Anyone can create and maintain an anonymous online identity through the use of Tor and carefully chosen browser settings, but a difficulty soon arises: How does one pay anonymously for services? Some hosting and email providers accept digital currency (usually e-gold), but the process of getting e-gold in the first place is a bit trickier. Every reputable-looking digital currency exchange service that I've seen demands some proof of identity in a bid to prevent money launderers and financial fraudsters from using their system. There used to be a service that allowed anonymous digital currency transfers (YodelBank), but it closed when the operator became weary of running it. Where does this leave anonymity-seekers? I have a proposal for a system that could allow (though not guarantee) anonymous, blind transfers without opening avenues for money laundering.
Kinda like traveller's checks
The idea really isn't that revolutionary, and is probably best illustrated by example. Let's say Alice wants to send 5 grams of gold anonymously to Bob. Alice goes to the Mixer service and spends 5 grams of e-gold. The Mixer receives the gold into its own account, creates a database entry with a 512-bit code, and returns a Certificate to Alice. The Certificate is a text file (signed by Mixer) that contains the database entry's ID and code and a statement that it was issued for 5 grams of digital gold. Alice sends an encrypted copy of this to Bob. Bob decrypts the Certificate and "spends" it at the Mixer, which destroys the Certificate's database entry and transfers roughly 5 grams of e-gold from Mixer's account to Bob's account. (Why not exactly 5 grams? See the section on fees.)
Caps and limits
Caps and limits prevent the system from being useful for money laundering:
- To create an account, the user must have a working email address and a 2048-bit (or larger) PGP key with that email address as one of the user IDs. No two accounts may have the same email address (or PGP key). This should limit the number of accounts that can be created.
- Certificates are capped at a quantity equivalent (at purchase time) to US$50.
- A user may only purchase or spend 4 Certificates or US$200-equivalent per month, whichever comes first.
Protecting the Mixer
To protect the administrator of the Mixer, the service could be run as a Tor hidden service, preventing intrusion or interference by the authorities. This also makes sense because users should be using Tor in the first place.
Fees
Maintaining an e-gold account incurs monthly service fees (currently 1% per annum), and each transfer incurs a fee as well. Since the Mixer maintains a pool of e-gold representing the sum of all issued Certificates, at some point it may be unable to redeem a Certificate due to account maintenance fees. To prevent this, each certificate may be redeemed not for the amount originally purchased, but for the amount remaining after fees. In other words, the Mixer maintains strictly segmented accounting. Obviously, the longer a Certificate is held, the less it can be redeemed for.
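To make the Certificate lifecycle, the caps and the fee accounting concrete, here is a small sketch added for illustration; it is not the proof-of-concept itself. It assumes an HMAC in place of the PGP signature, an integer month counter, a single shared monthly counter for purchases and spends, and the 1% annual fee charged in monthly steps. The names `Mixer`, `issue` and `redeem` are hypothetical.

```python
import hashlib, hmac, secrets

CERT_CAP_USD = 50      # per-Certificate cap from the post
MONTHLY_CERTS = 4      # per-user monthly limits from the post
MONTHLY_USD = 200
ANNUAL_FEE = 0.01      # storage fee quoted in the post

class Mixer:
    def __init__(self):
        # Assumption: an HMAC key stands in for the Mixer's PGP signing key.
        self.sign_key = secrets.token_bytes(32)
        self.entries = {}  # cert id -> (sha512 of code, grams, issue month)
        self.usage = {}    # (user, month) -> (certificates, usd)

    def _sign(self, body):
        return hmac.new(self.sign_key, body.encode(), "sha256").hexdigest()

    def _charge(self, user, month, usd):
        count, total = self.usage.get((user, month), (0, 0))
        if count + 1 > MONTHLY_CERTS or total + usd > MONTHLY_USD:
            raise PermissionError("monthly limit reached")
        self.usage[(user, month)] = (count + 1, total + usd)

    def issue(self, user, grams, usd_value, month):
        if usd_value > CERT_CAP_USD:
            raise ValueError("Certificate exceeds the US$50 cap")
        self._charge(user, month, usd_value)
        cert_id, code = secrets.token_hex(8), secrets.token_bytes(64)  # 512-bit code
        # Store only a hash, so a leaked database cannot be used to redeem.
        self.entries[cert_id] = (hashlib.sha512(code).digest(), grams, month)
        body = f"{cert_id}:{code.hex()}:{grams}"
        return f"{body}:{self._sign(body)}"

    def redeem(self, user, cert, usd_value, month):
        body, _, sig = cert.rpartition(":")
        # Verify the signature before parsing anything else in the body.
        if not hmac.compare_digest(sig.encode(), self._sign(body).encode()):
            raise ValueError("bad signature")
        cert_id, code_hex, _ = body.split(":")
        entry = self.entries.get(cert_id)
        if entry is None:
            raise KeyError("unknown or already spent Certificate")
        digest, grams, issued = entry
        presented = hashlib.sha512(bytes.fromhex(code_hex)).digest()
        if not hmac.compare_digest(presented, digest):
            raise ValueError("wrong code")
        self._charge(user, month, usd_value)  # a refused spend leaves the entry intact
        del self.entries[cert_id]             # destroy the entry: single use
        # Segmented accounting: the holder bears the fee for the months held.
        return grams * (1 - ANNUAL_FEE / 12) ** (month - issued)
```

The amount paid out comes from the database entry, never from the text of the Certificate, so editing the stated quantity gains nothing even before the signature check rejects it.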
Threats to anonymity
Each transaction is visible to e-gold, who could conceivably link two transactions that are close in timing and amount. Holding a Certificate for a longer period of time could allow for a better mixing effect.
The server's private key would be kept only in system memory, and the disk's empty space would be periodically shredded (the usual measures). Several offsite boxes could be maintained, to which the main Mixer would send encrypted backups to be stored in rotation.
I'd prefer to implement the Mixer on a standard LAMP box, running a Tor hidden service but not an exit node (to minimize chances of service interruption). The source code would need to be developed under the GPL by a team of security- and anonymity-conscious coders.
I plan on developing a working proof-of-concept model of this for my senior I.S., pending approval by my advisor. So, what do you think?