August 18, 2006

Privacy v. LEO interests -- too simple an approach?

Dave Birch asks:

One of the key issues in designing new electronic payment systems is balancing the privacy of transaction counterparties (which may be a social good, even if neither of the counterparties cares one way or the other) with the legitimate requirements of law enforcement. But the article on Money Laundering says that the biggest recent boost to global money laundering is not hawala or pre-paid mobiles, but the euro. The fact that launderers can stuff 500 euro notes in their underpants, and zoom around Europe spending and depositing, helps them enormously.

I tried to write a comprehensive response to this important question, but it is too hard -- that is, too long and involved. I suppose that is one point: it is not possible to separate out the issues of privacy and law enforcement and present them as a balance, not in any cohesive fashion. Simplifying the question to a balance between these two factors will not help.

Having said that, there are some easy pithy things to say:

1. The "legitimate requirements" of law enforcement are handled by the law and the courts. Read the law, attend to court-issued warrants. Don't get trapped in the marketing of LEOs and regulators who try to make their jobs easy at the expense of everyone else.

2. Privacy is not an absolute, and users don't demand it in the general sense. What they do demand is a deal that doesn't change, and a deal that has no secret traps. So whatever you do in a payment system, do it openly. As with the above, don't get trapped in the marketing of the privacy nuts who insist that assassination-grade secrecy is necessary for everyone.

3. The political move to monitor everything is way beyond logic or sense. Pointing out that paper notes are not controlled to the same extent is asking the political/bureaucratic body to start thinking logically and economically, that is, to employ risk-based analysis. That may happen one day (see #4 below), but it isn't likely to help any consumer or payment system in the foreseeable future.

4. In time, the economists will get around to pointing out how all the tracking, tracing, monitoring and seizures are causing costs for little return. We the people already feel it, in trying to get simple transactions through recalcitrant payment systems, but it takes serious studies to point out the transaction costs to those whose interests are limited by guaranteed salaries.

5. The notion that a digital system does not involve tracking, tracing, monitoring is difficult to fathom. Even if we were not subject to external pressure and CYA behaviour at all levels of the business, we have substantial internal reasons to have in place sophisticated controls. How do I as an issuer know that I have issued exactly X? Only by looking at every transaction and counting them all up!

6. A full analysis of any system will reveal many requirements and many factors. To revisit the earlier point, privacy and such interests quickly become just more ticks in the box, and not essential ones at that. For example, a far more important thing to people is the reliability of the money as money, and this tends to dwarf privacy issues. That is, privacy is what's left over when all the other things have been dealt with.
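Point 5 above says the issuer can only know how much it has issued by looking at every transaction and counting them up. The following is an added Python example of that reconciliation, not code from this post or from any payment system the post describes: a constructed ledger of mint, transfer and redeem entries is replayed in full, and the issuer's claim about outstanding units is checked against what the replay actually finds. The names Entry, replay, reconcile, the "ISSUER" sentinel and the account names are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

ISSUER = "ISSUER"  # sentinel for the issuer's side of a mint or redeem (assumed name)


@dataclass(frozen=True)
class Entry:
    """One ledger entry. kind is "mint" (issuer -> account),
    "transfer" (account -> account) or "redeem" (account -> issuer)."""
    kind: str
    src: str
    dst: str
    amount: int


# Constructed sample ledger (not real data): 150 units minted, 20 redeemed.
SAMPLE_LEDGER = [
    Entry("mint", ISSUER, "alice", 100),
    Entry("mint", ISSUER, "bob", 50),
    Entry("transfer", "alice", "carol", 30),
    Entry("redeem", "bob", ISSUER, 20),
]

# Same ledger plus an entry that spends units carol never held. If the issuer
# let this through, units would exist that it never issued, which is exactly
# the kind of internal control failure point 5 is about.
BAD_LEDGER = SAMPLE_LEDGER + [Entry("transfer", "carol", "dave", 40)]


def replay(ledger):
    """Replay every entry in order and return (balances, minted, redeemed, errors).

    There is no shortcut: the only way to learn what is outstanding is to walk
    the whole ledger. Entries that would overdraw an account are rejected and
    reported rather than applied, so the totals reflect only valid history."""
    balances = defaultdict(int)
    minted = redeemed = 0
    errors = []
    for i, e in enumerate(ledger):
        if e.amount <= 0:
            errors.append(f"entry {i}: non-positive amount {e.amount}")
            continue
        if e.kind == "mint":
            minted += e.amount
            balances[e.dst] += e.amount
        elif e.kind in ("transfer", "redeem"):
            if balances[e.src] < e.amount:
                errors.append(
                    f"entry {i}: {e.src} overdrawn "
                    f"(has {balances[e.src]}, tried {e.amount})"
                )
                continue
            balances[e.src] -= e.amount
            if e.kind == "redeem":
                redeemed += e.amount
            else:
                balances[e.dst] += e.amount
        else:
            errors.append(f"entry {i}: unknown kind {e.kind!r}")
    return dict(balances), minted, redeemed, errors


def reconcile(ledger, claimed_outstanding):
    """The issuer's question: does the ledger support the claim that exactly
    claimed_outstanding units are in circulation?

    Two checks must both hold: the conservation identity
    minted - redeemed == sum of balances, and the claim itself. Any replay
    error also fails the reconciliation, since the history is then untrusted."""
    balances, minted, redeemed, errors = replay(ledger)
    outstanding = sum(balances.values())
    conserved = (minted - redeemed) == outstanding
    return {
        "minted": minted,
        "redeemed": redeemed,
        "outstanding": outstanding,
        "balances": balances,
        "errors": errors,
        "matches_claim": conserved
        and outstanding == claimed_outstanding
        and not errors,
    }


if __name__ == "__main__":
    for name, ledger, claim in [
        ("sample, correct claim", SAMPLE_LEDGER, 130),
        ("sample, wrong claim", SAMPLE_LEDGER, 150),
        ("overdraft ledger", BAD_LEDGER, 130),
    ]:
        r = reconcile(ledger, claim)
        print(name, "->", r["matches_claim"], r["errors"])
```

The point the example makes is the one in point 5: the issuer's own solvency check requires reading every entry, so "no tracking at all" is not a property a digital issuer can offer itself, let alone anyone else. What a design can still choose is who holds the ledger, what each entry reveals about the counterparties, and who can link entries to people.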

Having said all that, I know what Dave is saying -- the balance offered by "legitimate requirements" of law enforcement and the regulators is all wrong. It creates strains that can ultimately break a system (examples abound). Is there a way to get all the various external parties interested in tracking, tracing, monitoring and ultimately seizing everything to back off and stop breaking systems before they are fielded? How do we let financial cryptographers put in place systems that serve society?

Posted by iang at August 18, 2006 11:56 AM
Comments

"How do we let financial cryptographers put in place systems that serve society?"

I think what we need is for the "authorities" to indulge in rational requirements analysis and then let the cryptographers work on the design. "We must monitor every transaction" is not a rational requirement.

Personally, I think that cryptographers can deliver systems that provide both more monitoring and more privacy, if you see what I mean. So, it ought to be uneconomical for someone to trawl through and decode transaction records but straightforward to provide decoded transaction records given a warrant (to give one quickly thought-of example).

Posted by: Dave Birch at August 21, 2006 11:44 AM

Hi All,

As one who designs and relies upon "assassination grade" type systems, let me add that the ultimate marketability of a system is if the "street" accepts same. This is why systems like hawala became popular: "they" can't afford to screw you over (like the local dealer) for fear you will rat out the actors, and the ethnicity of hawala doesn't hurt for security reasons either.

I DON'T give a DAMN about LEOs' interest; it's possible to bootstrap anonymous digital cash systems if one is personally immune to being coerced oneself (for reasons of legality or anonymity (think VONU)).

regards
gwen

Posted by: gwen hastings at August 22, 2006 04:47 AM

Dave: yes, all that is possible. Rational requirements arise from those who have to pay for the service, and that might be a lot to expect. In terms of designs that I have seen, the quality of information for precise and valuable monitoring can't be beat -- because we design it to protect ourselves from both insider and outsider attack. But if we were to interpret non-paying parties' desires as requirements, the quality of information available generally drops, as well as the survivability of the system. There's no way that I know to have that dialogue.

Gwen is of course right. The ultimate test of any system is if it is street acceptable, or more generally opens up an arbitrage or efficiency benefit. This is more important than it seems as it speaks to the survivability of the system.

E.g., few pure digital payment systems are acceptable on the street, smart crooks won't touch anything they don't understand and can't audit by themselves. This is one of the reasons (factors) in the failure of smart card money; the street universally rejected them so there was no early adopter market. Without being able to compete with cash, it had no support base.

The same thing is true in other markets -- videos and iPods being canonical cases. Again, there's no way to have this dialogue....

Posted by: Iang at August 22, 2006 05:21 AM