This is an opinion editorial by Kudzai Kutukwa, a passionate financial inclusion advocate who was recognized by Fast Company magazine as one of South Africa’s top-20 young entrepreneurs under 30.
Privacy is an essential human right that is now being taken for granted. It’s not about having something to hide, but about exercising the power to selectively reveal yourself to the world and thus securing autonomy over your own life. Doors, locks, windows, safes and drapes are some of the devices we use in the physical realm to guard our privacy. Unfortunately we now live in a society in which privacy has been overcome by the compulsion for sharing and transparency. The internet in its current form is deficient in user privacy and was not developed with strong privacy protections from the onset. Our personal data is the “new oil” and is ripe for exploitation by the state, Big Tech and hackers. Sharing has become the default thanks to the availability of digital tools that allow one to share everything from precious moments to exact locations.
While social media platforms have made communication over long distances much easier, the digital footprints being generated online, every day by billions of people compromise their privacy — and by extension their personal security — in numerous ways. Data hacks, online stalking, cyberbullying and phishing attacks are all but a few examples. However, thanks to the aforementioned sharing culture, the desire to maintain privacy is frowned upon and deemed suspicious. After all, why would you need privacy if you have nothing to hide? Without privacy we continue to live under the false illusion of freedom, while our decision-making is remotely controlled by those collecting our data. Privacy is neither illegal nor is it a luxury. Privacy is a necessary prerequisite for freedom.
Until recently financial privacy was the default due to the extensive use of commodity money such as gold and later on after that, cash. You could freely transact without revealing any personal information to merchants or exposing any of your purchases to the bank. In recent years, however, the use of cash has been gradually declining (and financial privacy along with it) due to the rise of alternative digital payment channels and in some cases due to legal restrictions. The idea behind these restrictions being that they are a tool for combating tax evasion, money laundering and organized crime. Despite the fact that digital payment channels are less private than cash, there are laws and limitations on who can access your financial information, and there are legal processes that have to be followed before any disclosure of your financial information to a third party by a financial institution. While not foolproof, they did deliver basic financial privacy protection. As a pseudonymous currency, Bitcoin transactions are public by default and can be viewed by anyone and everyone. If your identity can be tied to a specific Bitcoin “wallet address” your financial life (insofar as that bitcoin wallet is concerned) is now permanently in the public domain, with no legal processes required to access that information. This is the major reason why applications and services that protect the privacy of cryptocurrency transactions are being targeted by governments globally.
On 8 August 2022, the US Treasury’s Office For Assets Control (OFAC) sanctioned Tornado Cash (TC), an Ethereum smart contract mixer, that allows people to protect their financial privacy online, and added it to the Specially Designated Nationals (SDN) List. This effectively means that American citizens, residents and entities are banned from interacting with TC in any way. Privacy-enabling tools like TC allow people to transact without exposing their entire financial activity. In other words they are useful for the preservation of financial privacy where transactions on-chain are concerned. According to OFAC, TC was allegedly used to launder cryptocurrency worth $455 million that was hacked from Axie Infinity’s Ronin Bridge protocol by the North Korean government-backed hacker organization the Lazarus group. OFAC had previously sanctioned the Lazarus group in 2019 and further points out that TC also received funds that were hacked from the Harmony bridge in June as well as the Nomad bridge.
Traditionally, individuals or entities were the target of OFAC sanctions, however what’s odd about this particular scenario is that TC is neither a natural person or a juristic person, it’s open-source code. Code is speech (Bernstein v. DOJ) and is thus protected by the First Amendment. In the same way that a written musical score is useful for communication among musicians, code is also “an expressive means for the exchange of information and ideas,” among computer programmers (Junger v. Daley). Therefore, the creation and sharing of open-source code is protected by the First Amendment, just like the creation and sharing of music, books and films.
Open-source code is free for use by anyone and because no commercial gain accrues to its publishers, it’s therefore a public good. The banking system, internet and roads are all public goods that are used by law-abiding citizens and criminals alike, but bad actors are the ones that are targeted, not the infrastructure. Even SWIFT acknowledges this fact according to a statement on their website’s FAQ section. In response to the questions, “What is the role of SWIFT in relation to financial sanctions that are imposed by regulators?” and “Does SWIFT comply with all sanctions laws?” they state the following:
“SWIFT does not monitor or control the messages that users send through its system. All decisions on the legitimacy of financial transactions under applicable regulations, such as sanctions regulations, rest with the financial institutions handling them, and their competent international and national authorities. As far as financial sanctions are concerned, the focus of SWIFT is to help its users in meeting their responsibilities to comply with national and international regulations. SWIFT is only a messaging service provider and has no involvement in or control over the underlying financial transactions that are mentioned by its financial institutional customers in their messages.”
In other words they are suggesting that as a neutral communications network they are not subject directly to the likes of OFAC and therefore the responsibility for the enforcement of sanctions lies directly with the financial institutions processing them. As far as I can tell the same reasoning can be applied to neutral, privacy enhancing open-source protocols like TC that can be utilized by law abiding citizens and criminals alike. It’s against this background that any rational person observing the absurdity in all this would be forgiven for thinking that perhaps the intent of this action is more about sending a message to not only discourage the use of mixers but to also curtail their development. OFAC’s sanction by default implicitly pre-supposes guilt on the part of anyone seeking financial privacy and by default compels full disclosure of a user’s information (i.e., their entire on-chain financial history). This is not just a sanction on TC alone but a slow creep towards outlawing all privacy enhancing open-source software, or any software deemed illegal by The State.
According to a recent article in the Financial Times, a senior unnamed Treasury official commenting on the sanction of TC said:
“‘We do believe that this action will send a really critical message to the private sector about the risks associated with mixers writ large,’ adding that it was ‘designed to inhibit Tornado Cash or any sort of reconstituted versions of it to continue to operate. Today’s action is the second action by Treasury against a mixer, but it will not be our last.’”
If that is not an open declaration of war against financial privacy then I don’t know what is. This action by OFAC of sanctioning an open-source protocol sets a precedent for indirectly criminalizing the act of seeking financial privacy. Furthermore, it also creates uncertainty within the open-source community, as developers may be held liable for writing code that may be used by criminals later on. Despite the fact that open-source code creators have zero control over how their code will be used, one of TC’s contributing developers, Alex Pertsev was arrested by Dutch authorities and he is being accused of money laundering. Apart from being a contributor to TC’s code no evidence has been disclosed that ties Alex to the laundered funds nor have any official charges against him been made and he is still in police custody, as of time of writing this article. This is the slippery slope that we find ourselves in. This is why censorship resistance and decentralization are necessary.
Following the sanction of TC, “fragility contagion” ensued, which saw Github deleting the entire software repository of TC. Ethereum’s two largest node infrastructure providers Infura and Alchemy restricted access to data on Tornado Cash smart contracts, Defi Protocols’ like Aave, DYDX and Uniswap blocking access to TC and stablecoin issuers like Circle immediately freezing assets connected to TC. All of these companies went above and beyond the requirements of the sanctions law. They didn’t just obey an unjust order, they went out of their way to inflict further damage without even putting up a fight — so much for being “in this together.” Without censorship resistance and decentralization as your first line of defense, you have nothing. Anything that is “decentralized in name only” (DINO) is the low hanging fruit that state attacks will be directed at first, and as we have already seen with the TC fallout, it doesn’t take much to rattle the cage. Over time I expect all these DINO projects to either be sanctioned out of existence like TC or be co-opted into centralized finance.
The million dollar question of the day is how does this affect Bitcoin? Given that Bitcoin is fully decentralized and censorship resistant, why should Bitcoiners pay attention to any of this? Firstly, Bitcoin isn’t private by default, and as such every transaction is recorded on the blockchain in perpetuity. This is further compounded by the fact that most of the Bitcoin trading volume is attributable to a few centralized exchanges like Binance, FTX and Coinbase; as a result, the majority of new entrants end up buying their bitcoin from these exchanges. The problem with that is that one has to provide personal information to these exchanges in order to satisfy know your customer (KYC) requirements. Thus, any Bitcoin purchased through these exchanges becomes tied to your real identity. This creates three major problems, namely:
- Your personal information sitting on an exchange’s centralized database is vulnerable to hacks and data leakages. This information can be shared with the government on request and make you a potential target for an “EO 6102 attack.”
- Exchanges can become a choke point for the enforcement of regulatory actions like OFAC’s sanctions and they are obliged to comply.
- The loss of financial privacy as your transactions can be tracked ad infinitum by the exchange, even in the event of a withdrawal of the bitcoin from the exchange.
These are some of the risks posed by utilizing centralized exchanges and they will not hesitate to do The State’s bidding when called upon. The best way to begin to bypass these vulnerabilities is to start with getting your bitcoin off exchanges and self-custodying your bitcoin in a hardware wallet. Self-custody should be the norm as it’s likely that over time, third-party custodial services will be another regulatory choke point. The next step is to buy bitcoin from non-KYC peer-to-peer exchanges like Bisq and Hodl-Hodl. In addition to this, regular CoinJoining for transactions is another step that can be taken to improve privacy.
A CoinJoin is when two or more parties batch their transactions into one transaction, with the intention of obfuscating who owns which coin after the transaction. The CoinJoin is forward-looking privacy in that it severs the historical links attached to your bitcoin from any future transactions, thus preventing blockchain data watchers from tracing the origin of the bitcoin. It is highly recommended especially for bitcoin that was bought from centralized exchanges in order to maintain basic transactional privacy. Unlike mixers like TC, CoinJoin coordinators never at any point take custody of your bitcoin — they are not money transmitters and are only message transmitters like SWIFT. It is important to note however, that some centralized exchanges reject and flag deposits containing “mixed coins” thus representing another choke point that can be used to clamp down on Bitcoin privacy.
Running your own node coupled with CoinJoins and buying non-KYC bitcoin adds an additional layer of privacy to your Bitcoin transactions. As a gateway to the Bitcoin ecosystem your node is responsible for broadcasting transactions, verifying the legitimacy of the bitcoin you receive and thus protecting your privacy. Without your own node you have to rely on a random public Bitcoin node to tell you your balance and to broadcast/receive transactions on your behalf. The danger with this is that you reveal information that can be used to identify you such as your IP address, wallet balance as well as all your current and future addresses. Worse still, surveillance companies also run some of these nodes, and the last thing you want is this information in their hands. Running your own node ensures that you are insulated against these network-level privacy leaks. Mining is also an option that can be utilized to access non-KYC bitcoin while also resulting in a far more decentralized hash rate for the network. All things considered, the best solution would be earning bitcoin as opposed to buying it and spending bitcoin as opposed to selling it. A bitcoin circular economy removes the need altogether to use fiat on/off ramps thus gradually obsoleting the role of centralized exchanges and over time dampening the volumes of bitcoin flowing through them.
While Bitcoin is undoubtedly censorship resistant at the protocol level, it still remains vulnerable at the individual level due to lack of strong privacy guarantees. The steps outlined above are measures that can be taken in the short-term to enhance financial privacy and by extension insulate against coordinated state attacks. While these may seem inconvenient and tedious, the extra effort is worth it all things considered. In the long-term, more user-friendly privacy tools need to be built at the application layer in order to make using bitcoin privately the rule, not the exception. Financial freedom is one of the most crucial pillars for securing individual freedom. Outlawing financial privacy, directly or indirectly, severely undermines that freedom by erecting a digital panopticon that powers the surveillance state. In a society where the constant threat of financial censorship is a present reality, it would be dangerous to have a system where every transaction you make is analyzed, monitored and controlled by The State (think CBDC’s).
As the war on financial privacy heats up it’s wise to remember the words of cypherpunk Phil Zimmermann in his essay, “Why I Wrote PGP”:
“If we do nothing, new technologies will give the government new automatic surveillance capabilities that Stalin could never have dreamed of. The only way to hold the line on privacy in the information age is strong cryptography.”
Bitcoin not only gave us a head start in maintaining financial privacy but in the eventual separation of money and state. It’s incumbent upon us to defend our financial privacy, because without it we will probably be doomed to central banking imposed serfdom.
This is a guest post by Kudzai Kutukwa. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc. or Bitcoin Magazine.