I thought Gavin said ordinary people don't care much about anonymity. I'm not sure I concur, but it is a valid and important distinction between privacy and anonymity. With the right tools bitcoin does well with the former. Zerocoin addresses the latter.
You can get privacy without anonymity, eg as with the committed coins idea
https://bitcointalksearch.org/topic/blind-symmetric-commitment-for-stronger-byzantine-voting-resilience-206303, only the sender and the recipient get to see the coins and who is spending to who. (Unfortunately the committed coin privacy is not ideal because later people in the transaction chain of committed-form respends necessarily have to learn all previous details for validation reasons).
Some of the privacy focused ecash systems distinguished between payer anonymity and payee anonymity. As a buyer you dont necessarily want all your payments to allow the public, the (ecash) bank nor the merchant to track which say ebooks you are reading. It none of their business.
However the usual argument to blackmail crime scenario is that the criminal cant do that if there is only conditional payee anonymity (ie the spender colluding with the ecash bank can identify who the receiver is). In bitcoin there is no bank to collude with, but you could imagine arbitrators in that role, or that the payee is identified to the payer (but no one else). And of course the identify the recipient ignores identity theft, and assumes criminals are mindless non-adaptive automatons so its a fairly weak argument IMO. In any system that strips privacy, the people who suffer loss of dignity and privacy invasion are the normal users, the criminals can still get privacy via identity theft, fake identities, buying fake identities from corrupt employees of government id issuers etc. And criminals still launder money en-masse even with regular banks. HSBC which reportedly laundered $880m of significantly dirty mexican drug cartel and even terrorist money and faces a $1.9b fine. http://www.guardian.co.uk/business/2013/may/23/hsbc-court-threat-money-laundering-charges Probably HSBC are going to walk away with the fine only (too big to jail despite the posturing).
Another possibility is it would be technically possible for the spender to be convinced who the recipient is without being able to prove it to other people eg with a ring signature, non-transferable signature, or designated verifier signature (the spender being the designated verifier).
Being able to sell things anonymously is a different and actually separable feature. But people have also made pretty convincing arguments about why individuals should have the right to retain privacy while selling physical or virtual goods in a free society.
But I do think bitcoin ideally needs to find an efficient way to fix the fungibility problems with taint. Payer privacy without payee privacy might not fully fix that as a payer who claims he didnt make the payment (claims the thief made the payment using the victims wallet to the thief) the victim would then identify the recipient. If there were identities separate from coin addresses, you could imagine payee/recipient losing privacy on payer complaint, without the payee losing ability to make further payments with payment privacy. ie the payee is expected to repay the value, not that the coins themselves become traceable. However even then when identity is some random public key with no certification, its really not much of a threat to burn an identity. Fidelity bonds perhaps are closer to network identities with some cost to losing.
Even in the physical world with conventional banks, once non-petty criminals are involved "identifying the perpetrator" becomes a fuzzy and useless fig-leaf fast as they identify a victim, or a fake identity bought from a corrupt government employee, or dupe the issuer - the RA stage is usually inherently pretty weak. Criminals rent identities (money mule), buy or create fake identities, shell companies etc.
Finally to note a payment system could obviously have emergency tracability added to it as noted in the zerocoin paper. Its typically easy technically to selectively weaken a protocol. The problem is if you want it at all, you want emergency tracabiliy to be restricted to genuine emergencies, not drag-net fishing, not tracing of petty crimes. Law enforcement are not always so clever about drawing lines there so you get mission creep until jay walking is an emergency. eg in the UK I read a local council abused crime surveillance cameras to trace people who were bending the rules about which area they lived in to get their kids into a better school! Next up people not pooper scooping their dog. You know those things were weakly approved by society for terrorism clean up and maybe, arguably, serious organized crime.
Some ecash crypto papers have talked about system limits like payments are fully untraceable if they are under some amount (eg $10k like paper cash reporting limits) or under some amount per day per user. Another limit can be the "emergency" access is limited to 1% of traffic period, more is not cryptographically possible. Or I think alternatively and more simply access requires cooperation from involved users would be a nice balance. Everyone has to transact with someone, and most transacting parties have no particular interest to protect some organized crime activity that rented a server or car from them.
Anyway the whole thing is a big mess. And it's hard to maintain binary fungibility in the face of grey fuzzy privacy/traceability, and court ordered mission creep. Computers do binary well so to me that is the natural physics of crypto and p2p virtual payments: irreverasable is cheaper than charge-backs (cash over credit cards), and there is no partially irrevocable.
Probably in an actual free society, people would understand that more people being killed by furniture falling on them than by terrorists should be sort of factored in in terms of spending and focus, and societal balance. Obviously the people charged with cleaning up and infiltrating these things are too involved for perspective, but they work for society not the other way around.
The UK had its share of history with IRA blowing various stuff up, the US news typically in that era referred to the IRA as freedom fighters, some US factions even funded them, and yet the sky did not fall, eventually the UK lost their face of "we do not talk with terrorists", the IRA became involved in the political process, some political prisoners were freed, and now things are not blowing up. The UK government got up to some pretty shady things in the history of the troubles also. Its just possible that the current problems have an element of blow-back and two sides to any argument also. Its kind of interesting from inability to learn from history that the UK government finally admitted and will compensate victims of its past torture of kenyan resistance fighters and civilians including Obama's grandfather in kenya troubles, and here is Obama presiding over the next generation of the same picture (the powerful torturing the weak for attempting asymmetric and reactive warfare). That still seems to me like a retrograde step, trials were heard at nuremberg about such activities in the past for good reason.
Adam