So I've been talking with Stefan about this discussion, and I would like to
elaborate on my earlier comment:

> I also comment that it might be possible to have users choose whether
> they want to be able to make payee anonymous payments when they sign
> up.  If you buy a card with your real name, (as opposed to a
> pseudonym) and you are worried about blackmail, you fill the form in
> with "no payee anonymous payments over $50k/year" or whatever your
> limit you expect to spend is.  Then this presents another (weak)
> barrier for the blackmailer, he has to provide the user with another
> card, but at least it presents the user with a choice.

I use "payer untraceable" to mean payer untraceable but payee traceable, and
"fully untraceable" to mean both payer and payee untraceable.

A smart card based cash system based on Stefan's secret key credentials can
be built which offers a full set of choices to users, in terms of payer and
payee untraceability.  

The cards could be tied to traditional bank accounts, or operation could be
accountless, with new coins being issued for valid spent coins.  Or a mix of
both accountless and tied to an account.  Accounts could be anonymous
(perhaps with an is-a-person cert presented to obtain the account).

The user would have a choice of making payments with full untraceability, or
with payer untraceability only.  Payees could choose to accept payee
untraceable payments only, or to accept both payer and payee untraceable
payments (or indeed to insist on payer traceability as Tim notes).

User chosen limits per time period (eg. per year) could be placed on the
number and volume of payee anonymous payments to protect themselves against
extortion or theft if the user wishes, or no limit could be placed if the
user prefers.  (eg. When I set my account and card up I select these options:
volume limit on payer untraceable payments (which could include no limit),
and volume limit on payee untraceable payments (which could include no
limit).)

Any payment (payee or payer untraceable) to an anonymous card would count as
a payee untraceable payment for volume limits.  ("tracing the payee" makes
little sense if what is identified is an "anonymous card holder").

The obvious interactions of the two types of anonymity apply:

eg. a user who has exceeded his self chosen payee untraceable limit can't
make payments to someone who will only accept payee untraceable payments
during this time period.  Or a user who set his payee untraceable limit to 0
(ie no payee untraceable payments) can not make payment to someone who will
only accept payee untraceable payments, during this time period.

We could envisage that the user may want to change their limits over time. 
However there would be reduced protection against extortion if the user can
instantly change their payee untraceability limit.  The user could therefore
choose their own notice period for increasing that limit.  (eg. 1 year's
notice, 1 month's notice, instant as they see fit).

This covers the full spectrum of privacy concerns.  Payees and payers can
achieve as much or as little anonymity as they agree to between themselves. 
Users concerned with the risk of extortion, theft etc. can place limits on
their card.  And users who are not concerned can set up cards and accounts
with no limits at all.  (An implicit spending limit is how much money you
have in your account, or can transfer into that account).

There is a generic class of attacks which apply to any money system, even
with full traceability; clearly this is the case because intermediaries can
be used.

Stefan suggested one more way that an extortionist can obtain payee
anonymity: he can demand that the payer physically mails him his smart card
loaded with the chosen value.

Stefan has been discussing the distinction between "purely digital extortion"
and "extortion involving some physical risk, or trust of other parties",
because the latter are generic attacks and unavoidable.

Purely digital extortion is possible with the digicash protocol as implemented
because you can use the double blind protocol.

Purely digital extortion is not possible with Stefan's ecash system using
smart cards.  (This is because the double blind protocol doesn't work with
it).  

The user either has to buy a card in someone else's name (as I described),
which involves some physical element of risk, or the user has to rely on
moneychangers or a mix-net of money changers, in which case his risk is that
the money changers collude with the payer and the bank, or that the payer
physically mails him his smart card, which also involves physical risk in
collecting the card.

Putting the control of payer and payee limits in the user's hands provides
payee anonymity to all who want it (and personally I expect most will) and
provides limits on what can be lost due to theft or extortion which can be
selected if the user desires.

This appears to also provide as much protection against extortion as one can
provide in a system retaining unconditional payer anonymity.  Extortion is
still possible at some cost, and risk, but this is always ultimately the
case, and is already the case with physical money, bank accounts etc.  And
the user is given the tools to reduce this risk as much as is possible within
this framework, if they care.

If a biometric authentication device is included on the card this makes some
of the generic attacks harder.  eg. The street person's thumbprint is required
to operate the card.  The blackmailer can not use the payer's card if he
demands it is mailed to him.

The only way to provide more protection against extortion is to move towards
escrowed payer untraceability (as opposed to unconditional payer
untraceability).  And I think this would be rejected by the market, and is
not politically acceptable.  Doubtless some governments will argue for it.

Adam

note: my comments are not my employer's
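
The limit rules described in the message above (a user-chosen volume limit on payee untraceable payments, payments to an anonymous card counting against it, and a notice period before an increase takes effect), as an added example that is not part of the original post or of any real ecash implementation. The class and method names are hypothetical; it assumes days are plain integers, a single accounting period, and that lowering a limit takes effect at once and cancels queued increases, none of which the message specifies.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CardPolicy:
    """Hypothetical card-side policy; names are illustrative only."""
    payee_untraceable_limit: Optional[int]   # volume per period, None = no limit
    notice_days: int                         # user-chosen notice for raising it
    spent: int = 0                           # payee-untraceable volume so far
    pending: List[Tuple[int, Optional[int]]] = field(default_factory=list)

    def request_limit(self, today: int, new_limit: Optional[int]) -> None:
        cur = self.payee_untraceable_limit
        raising = cur is not None and (new_limit is None or new_limit > cur)
        if raising:
            # An extortionist cannot have the limit lifted instantly.
            self.pending.append((today + self.notice_days, new_limit))
        else:
            # Assumption: tightening is immediate and drops queued increases.
            self.payee_untraceable_limit = new_limit
            self.pending.clear()

    def _apply_due(self, today: int) -> None:
        due = sorted((p for p in self.pending if p[0] <= today),
                     key=lambda p: p[0])
        for _, limit in due:
            self.payee_untraceable_limit = limit
        self.pending = [p for p in self.pending if p[0] > today]

    def authorize(self, today: int, amount: int,
                  payee_untraceable: bool, payee_card_anonymous: bool) -> bool:
        self._apply_due(today)
        # Any payment to an anonymous card counts as payee untraceable.
        if not (payee_untraceable or payee_card_anonymous):
            return True
        limit = self.payee_untraceable_limit
        if limit is not None and self.spent + amount > limit:
            return False
        self.spent += amount
        return True


if __name__ == "__main__":
    card = CardPolicy(payee_untraceable_limit=50_000, notice_days=30)
    print(card.authorize(0, 40_000, True, False))    # within the limit
    print(card.authorize(1, 20_000, True, False))    # would exceed the limit
    card.request_limit(1, 100_000)                   # effective on day 31
    print(card.authorize(2, 20_000, True, False))    # notice not yet elapsed
    print(card.authorize(31, 20_000, True, False))   # increase now in force
```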
