Analysis: The disappointing denial of Tornado dev’s motion to dismiss

Inconsistent choices amid overlapping law skips over the serious issues at play and sets up for a dangerous precedent

by 

Blog Financial Surveillance Innovation Policy Privacy & Autonomy BSA FinCen Litigation OFAC Treasury

Recently Judge Katherine Polk Failla offered her reasons for denying a motion to dismiss the charges against Tornado Cash developer Roman Storm. Storm has been charged in the Southern District of New York with conspiracy to do unlicensed money transmission, evade sanctions, and launder money. Last summer, the defense offered a motion to dismiss those charges on the grounds that the indictment insufficiently alleged criminal acts. Because of the larger policy issues at stake Coin Center filed an amicus brief supporting that dismissal. These motions are where many questions of law get resolved. Because the motion was rejected, Storm will proceed to trial where questions of fact will be argued and determined. That trial will be very important for Storm, but for the larger ecosystem seeking legal clarity, the rejection of the motion to dismiss might be more significant.

For expediency the court’s reasoning was offered in a conference call rather than a written opinion, so it has been under-reported and under-analyzed. The transcript of that call appears to be the full reasoning on the legal matters in question, and—unfortunately—Judge Failla has said she does not intend to publish a full written ruling. This also means it’s difficult to talk about the ruling. Judge Failla’s remarks outside of the unadorned motion denial may not yet have any binding effect outside of this case. As such, it’s unclear whether we should even refer to this reasoning as “the court’s reasoning” or “Judge Failla’s reasoning.” To avoid making these criticisms appear personal (they are not) we will use “the court” in this post, but do not take from that anything beyond courtesy on our part.

As we have discussed for the last year, the legal issues in this case are very important to anti-money laundering (AML) and sanctions policy for crypto developers generally, informing who must register as a money transmitter and what kinds of activities could trigger sanctions liability if, for example, North Korea uses your software or services. Therefore, this ruling is extremely consequential. Aspects will likely be appealed and there may be related challenges in other courts, but for now this is the most authoritative court interpretation of these laws we have yet had.

In this post I want to break down some of the court’s reasoning on the unlicensed money transmitting charge, the sanctions charge, and the constitutional defenses (First Amendment, Due Process, and Lenity). We will not look at the money laundering charges in this post because those issues are the most highly fact dependent and we will learn more about them when they are prosecuted at trial.

Substantive Questions depend on Statutory Questions

From a substantive public policy perspective, the most important parts of the court’s reasoning in the transcript are its proposed answers to the following questions:

The money transmission question: Is control over user funds a necessary element of charging unlicensed money transmission?

The lenity and due process questions: Is there sufficient ambiguity in the elements of unlicensed money transmission that would allow defendants to successfully argue that the rule of lenity and due process must prevent a conviction?

The sanctions question: Did the development and maintenance of Tornado Cash fit under the informational materials exemption from sanctions authority (the Berman Amendments)?

The free speech question: Did the development and maintenance of the Tornado Cash protocol qualify as protected speech? And, relatedly, are the criminal laws and regulations overbroad such that they unconstitutionally chill a substantial amount of protected expression? And what is the appropriate standard of scrutiny to evaluate the constitutionality of the law and regulations’ burden on speech?

But at root, many of these questions stem from a foundational question:

The statutory interpretation and administrative law question: Which words, specifically, create obligations and carry criminal penalties? Is it (a) the criminal law sections of the U.S. Code (USC), (b) the Bank Secrecy Act (BSA) sections of the USC, (c) the International Emergency Economic Powers Act (IEEPA) sections of the USC, (d) the implementing regulations for the Bank Secrecy Act in the Code of Federal Regulations (CFR), (e) the implementing regulations of IEEPA, and/or (f) the guidance documents from either the BSA regulator, FinCEN, or the sanctions regulator, the Office of Foreign Asset Control (OFAC)?

I know that is a lot of legal minutiae, but this is actually how these statutes and regulations work. There are disparate and overlapping authorities at play: from the U.S. Code to the regulations to the guidance. Exactly which text is authoritative and should be analyzed by courts is as important a question as the ultimate substantive question of what that text says. When you are charged with a crime it should be crystal clear which letter of which law it is that the government thinks you broke.

To start, the criminal code at 18 USC § 1960 creates an offense, unlicensed money transmission, but it includes three different ways to describe and charge that offense: 1960(b)(1)(A), (B), and (C). The prosecution is charging Storm with two of those: (1)(B) Failure to register according to the Bank Secrecy Act requirements, and (1)(C) knowingly transmitting criminal funds.

To charge (1)(B), the prosecution needs to show that the defendant is a regulated financial institution as defined within the BSA and that he has not registered. To charge (1)(C) the prosecution only needs to show that the defendant knowingly transmitted money as that term is defined in the criminal code rather than in the BSA. For those keeping score, that is two distinct definitions of the same term: money transmission. This textual complexity gets worse, however, because while there is a definition of money transmission in the BSA, there is also a different definition in the implementing regulations from FinCEN that includes a “facts and circumstances” test. And finally, there are also the 2019 guidance and several administrative rulings from FinCEN interpreting the regulations with respect to crypto. That’s roughly four definitions of the term “money transmission” to analyze. Which one matters? We will discuss the court’s answer and our disagreement with that answer below. For now here is a chart to review the overlapping authorities in money transmission charges:

For the sanctions charges, one of the most pertinent statutory interpretation questions is whether defendants are exempt from liability under the “informational materials” carve-out of IEEPA. Once again, there is a statutory definition of “informational materials” in the U.S. Code but there are also regulations from OFAC that narrow the category of “informational materials” in order to attempt to exclude software from those exemptions. Here is a chart for the sanctions statutory authorities:

Before we get to each of the substantive questions that we started with, we need to ask which text the court is bound to interpret. The answer to the question, Is the definition of “money transmission” impermissibly vague (triggering due process defenses), ambiguous (triggering lenity defenses), or overbroad (triggering First Amendment scrutiny)?, depends on which definition of money transmission is relevant. Similarly, the question, Are my activities exempt from sanctions liability because my transactions are solely for informational materials?, depends on which definition of “informational materials” the court is bound to interpret.

Which law is the law?

Our main concern with the court’s reasoning is that it has inconsistently and inappropriately chosen to interpret only the definitions that are less vague, ambiguous, or overbroad. As a result, it has rejected arguments that these laws are insufficiently definite to charge the alleged conduct. The court might say that in each case it has correctly identified only the binding legal definitions in the statutes, and that it is disregarding the non-binding regulatory rules and guidance. Even this, however, is not accurate. In the context of the unlicensed money transmission charge, it is true that the court identified the statutory definitions as determinative, however in the context of the sanctions charges it disregarded the statute and identified the regulations as determinative of what constitutes “informational materials.” The court may have good but unspoken reasons for making that choice. However, the outcome we can observe is simply that in each case it chose the text that is worse for the defendants rather than making a procedurally consistent choice (e.g., only looking at the statute).

Perhaps more importantly, with respect to the BSA-related money transmitting charge, looking only at the statute is inappropriate. The statute is not and cannot be binding on anyone but for the implementing regulations. That would suggest that only looking at the statute is the wrong choice. Let’s unpack that.

The BSA is not self-executing. That means it does not obligate anyone to do anything; it simply empowers the Secretary of Treasury to collect whichever reports it finds necessary from whichever financial institutions it chooses to define and obligate. Therefore, one cannot understand one’s own money transmitting licensing obligations simply by looking at the U.S. Code alone. Again, the BSA does not create any self-executing obligations on U.S. persons; it only empowers the Secretary of Treasury to create those obligations and describe them in regulations and guidance.

The collateral consequences of the way the BSA is structured are at the core of this case. They determine the outcome of substantive questions like “what is money transmission?” and also collateral defenses like lenity, due process, and overbreadth. If the BSA is not self-executing then the court must consider (a) whether control is a necessary element of money transmission as it is defined in the regulations rather than the statute, (b) whether the government is entitled to deference in their interpretation of the statute or the regulations, (c) how to interpret those regulations de novo if deference is inappropriate, and (d) whether the regulations are ambiguous (triggering the rule of lenity), vague (triggering due process concerns), or overbroad (triggering First Amendment scrutiny). One may also need to determine whether the statute is in fact an unconstitutional delegation of legislative power from Congress to the regulator, something we argued in a report last year (note however that the defense has not yet raised that claim in this case).

We agree with the court that the statute alone is not ambiguous. We have written extensively on this point: the statute is not ambiguous but rather horrifically broad in its delegation of power to the Treasury Department. The regulations implementing that statute, however, are exceedingly ambiguous. So the court would be right to reject ambiguity-dependent defenses about lenity, vagueness, and overbreadth if the statute was the law that actually created criminal liability. But the statute does not create the criminal liability; the regulations do that by defining who is obligated as a financial institution, and those regulations are indeed ambiguous. We believe the court should have interpreted the regulations to find whether they were sufficiently definite to charge Storm rather than looking at the statute alone.

Additionally, in the wake of Loper Bright Enterprises v. Raimondo overruling Chevron, the government’s interpretation of these laws gets no deference. Indeed, long before Loper Bright, Justice Scalia rightly pointed out that deference should never come into play when criminal liability, rather than mere administrative or civil penalties, are at stake, as is the case with Storm. He wrote that lenity should always be the standard of interpretation where administrative actions rather than Congress create criminal liability. As he wrote:

Legislatures, not executive officers, define crimes. … The rule of lenity requires interpreters to resolve ambiguity in criminal laws in favor of defendants. Deferring to the prosecuting branch’s expansive views of these statutes would turn their normal construction upside-down, replacing the doctrine of lenity with a doctrine of severity.

The court should therefore engage in a de novo interpretation of those regulations, and, as appropriate in any criminal context, resolve any ambiguities in the regulations in favor of the criminal defendant, as per the rule of lenity. Given the ambiguous nature of the regulations, we think the (1)(B) unlicensed money transmission charge should have been dismissed. The other unlicensed money transmitting charge, (1)(C) knowingly transmitting criminal funds, may still stand, as it is not dependent on any of those ambiguous regulations, but (1)(C) is a harder charge to prove at trial because it requires proof of the defendant’s state of mind. The government should be obligated to prove those facts rather than suggest that the mere failure to register with FinCEN (a regulator who fairly clearly said no registration was needed in this case) is somehow sufficient for criminal penalties to attach.

The BSA regulations as compared with the statute are also vague and vulnerable to arbitrary enforcement. The court should therefore reapply its due process analysis starting with those regulations rather than the statute. Similarly, the regulations are also overbroad and dubious on First Amendment overbreadth grounds. In all these areas the court conducted the correct legal analysis but it was analyzing the wrong text. If it serves them, we hope the defense will appeal the court’s reasoning on those grounds. A different but similarly situated potential defendant could also bring a civil suit challenging these interpretations, and we are exploring our options there. For now, however, we’ll leave the full due process and overbreadth analysis to another day. Let’s turn to the heart of the First Amendment discussion within the transcript of the ruling.

Code is Speech?

Storm’s free speech defenses revolve around whether publishing (on a website and a blockchain) and maintaining the Tornado Cash protocol is a protected speech act and whether it should be protected at a lower level of scrutiny (intermediate scrutiny) typical for content-neutral restrictions on expressive conduct, or a higher level of scrutiny (strict) typical for content-based restrictions on pure speech.

Based on the court’s somewhat fragmented remarks on Storm’s First Amendment defenses, we can assume that it would reject these claims irrespective of whether the underlying text for any of these charges was the statute or the regulation. In either case, the subject of the law would still be Storm’s activities in publishing and maintaining the Tornado Cash protocol, and Storm’s conduct, according to the ruling, is not constitutionally protected because:

The conduct charged in the indictment includes the functional capability of code … to the extent that the indictment alleges that Mr. Storm used computer code, it was to design a program that further [sic] money laundering and sanctions evasion scheme. … The use of computer coding or software to achieve these ends is far from the expressive sort of coding that would merit First Amendment protection.

The basis for the court’s distinction between functional and expressive code is a Second Circuit case from 2001, Universal Studios v. Corley. The problem with that basis, as we will detail below, is that Corley is no longer good case law in the Second Circuit and the Supreme Court. The court, in the transcript of the oral ruling, seems unaware of that change in First Amendment jurisprudence.

Corley was a case about DRM-circumvention software for copying copyrighted DVDs. The Second Circuit in Corley ultimately found that defendants posting and linking to that software could be banned from doing so because, while code is speech and gets First Amendment protections, the law only targeted the “functional capability” of that code and not its expressive qualities. The court invented this functional vs expressive code distinction in the Corley case and in an earlier ruling, CFTC v. Vartuli. This distinction was never before a part of the First Amendment analysis. In the intervening 23 years, the Supreme Court has never adopted that distinction as a threshold to doing First Amendment analysis in software cases.

Nine years after Corley, the Second Circuit was presented once again with a First Amendment claim by a party seeking to transact in computer data that was prohibited by law. That case was IMS Health v. Sorrell. Once again, the court had a clear opportunity to follow and indeed extend Corley’s functional vs expressive approach to the threshold question of First Amendment protection for computer data. It did not.

As the dissenting Second Circuit judge in Sorrell wrote, the court:

Does not even bother to engage in the fundamental First Amendment analysis our case law requires. The majority offers no cogent reason for why this ‘dry information’ falls into the category the First Amendment protects, nor any discussion of how this ‘dry information’ can be deemed to ‘advance’ the ‘values served by the First Amendment.’

The judge’s reference to the “values served by the First Amendment” is a quote from the section of Vartuli that formed the basis for Corley’s functional vs expressive analysis. The values Corley and Vartuli point us to are “the pursuit of truth, the accommodation among interests, the achievement of social stability, the exposure and deterrence of abuses of authority, personal autonomy and personality development, [and] the functioning of democracy.”

Setting aside for a moment the fact that this test is not even good case law, of all of the types of speech to consider in these various cases, Storm’s Tornado Cash software actually seems the most likely to advance the values served by the First Amendment. Here are the following different types of speech, roughly summarized:

  1. Corley: code that can be used to break cryptographic digital rights management controls
  2. Sorrel: data about which drugs doctors are prescribing
  3. Storm: code that can be used to obtain transactional privacy on blockchains

It is certainly arguable that DVD ripping and prescription drug marketing only dubiously or tendentiously support those values. But Tornado Cash software does it directly: Coin Center has used Tornado Cash to engage in protected political association. One of our co-plaintiffs has used it to maintain privacy over his paychecks. Another has used it to raise funds for the defense of democracy in Ukraine.

If the Vartuli values were the applicable standard, then Storm’s code is certainly more in keeping with First Amendment values than the marketing data in Sorrell or the circumvention software in Corley (which can promote fair use but plausibly undermines copyright—another constitutional provision to promote science and the arts). But that doesn’t even matter because Vartuli and Corley are no longer the applicable legal standard for First Amendment protections.

The value-based analysis of whether speech is “functional” or “expressive” has not been followed in the Second Circuit since 2001, and it was never followed by the Supreme Court. In Sorrell, the most recent case on point, the Second Circuit simply found and the Supreme Court affirmed that:

The creation and dissemination of information are speech within the meaning of the First Amendment. … If the acts of disclosing and publishing information do not constitute speech, it is hard to imagine what does fall within that category, as distinct from the category of expressive conduct. (Some internal quotation marks omitted).

At no point did these courts question, following Vartuli and Corley, whether the dry logs of prescriber information at stake in Sorrell expressed the correct values. Instead, merely because those logs were information, their buyers and sellers were entitled to First Amendment protections, indeed ultimately strict scrutiny of the laws that sought to limit their speech.

While not explicitly overruling Corley, the Second Circuit refused to follow its own precedent and the Supreme Court affirmed. To be as clear as possible, there is no longer any functional vs expressive analysis to be done in a First Amendment case about software. If people buying raw data to better market drugs are strictly protected by the First Amendment, so too is anyone publishing true scientific and engineering breakthroughs that can protect our privacy and autonomy. The court in this case seems to have neglected to analyze whether its Circuit still follows Corley in the wake of Sorrell. It does not, and for that reason among others the court’s rejection of a First Amendment defense should be set aside.

Nor would it be good policy for this court to return to the defunct standards in Vartuli and Corley. Those standards inappropriately put judges in the business of determining whether speech is sufficiently expressive of “First Amendment values” to even warrant protection. It asks judges to decide the very thing the First Amendment is meant to prevent the government from doing: picking which ideas, based on their content, should and should not be freely spoken.

Corley is a very old case in the age of the internet and the court at the time knew it was wading into uncharted waters, “one of our Court’s first forays into First Amendment law in the digital age.” It described its approach as “evolutionary” and cautioned that it would consider these issues “only to the extent necessary to resolve the pending appeal.” Nine years later, that same court’s opinion in Sorrell abandoned that “evolutionary” one-off approach to “functional” speech like software and data, and the Supreme Court affirmed. The court in Storm’s case must not and should not revive it.

What now?

The ruling is bad news, both for Storm personally and for crypto developers everywhere looking for clarity on what activities require a license. If control over customer funds isn’t the determining factor, as the 2019 FinCEN guidance led us and many others to believe, then what is? It’s also bad news for our First Amendment rights, presenting a values-based threshold to protections for software development. Fortunately, for the reasons we have outlined, there are many reasons to reject the conclusions reached by the court, and there will be several opportunities ahead to challenge those conclusions.