Bitcoin Forum
June 18, 2024, 03:38:02 PM
Show Posts
2641  Alternate cryptocurrencies / Altcoin Discussion / Re: Can someone really explain which coins are truly anonymous? on: September 08, 2016, 09:19:36 AM
Anon coins like dash and monero are not 100% anon? I thought they are all 100% anon.

As I tried to explain, both systems leak some entropy about previous transactions, but there's much less leakage in monero than in DASH (that, under the assumption that the dark nodes are not keeping the information that *totally* exposes the link).

The amount of information that can be extracted depends essentially on the anonymity set.  In as much that being a member of the anonymity set is mandatory (as far as I understand, ONLY monero (as a representative of cryptonote) has this property - I'm not sure about ZCASH), this has the advantage that the anonymity set grows over time even if you do nothing.  With an optional anonymity, such as in DASH, it depends on how many users actually use it.   But both in monero and DASH, the anonymity set is (initially) finite and even rather small.  In DASH, the anonymity set is guaranteed to contain only other people wanting anonymity explicitly; in Monero, the anonymity set is random and growing.  But both sets are small in the beginning.

In ZCASH, for anonymous transactions, the anonymity set is much larger, and essentially equal to all people ever having done at least one anonymous transaction.   However, in as far as ZCASH has no mandatory anonymity, that set can in practice turn out to be much smaller than the anonymity set in Monero after a long time, where this will tend to include all users of the block chain.  In as much as ZCASH would have mandatory anonymous transactions, it would be the only system with TOTAL anonymity instantaneously (that is, the transaction can be just ANY person on the block chain).

This is why this question of mandatory anonymity for ZCASH is so important: if it *is* mandatory, it is the only system that is FULLY anonymous right away.  If it isn't mandatory it has a similar problem as DASH.  It would be a pity.  (it would still be better than DASH because of the lack of need for master nodes)
2642  Alternate cryptocurrencies / Altcoin Discussion / Re: Can someone really explain which coins are truly anonymous? on: September 08, 2016, 09:07:25 AM
Another good crypto note to look out for is DigitalNote since it offers the same ring signature transactions as monero as well as anonymous encrypted messaging.

Although I must say that it is ridiculous to expect a coin to be 100% anonymous. That is impossible and anything close to it would need tools that have nothing to do with crypto currencies.

Amen.
2643  Alternate cryptocurrencies / Altcoin Discussion / Re: Can someone really explain which coins are truly anonymous? on: September 08, 2016, 09:06:46 AM

I asked this several times: can someone who knows, explain whether Zcash has *obligatory* anonymity (with or without optional disclosure), or just *optional* anonymity ?


Due to the amount of resources it needs to create such a Zcash transaction, I don't think we will see a system where it is mandatory that soon.

This I also understood, and then when I tried to read the white paper, this doesn't occur in the text as far as I can see.  I only see transactions with "notes" (which are anonymous) and "in the clear" coin transactions, in such a way, that you cannot have an "in the clear" input and an "in the clear" output at the same time, which makes me think, that after all, it is mandatory.

So I'm kind of confused between "it is too complex to do for every transaction" on one hand, and in the white paper, there is no other way than to do it that way.  But maybe the white paper is ONLY describing the optional, heavy, anonymous transactions, and maybe there are simple "in the clear" transactions next to it.  But I couldn't find that information on the zerocoin site (I may simply not be looking in the right place).
2644  Alternate cryptocurrencies / Altcoin Discussion / Re: Are smart contracts doomed? on: September 08, 2016, 06:02:17 AM

Human civilization has done nothing but evolve in complexity over time.  Why would this trend cease?  It won't.  Mole-men sustaining life in underground bunkers developing CERN portals to parallel dimensions is slightly more complex than President Garfield's medical treatment for bullet extraction/infection prevention just a century ago.

Smart contracts will ONLY INCREASE IN COMPLEXITY over time.  Just look at history (then extrapolate the future).

The point is that a smart contract is a totally different beast than "software".  A smart contract, like a normal contract, is stated once and for all, when the first two parties sign up; in as much as it can "auto-mutate", this is part of the original contract.  There's nothing *unforeseen* that you can change in a smart contract.

In fact, the closest you come to the situation of a smart contract, is firmware running on a space probe you cannot update remotely.  It has to work at launch, and can never be updated any more.

Now, look at normal contracts.  Normal contracts can be quite complex when you look at the paper work, but their state tree is in fact relatively simple.   The hard part of normal contracts is how the legal system will interpret the state tree: this is why you use expensive business lawyers to try and verify normal contracts.  A wild guess is that even a very complicated normal contract doesn't contain more than a few tens of leaves in its state tree ("if this, then so, and if so then this, but if not no, then that").  NO SINGLE NORMAL CONTRACT HAS EVER USED UNSPECIFIED LOOPS OR UNLIMITED RECURSION.  So no normal contract has ever needed a Turing-complete description language.  It is this absence of Turing completeness which allows one to analyse the state TREE (and not a state GRAPH).

If you cannot formally make sure that the state tree is what you consider it should be, then you are using "frozen software" of which you have no formal proof that it doesn't contain bugs or exploits (if you have a formal proof, then these things cannot occur, because you have explored the full state space of your contract).

The holy grail of software development is to know how to write bug free and exploit free software in Turing complete languages, and in more than 50 years of software engineering, we never succeeded in doing so.  But in non-Turing complete systems, one can, with formal state tree verification.  We even know that this proof is not possible in Turing complete languages (the Halting Problem).

So, writing a contract, that cannot only never be altered, but that will run open to anyone, containing potentially a lot of money (bait for exploits), on a system where it is mathematically impossible to prove the absence of bugs or exploits, is NUTS.  Especially, because that aspect which renders the system unprovable (Turing completeness) is never used in real normal contracts.

Quote
smartcoins - the bitcoin derivatives that can be executed either now (like bitcoin) or sometime in the future making wills and annuities possible.  Translation - you don't have to trust a bank or third party to trade assets, or administer an annuity to your after you die, and they turn 18

But these are SIMPLE, small contracts with just a few leaves on the state tree.  You do not need Turing completeness to implement that.  In the same way that the statements in the "paper" version of these things also doesn't need any Turing completeness, unlimited recursion and all that.

Quote
PeerPlays = gaming smart contracts - you don't have to trust Joe Schmoe to hold the fantasy football prize money because the network will not release any money until the network reaches consensus on the final scores.

This is again a simple contract with just a few states.

Quote
So it's not that smart contracts are not viable, and will disappear, it's just that COMPLEX smart contract platforms require a greater level of human trust than SIMPLER smart contract platforms like bitcoin.

These are NOT "complex" smart contracts.  They are very simple ones.
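The argument in this post (a contract without loops or unlimited recursion has a finite state tree, so every reachable state can be checked) as an added example, not code from the original post: a constructed will/annuity contract with four events and a bounded state, enumerated breadth-first, with safety properties checked on every reachable state. The contract rules, event names and oracle counts are hypothetical and not taken from any platform.

```python
from collections import deque
from dataclasses import dataclass, replace

# Constructed example: a will contract with a finite state space. The rules,
# event names and oracle counts are hypothetical, not any real platform's.

ORACLES_REQUIRED = 2   # attestations of death needed before a claim
MAX_ORACLES = 3        # size of the oracle set


@dataclass(frozen=True)
class WillState:
    escrow: int            # coins still held by the contract
    paid_out: int          # coins released to the beneficiary
    returned: int          # coins returned to the testator on revocation
    death_attested: int    # oracles that attested the testator's death
    beneficiary_adult: bool


EVENTS = ("attest_death", "beneficiary_turns_18", "revoke", "claim")


def step(s: WillState, event: str, require_adult: bool = True) -> WillState:
    """Transition function. Every branch is a bounded if/then leaf: there are
    no loops and no recursion, so the reachable state space is finite."""
    if event == "attest_death" and s.death_attested < MAX_ORACLES:
        return replace(s, death_attested=s.death_attested + 1)
    if event == "beneficiary_turns_18":
        return replace(s, beneficiary_adult=True)
    if event == "revoke":
        # Only a testator not yet attested dead can revoke, while funds remain.
        if s.death_attested < ORACLES_REQUIRED and s.escrow > 0:
            return replace(s, escrow=0, returned=s.returned + s.escrow)
    if event == "claim":
        ok = s.death_attested >= ORACLES_REQUIRED and s.escrow > 0
        if require_adult:
            ok = ok and s.beneficiary_adult
        if ok:
            return replace(s, escrow=0, paid_out=s.paid_out + s.escrow)
    return s  # the event has no effect in this state


def explore(initial: WillState, require_adult: bool = True):
    """Breadth-first enumeration of every reachable state (the 'state tree')."""
    seen, queue = {initial}, deque([initial])
    while queue:
        s = queue.popleft()
        for ev in EVENTS:
            t = step(s, ev, require_adult)
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen


def verify(initial: WillState, require_adult: bool = True) -> list[str]:
    """Check safety properties on every reachable state. Returns the names of
    violated properties; an empty list is the exhaustive proof for this model."""
    states = explore(initial, require_adult)
    violations = set()
    for s in states:
        if s.escrow + s.paid_out + s.returned != initial.escrow:
            violations.add("funds_not_conserved")
        if s.paid_out > 0 and not (s.death_attested >= ORACLES_REQUIRED
                                   and s.beneficiary_adult):
            violations.add("paid_before_conditions_met")
        if s.paid_out > 0 and s.returned > 0:
            violations.add("paid_and_refunded")
    if not any(s.paid_out == initial.escrow for s in states):
        violations.add("payout_unreachable")
    return sorted(violations)


INITIAL = WillState(escrow=100, paid_out=0, returned=0,
                    death_attested=0, beneficiary_adult=False)

if __name__ == "__main__":
    print(len(explore(INITIAL)), "reachable states")
    print("correct contract:", verify(INITIAL))
    print("missing age check:", verify(INITIAL, require_adult=False))
```

Turning `require_adult` off is the kind of missing guard the post calls a bug: the enumeration finds the state where funds leave before the beneficiary turns 18, because it visits every state the contract can reach. The proof is only as strong as the model and the property list, and it relies on the absence of unbounded loops; add a counter that can grow without limit and the state set is no longer finite.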
2645  Alternate cryptocurrencies / Altcoin Discussion / Re: Can someone really explain which coins are truly anonymous? on: September 08, 2016, 05:41:42 AM
monero is truly anonymous, or zerocash which is coming, all those that use zero knowledge proof are real anon, bitcoin is only half anon instead

I asked this several times: can someone who knows, explain whether Zcash has *obligatory* anonymity (with or without optional disclosure), or just *optional* anonymity ?

Monero has obligatory anonymity, and optional disclosure.

It is very important to have obligatory anonymity or the anonymity isn't worth much.  This is also (amongst others) a problem with DASH for instance.  Anonymity must be "normal" and "by the masses not needing it" in order for it to work.  If only people needing it, use it, they stand out in the clear as needing anonymity.

2646  Alternate cryptocurrencies / Altcoin Discussion / Re: Can someone really explain which coins are truly anonymous? on: September 08, 2016, 05:27:11 AM
...

This was a good read, thank you.
Just I am not sure, this is how all Cryptonote coins work, or only Monero? Or it is the RingCT they want(ed) to implement lately in Monero?
However, it sounds good.

This is cryptonote.  RingCT is even more subtle: it also hides the amounts in the transaction, which was still a "privacy leak" of some sorts in the original cryptonote protocol: you could still see in the clear the *amounts* of transactions, which could be correlated with real-world purchases or earlier amounts. 

2647  Alternate cryptocurrencies / Altcoin Discussion / Re: What you think about Monero and its future on: September 08, 2016, 05:18:15 AM
My hope for monero is that it will not get hijacked by the institutional crowd like bitcoin has been, but will remain a grass roots *currency*, not a Winklevoss brothers' type of vehicle (I have nothing against those people in itself, but turning grass roots crypto in institutional betting coins kills the idea to me).  Also, there shouldn't be too much hype over monero or TPTB will put their ugly nose in.
So somehow I hope the price will cool down somewhat.  This is too much, too fast.
2648  Alternate cryptocurrencies / Altcoin Discussion / Re: How high will anon coins rise when their GUI comes out? (XMR, WBB, BTS, etc) on: September 08, 2016, 04:38:13 AM
My point is that it shouldn't make a difference.  My idea is that if having a gui makes a difference for you using monero, then you have not sufficient mileage in computing to have even the basics of your OPSEC right, and you shouldn't be toying with anon coins (unless the anon part is not important to you, in which case monero shouldn't make a difference).  Of course a gui is fancier and nicer to use, but it shouldn't be a *break point* in using it.  If it is, then you should first pump up your easiness with computing before trying to do "anon" stuff.
2649  Alternate cryptocurrencies / Altcoin Discussion / Re: Can someone really explain which coins are truly anonymous? on: September 07, 2016, 01:01:38 PM
You are right about the resources, but Anon or Vpn make little difference,

I don't believe that.  If it were, they wouldn't fight it.  It would be the perfect honey pot.  Let people have TOR, let them have VPN, and let them think they are safe, and we can just read what they do and go after them.  The more TOR, the merrier for TPTB under your hypothesis.  While you're right that these tools only give limited protection, it DOES piss them off.

(unless we have to anticipate them more, and they will "fight" it, just to *seem* pissed off, and then they will "lose" the fight so that people REALLY think that they are safe, while all TOR traffic is immediately without cost decrypted, sourced, and analysed by them, laughing their asses off).

My bet is that it DOES annoy them for sure.

BTW, as far as I know, TOR was NOT compromised as such.  TOR was DDoSed which allows for some time correlation analysis if you happen to use TOR at that moment and one is watching your connections, but this is proper to any low-latency system, and TOR itself tells you that this kind of stuff is outside of their threat model even though they are now working on mitigating it to an extent.


2650  Alternate cryptocurrencies / Altcoin Discussion / Re: Can someone really explain which coins are truly anonymous? on: September 07, 2016, 12:41:29 PM
Imho the Cryptonote coins are the closest ones to anonymous nowadays. There's Monero and many more.
Afaik they do the mixing using random other nodes from the network, so the chance they are compromised is slim.
Just you have to set in your transaction a high enough mixin. Afaik Monero enforces now at least 3, I don't know about others.

It is a common misconception that monero is some "automated mixing without masternodes".  It is more subtle than that.  
As you probably know, in bitcoin, a transaction consists of saying which input transaction you use (by indicating this explicitly, and by signing with a signature of the secret key that goes with that former transaction output).  In a mixer, you make a transaction with several inputs *which are all really used*, but you pay back the same sums to the owners in new addresses.  In other words, you have, say, 3 inputs A, B and C (of identical amounts) and you produce 3 outputs (of same amounts) D, E and F.   The mixer doesn't say whether D came from A, from B or from C, but it is one of the three.  However, you KNOW that amongst D, E and F, there is A *FOR SURE*.

In a cryptonote transaction (such as used with monero), what happens is that there is a transaction from { A , B OR C} to D.  You have no idea whether A actually went somewhere.  A could very well NOT be used.   It could in fact be B who made a transaction to D, and A never moved his funds.  It is just that the original transaction, and the signature, were obfuscated in a ring signature scheme where two other random signatures (A and C) were picked from the block chain.

Note that there is no "mixer node" or anything involved.  The transaction sending wallet on your computer is the one using the extra signatures that it picks off from the block chain to compose a transaction containing this ring signature, composed of your real signature, and a few others picked from the block chain at random. (*)

So while the big difference is that in a mixer, {A, B, C} to {D, E, F} guarantees you that A moved his funds to one of D,  E or F, with a ring signature, if there is a transaction {A, B, C} to D, you have no idea whether A, B or C was the one moving his funds.  You know that 2 of the 3 are randomly picked signatures which have nothing to do with this transaction.

This makes "coin colouring" impossible, and makes all coins equivalent.
Indeed, suppose a "thief" has stolen funds in address B.  Suppose that exchanges and other people don't want the thief to use his funds.  They can now refuse all coins that have a transaction history including B.  Even if *you* wouldn't mind accepting them, YOU would be the one not able to spend them afterwards, so you are somehow obliged to boycott the "thief" too. Suppose that that thief uses a mixer.  You now know that D, E or F are the thief's funds.  Now, idiots who mixed with the thief in the mixer can be punished, because you could now say that D, E AND F are boycotted.  Nobody is going to be willing to mix with the thief.  One could, in the end, implement a soft fork where transactions with a history leading to B are made non-accepted.

Consider the same story in monero.  The "thief" has his funds in B.  But just *any* transaction can randomly select B's signature to obfuscate just ANY transaction.  So a transaction where B's signature occurs, and which COULD possibly be B moving his funds, will UNAVOIDABLY occur, even if the thief doesn't do anything.  Sooner or later, his signature will appear, say, in a transaction G.  And somewhat later, the signature of G will also be randomly selected for another transaction H.  And so on.  After a while, MANY transactions will be "contaminated" by B's signature or its descendant transactions - while in reality, the "thief" may still hold his funds in B.   If we "block" all descendants of B's signature, then we end up blocking most of the transactions, while those have nothing to do with B.
So the longer you wait, the more B's signature will occur somewhere in the potential pasts of just any transaction, and there's no way to block B, even not with a soft fork.  This is what makes monero essentially fungible (which comes down to making past payments anonymous).

(*) you may ask how it comes that you need your private key to make a signature of your transaction, and that you can "pick random signatures off the block chain" while of course you don't know the private keys (but only the public keys which are the addresses).  This is the magic of ring signatures.   A ring signature needs ONE private key, and N-1 public keys, to fabricate a ring signature R.  Someone who has the N public keys (but no private key) can verify that there was a private key used to fabricate R, but he doesn't know WHICH of the N possible was the private key, and which were the N-1 public keys.  While only you have your private key, you can pick as many public keys (addresses) from the block chain as you want.
There's more to it, but this is the gist.
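The footnote's ring signature, as an added toy implementation that is not code from the post or from Monero: a Schnorr-style ring signature over plain modular arithmetic with constructed parameters (a Mersenne prime modulus, base 3, exponents reduced mod P-1), showing that signing needs one private key plus N-1 public keys, while verification treats every ring position identically and so learns nothing about which member signed. Monero's scheme runs on an elliptic curve and adds a key image for linkability; neither is modelled here.

```python
import hashlib
import secrets

# Toy group (constructed for illustration): arithmetic mod a Mersenne prime,
# base 3, exponents reduced mod P-1, which is valid for any base by Fermat's
# little theorem. Not Monero's curve and not a production parameter set.
P = (1 << 127) - 1
G = 3
ORDER = P - 1


def keygen():
    """Return (private key x, public key y = G^x mod P)."""
    x = secrets.randbelow(ORDER - 1) + 1
    return x, pow(G, x, P)


def _challenge(message: bytes, ring: list, commitment: int) -> int:
    """Fiat-Shamir hash binding the message, the whole ring and one commitment."""
    h = hashlib.sha256(message)
    for y in ring:
        h.update(y.to_bytes(16, "big"))
    h.update(commitment.to_bytes(16, "big"))
    return int.from_bytes(h.digest(), "big") % ORDER


def ring_sign(message: bytes, ring: list, j: int, x: int):
    """Sign with the ONE private key x belonging to ring[j]; every other ring
    member contributes only its public key. Returns (c0, [s_0 .. s_{n-1}])."""
    n = len(ring)
    assert pow(G, x, P) == ring[j], "secret key does not match ring[j]"
    s = [0] * n
    c = [0] * n
    alpha = secrets.randbelow(ORDER - 1) + 1
    # Start the chain at the signer's position with a fresh commitment G^alpha.
    c[(j + 1) % n] = _challenge(message, ring, pow(G, alpha, P))
    i = (j + 1) % n
    while i != j:
        # Decoy positions: pick s_i at random, derive the next challenge from
        # the public key alone. No private key of member i is involved.
        s[i] = secrets.randbelow(ORDER)
        commitment = pow(G, s[i], P) * pow(ring[i], c[i], P) % P
        c[(i + 1) % n] = _challenge(message, ring, commitment)
        i = (i + 1) % n
    # Close the ring: only the holder of x can make position j consistent,
    # because G^s_j * y_j^c_j must equal the G^alpha the chain started from.
    s[j] = (alpha - c[j] * x) % ORDER
    return c[0], s


def ring_verify(message: bytes, ring: list, signature) -> bool:
    """Recompute the chain from c0; it must come back to c0. The check does the
    same computation at every position, so it cannot tell which member signed."""
    c0, s = signature
    c = c0
    for i, y in enumerate(ring):
        commitment = pow(G, s[i], P) * pow(y, c, P) % P
        c = _challenge(message, ring, commitment)
    return c == c0


if __name__ == "__main__":
    members = [keygen() for _ in range(3)]           # A, B, C
    pubkeys = [y for _, y in members]
    sig = ring_sign(b"transfer to D", pubkeys, 1, members[1][0])  # B signs
    print("valid:", ring_verify(b"transfer to D", pubkeys, sig))
```

The signature produced by A, B or C has exactly the same shape and verifies by the same loop; the only asymmetry is inside `ring_sign`, where one position is closed with a private key and the others are filled with random values. Tampering with the message, the ring membership or the ring order changes the hash inputs and the chain no longer closes.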
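The contamination argument in this post (blocking everything descended from B's signature ends up blocking most of the chain while B never moved) as an added simulation that is not part of the post: a constructed toy chain where output 0 is the thief's B and is never spent, and a taint closure run over it once with `ring_size=1` (a transparent chain where only the real spend is referenced) and once with `ring_size=3` (each spend also references two random decoys, the way the post describes). Chain shape, sizes and the seed are constructed.

```python
import random


def simulate_chain(n_txs: int, ring_size: int, genesis: int = 20, seed: int = 7):
    """Build a constructed toy chain. Output 0 is the thief's output B and is
    never spent. Every transaction spends one real unspent output, references
    ring_size - 1 random decoy outputs (spent or not, nobody can tell) and
    creates one new output. Returns rings[i] = outputs referenced by output i
    (empty for genesis outputs). ring_size=1 models a transparent chain."""
    rng = random.Random(seed)
    rings = [[] for _ in range(genesis)]
    unspent = set(range(1, genesis))   # output 0 (B) is held, not spent
    for _ in range(n_txs):
        real = rng.choice(sorted(unspent))
        unspent.discard(real)
        candidates = [o for o in range(len(rings)) if o != real]
        decoys = rng.sample(candidates, ring_size - 1)
        unspent.add(len(rings))
        rings.append([real] + decoys)
    return rings


def taint_closure(rings, source: int = 0):
    """Mark every output whose ring references source or an already tainted
    output. Outputs only reference earlier outputs, so a single forward pass
    computes the full closure (the 'descendants of B' a blacklist would block)."""
    tainted = [False] * len(rings)
    tainted[source] = True
    for i, ring in enumerate(rings):
        if any(tainted[m] for m in ring):
            tainted[i] = True
    return tainted


def tainted_fraction(rings, window: int, source: int = 0) -> float:
    """Share of the most recent `window` outputs a blacklist on B would block."""
    recent = taint_closure(rings, source)[-window:]
    return sum(recent) / len(recent)


if __name__ == "__main__":
    for ring_size in (1, 3):
        chain = simulate_chain(2000, ring_size)
        print(f"ring_size={ring_size}: "
              f"{tainted_fraction(chain, 200):.0%} of the last 200 outputs tainted")
```

With `ring_size=1` the closure is exact and nothing is tainted, because B never spent. With `ring_size=3` the same closure marks nearly all recent outputs, although not one of them actually received B's coins: a blacklist built on "possibly descended from B" converges on blocking the whole chain, which is the post's fungibility point seen from the blacklister's side.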
2651  Alternate cryptocurrencies / Altcoin Discussion / Re: Can someone really explain which coins are truly anonymous? on: September 07, 2016, 07:45:09 AM
But surely there is a way to circumvent them? Use a VPN that does not log your activity, use Tor or I2P, use a darknet email or a fake email, stop using banks and use only bitcoin, and then get a PO box. I know there will be holes where the authorities could catch you but if you are careful and keep track of your anonymity religiously you can do it.

VPN are Traceable, Tor has been compromised,
To even Buy a Large Volume of BTC requires your ID, the exchanges track you.
PO boxes require multiple forms of ID including Photo.

What about the fact you are all living in a Police State / World , do you not comprehend.
Everything warned about in the Books 1984 & Brave New World has either already happened or is happening as we type.

These Systems were engineered from the very beginning to Spy on you.
Internet protocol was designed by ARPANET but funded by Defense Advanced Research Projects Agency (DARPA)
Tor was designed by U.S. Naval Intelligence

The only way to circumvent a system designed to track you is not to use it when you don't want to be tracked.

Although I agree with most of what you say in principle, you should also see the other side of the medal.  Even though TPTB have a lot of resources, their resources are not infinite, and every anon technique costs them a finite amount of resources to deal with it.  In the end they will go broke if they will try to go after everyone, in the same way the Soviet empire collapsed.
The biggest problem is not so much TPTB, but rather the immense herd of brainless people not realizing this.

Compare it to downloading copyrighted movies.  If you do this open in the clear, you get trouble.  If you use a VPN, the effort to track you is most of the time too much of a hassle and too little gain for them to annoy you.  But don't use a VPN to organize a killing of a US president of course.

This is why you should consider your threat model.
2652  Alternate cryptocurrencies / Altcoin Discussion / Re: Can someone really explain which coins are truly anonymous? on: September 07, 2016, 05:52:38 AM
Thanks everyone for answering a question I didn't actually ask.

"You actually didn't intend to ask but asked nevertheless".

Quote
Is it so hard for people to put aside their agenda to answer a fucking question. I asked about the actual transaction nothing about IP addresses and postal addresses...damn. Did you think I thought a crypto currency would magically make my home address disappear? And who said anything about using a bank account?

It is quite simple, in fact.

In bitcoin-like currencies, your transaction links a previous transaction or a set of previous transactions (where you received the coins) and the future transaction(s) of the receiver(s).  This is pseudonymous, in the sense that nobody knows (apart from you broadcasting your transaction with your IP, on your computer, etc...) who you are, you are just a bitcoin wallet address.... UNLESS they find out who was ONE of the previous transaction owners or they find out who was one of the FUTURE transaction owners.  For instance, if a previous transaction owner was an exchange, then this exchange knows of course that YOU (Jack Smith) have withdrawn the funds to THAT address, or you bought a smartphone with your bitcoins at THAT store, and they know of course that it was YOU (Jack Smith) who paid them with those coins.

As coins hop from transaction to transaction, and this is fully traceable on the bitcoin block chain, it is sufficient to have SOME "real world identities" along that chain, to be able to resolve most of the identities along.  This comes about because you have to combine several of your own addresses to arrive at the right amount of coins to pay someone, and to get back some change.

Imagine you have withdrawn 5 bitcoin from exchange A, to address J1.
Imagine you have done a shady deal with Joe, and got 3 bitcoin to address J2.

Now, imagine you pay a gaming computer for 7 bitcoin at store B.  Your wallet will combine addresses J1 and J2 into 8 bitcoin, and send 7 of them to store B, and you get 1 back in change address J3.

Suppose now that you pay a coffee at starbucks C for 0.01 coin.  You will use address J3 (and get back 0.95 at address J4), and they know it is you.

Now, suppose that law enforcement caught Willy, the guy with whom Joe did affairs, and got his coins from.  Willy doesn't say anything, but they found his bitcoin wallet on his computer and found his addresses (they didn't even need to have the secret key for that).  Suppose that the coffee shop works regularly with law enforcement too.

Now, they see that from one of Willy's addresses, after a few hops, the coins (YOUR coins) arrived at the coffee shop:

In fact, the hops were: (Willy) - (Joe X) - your J2 - your J3 - the starbucks C address.

Law enforcement now needs to resolve X, J2 and J3.  They know J3, because starbucks tells them: it is yours !
They know that Willy's coins went through you to buy a coffee.  But you could have gotten those coins J3 "honestly" from the guy owning J2.  So they now have to resolve J2 and X.  They know that J2 was combined with J1 to do a transaction (to store B, but they don't even have to know that).  There are hence chances that J1 and J2 belong to the same person.  Now, J1 is known by an exchange, it is YOUR address.

This is sufficient to know that J2 is yours, and hence that you got money from a guy that did business with Willy.  That's reason enough to come and ask you some nasty questions.  You cannot deny that you are the owner of J2.  You mixed it with J1 which is definitely yours, and you were still the owner of J3 which came out of a transaction.  So you MUST be the owner of J2.

The only thing that law enforcement knew, were your interaction with an exchange, your interaction with a coffee shop, and Willy's interaction with Joe.

At no point they knew anything about Joe's wallet (they don't yet know who Joe is, but you are going to tell them if they use rubber hose cryptography), nor about your wallets.

This is the fundamental problem with traceable coins like bitcoin, ethereum, and all the rest.

Now, for mixers.  The trick is that many people wanting to hide their addresses from their identities, put their coins in a big transaction where they get them out again.  Whether that is a good, or rather a bad idea, depends on how often and by how many people it is actually used.  If you mix your coins J2 with S1 and S2, where S1 and S2 are also shady people, then 1) it is somewhat more work to trace the network, but the payoff is that 2) they will catch more shady guys along !

You need more "contact points" to resolve the mixer, but you will also catch more fish !

It is only if mixers are used regularly, by MOST (innocent) people, that mixers help.   If they are MOSTLY used by people wanting to hide their transactions, then mixing is actually a bait for law enforcement/TPTB.

Also, mixers are specific entities that KNOW of course the mixing.  In as much as they are centralized entities like exchanges, they are more dangerous than not mixing, because you don't know what they do with this knowledge ; if they are distributed entities, you might very well be mixing on an FBI node without knowing.

This is BTW why OPSEC and anonymity go together and you cannot just consider them two different problems.

This is why *optional mixing* such as in DASH or with centralized tumblers, is something that can make your anonymity decrease as well as increase.  There are two potential problems with it: 1) the "optional" part, if not enough people use it and 2) the fact that the knowledge exists somewhere out there, in the mixer and you don't know what they do with it (voluntary or even not voluntary, if their OPSEC is not OK).

So mixers on transparent block chains can help, but can also be a problem, depending on how distributed the mixers are, and how much they are actually used normally.

Monero type block chains are different.  You could say that at first sight, monero transactions "do a random mix" at every transaction.  That would already be nice, because 1) there are no centralized mixers 2) every user uses it automatically all the time.  That's already very very good and solves the issues we mentioned earlier.  But monero does in fact more.  A transaction is not a genuine mixing, but an obfuscation of WHAT is the real previous transaction amongst several.

In monero, you only know that this transaction got its input from SOME of these previous transactions, where only the owner of the previous transaction output knows which one it is, and the others got used (without their knowledge and without them doing whatsoever) to obfuscate the signature.

So, when you pay starbucks, starbucks only knows that they got paid, MAYBE from output J3, maybe from output Q, maybe from output R, maybe from output S.  When looking into the chain, they see that J3 got a return, maybe from J2, maybe from T, maybe from U, maybe from V.

The anonymity is not total, in the sense that IF law enforcement gets Willy AND if law enforcement uses sufficiently their rubber hose so that Willy gives his secret key to them, THEN they can find out that Willy did the transaction Willy - Joe (X).
(remember that they didn't need the secret key to see what were Willy's transactions, only his unlocked wallet, for the bitcoin stuff).

Now, they can see that X was (maybe) used in a transaction to J2, or maybe in a transaction to M, or maybe in a transaction to N, or ... maybe not at all.  They don't know whether Joe spent his money or not, and whether his signature got only randomly used in other obfuscating transactions, or whether there was a genuine transaction.

But there IS an arborescence on the block chain that allows for a path from X to the coffee shop, that goes through J2 and J3.  This is still visible, although it could be a fake path, and there are many other paths.

The more transactions there are between X and the coffee shop, the more this web of potentially fake paths becomes dense, but it is not "total".

So this is the kind of anonymity you get with monero.

With Zcash, the anonymity is total.  Instead of having a finite set of random signatures at each step, you could say (although technically it is different) that ZCASH is like monero, where at each transaction, ALL signatures on the block chain are used.  There's strictly no relationship between X and the coffee shop.  If the anonymity is used each time in ZCASH, something I can't figure out.  I used to think it was not (that there are also transactions "in the clear" such as with zerocoin) but I don't know now.
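The tracing story in this post (Willy to the coffee shop via X, J2 and J3 on a transparent chain) as an added example that is not part of the post: constructed transactions with hypothetical addresses, the common-input-ownership heuristic the post describes (J1 and J2 were spent together, so one owner) implemented with union-find, known identities propagated over the resulting clusters, and a breadth-first search for the hop path. The only identities used are the ones the post grants law enforcement: Willy's wallet, the exchange's record of J1 and the coffee shop's record of J3.

```python
from collections import defaultdict, deque

# Constructed transactions with hypothetical addresses, following the post:
# Willy -> Joe (X) -> your J2; exchange -> J1; J1 + J2 -> store B, change J3;
# J3 -> coffee shop C, change J4.
TXS = [
    {"inputs": ["W1"], "outputs": ["X", "W2"]},
    {"inputs": ["X"], "outputs": ["J2", "X2"]},
    {"inputs": ["A1"], "outputs": ["J1"]},
    {"inputs": ["J1", "J2"], "outputs": ["B1", "J3"]},
    {"inputs": ["J3"], "outputs": ["C1", "J4"]},
]

# What the investigator is granted in the post: Willy's addresses, the
# exchange's record that J1 is yours, the coffee shop's record of J3.
KNOWN = {"W1": "Willy", "J1": "you", "J3": "you", "C1": "coffee shop C"}


class UnionFind:
    """Disjoint sets of addresses; one set = one presumed owner."""

    def __init__(self):
        self.parent = {}

    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]   # path halving
            a = self.parent[a]
        return a

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs, use_common_input=True):
    """Common-input-ownership heuristic: all inputs of one transaction were
    signed by the same wallet, so they are merged into one cluster."""
    uf = UnionFind()
    for tx in txs:
        for addr in tx["inputs"] + tx["outputs"]:
            uf.find(addr)                  # register every address
        if use_common_input:
            for addr in tx["inputs"][1:]:
                uf.union(tx["inputs"][0], addr)
    return uf


def resolve_owners(txs, known, use_common_input=True):
    """Spread each known identity over its whole cluster. Unlabelled -> None."""
    uf = cluster_addresses(txs, use_common_input)
    label = {}
    for addr, who in known.items():
        label.setdefault(uf.find(addr), who)
    return {addr: label.get(uf.find(addr)) for addr in list(uf.parent)}


def trace_path(txs, source, target):
    """Breadth-first search over the hop graph (input address -> output)."""
    edges = defaultdict(set)
    for tx in txs:
        for i in tx["inputs"]:
            edges[i].update(tx["outputs"])
    prev = {source: None}
    queue = deque([source])
    while queue:
        addr = queue.popleft()
        if addr == target:
            break
        for nxt in sorted(edges[addr]):
            if nxt not in prev:
                prev[nxt] = addr
                queue.append(nxt)
    if target not in prev:
        return None
    path = []
    while target is not None:
        path.append(target)
        target = prev[target]
    return path[::-1]


def investigate(txs, known, source, target, use_common_input=True):
    """Hop path from source to target, each hop annotated with its resolved owner."""
    owners = resolve_owners(txs, known, use_common_input)
    path = trace_path(txs, source, target)
    return None if path is None else [(addr, owners.get(addr)) for addr in path]


if __name__ == "__main__":
    for hop, owner in investigate(TXS, KNOWN, "W1", "C1"):
        print(f"{hop:>3}: {owner or 'unresolved'}")
```

Run with `use_common_input=False`, J2 stays unresolved: the exchange only ties you to J1, and the coffee shop only to J3. The heuristic is what bridges them, exactly the step the post describes ("J2 was combined with J1 ... so J2 is yours"). It is a heuristic, not a proof: anything that puts several owners' inputs into one transaction (a mixer, a CoinJoin-style construction) makes it merge clusters that do not share an owner, which is why the post's later discussion of mixers matters for the analyst as well.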

2653  Alternate cryptocurrencies / Altcoin Discussion / Re: Can someone really explain which coins are truly anonymous? on: September 06, 2016, 07:17:22 PM
So many coins now claim they are anonymous with many different ones saying they are the first ones to do so. What are the real anonymous coins we have now. Are any 100% anonymous and untraceable?

That question doesn't make sense.  Imagine that you are alone on this world with your family, and that *everybody else* is part of a big single enemy entity (the super state and most citizens are also their spies - somewhat like former Eastern Germany, but on steroids).  No single cryptographic system can ever be "totally anonymous", as the computer or smartphone you buy from just anybody is loaded, every single communication you make with "the outside world" is with your enemy and every keystroke you make is registered through those loaded devices.  The partners you think you are anonymously dealing with are one and the same cooperating enemy and they all know of course that it is you because all other communication is known to the enemy as it is theirs.  

This extreme example of "you are alone and all the others are part of one big conspiring enemy against you" shows you that there's no such thing as 100% anonymous and untraceable, because it should then be applicable in that extreme case too and obviously, it can't, whatever it is.

So there's no such thing as "100% anonymous" in ALL cases.

So you have to say in what cases you want your anonymity to work because obviously it is not going to work always.  The cases you enumerate are then your "threat model".  
You also have to know that cryptocurrencies are usually NOT taking into account certain evident threats, such as compromised hardware.  You can have the best cryptographic system in the world, if you run it on compromised hardware, the enemy can probably do and know everything you do and know on that machine, including passwords, secret keys and everything.  This is probably the biggest, and most realistic, threat to anonymity: compromised hardware.  If you buy your hardware from the enemy (that could be just as well a company like Apple or Dell), you are probably already done.  If you buy hardware containing *components* made by the enemy (that could be Intel or AMD), you might already be done.  If you have system software made by your enemy, you are done.

So once you have excluded all these realistic threats from your threat model, because they are not potentially your enemies (imagine you work for the US government, then Intel and Apple will not be part of your enemies), or because you "take the risk and accept it", you start considering the cryptographic part.

If you already accepted a 5% risk on this part, there's no point requiring a 0.0001% risk or less on the crypto part, is there ?

You should hence think of your question in this light: what is my threat model (what kind of attacks and enemies am I facing) ?  Where do I accept to take risks *because I know that the solutions I'm using are not entirely protecting me* ?
2654  Alternate cryptocurrencies / Altcoin Discussion / Re: Beware of so-called "anonymous" coins (XMR, SDC, AEON and DASH) on: September 06, 2016, 01:00:42 PM
Is there such a thing as "too volatile" in trading? What are you saying that no trader can use technical analysis no matter how good they are because "it does not work" and also because there is not enough "organic growth"? Well there is a LOT of volatility in penny stocks and there is NO organic growth in them, they are traded for speculative value, so why are there profitable day traders trading them for a living?

Technical analysis is rationally BS, but it is a self-fulfilling prophecy if enough people trading the stuff follow it.  So technical analysis "works", but only if enough of your peers think that it works and use it (and if at the same time, there is still enough uncorrelated noise from "newbies" to take profits from).  There must be some optimal mix of traders using TA, and newbies not using TA, for TA to "work" (that is, bring profit to the one using it).  If you are using the "wrong" TA (that is, a small minority in a certain asset trading club), then you are a "newbie" in that circle, because you will just be to-be-ripped-off noise on top of a correlated movement.

You can very easily simulate this in toy models.
2655  Alternate cryptocurrencies / Altcoin Discussion / Re: THE RISE AND RISE OF MONERO on: September 06, 2016, 09:07:04 AM
It is almost logically impossible to prove the destruction of the secret seed.  And if it is destroyed, then it is infeasible to verify its entropy.  It's a magic number, and as such can be chosen to create vulnerability.

The way they propose to do it, I fully agree with you.  However, I think the issue is not entirely hopeless.  There are a few conditions, and I don't know if they can be satisfied, but if:

1) the pool of key generators should be large - say at least 1000 members, in such a way *that everybody who wants, can participate*.

2) the entropy of the total key will be at least the entropy of each individual contributing key

3) each participant can see many other participants (maybe not all, but many of them), and each participant can check that his contribution is part of the final result

then I think the trusted setup can work.

For instance, suppose that one uses a known communication channel - say bitcointalk.org - where people can sign up and POST their contribution (the public key contribution, not their to-be-destroyed private key of course).  YOU CAN TOO.

When, after sufficient time, the number of needed participants is reached (can this be variable or is this fixed from the start ?), the final keys are publicly calculated from the posted ones.  You can do that too, including your own key of course.  We should all agree upon the resulting keys, and we can all verify that all key shards have been included, including our own.

Now in as much as we know of ourselves that we destroyed (or at least kept secret :-) ) our secret key, we know that nobody has the golden key.  And in as much as we DO collude with all the others to make a golden key, then we also know that at least a thousand people, including ourselves, are aware of this and we can make this public at any moment (and prove it: by publishing the golden key, we definitely kill the trusted setup ; we would be crazy not to obtain the golden key in return for our own shard of secret key).

It will be difficult to keep such a secret with 1000 people, and at least EACH of these 1000 people knows, and knows that the 999 others know.

The point is: *if* anybody has the OPPORTUNITY to be part of the trusted setup, and if the number of people involved is huge, then I think one can trust the trusted setup.  But 18 "celebrities", no thank you.
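The ceremony sketched in this post, worked through as an added example (this is not code from the post, from Zcash or from any project): each participant draws a secret share, posts only its public image g^s_i, checks that the posted list contains that image and that the final parameter is exactly the product of the list, and the "golden key" is the sum of all shares, which nobody can form or prove possession of while a single share is missing. The group (2^127 - 1 with base 3), the share sizes and all function names are assumptions chosen for readability, not security; a real ceremony uses a pairing-friendly curve and a far more involved protocol.

```python
"""Toy model of a many-participant trusted setup (added example, not a real ceremony).

Each participant draws a secret share s_i, publishes the public contribution
C_i = g^s_i mod p, verifies that C_i is in the published list and that the
product of the list equals the final parameter g^(sum s_i), then destroys s_i.
The "golden key" is sum s_i; it can only be formed if every share is known,
so it stays secret as long as one honest participant destroyed theirs.
"""
import secrets

# Toy group parameters (assumption: chosen for readability, not security).
PRIME = (1 << 127) - 1        # Mersenne prime 2^127 - 1
GEN = 3                       # toy base element
ORDER = PRIME - 1             # exponents (shares) are reduced mod this (Fermat)


def new_share() -> int:
    """Fresh uniformly random secret share in [1, ORDER-1]."""
    return secrets.randbelow(ORDER - 1) + 1


def contribution(share: int) -> int:
    """Public contribution C = GEN^share mod PRIME; this is what gets posted."""
    return pow(GEN, share, PRIME)


def combine(contributions: list[int]) -> int:
    """Final public parameter: the product of all posted contributions.

    Multiplication commutes, so anyone can recompute it from the public thread
    in any order and must obtain the same value.
    """
    result = 1
    for c in contributions:
        result = (result * c) % PRIME
    return result


def golden_key(shares: list[int]) -> int:
    """The toxic waste: the sum of ALL shares. Any single missing share breaks it."""
    return sum(shares) % ORDER


def my_share_is_included(my_contribution: int, posted: list[int], final: int) -> bool:
    """Condition 3 of the post: the published list contains my contribution and
    the final parameter really is the combination of exactly that list."""
    return my_contribution in posted and combine(posted) == final


def proves_golden_key(candidate: int, final: int) -> bool:
    """Whoever holds the golden key can prove it (and thereby kill the setup)
    by publishing a value whose public image equals the final parameter."""
    return pow(GEN, candidate, PRIME) == final


def colluders_can_prove(known_shares: list[int], final: int) -> bool:
    """A coalition knowing only some shares tries to claim the golden key."""
    return proves_golden_key(golden_key(known_shares), final)


def run_ceremony(n_participants: int) -> tuple[int, list[int], bool, bool]:
    """Simulate n participants posting contributions and verifying inclusion.

    Returns (final parameter, posted contributions, all participants verified,
    all-but-one collusion blocked).
    """
    shares = [new_share() for _ in range(n_participants)]
    posted = [contribution(s) for s in shares]
    final = combine(posted)
    all_verified = all(my_share_is_included(c, posted, final) for c in posted)
    # Even if everyone except participant 0 pools their shares, they cannot
    # prove possession of the golden key: one honest destroyer suffices.
    collusion_blocked = not colluders_can_prove(shares[1:], final)
    return final, posted, all_verified, collusion_blocked


if __name__ == "__main__":
    final, posted, ok, blocked = run_ceremony(1000)
    print(f"final parameter: {final:#x}")
    print(f"{len(posted)} contributions; all verified: {ok}; collusion of 999 blocked: {blocked}")
```

The verification step is what makes the large pool meaningful: a participant who finds their contribution missing, or finds that the product of the posted list does not match the announced parameter, can show this publicly with nothing but the thread, so the organisers cannot silently replace the list with one whose shares they all hold.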
2656  Alternate cryptocurrencies / Altcoin Discussion / Re: The battle over online privacy (Dash / Monero / Zcash) on: September 06, 2016, 03:22:05 AM
It's almost as if this thread was made for this page: https://moneroforcash.com/monero-vs-dash-vs-zcash-vs-bitcoinmixers.php

Of course, I'm partial to Monero, but that's only because I did a lot of research. My goal was not finding the best opportunity for a pump-and-dump. My goal was to find the most untraceable, most private coin, period. I knew if I found that coin, then eventually the masses would realize it too...and they're starting to. After all, we're dealing with math (specifically cryptography), and math does not care about pump-and-dumps or marketing.

I used to be a fan of some of the other coins until I did heavy research. You can dig through my past posts to verify this. The page above is a summary of my research, but do your own research. Don't just go by what others say and who has the coolest looking site, logo, girls dancing, etc.

There are good reasons why entities which depend on privacy and untraceability are using Monero and not the others.

Same here.   I might come over as a kind of monero shill, but I followed the same way as you did: for the moment, I think it is one of the better anon tech (and a coin that seems to be reasonably fair) ; I like monero because of the tech, and not the other way around.   I used to like DASH, and I still like DASH as a pioneer and one of the first movers in the anon space, but I think that monero is simply better anon tech.

I'm in doubt about zcash.  It just *might* be super great tech.  What is sure, is that there are several things that I don't like about the particularities of this future coin: its "for profit company" stuff, the "first 4 years of taxes", and the way the trusted setup is set up.  But it may just be brilliant technology on which a better anon coin can be built.   You could compare it to the situation with the brilliant technology of cryptonote, but first put to work in a scammy coin.  It is not because the first coin putting the tech to work has problems *as a coin* that the technology is bad.

If ZCASH turns out to be "default anonymous" I think there are ways to make a better "trusted setup" (for instance, with thousands or more initial participants) ; so who knows that from zcash, one can make a clone that is fair and better than monero (or maybe monero can incorporate part of its tech).

In the end, what I'm interested in, is the best anon tech.

It is true that things like NAV are integrating an aspect of anonymity which wasn't considered in monero: the *network* anonymity.  Monero was still solving the problem of *blockchain data anonymity*.

Now, I think that this is the most important aspect, and one could discuss whether the network anonymity is the job of the coin or not.  The problem with a lack of block chain anonymity a la bitcoin, is that your transactions are graved in stone *forever*.   So 30 years after you did so, one can still go and dig it up, and there is no deniability.   The networking anonymity is more furtive.   Ok, if your IP is registered in the clear by a node to which you send it, one can trace you.  But this knowledge becomes less and less usable after many years.  One can wonder whether the networking anon protocol is the job of the coin - after all, this is not part of the "block chain tech" which only describes the block chain data structure, the rules of interpretation and verification and the rules for appending.  But as a software system, it can be nice to integrate also an anon network.  Or one could use an existing one, such as I2P or TOR.

Finally, there's something else.    There's a rule in crypto, which is: "don't use crypto you've invented in your basement for serious stuff".  You can invent crypto in your basement, but then it should be peer or hacker reviewed for years, before you can start to assume that it is somehow safe.  That's a pain, because it means that you cannot do quick innovation in crypto.   Crypto is technology, but also belief.   If the tech doesn't work, then the belief is dangerous.  But even if the tech works, it takes time to develop the belief.   So one should find a middle ground between doing new stuff, and being conservative with crypto technology.  You cannot invent new crypto on Monday, and use it on a large and important scale on Friday.  Crypto has to mature, and win justified belief in its correct functioning, failed attack after failed attack.
2657  Alternate cryptocurrencies / Altcoin Discussion / Re: The battle over online privacy (Dash / Monero / Zcash) on: September 06, 2016, 03:02:32 AM
Why is NAV and SDC out of the picture?
I've read here in the forum where they said that SDC and NAV have better technology than those mentioned in the OP.  If you can check it on bittrex these two coins are also being traded well.

I didn't know NAV - well, I might have seen it "amongst the krill of altcoins" but I didn't realize it had some serious anonymity tech.  I started looking into it.  There's at least one thing I don't like about it from the start, and that is that anonymity is an option (that is, you can do transactions "in the clear").   In fact, it is the thing I didn't get around for ZCASH either, I don't know if ZCASH, finally, will be "default anonymous", or whether anonymity is an option there.  With zerocoin, it is an option, because you have to decide yourself to "commit" the underlying coin (originally bitcoin), which is why I thought that the same happened to ZCASH.  But after reading the ZCASH paper, it is not clear to me now.

I've repeated this often: anonymity shouldn't be an option.  It should be inherent in the system, and there may be an option to DISCLOSE your transactions.  Like cash is essentially anonymous by construction.   You MAY go through the hassle of writing down all the serial numbers of the bills that go through your hands and publish this, so that people later can recognize that the bill they got, 50 transactions later, were once yours.    But the system shouldn't offer a way to "be automatically in the clear" because one NEEDS A LOT OF INNOCENT ANONYMOUS TRANSACTIONS in order for anonymity as obfuscation technique to work.  If only those needing it, are going to use it, they stand out, which defeats the purpose.

2658  Alternate cryptocurrencies / Altcoin Discussion / Re: Why all altcoins will fail and exchanges will rule your destiny on: September 05, 2016, 02:25:06 PM
Why do you think marijuana laws are being relaxed all over?  To dull our brains and suppress ideas of mutiny.  It's not because tptb are sick of fighting a doomed-to-fail war on drugs.   I'm with you my friend.   Screw banks and govt control of money, viva le bitcoin.

On the contrary.  There is not one single good reason for these laws to exist, except to have a strong argument to require oversight of all trade, because SOME trade for which there is big offer and big demand has been declared extremely illegal.  Essentially, marijuana laws are there for tptb to have an excuse to kill all freedom in the market: hell, you might be a *drugs dealer* !!   If you sell a bottle of whiskey, that's ok, but if you sell some marijuana, you are amongst the biggest criminals that run around.
At the same time, given the large demand for marijuana, there is hence a strong offer for it, declared totally illegal and of the highest levels of criminality, and as such, creating a very lucrative opportunity for underground circuits.  The declared "war on drugs" is nothing else but a way to have the market CREATE an illegal, and lucrative circuit, and then give the opportunity to tptb to "fight" it, infiltrating EVERY underground circuit, and giving excuses to liberticide laws.

In other words, the marijuana laws are nothing else but a method, by tptb, to promote actions and laws that increase their grip on their victims, the people, that would otherwise be difficult to justify.   However, in as much as they are losing the war on drugs, this is because in the end, nobody is stronger than the market, they already obtained most of what they wanted concerning coercion, and they now have a much better enemy to do even more: terrorism.
2659  Alternate cryptocurrencies / Altcoin Discussion / Re: Only ETC is the real Ethereum on: September 05, 2016, 01:37:08 PM
I don't think it is a box...  That is just an image of what you may have.  I have a small storage server with 8 drive slots that I will use.  But a caddy with a hard drive in it would work ok. Minebox is software (Dapp).  It means you can rent out space or buy space that is decentralized and immutable.

Ah, I really thought they were going to sell hardware too, you know, an integrated thing with no need of any computer, just type in your wifi router PW, or connect an ethernet cable, configure the contract, and off you go.
2660  Alternate cryptocurrencies / Altcoin Discussion / Re: Only ETC is the real Ethereum on: September 05, 2016, 11:49:14 AM
So you are trying to trick me right?  IMMUTABILITY silly!  It's classic.

I went looking at the site, but I couldn't find the *price* of such a box.  They tell you how much you can make (in Euro) per month if you can have your box running, but:
1) how much does the box itself cost ?
2) how do they know the price if that's market-determined ?

The idea is not bad, but I don't understand why this must run on ethereum, hence fixing the price of the contract in ethereum with all its volatility.  It would have been better if there were a specific storage token, that is mined offering (provable) storage, and bought by people wanting storage, so that it has its own market.