There has been some discussion on sci.crypt of digital cash and its facilitation of kidnapping, extortion, etc. Here is a posting I made when mentions an on-line paper on the topic. I had met the author, Markus Jakobsson, at Crypto 95, but I only had a chance to check out his web site yesterday. awc@slcawc.aug.ipp-garching.mpg.de (Arthur Carlson TOK ) writes:

[In response to a discussion of whether digital cash could be used to provide anonymous collection of ransom money]

Is there really no technical fix for this? To enable the prevention of double spending in off-line systems, the ID of the withdrawer is coded into the coins in a way that is verified by the bank. If the victim's relatives can undo enough of the code to satisfy the bank, why can't they undo the rest to detect when the coins are spent? Alternatively, why can't the bank put an identifier on the coins (in a way that isn't destroyed by the unblinding) that amounts to a message encoded in the public key of the withdrawer? Then the withdrawer can make the destination of the ransom money visible by revealing his private key (after the victim has been released, of course). (He also reveals every dime he spent in the last year and all his kinky love letters, but, hey, we're trying to catch a kidnapper here.)

There has been considerable discussion of this problem in the literature recently. A paper I found yesterday on the net is by Markus Jakobsson and Moti Yung: Revokable and Versatile Electronic Money, at <URL:http://www-cse.ucsd.edu/users/markus/revoke.ps> (postscript format). It has references to other work as well. The specific attack I discussed earlier applies to the current DigiCash scheme (or at least how it is assumed to work). Offline cash systems would be more complicated. The references in the paper mentioned above describe how these attacks would work on such systems and some ways of avoiding them. However there is a more powerful attack, which the Jakobsson paper addresses, in which the bank as a whole is coerced. Maybe terrorists threaten to blow up the World Trade Center unless Citibank engages in a specific protocol which will leave the terrorists with millions of dollars in fully blinded electronic cash. Even if the normal withdrawal protocol has signatures, etc. which would prevent this, Jakobsson shows that there is a corrupted protocol which if the bank is forced to follow it will leave the criminals with valid but untraceable electronic cash. The solution in the paper is to make it so that none of the ecash issued by the bank is untraceable. Under normal use it is anonymous, but if necessary the authorities can break the anonymity. This is sometimes called "Clipper cash" after the U.S. Clipper chip proposal which had similar privacy properties. With Jakobsson/Yung's approach even the more powerful attack can be defeated because the cash is traceable, and no amount of coercion will allow the attacker to create valid but untraceable cash. While these approaches are technically interesting, the political implications are more ominous. While Jakobsson labels the entity who has the power to break the anonymity an "ombudsman", implying that he defends the interests of the cash holder, he could equally well be called a "policeman" because he is the one who catches the criminals. It is all a matter of how you look at it. The question is whether these various threats of kidnapping, blackmail, extortion, etc. are good enough reasons to go to a cash system where privacy is protected only at the sufferance of government agencies. There are plenty of precedents for governments misusing supposedly- private information, such as the use of phone records to track down those who resisted the German regime during World War II. One of the attractive aspects of electronic cash has been its immunity to this form of governmental coercion. The overwhelmingly negative response to the Clipper chip proposal (other than in the cryptographic and law enforcement communities) may apply to Clipper cash as well. A related issue is the possible competition of rival cash systems. As with Clipper, where it would apparently be necessary to forbid the use of alternatives, so with Clipper cash it would seem that people would prefer true anonymity over conditional protection, even if you call the cash tracer an "ombudsman". So there would seem to be a need for governments to criminalize the use of fully anonymous electronic cash in order to force people to use the ones which the government could track. Whether this will even be possible in an increasingly global financial system remains to be seen. Hal Finney hfinney@shell.portal.com