The overarching point of The Transparent Society is that our freedom can be better protected by openness than by secrecy. Rather than distrusting our government--emasculating it with consumer cryptography and stringent rules for intelligence gathering--we should empower our government to do its job, but recognize in proportion that it is our government. Don't emasculate government into a helpless bumbling bureaucracy, but nurture it into a powerful tool accountable to us to accomplish our social goals.
The first bit that struck me as unworkable is on page 182 under the emphasized comment, "Why not have most transactions take place in the open?" Brin presents his transparent alternative to cryptography-based electronic money:
Let us define an "open transaction" between two parties as an exchange that is immediately "announced" or broadcast across the Internet. In particular, a notification streaks toward both of the parties involved--a form of electronic receipt that is sent to the official home base that each person or group maintains for accountability purposes. This electronic address cannot be hacked because it stands in open view at all times, checked--routinely, randomly, and redundantly--as often as anyone wishes. It is permanent, a name.
The announcement also goes to as many other individuals or groups as either party might choose, so that it is common knowledge. This message--an attestation that a bargain has been struck--requires no secret codes, no potentially fragile ciphers, since it is not the same thing as the transaction itself. When each participant in the deal gets such a message, he or she can do one of three things:
- Confirm the transaction. (In most cases, the message-blip will be received just an instant after you strike an agreement, simply restating its terms.)
- Repudiate it. If the announcement comes as a surprise, it means someone is trying to spend your money! Repudiation automatically forbids the transfer and unleashes electronic sleuths to begin tracing the source of the bogus deal.
- Do nothing--in which case the transaction is either confirmed or repudiated automatically, depending on the user's default choice.
Notice how this system differs from encrypted security, while achieving the same aims. Unscrupulous parties are thwarted because they will accomplish nothing by attempting to forge a false transaction. It will be cancelled anyway, and nothing will be gained except to attract attention from the authorities. Because the confirmation request was broadcast, the thieves cannot prevent you from receiving it, or deny you an opportunity at repudiation.
(If I have quoted overeagerly, well, given current technology, Brin basically asks me to on page 102.)
When I first read this, my sleepy hindbrain balked at all the apparently incorrect assumptions underlying this system. Here are a few I can think of now:
- Internet geography doesn't work that way.
- You can't effectively broadcast something, unless you want to waste a lot of other people's bandwidth. You can, however, narrowcast it "to as many other individuals or groups as either party might choose," so this may be minor.
- Someone has to send it. You can't have "a notification streak[ing] toward both of the parties involved" because, if only they know they're engaging in a transaction, one of them has to be the one sending. Brin may mean a notification from each party to the other, but then it's not "a notification."
- Packets aren't in plain sight. The address on the receipt "can't be hacked because it stands in open view at all times"--but on the wired Internet, that isn't so. At any given time, only one machine has the active copy of each IP packet composing the receipt. This is more an attack on Brin's idea that Internet communications can be open to spying, but you get into the pseudo-Heisenbergian problem that to spy on a router over the Internet you have to send packets to and receive packets from it... and there are problems with that.
- The address of your "official home base" that receives your receipts "is permanent, a name," but as anyone dabbling in distributed systems knows, names are anything but permanent. Like real-world luxury built on sweatshop toil, a lot of naming systems depend on the authority of a single domain name system that some people find offensive.
- I spy some deus ex machina syndrome. The receipt-generating unit (assuming he didn't mean each party sends the other a receipt) and the "electronic sleuths" and "authorities" unleashed at repudiation time are vague holes that break the system.
Thinking now, though, this seems to be the general approach of Todd Boyle's webledgers. Brin objects to the idea that privacy is necessary, while Boyle says, "When 3rd parties observe transactions no good can result." Brin also argues against using cryptography at all prima facie, something on which I'd like to hear his opinion nowadays, now that we use it so much more.