
If you design software to do a thing and then the software is used to do that thing, it follows that you’re responsible. Whether you believe that the sanctions make sense or not is one thing, but to argue that the developer of tornado cash is not responsible for… the behaviour tornado cash… feels like a hard sell.


By that logic why haven’t the developers of Metasploit also been arrested? It’s hard to argue that the behavior of the software isn’t/couldn’t be used for nefarious purposes and to commit crimes.

Anonymizing spending on its own is not a crime. Clearly the line is crossed if the developer is promoting the use of the software for illegal purposes. I’m only vaguely familiar with Tornado cash, was that the case? If not, how do we as a society/community draw the line on determining a developer’s intentions?


Software doesn’t come to be through immaculate conception: the authors created it, knowing it could be used in this way.

If a company releases software that is used nefariously, there are very common legal actions to hold them accountable. For example, Facebook has extensive legal obligations to meet to do with behaviour on their platform.

I am not arguing that tornado cash should be illegal (or that encryption should be illegal) rather I am arguing that people are responsible for the software they have created.

If I commit a crime, my intent is absolutely a part of the equation when determining legal action. Why should it be any different with software?

If you wish to argue that the right to privacy is so great that it exceeds any risk of criminal activity, and thus the developers of tornado cash were doing something for the greater good, so be it (that’s probably the position I would take) but it doesn’t absolve them of responsibility.

Taken to the extreme, if I build a piece of software that can save the lives of murder victims by killing the murderer: I am responsible for the killing of (intended) murderers. We might decide that the activity is justified, that the software is operating for the greater good and is therefore permissible, but that doesn’t change my responsibility.


>I am arguing that people are responsible for the software they have created.

So, is your answer to the asked question yes, the developers of Metasploit should be arrested and jailed?

How about the developers of Bitlocker? It's used to encrypt illegal content, impeding police discovery efforts. Every person who developed a file-sharing website should probably also be arrested. Lots of illegal/pirated/etc. content out there.

The point being that almost every software on the planet can potentially be used for malicious and illegal activities. Seems like if we indefinitely held developers responsible for what other people do with their software, the smart person would never develop any software.


Law isn’t a binary based on responsibility, it’s reductive to suggest that by arguing for responsibility we are also arguing for prison for software developers. I can be responsible for your death and spend no time in prison.

Every other industry deals with this challenge — why should software be any different?


You can take the word "jailed" out of my comment, replace it with "responsible for", and I still think my point stands...

You said:

>If a company releases software that is used nefariously, there are very common legal actions to hold them accountable

If you believe that, it follows that you believe that every developer of encryption algorithms should be "held accountable" (be it jail, or "responsible without prison", etc.) because other people use encryption to hide illegal activity. Developers of internet protocols should be accountable for the actions other people take on the internet, because lots of illegal things happen on the internet.

Metasploit, Kali, 7-zip, FileZilla, Word/Excel, Putty, OpenVPN... Should I go on? All of these are used for nefarious things all the time. Are you really suggesting that the developers of these should be responsible for the nefarious things that their users do? If not jail, what responsibility are you suggesting?

>Every other industry deals with this challenge — why should software be any different?

Most other industries have protections against this type of liability, not responsibilities. See knives, guns, planes, cars, etc. Unless there is gross negligence, which isn't just "it was used nefariously", the maker of X is generally not responsible for what some user of X does with X.

Edit for clarification:

You can argue about purpose-built nefarious software, sure. If I develop ransomware, and advertise it as ransomware, and there's no legitimate use other than ransoming... I should probably be held responsible for the ransomware attacks that occur using that tool (at least, I accept that argument). The problem with applying this to all software is that most everything that is used nefariously was originally designed for and used for legitimate uses. When that's the case, the person who committed the crime with the legitimate tool should be held responsible, not the maker of the legitimate tool.


Most industry protections against liabilities are predicated on compliance with expectations about responsibility: the protection against liability is earned. For example, firearm manufacturers are protected from being held liable for actions taken with their firearms as long as they comply with their legal responsibilities, like not selling firearms to children. If a firearms manufacturer sold firearms to children, they would absolutely be held liable for the outcomes.

If you knowingly build software that can be used for money laundering and make no effort to prevent money laundering then, if software was treated like other industries, you’d absolutely expect to be held liable.


>If you knowingly build software that can be used for money laundering

You've retreated back to money laundering, but that is not what you originally were talking about.

You were pretty clear that you were talking about any software which is used nefariously. Which I pointed out that pretty much any software can be used nefariously (e.g. ssh, browsers, hosting software, etc.), but you keep avoiding that.


I’m not avoiding it. There’s nuance. A piece of software that is specifically designed to enable a behaviour that is core to money laundering is different from a piece of software that can be used to engage in money laundering.

A web browser can be used to access a banking website through which you might engage in money laundering, sure, but that’s very different to a piece of software that can be used to hide the origin of funds.

The difference is like a kitchen utensil manufacturer vs. a gun manufacturer. A kitchen knife can be used to kill, a gun can be used to kill, but we hold gun manufacturers and kitchen utensil manufacturers to different standards because intent is an important aspect.

Your argument is predicated on the idea that intent doesn’t matter, but intent does matter, intent is a significant component of criminal law.


These are your words:

>If a company releases software that is used nefariously, there are very common legal actions to hold them accountable

There is no mention of intent. Just that if a software is used nefariously, the creators of that software should be legally accountable.

You later talk about your intent, when you commit a crime, but that's very different. I agree that if someone commits a crime with X software, their intent should be considered. What I don't agree with is holding Tatu Ylönen accountable for someone else's nefarious use of ssh.


> Anonymizing spending on its own is not a crime.

Money laundering laws very much disagree with this.


I’m not familiar with the money laundering laws. But do they state that you can’t buy something anonymously and without an audit trail? Because spending legally obtained cash seems anonymous to me. Is anonymizing your digital spend with legally obtained capital that different?


I can't speak for the US, but in Germany, transactions between countries over 10k€ must be reported to the Bundesbank. There are similar limits for inner-country transactions with businesses, especially financial ones. I assume the USA has similar rules. So small cash transactions are fine, but as soon as larger sums are involved it's going to be very problematic.

Since crypto currencies, nearly by definition, don't care about country borders and the mixers don't trace the amount put in by each user, they almost certainly allow you to circumvent money laundering registration requirements. It's even worse if they frame the mixer as a financial institution, in which case it directly violates its reporting requirements.


> It's even worse if they frame the mixer as a financial institution

Where do they?


These are fair points and I believe there are similar laws in the US.


Money laundering laws in the U.S. require some other crime to be involved.


Do you believe that the same applies to encrypted messaging protocols which facilitate criminals and terrorists to communicate privately?

The developer of Tornado Cash is not responsible for who uses it and for which reasons, just as knife makers are not responsible for murders.


Should knife makers be held responsible if someone stabs someone? TC was designed for privacy and bad actors _also_ took advantage of that. Prosecutors basically need to prove that privacy is bad, good luck with that.


>Should knife makers be held responsible if someone stabs someone?

Not a valid comparison.

Courts and law have long held the completely reasonable position that if the main intent of a product is not to commit crime, that those using it for a crime are held responsible, not the producer.

Conversely, if a product is designed to facilitate crime, or is used significantly more for crime than not, then the liability starts to shift to the producer (as well as the users).

This is the latter case. If the courts show that the producers knew the product was used for crime and added features to assist that on purpose, then they should be held liable.

According to the article, 14% of money moved through the mixer was of criminal origin. If any bank did that, they'd rightfully get hammered by the law (and they do, for vastly smaller ratios of criminal activity).

There are laws about facilitating criminal money laundering.


> This is the latter case.

How is privacy not a legitimate use case?

> According to the article, 14% of money moved through the mixer was of criminal origin.

I’m pretty sure the majority of duffel bags sold in cartel controlled areas of Mexico are used to transport drugs or drug money, that doesn’t mean selling them should be a crime.


>I’m pretty sure the majority

I'm pretty sure that's not true. 1-1 we tied :)

And again, not equivalent. If local duffel bag makers knew duffel bags were used significantly for crime, and added features to facilitate crime, and ignored laws requiring tracking criminals (which is what money processors have to follow), then the duffel bag maker would be criminally liable.

In the case at hand, the company processes the transactions for criminals. That is vastly different than selling a duffel bag. And it runs afoul of criminal money laundering laws that all processors have to follow, and for good reason.

This is why the courts are the place to hash such stuff out - internet opinions are vastly inferior to people performing investigations using evidence.


Source - ChrisLemont

get off your high horse, use of tornado cash is quite common among crypto natives, otherwise it's like broadcasting your pepsi purchases on instagram


Tornado cash could have (for example) implemented AML or KYC policies to achieve the same without coming under the suspicion of assisting criminals.

Given the high data protection requirements warranted by operating a financial service, users could be reasonably sure that their Pepsi purchase remains private.

Of course such measures would run counter to the intended use of Tornado cash, including money laundering, but that is their problem and no one else's.


What could "features to facilitate crime" be in this particular case? Tornado is a simple contract with a singular purpose, to provide financial privacy for its users. It simply doesn't have any features that facilitate a more specific use case, be it money laundering, personal safety, or anything else.


Phantom Secure might be the closest example?

But there's definitely legitimate uses for Tornado Cash. The same way there's legitimate uses for cash.

14% of funds, yeah, not 14% of users... Big difference.


>14% of funds, yeah, not 14% of users... Big difference.

Yep, it shows an incredible quantity of money laundering through the service.


> I’m pretty sure the majority of duffel bags sold in cartel controlled areas of Mexico are used to transport drugs or drug money

I'm sure that isn't true. Most people anywhere in Mexico are civilians not involved in the drug trade.


I think you're missing the intent part of crime. Someone selling a duffle bag or producing one for production is likely not selling it for the purpose of facilitating crime, they just are selling a bag. The question with guns/knives/Tornado Cash is "what is the motivation behind the producers/service provider once put under scrutiny?"

A textile mill producer who gets an order for 5000 duffle bags likely has no vision in mind for the use of the bag beyond "sell to N stores at X price for profit". The storeowner who buys the duffle bag likely also has no criminal motive and instead just wants to sell inventory at profit.

Tornado Cash devs will be scrutinized to understand their main goals, and their communications/advertising strategies, likely as well as any correspondences will be considered for this determination.


> This is the latter case.

You're stating this as if it's fact when it's really not. Tornado Cash was certainly not designed with the intent of criminal activity, but for privacy - and as for "significantly more for crime than not", I've not seen any actual evidence for this, only evidence to the contrary. People claim it's mostly used for crime, but those are purely conjecture, at least the ones I've seen are.


>Tornado Cash was certainly not designed with the intent of criminal activity, but for privacy

Again, claims of privacy are not enough magic to make them free from legal requirements for money laundering laws. Privacy claims do not make banks immune from money laundering. Privacy claims do not make anyone free from meeting legal requirements.

>those are purely conjecture

The above states ~1/7 of all money flowing through can be tied to criminal behavior. If true, that's an astounding ratio that would rightfully put a bank out of business and key players in prison.


> and added features to assist that on purpose

Unless the service was redeployed (unlikely) or operating behind a proxy contract, it wouldn't have been possible to add new features.


>Should knife makers be held responsible if someone stabs someone?

Only if you made and advertised a "human killing knife", so in this case I have no idea how this software was advertised by the devs and community.

I think the intention is important in this case, what was the purpose and who benefited the most, if 99% of knives are used for bad things then you would probably have some ideas about that issue.


I've seen (but never used) TC before. The site was totally neutral with minimal explanation. I've made the comparison because both are really simple tools.


Have there not been quite a few bills/laws proposed recently that also advocate for privacy being bad?


I would be hesitant to get into the knife/gun comparisons.

The charge isn't the anonymization of the money, it's specifically the concealment of money produced by criminal activity, and whether or not that's something that is allowed based on NL law is really the question, as is the motive of the developer/service providers.

This next part is from a US perspective, but remember that there are multiple aspects to law besides just the actual act. There has to be a motive as well.

The reason as I understand it that knife/gun manufacturers aren't really held responsible is because (arguably) their goal is not for persons to commit illegal acts.† Thus the illegal act is an exception and independent of the intention of why the product is produced, and there is not a motivation to empower illegal activity from the manufacturers.

With Tornado cash, it becomes a bit murkier I think and I suppose this is why it's being sent for examination as opposed to outright finding the person guilty. I would imagine what the judge wants to find out are things like:

1. Who was the primary audience/user for Tornado Cash (TC)? Not generalized, but who was actually using it?

2. Were there communications between the team behind TC and other entities that can be identified or no?

3. Did the TC team have awareness of who their main customers were and where the coins mainly came from?

4. Was there any campaigning by the TC team that can be found which shows they were specifically catering to people doing illegal activities?

5. Likely, a court and FIOD would want to investigate if any regional activity can be tied to Tornado Cash††, and if a known sanction region was utilizing the service, were actions taken to prevent this.

I understand that the goals of cryptocoins and the goals of Governments are opposed by design, and likely there will be constant conflicts like this for a long time with cryptocoins and governments; one wants to circumvent monetary rule, the other imposes the monetary rule. I have no personal judgement on TC or cryptocoins, but the court decisions will be interesting to read.

† - I do realize that this line blurs a lot depending on the type of knife being sold, and even worse with gun manufacturers. Unironically, the Borat movies (I forget which one) show this pretty well when Borat asks which gun is best for "stopping Jews", and the gun owner doesn't blink. Gun manufacturers I would suggest walk a fine line in their advertising, as do proponents of gun rights. I know responsible gun owners so I'm not here to cast a wide net on all things gun related, but my take on a lot of weapons advertising is that it sells a violence fantasy.

†† I'm not as familiar with ETH or even how probable it is that they can find who used a service, but it's something that the teams will try to figure out. Whether or not this is a good idea long term is not the point I want to make, it's more that I think this is something governments will be interested in. Very likely, there is a vested interest from these governments in ensuring specific sanctioned countries cannot use cryptocoins to circumvent sanctions. I don't really agree with this ultimately, but it is important to understand the entire thought process beyond just "governments hate cryptocoins".


Knife/gun is completely unrelated in the grand scheme of things.

In finance, you are required to maintain the chain of provenance in an unobfuscated form. If you can't, or won't, your license to operate is revoked. If you didn't have one in the first place, you're already in hot water. You cannot play in the sandbox anymore. That's the civil side. Just like not being willing to help with airline emergency exit doors prohibits you from taking up that row of seats.

Second, if you are connected to willful facilitation of criminal activity, that's when the fangs really come out, because the criminal with the technical expertise to facilitate is a much rarer thing, and the perfect subject for being made an example of as a warning to others.

This is why I have repeatedly told anyone who'd listen. Peer-2-Peer payment technologies without control/auditing paired with them will never be tolerated once they are widely known about. Hell, things like World of Warcraft Gold or game currencies have been used as money laundering vehicles long before blockchain, and even they got law enforcement scrutiny from time to time.

Do not publish that which you don't want to eventually run the chance of being held responsible for.


By this logic, all E2EE and open source privacy tools should have their developers arrested. Matrix, Tor, PGP.

The stated goal of TC was privacy. Privacy is not a crime.


I hope they'll find and arrest the developers of web browsers and Google, because both tools were used to find information (about how to murder people and dispose of corpses).


So should the authors of the anarchist cookbook or 2600 magazine be charged with crimes also?


Is Adobe responsible if someone uses it to edit or create pictures of child porn?



