[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Problems with anonymous escrow 1--response




I welcome Hal's comments. Between this meaty discussion of crypto anarchic
issues, along with the equally meaty comments by Eric and others about
financial instruments, maybe we've temporarily exorcised the run of
"cyphernukes" trivia postings. (Not that nukes are trivial...I understand
that even one of them can ruin your whole day.)

Hal split his post up into three parts (that I've seen so far), but my
response would probably not be split the same way, ideally. But I'll go
ahead and answer each of his posts in order, or at least get started.

First, let me clarify some points very briefly, points that would
ordinarily come up in the response to the second and third parts.

* I've never thought that anonymous escrow agents would be large
corporations, or even companies of several or more people. In fact, many
trading and investment services are handled today by a single person. Many
underworld financial services--e.g., offshore banks--are handled by a
single person. New computer technology makes this more feasible than ever.
Additional staff, especially at the spear carrier level (office workers,
clerical staff, etc.), are security leaks, as Hal notes.

* Family-based businesses are also common, where blood ties establish a
web-of-trust. Very common in Asia, the Middle East, and in other areas
where mistrust is a dominant concern. (The Mafia is known as the Family, of
course.) In many of these cultures, defections (in the game-theoretic
sense) are strongly disincentivized, by the blood ties and the
repercussions (ostracism at best, death in many cases).

* I agree strongly with Hal--and have argued this in several posts over the
past couple of years--that the "ecology of interacting anonymous agents"
merits much more study. We cite the fictional scenario of "True Names," and
we have limited exposure to such ecologies from the criminal underworld
(Triads, Mafia, Russians, Jamaicans, etc.), but few economic studies have
been done of such systems.

(My explicit focus in many of my posts on outlaw communities and outlaw
actions is not because I admire violent criminals, but because these
communities are obviously unable to use the legal systems of the modern
world and thus have developed and evolved their own legal codes of
sorts--sometimes with greater refinement than the so-called legal world.
David Friedman once agreed with me that much more study of underground
markets, criminal enterprises, and black markets in general is needed.)

On to Hal's comments. I'll only respond now to #1, then to #2, #3, etc.
later today.

>There has been some discussion here about how anonymity/pseudonymity
>can be applied to a wider range of relationships.  One possibility
>that Tim May and others have mentioned is to have escrow agents be
>anonymous.  (I will use "anonymous" and "pseudonymous" more or less
>interchangeably because the former term is more familiar.  But I am
>really referring to a case where the agents maintain a certain amount
>of continuity via secret keys and such.)
>
>(Let me make it clear that I am not arguing that there SHOULD NOT be
>anonymous escrow agents.  I am questioning whether they are likely to
>be viable entities due to the problems I am listing here.)

I'm not arguing, by the way, that such anonymous escrow agents (AEAs, for
brevity) will dominate conventional escrow agents, such as banks,
securities firms, etc. (all of which have certain escrow functions). But I
do expect that as more transactions leave the conventional "legal
world"--not because they are ipso facto illegal or criminal, but because
they are between parties who don't each others identities or nationalities
and hence are unlikely to agree that Afghani law, for example,
applies--that cyberspatial escrow/PPL agents will be more common. And if
they exist, outside the conventional legal structure for the reasons just
given, what reason is for them to be _non_-anonymous, that is, for them to
voluntarily reveal their phsysical identities, locations, etc.?

Hal mentions someplace that non-anonymity allows customers to check the
bona fides. Several points:

* Bona fides are easily faked. Cf. my posts on the 60,000 people in the
Witness Security Program (aka Witness Protection), most with
full-backstopped legends. The various governments of the world are expert
at creating such legends, including banks that meet their needs, transport
companies, and (probably) escrow services. So non-anonymity is not
necessarily what it's cracked up to be.

* Non-anonymity will likely expose the escrow agent to various pressures
and sanctions, including: lawsuits, subpoenas, threats by the parties
involved in an escrow, taxation, etc. Lots of complications. I can readily
imagine these pressures totally swamping the advantages of escrow. I
certainly know that any "non-anonymous" escrow agent will immediately be
beset by various pressures, legal, financial, and physical. I can't imagine
one operating for long in the U.S., for example.

* Non-anonymous escrow services in most jurisdictions (Hint: the operative
word is "jurisdiction") will of course not be able to handle transactions
that are illegal, e.g., information sales, drug money holding, etc. And
they likely face "know your customer" laws in many jurisdictions. [I
consider the idea of a non-anonymous escrow agent a non-starter, offering
essentially nothing of interest to identity-blinded users and instead
introducing unacceptable risks, pressures, and red tape.]

* If the customers, Alice and Bob, are anonymous (actually, pseudonymous,
of course), and are not associated with any jurisdiction, why should they
be interested in using a non-anonymous escrow agent, one who may be find in
favor of one party or another based on local law, based on pressures
applied by one party, etc.? Anonymous parties should be more comfortable
with AEAs, all other things being equal.


>The obvious problem I see with anonymous escrow agents is that it is
>much harder for them to become and stay trustworthy.  With an
>identified (non-anonymous) agency, you can have a lot of information
>on which to base your judgement.  You can look at its assets, at its
>employees and hiring procedures, at its record.  You look at the
>jurisdiction in which it operates and judge what protection the legal
>system may offer.  You can look at other agencies in that jurisdiction
>and what their track record has been.

Eric Hughes' "encrypted open books" protocol may be useful in verifying
assets. Pinging works, as do "reputation-rating services" which rate escrow
agents.

I look to the success of underworld escrow agents (a standard role for
criminal syndicates is to enforce certain transactions "fairly"). Granted,
they are not anonymous. But reputations do indeed build up, even with
pseudonyms (one might say _especially_ with nyms). Lots of issues.

>
>I would guess that most of that information would not be available
>from an anonymous escrow agent, at least not in a validated form.
>Perhaps some of it could be done with credentials (a blinded statement
>from a reputable accounting firm that (this?) escrow agency has assets
>of $X).  But generally thinking I think it will be very difficult to
>get nearly as much high-quality information about an anonymous escrow
>agent.

By the way, Hal several times talks about the "assets" of the escrow agent.
In general, a bonding is not needed, as the held items are *of no value* to
the escrow agent, in many cases I can see. There are two cases to consider:

1. Items held by AEA are unusable to the AEA, e.g., encrypted secrets and
money. (There's the issue that the AEA doesn't know if it's holding
worthless bits or valid digicash, for example. Again, ways of approaching
this, and the protocols will likely evolve with time.)

2. Items, or one half of them at least, are usable by the AEA. For example,
the equivalent of $100,000 is transferred to the AEA.

It's mostly this second situation I'm dealing with, as Hal is. But I
mention the first to give a hint about using protocols which blind the
transactions even from the AEA. How it all shakes out is, not surprisingly,
unclear.

Also, webs of AEAs, somewhat like "reinsurance" amongst insurers, can have
positive effects. A complicated point to discuss here, but related to the
difficulty of maintaining frauds consistenly in the presence of multiple
agents, all unknown to each other.

>
>This leaves the possibility of using its public record to judge
>trustworthiness.  It may be able to offer certified statements (again,
>credentials of a sort) from earlier customers to show that it behaved
>honestly.  Tim has suggested "pinging" such businesses, performing
>various dummy transactions to make sure that they are still behaving
>honestly.  All this can help establish a record, but how well can this
>be extrapolated into the future?

Bear in mind that an anonymous escrow agent (AEA) is effectively no
different from a _digital bank_! I thought this point was pretty clear, as
I was discussing AEAs in the context of being a slightly different kind of
bank, but maybe it wasn't.

Consider one's bank today, even a small, poorly-capitalized one. It can
always 'defect' and claim that one's money was already withdrawn, (Yes,
there are complicated crypto protocols designed to prevent this, or lessen
the chances. The crypto community is generally interested in mathematical
rigor, not surprisingly, but reputations are crucial as well. Time-binding,
evolutionary game theory, etc.)


>One of the problems with anonymity which has no underlying identity
>certification is that you are pretty much forced to adopt the stance
>that "the key is the identity."  Your only channel of communication
>with the agent is via its key, and any message signed with that key
>has to be assumed to be coming from the agent.  There is nothing else.

Yes, the purist stance. What else could there be and still act as we wish
it to? This is not to say that customers could not voluntarily arrange all
sorts of additional checks and balances, such as:

- biometric security (retinal, thumbprint, earlobe shape, voice, handwriting)

- protocol limits ($1000 a day withdrawal, required "co-signers," etc.)

(co-signers, time delays, guardians, all are possible, and may even be a
good idea...I, for one, would take steps to make sure that my total assets
are not accessible via a single number. Nothing unusual about this, just a
small matter of programming.)


>The problem with this is that keys are not people.  People, and
>businesses, have a certain continuity, a certain predictability.  Keys

Well, Hal, this argument applies to all pseudonymous exchanges, not just
the AEA idea. (A meta-point I've made in several ways is that parties to
these transactions will be "first-class" objects, that is, there is no
compelling reason to have a distinction between "customers," "merchants,"
"bankers," and "escrow agents." Such niche distinctions may evolve, as
agents fill various roles more than others, but the software structures
need not skew the transactions in any preferential way. I can imagine many
transactions in which agents fill several roles. Indeed, we all do this
with cash all the time: we act as buyers, sellers, holders of money in
trust, cashers of checks, etc.)


>do not.  A key may change its personality, literally overnight, and
>you will not have any warning about this.  In an identified business,
>if it changes hands, acquires new management, or has some other change
>which might lead to new behavior, you generally have some warning
>(especially if it is a business which is selling trustworthiness, in
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

A nice turn of phrase, and a key one. AEAs are nothing if not sellers of
trustworthiness. You all know the drill here.

>which case it will probably provide customers with an unusual degree
>of access to the business's internals.)  But with an anonymous
>business this is not the case.  An escrow agent who has been as steady
>as the sunrise for years may, without any warning, become totally
>dishonest.  Hidden behind the shield of anonymity there is no way for
>its customers to discover the change.

Webs of anonymous escrow, the "laying-off" of escrowed amounts to a set of
other AEAs (picked by customers, mutually, like a jury perhaps) could
further lessen risks. (My hunch: Sets of AES, picked this way by the
parties, could increase confidence exponentially. My hunch is that the math
of DC-nets and remailer networks is isomorphic. I'll think about this some
more.)


>What are the motivations for an anonymous escrow agency to stay in
>business, to not take the money and run?  Legal sanctions would
>presumably be ineffective.  One proposal is that as long as the
>expected future stream of income is worth more than the current value
>of all contracts being held by the agent, it is worthwhile for it to
>be honest.

This is a powerful incentive, history has shown. (On a tangent, one reason
'dishonesty' is now rampant, with people wiggling out of contracts and
finding ways to reneg on deals is that we've largely replaced local
sanctions--including things like tarring-and-feathering cheats--with
"governmental actions," which can take many years to reach justice, if
then.)

>
>There are a couple of problems with applying this.  First, it is
>necessary to know about how many contracts the agent is holding at one
>time.  But this will be complicated by the possible desire on the part
>of many customers to keep their activities secret (even beyond their
>presumed shield of anonymity).  So there must always be the worry that
>more contracts are in progress than you suspect.  This is especially
>true when you consider the possibility that other agencies may
>secretly be owned by this one.

Hence the use of multiple AEAs, picked by the customers "randomly" (or
based on private reasons) and mutually (protocol: each submits list of
acceptable AEAs, intersection is picked, or variants of this idea). Makes
collusion more difficult. (Anonymity helps becasue pressures cannot
directly be applied. Back channels exist, though, perhaps. Playing
"Anonymous Monopoly" might be a useful thought experiment.)

...
>But combine this with the ease with which a key can change its
>personality without warning and it suggests that even a long track
>record of stability could be fragile.  The business is passed from
>father to son, it is acquired, it is coerced away, the owner
>experiences a change of circumstances due to illness or other
>catastrophe, and suddenly the agency has changed.  Now, future income
>doesn't look so attractive compared to present money.  Now, the owners
>have an incentive to close the business and (I firmly think the word
>applies) cheat their customers.

Yes, this is a risk. But also a risk in non-anonymous transactions. (The
people boarding the jets to Brazil.)

Well, this ends on a minor comment rather than a major essay point, but
perhaps this is best.

Meanwhile, the best sunshine part of the day has passed without me getting
down to the beach, so I'll close now and try to get out and catch some
remaining rays.

The remaining posts from Hal I'll respond to tonight.


(ObNukeThread: Micronukes with yields of a kiloton or less are possible
with as little as 10 grams of Pu. The key is the computer-intensive design
and precise implosion sequenve. But such secrets will be amongst the first
high-value secrets sold in digital black markets. I'm not worried: so we'll
lose a couple of cities someday. Big deal. Six billion people and
more...they'll make more.)

--Tim May

..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
[email protected]       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
"National borders are just speed bumps on the information superhighway."