WASHINGTON, DC – The US Department of the Treasury’s Office of Foreign Assets Control recently sanctioned a technology called Tornado Cash, on the grounds that it “has been used to launder more than $7 billion worth of virtual currency since its creation in 2019.”
Such enforcement measures are nothing new. But what makes this case unique is that Tornado Cash is a piece of open-source software.
Essentially an automated tool, Tornado Cash mixes digital assets and redistributes them to preserve privacy. While we don’t know everything about Tornado Cash or why it was created, we do know that large sums of digital assets linked to illicit activity have moved through the protocol since it was launched, including millions stolen by North Korean hackers. Any American who uses the service now faces up to 20 years in prison.
Some believe that such sanctions are necessary to prevent money laundering, while others see them as a sign of government overreach. But whatever one’s perspective, it’s worth asking why there was a need for a protocol like Tornado Cash in the first place. The short answer is that our financial system is failing to balance privacy and security. Fortunately, this is a challenge that web3 (blockchain) technologies could help to resolve.
As a senior adviser to two US secretaries of state, I spent time in dozens of countries examining how different systems affect individual rights and democracy, and helping to design technologies and applications to strengthen open societies. In the course of this work, I have seen today’s finance systems failing by virtually every measure. More than a billion people worldwide – including millions in the US – lack access to basic financial services. Many cannot pay their bills or send money to family because they don’t have a bank account or identification, and others simply don’t trust financial institutions.
These suspicions are often legitimate. Carrying out transactions of any size requires us to share sensitive information like birth dates, addresses, and Social Security numbers. Regardless of whether you’re renting an apartment or a car, that information is routinely abused and compromised. Identity thieves have reportedly been hijacking accounts at Experian – one of the three major credit bureaus – simply by signing up for new profiles using the victims’ personal information. Another credit bureau, Equifax, exposed the data of 150 million people (or roughly the entire US workforce) in 2017.
The current system works just fine for criminals. A 2011 report by the United Nations found that 99.8% of money laundering worldwide goes unpunished. But we can redesign our financial infrastructure to offer more privacy and security, without enabling dictators and fraud, by harnessing web3 technologies to unlock new approaches to confidentiality and identity verification.
In most of the world, digital privacy is effectively nonexistent. Either you live in a country like China, where the government knows everything about you and uses that information to manipulate your behavior for political purposes, or you live in a place like the US, where Big Tech manipulates your behavior for commercial purposes. Over the long term, neither arrangement is compatible with a healthy, open society. But web3 could provide a third way, by allowing us more control of our digital identities and information, while adding a layer of accountability to help stop bad actors.
To be sure, most web3 protocols have operated at either extreme of the privacy continuum. Cryptocurrencies like Bitcoin and Ethereum provide full transparency into transactions through public records, while protocols like Tornado Cash attempt to achieve total anonymity by mixing assets from legitimate users alongside those belonging to criminals and rogue regimes.
Fortunately, developers are now gravitating toward a middle ground that protects privacy and upholds basic democratic principles. But designing these systems is too important to leave to government, the private sector, or civil society alone. The right solutions require a team effort focused on a few key issues.
First, we need clear objectives. At a minimum, these should include giving people more control over their information; ensuring greater accountability concerning how that information is used; and expanding access to financial services generally.
Second, we need technical standards that make it easier and less expensive to establish and secure our digital identities. American and Canadian banks currently spend over $30 billion per year on identity verification but still usually fail to prevent money laundering. The same web3 tools that enable secure, inexpensive transactions between digital wallets can make it easier and less costly to prove that we are who we say we are. Open standards for validating digital IDs can ensure healthy competition, reducing costs for consumers and encouraging a race to the top for handling data.
Finally, we need financial regulations that can micro-target bad actors while still enabling the secure movement of money to dissidents and others in closed societies. Having spent time with survivors of North Korean slave labor camps, I would never argue that my right to private transactions is more important than their right to freedom. But the two are not mutually exclusive. With creative policies and well-designed web3 tools, we can promote civil liberties and prevent abuse.
Tornado Cash is just computer code. Trying to shut these protocols down will most likely trigger a never-ending game of Whac-A-Mole. Instead, we need a new approach to building digital financial infrastructure that protects individual privacy without undermining security.
By Tomicah Tillemann
Tomicah Tillemann, a former senior adviser to Secretaries of State Hillary Clinton and John Kerry, is Chief Policy Officer of Haun Ventures and a former member of the Professional Staff of the Senate Foreign Relations Committee under Joe Biden.