In my opinion, for those of us who aren't anti-government, Taler represents an ethical future of digital spending:
It is interoperable, so unlike our current Visa situation, the free market should be able to bid down payment fees to a fair rate. It's insane to me that Visa and Mastercard have basically positioned themselves as exclusive middlemen on the vast majority of digital transactions, in an age when so much commerce necessarily is digital.
It offers privacy that Visa / PayPal / etc cannot.
It makes income traceable in a way that bitcoin does not, to facilitate lawful taxation.
It is inherently scalable in a way that bitcoin arguably is not (bitcoin has offchain scaling mechanisms, sure, but if you're being honest it's a stretch)
It's not introducing a new currency or coin that will be endlessly speculated on, unlike most every crypto solution out there (even stablecoins rely on eth or others for transaction fees)
Engage in the "wrong" kind of commerce and after the political winds change-- maybe you get rounded up and executed. Regardless of your political alignment, one can't really look at the governance of many nations and say with confidence that you can trust that they won't change in a way which profoundly disrespects your human rights.
Taler misleads people into thinking that its private by claiming that only merchants are surveilled. But every time you pay you both were previously a recipient and you are paying to someone else who relieves. Monitoring reception is equivalent to monitoring everyone, and taler's surveillance is realtime and always active.
> It makes income traceable in a way that bitcoin does not, to facilitate lawful taxation.
Taxation is based on self-reporting, whistle-blowing, and serious criminal penalties for evasion, not on invasive realtime state surveillance into the private transactions of individuals.
Facilitating "lawful taxation" by pervasive surveillance of everyone who receives a payment is like preventing sexual assault by requiring a camera in every bedroom streaming in realtime back to government.
No, actually, you are describing the current state of affairs with mainstream online payment systems like PayPal and Venmo
Taler uses blind signatures which means that your exchange has no knowledge of where you are spending your tokens. In essence, when you make a payment the merchant knows you have an IOU to the exchange, the exchange knows it's a valid IOU, but since it was issued with a blind signature the exchange is not aware that it's an IOU that was issued to you. This gives you privacy that parallels the use of real world cash.
Instead, it requires the recipient to identify themselves and the amounts for every payments. This is a continuous realtime surveillance which does not exist for cash.
Used perfectly it might be potentially more private than paypal, but no one is under any illusion that paypal is particularly private.
On a scale of ethical behavior providing strong privacy is superior to providing limited privacy but both are vastly superior to falsely claiming something has strong privacy when it is limited.
Taler takes matters a step further a falsely claim that its continuous realtime mass surveillance is required to facilitate lawful taxation. This claim is false-- an outright lie in fact. Not only is it technically not required, it's not legally required either and taxation has existed for countless generations when this kind of electronic surveillance was unimaginable.
Taler provides strong privacy for buyers, not for merchants. It's important to note that Taler is not a peer-to-peer system for transferring money (there are claims for interest in implementing such a system in the future, but it does not exist), so the receiver is always a merchant
Personally I don't mind that businesses are surveilled when I purchase at them, because businesses are not people and do not have the right to avoid surveillance. I would be very concerned if such surveillance could extend to me, but as discussed Taler provides buyers privacy and blindly signed tokens cannot be traced to me.
On a given day you're signing a few billion in IOUs into existence from users, while paying out a few billion in IOUs from merchants. Since you are providing blind signatures, you essentially have two ledgers: one is transactions of the form (user, token_value, signed_at) and a second is transactions of the form (merchant, token_value, redeemed_at).
How do you suggest the exchange matches user to merchant from this data?
Taler wallets just sit there until you use them, much like cash. Realistically, there would be too many degrees of freedom to create a matching from merchant to user, even if we additionally assumed a ton of metadata about user/merchant location and such.
But that's not even how Taler works: you withdraw an arbitrary amount of Taler (say $50), this is what is recorded on the consumer side, but then you have anonymous tokens (exactly like coins and bills) that you can spend without connecting to anything: only the supplier need to have a connection to a certification entity (which ensure no double spending).
: section “4.7.4. Refreshing and Linking” in this paper https://ged.univ-rennes1.fr/nuxeo/site/esupversions/41aac1ac...
So, basically, if a merchant requests payment of $5 and the buyer only has a $4 and a $3 token then the buyer exchanges her $3 token for three $1 tokens with the exchange (without involvement of the merchant) and then pay the merchant with a $4 and a $1 token?
But Taler doesn't start out by building what I consider to be a very strong privacy base and then allowing for optional relaxations. Instead it makes a series of design decisions that begin with the idea that privacy will be limited in certain ways, and then bakes those design choices all the way down to the foundations of the protocol. This means the designers have chosen the deployment parameters, rather than the people and democracies who might actually want to make the decisions. This rubs me the wrong way.
* This has in the past been interpreted by people as me saying "I think backdoors are great", which is funny and also not true.
Using your own example, if your "world" supports a perfect invisibility device, then your world can't provide any guarantees that under certain conditions specific things will be seen - you can't have your cake and eat it too, if you want or need such guarantees, then you need to design a world where a perfect invisibility device is impossible.
Stability of any financial system needs an ability to protect against malicious, resourceful actors. Just as a proof-of-work coin needs to protect against double-spending and miner collusion, a Taler-like system needs to protect against malicious exchanges (so, the requirements foor auditability) and against malicious fraudulent merchants (so, the requirements to ensure that there's no option that a malicious merchant might use to cash out anonymously after receiving a payment).
Perhaps there is some way to satisfy all needs, but I personally doubt that, there are too many fundamentally opposite requirements (anonymity vs AML; circumventing gov't control vs ability to take legal action; irreversibility vs reversibility of fraud, etc) - and a system has to choose! If 99% of your transactions use a reversible mode and 1% are irreversible and untraceable, well, you can't have fraud protection for hacked wallets since those will use the irreversible and untraceable option; if you want feature A, you have to ensure that feature B is impossible.
A system does not have to choose. The society that deploys it has to choose which systems they will use, how those systems will be configured and so on. That society also needs to decide whether they will (or even can) ban alternative systems.
The technology itself should not force the designers' favored technical balance onto society. An ideal technology should allow the broadest possible range of configurations, and let users and society make the remaining decisions wherever it's technically possible.
(Many real-world systems are not ideal, and cannot technically admit the broadest possible range of solutions. But we know that centralized e-cash systems can make different choices than Taler.)
The society can freely choose between different systems and properties/configurations of systems; but certain emergent properties of a payment system that a society might want to choose require that some other options are closed off, that the configuration is set to ensure that no transactions in that system can use that option.
For example, if some uses need an strictly anonymous system and others need an strictly unanonymous system, then these systems can interact only through some gateway that enforces breaking anonymity in the latter; if some uses need a reversible system and others need an irreversible system, then interaction needs to happen through some gateway that will reverse a transaction even if the other leg can't be reversed, taking on financial risk to cover the costs of such a scenario. And, crucially, it seems plausible that in many cases such gateways on the boundary between different configurations are socially impractical to operate as they would have to take on risks they can't protect from, and there would be financial motivation to target them to abuse that configuration difference.
For example, we're seeing a bunch of barriers between physical cash USD and USD in bank accounts; and we're seeing a bunch of barriers between USD payments via cheques and USD Fedwire transfers. They are almost interchangeable, but the boundary between different "configurations" requires treating them as distinct and anyone offering a service for unrestricted exchange of one of those into the other is in for a world of hurt.
You are having a discussion about what solutions society should adopt, and whether multiple systems should be allowed. I think that's interesting but a very different conversation.
The only place where these two discussions interact is when technology developers proactively decide to make some kind of specific privacy/security compromise that they think is the right one. This means that societies who want privacy don't get it. It means that societies who want a different tradeoff don't get it. And the most likely outcome is nobody ever adopts the new system, and we get PayPal.
My point is that "technology developers proactively deciding to make some kind of specific privacy/security compromise that they think is the right one" is unavoidable, since any attampts to "avoid" of that choice by leaving options open simply means proactively deciding to make a different compromise that also means that societies who want a different tradeoff (e.g. that the technology must ensure that those options are impossible) don't get the tradeoff they want. Opening one door closes others, in this space one does not simply "add options" without implicitly trading off others.
IMHO the larger thread here is having a technical discussion about how we should design payment systems, of which privacy preservation is one factor that's not axiomatic. Your presumption that the systems must be privacy-preserving and as powerful (on the front of privacy-preservation) as possible seems exactly like a case of a technology developer proactively deciding to make some kind of specific privacy/security compromise that they think is the right one. And not really a compromise, but a point at one extreme on that tradeoff scale, which means that societies who want effective anti-fraud measures, anti-tax-evasion measures and ability to recover funds with legal means without the cooperation of wallet-holder don't get it; and IMHO it's quite clear that societies generally do want a tradeoff like that, as evidenced by all the laws societies have chosen to pass. The societies in general are not willing to trade off these factors to gain privacy preservation, and privacy-perserving payment systems get made only because developers proactively decide to make specific tradeoffs that they personally think are the right ones.
Leaving aside differences in values and the "ought" part, I also fundamentally disagree with the factual points you make in the first paragraph. I disagree that it's vastly harder to turn a security-preserving system into a privacy-preserving one than to turn a privacy-preserving system into a security-preserving one. IMHO many decades and much, much, much more effort has gone into building security-preserving systems than privacy-preserving systems, and we still haven't succeeded at the former, as evidenced by all the loopholes in electronic transfers and cash controls that still leave enormous space for money laundering. Cash is probably the counterexample of a technology that's somewhat "powerful" w.r.t privacy preservation and has proven to be very, very hard to "selectively weaken" effectively.
I'd say that to "selectively weaken" a powerful privacy-preserving system is definitely not easier, I'd say that it's pretty much impossible - since if a society would choose an ability to track specific transactions (e.g. money laundering or drug trades) then a selective weakening does not achieve that goal, and even 99% weakening does not achieve that goal. If there are multiple channels available, then achieving that requires that all channels are privacy-breakable, since otherwise the malicious transactions would all get funneled through the privacy preserving channel. The society can (and should!) apply privacy-breaking selectively, but if the technology can't ensure that these specific transactions are privacy-breakable despite some fraudster trying to preven tthat, then the society doesn't get the tradeoff it wants, that goal requires that 100% of the loopholes are closed - which IMHO is harder than ensuring that some transactions are privacy preserving; especially since you can have privacy preservation even if many transactions are non-private - as if you have multiple channels available, then you can choose to use only the privacy-preserving channels.
The second disagreement is with the statement "Using this approach means that society gets the largest range of technology to choose from." My point is that societies may reasonably want choices which require that other choices are impossible - providing extra choices is not necessarily a net benefit, as the mere availability of option A denies the society some choices. For example, if a society chooses that a certain class of payments should be taboo (for whatever reason), then providing an extra choice of an uncensorable channel does not mean a larger variety of choices - it means denying the society one choice - the choice they wanted, to ensure that taboo-payments don't get made - just to provide another choice that they did not want as much.
Perhaps that's the proper framing of this dichotomy? Maximum-choice-of-policy-outcomes is incompatible with maximum-choice-of-technology-options, there's a tradeoff.
In this case you have a choice. You can ban all browsers entirely. You can use the hobbled browser that doesn’t meet your needs because that’s what’s available. You can try to add new functionality to the hobbled browser, which can be a hard path to follow. Or you can hope that instead of a hobbled browser, there is a more powerful full-featured browser that you can strip down to have the specific set of features you want. In the best case this is easy: just a matter of changing a configuration file. In the worst case maybe you have to snip away some code. To continue this silly analogy: it’s vastly easier to remove PDF support from Chromium than to write a brand new PDF renderer into software that chose not to have one.
Obviously I’m going to have to ask you to take my word that in this case a powerful privacy-preserving payment system stands in for a full-featured browser, and it’s relatively easier to “strip (privacy) features away” from a strong privacy system then to make a weak system more private. I’ve spent a good chunk of my life thinking about this exact problem so I feel confident making this case.
The remaining point you raise is essentially the following: the mere existence of privacy-preserving payment systems deprives societies of choice. This holds in the same way that the existence of, say, Chromium or Firefox makes it impossible for some country to plausibly mandate a browser that can only visit selected web sites or use file formats chosen by the government.
The best thing I can say about this argument is: tough luck. Better (centralized) privacy-preserving payment technologies exist. You can’t make them go away, any more than you can hope that Chromium or Firefox will stop existing. If the success of your preferred system depends on the non-existence of other technology, and that technology is already out there, then you need a better plan.
Bitcoin, Z-Cash, Stellar, GNU Taler and many more, all of those offer different characteristics which societies can pick and choose from. Central Banks don't necessarily like the particular choices that have been made by existing systems and drill down a level further to design a system with exactly the combination of cryptographic blocks that provide the desired mix of characteristics.
I don't think it's wrong that a particular solution like GNU Taler specializes in a particular set of combinations, it will do a better and more maintainable job at this (already pretty massive) project than trying to cover every arbitrary combination of characteristics. Same as libsodium provides a better crypto API than OpenSSL while not running into Heartbleed-scale bugs, because it actually dares to make opinionated choices.
The flexible layer for e-cash should be on the level of crypto primitives, and the actual implementation is the configurable layer that you're asking for.
Web browsers and operating systems are neat and general-purpose, but for a mission-critical currency it would be nice not to have to deal with the endless security fixes that an almighty everything-framework will unleash unto us.
This kind of thing is just barely tractable when you're talking about something as "simple" as a non-interactive encryption protocol. It becomes exponentially harder when you get into the world of interactive crypto protocols with ZK proofs and privacy guarantees (where a bug means losing millions of dollars.) It becomes even harder when specific anti-privacy features have been baked into the underlying protocols on purpose, because it requires so much expertise to remove them, and the consequences of a mistake are catastrophic to the whole system. You're often better off just starting from scratch, since the technology of centralized e-cash is reasonably well understood (and the Taler authors probably aren't going to support your fork, because they politically disagree with your choices.)
I have been following Taler for several years and it's great that it exists. But I don't see a pathway to adoption for it, partly because it's so "politically" opinionated around a specific set of features that the authors think are the right ones, and partly because it's hard to launch a centralized private currency without buy-in from a lot of people who agree with your political decisions. Taler can only launch if it finds sponsors who agree with all its choices, and it has not found them yet. Whereas Zcash and Monero launched because, while they're also opinionated, they're decentralized currencies and don't face the same coordination problems.
I've no idea if the "on-chain governance" crowd like Cosmos, Polkadot, etc. could politically introduce tools that supported taxation. Any "miner consensus" design like ZCash, Bitcoin, etc. could never introduce such politically contentious upgrades.
ZCash's developers have thus de facto spoken definitively against taxation, by defining the voting set to oppose taxation.
Taler exchanges do whatever governments permit/encurage banks to do. You might dislike our political system, but clearly Taler adopted a notion of society much closer to the conventional one.
As I noted above, Taler could swap their crypto for balance hiding tool or with techniques that support balance hiding blockchains. ZCash cannot disentangle itself from its anti-tax roots.
Sure it can. Anyone can fork the Zcash code, and with some changes can adapt it to a centralized ledger. Or you can use a Chaumian system. Once you do this, you will have a system that faces exactly the same adoption hurdles as Taler.
At a technical level, both ZCash and Taler operate upon two databases, one for UTXOs and one for nullifers, and either could change their cryptography. If you compare design decisions more carefully then you'll find ZCash baked their politics much more deeply than Taler.
Taler provides inexpensive anonymous payments for small everyday purchases. This is not controversial. ZCash employs non-scalable blockchain designs that cannot realistically support many small purchases, and even requires merchants track the chain, making it primarily an investment instrument. It's true one ECC dev has contributed to the scaling discussion, and ECC's code base spawned zexe and arkworks, which advanced zk rollups, but.. ZCash does not fund obviously much scalability work. In short, Taler appears focused upon real privacy needs of everyday people, while ZCash appears focused upon investors' privacy desires, including for for tax evasion.
ZCash could engineer some taxation support system, although not sure about the complexity. Taler could trivially simplify their refresh protocol, which then makes all transactions become plausibly refreshes, and makes taxation hard.
ZCash expressly supports hiding large balances, presumably from taxation. Taler could adopt a system that hides balances with range proofs, if they valued hiding large balances.
ZCash like Bitcoin was designed to combat flawed government monetary policy, which weds them tightly to this goal. If desired, Taler could operate upon finality proofs produced by blockchains, thus giving supporting the same anti-governmental monetary political goals as ZCash, etc.
Again, if we compare the political positions based into the designs of Taler and ZCash, then we find ZCash's positions to be more extreme, and to be baked more deeply into the design.
The way I see the process, the flow of Talers is strictly asymmetric and one way, with a clear distinction between users(consumers) and merchants:
1. From exchange to user (deposits).
2. From user to merchant (payments for orders).
3. From merchant to exchange (withdrawals).
The monitorable steps are 1. and 3., which allow tracking the total amount that you can spend and the total amount that the merchant has received. The actual transactions (step #2) are not surveilable, the system does not track who paid what to whom.
The statement "every time you pay you both were previously a recipient" is not correct, since as a non-merchant user you can't be a recipient of payments, you can't have any income in Taler, you can only spend what you yourself deposited in the system through an exchange. And vice versa, as a merchant, you can't make any payments, you can only withdraw your Taler income for real money at the exchange - it's exactly just as with a merchant account for receiving credit card payments, which is strictly separate from any credit card payments that the company might want to make themselves.
(off-topic: thank you for Opus.)
Of course, if one wants to trust other entities one can already easily use chaumian cash w/ Bitcoin.
That works similar to Taler except no integrated spyware.
This approach can even be implemented with multiparty security relatively easily, so that the funds are protected by a majority threshold rather than just requiring a single point of failure.
Bitcoin is (intended to be) a form of money — just like USD, EUR, gold, silver. The Taler network needs a unit of account (numeraire) to denominate amounts in, and this is what money is used for. Tail itself cannot function without a monetary unit since it’s a payment system (a way to move money).
 "the Bitcoin network", meaning the use of blockchain transactions to facilitate payments, or off-chain schemes to do the same with on-chain settlement (as in lightning network)
Can you explain this a bit more? I thought all Bitcoin transactions are completely traceable.
Bitcoin is just as much about improving money in general as it is about preserving and transferring wealth.
Before WWI, a large part of the world was all on the gold standard. I think a Bitcoin standard would be similar to that but with improvements to consensus.
Perhaps Taler is more competing with Lightning networks or decentralized exchanges?
One of the major limitations of a pure debits-and-credits system like Taler is that it has limited speculative interest. It can't be gamed for returns on investment, so it can't initiate the boom-and-bust cycle.
If my national currency was going up like bitcoin spending would decrease a lot. Why you'd you buy a car today when you can buy it in a month and spend 20% less? The economy would stop functioning.
And when the value of currency falls people want to spend it as fast as possible.