-----BEGIN PGP SIGNED MESSAGE----- I, Bryce <bryce@colorado.edu>, wrote:
Is there a scheme which will prevent this collusive payee identification, and if so where can I read about it?
The entity calling itself "Hal" <hfinney@shell.portal.com> allegedly wrote:
One proposal I have seen here is to have a "coin changer" service which turns the received coin in at the bank for you. Then the payer and the bank and the coin changer all have to collude to identify you. However you have to trust the coin changer not to steal your money. So it better be a pretty trustworthy organization.
Especially since you didn't want anyone to know that you had that coin in the first place. This makes it somewhat more difficult to announce to the world "Hey! He just stole my coin!". I, Bryce:
Now even if it were the case that the payee is always identifiable by a collusion of the bank and the payer (such as is the case in DigiCash Ecash), all this means is that you shouldn't accept a coin using one nym, and deposit it in the bank using another. You need one bank account per nym, as well as one bank account per anonymous transaction, and then you have complete control over revelation of your identit(y/ies).
"'Hal'":
It would still be less than perfect to have all of a given nym's transactions known. In an ideal electronic cash system no transactions are linkable if the participants don't want it.
Careful here. A given nym's transactions are known only if the person that they were dealing with chooses to collude with the bank and reveal it. Hopefully this would not be the status quo! (If the status quo is going to be non-privacy, then we will be using a different scheme in the first place...) I mean: it is always true that a person who gave you money can say "yeah, that's the guy I gave it to." The only way that this is different from tangible cash is that the payer can *prove* to the bank that you are the recipient of their money. And probably the bank and the payer together can prove it to the rest of the world. (Hm. Would they be able to prove it? Perhaps the only way they would be able to prove that would be to time-stamp all their coins!...) "'Hal'":
In such a system you don't need an "account" as such, but rather the bank simply allows used cash to be checked and exchanged for fresh cash via anonymous connections. This would be the most privacy-protecting system.
Again I see an opportunity for "polymorphism". A bank can use the very same, or at least a very similar protocol to service both account-holders and "check-in/check-out" customers. (Perhaps the only differences would be the speed with which the bank services the requests, and the rate at which the bank charges for the service.) I am excited about polymorphism (such as <a href="http://www.communities.com/paper/agnostic.html> Douglas Barne's "identity-agnostic" idea </a>) because of social-engineering, evolutionary reasons. Flexible protocols will encourage institutions to compete by offering as much privacy, security, off-line capability, efficiency, etc. as the customers want, rather than dictating their own terms and trying to define the market that way. To the degree to which each capability is economically beneficial, that capability will become the market standard. Regards, Bryce signatures follow "To strive, to seek, to find and not to yield." <a href="http://ugrad-www.cs.colorado.edu/~wilcoxb/Niche.html"> bryce@colorado.edu </a> -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.01 iQCVAwUBMIsaU/WZSllhfG25AQE4DgP7BoRHvHCXkS70z/612TW+QFxt8ZG5pN2t DDAlHGJrqmQarCwpOuYB9FuPFb4Nw2vNUgqWE30/q0oe0uJvkbgrFgMTvRPX9w0P KfKoboTP7LqpPMJzbtsp4eES8Rqw8IF3j5ZQnsXxln5sdpQwztOT9HfXF62VoLsm Ln3bmGb2vPc= =1RxY -----END PGP SIGNATURE-----