From: nobody@rosebud.ee.uh.edu
To: cypherpunks@toad.com
Message Hash: 2cdf6533cdc573af7dc61808e93d331e8e7a6c3e9ae93bcb9c6d644603b94fa4
Message ID: <9308180700.AA20607@toad.com>
Reply To: N/A
UTC Datetime: 1993-08-18 07:00:53 UTC
Raw Date: Wed, 18 Aug 93 00:00:53 PDT
From: nobody@rosebud.ee.uh.edu
Date: Wed, 18 Aug 93 00:00:53 PDT
To: cypherpunks@toad.com
Subject: Physical to digital cash, and back again
Message-ID: <9308180700.AA20607@toad.com>
MIME-Version: 1.0
Content-Type: text/plain
> A simpler variation...
> Customer sends cash or money order to digital bank, along with a floppy
> with an anonymous email address (via a remailer) and a public key.
For any real business, the customer comes from the 99.99%
of the population that are not hacker/cypherpunks, not the one or two
dozen people who are. These protocols aren't at all simple for the
customer, unless the vendor (the same or another vendor) provides some
free software on the net or by mail to automate the process (eg PGP with
a user-freindly shell for generating the key, and a script for creating
an anon e-mail address). But then we have several steps:
(1) customer reads ad about cool net.service
(a) they contact directly (but this ruins privacy)
(b) they contact independent distributor of
PGP key and anon-remail address generating software.
(but how does customer trust _them_?)
(2) vendor sends key & address generators (via e-mail or floppy),
and physical-mail-security instructions
(3) customer sends in money order (from mail drop or without
return address!) along with chosen anon e-mail address and public
key.
(4) vendor sets up account and e-mails the d-cash.
(5) we still need a physical mail drop or bearer bank
account for withdrawals, refunds, etc. of physical cash.
Pretty exhausting for the typical service industry. Most customers
will pick the service that's easier to sign up for, even if some
ivory-tower critics criticize its security. Security and privacy
are very easy to hype, but often difficult to prove to the layman,
who doesn't know or care about the math. Digressing a bit,
we could use some sort of independent (not government-run please!)
certification company, which takes (perhaps in alliance with
liability insurance providers) responsibility for examining the
service's computer programs and protocols and giving out "privacy ratings".
Secure vendors could then use "Whit Diffie certified, top privacy
rating" in their ads.
Also, the issue of which parts of these schemes are *legal*
is critical, but being completely overlooked. Any lawyers
out there with comments on this? The best protocols for legal and
illegal operations may be very different, legality of digital cash
will vary between jurisdictions, etc. And what about
certifying agencies that call a protocol "insecure"
simply because it supports activities illegal in their jurisdiction,
not for any reasons of physical or software privacy?
The cases of illegality and physical/software security are
both important risk factors for the vendor, customers, and
liability insurers to consider, but ratings for each should
be quite distinct.
But this discussion is too abstract. We need a real, visceral example.
The enclosure below illustrates some of the some legal and privacy
issues of a Mom & Pop BBS operation in the pre-d-cash era. This
service could use some privacy -- it's an on-line football game
with a $35 sign-up fee and cash "prizes." I don't know whether or not
it's legal for the vendor, but it's certainly illegal for a significant
subset of potential net.customers. There will be thousands of these
little on-line services springing up in the near future, if there
aren't already. The BBS# is area code (802), but I've lost the rest
of it, sorry. You can call their voice# toll-free for more info.
Sports Spectrum Ltd. (800) 639-3719 (voice)
-----------------------------
P R I V A C Y N O T I C E
-----------------------------
Pursuant to the Electronic and Communications Privacy Act of 1986, 18
USC 2510 et. seq., Notice is Hereby Given that There are NO FACILITIES
PROVIDED BY THIS SYSTEM for SENDING or RECEIVING PRIVATE OR
CONFIDENTIAL ELECTRONIC COMMUNICATIONS. ALL Messages Shall be Deemed to
be Readily Accessible to the General Public.
Do NOT Use this System for ANY Communication for Which the SENDER
Intends ONLY the Sender and the Intended Recipient(s) to read. Notice
is Herby Given that ALL Messages Entered into this System CAN and MAY
Be READ by the Operators of this System, WHETHER OR NOT they
are the Intended Recipient(s).
By Your Use of this System, You Agree to HOLD HARMLESS the
Operators Thereof Against ANY and ALL CLAIMS Arising Out of Said Use
NO MATTER THE CAUSE OR FAULT.
]
....
Please remember that this password is protecting yourself against the
unauthorized use of YOUR credit card. Please take all necessary precautions
to guard it. Since all communications between customers and Sports Spectrum
Ltd. occur via computer-to-computer, the password is the only way for Sports
Spectrum Ltd. to verify that it is actually you on the other end of the
phone connection. Gaining access to Sports Spectrum Ltd.'s service by
invoking your password at logon time implicitly authorizes the use of your
credit card to pay for any subsequent purchases during that particular
session.
-----------------------
Return to August 1993
Return to “nobody@rosebud.ee.uh.edu”
1993-08-18 (Wed, 18 Aug 93 00:00:53 PDT) - Physical to digital cash, and back again - nobody@rosebud.ee.uh.edu