12.1 copyright
   THE  CYPHERNOMICON: Cypherpunks FAQ and More, Version 0.666,
   1994-09-10, Copyright Timothy C. May. All rights reserved.
   See the detailed disclaimer. Use short sections under "fair
   use" provisions, with appropriate credit, but don't put your
   name on my words.

12.2 - SUMMARY: Digital Cash and Net Commerce
12.2.1. Main Points
  - strong crypto makes certain forms of digital cash possible
  - David Chaum is, once again, centrally involved
  - no real systems deployed, only small experiments
  - the legal and regulatory tangle will likely affect
     deployment in major ways (making a "launch" of digital cash
     a notrivial matter)
12.2.2. Connections to Other Sections
  - reputations
  - legal situation
  - crypto anarchy
12.2.3. Where to Find Additional Information
  - http://digicash.support.nl/
12.2.4. Miscellaneous Comments
  - a huge area, filled with special terms
  - many financial instruments
  - the theory of digital cash is not complete, and confusion
     abounds
  - this section is also more jumbled and confusing than I'd
     like; I'll clean it up in fufure releases.

12.3 - The Nature of Money
12.3.1. The nature of money, of banking and finance, is a topic that
   suffuses most discussions of digital cash. Hardly surprising.
   But also an area that is even more detailed than is crypto.
   And endless confusion of terms, semantic quibblings on the
   list, and so on. I won't be devoting much space to trying to
   explain economics, banking, and the deep nature or money.
12.3.2. There are of course many forms of cash or money today (these
   terms are not equivalent...)
  + coins, bills (presumed to be difficult to forge)
    - "ontological conservation laws"--the money can't be in
       two places at once, can't be double spent
    - this is only partly true, and forgery technology is
       making it all moot
  - bearer bonds and other "immediately cashable" instruments
  - diamonds, gold, works of art, etc. ("portable wealth")
12.3.3. Many forms of digital money. Just as there are dozens of
   major forms of instruments, so too will there be many forms
   of digital money. Niches will be filled.
12.3.4. The deep nature of money is unclear to me. There are days
   when I think it's just a giant con game, with value in money
   only because others will accept it. Other days when I think
   it's somewhat tied to "real things" like gold and silver. And
   other days when I'm just unconcerned (so long as I have it,
   and it works).
12.3.5. The digital cash discussions get similarly confused by the
   various ideas about money. Digital cash is not necessarily a
   form of _currency_, but is instead a transfer mechanism. More
   like a "digital check," in fact (though it may give rise to
   new currencies, or to wider use of some existing
   currency...at some point, it may become indistinguishable
   from a currency).
12.3.6. I advise that people not worry overly much about the true and
   deep nature of money, and instead think about digital cash as
   a transfer protocol for some underlyng form of money, which
   might be gold coins, or Swiss francs, or chickens, or even
   giant stone wheels.
12.3.7. Principle vs. Properties of Money
  - Physical coins, as money, have certain basic properties:
     difficult to counterfeit, pointless to counterfeit if made
     of gold or silver, fungibility, immediate settling (no need
     to clear with a distant bank, no delays, etc.),
     untraceability, etc.
  - Digital cash, in various flavors, has dramatically
     different properties, e.g., it may require clearing, any
     single digtital note is infinitely copyable, it may allow
     traceability, etc. A complicated mix of properties.
  + But why is physical money (specie) the way it is? What
     properties account for this? What are the core principles
     that imply these properties?
    - hardware (specie like gold) vs. software (bits, readily
       copyable)
    - immediale, local clearing, because of rational faith that
       the money will clear
    - limits on rate of transfer of physical money set by size,
       weight of money, whereas "wire fraud" and variants can
       drain an account in seconds
  - My notion is that we spend too much time thinking about the
     _principles_ (such as locality, transitivity, etc.) and
     expect to then _derive_ the properties. Maybe we need to
     instead focus on the _objects_, the sets of protocol-
     derived things, and examine their emergent properties. (I
     have my own thinking along these lines, involving "protocol
     ecologies" in which agents bang against each other, a la
     Doug Lenat's old "Eurisko" system, and thus discover
     weaknesses, points of strength, and even are genetically
     programmed to add new methods which increase security.
     This, as you can guess, is a longterm, speculative
     project.)
12.3.8. "Can a "digital coin" be made?"
  - The answer appears to be "no"
  + Software is infinitely copyable, which means a software
     representation of digital money could be replicated many
     times
    - this is not to say it could be _spent_ many times,
       depending on the clearing process...but then this is not
       a "coin" in the sense we mean
  - Software is trivially replicable, unlike gold or silver
     coins, or even paper currency. If and when paper currency
     becomes trivially replicable (and color copiers have almost
     gotten there), expect changes in the nature of cash.
     (Speculation: cash will be replaced by smart cards,
     probably not of the anonymous sort we favor.)
  + bits can always be duplicated (unless tied to hardware, as
     with TRMs), so must look elsewhere
    + could tie the bits to a specific location, so that
       duplication would be obvious or useless
      - the idea is vaguely that an agent could be placed in
         some location...duplications would be both detectable
         and irrelevant (same bits, same behavior, unmodifiable
         because of digital signature)
  - (this is formally similar to the idea of an active agent
     that is unforgeable, in the sense that the agent or coin is
     "standalone")
12.3.9. "What is the 'granularity' of digital cash?"
  + fine granularity, e.g., sub-cent amounts
    - useful for many online transactions
    - inside computers
    - add-on fees by interemediaries
    - very small purchases
  + medium granularity
    - a few cents, up to a dollar (for example)
    - also useful for many small purchases
    - close equivalent to "loose change" or small bills, and
       probably useful for the same purposes
    - tolls, fees, etc.
    - This is roughly the level many DigiCash protocols are
       aimed at
  + large granularity
    - multiple dollars
    - more like a "conventional" online transaction
    -
  - the transaction costs are crucial; online vs. offline
     clearing
  - Digital Silk Road is a proposal by Dean Tribble and Norm
     Hardy to reduce transaction costs
12.3.10. Debate about money and finance gets complicated
  - legal terms, specific accounting jargon, etc.
  - I won't venture into this thicket here. It's a specialty
     unto itself, with several dozen major types of instruments
     and derivatives. And of course with big doses of the law.

12.4 - Smart Cards
12.4.1. "What are smart cards and how are they used?"
  + Most smart cards as they now exist are very far from being
     the anonymous digital cash of primary interest to us. In
     fact, most of them are just glorified credit cards.
    - with no gain to consumers, since consumes typically don't
       pay for losses by fraud
    - (so to entice consumes, will they offer inducements?)
  - Can be either small computers, typically credit-card-sized,
     or  just cards that control access via local computers.
  + Tamper-resistant modules, e.g., if tampered with, they
     destroy the important data or at the least give evidence of
     having been tampered with.
    + Security of manufacturing
      - some variant of  "cut-and-choose" inspection of
         premises
  + Uses of smart cards
    - conventional credit card uses
    - bill payment
    - postage
    - bridge and road tolls
    - payments for items received electronically (not
       necessarily anonymously)
12.4.2. Visa Electronic Purse
12.4.3. Mondex

12.5 - David Chaum's "DigiCash"
12.5.1. "Why is Chaum so important to digital cash?"
  - Chaum's name appears frequently in this document, and in
     other Cypherpunk writings. He is without a doubt the
     seminal thinker in this area, having been very nearly the
     first to write about several areas: untraceable e-mail,
     digital cash, blinding, unlinkable credentials, DC-nets,
     etc.
  - I spoke to him at the 1988 "Crypto" conference, telling him
     about my interests, my 'labyrinth' idea for mail-forwarding
     (which he had anticipated in 1981, unbeknownst to me at the
     time), and a few hints about "crypto anarchy." It was clear
     to me that Chaum had thought long and deeply about these
     issues.
  - Chaum's articles should be read by all interested in this
     area. (No, his papers are _not_ "on-line." Please see the
     "Crypto" Proceedings and related materials.)
  - [DIGICASH PRESS RELEASE, "World's first electronic cash
     payment over computer networks," 1994-05-27]
12.5.2. "What's his motivation?"
  - Chaum appears to be a libertarian, at least on social
     issues, and is very worried about "Big Brother" sorts of
     concerns (recall the title of his 1985 CACM article).
  - His work in Europe has mostly concentrated on unlinkable
     credentials for toll road payments, electronic voting, etc.
     His company, DigiCash, is working on various aspects of
     digital cash.
12.5.3. "How does his system work?"
  - There have been many summaries on the Cypherpunks list. Hal
     Finney has written at least half a dozen, and others have
     been contributed by Eric Hughes, Karl Barrus, etc. I won't
     be including any of them here....it just takes too many
     pages to explain how digital cash works in detail.
  - (The biggest problem people have with digital cash is in
     not taking the time to understand the basics of the math,
     of blinding, etc. They wrongly assume that "digital cash"
     can be understood by common-sense reasoning about existing
     cash, etc. This mistake has been repeated in several of the
     half-assed proposals for "net cash" and "digi dollars.")
  + Here's the opening few paragraphs from one of Hal's
     explanations, to provide a glimpse:
    - "Mike Ingle asks about digicash.  The simplest system I
       know of that is anonymous is the one by Chaum, Fiat, and
       Naor, which we have discussed here a few times.  The idea
       is that the bank chooses an RSA modulus, and a set of
       exponents e1, e2, e3, ..., where each exponent ei
       represents
       a denomination and possibly a date.  The exponents must
       be relatively prime to (p-1)(q-1).  PGP has a GCD routine
       which can be used to check for valid exponents..
       
       "As with RSA, to each public exponent ei corresponds a
       secret exponent di, calculated as the multiplicative
       inverse of ei mod (p-1)(q-1).  Again, PGP has a routine
       to calculate multiplicative inverses.
       
       "In this system, a piece of cash is a pair (x, f(x)^di),
       where f() is a one-way function.  MD5 would be a
       reasonable choice for f(), but notice that it produces a
       128-bit result.  f() should take this 128-bit output of
       MD5 and "reblock" it to be an multi-precision number by
       padding it; PGP has a "preblock" routine which does this,
       following the PKCS standard.
       
       "The way the process works, with the blinding, is like
       this.  The user chooses a random x.  This should probably
       be at least 64 or 128 bits, enough to preclude exhaustive
       search.  He calculates f(x), which is what he wants the
       bank to sign by raising to the power di.  But rather than
       sending f(x) to the bank directly, the user first blinds
       it by choosing a random number r, and calculating D=f(x)
       * r^ei.  (I should make it clear that ^ is the power
       operator, not xor.)  D is what he sends to the bank,
       along with some information about what ei is, which tells
       the denomination of the cash, and also information about
       his account number."  [Hal Finney, 1993-12-04]
12.5.4. "What is happening with DigiCash?"
  - "Payment from any personal computer to any other
     workstation, over email or Internet, has been demonstrated
     for the first time, using electronic cash technology. "You
     can pay for access to a database, buy software or a
     newsletter by email, play a computer game over the net,
     receive $5 owed you by a friend, or just order a pizza. The
     possibilities are truly unlimited" according to David
     Chaum, Managing Director of DigiCash TM, who announced and
     demonstrated the product during his keynote address at the
     first conference on the World Wide Web, in Geneva this
     week." [DIGICASH PRESS RELEASE, "World's first electronic
     cash payment over computer networks," 1994-05-27]
  - DigiCash is David Chaum's company, set up to commercialize
     this work. Located near Amsterdam.
  + Chaum is also centrally invovled in "CAFE," a European
     committee investigating ways to deploy digital cash in
     Europe
    - mostly standards, issues of privacy, etc.
    - toll roads, ferries, parking meters, etc.
  - http://digicash.support.nl/
  - info@digicash.nl
  - People have been reporting that their inquiries are not
     being answered; could be for several reasons.
12.5.5. The Complexities of Digital Cash
  - There is no doubt as to the complexity: many protocols,
     semantic confusion, many parties, chances for collusion,
     spoofing, repudiation, and the like. And many derivative
     entities: agents, escrow services, banks.
  - There's no substitute for _thinking hard_ about various
     scenarios. Thinking about how to arrange off-line clearing,
     how to handle claims of people who claim their digital
     money was stolen, people who want various special kinds of
     services, such as receipts, and so on. It's an ecology
     here, not just a set of simple equations.

12.6 - Online and Offline Clearing, Double Spending
12.6.1. (this section still under construction)
12.6.2. This is one of the main points of division between systems.
12.6.3. Online Clearing
  - (insert explanation)
12.6.4. Offline Clearing
  - (insert explanation)
12.6.5. Double spending
  - Some approaches involve constantly-growing-in-size coins at
     each transfer, so who spent the money first can be deduced
     (or variants of this). And N. Ferguson developed a system
     allowing up to N expenditures of the same coin, where N is
     a parameter. [Howard Gayle reminded me of this, 1994-08-29]
  - "Why does everyone think that the law must immediately be
     invoked when double spending is detected?....Double
     spending is an informational property of digital cash
     systems. Need we find malicious intent in a formal
     property?  The obvious moralism about the law and double
     spenders is inappropriate.  It evokes images of revenge and
     retribution, which are stupid, not to mention of negative
     economic value." [Eric Hughes, 1994-08-27]  (This also
     relates to Eric's good point that we too often frame crypto
     issue in terms of loaded terms like "cheating," "spoofing,"
     and "enemies," when more neutral terms would carry less
     meaning-obscuring baggage and would not give our "enemies"
     (:-}) the ammunition to pass laws based on such terms.)
12.6.6. Issues
  + Chaum's double-spending detection systems
    - Chaum went to great lengths to develop system which
       preserve anonymity for single-spending instances, but
       which break anonymity and thus reveal identity for double-
       spending instances. I'm not sure what market forces
       caused him to think about this as being so important, but
       it creates many headaches. Besides being clumsy, it
       require physical ID, it invokes a legal system to try to
       collect from "double spenders," and it admits the
       extremely serious breach of privacy by enabling stings.
       For example, Alice pays Bob a unit of money, then quickly
       Alice spends that money before Bob can...Bob is then
       revealed as a "double spender," and his identity revealed
       to whomver wanted it...Alice, IRS, Gestapo, etc. A very
       broken idea. Acceptable mainly for small transactions.
  +  Multi-spending vs. on-line clearing
    - I favor on-line clearing. Simply put: the first spending
       is the only spending. The guy who gets to the train
       locker where the cash is stored is the guy who gets it.
       This ensure that the burden of maintaining the secret is
       on the secret holder.
    - When Alice and Bob transfer money, Alice makes the
       transfer, Bob confirms it as valid (or verifies that his
       bank has received the deposit), and the transaction is
       complete.
    - With network speeds increasing dramatically, on-line
       clearing should be feasible for most transactions. Off-
       line systems may of course be useful, especially for
       small transactions, the ones now handled with coins and
       small bills.
  -
12.6.7. "How does on-line clearing of anonymous digital cash work?"
  - There's a lot of math connected with blinding,
     exponentions, etc. See Schneier's book for an introduction,
     or the various papers of Chaum, Brands, Bos, etc.
  - On-line clearing is similar to two parties in a transaction
     exchanging goods and money. The transaction is clearled
     locally, and immediately. Or they could arrange transfer of
     funds at a bank, and the banker could tell them over the
     phone that the transaction has cleared--true "on-line
     clearing." Debit cards work this way, with money
     transferred effectively immediately out of one account and
     into another. Credit cards have some additional wrinkles,
     such as the credit aspect, but are basically still on-line
     clearing.
  - Conceptually, the guiding principle idea is simple: he who
     gets to the train locker where the cash is stored *first*
     gets the cash. There can never be "double spending," only
     people who get to the locker and find no cash inside.
     Chaumian blinding allows the "train locker" (e.g., Credit
     Suisse) to give the money to the entity making the claim
     without knowing how the number correlates to previous
     numbers they "sold" to other entities. Anonymity is
     preserved, absolutely. (Ignoring for this discussion issues
     of cameras watching the cash pickup, if it ever actually
     gets picked up.)
  - Once the "handshaking" of on-line clearing is accepted,
     based on the "first to the money gets it" principle, then
     networks of such clearinghouses can thrive, as each is
     confident about clearing. (There are some important things
     needed to provide what I'll dub "closure" to the circuit.
     People need to ping the system, depositing and withdrawing,
     to establish both confidence and cover. A lot like remailer
     networks. In fact, very much like them.)
  - In on-line clearing, only a number is needed to make a
     transfer. Conceptually, that is. Just a number. It is up to
     the holder of the number to protect it carefully, which is
     as it should be (for reasons of locality, or self-
     responsibility, and because any other option introduces
     repudiation, disavowal, and the "Twinkies made me do it"
     sorts of nonsense). Once the number is transferred and
     reblinded, the old number no longer has a claim on the
     money stored at Credit Suisse, for example. That money is
     now out of the train locker and into a new one. (People
     always ask, "But where is the money, really?" I see digital
     cash as *claims* on accounts in existing money-holding
     places, typically banks. There are all kinds of "claims"--
     Eric Hughes has regaled us with tales of his explorations
     of the world of commericial paper. My use of the term
     "claim" here is of the "You present the right number, you
     get access" kind. Like the combination to a safe. The train
     locker idea makes this clearer, and gets around the
     confusion about "digimarks" of "e$" actually _being_ any
     kind of money it and of itself.)

12.7 - Uses for Digital Cash
12.7.1. Uses for digital cash?
  - Privacy protection
  - Preventing tracking of movements, contacts, preferences
  + Illegal markets
    - gambling
    - bribes, payoffs
    - assassinations and other contract crimes
    - fencing, purchases of goods
  + Tax avoidance
    - income hiding
    - offshore funds transfers
    - illegal markets
  - Online services, games, etc.
  + Agoric markets, such as for allocation of computer
     resources
    - where programs, agents "pay" for services used, make
       "bids" for future services, collect "rent," etc.
  + Road tolls, parking fees, where unlinkablity is desired.
     This press release excerpt should give the flavor of
     intended uses for road tolls:
    - "The product was developed by DigiCash TM Corporation's
       wholly owned Dutch subsidiary, DigiCash TM BV. It is
       related to the firm's earlier released product for road
       pricing, which has been licensed to Amtech TM
       Corporation, of Dallas, Texas, worldwide leader in
       automatic road toll collection. This system allows
       privacy protected payments for road use at full highway
       speed from a smart card reader affixed to the inside of a
       vehicle. Also related is the approach of the EU supported
       CAFE project, of which Dr. Chaum is Chairman, which uses
       tamper-resistant chips inserted into electronic wallets."
       [DIGICASH PRESS RELEASE, "World's first electronic cash
       payment over computer networks," 1994-05-27]
12.7.2. "What are some motivations for anonymous digital cash?"
  + Payments that are unlinkable to identity, especially for
     things like highway tolls, bridge tolls, etc.
    - where linkablity would imply position tracking
    - (Why not use coins? This idea is for "smart card"-type
       payment systems, involving wireless communication.
       Singapore planned (and perhaps has implemented) such a
       system, except there were no privacy considerations.)
  + Pay for things while using pseudonyms
    - no point in having a pseudonym if the payment system
       reveals one's identity
  + Tax avoidance
    - this is the one the digicash proponents don't like to
       talk about too loudly, but it's obviously a time-honored
       concern of all taxpayers
  + Because there is no compelling reason why money should be
     linked to personal identity
    - a general point, subsuming others

12.8 - Other Digital Money Systems
12.8.1. "There seem to be many variants....what's the story?"
  - Lots of confusion. Lots of systems that are not at all
     anonymous, that are just extensions of existing systems.
     The cachet of digital cash is such that many people are
     claiming their systems are "digital cash," when of course
     they are not (at least not in the Chaum/Cypherpunk sense).
  - So, be careful. Caveat emptor.
12.8.2. Crypto and Credit Cards (and on-line clearing)
  + Cryptographically secure digital cash may find a major use
     in effectively extending the modality of credit cards to
     low-level, person-to-person transactions.
    - That is, the convenience of credit cards is one of their
       main uses (others being the advancing of actual credit,
       ignored here). In fact, secured credit cards and debit
       cards don't offer this advancement of credit, but are
       mainly used to accrue the "order by phone" and "avoid
       carrying cash" advantages.
    - Checks offer the "don't carry cash" advantage, but take
       time to clear. Traveller's checks are a more pure form of
       this.
    - But individuals (like Alice and Bob) cannot presently use
       the credit card system for mutual transactions. I'm not
       sure of all the reasons. How might this change?
    - Crypto can allow unforgeable systems, via some variant of
       digital signatures. That is, Alice can accept a phoned
       payment from Bob without ever being able to sign Bob's
       electronic signature herself.
  - "Crypto Credit Cards" could allow end users (customers, in
     today's system) to handle transactions like this, without
     having merchants as intermediaries.
  - I'm sure the existing credit card outfits would have
     something to say about this, and there may be various
     roadblocks in the way. It might be best to buy off the VISA
     and MasterCard folks by working through them. (And they
     probably have studied this issue; what may change their
     positions is strong crypto, locally available to users.)
  - (On-line clearing--to prevent double-spending and copying
     of cash--is an important aspect of many digital cash
     protocols, and of VISA-type protocols. Fortunately,
     networks are becoming ubiquitous and fast. Home use is
     still a can of worms, though, with competing standards
     based on video cable, fiber optics, ISDN, ATM, etc.)
12.8.3. Many systems being floated. Here's a sampling:
  + Mondex
    - "Unlike most other electronic purse systems, Mondex, like
       cash, is anonymous.  The banks that issue Mondex cards
       will not be able to keep track of who gets the payments.
       Indeed, it is the only system in which two card holders
       can transfer money to each other.
       
       ""If you want to have a product that replaces cash, you
       have to do everything that cash does, only better,"
       Mondex's senior executive, Michael Keegan said.  "You can
       give money to your brother who gives it to the chap that
       sells newspapers, who gives it to charity, who puts it in
       the bank, which has no idea where it's been.  That's what
       money is."" [New York Times, 1994-09-06, provided by John
       Young]
  + CommerceNet
    - allows Internet users to buy and sell goods.
    - "I read in yesterday's L.A. Times about something called
       CommerceNet, where sellers and buyers of workstation
       level equipment can meet and conduct busniess....Near the
       end of the article, they talked about a proposed method
       for  exchanging "digital signatures" via Moasic (so that
       buyers and sellers could _know_ that they were who they
       said they were) and that they were going to "submit it to
       the Internet Standards body"" [Cypher1@aol.com, 1994-06-
       23]
  + NetCash
    - paper published at 1st ACM Conference on Computer and
       Communications Security, Nov. 93, available via anonymous
       ftp from PROSPERO.ISI.EDU as /pub/papers/security/netcash-
       cccs93.ps.Z
    - "NetCash: A design for practical electronic currency on
       the Internet  ... Gennady Medvinsky and Clifford Neuman
       
       "NetCash is a framework that supports realtime electronic
       payments with provision of anonymity over an unsecure
       network.  It is designed to enable new types of services
       on the Internet which have not been practical to date
       because of the absence of a secure, scalable, potentially
       anonymous payment method.
       
       "NetCash strikes a balance between unconditionally
       anonymous electronic currency, and signed instruments
       analogous to checks that are more scalable but identify
       the principals in a transaction.  It does this by
       providing the framework within which proposed electronic
       currency protocols can be integrated with the scalable,
       but non-anonymous, electronic banking infrastructure that
       has been proposed for routine transactions."
    + Hal Finney had a negative reaction to their system:
      - "I didn't think it was any good.  They have an
         incredibly simplistic model, and their "protocols" are
         of the order, A sends the bank some paper money, and B
         sends A some electronic cash in return.....They don't
         even do blinding of the cash.  Each piece of cash has a
         unique serial number which is known to the currency
         provider.  This would of course allow matching of
         withdrawn and deposited coins....These guys seem to
         have read the work in the field (they reference it) but
         they don't appear to have understood it." [Hal Finney,
         1993-08-17]
  + VISA Electronic Purse
    - (A lot of stuff appeared on this, including listings of
       the alliance partners (like Verifone), the technology,
       the plans for deployment, etc. I regret that I can't
       include more here. Maybe when this FAQ is a Web doc, more
       can be included.)
    - "PERSONAL FINANCE - Seeking the Card That Would Create A
       Cashless World. The Washington Post, April 03, 1994,
       FINAL Edition By: Albert B. Crenshaw, Washington Post ...
       
       "Now that credit cards are in the hands of virtually
       every living, breathing adult  in  the  country-not to
       mention a lot of children and the occasional family  pet-
       and  now  that  almost  as  many people  have  ATM cards,
       card companies are wondering where future growth will
       come from.
       
       "At *Visa* International, the answer is: Replace cash
       with plastic.
       
       "Last month,  the  giant  association  of  card issuers
       announced it had formed a coalition of banking and
       technology companies to develop technical standards  for
       a  product it dubbed the "Electronic Purse," a plastic
       card meant to replace coins and bills in small
       transactions."  [provided by Duncan Frissell, 1994-04-05]
    - The talk of "clearinghouses" and the involvement of VISA
       International and the Usual Suspects suggest
       identity-blinding protocols are not in use. I also see no
       mention of DigiCash, or even RSA (but maybe I missed that-
       -and the presence of RSA would not necessairly mean
       identity-blinding protocols were being planned).
       
       Likely Scenario: This is *not* digital cash as we think
       of it. Rather, this is a future evolution of the cash ATM
       card and credit card, optimized for faster and cheaper
       clearing.
       
       Scary Scenario: This could be the vehicle for the long-
       rumored "banning of cash." (Just because conspiracy
       theorists and Number of the Beast Xtian fundamentalists
       belive it doesn't render it implausible.)
    - Almost nothing of interest for us. No methods for
       anonymity. Make no mistake, this is not the digital cash
       that Cypherpunks espouse. This gives the credit agencies
       and the government (the two work hand in hand) complete
       traceability of all purchases, automatic reporting of
       spending patterns, target lists for those who frequent
       about-to-be-outlawed businesses, and invasive
       surveillance of all inter-personal economic transactions.
       This is the AntiCash. Beware the Number of the AntiCash.
12.8.4. Nick Szabo:
  - "Internet commercialization in itself is a _huge_ issue
     full of pitfall and  opportunity: Mom & Pop BBS's,
     commercial MUDs, data banks, for-profit pirate and porn
     boards, etc. are springing  up everywhere like weeds,
     opening a vast array of both needs of privacy and ways to
     abuse privacy.  Remailers, digital cash, etc. won't become
     part of this Internet commerce way of life unless they are
     deployed soon, theoretical flaws and all, instead of
     waiting until The Perfect System comes along.  Crypto-
     anarchy in the real world will be messy, "nature red in
     tooth and claw", not all nice and clean like it says in the
     math books.  Most of thedebugging will be done not in any
     ivory tower, but by the bankruptcy of businesses who
     violate their customer's privacy, the confiscation of BBS
     operators who stray outside the laws of some jurisdication
     and screw up their privacy arrangements, etc. Anybody who
     thinks they can flesh out a protocol in secret and then
     deploy it, full-blown and working, is in for a world of
     hurt.  For those who get their Pretty Good systems out
     there and used, there is vast potential for business growth
     -- think of the $trillions confiscated every year by
     governments around the world, for example." [Nick Szabo,
     1993-8-23]
12.8.5. "What about _non-anonymous_ digital cash?"
  - a la the various extensions of existing credit and debit
     cards, traveller's checks, etc.
  + There's still a use for this, with several motivations"
    * for users, it may be _cheaper_ (lower transaction costs)
       than fully anonymous digital cash
    * for banks, it may also be cheaper
    * users may wish audit trails, proof, etc.
    * and of course governments have various reasons for
       wanting traceable cash systems
      - law enforcement
      - taxes, surfacing the underground economy
12.8.6. Microsoft plans to enter the home banking business
  - "PORTLAND, Ore. (AP) -- Microsoft Corp. wants to replace
     your checkbook with a home computer that lets the bank do
     all the work of recording checks, tallying up credit card
     charges and paying bills.... The service also tracks credit
     card accounts, withdrawals from automated teller machines,
     transfers from savings or other accounts, credit lines,
     debit cards, stocks and other investments, and bill
     payments." [Associated Press, 1994-07-04]
  - Planned links with a consortium of banks, led by U.S.
     Bancorp, using its "Money" software package.
  - Comment: Such moves as this--and don't forget the cable
     companies--could result in a rapid transition to a form of
     home banking and "digital money." Obviously this kind of
     digital money, as it is being planned today, is very from
     the kind of digital cash that interests us. In fact, it is
     the polar opposite of what we want.
12.8.7. Credit card clearing...individuals can't use the system
  - if something nonanonymous like credit cards cannot be used
     by end users (Alice and Bob), why would we expect an
     anonymous version of this would be either easier to use or
     more possible?
  - (And giving users encrypted links to credit agencies would
     at least stop the security problems with giving credit card
     numbers out over links that can be observed.)
  - Mondex claims their system will allow this kind of person-
     to-person transfer of anonymous digital cash (I'll believe
     it when I see it).

12.9 - Legal Issues with Digital Cash
10.8.1. "What's the legal status of digital cash?"
  - It hasn't been tested, like a lot of crypto protocols. It
     may be many years before these systems are tested.
10.8.2. "Is there a tie between digital cash and money laundering?"
  - There doesn't have to be, but many of us believe the
     widespread deployment of digital, untraceable cash will
     make possible new approaches
  - Hence the importance of digital cash for crypto anarchy and
     related ideas.
  - (In case it isn't obvious, I consider money-laundering a
     non-crime.)
10.8.3. "Is it true the government of the U.S. can limit funds
   transfers outside the U.S.?"
  - Many issues here. Certainly some laws exist. Certainly
     people are prosecuted every day for violating currency
     export laws. Many avenues exist.
  - "LEGALITY - There isn't and will never be a law restricting
     the sending of funds outside the United States.  How do I
     know?  Simple.  As a country dependant on international
     trade (billions of dollars a year and counting), the
     American economy would be destroyed." [David Johnson,
     privacy@well.sf.ca.us, "Offshore Banking & Privacy,"
     alt.privacy, 1994-07-05]
10.8.4. "Are "alternative currencies" allowed in the U.S.? And what's
   the implication for digital cash of various forms?
  - Tokens, coupons, gift certificates are allowed, but face
     various regulations. Casino chips were once treated as
     cash, but are now more regulated (inter-casino conversion
     is no longer allowed).
  - Any attempt to use such coupons as an alternative currency
     face obstacles.  The coupons may be allowed, but heavily
     regulated (reporting requirements, etc.).
  - Perry Metzger notes, bearer bonds are now illegal in the
     U.S. (a bearer bond represented cash, in that no name was
     attached to the bond--the "bearer" could sell it for cash
     or redeem it...worked great for transporting large amounts
     of cash in compact form).
  + Note: Duncan Frissell claims that bearer bonds are _not_
     illegal.
    - "Under the Tax Equity and Fiscal Responsibility Act of
       1982 (TEFRA), any interest payments made on *new* issues
       of domestic bearer bonds are not deductible as an
       ordinary and necessary business expense so none have been
       issued since then.  At the same time, the Feds
       administratively stopped issuing treasury securities in
       bearer form.  Old issues of government and corporate debt
       in bearer form still exist and will exist and trade for
       30 or more years after 1982.  Additionally, US residents
       can legally buy foreign bearer securities." [Duncan
       Frissell, 1994-08-10]
    - Someone else has a slightly different view: "The last US
       Bearer Bond issues mature in 1997. I also believe that to
       collect interest, and to redeem the bond at maturity, you
       must give your name and tax-id number to the paying
       agent. (I can check with the department here that handles
       it if anyone is interested in the pertinent OCC regs that
       apply)"  [prig0011@gold.tc.umn.edu, 1994-08-10]
    - I cite this gory detail to give readers some idea about
       how much confusion there is about these subjects. The
       usual advice is to "seek competent counsel," but in fact
       most lawyers have no clear ideas about the optimum
       strategies, and the run-of-the-mill advisor may mislead
       one dangerously. Tread carefully.
  - This has implications for digital cash, of course.
10.8.5. "Why might digital cash and related techologies take hold
   early in illegal markets? That is, will the Mob be an early
   adopter?"
  - untraceability needed
  - and reputations matter to them
  - they've shown in the past that they will try new
     approaches, a la the money movements of the drug cartels,
     novel methods for security, etc.
10.8.6. "Electronic cash...will it have to comply with laws, and
   how?"
  - Concerns will be raised about the anonymity aspects, the
     usefulness for evading taxes and reporting requirements,
     etc.
  - a messy issue, sure to be debated and legislated about for
     many years
  + split the cash into many pieces...is this "structuring"? is
     it legal?
    - some rules indicate the structuring per se is not
       illegal, only tax evasion or currency control evasion
    - what then of systems which _automatically_, as a basic
       feature, split the cash up into multiple pieces and move
       them?
10.8.7. Currency controls, flight capital regulations, boycotts,
   asset seizures, etc.
  - all are pressures to find alternate ways for capital to
     flow
  - all add to the lack of confidence, which, paradoxically to
     lawmakers, makes capital flight all the more likely
10.8.8. "Will banking regulators allow digital cash?"
  - Not easily, that's for sure. The maze of regulations,
     restrictions, tax laws, and legal rulings is daunting. Eric
     Hughes spent a lot of time reading up on the laws regarding
     banks, commercial paper, taxes, etc., and concluded much
     the same. I'm not saying it's impossible--indeed, I believe
     it will someday happen, in some form--but the obstacles are
     formidable.
  + Some issues:
    + Will such an operation be allowed to be centered or based
       in the U.S.?
      - What states? What laws? Bank vs. Savings and Loan vs.
         Credit Union vs. Securities Broker vs. something else?
    + Will customers be able to access such entities offshore,
       outside the U.S.?
      - strong crypto makes communication possible, but it may
         be difficult, not part of the business fabric, etc.
         (and hence not so useful--if one has to send PGP-
         encrypted instructions to one's banker, and can't use
         the clearing infrastructure....)
    + Tax collection, money-laundering laws, disclosure laws,
       "know your customer" laws....all are areas where a
       "digital bank" could be shut down forthwith. Any bank not
       filling out the proper forms (including mandatory
       reporting of transactions of certain amounts and types,
       and the Social Security/Taxpayer Number of customers)
       faces huge fines, penalties, and regulatory sanctions.
      - and the existing players in the banking and securities
         business will not sit idly by while newcomers enter
         their market; they will seek to force newcomers to jump
         through the same hoops they had to (studies indicate
         large corporations actually _like_ red tape, as it
         helps them relative to smaller companies)
  - Concluson: Digital banks will not be "launched" without a
     *lot* of work by lawyers, accountants, tax experts,
     lobbyists, etc. "Lemonade stand digital banks" (TM) will
     not survive for long. Kids, don't try this at home!
  - (Many new industries we are familiar with--software,
     microcomputers--had very little regulation, rightly so. But
     the effect is that many of us are unprepared to understand
     the massive amount of red tape which businesses in other
     areas, notably banking, face.)
10.8.9. Legal obstacles to digital money. If governments don't want
   anonymous cash, they can make things tough.
  + As both Perry Metzger and Eric Hughes have said many times,
     regulations can make life very difficult. Compliance with
     laws is a major cost of doing business.
    - ~"The cost of compliance in a typical USA bank is 14% of
       operating costs."~ [Eric Hughes, citing an "American
       Banker" article, 1994-08-30]
  + The maze of regulations is navigable by larger
     institutions, with staffs of lawyers, accountants, tax
     specialists, etc., but is essentially beyond the
     capabilities of very small institutions, at least in the
     U.S.
    - this may or may not remain the case, as computers
       proliferate. A "bank-in-a-box" program might help. My
       suspicion is that a certain size of staff is needed just
       to handle the face-to-face meetings and hoop-jumping.
  + "New World Order"
    - U.S. urging other countries to "play ball" on banking
       secrecy, on tax evasion extradition, on immigration, etc.
    - this is closing off the former loopholes and escape
       hatches that allowed people to escape repressive
       taxation...the implications for digital money banks are
       unclear, but worrisome.

12.10 - Prospects for Digital Cash Use
12.10.1. "If digital money is so great, why isn't it being used?"
  - Hasn't been finished. Protocols are still being researched,
     papers are still being published. In any single area, such
     as toll road payments, it may  be possible to deploy an
     application-specific system, but there is no "general"
     solution (yet). There is no "digital coin" or unforgeable
     object representing value, so the digital money area is
     more similar to the similarly nonsimple markets in
     financial instruments, commercial papers, bonds, warrants,
     checks, etc. (Areas that are not inherently simple and that
     have required lots of computerization and communications to
     make manageable.)
  - Flakiness of Nets. Systems crash, mail gets delayed
     inexplicably, subscriptions to lists get lunched, and all
     sorts of other breakages occur. Most interaction on the
     Nets involves a fair amount of human adaptation to changing
     conditions, screwups, workarounds, etc. These are not
     conditions that inspire confidence in automated money
     systems!
  - Hard to Use. Few people will use systems that require
     generating code, clients, etc. Semantic gap (generating
     stuff on a Unix workstation is not at all like taking one's
     checkbook out). Protocols in crypto are generally hard to
     use and confusing.
  - Lack of compelling need. Although people have tried various
     experiments with digital money tokens or coupons (Magic
     Money/Tacky Tokens, the HeX market, etc.), there is little
     real world incentive to experiment with them. And most of
     the denominated tokens are for truly trivial amounts of
     money, not for anything worth spending time learning. No
     marketplace for buyers to "wander around in." (You don't
     buy what you don't see.)
  - Legal issues. The IRS does not look favorably on
     alternative currencies, especially if used in attempts to
     bypass ordinary tax collection schemes. This and related
     legal issues (redemptions into dollars) put a roadblock in
     front of serious plans to use digital money.
  - Research Issues. Not all problems resolved. Still being
     developed, papers being published. Chaum's system does not
     seem to be fully ready for deployment, certainly not
     outside of well-defined vertical markets.
12.10.2. "Why isn't digital money in use?"
  - The Meta Issue: *what* digital money? Various attempts at
     digital cash or digital money exist, but most are flawed,
     experimental, crufty, etc. Chaum's DigiCash was announced
     (Web page, etc.), but is apparently not even remotely
     usable.
  + Practical Reasons:
    - nothing to buy
    - no standard systems that are straightforward to use
    - advantages of anonymity and untraceability are seldom
       exploited
  - The Magic Money/Tacky Tokens experiment on the Cypherpunks
     list is instrucive. Lots of detailed work, lots of posts--
     and yet not used for anything (granted, there's not much
     being bought and sold on the List, so...).
  - Scenario for Use in the Near Future: A vertical
     application, such as a bridge toll system that offers
     anonymity. In a vertical app, the issues of compatibility,
     interfaces, and training can be managed.
12.10.3. "why isn't digital cash being used?"
  + many reasons, too many reasons!
    + hard issues, murky issues
      - technical developments not final, Chaum, Brands, etc.
    + selling the users
      - who don't have computers, PDAs, the means to do the
         local computations
      - who want portable versions of the same
    + The infrastructure for digital money (Chaum anonymous-
       style, and variants, such as Brands) does not now exist,
       and may not exist for several more years. (Of course, I
       thought it would take "several more years" back in 1988,
       so what do I know?)
      - The issues are familiar: lack of standards, lack of
         protocols, lack of customer experience, and likely
         regulatory hurdles. A daunting prospect.
      - Any "launches" will either have to be well-funded, well-
         planned, or done sub rosa, in some quasi-legal or even
         illegal market (such as gambling).
  - "The american people keep claiming in polls that they want
     better privacy protection, but the fact is that most aren't
     willing to do anything about it: it's just a preference,
     not a solid imperative.  Until something Really Bad happens
     to many people as a result of privacy loss, I really don't
     think much will be done that requires real work and
     inconvenience from people, like moving to something other
     than credit cards for long-distance transactions... and
     that's a tragedy."[L. Todd Masco , 1994-08-20]
12.10.4. "Is strong crypto needed for digital cash?"
  - Yes, for the most bulletproof form, the form of greatest
     interest to us and especially for agents, autonomous
     systems
  + No, for certain weak versions (non-cryptographic methods of
     security, access control, biometric security, etc. methods)
    - for example, Internet billing is not usually done with
       crypto
    - and numbered Swiss accounts can be seen as a weak form of
       digital cash (with some missing features)
    - "warehouse receipts," as in gold or currency shipments
12.10.5. on why we may not have it for a while, from a non-Cypherpunk
   commenter:
  - "Government requires information on money flows, taxable
     items, and large financial transactions.....As a result, it
     would be nearly impossible to set up a modern anonymous
     digital cash system, despite the fact that we have the
     technology.....I think we have more of a right to privacy
     with digicash transactions, and I also think there is a
     market for anonymous digicash systems. " [Thomas Grant
     Edwards. talk.politics.crypto, 1994-09-06]
12.10.6. "Why do a lot of schemes for things like digital money have
   problems on the Net?
  + Many reasons
    - lack of commercial infrastructure in general on the
       Net...people are not used to buying things, advertising
       is discouraged (or worse), and almost everything is
       "free."
    - lack of robustness and completeness in the various
       protocols: they are "not ready for prime time" in most
       cases (PGP is solid, and some good shells exist for PGP,
       but the many other crypto protocols are mostly not
       implemented at all, at least not widely).
    + The Net runs "open-loop," as a store-and-forward delivery
       system
      - The Net is mostly a store-and-forward netword, at least
         at the granularity seen by the user in sending
         messages, and hence is "open loop." Messages may or may
         not be received in a timely way, and there is little
         opportunity for negotiaton on a real-time basis.
      - This open-loop nature usually works...messages get
         through most of the time. And the "message in a bottle"
         nature fits in with anonymous remailers (with
         latency/delay), with message pools, and with other
         schemes to make traffic analysis harder. A "closed-
         loop," responsive system is likelier to be traffic-
         analyzed by correlation of packets, etc.
      - but the sender does not know if it gets through (return
         receipts not commonly implemented...might be a nice
         feature to incorporate; agent-based systems
         (Telescript?) will certainly do this)
      - this open-loop nature makes protocols, negotiation,
         digital cash very tough to use--too much human
         intervention needed
      - Note: These comments apply mainly to _mail_ systems,
         which is where most of us have experimented with these
         ideas. Non-mail systems, such as Mosaic or telnet or
         the like, have better or faster feedback mechanisms and
         may be preferable for implementation of Cypherpunks
         goals. It may be that the natural focus on mailing
         lists, e-mail, etc., has distracted us. Perhaps a focus
         on MUDs, or even on ftp, would have been more
         fruitful...but we're a mailing list, and most people
         are much more familiar with e-mail than with archie or
         gopher or WAIS, etc.
    - The legal and regulatory obstacles to a real system, used
       for real transactions, are formidable. (The obstacles to
       a "play" system are not so severe, but then play systems
       tend not to get much developer attention.)
12.10.7. Scenario for deployment of digital cash
  - Eric Hughes has spent time looking into this. Too many
     issues to go into here, but he had this interesting
     scenario, repeated almost in toto here:
  - "It's very unlikely that a USA bank will be the one to
     deploy anonymous digital dollars first.  It's much more
     likely that the first dollar digital cash will be issued
     overseas, possibly London.  By the same token, the non-
     dollar regulation on banks in this country is not the same
     as the dollar regulation, so it's quite possible that the
     New York banks may be the first issuers of digital cash, in
     pounds sterling, say.
     
     "There will be two stages in actually deploying digital
     cash.  By digital cash, here, I mean a retail phenomenon,
     available anybody. The first will be to digitize money, and
     the second will be to anonymize it.  Efforts are already
     well underway to make more-or-less secure digital funds
     transfers with reasonably low transaction fees (not
     transaction costs, which are much more than just fees).
     These efforts, as long as they retain some traceability,
     will almost certainly succeed first in the marketplace,
     because (and this is vital) the regulatory environment
     against anonymity is not compromised.
     
     "Once, however, money has been digitized, one of the
     services available for purchase can be the anonymous
     transfer of funds.  I expect that the first digitization of
     money won't be fully fungible.  For example, if you allow
     me to take money out of your checking account by automatic
     debit, there is risk that the money won't be there when I
     ask for it.  Therefore that kind of money won't be
     completely fungible, because money authorized from one
     person won't be completely identical with money from
     another.  It may be a risk issue, it may be a timeliness
     issue, it may be a fee issue; I don't know, but it's
     unlikely to be perfect.
     
     "Now, as the characteristic size of a business decreases,
     the relative costs of dealing with whatever imperfection
     there is will be greater. To wit, the small player will
     still have some problem getting paid, although certainly
     less than now.  Digital cash solves many of these problems.
     The clearing is immediate and final (no transaction
     reversals).  The number of entities to deal with is greatly
     reduced, hopefully to one.  The need and risk and cost of
     accounts receivables is eliminated.  It's anonymous.  There
     will be services which will desire these advantages, enough
     to support a digital cash infrastructure. [Eric Hughes,
     Cypherpunks list, 1994-08-03]

12.11 - Commerce on the Internet
12.11.1. This has been a brewing topic for the past couple of years.
   In 1994 thing heated up on several fronts:
  - DigiCash announcement
  - NetMarket announcement
  - various other systems, including Visa Electronic Purse
12.11.2. I have no idea which ones will succeed...
12.11.3. NetMarket
  - Mosaic connections, using PGP
  + "The NetMarket Company is now offering PGP-encrypted Mosaic
     sessions for securely transmitting credit card information
     over the Internet.  Peter Lewis wrote an article on
     NetMarket on page D1 of today's New York Times (8/12/94).
     For more information on NetMarket, connect to
     http://www.netmarket.com/  or,  telnet netmarket.com." [
     Guy H. T. Haskin , 1994-08-12]
    - Uses PGP. Hailed by the NYT as the first major use of
       crypto for some form of digital money, but this is not
       correct.
12.11.4. CommerceNet
  - allows Internet users to buy and sell goods.
  - "I read in yesterday's L.A. Times about something called
     CommerceNet, where sellers and buyers of workstation level
     equipment can meet and conduct busniess....Near the end of
     the article, they talked about a proposed method for
     exchanging "digital signatures" via Moasic (so that buyers
     and sellers could _know_ that they were who they said they
     were) and that they were going to "submit it to the
     Internet Standards body"" [Cypher1@aol.com, 1994-06-23]
12.11.5. EDI, purchase orders, paperwork reduction, etc.
  - Nick Szabo is a fan of this approach
12.11.6. approaches
  - send VISA numbers in ordinary mail....obviously insecure
  - send VISA numbers in encrypted mail
  + establish two-way clearing protocols
    - better ensures that recipient will fulfill service...like
       a receipt that customer signs (instead of the "sig taken
       over the phone" approach)
    - various forms of digital money
12.11.7. lightweight vs. heavyweight processes for Internet commerce
  - Chris Hibbert
  - and the recurring issue of centralized vs. decentralized
     authentication and certification

12.12 - Cypherpunks Experiments ("Magic Money")
12.12.1. What is Magic Money?
  - "Magic Money is a digital cash system designed for use over
     electronic mail. The system is online and untraceable.
     Online means that each transaction involves an exchange
     with a server, to prevent double-spending. Untraceable
     means that it is impossible for anyone to trace
     transactions, or to match a withdrawal with a deposit, or
     to match two coins in any way."
     
     "The system consists of two modules, the server and the
     client. Magic Money uses the PGP ascii-armored message
     format for all communication between the server and client.
     All traffic is encrypted, and messages from the server to
     the client are signed. Untraceability is provided by a
     Chaum-style blind signature. Note that the blind signature
     is patented, as is RSA. Using it for experimental purposes
     only shouldn't get you in trouble.
     
     "Digicash is represented by discrete coins, the
     denominations of which are chosen by the server operator.
     Coins are RSA-signed, with a different e/d pair for each
     denomination. The server does not store any money. All
     coins are stored by the client module. The server accepts
     old coins and blind- signs new coins, and checks off the
     old ones on a spent list."
     [...rest of excellent summary elided...highly recommended
     that you dig it up (archives, Web site?) and read it]
     [Pr0duct Cypher, Magic Money Digicash System, 1992-02-04]
  + Magic Money
    - ftp://csn.org/pub/mpj/crypto_XXXXXX (or something like
       that) 
    - ftp:csn.org//mpj/I_will_not_export/crypto_???????/pgp_too
       ls  
12.12.2. Matt Thomlinson experimented with a derivative version called
   "GhostMarks"
12.12.3. there was also a "Tacky Tokens" derivative
12.12.4. Typical Problems with Such Experiments
  - Not worth anything...making the money meaningful is an
     obstacle to be overcome
  - If worth anything, not worth the considerable effort to use
     it ("creating Magic Money clients" and other scary Unix
     stuff!)
  - robustness...sites go down, etc.
  - same problems were seen on Extropians list with "HEx"
     exchange and its currency, the "thorne." (I even paid real
     money to Edgar Swank to buy some thorned...alas, the market
     was too thinly traded and the thornes did me no good.)

12.13. Practical Issues and Concerns with Digital Cash
12.13 - Practical Issues and Concerns with Digital Cash
12.13.1. "Is physical identity proof needed for on-line clearing?"
  - No, not if the cash outlook is taken. Cash is cash. Caveat
     emptor.
  - The "first to the locker" approach causes the bank not to
     particularly care about this, just as a Swiss bank will
     allow access to a numbered account by presentation of the
     number, and perhaps a key. Identity proof *may* be needed,
     depending on the "protocol" they and the customer
     established, but it need not be. And the last thing the
     bank is worried about is being able to "find and prosecute"
     anyone, as there is no way they can be liable for a double
     spending incident. The beauties of local clearing! (Which
     is what gold coins do, and paper money if we really think
     we can pass it on to others.)
12.13.2. "Is digital cash traceable?"
  - There are several flavors of "digital cash," ranging from
     versions of VISA cards to fully untraceable (Chaumian)
     digital cash.
  - This comes up a lot, with people in Net newsgroups even
     warning others not to use digital cash because of the ease
     of traceability. Not so.
  - "Not the kind proposed by David Chaum and his colleagues in
     the Netherlands. The whole thrust of their research over
     the last decade has been the use of cryptographic
     techniques to make electronic transactions secure from
     fraud while at the same time protecting personal privacy.
     They, and others, have developed a number of schemes for
     UNTRACEABLE digital cash." [Kevin Van Horn,
     talk.politics.crypto, 1994-07-03]
12.13.3. "Is there a danger that people will lose the numbers that
   they need to redeem money? That someone could steal the
   number and thus steal their money?"
  - Sure. There's the danger that I'll lose my bearer bonds, or
     forget my Swiss bank account number, or lose my treasure
     map to where I buried my money (as Alan Turing supposedly
     did in WW II).
  - People can take steps to limit risk. More secure computers.
     Dongles worn around their necks. Protocols that involve
     biometric authentication to their local computer or key
     storage PDA, etc. Limits on withdrawals per day, etc.
     People can store key numbers with people they trust,
     perhaps encrypted with other keys, can leave them with
     their lawyers, etc. All sorts of arrangements can be made.
     Personal identification is but one of these arrangements.
     Often used, but not essential to the underlyng protocol.
     Again, the Swiss banks (maybe now the Liechtenstein
     anstalts are a better example) don't require physical ID
     for all accounts. (More generally, if Charles wants to
     create a bank in which deposits are made and then given out
     to the first person who sings the right tune, why should we
     care? This extreme example is useful in pointing out that
     _contractual arrangements_ need not involve governmental or
     societal norms about what constitutes proof of identity.)

12.14 - Cyberspace and Digital Money
12.14.1. "You can't eat cyberspace, so what good is digital money?"
  - This comes up a lot. People assume there is no practical
     way to transfer assets, when in fact it is done all the
     time. That is, money flows from the realm of the purely
     "informational" realm to the physcial realm Consultants,
     writers, traders, etc., all use their heads and thereby
     earn real money.
  - Same will apply to cyberspace.
12.14.2. "How can I remain anonymous when buying physical items using
   anonymous digital cash?'
  - Very difficult. Once you are seen, and your picture can be
     taken( perhaps unknown to you), databases will have you.
     Not much can be done about this.
  - People have proposed schemes for anonymous shipment and
     pickup, but the plain fact is that physical delivery of any
     sort compromises anonymity, just as in the world today.
  - The purpose of anonymous digital cash is partly to at least
     make it more difficult, to not give Big Brother your
     detailed itinerary from toll road movements, movie theater
     payments, etc. To the extent that physical cameras can
     still track cars, people, shipments, etc., anonymous
     digital cash doesn't solve this surveillance problem.

12.15 - Outlawing of Cash
12.15.1. "What are the motivations for outlawing cash?"
  - (Note: This has not happened. Many of us see signs of it
     happening. Others are skeptical.)
  + Reasons for the Elimination of Cash:
    - War on Drugs....need I say more?
    -  surface the underground economy, by withdrawing paper
       currency and forcing all monetary transaction into forms
       that can be easily monitored, regulated, and taxed.
    - tax avoidance, under the table economy (could also be
       motive for tamper-resistant cash registers, with spot
       checks to ensure compliance)
    + welfare, disability, pension, social security auto-
       deposits
      - fraud, double-dipping
      - reduce theft of welfare checks, disability payments,
         etc....a problem in some locales, and automatic
         deposit/cash card approaches are being evaluated.
    - general reduction in theft, pickpockets
    - reduction of paperwork: all transfers electronic (could
       be part of a "reinventing government" initiative)
    +  illegal immigrants, welfare cheats, etc. Give everyone a
       National Identity Card (they'll call it something
       different. to make it more palatable, such as "Social
       Services Portable Inventory Unit" or "Health Rights
       Document").
      - (Links to National Health Care Card, to Welfare Card,
         to other I.D. schemes designed to reduce fraud, track
         citizen-units, etc.)
    + rationing systems that depend on non-cash transactions
       (as explained elsewhere, market distortions from
       rationing systems generally require identification,
       correlation to person or group, etc.)
      - this rationing can included subsidized prices, denial
         of access (e.g., certain foods denied to certain
         people)
12.15.2. Lest this be considered paranoid ranting, let me point out
   that many actions have already been taken that limit the form
   of money (banking laws, money laundering, currency
   restrictions...even the outlawing of competing currencies
   itself)
12.15.3. Dangers of outlawing cash
  - Would freeze out all transactions, giving Big Brother
     unprecedented power (unless the non-cash forms were
     anonymous, a la Chaum and the systems we support)
  - Would allow complete traceability....like the cellular
     phones that got Simpson
  - 666, Heinlein, Shockwave Rider, etc.
12.15.4. Given that there is no requirement for identity to be
   associated with money, we should fight any system which
   proposed to link the two.
12.15.5. The value of paying cash
  - makes a transaction purely local, resolved on the spot
  - the alternative, a complicated accounting system involving
     other parties, etc., is much less attractive
  - too many transactions these days are no longer handled in
     cash, which increases costs and gets other parties involved
     where they shouldn't be involved.
12.15.6. "Will people accept the banning of cash?"
  - There was a time when I would've said Americans, at least,
     would've rejected such a thing. Too many memories of
     "Papieren, bitte. Macht schnell!" But I now think most
     Americans (and Europeans) are so used to producing
     documents for every transaction, and so used to using VISA
     cards and ATM cards at gas stations, supermarkets, and even
     at flea markets, that they'll willingly--even eagerly--
     adopt such a system.

12.16 - Novel Opportunities
12.16.1. Encrypted open books, or anonymous auditing
  - Eric Hughes has worked on a scheme using a kind of blinding
     to do "encrypted open books," whereby observers can verify
     that a bank is balancing its books without more detailed
     looks at individual accounts. (I have my doubts about
     spoofs, attacks, etc., but such are always to be considered
     in any new protocol.)
  - "Kent Hastings wondered how an offshore bank could provide
     assurances to depositors.  I wondered the same thing a few
     months ago, and started working on what Perry calls the
     anonymous auditing problem.  I have what I consider to be
     the core of a solution.
     ...The following is long.... [TCM Note: Too long to include
     here. I am including just enough to convince readers that
     some new sorts of banking ideas may come out of
     cryptography.]
     
     "If we use the contents of the encrypted books at the
     organizational boundary points to create suitable legal
     opbligations, we can mostly ignore what goes on inside of
     the mess of random numbers.  That is, even if double books
     were being kept, the legal obligations created should
     suffice to ensure that everything can be unwound if needed.
     This doesn't prevent networks of corrupt businesses from
     going down all at once, but it does allow networks of
     honest businesses to operate with more assurance of
     honesty." [Eric Hughes,  PROTOCOL: Encrypted Open Books,
     1993-08-16]
12.16.2. "How can software components be sold, and how does crypto
   figure in?"
  + Reusable Software, Brad Cox, Sprague, etc.
    - good article in "Wired" (repeated in "Out of Control")
  - First, certainly software is sold. The issues is why the
     "software components" market has not yet developed, and why
     such specific instances of software as music, art, text,
     etc., have not been sold in smaller chunks.
  + Internet commerce is a huge area of interest, and future
     development.
    - currently developing very slowly
    - lots of conflicting information...several mailing
       lists...lots of hype
  + Digital cash is often cited as a needed enabling tool, but
     I think the answer is more complicated than that.
    - issues of convenience
    - issues of there being no recurring market (as there is
       in, say, the chip business...software doesn't get bought
       over and over again, in increasing unit volumes)

12.17 - Loose Ends
12.17.1. Reasons to have no government involvement in commerce
  - Even a small involvement, through special regulations,
     granted frachises, etc., produces vested interests. For
     example, those in a community who had to wait to get
     building permits want _others_ to wait just as long, or
     longer. Or, businesses that had to meet certain standard,
     even if unreasonable, will demand that new businesses do so
     also. The effect is an ever-widening tar pit of rules,
     restrictions, and delays. Distortions of the market result.
  + Look at how hard it is for the former U.S.S.R. to
     disentangle itself from 75 years of central planning. They
     are now an almost totally Mafia-controlled state (by this I
     mean that "privatization" of formerly non-private
     enterprises benefitted those who had amassed money and
     influence, and that these were mainly the Russian Mafia and
     former or current politicians...the repercussions of this
     "corrupt giveaway" will be felt for decades to come).
    - An encouraging sign: The thriving black market in Russia-
       -which all Cypherpunks of course cheer--will gradually
       displace the old business systems with new ones, as in
       all economies. Eventually the corruptly-bought businesses
       will sink or swim based on merit, and newly-created
       enterprises will compete with them.
12.17.2. "Purist" Approach to Keys, Cash, Responsibility
  + There are two main approaches to the issue:
    - Key owner is responsible for uses of his key
    - or, Others are responsible
  + There may be mixed situations, such as when a key is
     stolen...but this needs also to be planned-for by the key
     owner, by use of protocols that limit exposure. For
     example, few people will use a single key that accesses
     immediately their net worth...most people will partition
     their holding and their keyed access in such a way as to
     naturally limit exposure if any particular key is lost or
     compromised. Or forgotten.
    - could involve their bank holding keys, or escrow agents
    - or n-out-of-m voting systems
  - Contracts are the essence...what contracts do people
     voluntarily enter into?
  - And locality--who better to keep keys secure than the
     owner? Anything that transfers blame to "the banks" or to
     "society" breaks the feedback loop of responsibility,
     provides an "out" for the lazy, and encourages fraud
     (people who disavow contracts by claiming their key was
     stolen).