Chaum on the wrong foot?
A lot of our discussion is influenced by the ideas of David Chaum. He pioneered technology which could protect individual privacy while allowing very flexible sorts of credentials and guarantees. He has also played a big role in the various proposals for digital cash. But I think that Chaum has gone off in the wrong direction in the last few years. More and more he is concentrating on protocols which rely on a tamper-proof, hardware implementation of a cryptographic protocol which he calls an "observer". This observer chip would sit in your computer (which could be a Newton-style PDA or a smart card) and would play an important part in the exchanges of information, cash, or credentials which you would make with others. The observer basically makes sure you are telling the truth in your transactions, that you are not double-spending your digital cash, or not claiming a credential which you don't have. Now, this approach has the obvious advantage that it allows solving certain problems which can't be solved otherwise. There appears to be no way to provide for secure, off-line digital cash, for example, other than with something like an observer. But it has the equally obvious problem of relying on a tamper-proof chip as a necessary part of the protocol. Recently it seems that many of the papers out of his group are designed to explore observer-based protocols. This means that these ideas are not useful for software-only implementations. One of the (relatively few) strengths that we and the forces we represent have is that free software can be spread very far and very fast, making it hard for those opposed to privacy to successfully stop our efforts. Any technology based on special chips is going to lose these advantages. Another problem with the observer is psychological. 
Although Chaum goes to great lengths to design his cryptographic protocols so that even a cheating observer can learn effectively NOTHING about the computer user that would compromise his privacy, people may still feel uncomfortable about having a mechanical "conscience" in their pocket. People want to feel in control of their computers, and I think supporting this control is a big part of the Cypherpunks philosophy. A related point is that there have already been comparisons on sci.crypt between Chaum's observers and the Clipper chip, in that both rely on tamper-resistant technology to implement features which are not entirely in their owner's best interests. Assuming we do manage to successfully defeat Clipper, the taint of this association may increase resistance to observers. I wish Chaum and his group would stop directing their efforts towards protocols which require an observer chip to be effective. Granted, there are some things that don't work as nicely without observers. But I think that a realistic appraisal of the pros and cons suggests that non-observer protocols are more likely to further our ultimate goal of personal privacy. Hal Finney hfinney@shell.portal.com
There is no silver bullet! Here are some comments about why there are no easy to use "digital coins," and why the digital money protocols are so complicated and involve banks, tamper-resistant modules, and other things that may not be make difficult some of our Cypherpunks goals. I agree with Hal Finney's basic point about David Chaum's current direction: it is not precisely the direction I'd like to see. However, in Chaum's defense, his is only one group and can only do so much. I don't see other groups pursuing digital cash with the same vigor and depth, save for the occasional paper about "electronic wallets" and so forth, and so Chaum is doing what he is doing. It is possible that someone here in Cypherpunks will develop some form of competing system. (Bear in mind, though, that these protocols are notoriously complicated, and involve issues of forgery, spoofing, denial (that a transaction occurred), tax laws, and so on.) One of Hal's points deserves special comment: (speaking of the observer protocol)
Now, this approach has the obvious advantage that it allows solving certain problems which can't be solved otherwise. There appears to be no way to provide for secure, off-line digital cash, for example, other than with something like an observer.
There are no digital coins. A physical piece of gold, the canonical piece of money, is essentially impossible to counterfeit/forge, so coins can be passed from person to person, person to shop, to banks, to tax collectors, etc. It is the ultimate "bearer instrument." Importantly, the flow of such money is "conservative" in that the total amount of such money is constant...no amount of trickery or protocol complexity can increase the amount present, and only loss of the physical coins can reduce the amount. Paper currency is ostensibly a parallel to physical money (at least in countries on a gold or silver standard, which the U.S. is not any longer). Strong currencies (DM, yen, dollar, SF...though this is all debatable) still have some of the "conservative" nature, because the bills/notes are very difficult to counterfeit and are exchanged as physical items or tokens. I won't get into things like VISA transactions, promissory notes, etc., except to say they are quite a bit less "tangible" (anyone who has gotten unexpected VISA transactions, triggered by someone out there, understands that the transactions are much less straightforward and tangible). A problem with digital money has always been that there apparently is no close equivalent to a digital coin, a token which can be passed around freely, as a quarter or a dollar bill can be. The reasons are obvious: a cryptographic number can be trivially duplicated (counterfeited/forged) and presented to a second or third person. Thus, the receiver of such a piece of digital money must confirm that it has not already been spent, that some bank will redeem it for "real" money, etc. Digital coupons have this same problem. (Real coupons are made fairly counterfeit-resistant, as are such things as lottery tickets. 
Lottery tickets also use a clever scheme whereby the winning number, the thing that gets announced, is hashed/transformed into another number with a secret key, and this second number is also printed on the ticket, but would-be spoofers are unable to generate the second number.) The complicated Chaum protocols, which now are going in the direction of the tamper-resistant "observer" chips (in smartcards, PDAs, etc.), address these issues of spoofing, denial, counterfeiting, etc., in various ways. Later, Hal makes another good point:
A related point is that there have already been comparisons on sci.crypt between Chaum's observers and the Clipper chip, in that both rely on tamper-resistant technology to implement features which are not entirely in their owner's best interests. Assuming we do manage to successfully defeat Clipper, the taint of this association may increase resistance to observers.
I wish Chaum and his group would stop directing their efforts towards protocols which require an observer chip to be effective. Granted, there are some things that don't work as nicely without observers. But I think that a realistic appraisal of the pros and cons suggests that non-observer protocols are more likely to further our ultimate goal of personal privacy.
It seems likely to me that even now a group within the bowels of the NSA and NIST is developing a "digital money clipper" (a euphonious pun?), that is, a standard for digital money with similar sorts of backdoors, emergency doors, etc., that Clipper has. NSA/NIST surely knows of the pressures for digital money, and could plan to introduce their own standard. Instead of "LEAFs" for the FBI and other law enforcement, this one could have "IRS observers" and "money-laundering observers" (this is wild speculation, I'll grant you) which tie-in to currency exchange reporting, sales tax, and income tax law enforcement systems. It may be that Chaum, who is eager to actually get some sales to groups within Europe and elsewhere, is already responding to some pressures for "accountability" (the digital money version of "wire-tappability") by various European governments and the observer protocols are an effort to satisfy some of these concerns. (I am not accusing Chaum of anything, just speculating that some groups developing digital money--and Chaum is the clear leader here--may have market or legal constraints which are shaping their focus away from the digital money = untraceable cash = crypto anarchy direction many of us favor.) A "Cypherpunks digital money" system may be more urgent than ever.

-Tim May

--
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.
Note: I put time and money into writing this posting. I hope you enjoy it.
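The duplication problem and the lottery-style keyed check number described in the message above, as an added Python example that is not part of the original thread. The `Bank` and `Token` names are hypothetical, HMAC-SHA256 stands in for the "secret key" transform, and there is no blinding, so this is not Chaum's protocol and the issuer can trace every token.

```python
"""Added illustration: a copyable bearer token and the online spent-check it forces."""
import hashlib
import hmac
import secrets
from typing import NamedTuple


class Token(NamedTuple):
    serial: bytes  # random, unique per token
    value: int     # face value in cents
    tag: bytes     # keyed hash that only the issuer can compute


class Bank:
    """Hypothetical issuer holding the secret key and the spent-serial ledger."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._spent = set()

    def _tag(self, serial, value):
        # Like the second number on a lottery ticket: derived from the
        # public fields with a key that would-be forgers do not have.
        msg = serial + value.to_bytes(8, "big")
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, value):
        serial = secrets.token_bytes(16)
        return Token(serial, value, self._tag(serial, value))

    def is_authentic(self, token):
        expected = self._tag(token.serial, token.value)
        return hmac.compare_digest(token.tag, expected)

    def redeem(self, token):
        # Authenticity alone is not enough: a perfect copy is authentic too,
        # so the issuer must also remember every serial it has honoured.
        if not self.is_authentic(token):
            return "forged"
        if token.serial in self._spent:
            return "already-spent"
        self._spent.add(token.serial)
        return "accepted"


def demo():
    bank = Bank()
    original = bank.issue(500)
    duplicate = Token(*original)                # bit-for-bit copy of the number
    altered = original._replace(value=50_000)   # face value changed, tag stale
    return {
        # A payee with no link to the bank sees two identical tokens.
        "copy_indistinguishable": duplicate == original,
        "copy_authentic": bank.is_authentic(duplicate),
        "first_redeem": bank.redeem(original),
        "second_redeem": bank.redeem(duplicate),
        "altered_redeem": bank.redeem(altered),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The keyed tag stops forgery and alteration, but only the ledger lookup at redemption time catches the duplicate, which is why the receiver has to contact the issuer.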
I applaud Hal's insight into Chaum. I was in Amsterdam last year for a few weeks working for/with him, and I can substantiate what Hal says. I was only there for six weeks, which was supposed to have been the start of a longer relationship, but I got out.
But I think that Chaum has gone off in the wrong direction in the last few years. More and more he is concentrating on protocols which rely on a tamper-proof, hardware implementation of a cryptographic protocol which he calls an "observer".
The observer, owned by the user, opens a communications channel to a chip and to a central computer, both controlled by some company. The observer then mediates the communication between the chip and the central computer to make sure that no privacy information leaks out.
There appears to be no way to provide for secure, off-line digital cash, for example, other than with something like an observer.
This statement, while certainly true in Chaum's mindset, I no longer believe to be true. The question hinges on what 'security' means. To Chaum, it means that fraud losses are a mathematically perfect zero. To a real business, however, the losses must be bounded. The smaller the bound, the better, of course, but real financial service companies can and do tolerate some loss due to (technological) fraud. If the cost of the perfect system is more than the losses from fraud, there's no point in deploying it. Make no mistake, the observer system is expensive. The reason smart cards are not more widely deployed is that they're too expensive per card. The observer protocols require both a smart card and a small hand-held computer!
This means that these [observer] ideas are not useful for software-only implementations.
Not only not useful, but totally inapplicable. The observer model relies upon the fact that the computations inside the chip are unknown to the user. This just can't be the case with a software-only system.
I wish Chaum and his group would stop directing their efforts towards protocols which require an observer chip to be effective.
This just won't happen. The observer protocols are *patented*, you see. Anyone can design and build observers, because the spec is public, but you've got to pay up. Chaum seems to be basing his whole strategy for the future on observers. I think it's a gross strategic mistake.
I think that a realistic appraisal of the pros and cons suggests that non-observer protocols are more likely to further our ultimate goal of personal privacy.
Amen. Eric
Tim:
There are no digital coins.
Gold obeys a mass conservation law. Information as such does not. Everything unique about digital money stems from this basic observation. Here is a thought problem to illustrate. If money were required to be able to be xeroxed, would you be able to make a monetary system? The answer is yes, but it doesn't act the same way as a coinage system.
A problem with digital money has always been that there apparently is no close equivalent to a digital coin, a token which can be passed around freely, as a quarter or a dollar bill can be.
It is a problem only if you want to design a digital coin. Once you rid your mind of the need for that, it's not a problem but a design constraint.
It may be that Chaum, who is eager to actually get some sales to groups within Europe and elsewhere, is already responding to some pressures for "accountability" (the digital money version of "wire-tappability") by various European governments and the observer protocols are an effort to satisfy some of these concerns.
No. This is way off the mark. Chaum's complete and overriding goal is privacy, sometimes to the exclusion of other desiderata. The observer protocols sacrifice nothing in the way of privacy, but perpetuate and reinforce the subservient economic relationships between individuals and large financial institutions. The system is asymmetrical; the central computer talks to its chip through the observer. There is no room here for person to person interactions. The barrier to entry to deploy chips is high, as well. In other words, the observer protocols preserve chasm of relative size of Big Business over and above the individual. This is a benign oversight, to be sure; all the individuals look alike. (You thought you were a number before? Now you're a _random_ number!) Nevertheless, the observers are not egalitarian; they are the model of cable TV as opposed to the telephone network, of newspapers as opposed to electronic mail. Chaum's got privacy down, but I don't want the rest of his world. No way. Eric
Eric Hughes says:
No. This is way off the mark. Chaum's complete and overriding goal is privacy, sometimes to the exclusion of other desiderata. The observer protocols sacrifice nothing in the way of privacy, but perpetuate and reinforce the subservient economic relationships between individuals and large financial institutions.
In what sense are you "subservient", Mr. Hughes? The institution and you have a contractual relationship in which they hold your money for you and in exchange handle all sorts of inconvenient tasks, in exchange for your having to pay them for performing these tasks by letting them lend out your money. You can usually touch your money at any time, though. Doesn't seem to be terribly abusive. What do they do to you that's so bad? Charge you for performing services? Shudder -- how horrible! Capitalism! Ohmygod! In any case I see no reason that small groups couldn't start digital cash issuing organizations, just as very small groups can also form banks -- you'd be surprised how small some credit unions are. Although the cost of the infrastructure is high to DESIGN, it will presumably be commercially available to any entity that wants to deploy it.
In other words, the observer protocols preserve chasm of relative size of Big Business over and above the individual.
What is wrong with large organizations per se? Perry
Charge you for performing services? Shudder -- how horrible! Capitalism! Ohmygod!
I count this comment as an intentional misreading of my position. I am not a libertarian, nor is it likely that I ever will be. I've also read E. F. Schumacher's _Small is Beautiful_ and thought much of it was just plain wrong, or, at best, unprovable. I read your words as an attempt to enforce a sort of libertarian political correctness, as insulting as that phrase will no doubt be to you. The agenda of privacy is orthogonal to most partisan political positions. As strong as the libertarian presence is on this list, it is by no means the only view. It is precisely because cypherpunk issues cut clean across the political spectrum that they are so powerful. I expect no one here to wear seamless garments of any cut or cloth. There are many on this list whose personal agendas call for making the world safe for greater accumulations of capital. This is not at all my agenda, yet I have put aside my repugnance at this in pursuit of a common goal. While I expect no one to hold to any particular view, I do expect that everyone here treat opposing views with respect, or better yet, with silence. The cypherpunks list is about creating privacy. We assume that everyone here wants the availability of more privacy than they currently have. We need not debate the particulars of these reasons, nor need we suppress the statements of these reasons. I am perfectly happy with individuals stating their own reasons for desiring privacy; these statements are powerful and useful, yet they should not engender debate on this list as to their propriety. Should anyone insist on debating belief, private e-mail is always available. I know that when the goals of personal privacy are achieved that the people and opinions that currently cohere on this list will fragment and splinter. I do not want this dispersal to happen, however, before our goals are achieved. Disrespect for each other, or, in other words, bone-headed stupidity, will certainly accomplish a premature dissolution. 
Let us work together while we need to, and no longer. Eric
What is wrong with large organizations per se?
This is way off-topic, but.... Large organizations have too much power. Take a look at the sorts of things Andrew Carnegie was able to do. Like running at a loss in order to squash small competitors. That's where the Sherman antitrust legislature comes from. Before you call me a government-lover, I have to say that I'm not sure which I find more abhorrent: "capitalist" companies engaging in unfair business practices, or government regulation. If someone wants to explain how we can get away without both (in personal email :-) I'd love to hear it. I think the "right thing" is somewhere in between purely individual transactions, with some sort of distributed trust model (the world is too big for that to be tractable, I think), and the current model of Huge Banks essentially controlling all money flow. Fact is, infrastructure costs money, and big organizations can amortize one-time costs over more customers. Marc
Eric Hughes says:
Charge you for performing services? Shudder -- how horrible! Capitalism! Ohmygod!
[...]
I read your words as an attempt to enforce a sort of libertarian political correctness, as insulting as that phrase will no doubt be to you.
There is no enforcement involved. If you truly feel that there is some sort of horrific "power relationship" between large banks and their customers, I would suggest that since the worst that they do to you is charge you for performing services that you are upset with the notion of banks charging for services.
The agenda of privacy is orthogonal to most partisan political positions.
I strongly disagree. The liberal and conservative agendas depend on control of the people in order to work. Privacy, cryptocash, etc. will all result in a strong shift towards a libertarian society -- without any need for people to try to produce such a society. When you can no longer trace money transfers, for example, taxation becomes difficult -- and any social programs you desire based on taxation become difficult. If you are truly a liberal, strong privacy rights are counter to what you truly want, and I would suggest that you reexamine whether or not you hold a consistent position, as your position in favor of privacy might be counterproductive to your position in favor of what now goes by the term "liberalism". I would be happy to see you favor strong privacy rights anyway -- but I am constrained by honesty to point out that I don't think strong privacy and a state based on coercive taxation are compatible. I do not feel that this list should be involved in discussions of libertarianism vs. any other political theory -- but I will point out that it was you, not me, that brought up the question of whether big banks are a good or bad thing, which is very much a political question. I'll happily steer clear of this entire topic if you will. Perry
Marc Horowitz says:
What is wrong with large organizations per se?
This is way off-topic, but....
Large organizations have too much power. Take a look at the sorts of things Andrew Carnegie was able to do. Like running at a loss in order to squash small competitors.
Never happened. It's a myth, plain and simple. "Predatory pricing" doesn't work -- any real business man can tell you that. Unfortunately, decades of propaganda tell us all sorts of garbage. Right now, some folks in Arkansas are suing Walmart for this very offense -- Walmart's real crime, of course, is providing too much choice to the consumer at too low a price for the taste of their competitors. As for Andrew Carnegie's empire, U.S. Steel, which was formed by merging Carnegie's operations and all the other big steel producing operations in the U.S., controlled well over 95% of steel production in the U.S. when it was started -- and within a few years, was down to under 50%. Oh, and Standard Oil was dropping in market share as fast as a stone when it was broken up. Anyone REALLY believe Microsoft is a monopoly, please raise their hands. I hate MS-DOS, but no one is FORCED to use it -- it's just, unfortunately, a standard.
That's where the Sherman antitrust legislature comes from.
Nah. The Sherman Antitrust Act and all its friends are based partially on myths, and partially on the desire of businessmen to get government ENFORCEMENT of cartels. The ICC, for instance, was created entirely to enforce cartel pricing on the railroads. Airlines scream loudly for regulation -- because they don't like the low prices competition has forced over the last decade. Most monopolies are things created by the government -- phone companies or utility companies being given exclusive franchises even though there is no real reason two or more sets of lines couldn't be run. I can name exactly one significant real monopoly -- that is, a monopoly that was not formed with the collusion of the government and that wasn't a trivial case like "only pizza parlor in the village" -- in U.S. history. The case in question was Alcoa, and the only reason they maintained an aluminum monopoly as long as they did was that they did everything they could to lower aluminum prices and maintained minimal profits -- had they tried jacking up profits, other companies would have appeared instantly.
Before you call me a government-lover, I have to say that I'm not sure which I find more abhorrent: "capitalist" companies engaging in unfair business practices, or government regulation. If someone wants to explain how we can get away without both (in personal email :-) I'd love to hear it.
Monopolies, cartels, etc, are all a myth. The longest any of J.P. Morgan's railroad cartels lasted was a matter of months (until he got the Interstate Commerce Commission created to get government to enforce his cartels for him -- but that's another story). Cartels and monopolies are naturally unstable entities. OPEC was able to control prices for only a couple of years before things crashed -- oil now is near the same price it was in 1973 measured in real dollars (and OPEC has NO regulation of its activities at all.) Perry
Perry Metzger writes:
Never happened. It's a myth, plain and simple. Oh, and Standard Oil was dropping in market share as fast as a stone when it was broken up. Nah. The Sherman Antitrust Act and all its friends are based partially on myths, and partially on the desire of businessmen to get government ENFORCEMENT of cartels. Monopolies, cartels, etc, are all a myth.
You are objectively correct about all this. You're also being obnoxious and shouldn't have started this argument. Please stop. -- Eric S. Raymond <esr@snark.thyrsus.com>
Perry Metzger writes:
If you truly feel that there is some sort of horrific "power relationship" between large banks and their customers, I would suggest that since the worst that they do to you is charge you for performing services that you are upset with the notion of banks charging for services.
I wish it were so; banks may provide information on me that I don't want dispersed to the government, to other folks who know enough to use the Touch-Tone account info hotline, and to marketing folks. The Wall Street Journal had an article sometime in August 1991 (give or take a month; I don't have DJNR access or I'd give a real cite) about how banks make available payee and amount information from checks customers write, without customer notification or permission. Banks in general seem to have poorly considered or actively harmful (anti)privacy practices. How easy IS it to start a credit union? Perhaps what we need is the People's Sekrit Privacy Credit Union! 1/2 :) -- Greg Broiles greg@goldenbear.com Golden Bear Computer Consulting +1 503 342 7982 Box 12005 Eugene OR 97440 BBS: +1 503 687 7764
Perry Metzger writes:
Never happened. It's a myth, plain and simple. Oh, and Standard Oil was dropping in market share as fast as a stone when it was broken up. Nah. The Sherman Antitrust Act and all its friends are based partially on myths, and partially on the desire of businessmen to get government ENFORCEMENT of cartels. Monopolies, cartels, etc, are all a myth.
You are objectively correct about all this.
You're also being obnoxious and shouldn't have started this argument.
Please stop.
I don't think so. Perry's arguments were well-reasoned and not obnoxious at all. Perhaps some don't like to be proven they are wrong? -- Ed Carp, N7EKG erc@apple.com 510/659-9560 anon-0001@khijol.uucp If you want magic, let go of your armor. Magic is so much stronger than steel! -- Richard Bach, "The Bridge Across Forever"