The growth of internet commerce has fallen far short of expectations.
The key factor in this is that despite a wide variety of encryption and authentication tools created by numerous well funded enterprises, people simply are not using them:
The vast majority of small businesses use off-line methods to handle promises to pay and promises to deliver, or they use on-line methods that just do not work, such as the above.
For electronic commerce to succeed, people need to have online methods to make and manage promises, and they need to be able to transfer ownership of promises to pay over the internet, that is to say, transfer money over the internet.
Tools already exist to do all that, but in general they are only being used by rather large companies, and by medium sized companies doing business with those rather large companies, and in general they are only being used by companies that already have a priesthood of computer gurus on staff.
Small businesses and individual people who are members of the economic elite that is highly represented on the internet are always sending snail mail documents containing their signatures and/or a signed cheque, the check being accompanied by other documents that define the meaning of the cheque, or which are given authority by the cheque.
I obtained a Verisign identity certificate for a company I worked for. It was tedious to get it, tedious to get it working, and when I left the company, they ceased to use it for some considerable time. Perhaps they still do not use it.
The fundamental obstacle is that the "true name" model that underlies both Verisign, and to a lesser extent PGP, is fundamentally hard, because no human really knows what true names are, and it is impossible to program computers to act as if they knew what true names are.
People are not using these tools because the certificate management problem is hard, and the certificate management problem is hard because the underlying concepts are ill defined, and no amount of really nice user interface can make it easy. Verisign had a really nice user interface, and for a long time PGP had a really bad user interface, yet far more people use PGP than MIME. And if you look at how they are using PGP, most of them are largely ignoring the identity model that the program is attempting to apply, or adhering to it in form without substance. Very few people have ever actually attended PGP key signing meetings. It appears to me that the acceptance of PGP is largely a result of the fact that one can disregard the identity model it attempts to impose.
The solution then is a fundamentally different model of identity. And when we look at existing business practices carefully we discover that outside the internet businesses are not in actual practice using the "true name" system of identity, though they sometimes imagine that they are. They are using the "same name" system of identity.
Suppose you receive a message from Bob Jones. It is not the job of the software to tell you if this is the "real" Bob Jones, a task far beyond any computer, and perhaps beyond any mortal. It is the job of the software to tell you if it is the same Bob Jones, to keep your interactions with one Bob Jones separate from your interactions with the other Bob Jones.
The problem is not to detect a malicious person fraudulently pretending to be the real Bob Jones, but merely to keep one Bob Jones distinct from the other Bob Jones, a task well within the capabilities of computers, whereas recognizing evil is well beyond any computers capability, and inherently hard even for humans.
Crypto Kong was written to implement this model of identity in a user friendly, business friendly, fashion. When a second Bob Jones writes to you, Kong will not tell you this is a fraudulent Bob Jones. Instead it tell you it has not seen this Bob Jones before, and ask you to give this Bob Jones an additional name, a discriminator, a name that Kong will apply to distinguish him from the other Bob Jones.
Identity is the problem that needs to be solved. This is the reason people almost always finalize a transaction off-line. This is what we need to be able to do on the internet. First we need to be able to send signed, enclosed documents. Then once that is working we need to be able to do something that is entirely equivalent to sending a cheque enclosed with signed documents.
In principle software already exists to do this on the internet, but in practice it is inconvenient, and so few people use it that it is highly illiquid. You could send a signed encrypted PGP document containing some electronic cash (transferable promises by the Mark Twain bank to pay) or e-gold (transferable promises to deliver gold), or any one of a number of similar instruments, but very few people have the capability to handle such promises, and if everyone who used PGP had this capability, they would still be too few to provide liquidity. The list of merchants accepting Mark Twain cash would make a rather small village square, or an exceptionally small mall.
When funds are sent by the internet, they immediately move off the internet into the banking network and the visa card network: The same visa card network that creams a few percent off every transaction, and the same banking system that takes so long to settle cheques that it would seem they are still sending them by pony express, and entering them in their system by clerks using goose quills dipped in ink. Thus there is no substantial advantage to transacting through the internet, and there never will be an advantage as long as we must rely on the owners of existing financial networks to provide internet financial transactions, for naturally they want to use their networks that they control, rather than the internet network that their customers control.
First we need is an easy to use system for signing and encrypting messages, which will make the many existing systems for transferring value on the internet, such as Mark Twain ecash, much more usable, and once we have that in widespread use, making existing systems for transferring value worth while, then what we will then need is an internet centric system for making and exchanging and tracking promises to pay, so that we can exchange promises to move funds on and off the internet, instead of actually moving funds on and off the internet.
This will resemble the original rediscovery of banking, when the Dutch merchants realized that rather than marching mule trains of gold to and fro, it was easier and safer to leave the gold where it was and move ownership of the gold. Until the twentieth century, the things that now only banks do, everyone did, though banks specialized. When we have enough people using the internet to transfer promises to pay, it becomes more convenient to use the internet to transfer promises to pay, forcing the banks to provide faster and cheaper movement, or forcing them to move full and cheap access to their funds transfer system onto the internet in order to compete.
So the first step to solving the problem is easy to use software for signing and encrypting messages, and the second step is easy to use software for making, tracking, and transferring promises. Crypto Kong is that first step, and in due course I intend to add the second step. The second step will also require server tools, and such tools can be sold, whereas, due to the need to create a standard, basic encryption tools need to be given away.
For an internet funds transfer system to be successful, it must be part of a system capable of making and signing arbitrary messages, and it must be easy to make and sign arbitrary messages. Thus the first step towards internet funds transfer is ordinary communications encryption and digital signatures. This is the necessary foundation step. Previous attempts to provide this necessary foundation step, in particular PGP and Verisign, have not been widely adopted.
The key feature of the proposed product is that any digitally signed document itself performs the functions of a certificate, just as a normal handwritten signature does. The user usually does not need to check a document against a certificate to see if it was signed by the "real" John Doe. Instead he normally checks one document against another to see if they were both signed by the same John Doe. And similarly when he encrypts a document, he does not need to use a certificate to encrypt a message to the one real John Doe, he merely encrypts a message to the same John Doe who signed the letter he is replying to.
This eliminates the steep initial learning and management curves of existing products. The user does not need use and manage specialized certificates except for specialized purposes.
Cryptographic software must be easy enough for everyone to use. Cryptographic software will only be useful for commerce if it useful for any purpose, and people will only pay for it if it useful for commerce.
Revolutionaries, drug dealers, political dissidents, child pornographers, and members of persecuted minorities are reluctant to pay for software, partly because there is so much bullet proof free encryption software available on the net. Any nine year old can encrypt his letters with software that no one can crack, and sign his letters such that no one can forge his signature.
The people who are making money out of encryption today are the people who provide encryption for web enabled financial transactions. Their servers are mostly used to encrypt credit card transactions. People are willing to pay money to protect money. They do not seem to be willing to pay money to protect privacy, unless it is the privacy of their money. Nobody is making any significant money out of general purpose encryption. This is likely to change for reasons given in "The future market for encryption".
The future of encryption is the future of money. To do business through the Internet, people must be able to do the equivalent of signing a check and a letter, and enclosing the check with the letter in an envelope, and must be able to sign contracts. This requires a full general purpose encryption tool.
People will be willing to pay for encryption when the net is routinely used to transfer checks, promises to pay, and promises to deliver.
At present there are a substantial and steadily increasing number of business to business transactions on the Internet, but anything that involves a signature or transfer of funds is mostly done off the net.
When there is a sufficiently large volume of contracting and outsourcing mediated across the net, when we reach critical mass it then becomes profitable to employ the internet for clearing and settlement, leading to a vast increase in the need for encryption tools and digital certificates of many diverse kinds.
Clearing and settlement ultimately means shuffling swapping promises to pay so that multilateral deficits are revealed as bilateral deficits. For example if Ann owns Bob $100, and Bob owes Carol $120, and Carol owes Anne $100, and they swap the IOU's around so that everyone ends by owning their own IOUs, and Bob owes Carol $20, this is clearing and settlement.
In the twentieth century this sort of activity has become an exclusive privilege of the banks, partly because their network was vastly more efficient than any one else's, and partly because of government enforcement of a banking cartel, in an effort to control and observe peoples transactions.
However in the nineteenth century in America, this sort of activity was routinely done by most people, though the banks did more of it. Often promissory notes signed jointly and severally by several notables of a little town were used for money more than bank notes. The kind of transactions that are now only done by banks were part of every schoolchild's education. Every eighth grader was expected to be able to issue a promissory note or a letter of credit, and to be able to write a bank check on a blank piece of paper.
Today, when everyone has access to a network as powerful as that of the banks, we should expect to return to that system, where everyone is his own banker, even though some large and powerful organizations specialize in banking.
The more people do business on the net, the more desirable it becomes to move those parts of the transaction that require the exchange of promises onto the net, thus the greater the need for a general purpose encryption tool, primarily for signatures and certificates, rather than for privacy.
PGP is such a general purpose tool, but its certificate structure is not powerful and flexible enough for some commercial purposes, and is too powerful to be convenient for the most common routine uses.
Any tool that provides general purpose encryption and digital signatures will be mostly used for financial transactions, as is the case today. The future will resemble the present, only with better tools more extensively used. The big difference will be that it will resemble the past more.
At present all internet settlement systems rely on the banking system to settle and clear internet transactions. This will eventually change. When it changes, when the internet becomes the central mechanism for exchanging promises to pay, then encryption will become a major market, comparable to other network tools. Until this happens, encryption will remain an insignificant niche market, or rather a collection of tiny niche markets.
Crypto Kong is essentially an interface to a database that contains cryptographic evidence on identity and on the authorship of documents.
By and large, most people will not pay money for this.
If, however, many of the documents are certificates that mean things like "Ann promises to pay Bob $300, Bob has signed this IOU over to Carol, and Carol has signed this IOU over to Ann", then they will pay money for servers designed to interact with such promises.
This is essentially the Netscape plan. Give away the browser and sell servers.
Now if we had a tolerably free market in banking, nineteenth century style, when every literate person did the kind of transfers that banks specialize in doing, this would be no problem. We would simply add some special case handling to Kong, to make checks, letters of credit, and promissory notes quicker and easier, and pretty soon lots of people would be passing cheques on the internet, and pretty soon lots of enterprises would want servers that can automatically accept a cheque signed from Ann to Bob, and from Bob to Carol, debit Ann's account, and issue a cheque to Carol, and soon we would have lots of money.
Existing laws and institutional structures create some large obstacles for such a business plan.
One early adopter will be brokers and the like, but these people would generally not need servers, and when they do need servers, SSL suits their needs well enough.
People who use the internet to move ownership of promises to pay from one entity to another are likely to run into the "know your customer" regulations, since on the internet, they probably do not know their customer.
Thus large scale use of this kind of software to transfer ownership of promises to pay is likely to occur outside the US. In addition, banking in the US is a government enforced cartel, and this cartel does not want people using the internet to transfer ownership of promises to pay.
This of course, immediately leads to a problem with export regulations. However the export regulations have several large loopholes, as successfully demonstrated by PGP inc., and any attempt to tighten them to make them effective is likely to get the legislators and regulators into just as much hot water as loosening to make them less of an obstacle for commerce. As PGP has demonstrated, to their great credit, it is possible to publish the source code without violating regulations, whereupon it leaks out of the US without violating regulations, whereupon it gets posted outside the US without violating regulations, whereupon the company whose source it is can make money from its trade mark and so forth without violating regulations.
(I do not intend to go through all the work involved in the PGP legalisms for the freeware version of Crypto Kong, but it may well be worth doing for versions that will be sold, rather than given away.)
Of course, to make real money, we want the banks in the US to play ball, to cooperate in large scale transfers of ownership of value through the internet.
How can this be achieved?
Recollect the reformation and the counter reformation.
When the catholic church enforced a monopoly on writing and thought in 1277, this was bad news for printers. The reformation was good news for printers, and then, to compete, the Catholic church launched the counter reformation, which was also good news for printers, perhaps better news than the original reformation.
If the government and the banks see increasing numbers of people using financial institutions outside the country to store readily transferable promises to pay, pretty soon, in order to compete, they will offer more acceptable arrangements to make promises to pay readily transferable, and will be more willing to allow a wide diversity of people and organizations to perform bank like operations. Bank haven transactions are a lever to crack open the big market, a market that can more readily be persuaded to pay for software.
Back to main CryptoKong page