Dining with the cryptographer
For Chaum, the politics and the
technology reinforce each other. He believes that as far as privacy is
concerned, society stands at a crossroads. Proceeding in our current direction,
we will arrive at a place where Orwell's worst prophecies are fulfilled. He
delineated the problem in an essay called "Numbers Can Be a Better Form of
Cash Than Paper." "We are fast approaching a moment of crucial and
perhaps irreversible decision, not merely between two kinds of technological
systems, but between two kinds of society," says the article, published in
1991. "Current developments in applying technology are rendering hollow
both the remaining safeguards on privacy and the right to access and correct
personal data. If these developments continue, their enormous surveillance
potential will leave individuals' lives vulnerable to an unprecedented
concentration of scrutiny and authority."
In the early 1980s, Chaum
conducted a quest for the seemingly impossible answer to a problem that many
people didn't consider problematic in the first place: how can the domain of
electronic life be extended without further compromising our privacy? Or - more
daring - can we do this and increase privacy?
In the process, he figured out
how cryptography could produce an electronic version of the
dollar bill.
In order to appreciate this, you
have to consider the apparent obstacles to such a task. The most immediate
concern of anyone attempting to produce a digital form of currency is copying.
As anyone who has copied a program from a disk to a hard drive knows, it is
totally trivial to produce an exact duplicate of anything in the digital
medium. What's to stop me from taking my one Digi-Buck and making a million, or
a billion, copies? If I can do this, my laptop, and every other computer,
becomes a mint, and infinite hyperinflation makes this form of currency
worthless.
The answer to the problem of
digital duplication lies in using digital signatures to verify the authenticity
of bills. Only one serial number would be assigned to a given "bill"
- the number itself would be the bill - and when the unique number was
presented to a merchant or a bank, it could be scanned to see if
the virtual bill was authentic and had not been previously spent. This would be
fairly easy to do if every electronic unit of currency was traced through the
system at every point - but that would bring about exactly the kind of
surveillance nightmare that gives Chaum the chills. How could you do this and
unconditionally protect one's anonymity?
Chaum began his solution by
coming up with something called a "blind signature," a process by
which a bank, or any other authorizing agency, can authenticate a
number so that it can act as a unit of currency - yet the bank
itself does not know who has the bill, and therefore cannot trace it. This way,
when the bank issues you a stream of numbers designed to be accepted as cash,
you have a way of changing the numbers while maintaining the bank's imprimatur.
One of Chaum's most dramatic
breakthroughs occurred when he managed to come up with a proof - though for a
different application - that this sort of anonymity could be provided
unconditionally, with all the assurance of mathematical proof that no one could
violate it. The idea came when he was driving his Volkswagen van from Berkeley
to his home in Santa Barbara, where he taught computer science at the
University of California in the early '80s. "I was just turning this idea
over and over in my head, and I went through all kinds of solutions. I kept
riding through it, and finally by the time I got there I knew exactly how to do
it in an elegant way."
He presented his theory with a
vivid example: a scenario of three cryptographers awaiting the
check after finishing their meal at a restaurant. The waiter appears. Your
dinner, he tells the cryptographers, has been prepaid. The
question is, by whom? Has one of the diners decided to anonymously treat his
colleagues - or has the National Security Agency paid for the meal? The dilemma
was whether this information could be gleaned without compromising the
anonymity of the cryptographer who might have paid for the
dinner.
The answer was fairly simple. It
involved coin tosses hidden from certain parties. For example, A and B could
flip a quarter behind a menu so C couldn't see it - and then each write down
the result and pass it to him. The key stipulation would be that if one of them
was the culprit who paid for the meal, that person would write down the
opposite result of the coin toss. Thus if C received contradictory reports of
the coin toss - one heads, one tails - he would know that one of his fellow
diners paid for the meal. But without further collusion, he would have no way
of knowing which one. By a collection of coin tosses and combined messages, any
number of diners could play this game. The idea could scale to a currency
system.
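
The coin-toss game as an added simulation (not code from the article). It generalizes the A, B and C telling above to the usual form in which every pair of neighbouring diners shares one hidden coin; the function names are hypothetical.

```python
import itertools
import secrets
from collections import Counter


def announcements(coins, payer):
    """coins[i] is the secret toss shared by diner i and diner (i+1) % n.
    Each diner announces the XOR of the two tosses they can see, and the
    payer (an index, or None if an outsider paid) flips their announcement."""
    n = len(coins)
    out = []
    for i in range(n):
        bit = coins[i - 1] ^ coins[i]        # coin shared on each side
        if i == payer:
            bit ^= 1                         # payer reports the opposite
        out.append(bit)
    return tuple(out)


def someone_at_table_paid(announced):
    """Every coin appears in exactly two announcements, so the coins cancel
    and the XOR of all announcements is 1 only if a diner flipped."""
    parity = 0
    for bit in announced:
        parity ^= bit
    return parity == 1


def run_round(n, payer):
    """Play one round with fresh random coins and return the table's verdict."""
    coins = [secrets.randbits(1) for _ in range(n)]
    return someone_at_table_paid(announcements(coins, payer))


def transcript_distribution(n, payer):
    """Count every announcement vector over all 2**n equally likely coin
    outcomes: this is everything an observer of the announcements sees."""
    return Counter(announcements(c, payer)
                   for c in itertools.product((0, 1), repeat=n))


if __name__ == "__main__":
    print(run_round(3, payer=1), run_round(3, payer=None))   # True False
    # Identical distributions: the announcements say nothing about who paid.
    print(transcript_distribution(3, 0) == transcript_distribution(3, 2))
```

Because the distribution of announcements is the same whichever diner paid, no amount of computation applied to them separates one payer from another, which is the unconditional property Chaum describes next.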
"It was really important,
because it meant that untraceability could be unconditional," he says.
Meaning mathematically bulletproof. "It doesn't matter how much computer
power the NSA has to break codes - they can't figure it out, and you can prove
that."
Chaum's subsequent work, as well
as the patents he successfully applied for, continued to build upon those ideas,
addressing problems like preventing double-spending while preserving anonymity.
In a particularly clever mathematical twist, he came up with a scheme whereby
one's anonymity would always be preserved, with a single exception: when
someone attempted to double-spend a unit that he or she had already spent
somewhere else. At that point the second bit of information would allow a trace
to be revealed. In other words, only cheaters would be identified - indeed,
they would be providing evidence to law enforcement of their attempt to commit
fraud.
This was exciting work, but Chaum
received little encouragement for pursuing it. "For many
years, it was very difficult for me to have to work on this sort of subject
within the field, because people were not at all receptive to it," Chaum
says. For several years in the early 1980s, Chaum attempted to personally
contact the leading lights in privacy policy and share his ideas with them.
"The uniform reaction was
negative," he says. "And I couldn't understand this. It made it all
the harder for me to keep pushing on this, because my academic advisors were
saying, 'Oh, that's political, that's social - you're out of line.' Even the
department head at Berkeley said, 'Don't work on this, because you can never
tell the effects of a new idea on society.' I acknowledged him in my
dissertation, saying it was the rethinking and finally the rejection of this
principle that caused me to do this work."
Eventually, Chaum decided that
the best way to spread the ideas would be to start his own company. By then he
was living in Amsterdam. On a visit with his Dutch girlfriend, he had
fortuitously met up with some academics at CWI, Centrum voor Wiskunde en
Informatica, the nationally funded Dutch Center for Mathematics and Computer
Science in Amsterdam, where he subsequently formed the cryptography
research group. So, in 1990, he launched DigiCash b.v., a subsidiary of the US
company DigiCash Inc., with his own capital and a contract from the Dutch
government to build and test technology to support anonymous toll payments on
highways. Chaum developed a prototype by which smart cards holding a certain
amount of verified cash value could be slipped into a gadget affixed to the
windshield, and high-speed scanning devices would subtract the tolls as the
cars whizzed by. The cards could also be used to pay for public transportation
and eventually other items. Of course, the payments would be anonymous. After
completing that contract (the system has not yet been implemented), Chaum kept
his company active in smart-card applications; some of the projects focused on
cash systems that would be used in a building or complex of buildings. The
DigiCash headquarters, along with several businesses and agencies around the
Netherlands, use the system currently. But to date, the company's operations
have been relatively small-scale, even as the world has now come around to
seeing the significance of the ideas Chaum hatched in isolation. DigiCash
remains independent, without a close alliance with a large partner in banking
or financial services. Chaum feels that in time such partners, at least
licensees of DigiCash technology, will emerge; if so, his paradigm will be a
crucial factor in maintaining privacy in the age of e-money. This is an idea
Chaum believes is worth holding out for.
Some people interpret this as
stubbornness, or at the least poor business practice. "People wanted to
buy David's patents but he asked for too much - he wanted control," says a
former DigiCash employee. "The real problem is that privacy isn't what the
banks want, it isn't what the stores want. They want something easy to use,
fast, and very cheap." (Still, this source guesses that Chaum "has
hung on for so long that he will probably succeed.")
Frustrated by not being able to
use Chaum's patents, some companies have devised their own schemes for
anonymity, which may or may not infringe on Chaum's. More recently, Stefan
Brands, formerly at CWI, has come up with an alternative scheme that has drawn
considerable interest. Brands contends the system absolutely does not infringe
Chaum's patents; Chaum's carefully worded response is, "He's not convinced
me that it doesn't."
The topic of patents is touchy;
Chaum bridles at any talk that equates him with the robber-baron set. In his
mind, the revenues are secondary to the potential effect on society. "It's
my mission to do this, because I had this vision that stuff like this might be
possible, and felt it was my responsibility to do it. No one was working on
this for the good half-dozen years I was; they all thought I was nuts. They
gave me a hard time. We couldn't license, really, without the patents; the
whole purpose of them is to get this stuff out there."
(See also Part I and Part II.)