Bitcoin Forum
  Show Posts
2461  Bitcoin / Development & Technical Discussion / Re: Why does Bitcoin not implement anon? on: July 22, 2014, 07:38:20 AM
The short answer is that anonymity as an eventual optional feature (e.g. something you could select for some transactions and choose not to use for others) appears to be favored by developers rather than the idea of mandatory application (which would apply anonymity to every transaction).
I'm not sure what developers you're talking about— but anonymity loves company. Good privacy should be a default, if it can't be then it's probably too inefficient to give much improvement. Infrequently used privacy systems which are detectable risk raising suspicion and censorship for their mere use. (One of the attractions of CoinJoin and CoinSwap is that they're potentially indistinguishable from ordinary transactions)
2462  Bitcoin / Development & Technical Discussion / Re: Why does Bitcoin not implement anon? on: July 22, 2014, 03:46:33 AM
Why would anon even be something you want if you want Bitcoin to be mass adopted?
wow. You're kidding right?  Can you suggest a _single_ widely adopted financial system in the history of the modern world which made everyone's transactions and 'balances' mandatorily public?

Imagine you collect a paycheck in Bitcoin— when you get a raise, do you want your landlord increasing your rent?  "I know you're good for it."

Imagine you resell a product you paid for in Bitcoin and hear from your customers "I know you paid less for it, I want a better price!" or from your suppliers "We want a bigger share, we know you're selling these items for top dollar.".

Do you want your competitors knowing what your sales figures are, what products you're selling, and to which customers you're selling them to?

Do you want your employer potentially questioning the causes you donate to?— or just the risk that they _might_ question them, forcing you to self censor your actions for fear of losing your job, "It's just not working out".

Should the barista at the coffee shop know your bitcoin-net-worth or your lack thereof? Or the mugger they pass the info off to know that you're the ideal person to kidnap? Should loan-sharks know when you're tight on funds and most likely to take a predatory loan or participate in some long shot investment gamble?

Should your in-laws know you're paying for contraception while they're clamoring for grandchildren, or what kind of porn you like?

Should people in your community know what you're paying for your child's education— funds you could be instead spending supporting the community garden?

Should bidders for a deal know what your prices were— undermining the inherent motivation to be honest in auctions which depends on keeping some information secret?

Good fences make good neighbors and financial transactions frequently reveal a bit about our most intimate secrets and values.  Being able to answer "it's none of your business" when it really isn't is what frees people from feeling they have to impose their values on everyone else and frees people from everyone else constantly imposing their values on them for all things.

Transparency is an essential tool in our social tool-belt too— but like all things it must be used in an intelligent and controlled manner. Sunlight can be a disinfectant but it can also cause skin-cancer.

In a world where massive power asymmetries exist having control over your private information is one of the few re-balancing forces which are theoretically available to everyone... and this applies in a multitude of business and personal contexts far more numerous than what I've listed here, sometimes in gross ways and sometimes subtle ways. In some sense a financial transaction underlies every interaction we make with another person— though sometimes the scarce assets exchanged don't include money— sometimes we trade with less formal systems like reputation, trust, future obligation, etc instead of or in addition to money... but such trades are always happening, and without some privacy in them we can have privacy in nothing. (Some people hope that Bitcoin, or Bitcoin inspired systems might help create formalized versions of some of these non-monetary value exchanges in the future too… hopefully not while also undermining their privacy.)

Used in a poor way (as some wallets have enshrined and some businesses seem to be promoting) Bitcoin is one of the least private transaction and value systems ever created. I'm hopeful for the human-welfare-enhancing possibilities that Bitcoin could create in the future, but if it goes a route that further erodes the privacy we have in our interpersonal interactions then it could instead fuel a terrible dystopia.

There are also some Bitcoin specific risks— In Bitcoin our goal is to build a system of exchange which minimizes the need for trust... but we still must trust miners to establish the ordering of transactions. As a result miners have a substantial power to censor, but privacy undermines that risk— so long as we have enough of it. Anything that creates an incentive to control mining— e.g. to achieve censorship goals— risks undermining the whole system, so we're all better off if the system is more private... even the non-existing hypothetical person that has no need for privacy.

So back to your question— I'd turn it around, if Bitcoin undermines people's privacy how could it possibly be adopted— are people that foolish? And if so, could free society survive the harm such an outcome would create?
2463  Bitcoin / Development & Technical Discussion / Re: Is it possible to create a new address type that uses ring signatures instead? on: July 21, 2014, 06:36:08 AM
What's a full verifying node?  (The blockchain is much more than 1GB)
Nodes currently only store the historical blockchain for serving out to newly initializing peers and for stats queries in the rpc. Since 0.8 the software is restructured so that it never accesses it otherwise, and the next release will likely include a feature to operate with only about 1GB storage.
2464  Bitcoin / Development & Technical Discussion / Re: Very very simple yet powerful 51% solution on: July 21, 2014, 06:12:48 AM
WRT to my quote, I think you misunderstand what gmaxwell & adam3us mean by anonymity. I think it's not about knowing the name of a miner (or whatever personal data) but it's related to anything which identifies the miner (even if it's just a reputation id).
Right "anonymous" in this context is about participation having "membership", not about privacy (though anonymous and anonymous do sometimes go hand in hand).  Sorry about that, it's a bit of terminology overload that occurs in the literature.
2465  Bitcoin / Development & Technical Discussion / Re: Funny address pair on: July 21, 2014, 06:07:51 AM
Quote
Maybe, how did you find this occurrence of same hash?
My script monitors for non-standard transactions and notifies me about "something new&interesting".
Ah, good spotting then. It was a product of this discussion today: http://download.wpsoftware.net/bitcoin/wizards/2014-07-20.html  start at 00:56:13

I made an erroneous assumption that you'd been watching the logs and made the post as a result.
2466  Bitcoin / Development & Technical Discussion / Re: Is it possible to create a new address type that uses ring signatures instead? on: July 20, 2014, 10:52:22 PM
It would be very neat if we could move BTC to ring signature addresses like cryptonote and move them back to normal BTC addresses. Or is such a design completely incompatible with how Bitcoin does it?
It's perfectly possible, but it has some pretty severe overheads— and the tech is immature and rapidly improving. E.g. Just recently Andytoshi and I invented a way for coins of different values to partially share anonymity sets.

One challenge with all strong privacy systems is that they break pruning and increase transaction sizes substantially (4x+ in size for these ring signatures, typically).  Right now a full verifying node in Bitcoin requires on the order of 1GB of storage, if we'd had the bytecoin-ring-signatures from day one and the same traffic it would be more like >100GBytes.
2467  Bitcoin / Development & Technical Discussion / Re: Funny address pair on: July 20, 2014, 10:48:35 PM
These two addresses have the same hash d3e604621abfc263162af107834b5a04011b9751
They have entirely different scriptPubKeys, however. The sameness is only even remotely interesting because of bugs in bc.i (and perhaps some other wallets that just ignore the version bytes).

You might want to attribute where you saw this discussion…
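
An added example (not from the original post or from any wallet's code) of the point above: the hash quoted in the post, Base58Check-encoded under two version bytes, gives two distinct addresses with different scriptPubKeys, and a decoder that discards the version byte cannot tell them apart. The mainnet version bytes 0x00 (pay-to-pubkey-hash) and 0x05 (pay-to-script-hash) are assumed to be the two in play; the post does not name them, and all function names are made up for this example.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
P2PKH_VERSION = 0x00  # assumed: mainnet pay-to-pubkey-hash
P2SH_VERSION = 0x05   # assumed: mainnet pay-to-script-hash

# The 20-byte hash quoted in the post.
HASH160 = bytes.fromhex("d3e604621abfc263162af107834b5a04011b9751")


def checksum(data: bytes) -> bytes:
    """First four bytes of double SHA-256, as used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def b58check_encode(version: int, payload: bytes) -> str:
    raw = bytes([version]) + payload
    raw += checksum(raw)
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    # Each leading zero byte is written as a literal '1'.
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58check_decode(addr: str) -> tuple[int, bytes]:
    """Return (version, hash160); raise ValueError on a malformed address."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25 or checksum(raw[:-4]) != raw[-4:]:
        raise ValueError("bad length or checksum")
    return raw[0], raw[1:-4]


def naive_hash_only(addr: str) -> bytes:
    """The flawed behaviour: keep the hash, throw the version byte away."""
    return b58check_decode(addr)[1]


def script_pubkey(addr: str) -> bytes:
    """Build the output script, dispatching on the version byte."""
    version, h = b58check_decode(addr)
    if version == P2PKH_VERSION:
        # OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG
        return bytes.fromhex("76a914") + h + bytes.fromhex("88ac")
    if version == P2SH_VERSION:
        # OP_HASH160 <20 bytes> OP_EQUAL
        return bytes.fromhex("a914") + h + bytes.fromhex("87")
    raise ValueError(f"unsupported version byte 0x{version:02x}")


def address_pair() -> tuple[str, str]:
    """Both encodings of the post's hash: (P2PKH form, P2SH form)."""
    return (b58check_encode(P2PKH_VERSION, HASH160),
            b58check_encode(P2SH_VERSION, HASH160))


if __name__ == "__main__":
    for addr in address_pair():
        print(addr, script_pubkey(addr).hex())
```
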
2468  Bitcoin / Development & Technical Discussion / Re: NSA and ECC on: July 20, 2014, 04:09:46 AM
My question stands:  where did those numbers come from?  The probable answer is that they came from a random number generator that was lying around at the time, probably initialized by the date.  It's too bad this wasn't documented.     
Seems no one knows, but likewise— who created the paper the printed version of the spec was printed on?  What software was used to spell check the document?  Who came up with the shortname for the curve? Maybe they were a secret NSA plant!  If you want to go down the rat hole of _provably_ irrelevant things there is no end to it.  Ultimately people who are not technically sophisticated are at risk of being FUDed by people who are dishonest or themselves confused, but no amount of good process can prevent that.
2469  Bitcoin / Development & Technical Discussion / Re: Why does Bitcoin not implement anon? on: July 19, 2014, 01:58:52 AM
Using a crypto-currency designed to make tracing transactions impossible would likely break US money laundering laws.
Exactly like cash is illegal, and precious metals...

Fortunately all the cryptographic privacy systems can be transcript producing. Some of them inherently are, in the bytecoin/monero/fantomcoin system getting your single scanning private key lets the holder identify all your transactions... so it's very much audit-able, just not a free lunch for global passive surveillance and not a total privacy cluster-@#$@ for normal users.
2470  Bitcoin / Bitcoin Technical Support / Re: How safe is an Encrypted Bitcoin core wallet with a strong password? on: July 18, 2014, 05:23:23 PM
The software uses best-practices in handling, it's adaptively strengthened with a cryptographic KDF and salted (and cracks at no faster than 10 per second on the user's CPU)— but users (including myself) stink at producing passwords or if they manage to produce a good one, they can't remember it.

No amount of encryption can protect you from poor passwords, keyboard sniffers, or other local machine compromises... or from forgetting or disk corruption.  The wallet encryption helps against some things, but the rest is up to you currently.
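
What "adaptively strengthened" and "salted" mean in practice, as an added example that is not Bitcoin Core's code: the work factor is calibrated on the local CPU so that one passphrase guess costs roughly a tenth of a second (the post's 10 per second), and the salt and iteration count are stored beside the encrypted key. PBKDF2-HMAC-SHA512, the 25,000-iteration floor, the record layout and all function names are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
import time

MIN_ITERATIONS = 25_000  # assumed floor so a slow probe never weakens the KDF
TARGET_SECONDS = 0.1     # one guess per ~0.1 s, i.e. about 10 guesses per second


def derive_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the passphrase into a 32-byte key (PBKDF2 assumed here)."""
    return hashlib.pbkdf2_hmac(
        "sha512", passphrase.encode("utf-8"), salt, iterations, dklen=32
    )


def calibrate_iterations(target_seconds: float = TARGET_SECONDS) -> int:
    """Time a probe run on this CPU and scale the count to the target cost."""
    start = time.perf_counter()
    derive_key("calibration", os.urandom(16), MIN_ITERATIONS)
    elapsed = max(time.perf_counter() - start, 1e-6)
    scaled = int(MIN_ITERATIONS * target_seconds / elapsed)
    return max(MIN_ITERATIONS, scaled)


def new_wallet_record(passphrase: str,
                      target_seconds: float = TARGET_SECONDS) -> dict:
    """Create the parameters that are stored next to the encrypted key."""
    salt = os.urandom(16)  # per-wallet salt defeats precomputed tables
    iterations = calibrate_iterations(target_seconds)
    key = derive_key(passphrase, salt, iterations)
    # A keyed check value stands in for "decrypting the master key worked".
    check = hmac.new(key, b"wallet-check", hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def unlock(record: dict, passphrase: str) -> bool:
    """Re-derive with the stored salt and count; compare in constant time."""
    key = derive_key(passphrase, record["salt"], record["iterations"])
    check = hmac.new(key, b"wallet-check", hashlib.sha256).digest()
    return hmac.compare_digest(check, record["check"])


if __name__ == "__main__":
    rec = new_wallet_record("correct horse battery staple")
    print("iterations chosen on this machine:", rec["iterations"])
    print("right passphrase:", unlock(rec, "correct horse battery staple"))
    print("wrong passphrase:", unlock(rec, "password1"))
```

The stretching only raises the price of each guess; a passphrase that appears near the top of a guessing list still falls quickly at 10 guesses per second, which is the limit the post describes.
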
2471  Bitcoin / Bitcoin Discussion / Re: Anonymity and Funding on: July 18, 2014, 03:13:35 AM
the bitcoin development community has offered no assurances or support to the zerocash project of the variety that would entail working together to integrate the zerocoin/libzerocoin code
Of course not. The zerocoin code— though very interesting was a technical non-starter for our applications (20-30kb signatures, very slow validation, trusted initialization). As of now it's been abandoned by its developers and not adopted by any altcoins (AFAIK). Of course, techniques improve with time— thus…

Quote
(or the refined code of the zerocash project) into the bitcoin protocol.  Thus, the Zerocash project is working on an alternative coin system in which different cryptocurrencies would be basecoin that could be exchanged for Zerocoins.
Zerocash  (which is unrelated technology to zero-coin) is expected to improve validation speed (signing is still tens of seconds), and get transactions down to only ~5+ times larger than current ones, but will still require a trusted initialization also very new and largely untested cryptography (some of which includes assumptions which are provably non-falsifiable) which, if compromised, grants unbounded undetectable inflation. This isn't exactly a good fit for use as Bitcoin yet. I'd like to use the technology in a side-chain when made available, where the risk could be more contained,— I spent a bit of time making recommendations about how it could be integrated in Bitcoin with them in email and in person— but the people involved seem to be very interested in creating an altcoin specifically as an altcoin. (Which goes along with not publishing an actual implementation of the complete zerocash cryptosystem, e.g. what was benchmarked in the paper).

I have an implementation of bytecoin ring signatures suitable for our system but if I publish it at this time, it will just result in more altcoins... All these cryptographic anonymity proposals are very immature and come with high costs attached (resource usage or cryptographic risks), and are rapidly developing science, some of which I've been directly contributing to. Bitcoin core— under live fire in a consensus system— is precisely the wrong place to be developing them, but a reasonable place for them once they're mature, tested, and have some of the ugly compromises engineered out of them (e.g. trusted initialization (for zerocoin), transaction bloat, or imperfect privacy (BRS)).

There are several other cryptographic approaches which have been invented (some by me), but all have unfortunate tradeoffs so far... but the technology seems to be rapidly improving.

Schemes which provide improved privacy in a safe and compatible way like CoinJoins (e.g. see darkwallet) are already being developed by multiple parties now and are flourishing. They aren't where we need ultimately but they do have good tradeoffs for the short term.

Quote
This convolution would not be necessary if bitcoin development was more friendly to anonymity systems developers.
This isn't my experience, but if you'd care to point out any specific instances where something was unfriendly— I'll be glad to go work to resolve it.

Quote
The Bylaws contain no restrictions on what the funds from member dues (or any other funds the Foundation may receive) can be used for. None whatsoever.
I was referring to the donors themselves making a condition as part of their donation (obviously this wouldn't cover dues), other funds— the bylaws wouldn't say anything about this.

Quote
As a member, I'd like to see that change.
As a member you're free to ask— though a better forum might be the foundation forum.  Since this isn't the foundation's current area of interest I'd expect you'd see more success elsewhere with less effort though.
2472  Bitcoin / Development & Technical Discussion / Re: Very very simple yet powerful 51% solution on: July 17, 2014, 11:23:26 PM
Let's say that we run N of M oracles that hold keys to a multisig address. And oracles are running an alternate transaction system (modelled on SWIFT or Ripple, or whatever). That system would be using bitcoin as a currency (so bitcoin would still be basis for the value), but would not be blockchain based.
Sure, this is what I'd hoped ripple would become— back before opencoin bought it and turned it into yet-another-alt-coin. (and I had to go and revise a bunch of my posts to remove recommendations to look at the ripple system when it changed entirely).  (And one of the reasons I've been concerned about proposals to raise the block size limits— a world where much of the txn volume moved to fast txn processing systems might look a lot different from ours now and may need lower limits— or very different ones— to retain security in the long term).
2473  Bitcoin / Development & Technical Discussion / Re: Very very simple yet powerful 51% solution on: July 17, 2014, 10:52:26 PM
It's not a stupid solution really - aside from SWIFT, also Ripple uses it if I'm not mistaken.
Right— well ripple has seemed to leave the membership process undefined (as this proposal seems to have done as well) which is probably a huge liability. ... but the whole notion of a federation of semi-trusted parties isn't a bad one— it's one I've recycled many times myself as an example of a way to do high throughput low value transactions with scale no truly decentralized system can provide. ... But I don't think that kind of the system can really be the underlying basis of a complete worldwide currency because it is still fundamentally based on trust. If it could: we would have had it already long ago— multiple-signer federation isn't a new idea relative to digital-cash.
2474  Bitcoin / Development & Technical Discussion / Re: Very very simple yet powerful 51% solution on: July 17, 2014, 10:43:49 PM
You are 100% incorrect you need to go up and read my post again.
I read it multiple times as I did not find it clear at all.  Communications is hard. You could help me out by picking apart why some of the things I cited do not apply and that might help my understanding.

Quote
Anyone can mine even with no ID in my system - that includes sole mining. You have quite simply misunderstood like all of it.
If anyone can mine with no ID and no disadvantage what prevents every miner (including the attacker) from using a unique ID in every single block, and thus being indistinguishable?  

Alternatively, if you pin blocks based on the decisions of some of these "optional" IDs to the detriment of IDless miners, what prevents the ID-ed miners from pinning a particular otherwise-non-consensus blockchain (e.g. to enforce some economic policy in excess of the system's rules).

Quote
I'm pretty sure coinbase coins are the same as other coins and I propose no change to that.. plz read before posting/voting.
Coinbase outputs cannot be spent until they mature 100 blocks later. This addresses some incentive concerns related to miner honesty and prevents a fungibility difference from the fact that recently generated coins are at greater risk of irreversible loss since they cannot be restored if they fall out of the chain in a reorg.

This is a fairly basic part of the Bitcoin system.
2475  Bitcoin / Bitcoin Discussion / Re: Anonymity and Funding on: July 17, 2014, 10:29:47 PM
The Bitcoin Foundation in no way owns or controls the Bitcoin core implementation hosted at github.com/bitcoin. The Bitcoin Foundation currently sponsors some of the work there, since that is currently a good way to support the ecosystem— but this may not always be the case, and in the future the Bitcoin foundation may better spend its funds supporting the ecosystem in other ways (including other technical ways).

As such, I don't think the bylaws should single this out.

I do not know if the BCF accepts restricted donations, some organizations do— some do not—  if they do then that's potentially a way you could better target your funds.  Additionally, there are other groups and individual developers working in the ecosystem whose work you could support directly and separately from the foundation. Increased diversity of support is good for the ecosystem and you may be able to support work which better aligns with your concerns and values than the initiatives currently being undertaken by the Bitcoin Foundation.

It may also be that some of the work you'd like to see done would best be accomplished outside of Bitcoin core— because the importance of the software is so high it's a more challenging platform to experiment in. It can be easier to prove and refine an idea outside of it using other software on the network and then implement it back in Bitcoin Core once the design is clear.
2476  Bitcoin / Development & Technical Discussion / Re: Very very simple yet powerful 51% solution on: July 17, 2014, 09:58:04 PM
If you're going to remove the non-membership of mining and require certified (and ... presumably licensed by states, since the process will make it easy to pin them down) you might as well eliminate the mining, use signatures, and call it SWIFT.

There are perfectly legitimate uses for signature based systems— they have useful security/performance tradeoffs— but they're very much at odds with Bitcoin's security model. In Bitcoin mining is anonymous (in the sense that it has no membership) as part of the process of making it decentralized and somewhat censorship resistant.

Anything that lets you tell if blocks are from the "same dude" creates hooks to force miners to only mine particular transactions.

(WRT "protocol changes", the coins produced by the coinbase transaction cannot be spent for 100 blocks)
2477  Bitcoin / Development & Technical Discussion / Re: On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies on: July 17, 2014, 01:39:25 PM
If I have misinterpreted his writings, he will I assume point that out.
You have, but I've given up responding.
2478  Bitcoin / Development & Technical Discussion / Re: BitCoin Adopting Unique Alt-Coin Features on: July 16, 2014, 09:39:52 PM
Alt-coins that aren't using Bitcoin's codebase are the only ones that stand a chance to even remotely stand alongside/compete with Bitcoin."
I certainly wouldn't agree there. For people that are actually willing to write code an inability to just copy and paste is not much of a barrier.

How about, you know, actually offering a distinct value that justifies having a whole other currency (e.g. freicoin)?

Edit: I removed some spam plugging Bytecoin based (e.g. bytecoin, monero, fantom, etc.) coins from this thread which also spammed other threads— but to the extent that there was a genuine misunderstanding, and not just a desire to spam I figure I should comment... the bytecoin ring signature is pretty straight forward to add to Bitcoin— though it implies a pretty considerable scalability tradeoff. Andytoshi and I have come up with some pretty substantial cryptographic improvements, e.g. https://download.wpsoftware.net/bitcoin/wizardry/brs-arbitrary-output-sizes.txt
2479  Bitcoin / Development & Technical Discussion / Re: On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies on: July 16, 2014, 01:46:51 AM
but they require O(n^2) communication so
Forget that— even ignoring the scaling they require the participants to be enumerated in advance.  That's generally a non-starter to begin with for what Bitcoin attempts to achieve.
2480  Bitcoin / Development & Technical Discussion / Re: NSA and ECC on: July 15, 2014, 08:00:52 PM
A neat variation is that for the parties that compute H(R_n) you make H() really be g*R_n  on bitcoin, and require that the transaction commuting to the scheme actually be doing a coinjoin with the R_n parties, putting up some non-trivial amount of bitcoin to be held under each of the private keys for the duration of mining time.  This means that if any of the parties leak their R_n value to a miner (or other R_n) holders during the mining interval so that the miner could attempt to grind a solution with a particular output then someone could instead steal their coins... so the integrity of the process would be bonded.  The bonds could potentially be very large.