Notaries serve an extremely practical purpose: they make it harder for somebody to deny that they signed a document. They were never intended to verify the content of anybody's statement of anything.
The assurance they provide is real. It is MUCH HARDER, and more importantly MUCH RISKIER, for somebody to walk in and effectively impersonate another person than it is for them to forge a document in isolation... face mask or no face mask.
Block chains, on the other hand, can be very much about magical thinking... for example the built-in assumption that it's somehow harder for me to steal your private key than to fake your ID, or the idea that an on-chain assignment of a physical asset can somehow "enforce itself" out in the real world.
for example the built-in assumption that it's somehow harder for me to steal your private key than to fake your ID
I do think it can be much harder. I'm curious why we have different expectations.
There are two important differences between the two. Faking an ID depends only on your skills and resources. I can't invest resources in making it more difficult for you. But I can protect my private key or wallet better if I need to, trading security for inconvenience.
Also, IDs are verified by people, who can make different mistakes. You can keep trying different people, and different ways of using the fake ID. Whereas a key is either leaked or it isn't. A single point of weakness is easier to defend.
Correct me if I'm wrong, but:
That's true. But a well-protected key is much, much harder to steal than it is to fake an ID. (We were not discussing stealing IDs.)
It's a different way of looking at things - Anyone* who steals ANY KEY can use it. So there's benefit to attackers, just going after badly protected keys. The approach looks like an inversion of the way you're looking at it.
(That doesn't mean I'm always a fan of using multiple factors, or verifying new machines - but I understand the point in terms of security, and sometimes wish there were more (opt in) options, say periodic ones. For example, 'machines expire after X time or Y logins'.)
*with the skills.
Both things are true. An attacker can find poorly protected keys that are easier to steal (although key protection may weakly correlate with key value). And a defender can invest to make their own key much harder to steal.
You don't need to steal the ID, you just need to see it or collect the info on it. Which is easy since you're expected to share your ID with people. But the private key never needs to be shared, even in business or other official situations.
This could easily turn into a book on the different security models. But I don't think I have time for that, and you probably don't either, so I'll try to just respond to what you said...
Faking an ID depends only on your skills and resources.
I don't think that's a productive way to look at it at all. The skills and resources I will need depend on the countermeasures taken by the people who create the IDs... who, although they may be under cost constraints, are professionals, unlike most of the users. They are the ones who invest resources, and they do have all kinds of choices about how much to invest.
There's also the question of verifier resource investment. A store clerk deciding whether to sell you beer may just glance at the card. A cop who stops you in traffic will nearly always check everything on the ID against the issuer's database, at least if it's a "local" ID... with the definition of "local" being expanded constantly. It's a three-way verification between the card, your face, and the database. I suspect notaries in many places do the same now, and I would expect the number of such places to increase. An ID card is no longer just a piece of plastic.
So, for transactions big enough for your counterparty to bother investing in serious verification, faking the ID really becomes a matter of either faking the biometrics it uses (not so easy in person even if the biometric is just a facial photograph), or subverting the issuing system.
It's true that subverting the issuing system is a class break against all of the IDs it issues, but it's also true that finding a zero-day in code that protects keys is a class break against all of the keys protected by that code.
Also, IDs are verified by people, who can make different mistakes.
... but keys are also held by people, who can make different mistakes. And they use different ways of storing the keys.
In any case, for any particular transaction, I as an attacker don't usually get my pick of verifiers. If I want to divert the payment for your house, I have to fool the particular person who handles that payment (and then I have to move very fast to get the money out of reach before they claw back the transaction). I can't get $500,000 from an escrow agent by fooling the clerk down at 7-11.
Whereas a key is either leaked or it isn't.
Well, no, actually. I said "steal your key", but the real issue is "use your key".
Suppose you're using some kind of "hardware" key storage device (they're really hardware plus quite a bit of software). The problem for me isn't necessarily to get a copy of your key out of that device. It's enough for me to induce that device to sign the wrong transaction... which can be done by tricking either it or you. I may be in a position to do that in some circumstances, but not in others.
You don't just have one thing to defend against, either. I have a pretty broad choice of approaches to tricking you and/or the device, and my options multiply if I manage to own the general-purpose computer you've plugged the device into, let alone the device itself. You have to defend against all of my options.
If you step back further, take a timeless point of view, and look at the overall history of transactions controlling a block chain's idea of a durable asset's ownership, there are going to be a lot of keys and key holders in that history. Only one of them has to go wrong to permanently divert the asset. So there are still lots of different people to trick if I want to establish a new dynasty in the manor.
You're not necessarily the only person affected if you screw up with your key, either. Arguments based on self-reliance only go so far in deciding what kind of system everybody should be using.
What I feel like I see from "blockchain people" is this sense that keys are axiomatically safe, to the point where it's always sensible to use them for large, irrevocable transactions with no escape hatch. Even people who have personally made (or failed to make) diving catches to keep, say, Ethereum contract bugs from screwing people over, still somehow seem to maintain their gut-level faith in code as law and total trustlessness.
Frankly it feels like "just world" thinking: "Key compromise (or whatever) only happens to the clumsy and lazy (who deserve what they get). I'm not clumsy or lazy, so I'll be fine". Even if that were true, there are enough clumsy and lazy people out there to cause total system collapse in a lot of applications if you don't design around them.
I actually think that block chains are a useful tool, that they can reduce the need for trust in many applications, and that that's a very good feature. Nonetheless, the idea that they can make everything completely automatic and trustless is just not reasonable.
If we're talking about real estate titles, you might be able to use a block chain to record everything, but somebody is always going to have to be able to override the system and transfer title against the will of the listed holder, or when the listed holder has lost the relevant key. There is going to have to be a "bureaucratic" system for managing those overrides, including trust in certain authorities.
By the way, I am not saying that the sort of magical thinking mentioned in the original post doesn't exist. "Send in a scan of your ID card" is stupid 99 percent of the time. "You must make the signature using a pen" is stupid and usually based on ignorance of the law. It's just that nothing else is a magic fix either.
I think we had different intuitions because we considered different user populations; a kind of "typical skill fallacy" on my part.
It might be, as you say, easier to steal an average blockchain user's private key than to successfully fake their government ID. I don't think I know what the average blockchain user's security is like, and whether it's much better than the average computer user's security, which is very poor. (Although that statement once again bakes in some assumptions about the attacker...)
Rather, I was imagining myself, and others who like me have some relevant experience. (I've spent a few years helping manage a private X.509 CA and associated hardware and software in a pretty paranoid environment, so perhaps my expectations are set high!) I believe that if I wanted to strongly protect a private key, because I had a lot of value invested in it, I'd be able to make it much more secure than my government ID.
The key point is that a blockchain user can invest in security proportionally to the value being guarded. Whereas IDs provide a similar level of security to everyone; one person's ID probably isn't orders of magnitude harder to fake than another's. Unless they're e.g. very famous, or very unlikely to be found where you are or doing the things you're doing with their ID, in which case verifiers might not believe you even if you look like the photo on the ID. (Although social engineering can work wonders.)
I wasn't talking about any blockchain use in particular, and I don't have a strong, thought-out defense of any particular use tied to real-world entities like real estate; I haven't investigated the subject enough. I know my way around key management; what you do with the key afterwards is your business :-)
There seem to be a lot more identity theft online than in real life, so my prior is that identity theft is either easier or more rewarding when done through computers...
Online identity theft is not at all the same as stealing a private key / crypto wallet, and has a very different threat profile.
It is MUCH HARDER, and more importantly MUCH RISKIER, for somebody to walk in and effectively impersonate another person than it is for them to forge a document in isolation
Harder on the criminal or harder in fact? Frank Abagnale's story seems to show that a talented con-man can get away with almost anything. But yes, for the average criminal, it sounds much easier and perceptually safer to forge documents in isolation.
I'm in the middle of reading Sapiens, and there is a passage near the beginning that is about pretty much exactly this. Lawyers, judges, businessmen, and bureaucrats are powerful sorcerers, whose power comes from having completed certain rituals and having learned esoteric knowledge, whose stories are much stranger than those of a tribal shaman, and who have real power because we all agree to (at least pretend to) believe them. He uses the example of Peugeot, and asks in what sense a company exists. Well, some people spoke and inscribed certain spells with the right paper and ink, and presented them in special places to other sorcerers, and the company came into being, even though it had no physical body. Its owners could fire every employee, its customers could scrap every product, and a natural disaster could wipe out every factory and office, and the company would still exist. But if the sorcerers file certain forms and make certain arguments in the right way, it would cease to exist, even though all the people and products and assets are otherwise unchanged.
Sufficiently self-aware and genre-savvy lawyers know this, but I've yet to meet a bureaucrat who acknowledges it. At my own closing on my house, my lawyer commented that every form and step were there because someone, at some point, did something they shouldn't, and the form is to make it simpler to reduce or prevent it from happening a lot anymore. This sent me down a bit of a rabbit hole learning about the history of deeds and title, and legal fictions, which was kinda fun.
And if you haven't yet read Legal Systems Very Different from our Own (draft version online for free), I strongly recommend it.
I think most or all of these rituals are still functional even if participants can't see it. If you want to see that up close, look at how you get the rules waived. If a dispute over a document goes to court, a judge can waive almost any formal defect. But they won't always do it, and someone else, like the clerk, can't. The formalities take the place of human judgment because only a few people are trusted to exercise the appropriate level of judgment and getting it in front of such a person is expensive and time-consuming.
Yes, and I think that's kind of the point.
Make it expensive to break or get around the rules, and most people will follow them (see Scott Alexander's review of the Legal Systems book, and ctrl+F "one crime a year"). If enough people are willing to pay the high price (in time, money, etc.) to go through the formal processes of getting around them, or of taking the risks involved in just breaking them, that's a strong signal to society that the rules need updating.
As far as trusting judges more than clerks (and appellate judges more still, etc.): Like any good magic system, you lock the really dangerous powers behind rituals that require significant sacrifices. Going to law school, cultivating a reputation for whatever virtues the local judge-selecting mechanism uses, accepting a lower salary than you'd potentially have as a lawyer, and so on.
Meh – I suspect that most or all of these rituals were functional, or at least intended to be functional, but I often notice a lot of rituals that – today – can't possibly be functional.
The example in this post of 'we only accept scans not photos' seems pretty clearly in that category. I can imagine that it might have previously been functional, e.g. when it was much more difficult to take photos (and develop/print them) and functionally requiring almost everyone to use a copy machine did something useful. But copy machines have always been camera+printers and there's no additional 'magic' left in demanding that people continue to use them.
I suspect a big part of why 'magic rituals' lose functionality is that: 'magic ritual high priests' are mostly judged on their intentions in the first place – not any kind of strong evidence of the ritual's efficacy (relative to alternatives, including the previous status quo), and no one's really regularly and rigorously investigating whether those rituals are still functional.
Some magic rituals – even ones involving computers and no humans! – require entering the same info multiple times (sometimes to an absurd degree). That could be functional, but my prior is that they're almost always due to poor 'magic ritual' construction instead.
"Ritual" and "magic" are related, but not identical. You're correct that many of the participants don't know the full evolution behind the rituals, and many of the components make no sense to you or I. The rituals that make things Official do somewhat well at the job of seeming important and making it less likely for an average person to think they can get away with cheating, and make it easier for an adjudicator to see whether things appear "standard" and they need only to verify actual details, or whether everything is haphazard and they have to examine process and provenance before even thinking about the details.
That feeling that these irrelevant processes are critical to get right, or un-defined Bad Things will happen, is a benefit of rituals.
The magic of forms?
I could also see that being called Formal Magic*, but I probably don't wear a suit and tie often enough to be able to create a new term imbued with sufficient bureaucratic shaman energy. Perhaps if we get enough people together in a room to have a meeting about it...
*Business Magic doesn't have the same ring to it.
I'm currently applying for short-term position at my university in France. There are 15 identical positions open for the next year, but for some reason I need to fill in (the exact same) documents individually for each of those positions. Pretty fun...
On a more serious note, my experience with administration and bureaucracy has been that going to the office in person, being very polite, saying abundantly that you are sorry to cause a disturbance, and making clear that you won't leave until your problem is fixed do wonders. After 30min of you saying "I understand that I'm asking for something I've no right to, but could you pretty please do it nonetheless, even the most rule-loving employee will either cave in to your demand or send you to someone with actual power of fixing thing.
That is true, rarely do you get someone who intentionally wants to make you miserable. They usually just make you miserable as a side-effect of not caring enough, but as soon as you're sufficiently annoying, they do one of those two things.
The crux is that you must be annoying but in a sweet, non-threatening kind of way, over wise your interlocutor may switch to actively against you.
Here's some examples from my own life of these sorts of rituals to make things official:
Also, one I remember from when I was a kid but that I never had to do:
I grew up on Long Island and agree that the ID points rules are hard for a lot of people to fulfill. If you're under 21, and have a birth certificate and social security card, then you just need your parents to say you are who you claim, though. That is, as long as they have ID.
These rituals are inefficient in cases where there is mutual trust between all participants. But sticking to formality is a great Schelling fence against those trying to gain an advantage by exploiting unwitting bureaucrats.
I wouldn't have previously considered bureaucracies to be 'advanced technology', but they probably are.
I still wouldn't assume that bureaucracies really serve anyone or anything other than themselves tho! But perhaps it is useful to think of them as demonic manifestations of Moloch or something.
Buerocracy seems to be tedious at times, but in my opinion it's quite efficient.
Most buerocratic rituals still serve a purpose. There are a lot of decisions to be made by people and they simply want to follow an algorithm. Or a checklist. To do that without friction, people want to normalize their input, that's why everyone insists on the right form. It's standardization.
Let's have a look where buerocracy is happening: when dealing with money. Nobody wants to be responsible, so everybody is trying to secure a paper trail that proves they made the right decision.
Buerocracy is complementing (or weeding out) the human factor, by it's narrow-minded nature. It enables to make decisions based on the effort someone has put into his credentials.
Humans equipped with buerocracy are harder to game with sheer salesmanship and less prone to simple errors.
I previously wrote about some practical game-theoretical (game-practical?) realizations I had while buying a house. Today I want to talk about how bureaucracy is a ritualistic, magical place.
In our home-buying process, every step of the way, there were papers to be signed. Paperwork is how the magic of bureaucracy comes in view. I'm not saying "magic" to mean good or beautiful. I'm referring to the ritualistic nature of bureaucracy.
Everything in our journey was a ritual. When you debate the point of something, people participating in the ritual are confused. On the one hand, they understand that your request makes sense, because you're asking for the same function. On the other hand, you shall not ignore the Ritual!
Let me explain with several examples what I mean by ritual.
To buy a house and get state subsidies, you have to present an official document to the bank, confirming that the building may indeed be used as a dwelling, i.e. a use permit. It is not necessary that this document is an original, a copy will suffice.
Well, I got to the bank with printouts of photos of this permit. I don't have the original, and the agent simply took photos of it with his phone, and sent these photos to me. I printed them out on paper, and presented them to the bank. Problem: they have to be scans, not photos. "Photos aren't scans", the bank lady said, "They won't be accepted as official". My first impulse was to protest: "But since you don't need originals, what does it matter what form the copy has? Obviously the informational content is what's necessary - what's written in the document, not what device was used to transfer this information. And anyway, scans and photos are literally the exact same thing. Scans are just photos taken in a particular way. How is it important that-", but I stopped myself before saying any of this. There's a particular art to navigating bureaucracy, and arguing about the nature of information and how it represented is Not It, Chief ®. Instead, the Art is to constantly weigh where you can insist on being reasonable, and where you have to suck it up and comply with a dumb request.
What the bank lady actually wanted is a semblance of officiality. Photos simply don't look official, and that's it. To complete the ritual, a conventional way is required, and the most modern of the conventional ways is the offering of a scan. I downloaded the Adobe Scan app, "scanned" the JPEGs, made them look like they were actual scans from a scanning machine, told the lady that I just got the scans (implying that I got them from the agent, not from an app), and sent them via email. She was satisfied. Ritual complete.
One of the steps was to notarize a document stating that we don't currently own any real estate. To do so, we went to a notary. My girlfriend knew of one in a nearby mall, so we went there. I'm angry at myself that I didn't take a photo, but I'll try to describe it. So you come into this mall, and there are all these stores, with clothing, tech, sports equipment, food - just the regular stuff you'd expect in a mall. To get to the notary, you go through one of the service doors - those things that hide the inner workings of a mall, the mall's guts. You open that door, and you smell and you *hear* the toilets as they're being flushed. If you don't already know that you're going to see a notary, you'd think you've just walked into a toilet. So you walk through the toilet a bit, and at the end of the hallway, there's a door to the notary. The inside office is actually surprisingly well-furnished, but the outside is a mall favela.
We get in there, we present our ID cards, we sign a statement, the notary stamps it, and then we literally sign our names into a Big Book. The notary didn't verify my statement. She just verified that I signed it. Actually, she didn't do that, because I had a face mask on. So I could have come with anybody's ID card and produced any sort of statement, and it would have been notarized. A weirdly archaic industry, but it still lives because rituals aren't easy to replace.
All this reminds me of Pact by John C. McCrae (Wildbow). The main character there finds out about the world of magic, but it turns out that magic is magic only if the surrounding spirits and other practitioners of magic recognize it as magic. In other words, if you do unconventional stuff that doesn't look magic, it's not magic. There's no mechanism that you can game because the mechanism is the look; the form is the content.
Bureaucracy is a world of magic. Things are official if they look official. The more official-looking papers you collect, the stronger the spell. You want to do something that's functionally identical? Tough luck. It has to look the part. For years, this annoyed me. And it still does, but I've come to accept is as a price of doing things I want to do. I am glad that there are people out there building alternative, trustless systems. But until these systems take over, it's Real Wizard Hours.