them.

They have a business to run.

[0] https://en.wikipedia.org/wiki/Tornado_Cash

[1] https://en.wikipedia.org/wiki/Surveillance_capitalism


> So if you contribute to such a project, that has the potential to harm your fellow citizens and contribute to financing of terrorism,

The currency that finances terrorists the most is the US Dollar.

If you believe the biggest terrorist is the US Govt and State Department then it's your moral duty to use crypto.


I'm assuming that the problem for Github is that they can't reliably know which of the contributors are "currently part of" TornadoCash and which ones are unrelated people who just contributed code some time ago, and since they absolutely must block the former, in the case of uncertainty the only safe option was to block everyone who seems related.


None of the Tornado developers are anonymous. They are all well known and respected members of the security/privacy community, and I have personally hung out with them multiple times in the US at public events, where they often speak etc. This isn't some shadowy cabal, they are programmers and mathematicians who think sometimes people might not want the world to see where they are spending their money. Crazy right?


> ...they are programmers and mathematicians who think sometimes people might not want the world to see where they are spending their money. Crazy right?

The IRS and bodies responsible for enforcing laws like those against "funding terror" (remember that?) certainly think that is crazy.


This is chilling for me. I've contributed to plenty of projects during my 10 years of using GH. Little PRs here and there, sometimes just typos, sometimes just issues. If one of those projects runs into trouble with the law or with GH, will GH delete my account? This would be disastrous for me.


> Does Tornado being sanctioned mean that everyone who has contributed in the past also needs to be blocked?

I'd say that this is a significant risk that people doing DeFi need to have a long, hard think about. Without a clear organization, without clear leadership, one cannot draw a bright line around those who deserve sanctioning. In court, efforts made towards plausible deniability might pay off. But github is not the courts, its interest is its own liability.


> Does Tornado being sanctioned mean that everyone who has contributed in the past also needs to be blocked?

It looks like it was just the three creators. If they’re smart, this is a prelude to announcing a legal defence fund.


isn't git decentralized already?


Git is not GitHub


A Github repository is decentralized among everyone who has cloned it, nothing about Github changes that.

The other parts, like issue tracking, obviously are not.


It's not decentralized in any practical manner when everyone's local clone is pointing to the same, now no longer available, origin.

This could have been mitigated by having a pre-determined fallback origin (which could very well be something they had in place - I'm not familiar with this project).


> It's not decentralized in any practical manner when everyone's local clone is pointing to the same, now no longer available, origin.

On the contrary, removing the common, centralized origin makes the project decentralized by definition.


Some form of distributed authority could have been implemented as a more practical alternative to the scattered remnants that they might be left with now.

You're right, of course. My previous post was written up a bit too hastily :)



Issues not, unless you use git-bug


Then the thread has shifted tone from when I first read through it.


> GitHub had to do this.

They only had to block accounts that contributed after establishing the sanction. It's not clear that they limited themselves to those. It would in fact seem to be hard to contribute in the limited time range between establishing the sanction and removing the project.

There is also the collateral damage of removing unrelated projects that happened to be owned by these people. Couldn't github preserve such projects while putting them in some ownerless state?


> only had to block accounts that contributed after establishing the sanction

The people who built Tornado Cash are already in trouble. The crime--facilitating money laundering--has already been committed. OFAC is an enforcement office. Its lists are more like wanted posters than rules.

GitHub is cutting ties with people likely to be charged with federal crimes. If some of them are going to continue contributing to the project, GitHub doesn't want to be the conduit through which it is done. This is all standard sanctions compliance.


> The crime--facilitating money laundering

Did the people who built blockchains with built-in mandatory mixing (Monero) or optional completely obscured transaction inputs (ZCash) also facilitate money laundering? If not, what is the crucial difference? Am I myself in trouble for having (co-)designed a mixing service [1]?

[1] https://forum.grin.mw/t/mimblewimble-coinswap-proposal


> Did the people who built blockchains with built-in mandatory mixing (Monero) or optional completely obscured transaction inputs (ZCash) also facilitate money laundering? If not, what is the crucial difference?

Probably not? Tornado Cash provided one service: mixing. (In AML parlance, layering.) We know it was used to launder the proceeds of crimes. The developers knew that too, and they kept working on it. Semenov styled himself as a co-founder and the group advertised open positions on its website. All that looks much more like an enterprise knowingly facilitating laundering than a developer publishing interesting code.

ZCash and Monero look like cash. Tornado (and every mixer I’ve seen) looks like a layering service. Those aren’t illegal per se. But you’re at risk if a criminal uses it. (You’re in deeper shit if it becomes known a criminal used it and you do nothing about it.)


According to the company developing it, there is no evidence of "substantive use of Zcash for money laundering, terrorism financing or trade in illicit goods and services."

So I guess what made Tornado Cash criminal, is that there was evidence of such...


>Did the people who built blockchains with built-in mandatory mixing (Monero) or optional completely obscured transaction inputs (ZCash) also facilitate money laundering?

Yes

>Am I myself in trouble for having (co-)designed a mixing service [1]?

Possibly? Depends on the details.


> Yes

Then American banks should be sanctioned, they are also involved in money laundering too.


When they fail to take steps to prevent it, they are often punished. Here’s a few big ones from 2021 alone: https://www.forbes.com/sites/forbestechcouncil/2022/03/24/le...

Why aren’t these banks put on the sanction list where it’s a crime to do business with them? Because the vast majority of what they do is not money laundering and when they are discovered money laundering, they generally stop. And when they don’t, they are added to this list: https://www.treasury.gov/ofac/downloads/sdnlist.txt

Whereas Tornado Cash is a service that is known to enable huge amounts of money laundering, and nothing was done to stop it.


> and nothing was done to stop it.

What could be done to stop it? It's just a contract run on the blockchain. I suppose they could limit throughput, but not much else?! Similarly, what could the Monero or ZCash developers do to stop money laundering on their blockchains? Here, not even throughput can be limited since amounts of transactions are completely hidden.


Well, there's a lot of obvious strategies that money processors in similar positions employ. They could confirm the identity of their users so that known criminals can be filtered and blocked. They could manually audit large transactions and require documentation demonstrating that they're legitimate. I understand why they don't want to do things like this, but I'm just not sympathetic; it sounds to me like a group of bankers in 2012 announcing their strong ideological commitments that LIBOR manipulation is good and they should be allowed to continue doing it.


I don't see how blockchain devs can do any of these things. Nodes and miners run the network, not devs.


Tornado Cash in particular is (was?) a smart contract, so they could straightforwardly have built in an auditing service as an oracle.


Huh. A system of oracles that vouch for wallets. And then maybe a voting mechanism for adding and removing oracles?

Does this exist?


The fact that you seem to be so brain-boggled about this is... it's just that a lot of very smart people have been warning for years that crypto-currencies are going to run into trouble. That the things they were building were simply parallel (with new names DAO etc) to the global financial system and that previous system has all kinds of controls and regulations that crypto lacked. That if crypto didn't get their shit straight there were going to be some very serious people showing up on their doorsteps.

But crypto-bros will be crypto-bros, whether they are the minnows hoping against hope that they can somehow move from greater fools to slightly less foolish or the sharks grifting all the minnows for every penny they have.. just kept living in denial or .. selling denial in the case of the sharks.. and now here we are.

It turns out that when you ask the global financial systems what they call a service that does what a mixer does, they reply 'a money laundering operation operating in plain sight'.


Yes, I've seen various variations and implementations of such schemes. It's mostly as straight-forward as it sounds (with the usual gotchas).

More interesting and recent is zkKYC (2021): https://eprint.iacr.org/2021/907


> What could be done to stop it?

Dunno. If you learn your product is being used to commit crimes and can’t figure out how to counter it, you should stop building it. (Or at least pause and call a lawyer.)


Banks make good faith efforts to prevent money laundering. (KYC and SARs in particular). If tornado had KYC, this wouldn't be an issue. :)


"I'm the compliance officer for a crypto mixer" sounds like a job you do in purgatory.


I mean probably not, but given what has come to pass, if I were you, I’d be looking for an actual, reputable lawyer in this area to ask, not some randoms on the Internet.


> GitHub is cutting ties with people likely to be charged with federal crimes.

This is a far different standard. If we're talking about banning people because they seem like they might get charged with something, that's just a blacklist.

> If some of them are going to continue contributing to the project, GitHub doesn't want to be the conduit through which it is done.

That's why you delete the repositories. These are not sanctioned persons, this is a sanctioned project.


Any chance the blocked accounts had forks of the repository? That'd be an unsurprising heuristic.


I would expect they all did. Typically I have my fork and PR from the fork in anything I contribute to.

Edit: Unless it was members of the organization who had direct write access to the repos? Which I saw mentions of in other comments.


> People on Twitter are either wilfully dumb or simply ignorant.

You'd think after 16 years I'd be used to it, but it still kinda blows my mind that the social network designed for context- and detail-free hot takes is the one people use for political discussion.


Most political discussion fits your description perfectly, so of course it does.

Having to explain yourself long form leads to people attacking you and often being correct.


> Having to explain yourself long form leads to people attacking you and often being correct.

Typically, people just take a paragraph or so of a long form political argument out of context and use it to call the person making the argument evil. Which is basically the same principle as the typical political attack ad where you take a sentence your opponent said out of context to make your opponent look like a crazy extremist.

With a short form discussion platform, you can just go straight to the personal attacks, name-calling and out of context distortions of the other side's beliefs. Then we wonder why we suddenly live in a country where the 2 political parties can't compromise on anything and where one of the top political priorities for both parties is prosecuting and jailing their political opponents. I think it's very dangerous to view most political discussion being short form context free hot takes as either inevitable or healthy for a government based on free and fair elections (such a norm, however, is probably beneficial to the long term stability and security of a dictatorship). In a society with a democratically elected government, you need free, civil and respectful discussion of issues and a basic level of respect for those who disagree with you. Remove those things and democracy dies just like a plant dies if you deprive it of water and dirt.


You’re missing the forest for the trees. What actually happened was social media allowed the weaponisation of microtargeted psychological warfare.

Read the books “mindfucked” and “targeted” for the detail on Cambridge Analytica (actually Strategic Communications Laboratory or SCL group) how it was a cognitive warfare firm developed for counter terrorism which was unleashed on the American, British (and now presumably Brazilian, Italian and French public).

People are not polarized just due to social media - social media is now a cognitive warfare battleground where cognitive heuristics are the trenches.


I have no sympathy for crypto whatever and I really don't care about who sanctioned whom and for what reason, but...

Sanctioned project's contributors must be deleted from the server - where is that written in the list of things Microsoft has to do since you went out of your way calling everyone on the reply train ignorant?


Because others are answering you in much more detail, I’ll give the more generalized answer –

This is quite simply not how a sanctions regime works. The US government does not make a list of all the sanctioned persons’ assets, then start going after those in court.

Instead, it goes the other way: any company with a US nexus watches those sanction lists carefully. When someone is listed they look at their internal records for hits and deny them service. So no one told Microsoft anything; they self-enforced a sanction that applies to everyone in the US. And I mean everyone: if an individual knowingly violates these sanctions they’re breaking federal law - it’s not just companies.


Be that as it may, isn't this still an unacceptable collateral damage?

So when you contribute code to an open source project, you generally do so under an open source license. All of them generally contain something akin to the following:

    IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE
    LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
    SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES

(this particular excerpt is from the BSD license)

I can understand taking action against the people who run the code. I can even understand taking action against people who were hired to contribute. But why kick some random open source contributor in the guts? What did they do wrong?

Are there open source licenses that protect the contributors from such unforeseeable damage? Or are we to watch our step from now on as open source contributors?


> What did they do wrong?

The argument probably is that they assisted a sanctioned entity by providing a contribution i.e. service to it. Quoting US Treasury "These prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person and the receipt of any contribution or provision of funds, goods, or services from any such person."

However, the major factual question is whether they did violate any sanctions since the contributions generally were made before the sanctions were in effect - it's not that Github had to do it, but that they chose to be safe rather than sorry (in order to ensure that Github themselves don't violate the sanctions) and if they aren't absolutely sure they blocked people. [edit: apparently not everyone, some contributors are not blocked, so they apparently did some review before choosing whom to block]

The key issue is that any collateral damage is considered acceptable, but any false negatives are absolutely not. If Github leaves even one actual agent of TornadoCash unblocked, Github has committed a crime, if they block a hundred unrelated accounts, that doesn't violate anything.

> Are there open source licenses that protect the contributors from such unforeseeable damage?

No, a contract or license can't absolve you from this prohibition if it applies to you.

> Or are we to watch our step from now on as open source contributors?

Yes, but not "from now on" but since before open source existed. There are entities you are not allowed to contribute to, and it's your responsibility to know and check who you are dealing with.


> The key issue is that any collateral damage is considered acceptable, but any false negatives are absolutely not.

Even though “better 100 guilty persons should escape than that one innocent person should suffer”. Not that this was ever uncontroversial, but how did it ever go so wrong, that the very problems of government that modern laws sought to correct are gleefully recreated using private companies as enforcement proxies?


Companies try not to break laws in general. If they think doing business with you will create a liability for them, they have a freedom of association right to deny you service.


Giving a legal answer to a moral question is backwards, I think. I understand the mechanics of how it works, but I’m asking how it should, not whether it does. (Franklin’s opinions on how trials ought to go are also hardly representative of the legal practices of the late 18th century.) It is not at all a universal opinion that non-natural persons should have freedom of association at all or in this manner.

I’m not trying to directly argue that they shouldn’t, though (as long as we allow that there is no moral principle that a non-natural person’s rights follow a natural one’s). I’m saying that it’s generally accepted to be a good thing that a (branch of) government can’t directly take away your livelihood without a good reason, and if you think the reason was not good there are reasonably unbiased ways to have your disagreement considered. For the most part, this applies to a government doing it by prohibiting a private party to deal with you. On the other hand, if the same state of affairs is reached by that government merely making it potentially very expensive for a private party to deal with you, somehow none of these standards apply anymore (or maybe they nominally do but nobody’s ever succeeded at enforcing them, which amounts to the same thing). That is what gives me the chills here.


>government can’t directly take away your livelihood without a good reason, and if you think the reason was not good there are reasonably unbiased ways to have your disagreement considered

OFAC sanctions can be appealed.


> The argument probably is that they assisted a sanctioned entity by providing a contribution i.e. service to it.

And what if they did so before the sanctions? Is the US so happy to retroactively punish people who literally did nothing wrong?


> people who literally did nothing wrong?

What on earth did people think a tumbler like Tornado Cash was going to be used for and by?


You ask this as if there are only non-legitimate uses. Do you think businesses often give away their revenue data to their competitors for free? Of course not, so if you want to do business on an open ledger then you have to have a way to obscure transactions so that your competition doesn't get to know exactly what your revenue stream looks like.

There's nothing sinister about privacy. It would be a logical fallacy to assume that just because sinister things happen in private that privacy itself is sinister.


> nothing sinister about privacy

Totally agree. One damning aspect of Tornado is we know it was used to launder money. Criminals used it. This was publicly reported and certainly known to the Tornado team.

If you know your product is being used by criminals to do crime and you respond by shrugging your shoulders, I’m not sure what the expected outcome is supposed to be other than getting dinged.


> If you know your product is being used by criminals to do crime and you respond by shrugging your shoulders, I’m not sure what the expected outcome is supposed to be other than getting dinged.

You are aware that criminals use all the same things as you and me, right? They use toothbrushes too... should Colgate not shrug their shoulders? Sure they don't commit crime with them, but they do use them. Want something they use to commit crime? Guns to kill, cars to evade, bags to carry the money, etc... what should all these companies do? Let's go even closer, about privacy, what about balaclava manufacturers, it's the default thing considered for bank robbers, yet they still sell them!

I don't have all the details in this case, my guess is that Tornado Cash were aware that it was used by these countries and could have stopped these specific accounts (it would keep going for sure without their knowledge using alternative accounts obviously, just like many of these countries still are able to get Windows illegally, but at least they would no longer be aware of these accounts). In that case it does make sense and I agree with the direct sanction of Tornado Cash. I would still disagree with the blanket sanction over the open source contributors, as they might have contributed without knowing it was used by a sanctioned country.

Writing all that made me think of a question: do you believe contributors to Windows should be sanctioned too knowing that Windows is used in some of the sanctioned countries?


> would still disagree with the blanket sanction over the open source contributors

No contributors have been sanctioned. Three leaders had their GitHub accounts deleted, from what I can tell, and are trying to misrepresent that as a threat to everyone who ever touched the project.


I like to ask myself what money laundering even is and whether it makes sense and ideally it wouldn't even be illegal. Money laundering isn't the crime - it's just a convenient tool to dissuade crime. Ideally there would be no crime without violence and there is nothing but consenting individuals involved in money laundering. The crime happened before the laundering and that's what we should be preventing.

Otherwise you end up in situations like this where innocent people are going to get screwed over because they utilized a tool that criminals utilized. This isn't fair or just by any standard and I personally don't accept the collateral damage as worthy.

This doesn't even begin to touch on the vast majority of laundering that happens in fiat across international banks. That would take a while just to list all the infractions that are constantly happening, yet those entities are still not only operating in the free market, but they have federal insurance and backing.


> what money laundering even is

Hiding illegal gains.

> crime happened before the laundering and that's what we should be preventing

Covering up a murder is a crime because we don’t want people helping murderers cover up.

> like this where innocent people are going to get screwed over because they utilized a tool that criminals utilized

People who used Tornado Cash aren’t getting screwed. Even the developers aren’t. They aren’t personally sanctioned. Their work, which has been used to launder money, is.

Third parties, like Microsoft, are choosing not to associate with them. (The developers who knew about the laundering, e.g. through the public announcements law enforcement made, and kept working on it are far from innocent.)

> doesn't even begin to touch on the vast majority of laundering that happens in fiat across international banks

Yes, there are other crimes.

People laundering money through banks get sanctioned and jailed. When banks make a habit of laundering money, they too get sanctioned. There is ample historical record of all of this.


> People who used Tornado Cash aren’t getting screwed.

Incorrect, as per sanctions putting the onus on private entities to get things right, circle has blacklisted any USDC address that has been owned by the tornado cash protocol, which means anyone using tornado cash for legit purposes will lose every dollar they had in USDC. I'm really not sure how you came to the conclusion innocent people weren't getting screwed here, but it's irrefutable that they are, unless of course your definition of guilty is someone that used tornado cash, which would be a silly definition. I've used mixers plenty for completely legit reasons. I don't want people knowing how much crypto I have and I don't want to manage tons of addresses so when I transact in open ledgers I have at times had people pay me via mixers to hide the addresses I own and thus hide how much crypto I own from people doing business with me. All completely white market business dealing with buying/selling electronics too, for that matter.

> People laundering money through banks get sanctioned and jailed. When banks make a habit of laundering money, they too get sanctioned. There is ample historical record of all of this.

Incorrect, they pay fines that rarely even cover the profits they made to begin with.


> circle has blacklisted any USDC address that has been owned by the tornado cash protocol, which means anyone using tornado cash for legit purposes will lose every dollar they had in USDC

Wasn’t aware of that. Fair enough. Innocent people will get harmed.

That said, innocent users whose USDC was frozen haven’t lost their money. They’ll have to show they weren’t laundering money. When they do, they should be able to get it unfrozen. If that doesn’t work they can pursue legal remedies, though the law in all of this is obviously undeveloped. We are in dire need of stablecoin legislation; something to add might be controlled redemption for users the issuer no longer wishes to associate with.

Their situation is analogous to getting money stuck at PayPal. If you don’t want to take that risk, don’t use PayPal. If you don’t want to run the risk of your stablecoin getting stuck, don’t use mixers. Particularly after they’ve been publicly identified for laundering money.

People have been talking about all of this for years. It was continuously shouted down, or claimed to be impossible because blockchains are above the law or something. I get that there was a lot of noise above that signal. But like, it’s North Korea. On the balance of harms, of course this is what happens. There was never another endgame. The wheels of justice just turn slower than bullshitters spin yarn.


> They’ll have to show they weren’t laundering money. When they do, they should be able to get it unfrozen.

I hope you're right, but the process to make this happen will be painful and slow and the damages will not be compensated I suspect.

> If you don’t want to run the risk of your stablecoin getting stuck, don’t use mixers. Particularly after they’ve been publicly identified for laundering money.

Following this logic, should people stop using HSBC or any of the top international mega-banks? We're talking about banks that didn't "accidentally" let money laundering happen. They actively facilitated it. HSBC specifically laundered money for one of the most violent cartels in the world and not a soul went to jail.

Bit of a rant, but my point is that exactly where should people keep their money that is safe from being caught up in laundering? Such a place doesn't exist as far as I'm aware.


Morally speaking? Yeah, you should probably not use those banks if you care about the ramifications of money laundering.

Practically speaking? HSBC laundered $881 million in 2012 – but they had trillions of dollars of assets under custody. They may have to pay a big fine, but your ability to get at your money will not be impacted.

And even if you deposited your money into your account at "Money Laundering Bank N.A." where everyone but you was a specially designated national, you still have legal recourse to those funds backed by decades of case law. That same case law might help you if you keep money from a mixer in stablecoin that becomes frozen, but it's going to get way hairier.


Not sure, thoughtcrime is a thing now in modern America?


> thoughtcrime is a thing now in modern America?

Nothing wrong with writing code. Code is speech, that's settled law. But the Tornado Cash team wasn't just publishing. They were building a tool. Semenov styled himself as a co-founder and the group advertised open positions on its website.


Okay, how does that relate to open source contributors? Can you retroactively read their minds and determine their intent? Why does their intent even matter? What they were doing was not illegal at the time, and now they are being punished by the US.


> Why does their intent even matter?

It doesn’t. Tornado was used to launder money. That’s all that matters.

My guess is the only people in real legal jeopardy are those who kept working on it after its involvement in laundering was exposed. (I’m assuming they weren’t in on the laundering.) For GitHub, figuring out who those people are is impossible. So they’re being cautious and cutting ties more broadly.

There is a creep problem to sanctions. Some companies in Russia are banned. Suddenly everyone from Cyprus is under extra scrutiny, since you don’t want to be the dupe they used to launder their money. Tornado and its developers were those dupes. But it has been illegal to help North Koreans launder money since before Tornado was founded. It remained illegal when it became known North Korea used Tornado to launder money. Anyone going into money services knows, or is negligent in not knowing, that these laws apply to them. It’s tough to have sympathy for anyone who kept ties. Particularly when the punishment, so far, is simply ostracism.


> now they are being punished by the US.

The US didn't mandate deletion of their Github account. The US isn't punishing them – you can tell because they didn't put them explicitly on the SDN list.

Microsoft made the choice to remove their accounts. Their compliance team likely looked and said "$ we make from these devs < $$$ we'd pay to our lawyers to simply decide if we should keep them on our platform."


Is that settled law? Have the anti-circumvention parts of the DMCA been struck down?


As an example, it seems plausible to me that a person who wants to enter the cryptocurrency sector could send a pull request and actually work with them to get merged to put it in their resume.

This person can be totally oblivious to the illegal stuff that's happening behind the scenes. After all they were just trying to prove that they actually have experience with cryptocurrency code to potential future employers.

It also can be some random security researcher who is preventing open source developers from shipping vulnerable code. I know for a fact that Github themselves employ such people that send security-related patches from time to time to open-source projects.

You can work up more examples -- my point is that people who definitely have nothing to do with any illegal activity whatsoever could exist in the list of contributors of these repositories.

It's nice that they didn't just nuke the whole contributors list, but it's still a bit unsettling.

> it's your responsibility to know and check who you are dealing with.

What can I say, duly noted.


The unfortunate reality is that there are no guarantees. I once inadvertently helped someone commit suicide. I had no idea until after he did the deed and there's no realistic way I could have known beforehand.

Sometimes you just have to assume that everyone's operating in good faith.


Software licenses are a civil agreement between a developer and anyone who uses the code. So for instance, if someone uses code with that disclaimer, and it deletes their files, you cannot sue them for that damage.

But, you can’t just put anything in one of these agreements; the law overrides anything you might state in a contract.

Furthermore, software licenses govern the use of your code by other people. It doesn’t govern your use of the GitHub service.

Your use of GitHub is governed by the GitHub ToS. Under that agreement, they can terminate service for any reason they want. They can cancel your account if they wake up grumpy on a Tuesday and just feel like it. Or, they can terminate service because they don’t want to touch anything that might be sanctioned with a 10 foot pole.


That license binds people who use the code you wrote & protects you from their legal claims. OFAC isn’t using your code. No open source license is going to protect you from US sanctions.

From the Twitter thread it appears that the devs whose accounts were nuked were core contributors to a sanctioned entity. That feels fairly sensible & what a company who wants to comply with sanctions would do.


> What did they do wrong?

They wilfully contributed to the upkeep of a money laundering service. They should be thankful losing their GitHub account is the extent of the fallout, take it as a lesson that code can cause real harm, and act more judiciously in future when it comes to contributing labour to suspect projects.


There are so many other applications for Tornado Cash than “money laundering.” What if I don’t want my employer or friends to see what I do with my known wallet on a fully traceable public blockchain?

Privacy is not illegal.


You should be able to achieve this without also enabling terrorism, child pornography and extortion. Because of this Tornado Cash was never the right solution - it requires you to permit these things just in order to have privacy. In other words it is a bullshit technology and deserves to be replaced with something better. If blockchain in turn requires a solution like Tornado Cash in order to offer any privacy, mandatorily fused with the aforementioned radioactive side effects, then blockchain itself is a bullshit technology.

Just because you find a use for a technology doesn't make the technology good. Nuclear weapons are a highly effective alternative to insect repellent, but that does not justify the general purpose use of nuclear weapons for repelling insects.


The problem with this line of reasoning is that any general purpose technology can be used for all those evil things. Hell, should we sanction the Linux kernel project, because all of those nasty people use it?


If Linux were a focal point for enabling North Korea and Iran to develop nuclear weapons, then yes, sanction the hell out of it. But sanctioning Linux would have such dramatically negative societal effects that it would outweigh any benefit - the same is not true of a mixer. Mixers in my view have absolutely no legitimate use, their exclusive purpose is the enablement of deviant behaviour in one form or another free of societal accountability, and it'd be a red flag for me just to know someone used one regardless of knowing why they used it.

It's like saying the local brothel can't be shut down because the building could potentially be used to teach the word of the lord while the employees aren't otherwise busy. The exclusive purpose of the brothel's existence is enabling trafficking and sex work, and the benefit of any potential imaginary supplementary uses are grossly outweighed by the benefit to society of closing it down.


I agree, I feel this is a bad line of argumentation. If we take it a little further it's clear that the human brain can be used for extortion, money laundering and cybercrime - and therefore it should also be placed in the same sanctionable category as all the nasty people use it.


I love how you blew through my reply from 15 minutes earlier clarifying the obvious concept of the balance of societal benefit to post a me too comment. Do better


Well, no matter what other applications for Tornado Cash may exist, since yesterday it is illegal to interact with Tornado Cash or assist them in any way for anyone within reach of USA jurisdiction. That's it.

Privacy as such is not illegal, but that does not mean that government may not prohibit certain specific ways of achieving privacy.


Yes what you are saying is true and it is our right and duty to protest that decision. When will they sanction something you do like and need like Signal or cryptography? Are they aware of all the bad that comes about via http? Or cash?


Well, the big legal limitation for these sanctions is that they apply only 'across borders' as OFAC can only sanction foreign entities (e.g. in this case asserting that TornadoCash-as-organization/project is controlled by North Korea), prohibiting U.S. citizens and companies from dealing with or assisting that foreign entity.


> OFAC can only sanction foreign entities

There are a variety of sanctions mechanisms. Tornado didn’t have to be controlled by North Korea (it isn’t), just used by them to fall afoul of U.S. law.


Turns out privacy now is illegal in the US of A.


This is breathless but misleading. With recent conservative judicial decisions the notion of general privacy is on the ropes, but KYC has always precluded financial privacy at any scale other than unstructured cash transactions, and you're still supposed to report those in your taxes. This is in line with the treatment of other entities that fail to maintain KYC compliance.

The state has the power to levy taxes and prevent transactions with entities that it considers harmful (OFAC is effectively this); this is the state taking steps to do so, while GitHub is deciding that people who are attempting to evade those laws are outside the risk profile of "who we want to provide services to".


Everyone is free to use cash if they want to make a transaction that isn't "permanently" recorded in a distributed digital database.

I hear the US government actually supports this method.


What’s the largest cash transaction you think you could make that isn’t recorded?


When it comes to financial transactions, KYC laws mean that privacy is, in fact, illegal.


Third party doctrine is nothing new and was a direct result of money transfer becoming easier (not sending gold bars around that could be seized). https://en.wikipedia.org/wiki/United_States_v._Miller_%28197....

Cryptocurrency enthusiasts like to think that just because their transactions are done inefficiently on a blockchain, banking laws don't apply to them. Of course they apply. The only difference is their transactions are more expensive.


Privacy is not illegal.

Operating an illegal money transmitter that demonstrates no capability/intent to actively filter OFAC specified sanction targets, however, is.


No, there are no other real applications for these mixers. The only reason you even need to do that on a public blockchain is because the design of them is so bad that there's no other practical way to have privacy without enabling large amounts of criminal activity. If you really care about privacy, and you don't like criminals, then just don't use any blockchains or cryptocurrency.


This is not the level of comment quality I would expect on HN. You can do better.


Sorry but I try to avoid dumping huge amounts of information on people in every comment, that often doesn't go down well either if you can imagine. If you want more I'll elaborate. There is no possible way you can deploy this service anywhere while effectively complying with AML laws. It isn't going to work. But it's also the only real effective way you can obscure the source of transactions on a blockchain that's forced to be public. There's no reason transactions need to be forced public in the first place, other than how blockchain designers insisted it was a fundamental design parameter, when you probably agree that it isn't and that some transactions should be private by default. The simple solution is to avoid all blockchains and cryptocurrency altogether. Yes, they are that bad. I wish it wasn't true and I could say something good about them, but I just can't after watching 13 years of bad things happen.

And no, things like Monero and Zcash aren't a working solution to this problem either, that's a whole different discussion though.


I mean, if you really think about it distributed public transaction ledgers were really primarily beneficial to those looking to actually understand more about where/how money flows. It's the classic problem of Networks. If there is enough information to ensure that something gets to one endpoint, and not others, that de facto becomes a tracking lever for surveillance and signal analysis. It's part of the package. There is no escaping it. As it giveth, so too does it take away.

Things like the Bank Secrecy Act are only there to guarantee a level of secrecy/protection from other customers. Law enforcement, government, and third party service providers are not counted there realistically. If you want financial privacy, you keep your own books. By that same token though, you don't get to act surprised when the authorities come a knocking with a warrant to crack open your books when they find out you made a poor decision of people to work/transact with.


Why is Monero not a solution either? As far as I know, it is not public which seems to be what you complain about, right?

Surely you accept that illegal trade happens through cash and even through banks, so you will agree that there is some level at which you cannot ban an entire system.


There's a solution for that: use a regular bank account denominated in a fiat currency. Your payments will clear in a reasonable amount of time, with minimal fees, and will be private to all but the spooks[0], who don't really give a fuck about you.

[0] FBI/CIA/etc


Probably not to GitHub or the courts. If in a few years it is discovered that GitHub missed something they can tell the courts "We did our best to comply, look at all the accounts we killed [and other evidence], so go easy on us for an honest mistake." In general the courts look kindly on someone who tried their best to obey the spirit of the law but missed one hidden detail.

If you are affected you could take this to court, and might even be able to convince them that the law went too far in incentivizing GitHub to delete your account. It seems very unlikely, but with a good lawyer courts can do weird things. If you do pull this off, then that would change court precedent, and when combined with a few dozen other cases eventually make it so courts will not accept deleting all accounts as a useful tool to prove attempting to comply with the law. (Let me be clear, I doubt you could win this case, but it is theoretically possible so I offer it for completeness' sake.)


> Probably not to GitHub or the courts. If in a few years it is discovered that GitHub missed something they can tell the courts "We did our best to comply, look at all the accounts we killed [and other evidence], so go easy on us for an honest mistake." In general the courts look kindly on someone who tried their best to obey the spirit of the law but missed one hidden detail.

This matters a great deal when it comes to OFAC sanctions. The value of sanctions isn't "OFAC chasing down people on the SDN list", it comes from companies following federal law and blocking transactions that legally need to be blocked. And OFAC recognizes this – just look at their enforcement actions[0] and you can see examples where companies that build internal compliance programs and self-disclose violations come out with limited to no penalty[1], whereas companies that skirt compliance regimes place themselves at much more risk[2].

[0]: https://home.treasury.gov/policy-issues/financial-sanctions/...

[1]: https://home.treasury.gov/system/files/126/20220721_midfirst...

[2]: https://home.treasury.gov/system/files/126/20201020_berkshir...


Two things I see here, a copyright declaration doesn’t protect you from law enforcement actions and publishing source code is a clear example of free speech.

So you have to figure out for yourself if exercising your right to free speech is worth having the government blow up your life for the time it takes to “prove your innocence”. Because, I can assure you, they don’t care even a little bit about violating your constitutional rights if it gets in the way of whatever witch-hunt they are currently on. It’s the court’s job to sort those details out.


Why is it unacceptable?


The US Constitution provides protection against ex post facto laws. A retroactive punishment is unconstitutional. It may be argued that these GitHub accounts did not belong to US citizens and thus were not protected. Or it may be argued that Microsoft was doing this of their own free will and therefore the constitutional prohibition does not apply. But there is generally within the American psyche a distaste for retroactive punishments such as this.


This is not an act of ex-post facto lawmaking by a legislature. This is the executive doing what it has been tasked with doing under a mandate supplied by Congress in accordance with its role as laid out by the Constitution. The Courts are not likely to be swayed by this argument. I doubt the legislature will touch anything that enables money laundering with a 12 foot pole.

The novelty here is that people are being forced to realize how destructive getting sanctioned is due to bearing witness to the power of the network effects involved. This was inevitable, no matter which way you cut it.


I was not making an argument in front of courts, I was stating why many Americans may find this action distasteful.

As far as I can tell, the executive branch was not mandated to delete anyone who contributed to/was a "member" of the GitHub Tornado dev group.


The executive was mandated to produce a list of individuals that can be consumed in an actionable way by industry, such that it can prevent access to the U.S. financial system.

It did exactly that.

These companies got that list, their legal, risk, and compliance departments got in a huddle, and they laid out an action plan to try to get ahead of the regulatory action, while minimizing any risk of contamination or liability.

The government did not tell them to do that. Note, this is by design. The government telling them to would be unconstitutional. Rather, they acted in their own way, which to them rang as reasonable.

That is how it rolls. Is it fair? No. Is it right? Arguably not. Is it concerning? Hell yes.

It is what it is though.


Lots of things that some find distasteful are accepted though. Recently, along a similar vein, the whole "they're private companies, they can censor who they like" crowd made that clear. Hopefully none of them will be surprised or upset by this action.


It's written in the definition of the sanction given by the Department of the Treasury [0], i.e. at the level of US federal law, which Microsoft must follow as a US company.

> Sanctions Implications

> These prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person and the receipt of any contribution or provision of funds, goods, or services from any such person.

[0]: https://home.treasury.gov/news/press-releases/jy0916


> US federal law, which Microsoft must follow as a US company.

One interesting and under-appreciated fact about OFAC: they take an, ahem, expansive view of where US law applies.

CSE TransTel was a company based in Singapore who was sanctioned in 2017[0]. They had a bank account with a Singapore bank. TransTel did business with Iran, in violation of US sanctions. But neither the company nor the bank were in the US; how did OFAC make that fly?

Because TransTel did transactions with a US dollar account, OFAC argued the settlements of that account caused banks inside the US to incidentally violate sanctions. Essentially the presence of US dollars created a nexus and allowed OFAC to enforce US sanctions against what would appear to be an entirely foreign entity.

Any wonder MS is treading lightly?

[0]: https://home.treasury.gov/system/files/126/20170727_transtel...


Is this the first time the US has sanctioned a cryptographic protocol? The quote you pulled specifically refers to "blocked person" but in this case they are not sanctioning a person - they are sanctioning a mathematical protocol that happens to have a popular open source implementation.


I'm not familiar with the industry history but a look at the Treasury website suggests there's been similar past precedents:

https://home.treasury.gov/policy-issues/financial-sanctions/...

https://home.treasury.gov/system/files/126/virtual_currency_...


I don't see a past precedent that targets an open protocol. Imagine the US sanctioning the open Matrix protocol.


No they aren't. They are sanctioning a software project and service that runs on blockchains, not a protocol.


Tornado Cash is a protocol. It targets EVM, and has been deployed on Ethereum, Optimism, Avalanche, Polygon and other networks. It happens to be open source, the code was mirrored on GitHub for research and contributions.

They are setting a precedent that any forks or similar implementations of this protocol will also be sanctioned.

A comparison would be sanctioning the Matrix protocol because it facilitates end-to-end encrypted communication for terrorists.


If the Matrix project was run by terrorists then your comparison would be accurate. It is not, however. Tornado Cash however is run by a group with the express purpose of money laundering which is a crime. This difference is important and is why they are now sanctioned and Matrix is not.


WTF are you talking about? I know them personally and have made my own various contributions to Tornado over the years. They're a group of people who think public blockchains put people at risk of privacy violations, so they built tools to help people transact on blockchains in a way more similar to cash.

It's basically an HTTPS layer. You roll up some set denomination of ETH or whatever into a zero knowledge note, which can then be treated like cash. Anyone who has the private key can generate a request to send the note somewhere else, and there's nothing linking the creator of the note to the spender of the note.

Never once has it been marketed towards criminals, or have any of the team made any indication that it was built for criminal purposes. It appears it was actually in heavy use for three years or so before Lazarus apparently used it for the first time, which is why the sanctions were slapped on it. Fuck Lazarus, but also the idea that anything tech they use becomes illegal is insanity.


If we want to talk about important differences, then you need to understand the difference between money-laundering and privacy.

In short, if you are not concealing the source of your funds to conceal a crime being committed, you are not guilty of money-laundering. It's that simple. KYC laws apply to banks and corporations, not individuals and not protocols and not code.

Privacy is not against the law, and neither is deploying a privacy tool that happens to be used by criminals. The comparison to Matrix is surprisingly apt here. I have no doubt that criminal activity is facilitated by Matrix, but the idea that they are responsible for that is ridiculous.


If you are mixing your money with known criminals so that they can hide their money then you are money laundering even if you have other legitimate reasons for hiding your own money. The creative fiction that you can't know you are mixing it with known criminals is just that. A fiction. It has been known for a long time now that these mixers are used by known criminals. Continuing to use and contribute to that means you are knowingly helping to launder their money.


It is known that criminals use E2EE, ergo anybody using this technology is knowingly helping a criminal. What a bad take.


Those aren't remotely equivalent, given that mixers mix up their inputs to obscure their outputs. By using E2EE yourself, you are not actively giving cover in the same way.


E2EE and onion routing protocols use similar cryptography to "mix" and "obscure" inputs and outputs. It is very much the same approach, just that we don't call it "message laundering" because we as society have come to appreciate private communication.

I would tell you to just look at the Tornado Cash code yourself to verify this, but alas...


E2EE generally doesn't obscure who is talking to who AFAICT.

Onion routing does, sure.

Ethically I find that area very much a double-edged sword. It's great for privacy and people evading speech-hostile regimes, but it does also enable trading and propagation of CSAM etc. It's why I've never run a Tor or Freenet (does that still exist?) node, I don't want to support that stuff with my resources.


E2EE obscures everything, that is why it is called end-to-end. If Alice and Bob and John and Piper are all communicating with pseudonymous names in a Matrix room, you do not know who is talking to who or what they are talking about.


> E2EE obscures everything, that is why it is called end-to-end

No, it just encrypts between the ends, hence it being called "End to End Encryption". You're going beyond that if you're talking about hiding the fact that the origin and destination are talking to each other at all.

> If Alice and Bob and John and Piper are all communicating with pseudonymous names in a Matrix room, you do not know who is talking to who or what they are talking about.

Maybe so, but in other E2EE products the fact of communication is not obscured to someone who has access to the traffic. E2EE just means there isn't a server in the middle that decrypts everything before relaying, or any sort of master key they could use to do that with.

Matrix looks like a great system, but it's not the only E2EE product, nor does it define the term.


When I and a friend use E2EE between us neither of us are helping to hide a criminal's conversation regarding their criminal activity. The same can not be said about a mixer. They are not at all equivalent.


Sure you are, in two ways:

1. You are using and supporting the same protocol that they are also using. As the application grows and improves because more people are using and supporting it, the criminals are also being helped.

2. You are creating cover. The more people that use Tor and Matrix, the more secure it becomes for all users within the network.

If you and a criminal are both using the same Matrix server, neither you nor the host would know. Your plain text messages are going into the protocol, getting mixed and encrypted, and then spit out the other end.


You seem to be arguing as if this is an all or nothing proposition. Instead there are definite degrees of intent and interaction here. In the E2EE case the degree of interaction and intent is quite low. In the mixer case the degree is quite high. The line I believe should be drawn somewhere in the middle. But the Mixer case definitely is on the wrong side for me.


E2EE is all-or-nothing. You don't see Matrix adding a special case in the encryption technique to notify authorities if the phrase "nuclear" or "minor" appears in a message. The intent of E2EE and Tornado Cash is exactly the same: privacy. The line you draw here is arbitrary based on your own subjective view of the space.


E2EE has to terminate somewhere, likely before the screen unless you can decrypt and encrypt in your head


Tornado Cash is not run by terrorists. The express purpose of the tool is privacy, and that is what it is being used for.

The express purpose of an end to end encrypted chat protocol is to provide privacy. If users of it engage in criminal behavior that does not mean the express purpose of the protocol is also criminal.


You can still use the Tornado protocol for handling double-blind experiments in a lab without fear of being sanctioned.

You cannot launder money, though. This is forbidden regardless of which method you use (crypto, art, car washes, etc). These sanctions are saying "we consider this specific use of this specific algorithm to be illegal, so if you interact with it via these wallets you will be sanctioned too". But they are not saying "this algorithm is illegal".


Maybe, but you will need to prove to the courts that labs actually use that algorithm that way. I don't think any are doing that, though I'll admit to not knowing much about how double blind studies are run in the real world.

Even then, the algorithm and Tornado are not the same thing. It seems unlikely you can use Tornado itself for this purpose, even if the algorithm itself is useful.


I think if the algorithm were deployed alongside a process for combating money laundering.

The press release specifically calls out a lack of efforts to block known bad actors and illegal funds from using their system:

> Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks.

So you probably can provide a mixing service if you can find ways to reasonably limit money laundering on it. This would probably be antithetical to the decentralization principles built into Tornado, but might allow continued legal operations.


Prohibiting can simply mean deleting the git repo, the forks and contributions from your database.

This is just "deleting people because sanctions need to be severe and hurtful".


> These prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person and the receipt of any contribution or provision of funds, goods, or services from any such person.

It's pretty cut and dry.


Cut and dry if the open-source contributors are "blocked persons", but are they?

They'd no longer be allowed to contribute to the project, but does someone having contributed in the past mean the sanction on the project extends to their person? Github themselves provided hosting to the project.


It's quite possible these contributors had forks, which is why they were blocked.


More importantly, these contributors are likely to have local forks when they can quickly upload under a different name. They can still create new accounts though.


And GitHub can continue to ban them under OFAC compliance?


Yes it almost certainly does.

Sanctions work because they are virulent.


> People on Twitter are either wilfully dumb or simply ignorant.

I don't know but there are some comments asking for a distributed alternative to GitHub. That was pretty funny.


"GitHub had to do this. It was required of them by law. Tornado was sanctioned."

This makes no sense. They could have just blocked the Tornado project. Suspending individual accounts and contributors seems punitive. I was banned on GitHub https://github.com/ransom1538 (unrelated) - it is pretty devastating. No recourse. Just gone. If something involves your livelihood (Uber, Grubhub, PayPal, GitHub, etc.) you should be able to state your case.


> GitHub had to do this. It was required of them by law. Tornado was sanctioned.

Does anyone know if this sanction, "contribution or provision of funds, goods, or services by, to, or for...", applies also to individual human persons not associated with a corporate or institutional entity? Is there somewhere I can read about what sanctions are, what they mean, and who they apply to?

If it's just a Microsoft problem and not a human person problem then the solutions are many and obvious for any tool that's useful. git itself is already pretty distributed friendly.


Tornado is code, not an entity. AFAIK it isn't a corporation, group, or anything else - it is a smart contract address and a website.

The people who wrote the code were not sanctioned. The repo hosting the code was not sanctioned.

GitHub did not have to do this. This is Microsoft's legal department and the concept of "an abundance of caution".

Nothing about hosting open source code is at issue here. Tornado (the smart contract) was financially sanctioned; it is still fine to host source code.


> People on Twitter are either wilfully dumb or simply ignorant.

I think it's the culture of reacting to 240 characters or less. People already know what they want to feel and finding a quick and completely baseless confirmation bias on twitter is easy and rewards you greatly with dopamine.

Smart, mature people gather information before making a decision. Dumb people knee-jerk react based on low information. Twitter heavily encourages the latter by making the former very difficult to do.


The people were not sanctioned, only the onchain addresses of Tornado were. GitHub was not providing any service to the onchain addresses.


The first two lines in the list were not ETH addresses:

> TORNADO CASH (a.k.a. TORNADO CASH CLASSIC; a.k.a. TORNADO CASH NOVA);

> Website tornado.cash;


Which is a company name and a website, not people. A company name listed in this manner does not extend to its employees unless they are acting on behalf of the company; any sanctions against individuals specify the individual's name.


That’s correct. But given that GitHub is a publicly available website, the only way they can prevent employees of that company from being aided by the GitHub website is to remove that company’s code from their website. And because users can create accounts freely without proving employment information, their only way of determining which users could be affiliated is by activity.


GitHub is, by their own choice, a massive global library or bookseller of code. They effectively made the choice to take books off their shelves and cease accepting new ones from specific authors, because the US government made them afraid. This should not happen in a country governed by our First Amendment. And, having chosen to take on this responsibility, GitHub/Microsoft’s attorneys should have the courage to stand up for those principles and be rightly criticized if they fail to.

Note that hosting code and free developer accounts does not require GitHub to accept or pay money to the developers (who are not named explicitly in the sanctions order, by the way.)

ETA: Big tech companies have a lot of resources and freedom to devote those resources to defending their users (see Google and Twitter lawsuits.) But they’re self-interested and won’t do that if they think their user-base won’t hold them responsible for doing that. I think GitHub is responsible here and I wish the HN commentariat would recognize that their opinion matters. By excusing the company’s cowardice here, we are incentivizing more of it in the future.


> People on Twitter are either wilfully dumb or simply ignorant.

The nicest way I'd choose to describe the people of Twitter.


If taken literally, this would mean that the founders could not even do their groceries any more, right?


I don't think so. The sanctions are against Tornado Cash the entity, as well as specific ETH addresses associated with it. No individuals are cited in the sanction that I am aware of.


"People on Twitter" are the exact same people that are also on HN, Reddit, Facebook, TikTok etc etc etc.


> GitHub had to do this. It was required of them by law. Tornado was sanctioned.

You just gave the best 3-sentence argument for not using GitHub.

Given how capricious US government has become, it's unreasonable to host your code in Github.


> People on Twitter are either wil[l]fully dumb or simply ignorant.

Can't repeat that often enough. No matter how much I think I have internalized this, it is a continuing lesson.


To be clear, they did it proactively, not because they were ordered to. For example, many organizations and conferences make exceptions for students from Iran


So making a PR to some project the US government might decide to sanction means github is going to delete my account?


Yes, pretty much.

This is why I'm surprised more people aren't way more terrified about OFAC than they are. It's probably one of the nastiest diplomatic tools the U.S. has in its arsenal.


I think this thread has a lot of today's 10,000 finding out what it's like to interact with the US gov't as non-citizens by way of this tiny tiny little taste.


Nice, what's next? Jailing everyone who ever had an abortion? Why aren't y'all americans doing that yet, if it's apparently acceptable to punish people for things they did before the supposed crime was made illegal?


Look, the legal system, and political edifice is scary as all hell to anyone actually paying attention. It's literally a game where those in power have a large warchest with which to ruin people's lives, with the only limiting factor being that someone has to do the paperwork, and that paperwork will be checked.

With technology obviating the burden of actually doing paperwork, and essentially cranking the efficiency of the bureaucratic state sky high, as well as equipping it with the tools it needs to keep the checkers/whistleblowers at bay, you've got a frighteningly powerful tool poised to crush anything in its way. These aren't the days of "no man can do much damage in 4 years" anymore.

One of the great Checks, is becoming much less of one every day. It's scary as hell.


> before the supposed crime was made illegal

The laws against money laundering aren't new.


Writing software isn't illegal. Timeline goes like this:

1. Developers write open source software

2. Open source software is deployed for money laundering purposes by other people

3. Developers who wrote software at point (1) are now being punished for something they did before the US deemed it to be illegal.

Let's say the speed limit is being decreased. Would it be fair to jail everyone who went over the speed limit in the past, before this decrease was even announced?


The 3 owning accounts of the github tornado cash org were banned or suspended. This is not a legal punishment for a crime, but github covering their own ass legally.

Github banning someone is categorically different from the US government jailing someone. You are conflating two entirely different things.

You seem to have taken the outrage bait that this tweet presented and ran with it without verifying the situation.

There are interesting things to discuss around both the precedent of the sanctions and the ability of large corporations to terminate accounts at will. However the "github is banning people who just contributed to open source and this is wrong because what they did wasn't illegal when they did it" outrage meme is misinformed, confused about how law works, and is generally distracting from all the actually important topics.


The amount of people replying "Code is free speech! You can't do this!" shows you about how much Twitter understands laws.


Well... that's an old argument (the PGP book) and there's even support from the courts.

https://en.wikipedia.org/wiki/Junger_v._Daley https://en.wikipedia.org/wiki/Bernstein_v._United_States


Ok, I have to admit I learned about these cases in this thread and it threw me for a second.

After reading them carefully I think my earlier statement is correct - there is no law which considers source code as free speech, and several legal frameworks which actively oppose the idea (ITAR, IP and copyright, etc). The idea seems pretty silly to me.


> several legal frameworks which actively oppose the idea (ITAR, IP and copyright, etc). The idea seems pretty silly to me.

IP and copyright do apply to (otherwise free) speech. That's the whole point of them. The Supreme Court famously called copyright 'an engine of free expression'.

Code is fundamentally ideas, explanations, instructions on how to calculate something, written down in rigid, formalized language. I don't see how it couldn't be a form of "speech", just like books, poems and music are.

Speech is regulated of course, e.g. bomb-building instructions are illegal to publish in the US.

Maybe you could make a case this crypto shuffling method is similar and spreading the know-how on how to do it should be forbidden, but that doesn't make it not speech.


Let's step back for a second because we are losing focus. The original Twitter thread had people claiming that Tornado could not be removed from GitHub because it is protected constitutionally. My original comment was pointing out that this is not even remotely true. I think we can agree on that?

Second, and this is just my opinion, but if I had to make two sets with the nouns 'book', 'poem', 'manual', 'hammer', 'jacket', and 'program', the partitions would be thus: book and poem would be together, with manual, hammer, jacket, and program in the other category. I'm having trouble describing it but in my mind the purpose of the first category is to communicate an idea (speech) whereas the purpose of the second is to enact a reality (tools). A program doesn't express something specifically human any more than a toroid, or the wave equation, or a chemical bond, but a poem about love certainly does.


The law says that people are allowed to have opinions about the laws. Twitter is not some kind of law school test


You can understand the law and still disagree with it for the same reason. Laws are not set in stone.


That’s a pretty uncharitable interpretation.


> This is a law.

> No, it is not.

> That's a pretty uncharitable interpretation.


Honest question: was GitHub legally obligated to delete the accounts of anyone who had contributed to the repos?

I get that contributing to the repos would be a violation of the sanctions, but it's not clear to me when the project was sanctioned and whether all the contributors were aware that they were contributing to a sanctioned project. Would it have been enough for GitHub just to remove the projects?

I ask as someone who has a lot of developer friends from Cuba who run into problems with accounts on platforms being deleted all the time. IIRC there was an episode awhile ago when accounts were being deleted simply for logging in from Cuba.

It seems like the legal obligation would be to block logins from Cuba (and/or Cuban people), but deletion of accounts seems more like a CYA move than a strict obligation.


It’s a gray area. These sanctions went against Tornado Cash, the entity. Does that extend to core devs? Anyone who did a PR? That’s the question GH’s counsel has to interpret.

> deletion of accounts seems more like a CYA move than a strict obligation.

Microsoft is prohibited from giving any good or service to a blocked entity. It’s very possible their lawyers will say “the easiest way to meet this obligation is to delete accounts related to the blocked entity.”

The legal system is CYA, after all.


I’m not sure that there’s been a ton of cases exactly like this that have made it to court. If someone asked you to pick between [maybe going to prison] or [definitely not going to prison], which button would you press?


Probably not, but it is in their best interest. By blocking all these accounts, if it is later discovered they missed something else related to this they can bring all those blocked accounts up as evidence they were trying to obey the law and this was an honest mistake. The courts understand mistakes happen, but you need to prove it was a mistake and not an attempt to evade the law by ignoring something. The more you do to ensure mistakes don't happen, the more likely the courts are to decide you weren't trying to evade the law, but just made a mistake.


> Honest question: was GitHub legally obligated to delete the accounts of anyone who had contributed to the repos?

Tornado Cash is on the SDN list [1].

From [2]:

> Business transactions of any sort with SDNs are expressly prohibited and U.S. persons must block any property in their possession or under their control in which an SDN has an interest.

IANAL but it doesn't sound like much of a leap to say using GitHub falls within "business transactions of any sort".

Clarification question: Did GitHub delete the accounts of anyone who contributed to the repos? My guess would be owners and maintainers? Officially, Tornado Cash, the entity, is what's on the list, so I would think at the very least anyone who is formally tied to the entity.

[1]: https://home.treasury.gov/policy-issues/financial-sanctions/...

[2]: https://www.visualofac.com/resources/sanctions-and-embargoes...


It's hard to say, but sanctions violations are often heavily penalized. I don't think I go as far as saying it's simply CYA, but it is playing it on the safe side. Banning a few developer accounts is way less costly than the potential hit from violating sanctions.


GitHub has the right to do whatever it wants, and it makes sense they would take this action to avoid getting into legal concerns.

But it is deeply concerning. Whether or not you like crypto, you should not be supporting this if you are a researcher, academic, technologist, cryptographer, or privacy advocate. The code for Tornado Cash is a series of cryptographic and mathematical functions that can be repurposed for a variety of applications unrelated to privatizing user wallets.

Having it open source and accessible is a net benefit for the entire world.

EDIT: A comparison would be that US decides to sanction the open Matrix protocol and any developer that has contributed to it, as it can facilitate end-to-end encrypted terrorist communication.


Absolutely. Just because it is legal doesn't mean that it is not absolutely morally deplorable. Which in this case - it obviously is.


It’s morally deplorable to demand office workers risk jail time just because you want a free service.

If you want to run git for free, run it on your own computer.


I am not demanding anything. I am just saying they have clearly done the wrong thing.


There is no moral obligation for someone to provide web services for free for any reason.

There’s definitely no moral obligation for someone to do the same at risk of prison time.

They do have a moral obligation to follow the laws of the country they operate in, though.


> They do have a moral obligation to follow the laws of the country they operate in, though

Why?


Without diving too deep into political philosophy, government power is derived from the consent of the governed. To respect the law of a willfully elected government is to respect the wishes of the people.

Of course morality is a complicated topic with many factors.

But for Pete’s sake, we’re talking about a free account on a website, not a war crime.


```Record or rewind any change to your code to keep you and your team in sync. Host it all for free with unlimited public and private repositories.``` - https://github.com/

Once again, just because they were legally obliged to do it, it doesn't mean the action is not immoral. Oh god, will I do it... Okay, I think I must, because my point is not going through I see. Think of Nazi Germany. It was illegal to try to save Jews. Was it moral not to do it?


Godwin’s Law strikes again. Free git repository hosting is not comparable to the holocaust.

If you want some quotes from their website, here’s another:

> GitHub has the right to suspend or terminate your access to all or any part of the Website at any time, with or without cause, with or without notice, effective immediately. GitHub reserves the right to refuse service to anyone for any reason at any time.

> This Agreement supersedes any proposal or prior agreement oral or written


> Free git repository hosting is not comparable to the holocaust.

Where did I compare it to the holocaust?! I was trying to pinpoint that your previous statement: "They do have a moral obligation to follow the laws of the country they operate in, though." is clearly invalid.


It is possible to have two competing and contradictory moral obligations; that does not mean that either moral obligation ceases to exist. I think "save lives if possible" outweighs "follow the law", but that doesn't mean that the moral obligation to abide by the law goes away. I do think it is often moral to break the law, but it has to be in service to a greater morality.

You are equating the morality of opposing the Holocaust with the morality of opposing sanctions in that you assert that they both outweigh the moral obligation to follow the law.


Are you suggesting the right thing would have been to refuse and risk going to jail?


HN post title is misleading. GitHub suspended (and not deleted) the 3 accounts of the org owners of the tornadocash org on GitHub. Going through the commit history, I have not found a single contributor (i.e. other than the 3 owners) which got suspended or deleted.


This is a good time for EFF to step in.

This opens up so many terrible ways for abuse.

  1. Make some random crypto project.
  2. Motivate people to contribute to it, see DigitalOcean hacktoberfest.
  3. Replace the code with Tornado.Cash source.

Everyone's account is banned by Microsoft. Also I wonder what happens if you didn't send a PR yourself, but someone crafted a git commit with your email and added it to such a repository.


GitHub didn't remove the account of everyone who ever contributed to the repository; if you go to the Web Archive many of the people listed under "contributors" still have accounts. Presumably, they just removed the people who were a member of the organisation.


Ok, this makes a lot more sense. I can totally see how they would nuke every member of the org in an attempt to CYA. It sounded like they nuked every contributor, which would have been insane.


It looks like only three accounts were affected, all three were org owners.


This should be the top comment and the title should be changed. The title and other comments made me wonder if GitHub deleted the account of all contributors to that repo, which is more serious than deleting the account of members in an organization.


> 2. Motivate people to contribute to it, see DigitalOcean hacktoberfest.

Can skip this step. Just make fake commits (https://github.com/asizikov/gang/graphs/contributors).


Always sign your commits! gpg is a pain but once you set it up you never have to think about it again.


or don't sign your commits and then you have plausible deniability about commits in your name


Yeah and leave your wifi open so that you have plausible deniability for downloading CP.


You can use ssh keys to sign commits too, since git version some-time-last-year. GitHub should have support for it sometime this month (not that this is required to verify signatures).


> Replace the code with Tornado.Cash source. Everyone's account is banned by Microsoft.

Code is speech, that's settled law. It's the entity and wallets that are sanctioned. If someone is a member of the Tornado Cash group on GitHub, it’s safe to say they’re in at least legal jeopardy. GitHub puts itself at risk by knowingly continuing to facilitate their work.


Unless they enabled PGP signed commits, can't you just forge their commits?


Yeah, you can, and I mentioned I'm curious who exactly GitHub has banned. It's possible they only banned people who created PRs under their own account.
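

Added example, not part of the thread: the forged-commit and signing comments above turn on the fact that a commit's author and committer are plain-text headers, while a signature, when present, sits in a separate `gpgsig` header. This Python sketch parses raw commit objects (the text `git cat-file commit <rev>` prints) and lists commits that claim a given email without any signature; the sample commits, names and emails are constructed, and the check reports header presence only, not signature validity.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "Name <email> <unix-time> <tz>" as stored in the author/committer headers.
IDENT_RE = re.compile(r"^(.*?) ?<([^<>]*)> (\d+) ([+-]\d{4})$")

# First armor line of the signature tells us which signing format was used.
ARMOR_KINDS = {
    "-----BEGIN PGP SIGNATURE-----": "pgp",
    "-----BEGIN SSH SIGNATURE-----": "ssh",
}


@dataclass
class CommitInfo:
    author_email: str
    committer_email: str
    signature_kind: Optional[str]  # "pgp", "ssh", "other", or None if unsigned


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw commit object.

    Headers end at the first empty line. A header value may span several
    lines; each continuation line starts with exactly one space.
    """
    head, _, _message = raw.partition("\n\n")
    headers: Dict[str, List[str]] = {}
    key = None
    for line in head.split("\n"):
        if line.startswith(" ") and key is not None:
            headers[key][-1] += "\n" + line[1:]
        else:
            key, _, value = line.partition(" ")
            headers.setdefault(key, []).append(value)
    return headers


def _email(ident: str) -> str:
    m = IDENT_RE.match(ident)
    if not m:
        raise ValueError(f"malformed identity line: {ident!r}")
    return m.group(2).lower()


def inspect_commit(raw: str) -> CommitInfo:
    h = parse_headers(raw)
    sig = (h.get("gpgsig") or h.get("gpgsig-sha256") or [None])[0]
    kind = None
    if sig is not None:
        kind = ARMOR_KINDS.get(sig.split("\n", 1)[0], "other")
    return CommitInfo(_email(h["author"][0]), _email(h["committer"][0]), kind)


def unsigned_claims(raw_commits: List[str], email: str) -> List[CommitInfo]:
    """Commits attributed to `email` whose attribution is an unsigned header only."""
    hits = []
    for raw in raw_commits:
        info = inspect_commit(raw)
        if info.author_email == email.lower() and info.signature_kind is None:
            hits.append(info)
    return hits


# --- constructed sample data (not real commits or real signatures) ---
def _commit(author: str, committer: str, sig_lines=None) -> str:
    lines = [
        "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904",
        f"author {author} 1660000000 +0000",
        f"committer {committer} 1660000000 +0000",
    ]
    if sig_lines:
        lines.append("gpgsig " + sig_lines[0])
        lines += [" " + s for s in sig_lines[1:]]
    return "\n".join(lines) + "\n\nUpdate README\n"


ALICE = "Alice Example <alice@example.org>"
UNSIGNED = _commit(ALICE, "Someone Else <someone@example.net>")
PGP_SIGNED = _commit(ALICE, ALICE, [
    "-----BEGIN PGP SIGNATURE-----", "", "CONSTRUCTED-PLACEHOLDER",
    "-----END PGP SIGNATURE-----"])
SSH_SIGNED = _commit(ALICE, ALICE, [
    "-----BEGIN SSH SIGNATURE-----", "CONSTRUCTED-PLACEHOLDER",
    "-----END SSH SIGNATURE-----"])

if __name__ == "__main__":
    for info in unsigned_claims([UNSIGNED, PGP_SIGNED, SSH_SIGNED],
                                "alice@example.org"):
        print("unsigned commit attributed to", info.author_email,
              "committed by", info.committer_email)
```

A `gpgsig` header only shows that a signature was attached; whether it verifies against a key you trust is what `git verify-commit` or `git log --show-signature` checks.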


I would encourage everyone on both sides of this argument to watch this [1] video from Peter van Valkenburgh at ZCON. It lays out a very clear argument why this is really much more serious than just a sanction against a bad actor.

1. https://www.youtube.com/watch?v=XpTrCA3tEKM


What would be the motivation to pull off that heist?


To prove a point I assume? Nothing else comes to mind.


What motivation does someone have for swatting people?

Problem is that Microsoft is certainly overreaching here and this precedent will be abused by malicious actors. One day someone will come to work and find out that whole organization was banned on github just by forging to commits.


Chaos, ransom etc.


Good ole trolling


OP - more context in the title next time please. Some of us have no idea which "tornado" this refers to and/or were unaware of a crypto project called "Tornado".


The title is literally just the content of the tweet, which seems like it was deliberately crafted to stoke outrage through being misleading.


I am by no means a fan of Tornado and what it represents in the crypto community - I think crypto has enough cretins already.

But this is definitely a bit of a stretch to go after the creator(s) in this way. Reminds me of the US Gov trying to ban/limit all encryption. Didn't seem okay then and this doesn't seem okay now.


Not after the creators. The contributors. People who were submitting code changes to an absolutely legal piece of software.


AFAIK, it is indeed just the three creator accounts that got suspended.


...that enabled nefarious people to go about their deeds unpunished.


The nefarious people were probably on a unix system or a windows system. Should we go about and delete their contributors' accounts as well?

I’m not at all pro crypto but this enforcement does seem extreme. I do understand that Microsoft is just following the sanctions.


This is disingenuous. It's like responding to someone arguing for gun control with "all the shooters drank water, should we ban that?".

We can argue about the legit/legal uses of Tornado Cash and whether it deserves to be sanctioned - but do so in good faith rather than pretending like it is equivalent to a general purpose tool like Microsoft Windows.


The tweet is very low information for me to comment. I can't tell whether these people contributed to Tornado cash before/after the sanctions were in place.

I think a fairer analogy would be, some devs contributed to signal, signal or a derivative of it got used by North Korea/Terrorist/current enemy of choice of the political class. Do we go around and delete the developers' GitHub accounts?

Having never used tornado.cash or much of crypto (apart from making some money doing spot trades) I can't comment on what the good use cases are. Here's a sample thread of Vitalik claiming to use Tornado.cash to donate to people in Ukraine https://twitter.com/VitalikButerin/status/155692560223356928.... I can find some other threads like this on Twitter.

This is just another case of Government choosing "security" over privacy and should be scary to folks on HN rather than cheered on.

As a side, I am not sure whether Tornado.cash was marketed specifically for "bad" use cases. In the example below I'd support the DoJ in fining & imprisoning a software engineer for his visit to Pyongyang https://www.justice.gov/opa/pr/us-citizen-who-conspired-assi...


It's no one's responsibility not to make things that are helpful to criminals.


I know right! Just like the browser you are using to post this comment.


That's a false equivalence and you know it. A browser and a coin mixer have 2 very different core audiences, aiming to do very different things. I don't know anyone who has legitimate uses for a coin mixer other than laundering/covering their tracks.


> I don't know anyone who has legitimate uses for a coin mixer other than laundering/covering their tracks.

Thank you for writing "I don't know anyone" instead of a more typical "no one ever".


Your vitriol against Tornado is misplaced, though not surprising given the general ignorance regarding the blockchain industry on HN.


I don't have particular vitriol against Tornado itself, they do offer a compliance tool and seem to have just been an eventual outcome in crypto.

I do however have an issue with the incredibly high rate of money laundering etc that flows through crypto. Particularly so with Tornado cash. It's the 'go-to' for easy money laundering.

And no, that's not a 'general ignorance', it's just a byproduct of having decentralized systems, it's not for me. That doesn't mean people are ignorant of it.

Edit: It really irks me this "oh you just don't get it" from some people. It's unproductive and from my own experience, incorrect. They give crypto supporters a bad name.


Tornado cash is not money laundering. It just isn't. Please stop claiming that.

If it were money laundering, you would be able to purchase a house with the money you made from drugs and then mixed through tornado. You can't. It's indistinct from having cash you made from selling drugs.

You still need to create a fake business to launder your money the old fashioned way if you want to have a legitimate origin for your money. Tornado does not launder your money. Claiming the origin of your money is tornado and nothing else is akin to claiming the origin of your money is cash you found on the street or something.

Tornado is just an anonymity tool.


> Tornado cash is not money laundering. It just isn't. Please stop claiming that.

If I deposit 200k USD into my bank account which came from Tornado.cash - They will ask for proof it came from there.

Tornado cash will confirm this with their compliance tools etc. However as to where it came from before is in practice today impossible to identify.

The bank // IRS whoever may suspect something bad, but unless they can prove it, and I pay taxes on it, then that money is considered clean.

All one would need to say is - I lost my original wallet(s) when I slowly dripped it from a few old accounts I had when I was mining back in the day into Tornado.

I'm sure there are other clever ways cretins will come up with too but that's just off the top of my head. A very effective anonymizing tool helps that.

I'm not condoning it, I just don't think you should be too naive to believe it's not happening.


> I do however have an issue with the incredibly high rate of money laundering etc that flows through crypto.

Incredibly high relative to what exactly? The total exchange volume of the cryptocurrency industry? Can you show some figures to back that assertion? OR are you talking relative to the global economy? In that case, it's not even a drop in the bucket.

Clearly the Tornado Cash team should have simply started a bank instead, then they would only need pay a fine and carry on.


Incredibly high rate of money laundering in relation to the entire flow of crypto.

You should know comparing traditional fiat against crypto doesn't make sense.. But I guess I'm the one who's ignorant.

There is a good paper overviewing a lot here : https://www.unive.it/pag/fileadmin/user_upload/dipartimenti/...

It's more of an essay but all stats are referenced.

Also another good read : https://ciphertrace.com/q3-2018-cryptocurrency-anti-money-la...

You simply can't argue that money laundering isn't rampant on crypto currencies.

Also just another clarification from your earlier comment :

> Your vitriol against Tornado is misplaced, though not surprising given the general ignorance regarding the blockchain industry on HN.

Blockchain != Crypto


> You simply can't argue that money laundering isn't rampant on crypto currencies.

Actually, I can quite easily argue that. Neither of your sources give evidence or numbers that justify your assertion.

In fact, less than 1% of transactions are shown to be illicit activity, and the majority of that is scams, not money laundering. Here's a report from your 2018 source, CipherTrace, only using more recent data: https://ciphertrace.com/2020-year-end-cryptocurrency-crime-a...

I quote:

> Cryptocurrency, with its similar characteristics, may likewise struggle to ever completely shake its bad reputation, despite illicit transactions making up less than 0.5% of Bitcoin’s yearly volume in 2020.

A more important clarification, which is precisely the reason I used blockchain instead:

Crypto != cryptocurrency.

You conflate the two several times across this thread, they are not the same.

With that aside, I'll ask again. Can you show some figures that back your assertion that there is a "high rate of money laundering flowing through crypto[currency]"? I would assume not, given that the very firms actively working with regulators and monitoring this activity disagree with that assertion.

Here's a nice, sourced writeup for you so that you can spread accurate information and not assumption construed as fact in the future: https://blog.coinbase.com/fact-check-crypto-is-increasingly-...


I'm not going to be argumentative here, but the last article you referenced. Clearly coinbase would have a bias to promote userbase.

That said :

> Of that small portion, scams make up the overwhelming majority of cryptocurrency related crime.

How do you think those scams will cash out ? Next step - Places like Tornado.

> From 2017 to 2020, criminal economic activity was overwhelmingly conducted through traditional financial institutions.

This is apples and oranges. But a good number to put on paper when promoting a cryptocurrency exchange for sure.

There is just an incomparable amount of traditional fiat currency compared to crypto currency so how someone would even make that argument says a lot.

> Myth #2: More illegal activity takes place using cryptocurrency than with cash.

I have no idea what sincere person would say that myth was true unless it was said as a joke. So no argument there but again, not adding any value. See above comment.

> Myth #3: Cryptocurrency makes it harder for law enforcement to investigate malfeasance.

And the 'Facts' given ignore services like Tornado.cash. Conveniently wouldn't you agree ?

My personal opinion of the CoinBase article is "Shill out of Ten".


> I'm not going to be argumentative here

It does help when you check the numbers before making your assertions.

> Clearly coinbase would have a bias to promote userbase

You discount the post because it is from Coinbase, yet every point made is backed up with up-to-date sources from firms you have already deemed appropriate, such as CipherTrace and Chainalysis. That's an... interesting perspective to hold. A bit of cognitive dissonance going on there, methinks?

> How do you think those scams will cash out ? Next step - Places like Tornado.

From your own sources, usually exchanges which implement KYC/AML policies equivalent to traditional banks. Did you actually read them or do you just plop a few keywords in Google and hope for the best?

> And the 'Facts' given ignore services like Tornado.cash. Conveniently wouldn't you agree ?

You think so, do you? Yet in your other source (https://www.unive.it/pag/fileadmin/user_upload/dipartimenti/...), we get this nugget:

> However, in spite of the money laundering risk associated with cryptocurrency mixing services, tumblers are used for lawful activities more often than for illegal ones.

You don't seem interested in a rational or data-driven discussion so there's little fruit to harvest here, I'll leave you to your imaginings.


Just to comment one thing lastly.

I think we have two different opinions on a side topic of Money laundering in regards to Tornado.

The original OP is the US Gov and GH overreaching and on that I fully agree.

I don't think your comments should be downvoted to oblivion at all. You definitely make some good points. I don't have all the real data in front of me so I'm just suspicious when there's a tool like Tornado.


Related discussions:

>GitHub suspends Tornado Cash developer account

https://news.ycombinator.com/item?id=32389706

>U.S. Treasury sanctions virtual currency mixer Tornado Cash

https://news.ycombinator.com/item?id=32386189


This is an overreach, and it is going to backfire.

The target here is a software package, essentially speech, so, one step down that hill.

At least congress isn't deluded, corrupt, and senile enough to try this.

Edit: further, it seems they're going to have to shut down Ethereum too, because Tornado Cash's contract is a person, and subgroup of Ethereum under the definition of entity which falls under the definition of person. [1]

Apparently Treasury is also accusing this tiny piece of code of being engaged in activities that form "... a significant threat to the national security, foreign policy, or economic health or financial stability ..."

[1]: https://obamawhitehouse.archives.gov/the-press-office/2015/0...


If the software is performing actions that are illegal, such as money laundering, for an entity that is a threat to national security, that is no longer covered by free speech. Right? Having or writing the code may be covered by free speech but actually using it to do something is not the same thing.

I don't believe that EO is related to this case. These are OFAC sanctions against the entity Tornado Cash and its related ETH addresses. A US person or Entity cannot interact with them any more. But that does not sanction the entire ETH network. That would be like shutting down an entire bank, or the entire banking network, because a couple accounts were sanctioned. That's not what happens.

Or are you more concerned with additional sanctions against the entire ETH network coming in the future?


> If the software is performing actions that are illegal

But no software is performing any action; A system running said software could, but the software by itself cannot.

And regarding a system performing actions: didn't the USPTO similarly declare that an AI (=software system) can never be qualified as an inventor, because it has no agency?


A bit of an oversimplification on my part. The comment I responded to said "the target here is a software package, essentially speech". I was trying to point out that the speech part of the software wasn't the target. The facilitation of illegal actions was. Having or writing code is one thing but actually using it to do something illegal is different.


The EO is the authority which Treasury is invoking, stated explicitly in the Treasury release.

To rephrase, since Ethereum network, which is a person in the context of the EO, facilitates Tornado Cash's contract, it is "complicit" with the activities as well.


I seem to have gotten the EOs mixed up and thought they were different. You are correct.

EO 13694 was amended by EO 13757. [1] And section 1.a.ii reads: "any person determined by the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to be responsible for or complicit in..." and 1.a.iii has similar wording.

It requires the Treasury and Attorney General to make a determination on the entities being sanctioned. It does not expand the sanctions beyond the entities that are named. So as it stands I can't see how it would require shutting down the ETH network. Sanctioning a sub group does not mean the sanction applies to the parent group. The sanction means US entities cannot interact with the named entities and nothing more. It does not apply to any parent groups and it does not mean other non US entities cannot interact with it. And I don't think the ETH network would count as a US entity.

If the argument is that they could further sanction the entire ETH network, then I suppose they could do that. But that isn't what this sanction does.

[1] https://home.treasury.gov/system/files/126/E.O.%2013694%2C%2...


If it is used by e.g North Korea to evade sanctions then that claim isn't that much of a stretch.

However it is clear that we, the programmer community, need some way to stop projects from being sanctioned (as opposed to companies or specific persons). One obvious way would be to amend open source licenses to not permit them to be used by the US government if it attacks any other project in that group or something similar.

I am sure something better could come up, but we have lots of power if we were willing to come together and use it.


>and it is going to backfire

it isn't. the sheep have been bleating "corporations can do whatever they want" for 10 years now. the pigs will be fine.



In this case, maybe on the administrator with Monero holdings, or by drawing attention to this still-effective system.


Plenty of them in this very thread even.


Mods please change "tornado" to "tornado cash". People explaining in the thread that some tornado was sanctioned got me confused even more.


Not to mention Tornado is a very popular open source Python web server.


It's ironic, Tornado cash is something closer to the true spirit of "crypto" currency.

guess only rich insiders are allowed to launder money.


Lately real estate has been the favored avenue for money laundering, as it retains all the necessary loopholes. Or did, last I checked. Houses in Vancouver BC have, e.g., been favored among mainland Chinese. Dunno the current status.


I imagine it helps to launder money in countries that don't honour the predicate crime's illegality


You have to go through the big banks so that they can get their fees (but you have to launder huge amounts, too).


This probably protects those users. Contributing to the project at this point opens one up to the international reach of U.S. law enforcement.


You are going to open a huge can of worms if you are going to start prosecuting people for software pull requests.

Are we going to prosecute people who manufacture phosphor bombs for the US military as well now?


Honestly, that sounds like a good idea. White phosphorus munitions are generally illegal under the Convention on Certain Conventional Weapons.


Here is where the misunderstanding seems to keep happening (regarding White Phosphorus and Tornado Cash). The mere existence of tools like Tornado Cash or White Phosphorus is not illegal (at least wasn't until yesterday), but illegal use of those always was.

The distinction is important, but seems to have been lost somewhere along the way.


Providing `White Phosphorus` manufacturing service for people who you know use it for illegal acts is also illegal.


Reading through "The Convention on Certain Conventional Weapons" again, since it was a long time ago, I don't find anything supporting this.

Its main purpose is to ban/restrict usage of inhumane weapons, not the production of such. But I might have missed something. If so, mind pointing me to the right section?


It's illegal (1) against civilians, (2) against military targets in concentrations of civilians if delivered by air attack, (3) against military targets in concentrations of civilians by non-air attack unless the military targets are separated from the civilians and you take all reasonable precautions to limit incidental damage to the civilians, and (4) to use it on forests or plant cover unless they are being used to cover or conceal or camouflage military targets.

I don't think I'd describe that as "generally illegal" since it leaves a heck of a lot of situations where it is legal to use it.


Given the US military’s demonstrated lack of precision over the past few decades I’m sticking with generally illegal.


Other non-US countries wouldn't hesitate to do this if they had a list of people working in US chemical weapons factories.


> going to open a huge can of worms if you are going to start prosecuting people for software pull requests

Tornado is sanctioned, not the underlying code. Contributing to the project is legally tantamount to coding for a North Korean entity. This isn’t a start to anything, it’s established law and practice.

Simply pulling shouldn't be a problem. But I can see law enforcement getting a subpoena for a list of accounts that pulled that repo to find and stop copycats.


What would be the legal consequences of forking the project and creating a new project with the code?

And speaking of code - North Korea has their own OS which is essentially a reskinned version of Linux. Does that mean that the US government could go after people who contributed to the Linux project?


> Does that mean that the US government could go after people who contributed to the Linux project?

No. You’re comparing money laundering, which has stricter controls, to exporting software, which doesn’t. (If you knowingly provide support to Pyongyang, probably.)


No, because the US will invade and then perform war crimes on you if you imply that one of their soldiers has maybe performed war crimes and deserves to be tried for it.


In my experience in Afghanistan, it was other countries that performed more "war crimes" than the US (as in violating Geneva Conventions). Why do you think they make it such a big deal when the USA does it? Is it only because the US just prosecutes their own and doesn't recognize the international court? The international court does a much better job of keeping their decisions and the soldiers being punished, private. The US makes quite an example of theirs.


But the US does not prosecute its own. Instead they go after the messenger e.g. Julian Assange. They also usually find the lowest scapegoat they can get instead of having the responsibility be at the command level.

Edit: Spelling of scapegoat


In my personal experience, I've seen a captain go back to a 2nd lieutenant (and I think some other punishments) just for giving an illegal order trying to cover up a "small" oil spill, still cost several million dollars to repair the damage to the ecosystem.

I don't know about Julian Assange, personally. However, Julian isn't a US citizen or in a military, so a different set of laws and standards apply.

Before Abu Ghraib, interrogators were allowed to "do anything as long as it didn't cause 'permanent' damage to their body." It is pretty clear people took that to mean they were allowed to do some pretty fucked up shit. Now the laws are much more stringent. AFAIK, those whistleblowers weren't hunted down.

But more generally, if you murder someone in self-defense, you still murdered someone. A court probably won't prosecute you, but you still did the act, even if it was self-defense. The same applies to "government secrets." Even if the secret is disgusting and terrible, it was still a secret. Whether anyone will convict them for revealing those secrets is a gamble, and probably better to run away instead of taking that chance.

In my experience, there are some pretty fucked up people everywhere, it doesn't matter which country they are from.


I'll likely get downvoted straight to Hell for this, but grammatical errors going uncorrected become common errors as they spread to others… This particular one is already extremely common.

https://www.vocabulary.com/articles/pardon-the-expression/sc...


Thanks, I don't know why I wrote "escape goat" when I know it's "scapegoat".


I hope so.


Can someone edit the title of this to say “tornado cash“? As a one-time contributor to the python tornado web framework, I had a bit of a scare waking up to see this!


This should be a wake-up call for all Russian Github users. If Github suspects you're Russian (e.g. like me you sponsored using a card with Russian billing address), today you are frozen out from all paid features, tomorrow your acc may be gone.

And since creating more than one acc is against Github ToS, the best move is to stop using it ASAP except if required for work.


Is there a decentralized git service off of ipfs or something?


Git is decentralized per default.


But Git hosting isn't. As in the server/infra.


What is git "infra" to you?


An internet accessible reliable service that is always available for the public (others).


not really, it’s very inconvenient to use git without a centralized server


You can pull and push to pretty much anywhere, including directly to another person or workstation, over SSH. It's admittedly harder to have a single source of truth by doing so but it is still very possible to use in a decentralised fashion if you needed to.


Yes, this is a pretty common problem with decentralized services and I'm not sure we can fault git for at least making it viable.


Radicle

Not that it's very functional, but it exists


There are other version control systems that can work in P2P mode, e.g. Monotone.


Regardless of what you think about github or tornado... If you are going to build software that has a huge feature set that will be used for money laundering or other sanction-able activities, host your own git server somewhere.


Nothing stops these folks from hosting their own Git repo somewhere. It’s supposed to be decentralised after all.


Replies to the tweet saying "we need a decentralized git" strike me as bafflingly dense. Do these people think that the website, GitHub, is the only way to interact with a repository?

Are they entirely unaware of git's default decentralized nature, or even that there are other central repository sites?


I wonder how they know if they actually contributed, or if someone just used their info in the commits?


This would be fine if it only affected developers that live in US. I suspect it doesn’t though, and this means it’s yet another proof that we need companies that are outside the US jurisdiction, same reason we need those outside Russian jurisdiction.


I mean. If the US wants to sanction math and code, what's stopping them from sanctioning encryption projects that don't submit to the NSA?


It’s worth pointing out that “tornado” in this context is a crypto project, NOT the popular Python web server/event loop library.


What is Tornado? Some context would be useful.


I can't find a definitive answer: did they also ban people that _only_ contributed pre-sanction?


Any constitutional law experts care to comment?

If the US government put pressure on Github to remove the code and delete their accounts, it seems like a clear violation of the developer's first amendment rights – "code is speech" being precedent.


Not all speech is legal. If I write a virus and unleash it on the internet it's not unconstitutional to arrest me.


It could be argued the sole intent of unleashing a virus on the internet is malicious. The sole intent of publishing a privacy protocol on GitHub is not. Look at Tor for comparison.

GitHub has a section on this[1]. There should be no problem with allowing this software online for research and educational purposes.

[1] https://docs.github.com/en/site-policy/acceptable-use-polici...


Does anyone want to dispute that Tornado Cash is a money laundering tool? When at least 20% of the money that has moved through it is already known to be ill-gotten gains, with the rest being indeterminate, it's kind of hard to say it's anything but a money laundering tool. I've only seen childish arguments that "money laundering is a fake crime", not that Tornado Cash isn't a money laundering tool.


I will dispute that. It's a privacy tool. Just because you don't want the world to know what you spent your money on, doesn't mean you are doing anything illegal.


It is a tool for privacy, full stop. Criminals can use this for criminal activity, law abiding citizens can use this for law abiding activity. Also see end-to-end encrypted chat apps, VPNs, onion routing and other privacy tools that are widely used by criminals.

also consider applications that might be illegal but often considered moral like paying for an abortion with tornado cash ETH in a state where abortion is illegal, or donating to a state that your current regime is at war with.


So "privacy of money movement" is not "money laundering". I see.

Y'all always wanna talk about what people could use the system for and never what people actually are using it for.

Well, if it's just about privacy, then I guess those people could use other forms of money laundering. Aherm, I mean "privately moving large sums of money around to avoid regulatory oversight".


People are using the system for these reasons. Vitalik himself has gone on record saying he has used Tornado Cash to donate large sums of money anonymously to Ukraine.


Conveniently no way to actually verify that


lol, the goalposts have shifted from “nobody uses it for this” to “we can’t know if people use it for this.”

Imagine applying this logic to E2EE chat: we can’t know if anybody is using it for legitimate reasons, because we can’t see their messages.

Besides, you can check the chain yourself - if Vitalik is truthful, you should see at least that some tornado linked funds have been donated to Ukraine after the point he placed them in the protocol.


When governments are not able to know wth you're doing all the time they get worried.

Remember the Patriot act? Or that it went after Phil Zimmermann (creator of PGP)? I see some parallels here.

PGP can be used for law abiding private communication as well as non-law abiding private communication. Maybe we need to rethink the use of https?

A little of a stretch, but you can say that there are law abiding gun owners and non law abiding gun owners. What should we do about that?

I tend to raise an eyebrow, when the government uses the excuse kids/guns/terrorist/criminals to intrude into my privacy.


What if it's a virus that targets politicians?


Then it would be malicious?


IANAL; even in the USA not all speech is protected under the law. See libel laws.

Here it is less about the code as speech, but code as an illegal business and product. It's not an either/or situation. Code is more than just one thing.


Code is never an illegal business. You have to run the code to do an illegal business. In this case running the mixer is apparently illegal (wonder if at all or with just some specific cases), but maintaining and improving the code to run such a mixer certainly not.

crypto wars 2.0


Working for an illegal business (tornado cash isn't just some code repository, it's basically a SaaS business backed on a chain), on its product, usually makes you liable. That's why people working for cartels are prosecutable.

edit: I believe the term is "criminal facilitation."


Not a lawyer, but there is a difference between providing a service (GitHub) and "code is speech". This has nothing to do with code.

GitHub are no longer legally able to provide the service, and so those people no longer have access to GitHub the service. Nothing code-related.


How is code speech? To me it is the equivalent to nuts and bolts of a machine.


https://en.wikipedia.org/wiki/Bernstein_v._United_States

> After four years and one regulatory change, the Ninth Circuit Court of Appeals ruled that software source code was speech protected by the First Amendment and that the government's regulations preventing its publication were unconstitutional.


The 9th Circuit has also ruled that bees are fish [1], and has regularly bucked precedent that to most of the country is settled jurisprudence. [2] This escalated to the point that one of the Circuit's own judges began lambasting the Circuit itself. [3]

[1] https://www.cnn.com/2022/06/06/us/california-bees-fish-court...

[2] https://www.courthousenews.com/carrying-guns-in-public-is-no...

[3] https://reason.com/2022/01/26/a-federal-judges-satirical-opi...

You'll understand if what the 9th Circuit declares has lost a touch of automatic deference from an intellectual, rational consistency, and linguistic abuse point of view, I hope.


Hopefully the next time something like this gets trounced it is congress turning the IRS into like, 20k LOC, instead of ... a bureau.


The US has an expansive view of what is speech. A theater play satirizing the US congress is definitely a political statement, yet it is also just code for actors, right?


Perhaps for the greater good as this is some crypto bullshit.


We need a decentralized and permissionless github


We need a decentralized replacement for GH.


Happy to see this! I’ve been disturbed by GitHub hosting financial infrastructure optimized for criminal activity.


It could be used for privacy purposes also...


Be careful what you cheer for.


For those wondering Tornado here appears to refer to Tornado Cash [1].

[1]: https://www.aljazeera.com/news/2022/8/8/us-announces-sanctio...


Oof. The confusing title could do with some editing then (capitalize 'Tornado' for one).


I thought they were contributing to the Python web framework called Tornado (quite popular especially before asyncio caught on, but still well-known nowadays).


I was like "what's a tornado repo? a reference I don't know about to a whirlwind of activity? maybe a bot attack of some kind."

+1 disambiguation needed


Some of my repos look like they were hit by a tornado and frankly deserve to be deleted


When your code is so bad that the US Government sanctions you, specifically


i thought it was like a tornado warnings repo


Just reading the comments, I also was thinking this was about Python's tornado library until I recognized it wasn't that. The title needs improvement.

CC @dang


I emailed a title suggestion switching to "... Tornado Cash ..." for clarification.

I wish typing "cc @dang" did something, but to the best of my knowledge it does not / isn't monitored vs email.


Same. Confusing title.


@dang could be worth a s/tornado/Tornado Cash/ in the title


Ya, really need to change the title. Tornado is known to many as the python web server.


Yeah... and you know... a natural weather phenomenon. I thought this was about storm chasers or something.


We've put that in the title now.


tornado repos sounds like some kind of evil financial product


[flagged]


“Money laundering” is a fake crime designed to make it easier to prosecute people who may or may not also have committed real crimes.


Sorry to disappoint but money laundering is very much a real, federal offense. (most other jurisdictions have equivalent laws)

https://en.wikipedia.org/wiki/Money_Laundering_Control_Act


I’m reminded of the scene in the movie Blow when he is arguing with the judge that it's not a real crime.

Judge: Unfortunately for you, the line you crossed was real and the plants you brought with you were illegal, so your bail is twenty thousand dollars.


The point that went right over the head of you and the head of the other authoritarian that he is responding to is that there is no victim, not even a risk of a victim or any other bad "externality" (to use a word I know you people love) to money laundering just as a standalone act. The crime is defined in statute as a matter of convenience for the state because having privacy regarding where money comes from/goes makes it harder for them to prosecute other "real" crimes so they define that privacy as criminal in and of itself. But there is nothing inherently bad about the act of laundering in and of itself (unless you believe in guilt/badness by association) hence why he is referring to it as a "fake crime". Obscuring the sources of one's money is no more of a standalone crime than encrypting one's data is.


IANAL, not a US citizen and I have no intention to dig into how the US defines money laundering.

That said, when I hear "money laundering", I exclusively interpret this as the act of whitewashing money acquired by illegal means (e.g. drug sales, extortion, fencing stolen goods etc.) in order to make it appear legitimate. In that regard, there is nothing that is not bad about money laundering (IMHO).

Of course you could argue that it should be possible to hide the source of your money or even the money itself from the government, but as a consequence, you would have to accept that at the very least, your country would have no longer any means to fight crime.


>Of course you could argue that it should be possible to hide the source of your money or even the money itself from the government, but as a consequence, you would have to accept that at the very least, your country would have no longer any means to fight crime.

Conflating having one less specific statute to prosecute people for violating with "no longer having any means to fight crime" brings to mind a famous Churchill quote about the electorate.


The money they are laundering doesn't come from nowhere. It's the proceeds of other crimes, with real victims.

A person laundering is an accessory to other crimes.


>The crime is defined in statute as a matter of convenience for the state because having privacy regarding where money comes from/goes makes it harder for them to prosecute other "real" crimes so they define that privacy as criminal in and of itself.

Of course and that's a very understandable thing. Legibility and transparency are the basis of prosecuting almost any crime. It's why companies are forced to keep records and do accounting, why there are limits on anonymity and so on. That didn't go over my head at all, it's perfectly reasonable. Tools that exist almost exclusively to facilitate criminal activity and render impossible the capacity of the state to detect such activity are 'inherently pretty bad'. Imagine if someone tried to sell a vehicle that's invisible and that would stop border security from doing its job. Pretty unpopular I'd bet.

Are you also surprised that forgery is a crime despite the fact that harm is usually done when that forgery is used? What is this, the "guns don't kill people" of bookkeeping?


That's a bit like saying there is nothing inherently wrong with cleaning up a dead body, you don't want to just leave dead bodies to sit around and rot, so therefore "tampering with a crime scene" is a "fake crime".


It’s a bit absurd to prosecute a murderer for trying to conceal their crime, no?


Yet, it is done. Just not always. Obstruction of Justice is a crime. As is failing to report income from a crime, on your taxes.

But the woman who ordered the videotapes of US torture sessions erased was appointed head of CIA, instead of being prosecuted. Meanwhile, the whistleblower Jeffrey Skilling was charged with mishandling information that was only classified after he last touched it.


No…


There is absolutely no reason to downvote OP for stating an opinion. He didn't say it was the law.

I will equally say that being busted for smoking weed is a fake crime, and that doesn't mean you don't get arrested for it. It means that you _shouldn't_ get arrested for it.


Yeah, sure, and taxation is theft. Got it.


Yeah, sure, and sending money to protestors means you are a terrorist. Got it.


Please don't respond to a bad comment by breaking the site guidelines yourself. That only makes things worse.

https://news.ycombinator.com/newsguidelines.html


Would you please stop breaking the site guidelines like this? We've had to ask you several times before.

https://news.ycombinator.com/newsguidelines.html


This is about how private companies work now that the project has been officially declared a “toxic entity”.

But really did anyone really expect working on a money laundering project would be a good idea? Sure it was a new method of money laundering but it’s pretty obviously money laundering



