Topic: Cooperative unmixing for anti-money-laundering (Read 25735 times)

Money laundering is a victimless crime. Financial privacy should not be a crime.

Nice try, NSA 

Money, is money. as long as it isn't counterfit there is no good or bad money. there is most likely money in your pocket that was used in an illegal activity at one time or another. Should we take it away from you?

Don't get me wrong, I'm with your side of the debate, but I couldn't even agree to that. Technical analysis of how torture implements do their job so effectively is not invalid analysis, but if anything it serves to further illustrate how unethical it is, not to diminish it. Admiring the technical side is a little too close to the sort of logic eugenics enthusiasts tended to use.

Good luck. The ones who want to remain private will probably be, for all intents and purposes, untraceable. They're currently doing it now through fiat, despite all the tracking that all the governments and secret service and NSA and all the 3 letter acronym organizations are doing. They'll just do the same thing if they are dealing in bitcoins. Or, they simply won't use bitcoins.

Yeah the idea that people only help law enforcement is forced to is sort of naive. That's why there are videos on YouTube warning people "don't talk to the police" .... for many the natural response is to try and be helpful.

E.g. look at the newest iOS feature that is designed to prevent theft. Apple didn't have to do that but the police were bugging them to do something to reduce iPhone thefts. So they did.

I think a lot of people would do it, if it's easy, low overhead and people generally trust the organisation requesting the trace (so .... not the NSA then)

Widely used personal wallets with built in p2p mixers should have plenty of clean money and people mixing. If mixing is legit, I don't see why that wouldn't happen - everyone wants privacy if the cost is low.

Maybe people wouldn't cooperate for no reward as you say. So do you think a reward-based scheme might work? Remember that with the MPC algorithm the authority won't actually learn anything about you, only about the victim of the trace.

One of the things some coin-mixing services do to ensure timely service, is give a cut of the revenues to large holders who pump clean money in during times where there's too much dirty money (or, at least, a low volume of people mixing a lot of coins). The government would have to offer better incentive, and it'd get expensive fast.

Cooperating with dubious entities for no reward, though, is unrealistic. 90% of non-regulated businesses volunteering information for free to INTERPOL is right around a 0% probability. Governments need to go to people they already have by the balls and just sell it as a "cost of doing business," which naturally creates more pressure on entities to stop submitting to regulation entirely. It might actually be most cost-effective to just buy the mixers, where governments "happen" to figure out what goes where. Either the services are outed individually, or mixing is generally considered unsafe, the latter being the greatest win.

Oops, yes. I look forward to reading your research.

Actually I have an alternative design for handling taxation. Tracking taint is better for cases where you know a particular output was obtained via {theft, kidnap, fraud, etc} or you know an output is owned by a particular person (e.g. it's their salary) and you want to find them real fast.

For tax evasion the problem is you, by definition, don't know what outputs are owned by that person. In this situation properly configured incentives can encourage reporting.

I intend to write more on the topic of taxation in a decentralised system later this year.

Thanks for all the support in this thread Mike.

I'll delve briefly into the political debate myself:

Once there's a significant number of Bitcoin businesses using tax evasion as their competitive edge, the authorities are going to get nasty pretty quick. Where do people see this going? So far I've really only seen 2 responses:

• Go black-market. Sure, you can. But if at least part of the Bitcoin market is legitimate, Bitcoin can have a much greater influence and utility.
• Some form of tainting. If we're really lucky this might be something like what Mike's proposed in the other thread. I suspect what we'll end up with will be much more draconian though. You can still have your black-market at the same time as this.

EDIT: This sounds pessimistic, but I'm actually really enthusiastic about Bitcoin's long-term prospects, and of course have some coins myself. I just think it's good to think about the bigger problems when there's actually a lot of stuff you can do to combat it.

If you read my original post (linked to from the first post in this thread) you will see it has an entire section discussing the definition of crime.

Oh how cute. Who gets to decide what is a "crime" and what is not?

What about jurisdictional issues? Do people get their coins tainted or addresses blacklisted if they engage in an activity that is "legal" where they live but the Central Taint Council doesn't accurately determine jurisdiction? Then do they have to hire a lawyer and appeal to get the taint removed? What about even trickier jurisdictional issues, like people selling pot in Colorado where it's legal in that state but not according to federal law? Will that person not be allowed to sell their coins at MtGox if MtGox participates in a certain blacklist? Lol.

I'm sure people will try this or some related scheme. I'm sure it will not be even remotely successful. We'll run into the same problems we run into with state law enforcement, except it will be 100 times messier, more corrupt, and unethical.

EDIT: For the record, I understand that the technical solutions behind this are intellectually stimulating. So I'm not attempting to trash the discussion. I just think actual implementation of cooperative unmixing, tainting, blacklisting/whitelisting addresses, any "lazy crime-fighting" attempts will end badly.

The issue with custom PSI protocols is they tend to be vulnerable to full-set intersection attacks.

Thanks for your thoughts everyone.

I probably should have done a bit more reading and led with the MPC solution, which doesn't leak your private data to the authority at all. If used over Tor (ouch, slow!) it fully addresses the concerns about unmixing being voluntary.

Basically multi-party computation (MPC) is a magic box for lots of people combining their secret data and calculating some aggregate values, without anyone knowing anyone else's data. The aggregate values can be shown only to certain people.

The theory says that there's an MPC algorithm for every problem in NP, the only question is how fast it is (these algorithms can be prohibitively slow). There's a ton of research being done here, and it's getting faster every day. The paper Mike referenced had working code for doing private set intersection on an Android phone in a reasonable amount of time, and I also found a later paper claiming to have beaten that performance using a custom PSI protocol.

I think this problem needs MPC signature verification as well as set intersection - you want every (input, output) pair to be doubly signed, otherwise malicious colluding adversaries can wholly implicate non-participating parties.

On quotas, I was imagining quotas would be an incentive for greater transparency; people have bigger quotas for more transparent/democratic organizations.

Payment/reward for financial history is really interesting. There might be some gaming attacks to be done for profit. I wonder if a contract could be devised such that if someone pays the asking price for some output in a tx, they'd be guaranteed to get back a signed input in the same tx.

I like the idea of loss-of-privacy being your choice.  Let the "who cares if the government strips me of my privacy" people give it up on their own without eroding the privacy of everyone else. 

Maybe the central banks can give them a cookie as a reward.

Right, nobody talks about something similar for Tor. The result is that the police come up with their own approaches for tackling criminal activity there, for example, the Dutch police have a history of hacking hidden services. Perhaps you feel state sponsored hacking is OK. What about state sponsored DoS attacks? It's not a big step.

Anyway, Tor operates in a different space to Bitcoin. Communication and web hosting is largely unregulated and freedom of speech is a well defended right, at least in the USA. The internet started out being pretty anonymous, Tor makes it slightly more so but isn't really a game changer in that regard. So people tolerate it.

Unfortunately there is no such history in the monetary realm. It's starting from a much less anonymous, more controlled point. Anonymous currency exchanges do get wiped out. There's no inherent right to "freedom of money" in most countries, financial censorship and control is rife. It's a much bigger leap. Not undoable, but not easy either.

Arguing "the real world wasn't designed to accept an anonymiz-able system" is not valid. We're challenging what people accept, this is a social construct, not a force of nature. That's the entire point. To change money, not keep it the same.

Satoshi designed a digital cash/gold style analogue. That design would be contradicted by any such tainting schemes. This is not difficult to grasp.

I agree.  Mixing coins is not just for hiding illegality.  If I have 500 BTC at address A, and send 10 to B my hot wallet for my vacation (or to buy a Starbucks or some tequila) C will not be certain that I own A.  With pattern analysis however C can become more confident that I do and then your net BTC worth becomes much more public and you become a target.

Sure, you have a certain degree of anonymity if you are only buying online VPN services, but as soon as you purchase anything offline, you are tying one address and its chain of antecedents to you which drops your anonymity significantly.  With a usage pattern available, it becomes more troublesome.

If I were Satoshi and wished to remain anonymous, I would be holding my coins until they are p2p mixing services established and well used prior to moving coins or he would be outed quite quickly.  (Non-p2p are okay, but logs are kept and you are relying on a third party to be honest and not monitored.)

Cooperative unmixing is only really voluntary if the people participating in the unmixing are anonymous. Otherwise you have known and non-anonymous individuals facing the charge of obstructing a police investigation. Though I will grant that it has the possibility of delaying investigations through multiple jurisdictions, not unlike the Tor model. Tor however is always pretty clear that participants are expected to not maintain logs, for a reason. So the question is why do we want to move away from that model? You have to ask what is so different about finance verses information that we suddenly give up our resolve to allow people freedom.

No-one talks about co-operative unmasking for Tor operators "just in case" we want to trace a crime committed over Tor that the community can agree on.