At 2:58 PM -0500 3/10/00, Adam Back wrote:
>
>User chosen limits per time period (eg. per year) could be placed on the
>number and volume of payee anonymous payments to protect themseles against
>extortion or theft if the user wishes, or no limit could be placed if the
>user prefers.
As with strategies for mutually assured destruction, this approach
only works to the extent other agents really and truly believe this
is an ironclad limit. Most kidnappers or extortionists will simply
not _believe_ that artificial limits on cash transfers prevent their
target from finding a way to transfer cash (though they will probably
believe that a poor person cannot raise the cash, which is why poor
people are seldom the targets of either kidnappings or extortion, or
blackmail, for that matter).
You see, targets of extortion, kidnapping, and blackmail REALLY WANT
TO PAY. If they didn't _want_ to pay, they simply wouldn't.
Sure, they'd rather they not be faced with the situation in the first
place, but once the predicate has been established, they WANT to pay.
This is why many countries, including the U.S., attempt to block
targets of such actions from paying. Game theory and all.
The extortionist when faced with the Back Defense simply says: "Then
open another account."
This is so obvious, but the talk of "defenses" misses this point.
(There are game-theoretic defenses, possibly. If one is believed by
others to be a militant non-negotiator, prepared to see one's child
executed or whatever the extortionist/kidnapper is threatening if his
demands are not met, then perhaps this is a deterrent. As I said, a
lot like MAD. Dr. Strangelove and the RAND folks would understand
these points implicitly.)
>
>Stefan suggested one more way that an extortionist can obtain payee
>anonymity: he can demand that the payer physically mails him his smart card
>loaded with the chosen value.
>
>Stefan has been discussing the distinction between "purely digital extortion"
>and "extortion involving some physical risk, or trust of other parties",
>because the latter are generic attacks and unavoidable.
There are many obvious ways to arrange extortion which entails no
physical risk whatsoever with a nominally "payee traceable" system.
Here's just one:
Ed the extortionist demands payment from Vic the victim. In a
nominally payee traceable system, Vic pays Ed his extortion demand
and then goes to the bank (or some similar variant) and colludes with
them to reveal the account of Ed. Ed the extortionist is also Ed the
payee, so payee traceability means Ed is identified.
However, instead of doing this, Ed tells Vic to have his bank or
merchant (an officially approved Merchant, no less) sell an item of
value equal to the extortion demand to someone he says will be
approaching the merchant. For example, a million dollars worth of
data. Call the buyer Alice, for Alice the accomplice. Alice pays one
dollar and receives the million dollars' worth of product.
(Yes, this all assumes digital products...if _physical_ goods are
being shipped, then even payer untraceability is largely lost.
Luckily for this scenario, the emphasis we have placed has always
been on cyberspatial goods...information, data, access to other
information, etc. Including even digital money, in some versions,
which is the money changer scenario, basically.)
Since Alice the accomplice has payer untraceability, natch, her
purchase cannot be traced.
The fiction of her making a token dollar payment is not needed, of
course. The scenario works equally well if Vic the victim is simply
instructed to buy a million dollars's worth of some digital property
and then send it untraceably to an account specified by Ed. Perhaps
via remailers, perhaps via BlackNet. Etc. Likewise, Alice the
accomplice need not be a separate person (duh) from Ed the
extortionist. All of this "syntactic sugar" drops away. I suppose it
can be argued that this is no longer a case of "digital cash" in any
reasonable sense, as Ed the extortionist is simply demanding payment
in some digital property form. But it shows how other channels solve
many of the problems of not having full two-way untraceability. Put
more abstractly, payer untraceability combined with conventional
money laundering techniques results in an untraceable "reverse"
channel.
[This is a terribly important point. So long as prices are not set by
third parties, these "back channels" are effectively payee
untraceability. I called this "conventional money laundering" because
it's the familiar method of over- or under-paying for goods. Or of
buying an art work for pennies on the dollar. Consult the usual
papers on methods of money launderers and extend to cyberspace.]
I'm presenting this scenario, one of many, to dispense with the
notion that "payee traceable" digital cash does much to stop
extortion, kidnapping, contract killing markets, blackmail, etc.
I haven't tried to convert these arguments into stuff about blinded
coins, returned values, exponentiations, etc. At the level of
"chunking" I'm dealing with here, it seems to be enough to accept the
notion of "payer untraceable" and "payee untraceable" and such and
then reason from these chunked levels. "Assume a payer-untraceable
mechanism exists."
(Detailed interpretation into Chaum- or Brands-levels of detail is
certainly important, even critical, for some types of discussions.
Especially if anyone, including me, is making unfounded claims about
specific properties of Brands-type mechanisms. But one does not have
to describe automobiles at the level of firing sequences in cylinders
and cam motions in order to reason about traffic problems. I spent a
while some years back drawing pictures and diagrams and reading
Chaum's papers, enough to give me the gist of his system. Endless
diagrams drawn by Ian Goldberg and Doug Barnes and others at
Cypherpunks meetings conveyed some more info. I confess to not having
learned the Brands stuff in any detail. I'm staying at the chunking
level I outlined. It will be up to others to analyze his protocols in
gory detail and find ways to subvert them to our ends.)
I claim that a payer untraceable system produces results largely
indistinguishable from a true two-way untraceable system. With some
work, of an amount to be determined by the surrounding infrastructure.
--Tim May
--
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
ComSec 3DES: 831-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
"Cyphernomicon" | black markets, collapse of governments.
