02.08.2022 | Dan Robinson, amyaixizhang, Rodrigo Seira
On August 8, 2022, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) added certain Ethereum addresses associated with Tornado Cash, an open-source privacy protocol on Ethereum, to the Specially Designated Nationals and Blocked Persons List (SDN List).2 Since the announcement, many participants in crypto’s base layer have expressed concern that they could be required to monitor or censor3 blocks involving SDN List addresses to comply with sanctions, jeopardizing the neutrality of the base layer and compromising its integrity and core functionality. However, we believe that under current OFAC guidance, base layer participants are not required to monitor or censor these addresses as part of a risk-based sanctions compliance program.
Specifically, while the application of sanctions law to decentralized blockchain systems and smart contracts presents novel legal issues, we believe the Tornado Cash sanctions and blockchain address sanctions imposed to date should not require blockchain technology infrastructure providers including builders, pool operators, relays, searchers, sequencers, and validators to monitor or censor transactions that involve blocked addresses.
The issue raised by the application of primarily financial and transaction-oriented economic sanctions is whether the actions of crypto’s block-producing base layer — even when involving sanctioned addresses — amount to “facilitating” a transaction, or dealing with or “contribut[ing] or provi[ding]...funds, goods, or services by, to, or for the benefit of any” sanctioned party or “interests” of a sanctioned party.4
We believe that the public recording of the order of data blocks at the infrastructure layer is no more “facilitating” a transaction, or dealing with, or contributing or providing services to sanctioned parties than the existing communications infrastructure that routes financial messages daily around the world, whether through internet service providers, routers, network switches, email and chat programs, DDoS filters and other network security protocols. In our opinion, the fact that crypto’s base layer infrastructure has been decentralized by distributing basic functions to independent participants makes each actor’s actions even less likely to meet this threshold.
In addition, requiring crypto’s base layer to monitor or censor blocks under threat of sanctions compliance obligations would likely cause network reorganizations and forks5 that threaten the viability of the ecosystem. Similar risks have long been recognized for traditional communications and internet infrastructure. The result would harm national security interests by pushing the development of blockchain technology offshore and impeding efforts to track and trace crypto transactions, a result contrary to OFAC’s stated goals6 and President Biden’s Executive Order issued in March.7
Sanctions are a tool for stopping adversarial actors, not fracturing technological infrastructure or public goods. This is as true for crypto as it is for other technologies. For example, it is widely accepted that the public switched telephone network and the switching centers that allow telephones around the globe to communicate are not expected to filter communications and exclude sanctioned persons. The same argument applies to the infrastructure of the internet, such as the Transmission Control Protocol/Internet Protocol (TCP/IP) and internet service providers (ISPs). Crypto’s base layer is no different.
It is our hope that the analysis in this article will ease uncertainty plaguing industry actors and provide clarity around the scope of sanctions compliance obligations.8 We begin with a description of crypto’s base layer and its participants (section 1), followed by a discussion of OFAC’s legal authorities (section 2). We then discuss the reasons we believe OFAC compliance obligations to date do not require base layer participants to monitor or censor the public recording of the order of data blocks (section 3), the unintended consequences of applying sanctions compliance obligations to base layer participants (section 4), and the historical treatment by U.S. regulators of other technological infrastructure (section 5).
A blockchain can be viewed as a timestamping service that allows for the ordering of data in a canonical way. A fundamental feature is that anyone can submit a chunk of data to be timestamped and recorded to the blockchain. This can support a ledger for a digital asset like Bitcoin, as well as other applications including trust-free agreements that eliminate counterparty risk and new mechanisms for social coordination.
Like the telephone network, crypto’s base layer is at its core a communications protocol and technology infrastructure that serves as a public good. Its key function — publicly recording the order of data blocks — is similar to the role we expect the base layer of internet infrastructure to play, to freely and accurately disseminate information to the public. To maintain its utility, crypto’s base layer must also maintain its neutrality.
While blockchain’s key function is simple, the infrastructure to provide it in a distributed, scalable, and secure way has grown increasingly complex and is constantly changing as the ecosystem evolves and new technology is developed. Many blockchains have distributed the process amongst various base layer participants with specialized roles, including builders,9 pool operators,10 relays,11 searchers,12 sequencers,13 and validators14.
Each base layer participant performs a specific role in the ordering and attestation of new blocks. But as we explain further below, we do not believe the actions of these base layer participants should be interpreted as dealing with, or facilitating transactions with, sanctioned persons. As compared to traditional infrastructure like internet protocols, blockchain further decentralizes core computational functions by distributing them to actors that play specific roles. It is our opinion that decentralization makes the actions of each individual base layer actor even less likely to require censoring than traditional infrastructure.
Sanctions can be a critical tool for protecting the United States. In addressing threats of adversarial actors such as the Democratic People’s Republic of Korea (DPRK), OFAC has an important mandate to enforce “economic and trade sanctions based on U.S. foreign policy and national security goals.”15
At the same time, OFAC’s powers are not limitless and the standard for implementation of compliance programs is that they be a reasonable “risk-based approach,” not that all economic activity must be shut down if there is any chance for some sanctions violation.16 Based on authority granted to the President under the International Emergency Economic Powers Act (IEEPA)17 and the National Emergencies Act (NEA),18 President Barack Obama in 2015 issued Executive Order 13694 (E.O. 13694).19 E.O. 13694 empowered the Treasury Department to address malicious cyber-enabled activities harming the United States or its allies.20 Pursuant to this authority, OFAC implemented the Cyber-Related Sanctions Program under which it can identify certain “persons” or “entities” on the SDN List21 if they are deemed to be “responsible for or complicit in” or to have “materially assisted” or “provided financial, material, or technological support for” foreign cyber-enabled activities that pose a significant threat to the national security or economy of the United States.22
Once a party is identified on the SDN List, “U.S. persons”23 are prohibited from “engaging in transactions” with it, and all of the property and interests in property of the sanctioned party that are within the “possession or control” of a U.S. person or subject to U.S. jurisdiction may not be “transferred, paid, exported, withdrawn, or otherwise dealt in” by U.S. persons.24 Prohibitions also forbid facilitating transactions, including the provision of “services” to any such party.25
OFAC has a history of enforcing sanctions in the digital asset space. OFAC first sanctioned blockchain addresses in November 2018 when OFAC included several Bitcoin addresses controlled by Iranian nationals on the SDN List.26 OFAC also recently sanctioned Blender.io, a centralized and custodial cryptocurrency mixing service run and controlled by several identifiable actors.27
However, OFAC broke new ground in August by adding to the SDN List the Ethereum address where the Tornado Cash bytecode or smart contract (a specific, widely used copy of the Tornado Cash protocol) is stored on Ethereum.28 Previously, the blockchain addresses added to the SDN List were wallet addresses owned or controlled by sanctioned persons or entities.29 Blender.io is also, as noted above, operated under centralized control.
Since E.O. 13694 permits the Treasury Department to take action only against the property and interests in property of “persons” or “entities,”30 OFAC’s actions against a smart contract — at its core, just lines of bytecode — have been questioned by legal analysts and have been the recent subject of a lawsuit.31
In this section we analyze two potential sources of direct sanctions liability: (a) an enforcement action against persons subject to U.S. jurisdiction for transacting or facilitating a transaction, or dealing with a sanctioned party on the SDN List; and (b) a potential addition to the SDN List itself. We conclude that based on current OFAC guidance, a risk-based sanctions compliance program does not require crypto’s base layer to monitor or censor data blocks that may include sanctioned addresses.32
When OFAC adds a party to the SDN List, any property or interest in property of such sanctioned party that is in the United States or comes within the “possession” or “control” of a “U.S. person” must be “blocked” and may not be “transferred, paid, exported, withdrawn, or otherwise dealt in.”33 IEEPA makes it unlawful to violate these prohibitions and also to “cause” another person to do so.34
Against this backdrop, OFAC has taken the position that “facilitating” a violation of sanctions is prohibited.35 This includes “the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any person whose property and interests in property are blocked.”36 OFAC reads these prohibitions broadly to include instances where a U.S. person “assists” or “supports” a non-U.S. person in transactions directly or indirectly involving sanctioned countries or parties.37
Despite OFAC’s broad authority, we believe participants in crypto’s base layer are not required to monitor or censor data blocks that may include sanctioned addresses as part of their risk-based compliance programs. At no point is any individual base layer participant in “possession or control” of property or an interest in property of a sanctioned person.38 These terms, which are not defined in OFAC’s implementing regulations or enforcement actions, and therefore are to be interpreted according to their plain meaning, require “holding property in one’s power” or power to “govern” or “manage” the property.39 However, base layer participants lack this influence or power over the digital assets.
Crypto’s base layer participants are also not able to “block” the property or interests in property of a sanctioned party. That certain participants could be forced to censor blocks does not mean they have the ability to restrict the underlying property. Censorship as applied to crypto’s base layer amounts to an inability to report a transaction; not an ability to “block” it. Whether a transaction is confirmed will depend on the broader, global network consensus regardless of the actions of any individual participant. For example, a transaction that is screened by one base layer participant could be picked up by a non-censoring participant anywhere in the world, or cause a network to fork as further discussed below.
Nor is any individual base layer participant transferring blocked property by playing their role in the public recording of the order of data blocks, even if involving a sanctioned address. As OFAC’s implementing regulations clarify, the prohibition on the “transfer”40 of blocked property is intended to capture acts that transfer or alter legal rights to property and has not historically included the operations of technological infrastructure (such as the telephone network).41 While certain participants in crypto’s base layer like miners receive fees from users for their actions, these fees are akin to internet network fees or telephone service fees.
We also believe that interpreting the actions of crypto’s base layer participants as dealing with blocked property, facilitating its transfer, or providing services to sanctioned parties is at odds with prior OFAC regulations and enforcement history. OFAC regulations have stated that “facilitating” does not include activities that are of a purely clerical or reporting nature and do not further trade or financial transactions.42 The core functionality of crypto’s base layer — the public and decentralized recording of the order of data blocks — should be treated the same. Furthermore, to our knowledge OFAC has generally brought enforcement actions that include a facilitation claim when the subject was also responsible for additional culpable actions like using a financial institution as an agent.43
For these reasons, we think that base layer participants are not required to monitor or censor data blocks involving sanctioned addresses as part of a risk-based sanctions compliance policy, and should not be the subject of a sanctions enforcement action for failing to do so. OFAC recommends in guidance that compliance programs be designed using a “risk-based approach.”44 OFAC has noted “there is no single compliance program or solution suitable to every circumstance or business… [and that] [a]n adequate compliance solution for members of the virtual currency industry will depend on a variety of factors, including the type of business involved, its size and sophistication, products and services offered, customers and counterparties, and geographic locations served.”45 Given the operational role that base layer participants play, which in most instances does not involve engagement with customers or counterparties, we believe that an appropriate risk-based compliance program does not require monitoring or censoring of data blocks involving sanctioned addresses.46
Although Financial Crimes Enforcement Network (FinCEN)47 guidance is not binding on OFAC, this view is supported by FinCEN’s determination that Bitcoin miners are not money services businesses “because these activities involve neither ‘acceptance’ nor ‘transmission’ of the convertible virtual currency and are not the transmission of funds,”48 and FinCEN’s finding that “a person is not a money transmitter if that person only: a) provides the delivery, communication, or network access services used by a money transmitter to support money transmission services.”49 Indeed, FinCEN has appropriately recognized that a miner’s function is to “verify the authenticity of a block of transactions” rather than execute transactions.50
Crypto’s base layer operators should not be added to the SDN List for failing to censor data blocks that include a sanctioned address. OFAC adding base layer participants to the SDN List would require a finding that they were “persons” or “entities” that “materially assisted” or “provided financial, material, or technological support” to any persons engaged in sanctioned cyber-enabled activities.51
Such a finding is unlikely because, first, many base layer activities are not conducted by a “person” or an “entity” but rather by self-executing software code. In those instances, there is no basis to designate them because there is no “person” or “entity” taking any action.
As recent examples demonstrate,52 when OFAC has historically designated parties under the “material support” provisions of various executive orders, it has designated malicious actors who were taking extreme actions such as providing sensitive technology to designated parties or covertly funneling money on their behalf.53 That is distinct from the function of crypto’s base layer, which is to provide neutral, open-source software to validate and post information to a blockchain. Accordingly, base layer activities are different in kind from the actions OFAC has previously found sufficient to constitute material support.
There are also statutory limitations on the application of IEEPA to the importation or exportation of information that suggest the activities of crypto’s base layer are not intended to be covered by the sanctions regime. E.O. 13694 and the bulk of modern sanctions are promulgated under IEEPA, a 1970s-era federal law granting powers to the president in the event of a national emergency.
IEEPA is limited in several key ways, however, including with respect to the export of “information.” In 1988 and 1994, Congress passed a series of restraints on presidential powers known as the “Berman Amendments,” which collectively provided that OFAC cannot regulate “the importation from any country, or the exportation to any country…[of] any information or informational materials.”54 This limitation of powers exists “regardless of format or medium of transmission.”55
While OFAC has attempted to narrow the exemptions codified by Congress,56 recent decisions by U.S. courts suggest that OFAC’s narrow reading of the Berman Amendments is not supported by the statute’s text.57 Thus, along with the points above, it can be further argued that the work of crypto’s base layer is merely dealing in information — even if that information has value — and thus is exempted from U.S. sanctions promulgated under IEEPA.
In this section, we discuss the damaging and counterproductive consequences of forcing base layer participants to monitor and screen data blocks under the threat of sanctions compliance obligations.
The degree of network censorship resulting from base layer participants screening data blocks involving sanctioned addresses will depend on important technical nuances outside of the scope of this paper.58 Nonetheless, abandoning the neutrality of core operational features of blockchains risks breaking blockchain’s crucial consensus mechanism.
For example, if certain censoring validators take the position of refusing to attest to prior blocks that include transactions with sanctioned addresses, the network could fork. Censoring validators would disagree with non-censoring validators by denying the existence of transactions with sanctioned addresses, and the network would split into two conflicting realities. Alternatively, if users disagree with the decision of a supermajority of validators to censor transactions, users could “fork them out” by choosing not to utilize these validators. No matter its cause, a network fork would be highly disruptive and undermine the fundamental proposition of blockchain technology, which is to provide a universal record of the order of data blocks.
This sanctions-driven network splintering would ultimately harm U.S. national security interests. The fear of sanctions enforcement could result in base layer participants such as validators and miners going offshore. This would limit U.S. influence over the development of the technology and have negative effects on the U.S. economy and American hegemony. These consequences run counter to the goals of President Biden, who stated in his March Executive Order that the “United States has an interest in ensuring that it remains at the forefront of responsible development and design of digital assets and the technology that underpins new forms of payments and capital flows in the international financial system.”59
Further, such a reaction would increase the difficulty of monitoring base layer participants, including those that serve as on- and off-ramps. As more activity moves offshore, regulators will have decreasing visibility into exchanges and validators because they would be subject to fewer reporting obligations, making it harder for U.S. regulators to track and trace illicit funds. These services would be driven to other jurisdictions or captured by parties that may be antagonistic to national security interests of the U.S. and its allies.
Indeed, the precedent set here by the United States will likely be followed by other countries, including those whose values diverge from our own. If the United States applies censorship to the base layer, other countries may choose to do the same. This could result in foreign laws driving censorship of crypto in the United States or, alternatively, every country having its own “compliant” version of crypto that is operated by validators within that country and that is completely isolated from other countries’ versions. The present internet avoided this fate, with limited exceptions, to the benefit of us all.
An obvious analogy for crypto’s base layer is the infrastructure underlying the internet. ISPs collect and send packets of information between users leveraging protocols such as TCP/IP.60 Just as base layer neutrality is necessary for crypto to function efficiently,61 allowing for the uncensored flow of information at the bottom layer of communication networks is critical.
From an architectural standpoint, networks benefit from pushing discretion to the edges and keeping the core free from censorship so that information can flow freely. Therefore, maintaining network integrity is another reason to resist fracturing global communications through jurisdictional policy decisions, even if certain issues like sanctioning the DPRK have strong consensus. In the way that internet messaging functions today, policy decisions have already been made to allow for balancing network integrity and national interests. In contrast, internet censorship through actions like “packet filtering” has been associated with oppressive and authoritarian regimes.62 For blockchain infrastructure, there are other places more appropriate to adjudicate transactions. U.S. regulators should be consistent in their approach and recognize that maintaining the neutrality of crypto’s base layer is of paramount importance.
OFAC’s identification of blockchain addresses to the SDN List should not require any base layer participants to censor transactions that involve sanctioned addresses. OFAC regulations require the implementation of risk-based compliance programs tailored to the specific activities of the base layer participants in question. Given that the role of crypto’s base layer is fundamentally the public recording of the order of data blocks, participants should not be required to screen blocks that include sanctioned addresses.
Applying sanctions compliance obligations at the base layer would also have counterproductive national security implications and push development of important technology offshore, thereby making it harder to track and trace crypto transactions core to protecting national interests.
Crypto holds great promise for America and the world. Over time, we are confident that industry and regulators can, by working together, fulfill American ideals of free speech, privacy, and financial freedom.
Special thanks to Angela Angelovska-Wilson, Katie Biber, Henley Hopkinson, Linda Jeng, Emily Meyers, Michael Mosier, Georgia Quinn, Rebecca Rettig, Gabriel Shapiro, Justin Slaughter, and Sheila Warren for their review and feedback.
This content is provided for informational purposes only, and should not be relied upon as legal, business, investment, or tax advice. Circumstances vary, and one should consult their own advisers and attorneys for advice. Certain information contained herein has been obtained from third-party sources. While taken from sources believed to be reliable, the authors have not independently verified such information and make no representations about the current or enduring accuracy of the information or its appropriateness for a given situation. References to any securities or digital assets are for illustrative purposes only, and do not constitute an investment recommendation or offer to provide investment advisory services.
Copyright © 2024 Paradigm Operations LP All rights reserved. “Paradigm” is a trademark, and the triangular mobius symbol is a registered trademark of Paradigm Operations LP