[Sorry, I typed "algebra.net" instead of "algebra.com" when I changed the
list address used from the out of date "toad.com" address to a more current
address.]
At 3:14 PM -0800 3/1/00, Stefan Brands wrote:
>What I said in my interview with Declan last week at FC2000 was
>that I (personally!) believe that fully anonymous electronic cash
>is likely not acceptable in a large-scale electronic cash system
>*** intended to be a replacement for tangible cash ***. Here are
>the main reasons why I believe this to be the case:
>
>-- Payee traceability protects consumers against remote extortion,
>since they can always cooperate with the bank to allow tracing of
>their payments to the account of the recipient. (This account may
>be anonymous, by the way.)
Both payer and payee traceability are no doubt desirable to some...and
those who want either one can make contractual arrangements for this. A
vendor of a CD or DVD, for example, may wish payer traceability...so that
he knows _who_ has a particular copy of a CD or DVD. Or piece of software.
Whatever.
Absolutely nothing new in this. Some payers want to know whom they are
paying. Some payees want to know whom is paying them. In some transactions
both are desired, in others neither is desired.
(That there are cases where mutual untraceability is desired should be
obvious to us all. Flea markets, or other cash-and-carry, bazaar-type
environments, are usually mutually untraceable. Yeah, it _may_ be possible
to get a vendor name at a flea market, even a receipt, but this is often
not possible. Caveat emptor. Cash settlement often involves no paperwork,
no traceability, and no warranties.)
There are no fundamental reasons to believe there is any asymmetry between
buyers and sellers, between payers and payees. Think of a pure "swap meet."
The distinction between payers and payees is nonexistent. "Cash" has no
mystical properties...it is just another object being swapped.
>
>-- As a 1996 NSA report points out, ``The ideal situation (from the
>point of view of privacy advocates) is that neither payer nor payee
>should know the identity of the other. ... It turns out that this
>is too much to ask: there is no way in such a scenario for the
>consumer to obtain a signed receipt. Thus we are forced to settle
>for payer anonymity.''
I recall this NSA report, even though I rarely rely on the NSA for advice
on such matters.
The NSA report showed unawareness of many options. First, that some parties
to a transaction _want_ receipts is orthogonal to the properties of cash.
(Just as some parties want proofs of age, or marital status, or medical
condition....these are aspects of a purchase agreement or contract, not
properties of a money mechanism!)
Second, the NSA report ignored the role of third party escrow services.
(See the discussion of "You slay, we pay" escrow services, early 90s,
Cypherpunks list, and in many articles written by myself, Hal Finney, Robin
Hanson, and others.)
Third, the report ignores the "agnostic" approaches of Barnes and the
"everyone a mint" approaches of Goldberg.
A receipt is just another aspect of a transaction. Sometimes sellers want
receipts (which would, by NSA logic, imply payer untraceability),
sometimes buyers want receipts, sometimes neither wants receipts, sometimes
both want receipts. And sometimes even the government wants receipts.
So does this mean that the form of digital cash must encompass providing
receipts for the government? Clearly not. Receipts, age credentials, etc.,
SHOULD NOT BE BUILT INTO THE MONEY PRIMITIVES.
And given that there is no reason, technically, why such capabilities
"must" be built into the form of the money primitives, to build them in is
to make a choice about which party is more deserving of receipts. Or to put
this more clearly, to build a "government-friendly" money system.
Why not add such things as the abiity to instantly freeze the money if
government wishes to? (And freeze it at the payer level, too.) And so on.
Tax collection features, receipts for local government, etc.
However, if a simpler system without these government-friendly features is
possible (and even Chaum acknowledged this, despite his qualms), both kinds
will circulate. Which will win depends on many factors.
>-- On a related note, if the payee is anonymous to the payer, the
>latter cannot complain about bad goods or service.
Yes, so? If the payer is anonymous to the payee, the latter cannot track
who has which purchased software items. (Think of electronic books with
watermarks...if we have payer anonymity, then the payer can make as many
copies and distribute them as he wishes, because the payee does not know
who the payer was.)
I am not making an argument for payer traceability, just noting that there
is a fundamental symmetry involved. Some payers want to know who they are
paying, some payees want to know who has paid them. For many reasons,
including copyright protection, warranty work, notification of payers when
product defects are found, customer profiling, age credential issues (e.g.,
selling porn online), and so on.
The point is simple: these wishes are NOT FUNDAMENTAL to the form of money.
Arguing that payers have some more basic need to be untraceable than payees
have is ludicrous.
I called Chaum on this several years ago. He was citing his usual
Corporation tracing the purchases of Customers example, and why Customers
need untraceability to protect them from the Corporation (or Merchant, or
Bank, whatever). I pointed out that, aside from the basic issue of payers
and payees being fundamentally indistinguishable from each other in a rich
trading environment (think: many purchases, many trades, like a bazaar, or
the "silk road" that Tribble and Hardy write about), there are also
plentiful examples of where the payee has a very real need, in some cases,
for untraceability.
Example: "Mustapha's Birth Control Bazaar." Online. Operating in
cypherspace. (Data havens, a la my own Blacknet, but with anticipated
refinements.) So the Ayotollah Fatami sends his agents out to buy birth
control information. Since they have payer untraceability, Mustapha doesn't
know who they are or where they are, etc. But since payee traceability is
lacking, Mustapha is traced and the Ayotallah sends his Army of God to
whack Mustapha.
This is quite clearly a case where payee untraceability is JUST AS
IMPORTANT as payer untraceability.
One can readily construct many such real-world examples. The sellers of
texts of "The Satanic Verses" (in a few years, when texts are primarily
online), the sellers of pornography in all of its many forms, and the
sellers of drug, health, or other types of information.
Basically, again, there is no compelling distinction between the
privacy/traceability concerns of buyers and sellers, payers and payees. And
in more complext trading environments, a la EBay and future versions of
such markets, the Chaumian notion of a Customer and a Merchant will vanish
completely.
> Even though a
>fraudulent or negligent payee may be able to repudiate the claim,
>in many applications it is desirable that consumers can at least
>make warn others about the behavior of an unscrupulous payee, or
>that an investigation can be instigated.
Warning others, or selling credit/trust information, is indeed an important
issue. But it can be handled with conventional digital signatures (modulo
some evolution, of course). If "Mustapha's Birth Control Emporium" is
selling bogus information, or whatever the problem is, and Sally B. Fertile
is unhappy with what he sold her, she can announce this (with whatever
proof she can can find, including his digitally signed offers, what she
claimed to have received, etc.).
Building such repudiation/blame things into the form of money is a
shortsighted, and wrongheaded, decision. For the reasons I've been
outlining.
(The general issue of who agreed to what, and what contracts they digitally
signed, is a large issue. The company Eric Hughes was associated with,
Signet Assurance, has some essays on this issue of contracts at
www.sac.net. What contracts may have existed between Mustapha and Sally,
and who burned whom, is a complicated matter to resolve, typically
involving--in meatspace--lawyers, escrow agents, arbitrators, and courts.
What form these disputes will take in cyberspace or cypherspace is unclear,
but attempting to build the resolution mechanism into the form of money is
absurd.)
>-- Absent payee traceability, it is unclear how to the payer can
>recover when the connection with the payee is permanently lost.
>(Likewise, payment disputes cannot be settled, but payment dispute
>settlement reduces payment finality and therefore is not necessarily
>a desirable property. Most cash payments cannot be repudiated either.)
Yep, most cash-and-carry transactions cannot be repudiated either. Caveat
emptor.
If one wants more protections, the parties can negotiate. With escrow, with
special forms of repudiable cash, and so on. This is the way it should be
done: with side arrangements. Not by attempting to build resolution into
the atomic form of the money.
>-- Payee untraceability requires the cooperation of the bank at the
>time of the payment, not for clearing/authorization but to issue
>electronic money from account. It does not work in off-line payments.
Agreed, based on what we've known so far. Hence the role of online
clearing. Fortunately, with dramatically higher bandwidths--including the
"permanent bandwidth" that ZKS itself will be effectively buying--the
concerns of 10 years about online clearing are becoming non-issues.
(I expect a mix of offline and online clearing, based on needs and costs.)
>-- with payee traceability, third parties do *not* have the power
>to trace a designated payment (or deposit) to the payer. The only
>party to have this power is the payer, who hereto needs / may need
>the assistance of the bank.
And the Ayotollah's agents who purchased the demonic birth control
pamphlets at Mustapha's Birth Control Emporium will no doubt seek the
assistance of the bank.
(Unless the bank is itself an ephemeral, "anyone a mint" entity, practicing
forward secrecy of the sort described by Goldberg, Barnes, etc. In which
case payee untraceability has just appeared. Might as well go with it in
the first place, as it's going to emerge anyway. See the last paragraph for
how this will emerge quickly.)
In closing, your claims that payer untraceability occupies a preferred
position in the Ptolemaic world of digital money over payee untraceability
is unsupported. Parties to transactions sometimes want traceability,
sometimes want untraceability, sometimes symettrically, sometimes
unsymmetrically. Nothing new in this.
And governments and churches would usually like to know all they can about
both sellers and buyers.
These desires are expected...but they are not a basic part of what money is.
These desires may be negotiated, arranged for. If both parties agree, then
options exist for traceability (cf. the above about escrow agents, contract
trails, even special forms of digital money with traceability built in to
the payer side, the payee side, or both sides).
But these desires are no more central to the form of money than are age
credentials, religious credentials, or even credit credentials.
Payers and payees are the same. If this is not immediately clear, imagine
the payer purchasing digital money from the payee. Voila, the roles have
just been exactly symmetric. And money changing has been invented. Ergo,
Goldberg.
Attempting to contort the mathematics into some Ayotollah-friendly form is
both unseemly and, quickly enough, pointless.
--Tim May
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
ComSec 3DES: 831-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
"Cyphernomicon" | black markets, collapse of governments.
