Stefan Brands writes:
> This is to comment on the rumour circulating here that I strongly
> oppose payee anonymity. Some of the "Fuck this and/or Stefan"
> - type remarks suggest that there is a misunderstanding.
In fairness we should note that those who claim that Stefan has changed
his position need only refer to the excerpt from his thesis that was
posted here a few days ago. At that time Stefan wrote strongly in favor
of privacy, but described a number of measures short of full two-party
anonymity in order to combat money laundering. There is no reason to
believe that his current views are different from those he has held in
the past.
At the same time the case against payee untraceability is not as strong as
Stefan suggests. In many of the points below he fails to differentiate
between untraceability and anonymity. Untraceability is consistent
with pseudonymity. Many of the points Stefan makes can be addressed in
the context of pseudonymous but untraceable payees (sellers).
> -- Payee traceability protects consumers against remote extortion,
> since they can always cooperate with the bank to allow tracing of
> their payments to the account of the recipient. (This account may
> be anonymous, by the way.)
This is true, but it is a common security/privacy tradeoff. If fighting
crime were really our highest priority, we would not allow privacy
to anyone. Traditionally we have chosen to sacrifice some safety in
order to achieve greater freedom.
There are other methods of dealing with extortion than by eliminating
privacy for sellers. We face a world that will be so full of surveillance
technology that much physical crime will become impossible. We must
therefore fervently protect our privacy in cyberspace if we are to have
any left at all.
> -- As a 1996 NSA report points out, ``The ideal situation (from the
> point of view of privacy advocates) is that neither payer nor payee
> should know the identity of the other. ... It turns out that this
> is too much to ask: there is no way in such a scenario for the
> consumer to obtain a signed receipt. Thus we are forced to settle
> for payer anonymity.''
If the payee is pseudonymous, he can issue a signed receipt based on
his pseudonym, even if he is untraceable. A pseudonymous seller is
motivated to behave honestly in order to guard his reputation. (BTW it
is good to know that the NSA is so concerned about safeguarding privacy.)
> -- On a related note, if the payee is anonymous to the payer, the
> latter cannot complain about bad goods or service. Even though a
> fraudulent or negligent payee may be able to repudiate the claim,
> in many applications it is desirable that consumers can at least
> warn others about the behavior of an unscrupulous payee, or
> that an investigation can be instigated.
Again this does not apply to a pseudonymous payee. An unhappy consumer
can warn others against an unscrupulous nym and damage his reputation.
At the same time frivolous complaints are ignored because they come from
complainers without good reputation.
> -- Absent payee traceability, it is unclear how the payer can
> recover when the connection with the payee is permanently lost.
> (Likewise, payment disputes cannot be settled, but payment dispute
> settlement reduces payment finality and therefore is not necessarily
> a desirable property. Most cash payments cannot be repudiated either.)
Payer untraceability also complicates these kinds of problems. A good
approach is to create some kind of transaction ID at the beginning of
the exchange, that can be used to maintain state during the protocol
and can be used to resume after an interruption.
> -- Payee untraceability requires the cooperation of the bank at the
> time of the payment, not for clearing/authorization but to issue
> electronic money from account. It does not work in off-line payments.
There may still be ways of achieving effective payee untraceability.
If the bank allows anonymous exchanges of old coins for new then a
payee can receive payment and later do an exchange. It is true that
if the payer in the meantime notifies the bank, it can interrupt the
exchange and prevent the payee from receiving value. This does not reveal
anyone's identity, but does represent a complication in the offline case.
Even with these difficulties, it does not alter the desirability of
engineering in payee untraceability where possible.
> -- In a system in which users hold smartcards or the like, the presence
> of an internal clock may be hard to detect, yet it would likely be
> sufficient to defeat any measures for payee untraceability.
Again, where technical problems arise, the system can still be designed
to provide as much privacy as possible. Smartcard based cash appears to
be at least several years off in the U.S.
> Note that most of these concerns relate to security for users. To
> evaluate the importance of these concerns it is important to note
> that:
>
> -- with payee traceability, third parties do *not* have the power
> to trace a designated payment (or deposit) to the payer. The only
> party to have this power is the payer, who hereto needs / may need
> the assistance of the bank.
This still allows "sting" operations, where thugs buy unapproved goods
and attack the sellers. In many countries this would be sufficient to
prevent the distribution of goods and information which most enlightened
Western readers would support.
> -- Moreover, it is possible to ensure that the payer on his/her own
> cannot learn the "identity" of the payee, and the payee can even
> prevent the payer from linking different payments to it.
Stefan Brands' technology is flexible. Certainly if we have to have
payee traceability, the ability to weaken this dangerous power would
be welcome. But it still appears that a fully private system would be
superior to one which provides lesser degrees of privacy.
> -- All that a third party can do is formally approach a person and
> request access to his or her transaction log. Each consumer is
> at all times in full control over his or her own privacy; the consumer
> can fully control how much is disclosed, and can refuse to cooperate
> by challenging the court order or search warrant. In extreme situations
> the consumer can destroy or hide the device.
Again, this seems to ignore the possibility of buyers who are agents
of those who wish to suppress such transactions. Even if that is not
possible for some reason, for people to destroy or hide evidence is a
crime in itself. Expecting average users to take such risks would be
a weak foundation for a privacy system.
> In closed systems the above concerns will generally not be sufficiently
> important to protect against payee untraceability. I am not opposed to
> full anonymity in all circumstances.
This seems to recognize that ultimately the decision about whether full
or partial anonymity is best should be left to the people involved.
Keep in mind, too, that we could have a system with a mix of sellers,
some who are fully identified, some who are pseudonymous, and some who
are completely anonymous. This allows each individual to balance the
risks against the benefits of participating in any given transaction.
It is easy to come up with arguments against any given form of privacy.
There is always a tradeoff. The question is, do we live in a world with
too much privacy already, and is our world moving in a direction in which
even more dangerous privacy will be common? The answers to both of these
questions certainly seem to be in the negative. Quite the contrary,
our privacy is constantly being eroded.
Cryptographically protected electronic payment and credential systems
seem to be our last and best hope to preserve any privacy at all.
We must adopt as strong a stance as possible in favor of privacy in
order to protect our freedom. Abandoning support for payee privacy is
unnecessary and highly premature.
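Added example, not part of the original post and not one of Brands' published designs: it works through the mechanism the reply sketches for a pseudonymous payee. The seller's "identity" is nothing more than a Schnorr public key (the nym); a transaction ID is fixed at the start of the exchange so both sides can resume after an interruption; the seller signs a receipt over that ID under the nym; the buyer verifies it without learning who holds the key; and a complaint against a nym is accepted only when backed by a receipt that nym actually signed, which is how frivolous complaints get filtered. The group parameters, receipt format and complaint ledger are all constructed for illustration, and the group is a toy size.

```python
"""Pseudonymous payee receipts (added example, not from the original post).

The payee's only identity is a Schnorr public key y = g^x mod p.  Receipts
are signed under it, so a buyer can verify them and attach reputation to the
nym without ever learning who is behind it."""

import hashlib
import json
import secrets

# Constructed toy Schnorr group: p = 2q + 1 with p and q prime, g = 2^2
# generates the order-q subgroup.  Far too small for real use; a deployment
# would use a standard 256-bit group and a constant-time implementation.
P = 2039
Q = 1019
G = 4


def _hash_to_zq(*parts: bytes) -> int:
    """Fiat-Shamir challenge: hash commitment, nym and message into Z_q.
    Each part is length-prefixed so concatenation is unambiguous."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % Q


def keygen() -> tuple[int, int]:
    """Return (secret x, nym y).  The nym is all the buyer ever sees."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def schnorr_sign(x: int, y: int, msg: bytes) -> tuple[int, int]:
    """Schnorr signature: r = g^k, c = H(r, y, m), s = k + c*x mod q."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    c = _hash_to_zq(r.to_bytes(4, "big"), y.to_bytes(4, "big"), msg)
    s = (k + c * x) % Q
    return r, s


def schnorr_verify(y: int, msg: bytes, sig: tuple[int, int]) -> bool:
    """Accept iff g^s == r * y^c mod p, i.e. the holder of x for nym y signed."""
    r, s = sig
    if not (1 <= r < P and 0 <= s < Q):
        return False
    c = _hash_to_zq(r.to_bytes(4, "big"), y.to_bytes(4, "big"), msg)
    return pow(G, s, P) == (r * pow(y, c, P)) % P


def new_txid() -> str:
    """Transaction ID agreed at the start of the exchange.  Both sides keep
    it to resume an interrupted protocol; the receipt is bound to it."""
    return secrets.token_hex(16)


def _canonical(body: dict) -> bytes:
    # Canonical JSON so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_receipt(x: int, y: int, txid: str, amount: int, goods: str) -> dict:
    """Payee side: sign a receipt under the nym (constructed receipt format)."""
    body = {"txid": txid, "amount": amount, "goods": goods,
            "payee_nym": format(y, "x")}
    r, s = schnorr_sign(x, y, _canonical(body))
    return {"body": body, "sig": {"r": r, "s": s}}


def verify_receipt(receipt: dict, expected_nym: int) -> bool:
    """Payer side: the receipt must name the nym it dealt with and verify under it."""
    body = receipt["body"]
    if int(body["payee_nym"], 16) != expected_nym:
        return False
    sig = (receipt["sig"]["r"], receipt["sig"]["s"])
    return schnorr_verify(expected_nym, _canonical(body), sig)


def file_complaint(ledger: dict, receipt: dict, note: str) -> bool:
    """Reputation ledger keyed by nym (constructed).  A complaint is recorded
    only if the complainer holds a receipt the accused nym really signed."""
    nym = int(receipt["body"]["payee_nym"], 16)
    if not verify_receipt(receipt, nym):
        return False
    ledger.setdefault(nym, []).append({"txid": receipt["body"]["txid"], "note": note})
    return True


if __name__ == "__main__":
    x, y = keygen()
    rc = issue_receipt(x, y, new_txid(), 500, "one widget")
    print("receipt verifies under nym:", verify_receipt(rc, y))
    ledger: dict = {}
    print("complaint accepted:", file_complaint(ledger, rc, "never shipped"))
    print("complaints against nym:", len(ledger[y]))
```

Note that nothing in the receipt or the ledger refers to a bank account or a legal name: the payer holds evidence of exactly what was agreed, and anyone else can check that evidence against the nym, which is the property the reply says the NSA passage overlooks.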