Some Musings About Online Financial Privacy Services

Why have they remained a minor niche?

Online privacy-oriented services as such have had very little success. I suggest this is due to the following reasons:

  1. The public does not care about financial privacy. Worse yet, there are relatively few who do, not enough to support these services. This is easy to lose sight of in our narrow community, but it’s a fact we have to confront. The cypherpunk theory that “Build an anonymous digital currency and they will come” is a fantasy.
  2. They are difficult to use. They require managing many passphrases of effective length and complexity, hand/eye translation of ‘turing numbers’, moused combination locks, one-time tokens, usually several of these things at once. It is even more hassle than using credit cards online. This will never come into general use, not even to the point of a profitable niche.
  3. Those that offer effective privacy and achieve sufficient volume of business to attract the attention of the authorities are harried out of existence.
  4. They ultimately depend on channels of exchange with national currencies which require the exchange business to be fully identified and subject to regulation that extends these requirements to their customers.
  5. The conflict between trust and anonymity creates a barrier to widespread use of effectively pseudonymous transactions.

The current markets for these services fall into the following categories:

  1. Geeks and radicals motivated by politics and techno appeal.
  2. Serious denizens of an underground economy with significant income and assets to conceal from authorities (e.g. PTs).
  3. Consumers of porn, online gambling, and the like seeking to avoid legal constraints on these things.
  4. HYIP programs, and other forms of fraud.
  5. Tax avoidance and money laundering.

(A) Geeks and radicals are a small population, only a fraction of which is both concerned with these issues and aware of the alternatives. (B) is an even smaller population who have the ideological orientation, have developed the methodologies, skills, and personal infrastructure for the lifestyle, and are successful enough at it to have something to protect. (C) is by far the dominant category. I suggest this is because the porn and gambling markets are huge and their users have strong economic, social, and legal motivations to hide their activity. (D) is small because it’s a sucker game and most folks have better sense. (E) is potentially huge, the largest of all, but is currently limited because the general public is unaware of the alternatives, and the alternatives are not very effective solutions due to reasons (2,3,4,5) above.

What would be the characteristics of a financial privacy services market winner?

Based on the above analysis I suggest this idealized recipe:

  1. Targets the gambling, porn, and tax-avoidance markets. I define this more generally as those seeking to enjoy widely popular but generally illegal activities, and those seeking to protect assets from legally sponsored predators. What a lightning rod. Oh, well. No guts, no glory. See III and IV below.
  2. Is easier to use than credit cards and more secure from theft or fraud.
  3. Offers true user pseudonymity, with cheap, discardable pseudonyms, unlinkable to physical identity or location.
  4. Offers true service provider pseudonymity, unlinkable to physical identity or location.
  5. Includes an untraceable, ‘gov-proof’ means of transferring value to/from the transparent, regulated banking world, or barring that, at least to national currencies.

Let’s get specific.

Service description.

Sell DBCs (Digital Bearer Certificates, digital coins) for DGCs (digital gold currencies), redeem, verify, and reissue them. This is similar to what 1MDC does, but with DBCs instead of centrally managed accounts. Provide this at a web site and via an API. Provide a Shopping Cart Interface merchants can use to accept payment in these DBCs. As with current DGCs, several levels of merchant interface will be provided, from simple banners to a full-blown HTTP/XML API. Deal only in non-repudiable digital currencies, no bonds, commercial paper, or national currencies. Charge nominal seigniorage for issuance and redemption. Make an open trading market (LESE) initially among these DBCs only. Provide a storage and payment system (ALTA) initially for these DBCs only, as an alternative to privately holding and transferring them.
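The issue / verify / reissue / redeem cycle just described, as an added Python example that is neither the author's code nor 1MDC's. The issuer's HMAC tag stands in for a real signature (a deployed system would use a public-key or blind signature so that anyone can verify and the issuer cannot repudiate); the 0.5% fee rate, the rounding unit and the "e-gold" label used in the test are assumptions, and the spent-serial set is what catches a copied certificate being redeemed twice.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal

SEIGNIORAGE = Decimal("0.005")  # constructed 0.5% fee; the page only says "nominal"
CENT = Decimal("0.0001")        # rounding unit for DGC amounts (assumed)

class DBCIssuer:
    """Issue, verify, reissue and redeem bearer certificates backed by DGC value.
    The tag is an HMAC under the issuer's secret (a stand-in for the issuer's
    signature); spent serials are remembered so a copy cannot be used twice."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._spent = set()   # serials already redeemed or reissued
        self.reserves = {}    # DGC value held per currency against live DBCs

    def _tag(self, serial: str, currency: str, amount: Decimal) -> str:
        msg = f"{serial}|{currency}|{amount}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def _mint(self, currency: str, amount: Decimal) -> dict:
        serial = secrets.token_hex(16)  # unguessable, so serials cannot be forged
        return {"serial": serial, "currency": currency, "amount": amount,
                "tag": self._tag(serial, currency, amount)}

    def issue(self, currency: str, tendered: Decimal) -> dict:
        """Accept DGC value, keep the seigniorage, hand back a certificate."""
        face = (tendered * (1 - SEIGNIORAGE)).quantize(CENT)
        self.reserves[currency] = self.reserves.get(currency, Decimal(0)) + face
        return self._mint(currency, face)

    def verify(self, cert: dict) -> bool:
        """True only if the tag is genuine and the serial is still unspent."""
        expected = self._tag(cert["serial"], cert["currency"], cert["amount"])
        return (hmac.compare_digest(expected, cert["tag"])
                and cert["serial"] not in self._spent)

    def _spend(self, cert: dict) -> None:
        if not self.verify(cert):
            raise ValueError("forged, altered or already-spent DBC")
        self._spent.add(cert["serial"])

    def reissue(self, cert: dict) -> dict:
        """Burn the old serial and mint a fresh, unlinkable one of equal value."""
        self._spend(cert)
        return self._mint(cert["currency"], cert["amount"])

    def redeem(self, cert: dict) -> Decimal:
        """Burn the certificate and pay out its DGC value less seigniorage."""
        self._spend(cert)
        self.reserves[cert["currency"]] -= cert["amount"]
        return (cert["amount"] * (1 - SEIGNIORAGE)).quantize(CENT)
```

Because the tag is a MAC, only the issuer can verify, which matches the service model above (verification is something the issuer offers) but not the "non-repudiable" goal; swapping in a signature scheme changes only `_tag` and `verify`.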

User authentication.

I propose to eventually reduce all authentication to a single passphrase-protected file on a physical USB key, containing a client authentication SSL certificate and an app to present it, then clean up after itself. It may also include a ‘wallet’ application. This will take the place of elaborate painful authentication schemes currently used by DGCs and credit card payment systems and will work exactly the same wherever these DBCs are accepted. The requirement of a physical item plus knowledge of a passphrase will provide better security than credit cards now have. The USB key contents are easily backed up, unlike a card. Copies are useless to a thief without the passphrase. The owner of the wallet can create pseudonyms at will, even temporary disposables.

The USB key solution works if you have a computer handy (or a PDA). But most folks don’t walk around with these things, your circle of friends notwithstanding. What _do_ most folks walk around with these days? Right, a phone. You can write java apps for many phones today. Now get this: most phones have a video screen and a camera. Can you guess where this is going? I had an old PDA once that downloaded address files by watching the computer screen’s video signal with a simple dumb optical sensor. A PC app modulated the screen video with horizontal bars to get the effect of a 1-way serial optical data link. If you and I hold our phones so they can see each other’s screens, we can D/H a secure connection and transact DBCs. Bingo. Turn everybody’s phone into a ubiquitous private P2P digital wallet.

User and provider pseudonymity.

In the long term, we will want the user, merchant, and service provider ‘wallets’ to run a node of some TOR, I2P or other anonymizing network that is completely decentralized and supports the advertisement of untraceably anonymous services as well as users. On top of this is a layer that implements generic DBCs, providing for their creation, destruction, redemption, verification, and reissuance as either the issuer or the user. Over that is a ‘wallet’ API and GUI that can connect with other ‘wallets’ and negotiate transfer, exchange, redemption, verification, etc. In the short term, wallets will connect via SSL over the plain old internet. In the long term, service provider anonymity will be required to protect the system from the inevitable Gov attack.

The exchange problem, and the heart of my proposal.

In and out exchange with national currencies has been the historical Achilles’ heel of anonymous payment systems. It favors the fraudster in the legal arena, and is a choke-point where authorities can easily force regulatory compliance or shut down a service entirely. I believe this to be the central challenge in operating an anonymous payment system. I propose to address this with three strategies: decentralization, compartmentalization, and layered defense.

Layered defense: DGCs and other more-or-less anonymous payment systems have lived on the brink of the fiat/digital divide and found it a perilous locale. Successful ones have found it necessary to submit to identification and regulatory requirements in order to survive attacks by government and fraud. I propose to follow the example of 1MDC, but carry it further. Our service will not sell DBCs for national currencies, only in exchange for popular DGCs such as E-gold. In this way, we establish two layers of external defense, the DGC exchange-maker compartment, and the DGC operator compartment. We let them handle the risks of dealing with fraud and repudiation. We let them handle the compromises required by dealing with national currencies and the regulated banking environment. They have a good track record of doing so. Our actual DBC accounts can have corporate owners-of-record registered and domiciled in jurisdictions with strong financial privacy laws. Initially DGC/fiat exchange costs will make it more expensive to get fiat in and out of the neo-DMT system than it was before, for transfers over about $2000US. The upside is much faster transfers, potentially instant.

Alternatively we can bypass the whole fiat currency exchange problem by purchasing London Good Delivery Bars, bailing them directly into e-gold or other DGC, and issuing DBCs against them. DMT can do this to get DBCs to loan at interest to other ‘banks’, thus playing the role of a central bank. Those with large in-transfers can purchase DBCs from perfectly legitimate regulated businesses for fiat, businesses that handle the purchase and bailment of metal wholesale. Who would operate such businesses? Maybe you.

Compartmentalization: A well-known principle in the security and financial areas, this means separating a trust-critical activity into several independent subtasks. Fraud then requires collusion, which is less likely across organizational boundaries, especially if the flow can be structured such that there is little benefit in doing so to at least one of the parties. In our case, we will separate the functions of DBC issuance and management, DBC sales, payment processing, and currency exchange. As I will explain below, we could start with a single operation, then expand, stepwise, into multiple compartments, actually encouraging competition to create additional decentralization and compartmentalization.

Decentralization: Rather than having a single channel for fiat exchange, the open-source, decentralized payment network will enable multiple exchangers to easily interoperate without special arrangement. In fact, anyone could sell our DBCs for fiat, in the same way that anyone can make change for a dollar. With many formal and informal sources of exchange, it becomes difficult to regulate or attack.

At some point in the future.

Practical financial privacy in general, and tax avoidance in particular have to address the issue of physical assets. It’s all well and good to transact almost pure abstract value like gold certificates packaged as information. But the anonymous ownership of physicals like cars, buildings, land is harder to reconcile with the established legal structure. At some point, after the payment system is well established (a user count in 5-6 figures) we will need a service like this to complete the financial privacy toolkit:

Sell or exchange DBCs for physical assets, redeem, verify, and reissue them. Assets can be jewelry, art, cars, titles and deeds, stocks and bonds, gold bars, antiques, any non-hazardous objects or materials (perhaps even those by special arrangement). Items are stored in sealed, anonymously numbered containers with RFID. Exact warehouse location is optionally encoded in the DBC and may be known to no-one after placement, requiring both the DBC and the service’s key to discover. The DBCs contain sufficient description to establish the worth of the asset they represent. But in some cases actions may be requested of the service by the DBC bearer at an extra charge, such as when legal proceedings regarding real estate are involved, i.e. a non-paying tenant must be evicted. There is a provision for multiple signatures of a DBC by expert appraisers and witnesses (for an extra charge) when further proof of asset identity and worth are desirable. This is further discussed in “Phase III” below. There are some obvious challenges in this. For example, what’s to keep someone from checking in a bomb? I suggest there will be operational and technical solutions to most of these.

An evolutionary path.

All this is too much to construct at once, and too much to expect users to accept in a single step. So we start out with:

Phase I – A DGC <—> DBC Issuer.

We accept payments in multiple DGCs. We issue DBCs denominated in the DGC tendered. This totally anonymizes the not-so-anonymous DGCs and puts the gold and information regarding its use completely in the control of the user, not some website. In this phase, we are both the issuer and seller/redeemer. Our income is derived from seigniorage, the optional use of ALTA for storage and payment, and commissions on LESE trades among these DBCs. Use of DBCs is via the USB key authentication and wallet mechanism described above with a provision for import/export in several forms. In this phase, your wallet can only connect you to our site, though you can export your DBCs and pass them around in other ways.

Why will people pay for this? So they can own and use digital gold without any ID hassles whatsoever. So they can avoid the atrocious authentication protocols of DGCs without sacrificing safety. So they can transfer payments without any records whatsoever. So they can use anonymous electronic money in a manner more like the forms of money they are familiar with. So they can keep their money in their pocket, in a box, on a disk, on paper in their billfold, just like national currencies.

Phase II – A P2P money network.

At the time of this writing, neither TOR nor I2P is quite ready for prime-time as a financial transaction carrier. It would not take much capital sponsorship to complete the necessary areas of the I2P (my personal favorite) development roadmap. A large I2P network would be ‘highly resistant’ to a determined attack even by governments in terms of privacy and interference. It is fully decentralized so it can’t be shut down by force. It supports advertisement of anonymous services, whose public endpoints are not traceable to a physical IP address, same as with the service consumers.

Over some network with these attributes, we layer our wallet app and add the capability to connect to any other wallet, those used as merchant interfaces by goods and service providers, and those used by other private individuals. There is the interesting possibility to port these applications to Blackberry/Palm/smartphones, etc. The capability to make payments between handhelds would be powerfully enabling, but the security issues would require careful study.

Why will people pay for this? They won’t have to pay for it. But with a fully P2P environment, users can transact directly, without going through a service provider. And that will attract more users. Since the environment is open, it should attract other service providers, creating a synergy that again attracts more users. Expanding the market is only one reason we should invest in this. The other is long term survival. If we are successful beyond our own limited community, service provider anonymity will be the only barrier to death-by-Gov.

Phase III – A physical asset <—> DBC Issuer.

With a decentralized P2P payment network in place, and a currency to use on it, and secure wallets users and merchants can pay each other with, hopefully some other DBC issuers and financial service providers will hop on board. If at first they don’t, it will be necessary to invent them. At this point, we break out our DBC issuance and management, and our DBC sales and redemption into separate businesses and sell off one or the other. Now the DBC seller pays some seigniorage to the issuer, and the DBC buyers pay some more seigniorage to the seller/redeemer. Why would we want to do such a thing? First, to realize capital for further expansion. Second, to gain trust which in theory would pay off in increased volume. In theory.

Now, with the capital from the sale of the DBC Issuance unit, we develop and deploy a service that does for physical assets what we are already doing with DGCs, i.e. we monetize them. See above under ‘Let’s get specific/Service description’ for a discussion of how this works in detail. The short story is that people give us their stuff. We give them DBCs in exchange. Then anybody can redeem the DBCs for the stuff. We are the owner of record in the eyes of nation state law. But the holder of the DBC is the owner for all practical purposes.

Why will people pay for this? Because this is the last piece to the puzzles of financial privacy and tax avoidance. You can now own and use expensive assets without setting off the ‘fat goose’ alarms down at the tax office. And the ability to safely and privately transact value in the form of information is now extended to physical assets. You can make money buying and selling large capital items without leaving a paper trail.

Where’s the Risk?

All over the place.

Maybe we put out our shingle to sell e-gold DBCs and the public stays away in droves despite aggressive marketing.

Maybe the authorities stomp us with new legislation targeting the DGC operators.

Maybe the tax dodgers are too chicken-shit to try us (Just another marketing problem I think).

Too few competing or companion services and merchants appear (again I think this is a marketing problem with a Madison Avenue solution).

Nation-state law finds or constructs a way to attack our ‘Darkside Storage’ unit.

We put up our DBC Issuance unit for sale but nobody offers.

What else?
