IP: The Money Laundromat part 2 of 2

[Dave Farber <farber () central cis upenn edu>]

for transactions, but it may read off your name, as when it says, "Thank you,
Jow Blowup, for allowing me to serve you." The second track contains up to 40
numerical figures, of which the first 19 are reserved for your PAN, which is
followed by the expiration date and other information. The third track will
hold 107 numerical digits [isn't this redundant?], starting again with your
PAN, and perhaps information related to your PAN (personal identification
number, or "secret password"), along with other information, all of which
potentially gets rewritten every time the track is used.
    The ATM machine into which you insert your card is itself a computer. The
ATM typically has both hard and floppy drives, a PC motherboard that contains
the microprocessor, and a power supply -- as well as drawers for deposits,
cash and swallowed cards. If the ATM is "on-line" (i.e., connected to a
distant central bank computer, which makes all the real decisions), then it
also has a modem to communicate over phone lines with the central computer.
When you make a request for cash, the ATM machine compares your password to
the one you entered. If they are the same, it then takes your request and
your PAN, encrypts the information, and sends it on to the central computer.
The central computer decrypts the message, looks at your account information,
and sends an encrypted message back to the ATM, telling it to dispense money,
refuse the transaction, or eat your card.
    Somewhere between the ATM and the authorizing bank, there is usually a
"controller", which services several ATMs. The controller monitors the
transaction, and routes the message to the correct authorization processor
(bank computer). Some transactions, for example, will involve banks in
different ATM networks, and the transaction will have to be transferred to a
different network for approval. The controller would also generally monitor
the status of the different physical devices in the ATM -- to see that they
are operating properly and that the machine is not being burglarized.
    Consider some of the security problems in this framework. The first duty
of the local ATM is to verify you've entered the correct PIN. A typical way
of doing this is to recreate your PIN from your card information and ocmpare
it to the one you entered.
    Here is a general example of how PINs are created (there are many
variations). The bank first chooses a secret 16-digit "PIN key" (PKEY). This
key will be stored in the ATM's hardware. The PKEY is then used as a DES
encryption key to encrypt 16 digits of your account number, which the ATM
reads off your card. The result of the encryption is a 16-digit hexadecimal
number. Hexadecimal numbers use the digits 0 to 9 and also the letters A to F
(the latter standing for the decimal numbers 10 to 15). Next, a table is used
to turn the 16-digit hexadecimal number back into a 16-digit decimal number.
(23) The first four digits of the resulting 16-digit number are the "natural
PIN". (If you are allowed to choose your own PIN, a four-digit "offset"
number is created, and stored on the third track of your ATM card. This
offset will be added to the natural PIN before it is compared to the one you
entered at the ATM keyboard.)
    Since this comparison between the natural and entered PIN is done locally
in the ATM hardware, the customer's PIN is not transmitted over phone lines.
This makes the process relatively more secure, assuming noone knows the PKEY.
But if an evil programmer knows the PKEY, he can create a valid PIN from any
customer's account number. (Customer account numbers can be found by the
hundreds on discarded transaction slips in the trash bin.) He can easily and
quickly loot the ATM of its cash contents.
    The security problems worsen when the ATM gets a "foreign" card. A foreign
card is essentially any card from any bank other than the one that runs the
ATM. The local ATM does not know the PKEYs of these other banks, so the PIN
that is entered at the ATM must be passed on to a bank that can authorize the
transaction. In this process, the account number and PIN will be encrypted
with a communication key (COMKEY), and then passed from the ATM to the ATM
controller. Next, the account number and PIN willl be decrypted at the
controller, and then re-encrypted with a network key (NETKEY) and sent on to
the proper bank.
    Foreign PINs give the evil programmer three additional possibilities for
defeating security. The first way is to get hold of the COMKEY. He then taps
the line between the ATM and the controller, and siphons off account
number/PIN pairs. A second possibility is to get access to the controller,
because the account number/PIN pairs may be temporarily in the clear between
encryptions. The third possibility is to obtain the NETKEY, and tap the line
between the controller and the foreign network. (24)
    The COMKEY and NETKEY are generally transmitted over phone lines, so the
chances of acquiring them are pretty good. These two encryption keys are
themselves usually transmitted in an encrypted form, BUT THE KEYS USED TO
ENCRYPT THEM ARE SOMETIMES SENT IN THE CLEAR. Thus, while banks are generally
somewhat careful with their own customers, they are often quite helpful in
giving rip-off artists access to the customers of other banks. The evil
programmer simply reads off the encryption keys and uses them to decrypt the
COMKEY and NETKEY, which are in turn used to decrypt account numbers and PINs.
    The way to solve these security problems is to use smart cards and public
key cryptography. That way, banks could transmit their public keys in the
open without worrying about evil wire-tapping programmers. Customer messages
encrpyted with a bank's public key could only be decrypted with the bank's
private (secret) key. Digital cash issued by the bank could be signed with
the bank's private key, and anyone would be able to check that the cash is
authentic by using the bank's public key. In addition, the bank would not be
able to repudiate cash signed in this way, because only the bank had access
to its own secret key. Communications between ARM machines and bank computers
could also take polace with randomly-generated encryption keys that can be
determined by each of the two parties, but which could not be discovered by
someone who listens in on both sides of the traffic. (25)




                    ARE SMART CARDS THE MARK OF THE BEAST?




    Besides optical and magnetic stripe cards, there are two types of "chip"
cards. Chip cards are basically any cards with electronic circuits embedded in
the plastic. One type of chip card, called a memory (or "wired logic) card,
doesn't have a microprocessor and isn't any smarter than the cards we
discussed previously. Prepaid phone cards are of this type. They may have
about 1K of memory, and can execute a set of instructions, but can't be
reprogrammed.
    Then there are the truly smart cards, which have a microprocessor and
several kilobytes of rewriteable memory. Smart cards allow for greatly
increased security, since access to their data is controlled by the internal
microprocessor. And there can be built-in encryption algorithms. This
versatility has made smart cards controversial.
    The negative reputation arises from certain cases where smart cards were
imposed by force, as well as from smart-card storage of biometric data. The
use of smart cards became a prerequisite for Marines to receive paychecks at
Parris Island. Fingerprint-based smart card ID systems were implemented by the
Los Angeles Department of Public Social Services and the U.S. Immigration and
Naturalization Service. The "childhood immunization bill" introduced by Sen.
Ted Kennedy (D-Mass.) would have used smart cards to track vaccinations of all
children under six years of age, together with at least one parent, across
geographical areas. Access control at the U.S. Department of Energy Hanford
Site requires smart card badges that store the cardholder's hand geometry.
Security access through retinal scan patterns stored in smart card memory have
been tested at the Sandia National Laboratory.
    Visa recently announced plans for creating an "electronic purse". The
purse would be a reloadable spending card. You would charge the card up at an
ATM machine, where it would suck some cash value out of your account and store
it in memory. You would then use the card instead of cash to make small
purchases. Visa is attracted by the estimate that consumer cash transactions
in the U.S. are about five times the size of bank-assisted transactions (those
that use checks, credit cards and debit cards). Visa has been joined in this
endeavor by a consortium that invludes VeriFone, the leading supplier of
point-of-sale transaction systems, and Gemplus, the leading manufacturer of
smart cards.
    There may be increased security in the use of an electronic purse, but it
is not clear how replenishing one's card balance at an ATM is any more
convenient for the user than getting cash at an ATM. Since Visa is not
advertising the privacy aspects of electronic purse payments, one must assume
this feature was omitted in the planning. Hence a cynic could conclude that
the "electronic purse" is little more than a Rube Goldberg device which, by
substituting for cash, will create a better set of PROMIS-type transaction
records.
    These and other examples suggest possible uses of smart cards for more
general surveillance and social control. The truly paranoid envision the use
of a single smart card for every financial transaction, medical visit, and
telephone call. This information would be sent directly to a common
PROMIS-like database, which would constitute a record of all your activities.
In addition, they suggest, "your card could be programmed to transmit its
identification code whenever you use it. So you (or your card, anyway) could
be instantly located anywhere on earth via the satellite-based Global
Positioning System." (26)
    But smart cards don't have to be used this way. Recall that mainframe
computers once seemed destined to turn the average citizen into Organization
Man, a creature to be folded, spindled and mutilated in lieu of IBM's punched
cards. The advent of the personal computer, however, showed that the same
technology could be a tool of individual freedom and creativity.
    There is nothing intrinsically evil in storing a great deal of information
about ourselves, our finances, and our current and future plans. That is,
after all, exactly why some of us carry around portable computers. But in this
case the use of the computer is voluntary, and we ourselves control both
access to and the content of the information. The same may apply to smart
cards. It is smart cards more than any other aspect of banking technology, I
believe, that will allow for financial privacy through cryptology, for
anonymous and secure digital cash transactions. It's simply a matter of taking
control of the technology and using it to enhance personal freedom.




                   ELECTRONIC CASH, the Way It Ought to Be


    Suppose we had it our way. Suppose we sat down to create digital cash that
had all the right properties. What would these be? Think of the attractive
properties of currency -- physical cash. (27)


        1) Physical cash is a portable medium of exchange. You carry it
        in your pocket to give to people when you make purchases. The
        digital equivalent of this process could be provided by smart
        cards, which would actually improve on the mobility of physical
        cash: the weight of $1,000,000 in digital money is the same as
        the weight of $1.


        2) You would want the ability to make digital cash payments offline,
        just like you can with physical cash. A communication link between
        every store you shop at and your bank's authorization computer
        shouldn't be required. Moreover, if digital cash is to have all the
        desireable qualities of physical cash, you should be able to
        transfer it directly to another smart-card carrying individual.
        Smart cards that could connect directly to other smart cards would
        be ideal in this respect, and would represent an improvement over
        physical cash. Even if everyone observed two smart cards
        communicating, they would have no way of knowing whether the
        transaction involved $5 or $50,000. There would be no need to slide
        money under the table.


        3) Digital cash should be independent of physical location --
        available everywhere and capable of being transferred through
        computers and other telecommunications channels. So we want a
        smart card that can jack into the communications nodes of the
        global information network. One should be able to pop into a
        phone booth to make or receive payments.


        4) Got change for a dollar for the quarter slots in the pool table?
        Just as we "make change" or divide physical currency into subunits,
        so should electronic cash be divisible. Electronic calculators can
        perform an operation known as division, and so can third-graders. So
        smart cards ought to be able to handle this also, even if it presents
        a few difficulties for theoretical cryptology.


        5) To be secure against crooks and rip-off artists, digital cash
        should be designed in such a way that it can't be forged or reused.
        We wouldn't want people spending the same money twice, or acting as
        their own miniature Federal Reserve System, creating money from
        nothing. This cryptological problem is different between on-line
        and off-line cash systems. In on-line systems, the bank simply
        checks whether a piece of cash has been spent before.
           Proposed off-line systems rely on a framework developed by David
        Chaum. Chaum has been the preeminent cryptological researcher in
        the field of digital cash. (28) In his framework for off-line
        systems, one can double-spend the same piece of cash only by losing
        one's anonymity. This has considerable value, because the bank or
        person, knowing the identity of the devious double-spender, can send
        out a collection agent.
           But I consider this way of enforcing the "no double=spending"
        rule a serious flaw in Chaum's framework. Catching thieves and rip-
        off artists is not the comparative advantage of either banks or the
        average citizen. (Banks are usually only good at providing
        transaction services, and charging interest and fees.) Would you
        really want to see, say, the First Subterranean Bank of Anonymous
        Digital Cash merge with the Wackenhut Corporation? Luckily,
        however, there are alternative approaches that will prevent double-
        spending from ever taking place. (29)


        6) The most important requirement for individual freedom and privacy
        is that digital cash transactions should be untraceable, yet at the
        same time enable you to prove unequivocally whether you made a
        particular payment. Untraceable transactions would make impossible a
        PROMIS-type data-sorting og all your financial activities. In Joe
        Blowup's financial chronology discussed previously, you wouldn't be
        able to connect Joe Blowup's name to any of his purchases. Similarly,
        noone would know about the money you wired to Liechtenstein, your
        purchase of Scientology e-meters and the banned works of Maimonides,
        or your visits to the Mustang Ranch. Privacy-protected off-line cash
        systems can be made nearly as efficient as similar systems that don't
        offer privacy.




                            PARALLEL MONEY SYSTEMS


    To set up a digital cash service meeting these requirements, you would
need to buy the rights to use patents held by David Chaum and RSA, or
equivalent rights, and then set up a bank to issue accounts and smart cards in
a legal jurisdiction where the service won't run afoul of the local banking
and money laundering laws. Of course, in many other countries the money
laundering statutes will be quickly amended in an attempt to apply the same
reporting requirements to anonymous digital cash transactions. Such laws will
probably generate little compliance. (30) Since the transactions in question
are unconditionally untraceable, there won't be any evidence of wrongdoing.
    Anonymous digital cash will arise as a parallel system to the existing one
of ordinary money. Therefore, there will be a record of the initial entry into
the anonymous system. For example, you might write a $10,000 check drawn on
CitiBank to the First Subterranean Bank of Anonymous Digital Cash. This check
will be recorded, but no subsequent transactions will be traceable, unless you
make transfers back out into the ordinary banking worls. Over time, as more
people begin to use the anonymous cash system, some wages will be paid in
anonymous digital cash. This will enable all income transactions, as well as
expenditures, to take place entirely outside the ordinary monetary system.
    Since the anonymous cash system will exist parallel to the existing
system, a floating exchange rate will be created by market transactions
between ordinary money and anonymous money. Think, by analogy, of a currency
board. Such a board issues domestic currency through the purchase of foreign
"hard" currencies. In the same way, anonymous digital cash will be issued
through the purchase of ordinary cash or bank deposits. That is, when you make
a deposit at the First Subterranean Bank of Anonymous Digital Cash, First
Subterranean will issue you an anonymous digital cash account, and will in
turn acquire ownership of the ordinary money. The exchange ratio will not
necessarily be one-for-one: anonymous digital cash that does not meet some of
the ease-of-use requirements listed previously may exchange for less than one
ordinary dollar. On the other hand, digital cash that meets all those
requirements will trade at a premium, because anonymous digital cash has
enhanced privacy aspects. Money launderers, for example, currently get about
20% of the value of money that is made anonymous. That represents an exchange
rate of 1.25 "dirty" dollars for one "clean" dollar. The market will similarly
determine the exchange ratio between ordinary and anonymous digital money.
    In the 1960's, various tax and regulatory burdens and political risk
considerations gave rise to a new international money market, the Eurodollar
market, which was created specifically to get around these regulatory and
political roadblocks. (31) When a junior staff member of the Council of
Economic Advisors named Hendrik Houthakker discovered the Eurodollar market's
existence, he thought it was an important development, and recommended that
some discussion of it be included in the annual *Economic Report of the
President*. "No, we don't want to draw attention to it," he was told. When
Houthakker himself later became a member of the Council under Nixon, he made
sure the Report included a discussion of the Euromarkets. But it was only much
later, in the mid-70's, that the *Report* said, in a burst of honesty: "The
emergence and growth of the Eurodollar market may be viewed as a classic
example of free-market forces at work, overcoming obstacles created by
regulations, and responding to market incentives to accomodate various needs."
(32)
    In a similar way, some future report will say that "the emergence and
growth of anonymous digital cash may be viewed as a classic example of
free-market forces at work, overcoming obstacles created by surveillance
technologies and money laundering regulations, and responding to market
incentives to accomodate the public's need for financial privacy."




FOOTNOTES


1. Quoted in *Money Laundering Bulletin*, January 1995, p. 3.


2. Bryan Burrough, _Vendetta: American Express and the Smearing of Edmond
Safra_  (HarperCollins, 1992), pp. x, xi.


3. Sec. 1517 (c) states: "Any financial institution that makes a disclosure of
any possible violation of law or regulation or a disclosure pursuant to this
subsection or any other authority, and any director, officer, employee, or
agent of such institution, shall not be liable to any person under any law or
regulation of the United States or any constitution, law, or regulation of any
State or political subdivision thereof, for such disclosure or for any failure
to notify the person involved in the transaction or any other person of such
disclosure."


4. "A completely cashless economy *where all transactions were registered*
would create enormous problems for the money launderers" (emphasis added),
*Report of the Financial Action Task Force on Money Laundering*, February 7,
1990.


5. Kirk W. Munroe, "Money Laundering: The Latest Darling of the Prosecutor's
Nursery", law firm of Richey, Munrow & Rodriguez, P.A., Miami, Florida, 1994.


6. President's Commission on Organized Crime, *The Cash Connection: Organized
Crime, Financial Institutions, and Money Laundering* (U.S. Government Printing
Office, October 1984). This definition is certainly more coherent than Michael
Sindona's circular statement that "laundering money is to switch the black
money or dirty money...to clean money." The U.S. definition of money
laundering is found in 18 U.S.C. 1956, which was enacted in 1986, and
strengthened in 1988, 1990 and 1992. It sets out three categories of offenses:
transaction offenses, transportation offenses and "sting" offenses:


  *Transaction Offenses*: It is a money laundering transaction crime for any
person to conduct, or to attempt to conduct, a financial transaction which, in
fact, involves the proceeds of specified unlawful activity, knowing that the
property involved in the transaction represents the proceeds of some crime,
and, while engaging in the transaction, with either (a) the intent to promote
the carrying on of the specified unlawful activity, or (b) the intent to
commit certain tax crimes, or with the knowledge that the transaction is
designed at least in part (a) to conceal or disguise the nature, location,
source, ownership or control of the proceeds, or (b) to avoid a cash reporting
requirement.


  *Transportation Offenses*: It is a money laundering transportation crime for
any person to transport, transmit or transfer, or to attempt to transport,
transmit or transfer, a monetary instrument or funds into or out of the U.S.,
and, while engaging in the act, with either (a) the intent to promote the
carrying on of specified unlawful activity, or (b) the knowledge that the
monetary instrument or funds represent the proceeds of some crime, and the
knowledge that the transportation, etc., is designed, at least in part, (i) to
conceal or disguise the nature, location, source, ownership or control of the
proceeds, or (ii) to avoid a cash reporting requirement.


  *"Sting" Offenses*: It is a money laundering crime for any person to
conduct, or to attempt to conduct, a financial transaction which involves
property represented to be the proceeds of specified unlawful activity, or
property used to conduct or to facilitate specified unlawful activity, said
representation being made by a law enforcement officer or by another person at
the direction of, or with the approval of, a federal officer authorized to
investigate or to prosecute S.1956 crimes, and, while engaging in the
transaction, with the intent to (a) promote the carrying on of specified
unlawful activity, or (b) conceal or disguise the nature, location, source,
ownership or control of the property believed to be the proceeds of specified
unlawful activty, or (c) to avoid a cash reporting requirement.


7. See Samuel J. Rabin, Jr., "A Survey of the Statute and Case Law Pertaining
to 26 U.S.C. 60501 (Forms 8300)", in Fletcher N. Baldwin, Jr. and Robert J.
Munro, *Money Laundering, Asset Forfeiture and International Financial Crimes*
*Oceana Publications, 1994, three volumes).


8. Section 4702 of P.L. 100-690.


9. 31 C.F.R. 103.11(p) (1991).


10. "The means should, in fact, include access by Interpol to the
telecommunications system SWIFT," *Draft Explanatory Report on the Convention
on Laundering, Search, Seizure and Confication of the Proceeds from Crime*,
September 8, 1990.


11. *Money Laundering Bulletin*, March 1995, p. 3.


12. Curiously, however, some of the same set of characters were apparently
involved on all sides: in drug-running, money laundering and the theft and
modication of the PROMIS system. I will leave it to someone with more lawyers,
guns and money than I have to bring that part of the story to light.


13. U.S. Congress, Committee on the Judiciary, *The Inslaw Affair*, House
Report 102-857, September 10, 1992.


14. Memorandum to Judge Nicholas Bua from Elliot Richardson, p. 34. The NSA,
naturally, does not acknowledge the existence of such a chip, much less
provide technical information. But in order to avoid detection of the chip's
transmission signal by the organization being spied upon, the chip would be
designed so its broadcast would be masked by the general -- or some
characteristic -- electronic noise of the computer. This could imply a low
probability-of-interception digital spread spectrum (DSS) communication system
with a broad bandwidth, perhaps with a transmission frequency in the range of
1-10 gigahertz. As a related example of this technique, a "low level wideband
SS signal, can easily be hidden within the same spectrum as a high power
television signal where each signal appears to be noise to the other." Quoted
from "Spread Spectrum Techniques", in Geoff Lewis, *Newnes Communications
Technology Handbook* (Oxford, 1994). The broadcast power requirements of such
a chip would not be large, but rather similar to a walkie-talkie's. The
information broadcast by the chip could then either be monitored locally and
re-transmitted to satellite, or transmitted directly to a geosynchronous
signals-collection satellite such as Magnum. The Magnum and other U.S. spy
satellites are operated by the Air Force on behalf of the National
Reconnaissance Office, while NSA does the signal processing. (I am grateful to
John Pike, Director of Space Policy & CyberStrategy Projects, Federation of
American Scientists, for advice on the information in this footnote. He is not
responsible for any errors or the specific content of any statement.)


15. I have in mind an NSA operation. But recently, the CIA approached my own
former company (which sells banking software) and proposed that it provide
cover for their agents to enter foreign banks. The CIA also separately offered
to pay $100,000 for the customer list of a particular bank among the Swiss big
four.


16. Barry A.K. Rider, "Fei Ch-ien Laundries -- the Pursuit of Flying Money",
in *Money Laundering, Asset Forfeiture and International Finance Crimes*.


17. *Money Laundering Bulletin*, April 1995, p. 2.


18. Ibid, p. 4.


19. Details of the foreign exchange, Eurocurrency and Eurobond markets are
covered at length in J. Orlin Grabbe, *International Financial Markets* (Simon
and Schuster, 1995, third edition).


20. Eurobonds are *bearer* bonds. So if you have the bond in your pocket, you
own it, in the same way you own the dollar in your pocket. The same goes for
interest coupons -- they are to be paid to bearer. Most Eurobond-issuing
companies pay interest to Euroclear, which distributes the payments to the
owners of the bonds stored in its depository vaults. But the companies are
afraid that if the bonds are stolen, they will have to pay the same coupons
again. Hence they insist coupons be clipped and destroyed as they are paid.
When I visited Morgan Guaranty (which operates Euroclear) in Brussels in 1982,
there were 20 employees whose full-time job was clipping coupons.


21. John W. Moscow, "The Collapse of BCCI", in *Money Laundering, Asset
Forfeiture and International Financial Crimes*.


22. Details of the card size, layout, coding and recording are laid out in ISO
standards 7810 to 7813. The first track is sometimes called the International
Air Transport Association track, the second the American Bankers Association
track, and the third the Mutual Institutions National Transfer System track.


23. This may be as simple as assigning the numbers 0 to 5 to the letters A to
F. If this assignment is made, the probability is three-fourths that a digit
in the resulting decimal number is one of 0 to 5, while there is only one-
fourth probability that a digit is 6 to 9.


24. Computer logs are often kept for each part of a transaction. So the evil
programmer doesn't have to tap lines if he can get hold of the logs instead.


25. Public-key encryption is implemented in the Datakey smart card of the
National Institute of Standards and Technology. This card uses the Hitachi
H8/310 processor. Atmel and Phillips chips also include public-key encryption
hardware, and allow algorithms to be implemented by the card's application
designer. Smart and other chip card standards are laid out in ISO 7816. More
on smart cards can be found in Jose Luis Zoreda and Jose Manuel Oton, *Smart
Cards* (Artech House, 1994). The recent ANSI X9F standards include those for
using public key systems to secure financial transactions. The communication
link would involve two-way authentication using Diffie-Hellman key exchange.


26. From Clark Matthews, "Tomorrow's 'Smart Cards': Technical Marvels That
Give Government Fearful Power", reprinted from *The Spotlight*, undated.


27. Some of the following points were broached in a different way by T.
Okamoto and K. Ohta, "Universal Electronic Cash", *Advances in Cryptology --
Crypto '91* (Springer-Verlag, 1992.)


28. See David Chaum, "Achieving Electronic Privacy", *Scientific American*,
August 1992; "Blind Signatures for Untraceable Payments", in D. Chaum, R.L.
Rivest and A.T. Sherman (eds.), *Advances in Cryptology -- Crypto '82*
(Plenium, 1983); "Online Cash Checks", in J.J. Quisquater and J. Vandewalle
(eds.), *Advances in Cryptology -- Eurocrypt '89* (Springer-Verlag, 1990);
"Efficient Offline Electronic Checks", with B. den Boer, E. van Heyst, S.
Mjxksnes and A. Steenbeek, in *Advances in Cryptology -- Eurocrypt '89*;
"Crytographically Strong Undeniable Signatures, Unconditionally Secure for the
Signer" with E. van Heijst and B. Pfitzmann, in J. Feigenbaum (ed.), *Advances
in Cryptology -- Crypto '91* (Springer-Verlag, 1992); "Numbers Can Be a Better
Form of Cash than Paper", in D. Chaum, *Smart Card 2000* (North Holland,
1991); "Privacy Protected Payments: Unconditional Payer and/or Payee
Untraceability", in D. Chaum and I. Schaumuller-Bichl (eds.), *Smart Card
2000* (North Holland, 1989); "Security Without Identification: Transaction
Systems to Make Big Brother Obsolete", *Communications of the ACM* 28:10,
October 1985; "Smart Cash: A Practical Electronic Payment System", in J. Bos
and D. Chaum, *CWI-Report CS-R9035*, August 1990; "Untraceable Electronic
Cash", with A. Fiat and M. Naor, in S. Goldwasser (ed.), *Advances in
Cryptology -- Crypto '88* (Springer-Verlag, 1989).


29. "[P]rior restraint of double-spending can be achieved by using a tamper-
resistant computing device that is capable of merely performing a signature
scheme of the Fiat-Shamir type (of one's own choice), such as the Schnorr
signature scheme" (Stefan Brands, "Highly Efficient Electronic Cash Systems",
Mary 17, 1994.)


30. I highly recommend Henry David Thoreau's essay "Civil Disobedience".


31. These included the interest ceilings set by the Federal Reserve's
Regulation Q, Kennedy's Interest Equalization Tax, and the Foreign Credit
Restraint Program. See Grabbe, op. cit., chapter 1.


32. *Economic Report of the President*, 1975.


.end.