Which E-Currency Issuer?

“P” is for privacy, “P” is for...—he who shall not be named—why free swaps used to be better than warranted searches—why the last shall be first—going the way of all flesh—the results of the privacy stakes—what to do in practice, be you a buyer or a merchant.

“P” is for Privacy, “P” is for ...

Now there are different reasons why you might choose an e-currency issuer and we’ll compare the candidates on a point-by-point basis when we get around to it. But we thought it would be nice to offer some thoughts on the matter dearest to our hearts: which e-currency issuer should you choose on the grounds of privacy? While all e-currencies offer the convenience and certainty of non-repudiable transactions, e-currencies provide varying degrees of anonymity. The ideal is an e-currency issuer who

  • Operates on a “don’t-know-your-client” basis
  • Keeps no records of client transactions

If these two conditions are met then even if Big Brother commandeers the issuer’s data processing centre he will be no wiser when he leaves than when he entered.

The anonymous e-currency niche is a small one, but a relatively easy one to enter. Because of the increased interest by governments in the mass surveillance of financial transactions the world’s main financial players, who operate both onshore and offshore, cannot easily play in the anonymous e-currency market. They are forbidden from doing so onshore—except perhaps for small value transactions—by laws that require them to operate on a “know-your-client” basis. Were they to do so offshore then governments would take action, whether within or outwith the law, to ensure that the issuers were disadvantaged commercially as far as their onshore operations were concerned. And while e-currencies have been growing very rapidly, they have started from a very low base, and are only beginning to command the interest of the major players by way of small but interesting acquisitions.

These restrictions leave the anonymous e-currency niche open to any small enterprise that can consistently demonstrate itself to be trustworthy and reliable. Demonstrating reliability of operation is relatively easy, but as with any quasi-offshore business the appellation “trustworthy” only comes after many years of clients finding that they can “take out” that which they have “put in”!

While primary e-currency issuers require a moderate amount of capital to set up the infrastructure needed to safely store and routinely audit the precious metals that provide 100% backing for the e-currencies that they issue, secondary e-currency issuers that resell primary e-currencies under their own name have negligible set-up costs.

The main problem for the e-currency issuers is that while they readily attract a small and loyal following, making their e-currencies attractive to merchants is an uphill struggle. Without major financial backing and a high rate of cash-burn that effectively buys market share by giving away free cash, growth is, as the euphemism has it, organic!

At present there are three candidates that offer varying degrees of privacy, and who have been around for long enough for us to be reasonably certain that they will not run away with our gold. So if you’re interested in privacy which one of the big three should you select: Pecunix, e-gold, or 1mdc? (And that, dear reader, is called a hint!)

He who shall not be named

It’s a digression, but you may wonder why we always refer to the big three and not, as other commentators on e-currencies do, to the big four. Well, if you’ve seen that Harry Potter film you may recall the discussion between Harry and Hagrid in Diagon Alley, when Harry is told that the evil Lord Voldemort is always referred to by way of the phrase “He who shall not be named”. Well, like Lord Voldemort the invisible fourth member of the big four is as far as freedom loving people are concerned a name that we do not mention in polite society (well, if you must know it’s called “GoldMoney”).

GoldMoney operates under the same “know-your-client” rules that we might expect from the average bank. It requires detailed information about its account holders—notarized no less—though you can open an account and perform some limited transactions without verification. The following extract from their T&Cs gives you a flavour:

Unctuousness Personified

GoldMoney has a Customer Acceptance Policy (CAP) so that it can comply with established know-your-customer regulations for financial institutions ... all financial institutions are required to verify the name and address of their customers and the source of the customer funds entrusted to them.

While in some respects GoldMoney may seem similar to e-gold, there is a distinct difference in ethos. GoldMoney is, we feel, an unctuous servant of Big Brother, through and through. E-gold’s at times servile behaviour is dictated more by the practicalities of its location and by its aspiration to be a major financial player onshore. The other reason to shun GoldMoney is that it has gained a reputation for operating its accounts on a hair-trigger, and—taking a leaf from the Paypal rule book—of freezing accounts at a whim. Security demands that you are able to get access to your gold immediately: the price of gold can rise and fall rapidly in response to world events; were you to buy near a peak you would not wish to wait for months watching the gold price rapidly fall before your account was unfrozen.

So now you know why we speak of the big three and not of the big four!

E-gold versus 1mdc

This used to be an easy one to call. 1mdc tells us it operates entirely off-shore. E-gold’s data processing centre is in the US. As far as we know 1mdc does not disclose account details to third parties. E-gold tells us on its web site that “Our staff has participated in hundreds of investigations supporting the FBI, FTC, IRS, DEA, SEC, USPS, and others.”

Now we’re all for putting an end to crime, but what is a whistleblower to do when the government that instigates investigations contains within it the very criminal elements that the whistleblower is intent on exposing? And while we have every sympathy with the Agent Starlings of this world this sympathy does not extend to their political masters who find it difficult to distinguish between public interest and private gain, who seek to use the information gleaned from mass surveillance campaigns to manipulate public opinion, and who further their own political ends by passing on personal information garnered under the pretext of fighting crime to their paymasters within Big Business. The founders of the good old “US-of-A” were wise enough to place some restraints on the executive, but sadly that executive has found ways to get around them.

At the end of the day it comes down to which you fear the most, the criminals within, or the criminals outwith, governments. If we look around the world today we can ask who causes the most misery, those individuals acting at the behest of governments or those individuals acting at the behest of organized crime? The question is rhetorical, for the depredations of governments vastly outnumber those of organized crime. The peoples of the world have unwittingly allowed governments to gather unto themselves ever greater powers, powers that they abuse with deliberate intent, or, in the most charitable of interpretations, lack the wisdom to use wisely. So, we, the people, must wrest back from governments these powers, and where we face the uncomfortable choice between two evils, we must tackle first that which is the greater of the two.

Now you’d think the US government would appreciate e-gold’s cooperation in these matters. But no. On e-gold’s web site we read:

Biting the hand that feeds you

Starting in mid-December 2005, Gold & Silver Reserve, Inc. (G&SR), contractual Operator and primary dealer for e-gold, has been the subject of a warranted search of its premises and records, had its domestic bank accounts frozen, and been the target of a precisely timed, extraordinarily misleading attack by a major business publication. ... The examination utilized the full resources of e-gold's system and prevented customer access. We were told by the government examiners that the outage would be for a few hours, however, due to the volume of data maintained by e-gold for its customers' protection, a surprise to the examiners, the examination occupied e-gold's computing capacity for 36 hours.

“Maintained by e-gold for its customers’ protection”—ironic isn’t it? And 36 hours—the mind boggles! Had the government examiners just wanted details of the transactions made by a few hundred suspects then there would have been no need to bring e-gold’s operations to a grinding halt. It seems like a blatant attempt by the US government to damage a business whose operations are perfectly lawful but which the US government doesn’t approve of—a standard Big Brother ploy.

While we salute e-gold’s founder for his vision of a gold-based economy, he clearly did not appreciate that the playing field would not be level, that he would have to fight with one hand tied behind his back, and that the “so called” referee would trip him up at every opportunity. Sadly, e-gold seems to be at a fork in the road: either it becomes a pseudo-bank or, if it wishes to keep the vision alive, it must move off-shore.

The US has long ceased to be a democracy in which the executive makes policy that is implemented in a transparent and even-handed fashion by impartial public servants. Instead it has become a tyranny where the executive directs the operations of those public servants to its own ends. Francis Scott Key must be looking down with sadness from his place amongst the heavenly hosts, for while the US may still be “the home of the brave”, it has long since ceased to be “the land of the free”.

What’s important here is what e-gold doesn’t say. E-gold doesn’t say that the US government now has a copy of every transaction made by every e-gold account holder, including the relevant IP addresses, going back to the year dot (1996 in the case of e-gold). E-gold doesn’t say that the US government has shared this information with other “friendly” countries (and the US government keeps some strange company—Saudi Arabia, for example; and even in the case of hostile states information is often bartered). E-gold doesn’t say that the details of all these transactions are now being correlated by disparate governments with information obtained from other sources. And we’re not saying that any of these statements is true either. We just don’t know. But we can speculate! What would a government keen to tap everybody’s phone do with a database full of everybody’s transactions? Well Sherlock, even Watson could make a valid deduction in this case! What’s important here is not what e-gold says, but what every man and his dog thinks!

So it would be prudent to assume that the US government and its hangers-on around the world have a direct line into e-gold’s transaction database. That doesn’t rule out e-gold entirely from a privacy point of view. E-gold still does not validate your personal details, for which it is to be commended (though a GoldMoney-like scenario looms ever larger on the horizon). If you access your account using a good proxy chain, such as Tor, then you still have a measure of protection. But beware: analysis of transaction details can make it easy to identify you. The transaction database will allow any interested party to determine what merchants you’ve done business with. So if you’ve given personal information to anyone on the other side of an e-gold transaction—if you’ve ever purchased any physical goods using e-gold for example—then provided the US government or its “friends” can get access to that party’s records—and they often have “ways and means”—then your anonymity is blown. So if you’re a whistleblower or a dissident—no matter where you live in the world—and you are using e-currency to pay for a web site, for example, then stay clear of e-gold—if it’s worth their while, then governments and their friends may not find it too difficult to track you down.

So clearly, you should choose 1mdc ahead of e-gold. Well, it used to be that way, but not any more as we’ll see below!

Pecunix: And the last shall be first!

Now Pecunix has a more stylish interface than its competitors; Pecunix has more features than its competitors; and Pecunix offers greater security than its competitors. Yes, all very well, but what about privacy, the focus of this blog entry?

Well when it comes to privacy Pecunix not only belongs in a different category to e-gold and 1mdc, it belongs on a different planet! Or, if you’ll forgive us changing and elevating the metaphor still further: it’s a star shining brightly in the firmament of the great god Zimmermann, because Pecunix, unlike its competitors, is PGP savvy (indeed if you want to quickly assess the privacy credentials of any site just ask the question, “Does it use PGP, and, if so, for what purposes?”). Now while the use of PGP with Pecunix is entirely optional, if you add a public key to your account then you will get much in return for your efforts.

When you get an email containing a PIN from almost any financial site on the Internet the email is sent as plain text, which means that every man and his dog could know what your PIN is long before you do! Your email has passed through multiple Internet routers and finally to your ISP’s mail server. You can be pretty sure that at least one Big Brother has sniffed the contents somewhere along the line, to say nothing of organized crime. But with PGP enabled, the PIN you receive from Pecunix comes in an encrypted email. And not only is the PIN encrypted, so too are all emails that you receive from Pecunix. And this kindness can be reciprocated since Pecunix’s PGP key is readily downloaded from its site for the purposes of (1) verifying that the email you’ve received is actually from Pecunix, and is not the result of some phishing expedition; and (2) encrypting your reply to Pecunix should one be warranted.

The next felicity that comes with PGP is a rock-solid mechanism for account verification. With PGP enabled if you don’t enter any personal information when creating a Pecunix account, you can still regain access to your account using PGP should you lose your password. No need to use your mother’s maiden name or avail yourself of other equally risible, cretinous, and hacker-friendly methods of password retrieval, methods that seem to be employed by almost all web sites. Hence, it can be said unequivocally that Pecunix operates on a “don’t-know-your-client” basis.

There is a fundamental privacy principle that any exemplary web site will hold fast to: authorization without identification. When it comes to logging into such a site you are your PGP key. And if you need multiple personae for different purposes, then you use a different PGP key for each persona. With Pecunix you have the option of using PGP for authorization providing unexcelled logon security, which is one of the reasons why Pecunix is also the issuer of choice for large-scale asset holding (but we’ll discuss security another day).

Wonderful isn’t it? Pecunix has always been by far the most impressive of the big three when it comes to privacy—impressive that is until you tried to create a Pecunix account and discovered that you couldn’t! And the reason you couldn’t was because you had disabled Javascript in your browser, and Pecunix wouldn’t allow you to create an account with Javascript disabled. Given the dangers of digital fingerprinting with the subsequent loss of anonymity that the use of Javascript entails, no one with an interest in privacy is going to take the risk. Hence, it was with a heavy heart that we said some time ago, “They stand head and shoulders above the competition in every other respect, but this one defect brings all their other good works to naught!”

In due course we received an email from Pecunix enquiring as to the nature of their sin, and the Prof told them in no uncertain terms what was needed by way of redemption. Despite our vast readership which must now number in millions—well, give or take six zeros—we had no expectation that Pecunix would accede to our request. But we’ve observed that Pecunix, unlike most web sites, responds well to criticism, and where it’s justified acts swiftly to remedy the matter. So we were not too surprised when we received an email from the “main man” at Pecunix, an email that contained the joyous news that Pecunix had repented—and we’re always prepared to welcome a lost sheep back into the fold.

It seems that Javascript is no longer needed in order to create and access a Pecunix account. Well, since “doing is believing”, the Prof started his sentinel, booted his Tor proxy, woke up Firefox, and then wended his way to Pecunixie land, www.pecunix.com. He arrived in Pecunixie land to be greeted by a scene from the Lord of the Rings, for the inhabitants of that fair kingdom had come under attack from some dark force. But those brave elven folk quickly rebutted the attack, and after burying their dead, and repairing a few minor dents that the Prof had discovered in the walls of their citadel, the Prof was able to continue with his allotted task. And yes, with Javascript disabled he was able to create and access a Pecunix account. Well done Pecunix!

1mdc: the way of all flesh!

And while we’re speaking of Javascript, when we tried to log on to a 1mdc account recently the logon form seemed different and it was only when we had clicked in our PIN and got no response that we realized that the logon form was indeed different and, even worse, needed to have Javascript enabled. “Bugger,” we thought, “we’ve just persuaded Pecunix to abstain from using Javascript, only to find that 1mdc has gone the way of all flesh.” Then we espied a small link at the bottom of the page pointing to the old logon form that does not use Javascript, and we thought that all might be well. But when we progressed a little further through the logon process we discovered that on the new security form Javascript was required and there was no corresponding Javascript-free option available for those users with an interest in privacy. So as long as 1mdc does not provide a Javascript-free interface we recommend that you bid farewell to the land of free e-currency swaps!

Even worse, 1mdc’s new logon procedure requires the user to collect a new security code from his email account every time he logs on. This is extremely cumbersome and does not offer an improvement in security. For example, suppose there is a key-logger on your machine. It will record your 1mdc password as you type it in. 1mdc then insists you log on to your email account to collect a one-time security code to complete the login. But the key-logger will also record the name of the email account and the password as you login to collect the security code. Once a hacker knows your email account and password he will be able to collect the new security code when he in turn tries to login. So in adding this extra step 1mdc have added not to the user’s security but to the user’s frustration.

Extra security requires that the user performs some qualitatively different task rather than just doing more of the same. So requiring the user to select some items using the mouse will defeat basic key-stroke loggers, though not mouse-click loggers. But clicking on items with the mouse can be achieved without the use of Javascript, so there is no need for an increase in security to compromise privacy. To defeat mouse-click loggers, though not video surveillance, the positions of the elements to be selected can be randomized, so that a hacker cannot work out what character a user selected from the position of a mouse click on the screen. To defeat one-off video surveillance, “windowed password entry”, in which a randomly selected set of characters from the password, rather than the full password, is entered each time, can be used—as is the case with Pecunix and many online banks. For the highest level of security a PGP challenge can be employed. Even if Big Brother bugs the entire room and rebuilds the entire operating system to record everything happening in the machine, the user simply records the text that has to be signed, takes it away to some other computer that does not have, nor has ever had, an Internet connection, signs the text on that machine and then brings the signed text back to the original machine. All that Big Brother’s spyware will see is the signed text which can only be used for a one-off access to the account.
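
The windowed password entry described above, sketched as an added example (it is not code from Pecunix or any other issuer named here): the class, the function names and the sample password are hypothetical. It also measures what “one-off” means, by counting how many recorded logins an observer needs before the characters he has seen cover a fresh challenge.

```python
import hmac
import random
import secrets


class WindowedLogin:
    """Server side of windowed password entry (hypothetical design)."""

    def __init__(self, password, window=3, rng=None):
        # Caveat: the server must be able to check single characters, so it
        # cannot keep only one salted hash of the whole password.
        self._password = password
        self._window = window
        self._rng = rng or secrets.SystemRandom()
        self._pending = None

    def challenge(self):
        """Pick the character positions the user must supply this time."""
        self._pending = sorted(
            self._rng.sample(range(len(self._password)), self._window))
        return list(self._pending)

    def verify(self, answer):
        """Check the answer; each challenge is good for a single attempt."""
        positions, self._pending = self._pending, None
        if positions is None or len(answer) != len(positions):
            return False
        expected = "".join(self._password[i] for i in positions)
        return hmac.compare_digest(expected.encode(), answer.encode())


def logins_until_exposed(password, window, rng):
    """Number of legitimate logins an observer must record before the
    characters he has seen cover a freshly issued challenge."""
    server = WindowedLogin(password, window, rng)
    seen = {}
    logins = 0
    while True:
        positions = server.challenge()
        if all(p in seen for p in positions):
            return logins
        answer = "".join(password[p] for p in positions)
        if not server.verify(answer):
            raise RuntimeError("legitimate answer rejected")
        seen.update(zip(positions, answer))
        logins += 1


SAMPLE_PASSWORD = "tr4ub-Xq9!zK"  # constructed for this example

if __name__ == "__main__":
    rng = random.Random(2006)  # fixed seed so the run is repeatable
    full = logins_until_exposed(SAMPLE_PASSWORD, len(SAMPLE_PASSWORD), rng)
    runs = [logins_until_exposed(SAMPLE_PASSWORD, 3, rng) for _ in range(500)]
    print("full password entry exposed after", full, "recorded login")
    print("3-character window: mean", sum(runs) / len(runs), "recorded logins")
```

Entering the whole password is exposed by a single recorded login; the window raises that number but does not remove the limit, which is why the PGP challenge sits above it in the ranking.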

The net effect of 1mdc’s changes to the logon procedure is to push 1mdc into third place for both privacy and ease of use.

Results of the Privacy Stakes

So for all of you freedom loving folks the results of the “Privacy Stakes” are as follows: Pecunix romps home, an easy winner, well ahead of the rest. In second place, limping badly following a fall at the “US Treasury” spread jump, comes e-gold. There’s concern as to whether e-gold has a broken leg, and the vet is performing an examination at present. We’ll let you know in due course whether e-gold recovers, or has to be “put down on compassionate grounds”! Unfortunately, 1mdc doesn’t come anywhere at present. Unless and until it stops forcing its users to enable Javascript it’s a non-starter. But if it did, then it would jump into second place well ahead of e-gold!

Now, that’s not to say that Pecunix is perfect. Could we say Nearly Perfect Pecunix? No, not quite yet. There are some areas where we’d like to see improvements, and we’ll expound on those when we get down to discussing details. But in the broad sweep of things, in regards to its motivation, its responsiveness, and its technical expertise, Pecunix is by far the best bet at present for the privacy-minded.

Practicalities

Of course, there’s a problem in practice. E-gold has the largest share of the market, with 1mdc a good second, and Pecunix coming well behind (and most web sites will take no e-currency of any kind in exchange for their merchandise). It would be nice to see Pecunix catch up a little, but that all depends on whether they have the business acumen to match their technical expertise.

Of course, any new entrant to the e-currency marketplace will have the same difficulties as Pecunix in gaining market share. We had a chat with JG about it one day. The ideas we floated were a virtual debit card offered with the same degree of anonymity as the e-currency account—sign up once and you get both; a pass-through mechanism for e-currency payments so that a merchant could maintain a unified accounting system with a single e-currency issuer; bundling of the e-currency interface with some other more popular product; and a user-friendly implementation of e-currency micropayments. But discussing these ideas in detail is something we must leave for another day.

The Buyer

If you’re a Herr W.S. Blooer or a Miss D.S. Dent open an account with Pecunix. Then you can easily pay for your web site and other basic Internet services with very little risk of losing your anonymity.

If, like us, privacy is nice in principle but not essential in practice then open accounts with all three e-currency issuers. Keep most of your gold with Pecunix (it will not only offer you greater privacy, it will also offer you greater security) and keep some working capital with e-gold or 1mdc. 1mdc have a very nice free swap facility with e-gold and now also, in one direction, with Pecunix as well—we can say this of 1mdc, “When the good Lord was giving out business brains, 1mdc was at the head of the queue! It’s a pity they don’t have the technical expertise to match.” If the site where you want to make a purchase doesn’t support Pecunix then use e-gold or 1mdc instead. With e-gold there is a good chance that Big Brother will be monitoring your transactions, though your anonymity should still be reasonably safe with a good proxy chain. With 1mdc your transactions are probably safe, though there is a small chance that Big Brother will get a digital fingerprint of your computer, so you risk losing your anonymity.

The Merchant

If you’re a merchant then having so many different payment systems is a pain in the neck. Apart from credit/debit cards, you’ll be looking at Paypal (well until they freeze your account that is!) long before you’ll consider any e-currency as a payment method. However, if you’re in a niche business and privacy is particularly important to your customers then it’s worth your while offering Pecunix as a payment method. JG pointed out to us that its value is not only the extra business that it would generate. If you wax lyrical about Pecunix’s privacy features then you’ll provide a focal point to differentiate your business from that of your competitors—some of Pecunix’s “street-cred” in this area is likely to rub off on you!

Tiffium & Morphium – Bigus Brutium-Absentium Zonium
