You want to send someone a message that nobody else can read. The solution is encryption, some way of scrambling the message before you send it that the recipient can reverse. To do that he will need a key, a description of how to unscramble the message.
There is a problem with this solution if we are talking not about communications between a government and its embassies but between ordinary people, including ones who have never met each other. If I do not have a safe way of sending a message I may not have a safe way of sending a key. If someone intercepts the key en route and copies it, he will be able to read my future messages.
The solution, invented some decades ago, is public key encryption. It depends on a mathematical procedure that generates a pair of keys with a special relationship: A message encrypted with one key requires the other to decrypt it. One of them, your public key, you send to all and sundry, publish online, make as widely known as possible. The other, your private key, never leaves your control.
Anyone can now write a message that only you can read by encrypting it with your public key, to be decrypted with the private key that only you have. If a spy has a copy of your public key, he can send you secret messages too. But he cannot read messages other people send you, even if he succeeds in intercepting them, because doing that requires the private key.
Public key encryption not only solves the problem of secure communication over channels that may be monitored by other people, it also solves the problem of proving your identity at long distance. Suppose I want to send a message to a stranger and prove that it is really from me. I encrypt the message with my private key, add an unencrypted note saying that it is encrypted with my private key, encrypt message plus note with his public key, and send it to him. He decrypts with his private key, reads the note, then decrypts the message using my public key. He now knows that the message was encrypted by someone who possessed the private key that matches my public key, hence that it is from me. That is the essence of how digital signatures work.
Suppose the intended recipient does not know my public key but does have the public key of some organization that both of us consider reliable—American Express, the Catholic Church, the Electronic Freedom Foundation. I go to that organization, show them my public key and my identification documents. They write me a digital certificate stating that this public key belongs to the David D. Friedman who teaches at Santa Clara University and is the author of The Machinery of Freedom. They sign it using their private key. I attach the certificate to my signed message and send it. The recipient checks the signature on the certificate using the public key posted on the door of every American Express office in the world. He now knows my public key. If I do not entirely trust American Express, I send him separate certificates from a half dozen different authorities. Unless they are all working for the National Security Agency, I should be safe.
What if what I want to prove is not my realspace identity but my cyberspace identity, that I am the same online persona he has interacted with before? That persona is associated with the public key he used to encrypt the messages he sent it. I prove my online identity by using the matching private key to sign the messages I send him.
As this example demonstrates, public key encryption not only makes possible secure communications, it can also make it possible to combine reputation with anonymity, to have an online persona with a reputation without having to tell anyone in the world, including those you deal with as that persona, who you are, how old you are, or what continent you live on.
There are still two ways in which an observer, possibly from the IRS or the NSA, might identify you. One is by observing where emails come from and go to. The other, assuming that you are engaged in economic transactions online, is by following the flow of money.
Public key encryption makes counter measures possible. The solution to traffic analysis is an anonymous remailer. You encrypt your message with the public key of the intended recipient, add a note with his email address, encrypt the whole thing with the public key of the remailer, and send it to them. The remailer strips off the top layer of encryption, reads the email address and forwards the message. The remailer has thousands of messages coming in and thousands coming out; incoming and outgoing cannot be matched up since they differ by one layer of encryption. Even an observer who can see every message, who sent it, and who received it, cannot link the original sender to the final recipient.
What if the remailer has been taken over by whomever you are trying to keep the information from? For that problem too there is a solution. The forwarding address of your email is not that of the recipient but of another remailer. Stripping off the top layer of encryption reveals that address and exposes a second layer of encryption, this time done with the second remailer’s public key. Bounce your message through ten remailers on its way to the intended recipient and, unless all ten are owned by the same bad guys, no observer can link sender to recipient.
The problem of online payments can be solved by another application of encryption technology, anonymous digital cash, a technology first worked out by David Chaum, a Dutch cryptographer. It is a way in which one person can make a payment to another by sending him a message without either party having to know the identity of the other and without the bank holding the money knowing the identity of either. Readers sufficiently interested and with a sufficient mathematical background should be able to find the mathematical details with a little online searching. For the rest I offer a low tech version:
Low-Tech Anonymous Ecash
I randomly create a very long number. I put the number and a dollar bill in an envelope and mail it to the First Bank of Cybercash. The FBC is committed to do two things with any money it receives in this way:
- If anyone walks into the FBC and presents the number, he gets the dollar bill associated with that number.
- If the FBC receives a message that includes the number associated with a dollar bill it has on deposit, instructing the FBC to change it to a new number, it will make the change and post the fact of the transaction, not including the new number, on a publicly observable bulletin board. The dollar bill will now be associated with the new number.
Alice has sent the FBC a dollar accompanied by the number 59372 (actually a much longer number, to make it harder for other people to guess it—I’m simplifying). She now wants to buy a dollar’s worth of digital images from Bill, so she emails the number to him in payment. Bill emails the FBC, sending them three numbers: 59372, 21754, and 46629.
The FBC checks to see if it has a dollar on deposit with number 59372; it does. It changes the number associated with that dollar bill to 21754, Bill’s second number. Simultaneously, it posts on a publicly observable bulletin board the statement “the transaction identified by 46629 has gone through.” Bill reads that message, which tells him that Alice really had a dollar bill on deposit and it is now his, so he emails her a dollar’s worth of digital images.
Alice no longer has a dollar; the FBC no longer has a dollar associated with the number she knows, so if she tries to spend it again the bank will report that it is not there to be spent. Bill now has a dollar, since the dollar that Alice originally sent in is now associated with a new number and only he and the bank know what it is. He is in precisely the same situation that Alice was in before the transaction, so he can now spend the dollar to buy something from someone else. Like an ordinary paper dollar, the dollar of ecash passes from hand to hand. Eventually someone who has it decides he wants a dollar of ordinary cash instead; he takes his number, the number that Alice’s original dollar is now associated with, to the FBC and exchanges it for a dollar bill.
It may be low tech, but it meets all of the requirements. Payment is made by sending a message. Payer and payee need know nothing about the other’s identity beyond the address to send the message to. The bank need know nothing about either party. When the dollar bill originally came in, the letter had no name on it, only an identifying number. Each time it changed hands, the bank received an email but no information about who sent it. Even if the bank identifies the person who finally comes in for the dollar, he has no way of tracing it back up the chain. The virtual dollar is just as anonymous as the paper dollars in my wallet.
A World of Strong Privacy
Imagine that public key encryption for secure communication and identity, a network of digital remailers, and some form of anonymous digital cash are all in common use. Further suppose that technologies such as virtual reality are far enough developed so that many people spend large parts of their lives interacting online. The result is a world, cyberspace, with a level of privacy humans have never known.
It is hard to tax what you cannot see. If you earn money in realspace and spend it online, the government can tax your income. If you earn money online but spend it in realspace, the government can tax your spending. If you earn money online and spend it online, both income and expenditure are invisible to the IRS.
It is hard to regulate what you cannot see. Suppose I want to sell legal advice, despite not being a member of the bar. I create a web site and an online identity: Legal Eagle Online. Also a public key. I spend the next year building my reputation by offering legal advice for free, good legal advice, as those who take it discover. Thereafter I charge for it, accepting payment in digital cash. I am violating state licensing rules. But since the Bar Association has no idea who I am or where I live, there is no way they can enforce those rules against me.
Generalize those examples and you have a world where governments control realspace but cyberspace is stateless.
Force and Fraud: Law Enforcement In an Online Anarchy
Force is mostly not an option in cyberspace; the internet protocols do not provide for the transmission of bullets. To kill someone in realspace, even to arrest him, you have to know who he is. Fraud remains a problem.
Consider contracts. I hire you to write me a computer program. If I pay in advance I may never get the program. If you code in advance you may never get paid. The solution is reputational enforcement. You are not willing to code in advance unless I have a history of performing on my contracts in the past, a history linked to my online identity and a reputation that will be at risk if I receive the program and then refuse to pay for it. I am not willing to pay in advance unless you have such a reputation.
To make it work, we need some way in which interested third parties, people who might want to do business with one of us in the future, can tell, if a dispute arises, which of us cheated. The solution is arbitration. Our contract, digitally signed by each of us using his private key, includes the public key of the arbitrator that we have agreed to. If a dispute arises, the arbitrator decides which of us owes what to the other. If the losing party fails to pay, the arbitrator writes up a statement to that effect, digitally signs it with his private key, and gives the signed document to the prevailing party to post on a web page with the other party’s name all over it. Anyone who wants to check the reputation of the losing party does a web search, finds the document, and discovers that that party can not be trusted to abide by the decision of the arbitrator he himself chose. He can verify that by checking the digital signatures. No further research required.
What if neither party has a reputation to lose? They rent the reputation of a third party, an escrow agency. Each makes a deposit with the escrow agency and agrees that it will forfeit to the other if the arbitrator they have agreed on so rules. Readers are invited to think through for themselves further problems that might arise and how they might be dealt with.
Everything I have described so far we have known how to do for several decades now. Public key encryption is widely used to protect online commerce but the infrastructure has not developed to the point where everyone has a key pair, where digital certificates are routinely used to link public key to real space identity, where a large fraction of online communication is protected by end to end encryption and sent through digital remailers. Anonymous ecash was proposed by Chaum in 1990 but does not yet exist, probably because it requires a trusted bank, banks are heavily regulated, and the existence of anonymous ecash would eliminate an important tool of law enforcement.
That last may be changing, thanks to the introduction of a different sort of eCash called Bitcoin. Bitcoin is not only not anonymous, it is the least anonymous form of money that has ever existed, since every transaction is visible to every holder of Bitcoins. But the transaction is identified by an account, not a realspace identity, and it is apparently possible, by adding procedures analogous to anonymous remailers, to delink payment and receipt, converting it into a fully anonymous currency. Its great advantage over Chaum’s version is that it does not require a trusted issuer. Readers interested in details can investigate them online; an adequate treatment would take a fair fraction of another book.
The problems produced by the lack of the rest of the infrastructure were demonstrated in 2013 by Snowden’s revelations about the activities of the National Security Agency. Not only was it getting information from the phone companies about who called whom when, it was monitoring online activity on a large scale, in part by legal search warrants, in part by methods whose legality depended on a secret interpretation of the relevant statutes, in part by activities that, if Snowden’s account was correct, were flatly illegal. One feature of criminal law in the U.S. at present is that only the government can prosecute it, which is convenient for criminals who commit crimes that the government approves of.
Widespread adoption of end to end public key encryption and the use of anonymous remailers would make impossible most of what the NSA has been doing, although they could still go after inadequately protected private keys, perhaps by hacking into the computers that held them. No security system that I know of is safe against human error; exploiting such error has been, in the past, a central feature of successful intrusion.
Revelation of what the NSA has been up to has increased the pressure for action by firms and individuals to protect online privacy, but there remains a practical problem. For most of us, encrypting our email only pays if most of the people we interact with are part of the public key infrastructure, with key pairs and the necessary software. As long as they are not we will not, and as long as we do not they won’t. A further problem is that encryption and anonymous remailers only protect privacy if lots of people are using them. As long as there are only a few, using them puts you at risk of being identified as having something to hide. A future of strong privacy online is possible but far from certain.
In my Future Imperfect, where I discussed these issues at greater length, I paired them with a technological development in the opposite direction: surveillance. The combination of inexpensive video recorders, face recognition software and database technology could create, arguably is creating, what David Brin called the transparent society, a world where everything that happens in public places is recorded and findable. Fast forward a little further to the point where inexpensive video cameras are available with the size and aerodynamics of mosquitos, and transparency may not be limited to public places.
Imagine a future where cyberspace has more privacy than we have ever known, realspace less. How private or public that world is will depend on how much of our life is lived in cyberspace and how well we can protect our connection to cyberspace from realspace surveillance. It does no good to protect your email with strong encryption if a video mosquito is watching you type.
Welcome to the future.
This chapter is dedicated to Tim May, a founder of the Cypherpunk mailing list where many of these issues were raised and argued out some twenty years ago, and to Verner Vinge, computer scientist and science fiction author, whose story “True Names,” published in 1981, pointed out the possibilities of online anonymity.