Down with Observers!

22 Aug 93

A lot of our discussion is influenced by the ideas of David Chaum. He pioneered technology which could protect individual privacy while allowing very flexible sorts of credentials and guarantees. He has also played a big role in the various proposals for digital cash.

But I think that Chaum has gone off in the wrong direction in the last few years. More and more he is concentrating on protocols which rely on a tamper-proof, hardware implementation of a cryptographic protocol which he calls an "observer". This observer chip would sit in your computer (which could be a Newton-style PDA or a smart card) and would play an important part in the exchanges of information, cash, or credentials which you would make with others. The observer basically makes sure you are telling the truth in your transactions, that you are not double-spending your digital cash, or not claiming a credential which you don't have.

Now, this approach has the obvious advantage that it allows solving certain problems which can't be solved otherwise. There appears to be no way to provide for secure, off-line digital cash, for example, other than with something like an observer.

But it has the equally obvious problem of relying on a tamper-proof chip as a necessary part of the protocol. Recently it seems that many of the papers out of his group are designed to explore observer-based protocols. This means that these ideas are not useful for software-only implementations. One of the (relatively few) strengths that we and the forces we represent have is that free software can be spread very far and very fast, making it hard for those opposed to privacy to successfully stop our efforts. Any technology based on special chips is going to lose these advantages.

Another problem with the observer is psychological. Although Chaum goes to great lengths to design his cryptographic protocols so that even a cheating observer can learn effectively NOTHING about the computer user that would compromise his privacy, people may still feel uncomfortable about having a mechanical "conscience" in their pocket. People want to feel in control of their computers, and I think supporting this control is a big part of the Cypherpunks philosophy.

A related point is that there have already been comparisons on sci.crypt between Chaum's observers and the Clipper chip, in that both rely on tamper-resistant technology to implement features which are not entirely in their owner's best interests. Assuming we do manage to successfully defeat Clipper, the taint of this association may increase resistance to observers.

I wish Chaum and his group would stop directing their efforts towards protocols which require an observer chip to be effective. Granted, there are some things that don't work as nicely without observers. But I think that a realistic appraisal of the pros and cons suggests that non-observer protocols are more likely to further our ultimate goal of personal privacy.

Hal Finney
hal@rain.org
