From: jim@bilbo.suite.com (Jim Miller)
Date: Tue, 14 Dec 93 17:00:29 PST
To: cypherpunks@toad.com
Subject: anonymous video rental store
Message-ID: <9312150059.AA15316@bilbo.suite.com>
MIME-Version: 1.0
Content-Type: text/plain




I couldn't sleep last night and, as is often the case, my brain gets a  
mind of its own and starts thinking irrelevant thoughts.  The irrelevant  
thought that occupied my brain's mind last night was "anonymous video  
rental store - Is it possible?"

Ignoring for the moment the "fact" that video rental stores will some day  
go the way of the dinosaurs, would it be possible to structure a video  
rental store with the following properties:

1) The store could not track which customers rented which tapes.

2) The store *could* tell which tapes get rented and which tapes do not  
get rented.  The store would adjust it's selection of tapes based in this  
information. (get more of the popular tapes, remove the unpopular ones)

3) The store could some how penalize customers that returned tapes late,  
or not at all.  The nature of the "penalty" is flexible.  This implies  
that the store could somehow verify that the tape a customer returned is  
the same tape the customer rented, but without discovering which tape it  
is.  (I believe this is the hard part)


I have a partial solution.  Here it is:

The store is arranged like a Blockbuster video store in that there are a  
bunch of shelves with videos on them.  For each video, there is a box  
describing the video and a variable number of tapes co-located with the  
box.  In a Blockbuster video store, the tapes are in plastic cases that  
identify the video on the tape. In the AVRS (Anon Video Rental Store), the  
plastic cases would not contain any identification.  However, the tapes  
themselves *would* contain some kind of identification (stickers with  
video name and bar code, for example)

When a customer enters the AVRS, it (the customer) grabs a random handful  
of tokens from an "available" bin.  These tokens each contain a unique  
identifier.  The customer walks around the store searching for videos.   
When the customer finds a video, it takes one of the plastic cases  
(opening it to verify it really is the movie it wants).  The customer  
inserts one of the tokens into a pocket that exists on the outside of the  
plastic case.  The pocket is transparent and the token's identification  
number can be seen.

The customer selects the videos it wants, inserting tokens into pockets.   
When the customer is done, it returns the unused tokens to the "available"  
bin and proceeds to the check-out counter.

The customer hands the clerk an AVRS id card.  The AVRS id card contains  
information about the customer (TBD).  The clerk at the checkout counter  
scans the id card and the tokens that were placed in plastic case pockets.   
From this information, the AVRS knows that the customer identified by the  
AVRS id card has rented N tapes on a given day.  (Actually, all the clerk  
*really* knows is that the customer has rented N tokens.)  The clerk  
collects some money, the customer leaves with the plastic cases, tapes,  
and tokens.

The customer returns to the store a couple of days later.  The customer  
removes the tokens from the case pockets.  The customer places the plastic  
cases (with tape inside) in a "tape return" bin and places the tokens in a  
"token return" bin, and then leaves.

Periodically throughout the day, a clerk examines the tapes in the "tape  
return" bin.  The clerk opens each case and scans the bar code on the  
tape.  This way the AVRS can track which tapes get rented and which tapes  
do not get rented.  The clerk returns the plastic cases (with tapes) to  
the shelves.

At the end of the day, a clerk collects the tokens from the "token return"  
bin and scans them.  The computer marks the tokens as returned and clears  
the appropriate customer record.  The clerk places the tokens in the  
"available" bin.

----

The most obvious problem with this scheme is that the store has no way of  
knowing if the tape the customer returned is the same tape the customer  
rented.  A customer could return a blank tape without getting caught.

(A less obvious problem with the scheme is that the store could use  
surveillance cameras to identify which tapes the customer selected, but I  
chose to ignore that problem.)

The problem to solve, then is: how can the store catch dishonest  
customers, yet be unable to track which customer rented which video?

There needs to be an additional step at the time a customer returns a  
tape.  The store needs to be able verify that the tape a customer is  
returning is a tape that was rented from that store and is not overdue.   
The store doesn't need to know what tape it is, or who is returning it,  
just that it came from that store and is not overdue.  If the tape *is*  
overdue, then the customer must personally return the tape to a clerk and  
pay a fine. (and risk a bit of anonymity)

Perhaps we could embed some electronics in the tape cassette (or sticker)  
that would enable a clerk to store a signed "due-back" timestamp on the  
cassette without being able to store any information that would identify  
the tape.  The signed timestamp would have to be transferred through the  
plastic case, since opening the case would reveal the tape inside.  Sounds  
sort of like a blind signature.

Needless to say, it should be difficult for the customer to tamper with  
the information on the cassette.

Any comments or better ideas?


Jim_Miller@suite.com