From: eric@remailer.net (Eric Hughes)

The situation is thus. Ian Goldberg et al. have developed a protocol for simultaneous payer and payee anonymity. It appears to be novel, albeit not entirely unanticipated. The protocol works with the existing bank signing oracle and could interoperate with Mark Twain's current system. [...] It is foolishness itself to deceive a public which is substantially in favor of the program of complete privacy. We must appeal to the public that finally will decide, not to some officials today who have power and tomorrow who will not. Clipper itself was not defeated by constructive engagement with the Clinton wiretap administration. Clipper was defeated by a general call to arms.

Therefore, shout out to the world that payee anonymity is possible with ecash(TM)!

As is well known, Chaum has been saying that one of the good features of ecash (from the point of view of regulators and law enforcement) is that payee anonymity is not supposed to be possible. This means that if someone sets up a shop to sell something illegally, they can be caught. (I suspect that is at least part of the reason why you have to fill out a multi page form to open an ecash account, so they have enough information to arrest you if you break the law.) It also means that various kinds of crimes would be prevented as well, such as theft of funds or extortion. Imagine that someone starts lobbing mailbombs at the cypherpunks list, and demands a payment of $1 a week from each subscriber to keep him from doing it, said payments to be posted to some newsgroup encrypted with a specified PGP key. Right now he could be caught when he tries to deposit his ill-gotten riches. But with payee anonymity that could be avoided. As a remailer operator I unfortunately see more of the seamy side of anonymity than most people. I do think there are people who will take advantage of this technology in harmful ways. So payee anonymity will certainly make life more interesting. However, Mark Twain Bank presumably went into this business with the expectation that they were providing a non-payee-anonymous payment system. They have already shut down at least a couple of merchants who were selling materials not to MTB's taste. So if they find out that they are now providing the perfect payment system for criminals, I would not be surprised to see them suspend the ecash trial and demand that Chaum redesign the system to truly make it non-anonymous for payees, if that is possible. So while I admire Eric's ethical concern about making relevant information about the properties of ecash available, it is also important to understand the possible outcome. One thing I notice that was missing from Eric's posting was a description or reference to exactly how the payee anonymity is achieved. Is it his intention to tell people that it is possible, yet to keep secret how it is done? This way there might be a debate about the desirability of full anonymity, while not actually putting these tools into the hands of those who would misuse them. And it might lessen the chance of precipitate action by MTB and other ecash issuers. But on the other hand it's not clear that keeping it secret is possible or desirable. A full discussion of the issue will require understanding of technical aspects. How effective is the payee anonymity? How about a timing/amount coincidence attack, where payments of X dollars to anonymous person A are always followed a few moments later by deposits of X dollars to account B? Does the payee need to trust a "broker" who serves as an intermediary with the bank? Is there any way the bank can distinguish a payee-anonymous deposit from a normal one, and are there any countermeasures the bank could take to prevent payee anonymity? These questions would seem to require understanding of how the scheme works. Also, there were a number of postings a few months ago by people who had ideas about how payee anonymity could be done. They mostly had drawbacks and may not be as nice as what Ian has come up with, but could perhaps serve as a starting point for re-creating something similar to Ian's ideas. So keeping it secret may not be a practical possibility. Hal