Base Layer Neutrality

Sanctions and Censorship Implications for Blockchain Infrastructure¹

Executive Summary

On August 8, 2022, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) added certain Ethereum addresses associated with Tornado Cash, an open-source privacy protocol on Ethereum, to the Specially Designated Nationals and Blocked Persons List (SDN List).² Since the announcement, many participants in crypto’s base layer have expressed concern that they could be required to monitor or censor³ blocks involving SDN List addresses to comply with sanctions, jeopardizing the neutrality of the base layer and compromising its integrity and core functionality. However, we believe that under current OFAC guidance, base layer participants are not required to monitor or censor these addresses as part of a risk-based sanctions compliance program.

Specifically, while the application of sanctions law to decentralized blockchain systems and smart contracts presents novel legal issues, we believe the Tornado Cash sanctions and blockchain address sanctions imposed to date should not require blockchain technology infrastructure providers including builders, pool operators, relays, searchers, sequencers, and validators to monitor or censor transactions that involve blocked addresses.

The issue raised by the application of primarily financial and transaction-oriented economic sanctions is whether the actions of crypto’s block-producing base layer — even when involving sanctioned addresses — amount to “facilitating” a transaction, or dealing with or “contribut[ing] or provi[ding]...funds, goods, or services by, to, or for the benefit of any” sanctioned party or “interests” of a sanctioned party.⁴

We believe that the public recording of the order of data blocks at the infrastructure layer is no more “facilitating” a transaction, or dealing with, or contributing or providing services to sanctioned parties than the existing communications infrastructure that routes financial messages daily around the world, whether through internet service providers, routers, network switches, email and chat programs, DDoS filters and other network security protocols. In our opinion, the fact that crypto’s base layer infrastructure has been decentralized by distributing basic functions to independent participants makes each actor’s actions even less likely to meet this threshold.

In addition, requiring crypto’s base layer to monitor or censor blocks under threat of sanctions compliance obligations would likely cause network reorganizations and forks⁵ that threaten the viability of the ecosystem. Similar risks have long been recognized for traditional communications and internet infrastructure. The result would harm national security interests by pushing the development of blockchain technology offshore and impeding efforts to track and trace crypto transactions, a result contrary to OFAC’s stated goals⁶ and President Biden’s Executive Order issued in March.⁷

Sanctions are a tool for stopping adversarial actors, not fracturing technological infrastructure or public goods. This is as true for crypto as it is for other technologies. For example, it is widely accepted that the public switched telephone network and the switching centers that allow telephones around the globe to communicate are not expected to filter communications and exclude sanctioned persons. The same argument applies to the infrastructure of the internet, such as the Transmission Control Protocol/Internet Protocol (TCP/IP) and internet service providers (ISPs). Crypto’s base layer is no different.

It is our hope that the analysis in this article will ease uncertainty plaguing industry actors and provide clarity around the scope of sanctions compliance obligations.⁸ We begin with a description of crypto’s base layer and its participants (section 1), followed by a discussion of OFAC’s legal authorities (section 2). We then discuss the reasons we believe OFAC compliance obligations to date do not require base layer participants to monitor or censor the public recording of the order of data blocks (section 3), the unintended consequences of applying sanctions compliance obligations to base layer participants (section 4), and the historical treatment by U.S. regulators of other technological infrastructure (section 5).

1. The “base layer” of crypto

A blockchain can be viewed as a timestamping service that allows for the ordering of data in a canonical way. A fundamental feature is that anyone can submit a chunk of data to be timestamped and recorded to the blockchain. This can support a ledger for a digital asset like Bitcoin, as well as other applications including trust-free agreements that eliminate counterparty risk and new mechanisms for social coordination.

Like the telephone network, crypto’s base layer is at its core a communications protocol and technology infrastructure that serves as a public good. Its key function — publicly recording the order of data blocks — is similar to the role we expect the base layer of internet infrastructure to play, to freely and accurately disseminate information to the public. To maintain its utility, crypto’s base layer must also maintain its neutrality.

While blockchain’s key function is simple, the infrastructure to provide it in a distributed, scalable, and secure way has grown increasingly complex and is constantly changing as the ecosystem evolves and new technology is developed. Many blockchains have distributed the process amongst various base layer participants with specialized roles, including builders,⁹ pool operators,¹⁰ relays,¹¹ searchers,¹² sequencers,¹³ and validators¹⁴.

Each base layer participant performs a specific role in the ordering and attestation of new blocks. But as we explain further below, we do not believe the actions of these base layer participants should be interpreted as dealing with, or facilitating transactions with, sanctioned persons. As compared to traditional infrastructure like internet protocols, blockchain further decentralizes core computational functions by distributing them to actors that play specific roles. It is our opinion that decentralization makes the actions of each individual base layer actor even less likely to require censoring than traditional infrastructure.

2. The U.S. government has legitimate national security interests in enforcing sanctions in the digital asset space

Sanctions can be a critical tool for protecting the United States. In addressing threats of adversarial actors such as the Democratic People’s Republic of Korea (DPRK), OFAC has an important mandate to enforce “economic and trade sanctions based on U.S. foreign policy and national security goals.”¹⁵

At the same time, OFAC’s powers are not limitless and the standard for implementation of compliance programs is that they be a reasonable “risk-based approach,” not that all economic activity must be shut down if there is any chance for some sanctions violation.¹⁶ Based on authority granted to the President under the International Emergency Economic Powers Act (IEEPA)¹⁷ and the National Emergencies Act (NEA),¹⁸ President Barack Obama in 2015 issued Executive Order 13694 (E.O. 13694).¹⁹ E.O. 13694 empowered the Treasury Department to address malicious cyber-enabled activities harming the United States or its allies.²⁰ Pursuant to this authority, OFAC implemented the Cyber-Related Sanctions Program under which it can identify certain “persons” or “entities” on the SDN List²¹ if they are deemed to be “responsible for or complicit in” or to have “materially assisted” or “provided financial, material, or technological support for” foreign cyber-enabled activities that pose a significant threat to the national security or economy of the United States.²²

Once a party is identified on the SDN List, “U.S. persons”²³ are prohibited from “engaging in transactions” with it, and all of the property and interests in property of the sanctioned party that are within the “possession or control” of a U.S. person or subject to U.S. jurisdiction may not be “transferred, paid, exported, withdrawn, or otherwise dealt in” by U.S. persons.²⁴ Prohibitions also forbid facilitating transactions, including the provision of “services” to any such party.²⁵

OFAC has a history of enforcing sanctions in the digital asset space. OFAC first sanctioned blockchain addresses in November 2018 when OFAC included several Bitcoin addresses controlled by Iranian nationals on the SDN List.²⁶ OFAC also recently sanctioned Blender.io, a centralized and custodial cryptocurrency mixing service run and controlled by several identifiable actors.²⁷

However, OFAC broke new ground in August by adding to the SDN List the Ethereum address where the Tornado Cash bytecode or smart contract (a specific, widely used copy of the Tornado Cash protocol) is stored on Ethereum.²⁸ Previously, the blockchain addresses added to the SDN List were wallet addresses owned or controlled by sanctioned persons or entities.²⁹ Blender.io is also, as noted above, operated under centralized control.

Since E.O. 13694 permits the Treasury Department to take action only against the property and interests in property of “persons” or “entities,”³⁰ OFAC’s actions against a smart contract — at its core, just lines of bytecode — have been questioned by legal analysts and have been the recent subject of a lawsuit.³¹

3. Sanctions law should not require participants in crypto’s base layer to censor the public recording of the order of data blocks

In this section we analyze two potential sources of direct sanctions liability: (a) an enforcement action against persons subject to U.S. jurisdiction for transacting or facilitating a transaction, or dealing with a sanctioned party on the SDN List; and (b) a potential addition to the SDN List itself. We conclude that based on current OFAC guidance, a risk-based sanctions compliance program does not require crypto’s base layer to monitor or censor data blocks that may include sanctioned addresses.³²

3a. Crypto’s base layer should not be the subject of an enforcement action for publicly recording the order of data blocks involving sanctioned addresses

When OFAC adds a party to the SDN List, any property or interest in property of such sanctioned party that is in the United States or comes within the “possession” or “control” of a “U.S. person” must be “blocked” and may not be “transferred, paid, exported, withdrawn, or otherwise dealt in.”³³ IEEPA makes it unlawful to violate these prohibitions and also to “cause” another person to do so.³⁴

Against this backdrop, OFAC has taken the position that “facilitating” a violation of sanctions is prohibited.³⁵ This includes “the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any person whose property and interests in property are blocked.”³⁶ OFAC reads these prohibitions broadly to include instances where a U.S. person “assists” or “supports” a non-U.S. person in transactions directly or indirectly involving sanctioned countries or parties.³⁷

Despite OFAC’s broad authority, we believe participants in crypto’s base layer are not required to monitor or censor data blocks that may include sanctioned addresses as part of their risk-based compliance programs. At no point is any individual base layer participant in “possession or control” of property or an interest in property of a sanctioned person.³⁸ These terms, which are not defined in OFAC’s implementing regulations or enforcement actions, and therefore are to be interpreted according to their plain meaning, require “holding property in one’s power” or power to “govern” or “manage” the property.³⁹ However, base layer participants lack this influence or power over the digital assets.

Crypto’s base layer participants are also not able to “block” the property or interests in property of a sanctioned party. That certain participants could be forced to censor blocks does not mean they have the ability to restrict the underlying property. Censorship as applied to crypto’s base layer amounts to an inability to report a transaction; not an ability to “block” it. Whether a transaction is confirmed will depend on the broader, global network consensus regardless of the actions of any individual participant. For example, a transaction that is screened by one base layer participant could be picked up by a non-censoring participant anywhere in the world, or cause a network to fork as further discussed below.

Nor is any individual base layer participant transferring blocked property by playing their role in the public recording of the order of data blocks, even if involving a sanctioned address. As OFAC’s implementing regulations clarify, the prohibition on the “transfer”⁴⁰ of blocked property is intended to capture acts that transfer or alter legal rights to property and has not historically included the operations of technological infrastructure (such as the telephone network).⁴¹ While certain participants in crypto’s base layer like miners receive fees from users for their actions, these fees are akin to internet network fees or telephone service fees.

We also believe that interpreting the actions of crypto’s base layer participants as dealing with blocked property, facilitating its transfer, or providing services to sanctioned parties is at odds with prior OFAC regulations and enforcement history. OFAC regulations have stated that “facilitating” does not include activities that are of a purely clerical or reporting nature and do not further trade or financial transactions.⁴² The core functionality of crypto’s base layer — the public and decentralized recording of the order of data blocks — should be treated the same. Furthermore, to our knowledge OFAC has generally brought enforcement actions that include a facilitation claim when the subject was also responsible for additional culpable actions like using a financial institution as an agent.⁴³

For these reasons, we think that base layer participants are not required to monitor or censor data blocks involving sanctioned addresses as part of a risk-based sanctions compliance policy, and should not be the subject of a sanctions enforcement action for failing to do so. OFAC recommends in guidance that compliance programs be designed using a “risk-based approach.”⁴⁴ OFAC has noted “there is no single compliance program or solution suitable to every circumstance or business… [and that] [a]n adequate compliance solution for members of the virtual currency industry will depend on a variety of factors, including the type of business involved, its size and sophistication, products and services offered, customers and counterparties, and geographic locations served.”⁴⁵ Given the operational role that base layer participants play, which in most instances do not involve engagement with customers or counterparties, we believe that an appropriate risk-based compliance program does not require monitoring or censoring of data blocks involving sanctioned addresses.⁴⁶

Although Financial Crimes Enforcement Network (FinCEN)⁴⁷ guidance is not binding on OFAC, this view is supported by FinCEN’s determination that Bitcoin miners are not money services businesses “because these activities involve neither ‘acceptance’ nor ‘transmission’ of the convertible virtual currency and are not the transmission of funds,”⁴⁸ and FinCEN’s finding that “a person is not a money transmitter if that person only: a) provides the delivery, communication, or network access services used by a money transmitter to support money transmission services.”⁴⁹ Indeed, FinCEN has appropriately recognized that a miner’s function is to “verify the authenticity of a block of transactions” rather than execute transactions.⁵⁰

3b. Crypto’s base layer activities do not meet the standard to be added to the SDN List

Crypto’s base layer operators should not be added to the SDN List for failing to censor data blocks that include a sanctioned address. OFAC adding base layer participants to the SDN List would require a finding that they were “persons” or “entities” that “materially assisted” or “provided financial, material, or technological support” to any persons engaged in sanctioned cyber-enabled activities.⁵¹

Such a finding is unlikely because, first, many base layer activities are not conducted by a “person” or an “entity” but rather by self-executing software code. In those instances, there is no basis to designate them because there is no “person” or “entity” taking any action.

As recent examples demonstrate,⁵² when OFAC has historically designated parties under the “material support” provisions of various executive orders, it has designated malicious actors who were taking extreme actions such as providing sensitive technology to designated parties or covertly funneling money on their behalf.⁵³ That is distinct from the function of crypto’s base layer, which is to provide neutral, open-source software to validate and post information to a blockchain. Accordingly, base layer activities are different in kind from the actions OFAC has previously found sufficient to constitute material support.

3c. Crypto’s base layer operators are dealing in information, which is carved out from OFAC’s jurisdiction under IEEPA

There are also statutory limitations on the application of IEEPA to the importation or exportation of information that suggests the activities of crypto’s base layer are not intended to be covered by the sanctions regime. E.O. 13694 and the bulk of modern sanctions are promulgated under IEEPA, a 1970s-era federal law granting powers to the president in the event of a national emergency.

IEEPA is limited in several key ways, however, including with respect to the export of “information.” In 1988 and 1994, Congress passed a series of restraints on presidential powers known as the “Berman Amendments,” which collectively provided that OFAC cannot regulate “the importation from any country, or the exportation to any country…[of] any information or informational materials.”⁵⁴ This limitation of powers exists “regardless of format or medium of transmission.”⁵⁵

While OFAC has attempted to narrow the exemptions codified by Congress,⁵⁶ recent decisions by U.S. courts suggest that OFAC’s narrow reading of the Berman Amendments is not supported by the statute’s text.⁵⁷ Thus, along with the points above, it can be further argued that the work of crypto’s base layer is merely dealing in information — even if that information has value — and thus is exempted from U.S. sanctions promulgated under IEEPA.

4. Results of imposing sanctions compliance obligations at the base layer

In this section, we discuss the damaging and counterproductive consequences of forcing base layer participants to monitor and screen data blocks under the threat of sanctions compliance obligations.

The degree of network censorship resulting from base layer participants screening data blocks involving sanctioned addresses will depend on important technical nuances outside of the scope of this paper.⁵⁸ Nonetheless, abandoning the neutrality of core operational features of blockchains risks breaking blockchain’s crucial consensus mechanism.

For example, if certain censoring validators take the position of refusing to attest to prior blocks that include transactions with sanctioned addresses, the network could fork. Censoring validators would disagree with non-censoring validators by denying the existence of transactions with sanctioned addresses, and the network would split into two conflicting realities. Alternatively, if users disagree with the decision of a supermajority of validators to censor transactions, users could “fork them out” by choosing not to utilize these validators. No matter its cause, a network fork would be highly disruptive and undermine the fundamental proposition of blockchain technology, which is to provide a universal record of the order of data blocks.

This sanctions-driven network splintering would ultimately harm U.S. national security interests. The fear of sanctions enforcement could result in base layer participants such as validators and miners going offshore. This would limit U.S. influence over the development of the technology and have negative effects on the U.S. economy and American hegemony. These consequences run counter to goals of President Biden who stated in his March Executive Order that the “United States has an interest in ensuring that it remains at the forefront of responsible development and design of digital assets and the technology that underpins new forms of payments and capital flows in the international financial system.”⁵⁹

Further, such a reaction would increase the difficulty of monitoring base layer participants, including those that serve as on- and off-ramps. As more activity moves offshore, regulators will have decreasing visibility into exchanges and validators because they would be subject to fewer reporting obligations, making it harder for U.S. regulators to track and trace illicit funds. These services would be driven to other jurisdictions or captured by parties that may be antagonistic to national security interests of the U.S. and its allies.

Indeed, the precedent set here by the United States will likely be followed by other countries, including those whose values diverge from our own. If the United States applies censorship to the base layer, other countries may choose to do the same. This could result in foreign laws driving censorship of crypto in the United States or, alternatively, every country having its own “compliant” version of crypto that is operated by validators within that country and that is completely isolated from other countries’ versions. The present internet avoided this fate, with limited exceptions, to the benefit of us all.

5. The importance of maintaining the neutrality of technological infrastructure is widely recognized

An obvious analogy for crypto’s base layer is the infrastructure underlying the internet. ISPs collect and send packets of information between users leveraging protocols such as TCP/IP.⁶⁰ Just as base layer neutrality is necessary for crypto to function efficiently,⁶¹ allowing for the uncensored flow of information at the bottom layer of communication networks is critical.

From an architectural standpoint, networks benefit from pushing discretion to the edges and keeping the core free from censorship so that information can flow freely. Therefore, maintaining network integrity is another reason to resist fracturing global communications through jurisdictional policy decisions, even if certain issues like sanctioning the DPRK have strong consensus. In the way that internet messaging functions today policy decisions have already been made to allow for balancing network integrity and national interests. In contrast, internet censorship through actions like “packet filtering” has been associated with oppressive and authoritarian regimes.⁶² For blockchain infrastructure, there are other places more appropriate to adjudicate transactions. U.S. regulators should be consistent in their approach and recognize that maintaining the neutrality of crypto’s base layer is of paramount importance.

6. Conclusion

OFAC’s identification of blockchain addresses to the SDN List should not require any base layer participants to censor transactions that involve sanctioned addresses. OFAC regulations require the implementation of risk-based compliance programs tailored to the specific activities of the base layer participants in question. Given that the role of crypto’s base layer is fundamentally the public recording of the order of data blocks, participants should not be required to screen blocks that include sanctioned addresses.

Applying sanctions compliance obligations at the base layer would also have counterproductive national security implications and push development of important technology offshore, thereby making it harder to track and trace crypto transactions core to protecting national interests.

Crypto holds great promise for America and the world. Over time, we are confident that industry and regulators can, by working together, fulfill American ideals of free speech, privacy, and financial freedom.

Acknowledgments

Special thanks to Angela Angelovska-Wilson, Katie Biber, Henley Hopkinson, Linda Jeng, Emily Meyers, Michael Mosier, Georgia Quinn, Rebecca Rettig, Gabriel Shapiro, Justin Slaughter, and Sheila Warren for their review and feedback.

Disclosure

This content is provided for informational purposes only, and should not be relied upon as legal, business, investment, or tax advice. Circumstances vary, and one should consult their own advisers and attorneys for advice. Certain information contained herein has been obtained from third-party sources. While taken from sources believed to be reliable, the authors have not independently verified such information and make no representations about the current or enduring accuracy of the information or its appropriateness for a given situation. References to any securities or digital assets are for illustrative purposes only, and do not constitute an investment recommendation or offer to provide investment advisory services.

Footnotes

1. A position paper drafted by the Crypto Council for Innovation (CCI) and Paradigm. This paper should not be relied on as legal advice. ↩

2. This action prohibited any U.S. person without a license from sending to, or receiving crypto from, the listed addresses, including the addresses where the Tornado Cash bytecode or smart contract (a specific, widely-used program that implements the Tornado Cash protocol) is stored on Ethereum. ↩

3. “Censoring” by a base layer participant would entail either excluding any transactions that involve sanctioned addresses in blocks they propose, or refusing to attest to any blocks that include such transactions. ↩

4. To be clear, our analysis solely addresses the infrastructure layer composed of the blockchain network that underlies on-chain transactions. ↩

5. A “fork” occurs when the community of a particular blockchain’s protocol makes changes to the basic set of rules, such that the chain splits. This creates a new version of the blockchain that shares history with the original, but additional blocks are no longer backward-compatible with earlier rules. ↩

6. OFAC, “Sanctions Programs and Information,” available here (noting OFAC administers sanctions “based on US foreign policy and national security goals”). ↩

7. Executive Order 14067, 87 Fed. Reg. 40881 (2022), available here. ↩

8. This paper is limited to analysis of U.S. sanctions laws. It does not address the applicability of other statutes, such as 18 U.S.C. §§ 1956, 1957, to base layer activities. ↩

9. Builders construct full blocks and send them (or their headers) to validators. ↩

10. Mining pool operators collect transactions into blocks and distribute the block headers to miners. Miners on some chains, including Bitcoin, typically do not choose what transactions they mine, and only see the block headers, not the individual transactions. See, e.g., Gert-Jaap Glasbergen, “Who is Monitoring Mining Pools?” (Aug. 21, 2020), available here. ↩

11. Relays collect bundles from searchers or builders and send them to builders or validators. ↩

12. Searchers collect transactions and bundle them together to submit to builders or relays. ↩

13. Sequencers act like builders for “rollups,” which are blockchains that are built on top of another blockchain. ↩

14. Validators include miners in proof-of-work blockchains and stakers in proof-of-stake blockchains. ↩

15. OFAC, “Sanctions Programs and Information,” (last visited Sept. 7, 2022), available here. ↩

16. See, e.g., Department of the Treasury, “A Framework for OFAC Compliance Commitments,” available here, and OFAC, “Sanctions Compliance Guidance for the Virtual Currency Industry,” (Oct. 2021), available here. ↩

17. 50 U.S.C. § 1701 et seq. ↩

18. 50 U.S.C. § 1601 et seq. ↩

19. Executive Order 13694, 80 Fed. Reg. 18077 (2015), available here. ↩

20. See Executive Order 13757, 82 Fed. Reg. 1 (2017), amending E.O. 13694, available here. ↩

21. E.O. 13694 specifically defines these terms: “the term ‘person’ means an individual or entity…the term ‘entity’ means a partnership, association, trust, joint venture, corporation, group, subgroup, or other organization.” See § 6(a)-(b). ↩

22. Id., § 1(a)(ii)(A). ↩

23. A U.S. person is generally defined as “any United States citizen, permanent resident alien, entity organized under the laws of the United States or any jurisdiction within the United States (including foreign branches), or any person in the United States.” See, e.g., 31 C.F.R. § 560.314. ↩

24. E.O. 13694 § 1(a). ↩

25. Executive Order 13694, 80 Fed. Reg. 18077 (2015), available here, as incorporated in Executive Order 13757, 82 Fed. Reg. 1 (2017) amending the E.O., available here. See also, Stefan Reisinger, The Facilitation Prohibition (Dec. 2013), available here. ↩

26. U.S. Department of Treasury, “Treasury Designates Iran-Based Financial Facilitators of Malicious Cyber Activity and for the First Time Identifies Associated Digital Currency Addresses,” (Nov. 28, 2018), available here. ↩

27. U.S. Department of the Treasury, “U.S. Treasury Issues First-Ever Sanctions on a Virtual Currency Mixer, Targets DPRK Cyber Threats,” (May 6, 2022), available here. ↩

28. U.S. Department of the Treasury, “Cyber-related Designation: Specially Designated Nationals List Update,” (Aug. 8, 2022), available here (listing website, ETH addresses, including smart contract addresses, USDC addresses and “Organization Established Date 2019,” although no information was provided as to “what” the organization is). ↩

29. See, e.g., U.S. Department of Treasury, “Treasury Designates Iran-Based Financial Facilitators of Malicious Cyber Activity and for the First Time Identifies Associated Digital Currency Addresses,” (Nov. 28, 2018), available here; U.S. Department of Treasury, “Cyber-related Designations and Designations Updates,” (Nov. 8, 2021), available here (designating individuals and associated virtual currency addresses). ↩

30. E.O. 13694, as amended. ↩

31. Coin Center, “Analysis: What is and what is not a sanctionable entity in the Tornado Cash case,” (Aug. 15, 2022), available here. On September 8, a group of plaintiffs filed a federal complaint against OFAC in the Western District of Texas, challenging the sanctions of the Tornado Cash smart contracts and asking the Court to remove them from the sanctions list. In a blog post announcing Coinbase’s funding of the litigation, Coinbase CEO Brian Armstrong wrote, “Sanctioning open source software is like permanently shutting down a highway because robbers used it to flee a crime scene.” Coinbase, “Defending Privacy in Crypto,” (Sept. 8, 2022), available here. ↩

32. This paper is limited to U.S. sanctions laws. It does not address the applicability of other statutes, such as 18 U.S.C. §§ 1956, 1957, to base layer activities. ↩

33. E.O., § 1(a). ↩

34. 50 U.S.C. § 1705(a). ↩

35. See, e.g., U.S. Department of the Treasury, “A Framework for Compliance Commitments at 9-10,” (May 2, 2019), available here (identifying a common root cause of sanctions violations as “Facilitating Transactions by Non-U.S. Persons”). See also, 31 C.F.R. § 578, effective as of Sept. 6, 2022. U.S. Department of the Treasury, “Amendment to the Cyber-Related Sanctions Regulations and Associated Administrative List Updates,” (Sep. 2, 2022), available here. ↩

36. Executive Order 13694, 80 Fed. Reg. 18077 (2015), available here. See also Executive Order 13757, 82 Fed. Reg. 1 (2017) amending E.O. 13694, available here. ↩

37. See, e.g., Stefan Reisinger, “The Facilitation Prohibition,” (Dec. 2013), available here. ↩

38. E.O. 13694, § 1(a). ↩

39. “Possession” means “1. The fact of having or holding property in one’s power; the exercise of dominion over property. 2. The right under which one may exercise control over something to the exclusion of all others; the continuing exercise of a claim to the exclusive use of a material object.” POSSESSION, Black’s Law Dictionary (11th ed. 2019); see also Merriam-Webster Dictionary (“control of the ball or puck”), available here. “Control” means “[t]he direct or indirect power to govern the management and policies of a person or entity, whether through ownership of voting securities, by contract, or otherwise; the power or authority to manage, direct, or oversee .” CONTROL, Black’s Law Dictionary (11th ed. 2019). In the context of traditional banking transactions, OFAC has explained that banks, for instance, are required to block an “opening deposit” from an SDN or a request from a customer to send money to a relative on the SDN list. U.S. Department of Treasury, “Frequently Asked Questions No. 42,” (Aug. 11, 2020), available here. In other words, “[y]ou might think of the analogy of a bouncing ball,” and “[o]nce the ball starts moving, you must stop it if it comes into your possession.” Id. ↩

40. “The term ‘transfer’ means any actual or purported act or transaction, whether or not evidenced by writing, and whether or not done or performed within the United States, the purpose, intent, or effect of which is to create, surrender, release, convey, transfer, or alter, directly or indirectly, any right, remedy, power, privilege, or interest with respect to any property.” 31 C.F.R. § 578.316. ↩

41. While OFAC has brought enforcement actions against companies that provided technology services to sanctioned parties, the penalized actions amounted to direct assistance to sanctioned parties as opposed to enabling the fundamental operation of a network. See, e.g., OFAC, “OFAC Settles with SAP SE for Its Potential Civil Liability for Apparent Violations of the Iranian Transactions and Sanctions Regulations,” (April 29, 2021), available here (noting that “violations arose from SAP’s exportation of software and related services from the United States to companies in third countries with knowledge or reason to know the software or services were intended specifically for Iran”) and OFAC, “Enforcement Action against Société Internationale de Télécommunications Aéronautiques SCRL,” (Feb. 26, 2020), available here (noting that SITA knowingly provided commercial services and software that benefitted specially designated global terrorists). ↩

42. 31 C.F.R. § 538.407(a). We note that the Sudan sanctions are no longer in effect. ↩

43. See, e.g., OFAC, Enforcement Release - Sojitz (Hong Kong) Limited (Jan. 11, 2022) (finding Sojitz HK caused “multiple U.S. financial institutions to (i) engage in unauthorized financial transactions related to goods of Iranian origin in violation of § 560.206 of the ITSR and (ii) facilitate Sojitz HK’s Iran-related financial transactions that would have been prohibited if performed by a U.S. person in violation of § 560.208 of the ITSR”), available here; and OFAC, Enforcement Release - PT Bukit Muria Jaya (Jan. 14, 2021) (finding PT BMJ “caused U.S. banks to: (i) deal in the property or interests in property of a Specially Designated National or Blocked Person; (ii) export financial services to the DPRK; or (iii) otherwise facilitate export transactions that would have been prohibited if engaged in by U.S. persons in apparent violation of §§ 510.201, 510.206, and 510.211 of the NKSR”), available here. ↩

44. See, e.g., Department of the Treasury, “A Framework for OFAC Compliance Commitments,” available here, and OFAC, “Sanctions Compliance Guidance for the Virtual Currency Industry,” (Oct. 2021), available here. ↩

45. OFAC, “Sanctions Compliance Guidance for the Virtual Currency Industry,” (Oct. 2021), available here. ↩

46. We note that OFAC has stated in guidance that “All companies in the virtual currency industry, including technology companies, exchangers, administrators, miners, and wallet providers, as well as more traditional financial institutions that may have exposure to virtual currencies or their service providers, are encouraged to develop, implement, and routinely update, a tailored, risk based sanctions compliance program. Such compliance programs generally should include sanctions list and geographic screening and other appropriate measures as determined by the company’s unique risk profile.” OFAC, “Sanctions Compliance Guidance for the Virtual Currency Industry,” (Oct. 2021), available here. This guidance, which by its own admission does not have the force of law, overtly states that it is a summary of general guidelines to companies. It does not demand firms follow specific protocols, but merely states that firms are “encouraged” to build compliance programs, ones that “generally” should include “appropriate measures.” It would be a mistake to read this broad but brief language as requiring a specific action such as the destruction of the base layer. ↩

47. FinCEN, along with OFAC, is a Treasury bureau that protects the financial system from illicit use of funds and money laundering to promote national security. See FinCEN, “What We Do,” (last visited, Sept. 7, 2022), available here. ↩

48. FinCEN, “Application of FinCEN’s Regulations to Virtual Currency Mining Operations,” (Jan. 30, 2014), available here. ↩

49. FinCEN, “Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies,” (May 9, 2019), available here. ↩

50. Id. ↩

51. E.O. 13694, § 1(a)(ii)(B). ↩

52. In October 2017, for instance, three entities were designated pursuant to E.O. 13224 for providing material support in the form of military equipment — including radar systems, missile design components, and navigation-related gyrocompasses — to designated Iranian entities. U.S. Department of the Treasury, “Treasury Designates the IRGC under Terrorism Authority and Targets IRGC and Military Supporters under Counter-Proliferation Authority,” (Oct. 13, 2017), available here. Similarly, in May 2018, OFAC designated the Chairman and Chief Executive of a bank for providing material support to the IRGC by using the bank to enable the IRGC to move funds from Tehran to Hizballah. Treasury Department, “Treasury Targets Iran’s Central Bank Governor and an Iraqi Bank Moving Millions of Dollars for IRGC-Qods Force,” (May 15, 2018), available here. And in June 2018, OFAC designated three entities under E.O. 13964 — at issue here — for (1) working on a project to increase the Russian FSB’s offensive cyber capabilities, (2) being a research institute with “extensive ties” to the FSB, and (3) procuring underwater equipment and diving systems for Russian agencies. U.S. Department of Treasury, “Treasury Sanctions Russian Federal Security Service Enablers,” (Jun. 11, 2018), available here. ↩

53. As of the release of new cybersecurity regulations last week, “the term ‘financial, material, or technological support,’ as used in this part, means any property, tangible or intangible, including currency, financial instruments, securities, or any other transmission of value; weapons or related material; chemical or biological agents; explosives; false documentation or identification; communications equipment; computers; electronic or other devices or equipment; technologies; lodging; safe houses; facilities; vehicles or other means of transportation; or goods. ‘Technologies’ as used in this section means specific information necessary for the development, production, or use of a product, including related technical data such as blueprints, plans, diagrams, models, formulae, tables, engineering designs and specifications, manuals, or other recorded instructions.” 31 C.F.R. § 578.306. See “Amendment to the Cyber-Related Sanctions,” (Sep. 2, 2022), available here. ↩

54. 50 U.S.C. § 1702(b)(3). ↩

55. Id. ↩

56. 31 C.F.R. § 510.213(c)(2). ↩

57. TikTok Inc. v. Trump, 507 F. Supp. 3d 92, 108–09 (D.D.C. 2020), appeal dismissed sub nom. TikTok Inc. v. Biden, No. 20-5381, 2021 WL 3082803 (D.C. Cir. July 14, 2021). ↩

58. See, e.g., Bitmex Research, “OFAC Sanctions & Ethereum PoS - Some Technical Nuances,” (Aug. 19. 2022), available here. ↩

59. Executive Order 14067, 87 Fed. Reg. 40881 (2022), available here. ↩

60. Rus Shuler, “How Does the Internet Work?” (2002), available here. ↩

61. Wired, “The WIRED Guide to Net Neutrality,” (May 5, 2020), availablehere. ↩

62. Berkman Klein Center, “The Shifting Landscape of Global Internet Censorship,” (2017), available here (analyzing global internet content restrictions, especially state-sponsored filtering through technical means). ↩