A First Amendment fight for the future of the internet
The Tornado Cash case puts the claim that "code is speech" to the test
Hey there. Today we’re re-publishing an article by Mike Orcutt that first ran last week on Boston Globe Ideas.
Is computer code speech? The case against Roman Storm is putting that question to the test.
On April 14, 2022, Roman Storm posted a link to a news article in an encrypted group chat he shared with his two fellow creators of Tornado Cash, a software application that lets people exchange cryptocurrency with extra layers of privacy.
“Guys we are fucked,” Storm wrote, according to the US Department of Justice.
The news story revealed that the FBI had pinpointed the Lazarus Group, North Korean state-sponsored hackers, as the perpetrators of a recent $600 million cryptocurrency heist. According to the government, Storm knew that whoever had pulled off that heist had been using Tornado Cash to throw the cops off their tracks. It wasn’t the first time criminals had used the app. But this time, the criminals were affiliated with a nuclear-armed US adversary.
Storm was right about what it meant for him and his fellow creators of the app. That August, the US Treasury Department put Tornado Cash under harsh sanctions. Days later, officials in the Netherlands arrested codeveloper Alexey Pertsev. And a year later, the US Department of Justice indicted Storm and a third developer, Roman Semenov. They are charged with money laundering, violating US sanctions law, and operating an unlicensed money transmitter.
This May, a Dutch court found Pertsev guilty of money laundering and sentenced him to more than five years in prison. Semenov remains at large. Storm’s trial is scheduled to begin in December in New York. He faces up to 45 years behind bars.
Federal prosecutors say Storm helped the Lazarus Group launder money, even though they have presented no evidence he gave direct assistance. Storm’s defenders, who include blockchain technology advocates and the internet freedom group Electronic Frontier Foundation, say all he did was help create a software tool.
Storm’s lawyers say the First Amendment protects his actions, as for nearly three decades US courts have recognized software code as protected speech. “At its heart, this prosecution represents an unprecedented attempt to criminalize the development of software,” Storm’s lawyers argued in March in a motion to dismiss the indictment.
The dispute is technically and legally complex. But at its center is a long-running debate over whether software code is protected by the First Amendment. And the outcome could determine whether a new class of software is effectively off-limits for Americans.
‘The bad things people do with the software you write’
In 1995, mathematician Daniel Bernstein sued the US Department of State. He said the government violated his First Amendment rights by requiring him to register as an arms dealer and apply for an export license before he could publish the source code for Snuffle, his encryption algorithm. A district court judge agreed with Bernstein, rejecting the government’s argument that Snuffle’s code was conduct, not speech.
The Ninth Circuit Court of Appeals affirmed the lower court’s decision in 1999. Several other lower court decisions in the late 1990s reached the same conclusion as in the Bernstein case. Judges viewed code as being like speech because it is written in a language and is a mode of communication—it’s “expressive.”
But contrary to what many in the tech world seem to think, this legal matter isn’t settled. In a dissent to the Ninth Circuit’s decision in Bernstein, Judge Thomas G. Nelson raised a compelling point: “The basic function of encryption source code is to act as a method of controlling computers,” he wrote. “This functional aspect of encryption source code contains no expression; it is merely the tool used to build the encryption machine.”
The code that runs Tornado Cash may be expressive, but it also functions. It instructs a blockchain network to anonymize cryptocurrency transactions by using advanced cryptography to untraceably transfer cryptocurrency from one software “wallet” to another. While the crypto is in the first wallet, it is linked to every transaction the wallet has ever participated in. In the second wallet, all that history is wiped away.
Crypto and privacy advocates are steadfast that encrypting transactions in this way has legitimate uses—anonymous donations to a sensitive political cause, for instance. Like real cash, though, Tornado Cash also has illicit uses. The Lazarus Group used it to sweep away digital breadcrumbs that let investigators track criminal funds on blockchains.
What makes Tornado Cash new in the eyes of the law is that although Storm and the other developers knew the cryptocurrency thieves were using Tornado Cash, they couldn’t stop the criminals. The core of the privacy tool is a set of smart contracts (a crypto term for software that runs on a blockchain) that no one, not even Tornado Cash’s creators, can modify or shut down.
This is the whole point of blockchains: They operate free of the control of any single entity or person. Blockchain-based software can have built-in kill switches and ways for developers to make upgrades, but the Tornado Cash developers chose to relinquish all control over the core application in 2020. They say their intention was to give cryptocurrency users privacy, not to help criminals.
“It’s really a question of whether you can be held criminally culpable for the bad things people do with the software you write, even if you didn’t intend for them to do those bad things with that software,” says Peter Van Valkenburgh, director of research at the policy advocacy group Coin Center, based in Washington, D.C.
In the Netherlands it appears the answer is yes, and Alexey Pertsev must spend more than five years in prison for it. The US Constitution makes Roman Storm’s case more complicated.
When parallels break down
The sanctions law Storm allegedly broke is called the International Emergency Economic Powers Act (IEEPA). Passed in 1976, it gives the president powers to regulate international commerce in the name of national security. In 1988, Congress amended IEEPA to clarify that the president cannot block the international exchange of First Amendment-protected items including books, music, artwork, and other “informational materials.” This update became known as the Berman Amendments.Storm’s defense team has argued that the Tornado Cash software qualifies as informational materials under the Berman Amendments. And even if that law doesn’t protect Storm, they argue that the First Amendment does.
The government responds that much of Storm’s defense rests on a simplistic notion: that “he should not be held criminally liable because his conduct involved computer software.” That idea “would have breathtakingly broad implications,” prosecutors wrote in April in a filing with the court. For example, they said, it would keep the president from blocking an American bank with a foreign branch from doing business with a sanctioned person or group over banking software.
But the bank parallel doesn’t work, argues Van Valkenburgh. Banks have legal relationships with their customers—promises, guarantees, terms of service, etc. Those relationships are “conduct” (and not expressive conduct, like flag burning), he says, and the First Amendment doesn’t prevent the government from regulating that conduct. The Tornado Cash developers had no such relationships with their users, Van Valkenburgh says. Crucially, they never took control of any user funds. As Van Valkenburgh sees it, the developers’ only conduct, in the legal sense, was publishing software without a backdoor that would let them control its use once it was out in the world.
The problem with ‘code is speech’
The complexity of the Tornado Cash case makes it challenging to parse the arguments. But ultimately it is about who is responsible when a novel piece of software is used to break the law.
Therein lies the problem with the claim that “code is speech.”
If we assume all code is speech, any regulation of software will be vulnerable to a First Amendment challenge. Given the role that software plays in so many of our interactions today, that’s not workable, says Xiangnong (George) Wang, a staff attorney at the Knight First Amendment Institute at Columbia University.
In a 2021 article in the Wisconsin Law Review, Wang argued that whether code is speech is no longer the right question for lawyers, judges, and lawmakers to consider. “It’s really about how it’s used,” he says. “What are the actual values at stake?” Is it an attempt to participate in democratic discourse? To disseminate useful information to the public? Or is it to distribute a product? There won’t always be clear-cut answers, Wang says. But as software becomes even more pervasive and complex—even autonomous—the public will have to decide what exactly the First Amendment should protect.
Decentralized software applications and AI make things even less clear-cut. But Storm’s lawyers are still betting they can lean hard into the First Amendment.
Van Valkenburgh’s organization, Coin Center, has argued that Storm’s choice to write and publish Tornado Cash “is the expression of a powerful political and scientific viewpoint in and of itself.” In other words, it’s arguing that systems like Tornado Cash should be allowed despite the government’s distaste for them.
“Some in the US Government may strongly have preferred that (the developers) would have published their code with a secret vulnerability or a ‘backdoor’ for law enforcement, or simply not published their viewpoints at all,” Coin Center said in brief supporting Storm. It added: “The defendants cannot and should not be held liable for having merely published software as they saw fit.” —Mike Orcutt
Follow us on Twitter or get corporate with us on LinkedIn—if you want.