On Mon, Nov 19, 2001 at 11:46:45AM -0800, Tim May wrote: | On Monday, November 19, 2001, at 10:29 AM, Adam Shostack wrote: | > | 6. The failure to get true digital money. Call it what you like, | > | "digital cash" or "ecash" or even one of Hettinga's pet names, but the | > | fact is that for both political and technical reasons we don't have | > | digital cash. This has ripple effects for nearly all of the constructs | > [...] | > | This failure to get workable untraceable digital cash (true 2-way | > | untraceable, not the bastardized, banker-friendly, government-friendly | > | one-way untraceable form) is the _deep_ reason things are stagnating. | > | > Sad as it makes me, I don't know of any system which allows 2-way | > untracability and fraud prevention. Can you point me to one? With | > trustworthy reputation systems, you might be able to get away from | > this problem. I don't know of any reputation system that I'd trust | > for a multi-hundred dollar transaction today. | | | Doesn't the Barnes/Goldberg "moneychanging" protocol effectively | symmetrize the untraceability? Yes. I think there are reasonably simple, and unblockable ways to make 2-way untracable any "open" ecash system, where, like cash, everyone is a merchant. But not that I said untracability and fraud prevention, and its really the latter half that I think is hard to solve. | There are issues of one party receiving part or all of the items being | transferred and then burning the other party. And if the items, whether | ecash or software or whatever, require later authorization/turn on to | complete the transaction, there are further burning opportunities. (Note | that this is not a problem unique to digital cash. There are always | prospects for a merchant taking the money and then saying "Bye," or "I | already gave you the stuff." Or delivering defective products. This is a | kind of "handover deadlock" which, nonetheless, has not halted commerce | of various kinds. Even at flea markets, where the sellers and buyers are | largely anonymous. I realize that digital commerce systems have higher | requirements, for the same (basic ontology of the world) reasons that | security flaws in digital systems may be exploited far more rapidly and | devastatingly than, for example, a security flaw at my house.) This is the risk; we disagree on the solution. Buyers and sellers at flea markets are not untracable or unlinkable in the sense that is possible with a MIX. If I give you money at a flea market, I can stand there and yell and scream if you then don't give me the goods. Its hard to abandon your table of stuff and flee if you don't want to settle. Thats not the case with a bi-directional, fully anonymous market. | My _intuition_ is that an ecology of agents each exchanging digital | money, even if the system in only uni-directionally untraceable, with | "anyone a mint," goes a long way toward solving the problem. Squares the | circle, so to speak. Throw in escrow agents and intermediate holders, | bonded with nyms, and I see no particular reason why two-way | untraceability is not feasible. I'm very fond of market solutions for problems. When dealing with money, the fundamental things that you can trade are liquidity and risk. Banks loan money and accept a risk of non-payment. They set their interest rates such that, having spent time evaluating the risk, they expect to make money. (Dan Geer wrote a nice essay on this subject for a talk at DCSB in November 98). Banks use a multitude of methods to control and manage risks, and at the end of most of those methods is that, with sufficient energy, you can track down a person or legal entity to get a refund of your payments. Thats not generally how they work; usually they try up front to ensure that the inbound money is good, via tools like certified transfers and letters of introduction and credit, etc. (Frank Abagnale exploited this, and tells his story in the enjoyable and worthwhile "Catch me if you can.") Over time, or with collateral, a bank will loan you money. Some will loan you money sight unseen, based on a risk calculation. But back to ecash. Who will assume risk for an anonymous merchant? (No one needs to assume risk on the withdrawl; in all systems, you withdraw from an account, and in the good systems, blind the coins so the bank doesn't know what coins came from what account. The bank can decide if its going to let you get valid coins.) The risk is not that the merchant is getting bad money; thats controllable; the risk is that the merchant is not delivering the goods. Given the merchants ability to completely disappear, who can sensibly offer a risk guarantee? There are ways that someone might be able to offer a guarantee; for example, require that the merchant post a bond. However, that doesn't work; complete anonymity incurs delays and bandwidth costs, and it will be possible to scale an attack such that the merchant walks off with more than the value of the bond. Now, the people who understand this best are the ones that Chaum chased and Hettinga just spent so much time with. They get that they want to be able to manage risk; its what they do, and they can't do that with two-way untracable money. So, does that means it is not possible to have anonymous merchants? Well, that depends what you mean by anonymous. If you mean the sort of complete anonymity that Chaum showed was possible, I don't think that it can be deployed. If you mean that your merchant takes his cash through traditional privacy measures like a private bank on Vanuatu, then sure. However, thats not what I think you were asking for. How different are these? In normal practice, I don't think they're substantially different. There's a different level of trust to be placed in laws and tellers, and that makes many people uncomfortable as we see those laws bend and break. However, it makes others, the bankers, very comfortable, that they have a risk management strategy that they can construct. They can chase the company, its bank, or the beneficial owners in various combinations in the event of fraud. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume