Maybe it's time to consider deploying anonymous payment mixes.
This is an idea from Ron Rivest for achieving anonymity on top of a
traceable payment system. It uses exactly the same idea as the Chaum mix,
which is the foundation for the cypherpunk remailers.
The idea is that you would have financial remailers whose job it was to
forward payments rather than messages. If Alice wanted to pay Zelda
$100 anonymously, she would send a message to remailer operator Bob,
paying him $100 using the traceable payment system. She would also
include an encrypted forwarding block.
Bob would decrypt it and find that the next step is to remailer Carol.
He would pay Carol $100 and pass her the remaining encrypted forwarding
block.
At each step the remailer would receive payment using the traceable
system, decrypt the forwarding instructions, and pass the payment on
to the next remailer in the chain along with the remaining encrypted
forwarding info.
At the last step remailer Yeltsin would pay Zelda the $100 and the
anonymous payment would be complete.
Now obviously the underlying non-anonymous payment system has the ability
to trace this chain of messages. It sees Alice pay Bob, Bob pay Carol,
and so on until Yeltsin pays Zelda. It can therefore figure out what
has happened.
The point is, though, that if there are multiple messages moving through
the remailer system at a time, the tracks will not be so clear. If Bob
gets paid by ten clients before he forwards requests onward, then the
system will not be able to tell which of those people were responsible
for the next payments in each of the ten chains. With a heavy enough
usage level there will be considerable confusion about how the payments
are flowing. Particularly for people who want to achieve "plausible
deniability" in terms of which payments they have made, even a limited
amount of confusion may be sufficient.
If all payments are for different amounts, then this would no longer
work, as a chain of $123.45 payments would be easy to track. It would
therefore be necessary for the system to use a single standard payment
size. If people wanted to pay more, they would send multiple messages.
If these can be spread out over a period of time, it should be possible
to hide who has paid whom.
This system would naturally lend itself to a model where remailers
take a cut of the payments to fund themselves. Bob receives $100 and
pays out $99.90; Carol receives $99.90 and pays out $99.80, and so on.
This idea of paying the remailers does not work, though, if everyone uses
a different chain, because then the amounts coming into a remailer are
no longer all the same. Carol might get some payments for $100, some for
$99.90, and so on. This would again allow message tracking by amounts.
In the original Chaum mix concept, the order in which the remailers were
used was fixed. Everyone used Bob-Carol-...-Yeltsin as their chain.
This can be beneficial in terms of providing a lot of confusion at each
step, and would also allow the remailers to be paid. The amounts would
decrease as we move through the chain but at each step they would all
be the same.
Current remailer networks are not very reliable. A system like this
would obviously increase the temptation for remailer operators to receive
payment for some messages but not pass them on. Remailers could profit
by cheating. Chaum proposed making remailers publish logs of the messages
they had handled, such that it would be possible to see that each remailer
sent all the messages it received, and the next remailer in the chain
received all the messages it was sent. This would reveal the source of
any problems, narrowing it down to the interface between two remailers,
which should allow for a fix.
With systems like e-gold, paypal/x.com, and goldmoney starting up,
we are finally at a point where person-to-person payment is becoming
both possible and economical. Payment mixes would be an attractive and
relatively easy way to implement anonymity on top of these systems.
