More On Cryptocurrency
My second post on money provoked more comments, some by people who know much more than I do about the present status of crypto. The most interesting were by Zooko, who worked with David Chaum and was part of the founding team for ZCash,1 an anonymous money that does not require anyone to support it and so cannot, like Chaumian digital currency, be suppressed by an unfriendly government.2 That looks to be closer to a fully anonymous ecash than anything else out there.
Responding to another commenter’s claim that all anonymous cryptocurrencies are currently illegal, he described how you could check out ZCash for yourself.
Experiment 1: Ask your favorite search engine for "Zcash Wallets". Then download a Zcash wallet from the Apple App Store or the Google Play Store. (Assuming you're on mobile. You can do the same on desktop.) Now you have the ability to send, receive, and store Zcash without depending on any third party (custodian, bank, server)! And, you have the ability to control *disclosure* of your Zcash holdings and transactions. By default, nothing about that is disclosed to anyone else. You've now completed experiment 1.
David Trost's arguments in these comments are largely about whether third-party businesses will engage in Zcash transactions with you. That's important. The most common way that people buy or sell cryptocurrency is by using "exchanges", like Coinbase or Binance. If your experiment 1 showed you that you can own and control your own Zcash, but you are unable to conveniently and safely buy any Zcash, then his claim that Zcash is semi-illegal would still be valid.
Experiment 2: Create an account at any one of the three large USA exchanges -- Coinbase, Gemini, or Kraken -- or the largest world-wide exchange -- Binance -- buy some Zcash, and withdraw it to your wallet. (Or, since the "creating an account" part is a time-consuming hassle, ask a friend who already has an account to do this for you.) You've now completed experiment 2.
I responded:
The one issue your experiment, which I have not yet done, raises is that if I buy ZCash from an exchange, that is presumably not private. So the fact I am a Zcash user is known, what I do with the money is not. That is less true if I buy ZCash from a private individual, since who I got it from is not deducible from public information, especially if I bought it with cash, also an anonymous currency.
The point matters because if there are only a few ZCash users, the fact that you are one of them signals hypothetical spies to watch you, but not if there are a large number of ZCash users.
So I asked Zooko the current scale of ZCash. He responded that the number of users is unknown3 but the market cap, the price of a Zcash coin multiplied by number of Zcash coins, is currently close to a billion dollars. About ten percent of them are “shielded,” held in a wallet controlled by the owner, and that number appears to be increasing rapidly.
ZCash is not a stablecoin; its value in other currencies, like that of Bitcoin, varies substantially. In my post I argued that technological progress made that less crucial for transactions than it used to be since computers can and do convert one currency into another fast and cheap; I was talking about the advantage of using the same money as the people you transact with, but using a stablecoin whose value is reliably fixed at a dollar is very nearly equivalent to using dollars.
Zooko suggested that my point about money for transactions may be true for the same reason about money as a unit of account, that it is becoming less important for long term transactions that different people use the same or equivalent currencies.
Alice needs to hedge against the possibility that her future income from her loan to Bob is worth less than her future expenses, because the currency that Bob is paying her back has fallen in value compared to the expenses she'll incur at that time. But she doesn't *have* to get this protection out of her contract with Bob! … She can separately buy an instrument which will pay her more, when Bob's loan comes due, in proportion to how much the value of the currency has fallen. Again, her automated agent could do this on her behalf. (And of course, on the other side, Bob needs protection against the eventuality that the value of the currency that he owes Alice has gone _up_ since he took out the loan, and he can get protection against that eventuality in the same way -- by paying a third party to for it.)
When I think about it from this perspective, I think that "stablecoins" are an attempt to provide this feature to users, but in a "one size fits all" fashion -- no user can get greater or lesser protection from future changes in the value of the currency than any other user, just by using a stablecoin as medium-of-exchange (short term) and unit-of-account (long term). Maybe if improved financial tech can provide these in a more customized and efficient solution for each individual, then the need for stablecoins will evaporate. Similar to how the automated currency exchange that comes with your debit card has eliminated
That would reduce the incentive for different people to use the same money for long-term contracts, so makes it more likely that, in the future, multiple monies will be in use in the same area. But it is still desirable for both buyers and sellers to use a money with reasonably stable purchasing power, since that makes it easier to use information about prices in the recent past to judge whether a particular price is high or low, so still an advantage for a coin whose value is reasonably stable.
Zooko is pessimistic about making something like bitcoin effectively anonymous by concealing the link between an individual and his account:
People might intuitively think that you get practical privacy from the fact that your True Name and your home address aren't posted along with your random numbers.4 Your blog post suggests that, and Satoshi himself seemed to think that about Bitcoin. But that's wrong. The modern surveillance advertising industry reliably tracks fine details of everyone's behavior, on- and off- line, by linking together similarly "anonymous-looking" traces. It is possible, and likely, that other modern actors such as organized crime, armies, and other branches of government do the same. In fact, a recent development is services which are sold at retail to the public to do the same! See "Arkham Intelligence" for example (https://intel.arkm.com/). AI will only make this kind of surveillance even more efficient and comprehensive.
If this were a paying Substack I would owe most of the revenue from this post to Zooko, who wrote most it, but it isn’t. My pay is in status and, more important, spreading ideas; for this post he collects most of it.
As he should.
My web page, with the full text of multiple books and articles and much else
Past posts, sorted by topic
A search bar for past posts and much of my other writing
Sources for an explanation of ZCash that Zooko recommends:
Short of one with routine access to all our computers.
Zooko’s guess is between a hundred thousand and ten million,
The context for the quote is his sketch of how to convert my idea in Future Imperfect for a low tech version of Chaumian digital currency into something like ZCash.
If enough people are interested I may post my idea and his revision of it in the comment thread to this post; I think I have imposed on those of my readers not interested in the economics of alternative monies or the uses of cryptography long enough. My next post will be on something entirely different.
It might be interesting to note that there is a fundamental trade off between privacy and soundness. If you want unconditional sound money, you need everyone to be able to verify that the money is in fact sound. In other words, you need the public to be able to count up all the money so they can see the quantity is as expected.
Something like monero or zcash cannot do this, because the public can't see the amounts of the transactions. You trust that the quantity of money has not inflated because you can trust the cryptography that enforces this. However, if the cryptography is broken, someone might *secretly* inflate the money supply of the broken coin. This is known as "computational soundness".
On the other hand, bitcoin is unconditionally sound but isn't even computationally private. Mixing services give you "hide in the crowd" privacy, but its not strong enough to really be called "computationally private". It is possible to do confidential transactions in a way that is unconditionally sound and computationally private, but I'm not sure if anyone is doing that (possibly Oasis and Secret?).
Personally, I would never store my life savings on a chain that merely has computational soundness. Unconditional privacy is nice for transactions tho, and I certainly would consider using a coin like Monero for transactional purposes when I need privacy.
But another interesting thing about privacy is that fundamentally it's always a "hide in the crowd" type of privacy at a certain level. Even for something like Zcash, you at very least know that if someone is using zcash, they might be related to any zcash transaction. The larger the group of zcash users, the bigger the crowd to hide in. I don't know how big of a crowd is sufficient to eliminate any realistic attempt to correlate you, but it seems plausible that Zcash and Monero have reached those numbers.
Bitcoin will almost certainly will never be unconditionally private (because of the strong cultural importance given to unconditional soundness), but it is very likely to achieve default privacy of some kind. Specifically the kind of privacy that reduces transaction costs. Batching transactions can allow you to create a smaller (in megabyes) and therefore cheaper transaction than they would be separately. Having a system of transaction mixing where people collaborate to build a larger transaction can give people a similar level of privacy to mixing services. And since doing so would be cheaper than a normal transaction, its very likely that everyone will want to do it that way whenever possible. To me, this makes it inevitable, unless a cheaper form of transaction is invented that doesn't allow the privacy aspect.
It's an honor to be mentioned, even if my comment had to be called bullshit by Zooko to get it 🙂. Since my comments were about Monero, and privacy coins generally, not ZCash specifically, I took some time to square my knowledge of AML laws with my lack of knowledge of ZCash. It's odd to me that the distinction between private and public addresses within ZCash was never mentioned.
From coinbase:
(https://www.coinbase.com/price/zcash)
>Zcash is a cryptocurrency that offers two types of addresses: transparent addresses that are publicly visible on the Zcash blockchain and shielded addresses that are more private. Coinbase customers can receive Zcash from both transparent and shielded addresses and send Zcash to transparent addresses. Sending to shielded addresses is not supported at this time.
This means to me that at the end of experiment #2, you've taken self custody, but everything is still as transparent and public as Bitcoin. The fact this detail was left out seems disingenuous to me.
Regardless it seems you could then make those transparent funds private by moving them to a shielded address, fair enough. Impressive actually, I didn't know you could do that. But at this point the layers of indirection are exactly the point I was originally trying to make. Usage of private money is theoretically possible, but not convenient or practical for the average Joe.
So how does this fit with AML laws?
The centralized exchange (Coinbase in this case), which knows you intimately, also knows your new (transparent) ZCash address. And as a compliant Money Services Business (MSB) has to follow 31 USC 5311. To pull a quote:
>(2) prevent the laundering of money and the financing of terrorism through the establishment by financial institutions of reasonably designed risk-based programs to combat money laundering and the financing of terrorism;
The term "risk-based programs" is key. MSBs are expected to monitor their customers for anything and everything that could signal "higher risk". You must have an appointed officer and processes in place to monitor your customers and look for and secretly report red flags. This report is called a SAR (Suspicious Activity Report). Any cash transaction over $10k MUST have a SAR filed, as example. A SAR's content or even its existence cannot be revealed, not by the government, or the MSB, or even in court discovery. (https://www.federalregister.gov/documents/2010/12/03/2010-29880/confidentiality-of-suspicious-activity-reports) This is to encourage and embolden MSBs (All financial institutions but I'm focusing on MSBs) to report early and often.
As soon as you move those funds to a shielded address, Coinbase will almost certainly identify that as a risky behavior and file a SAR with anything else they find odd about your account. (Any suspicious IP locations? Unusual sums for your employment? Did you appear in the news for something bad or suspicious? (In AML world this is called "adverse media" or "negative news"). You are also expected to warn and collaborate and share data with other financial institutions to investigate and build a more complete profile of your suspicious customer for your SAR. From there various agencies and investigators decide whether further investigation is merited.
Why can Coinbase accept funds from shielded addresses and not send them? I'm speculating here but I'd guess that (1) Financing of terrorism relies on disguising the outgoing funds, less so their source. And the other goal (2) money laundering has other patterns to look for, such as volume and frequency and where the funds are subsequently moved. Investigators would much rather that money be on Coinbase tied to a known person they can investigate, than remain in a shielded anonymous wallet. That said, Coinbase gets as close to the edge of compliance as possible. And they've already paid 9 figures in AML compliance fines.
Why doesn't Coinbase support Monero, or the privacy-protecting elements of ZCash? It's not *de jure* illegal, but it is *de facto* illegal for them to do so, because a regulator expects a MSB to only take on new business with risks that it can manage successfully. How can a MSB justify to a regulator that it has the risk of money laundering and terrorist financing under control while also offering a product specifically designed to evade that due diligence? It can't, so they don't.
Is this government overreach? Maybe. Probably. I'm sympathetic to the kindof anarcho-individualist ideal where everyone takes sovereignty over their money and no business is involved. But the real world involves businesses facilitating transactions for any number of reasons besides just convenience. Those businesses, with current laws, are absolutely incompatible with a privacy currency.
I hope I'm wrong, because I'd love to exchange fiat for crypto, facilitate transactions and do all the things my customers need me to do while also respecting their maximum privacy.
None of this is intended as an attack on you @Zooko or ZCash. I believe we're on the same team at the end of the day.