The Fight for Privacy
Last week Web3 privacy was dealt a significant blow by a US regulator when the SEC sanctioned the Tornado Cash service that runs on Ethereum.
Web3 Comes Under Attack
Tornado Cash is a mixing service which allows holders of Ether to anonymise their holdings. When you hold a cryptocurrency such as Ether in a crypto wallet, all transactions associated with that wallet are visible on the blockchain. Hence if someone is able to link a wallet with an individual, details of that user's transactions are public knowledge.
Mixing services provide a facility to anonymise crypto holdings. A user sends crypto from their wallet to the service, which then mixes those funds with other funds and allows the user to specify one or more new wallets for the funds to be transferred to.
Once the funds leave the mixing service, the link with the original user's wallet is severed, allowing the holders to deploy the funds as they see fit without them being traced back to their original source. If the source of these funds was some illicit activity such as hacking a DeFi protocol, this gives the perpetrators a way to get their ill-gotten gains to a safe location where they are free to use them as they please.
Not all users of such services are illicit; some simply want to ensure that all of their crypto holdings are not public knowledge. For instance, if you registered an ENS address such as ericcartman.eth and paid for it using funds from another wallet with a significant balance of Ether, the fact you have a decent chunk of crypto change is now public knowledge. Sites such as .eth Leaderboard and Etherscan demonstrate who some of the well-known Ethereum wallets are.
You may wish to sever details of these holdings, which is where a mixing service can help. You'd still need to be a good citizen and report details of the new wallets to your tax authority, but the mixer will help anonymise these funds. In other instances, people use mixer services to be anonymous donors. For instance, Vitalik Buterin used Tornado Cash to donate funds to help the people of Ukraine, so there are very legitimate reasons for making use of mixer services. But they were on the SEC's radar due to their usage by both criminal and sanctioned groups, such as the Lazarus Group, a Democratic People’s Republic of Korea (DPRK) group that had stolen $455 million and used Tornado Cash to launder these funds.
The SEC's actions were followed by a number of significant responses by some key Web3 companies:
- Coinbase & USDC restricted access to addresses associated with Tornado Cash; Circle also froze all USDC held by Tornado Cash
- The Infura and Alchemy Web3 gateway services blocked access
- The Tornado Cash front-end was taken down at tornado.cash.
This effectively locked out a number of Web3 services and users from accessing Tornado Cash. However, as Tornado Cash exists as a set of smart contracts on the Ethereum blockchain, it's still possible to use the service. Given that avoiding the US sanctions can result in 30 years in prison, though, it's a risk that very few would be willing to take.
Those Web3 companies mentioned above are all U.S. companies, hence they had to respond to the action by the SEC. Whilst the technology of Web3 continues to remain sound, these events go to demonstrate how vulnerable it is to decisions by regulators.
It's understandable why the SEC does not like services that enable criminals to launder their funds, but there are very legitimate reasons for making use of mixing services. In the days following the initial announcement, events appear to have taken a further turn for the worse, with a Dutch developer being arrested for their work on Tornado Cash.
What's not clear at this time is if they were just a code contributor to the service, or working with or assisting groups performing criminal actions on the platform. However, there is widespread concern that they were just undertaking the former.
If this is the case, someone being arrested for writing code is very concerning. This is akin to a knife manufacturer being arrested when someone takes one of their knives and attacks someone with it. The specifics will become clear over time, but currently, there is widespread concern about where this could lead if Web3 developers are targeted by the authorities.
Aside from the widespread concern and criticism by the Web3 community, there have also been some other responses.
Clones of Tornado Cash's front-end have been spun up. These are accessible via IPFS, so cannot be taken down as such. This is similar to what has happened with The Pirate Bay, which allows people to download digital content for free via torrents.
Someone has also started trolling well-known Ethereum wallet addresses, sending gifts of 0.1 ETH from Tornado Cash to people such as Brian Armstrong, Snoop Dogg and Jimmy Fallon so that these wallets become blacklisted. This activity is unlikely to cause issues for the recipients of these funds with the SEC, but it does create challenges with them accessing any US-hosted Web3 applications.
Privacy is an essential component of not just Web3, but the Web more generally. Users need to have a way to protect their funds from prying eyes. Centralised exchanges do offer this using a model that is more akin to TradFi, but users of Web3 should have ways of doing this when they are custodians of their own funds.
It is important that there are ways that criminal activities can be prevented or tracked using Web3, but the sanctioning of a widely used mixer service is a heavy-handed approach. In some respects, it is similar to encryption being treated as a weapon in the early days of the web, where it was illegal to export strong encryption software outside of the US.
One hopes that this isn't an indication of what's to come with respect to regulation of Web3, but at this point, the main takeaway is that using mixing or privacy-focussed crypto services going forwards is risky, regardless of how ethical your underlying motivations may be.