I suspect most reputed signers will operate within the Tor network, which is very easy to do. Even if they don't use any proxy, determining which node is theirs is a difficult task that only organizations like NSA could hope to have any success at (if they cared to devote resources to it). Therefore, the premise of your scenario, that reputed signer IP addresses will be known, is false.
You're right; Tor would solve the problem. If someone takes down the exit node you can just switch to another one.
I think more humble organizations than the NSA could discover a signer's static ip, though. Here's a half dozen ways to do it off the top of my head:
1. Go to the signer's house and apply a rubber hose to the signer until the ip address (or even the private key) is volunteered.
2. Various other methods of coercion / blackmail / deception, including court orders, dating the signer, pretending to be the cable guy or whatever.
3. Hire a hacker / private detective to get the information (or hack into his computer yourself).
4. Own the company who leases the signer's VPS. How many will run their nodes on Amazon? If they keep the identity of their VPS providers secret from each other, how will they ever know if they're using the same one?
5. Ask the signer what VPS services he's tried and which ones he thinks are good. Compare the ip address ranges these VPS services provide to the ip addresses of persistent nodes.
6. Connect to 100 nodes. When a message from the target signer arrives, measure the time at which each node publishes the message. Drop the slowest 50 and connect to 50 different random nodes. Repeat. The probability that you're connected to the target signer increases with each iteration.
The first five methods you have described can be thwarted if a reputed signer is pseudonymous without revealing information about themselves outside the scope of their signing operation, which is exactly what I expect will occur.
The sixth method you describe would work if you presume a static IP, but if static IPs are a problem then signers won't use them. All they need to do is run the Tor browser bundle and configure the proxy settings in their B&C client. My guess is signers will do this.
If the shareholders feel so inclined, can they pass a motion requiring all the depositors' funds to be distributed among themselves?
Shareholders could do any number of things that would destroy their entire investment, but we can be sure they wouldn't be so foolish. When you consider that the market cap is likely to be equal to many years worth of revenue, it is unlikely that deposits will exceed market cap.
Well yes and no. Market cap > Revenue only implies Market cap > Deposits if Revenue > Deposits.
But would, say, 8 years of revenue really always exceed the value of the total deposits?
Let's say the total amount deposited on average is D. Let V be the number of times per day that money is traded. I might be wrong, but I think most of the money on the exchanges doesn't trade every day. Most of it stays in balances or in orders that don't get executed, I think. So I think V is less than 1, probably about 0.1. I might be way off.
And let F be the fee that you charge. Let's say it's 0.5%. That might be an overestimate, but maybe I underestimated the velocity of money on the exchange.
Then revenue over 8 years = D * V * F * 8 * 365 = D * 0.1 * 0.005 * 8 * 365 = D * 1.46.
So if the total value of deposited funds ever exceeded 1.46 times the average value of deposited funds, then the shareholders would get more money by stealing the deposits than by accumulating 8 years of revenue.
Let's say I way underestimated V. So suppose it's bigger by a factor of ten. Then the condition for rational (but evil) shareholders to decide to steal the deposits would be if the total amount currently deposited exceeds the average amount on deposit by a factor of 14.6. Could we be confident that that would never happen?
Thanks for the calculations. The range of values each variable could possess is considerable, so determining a reasonable scenario is difficult. While I suspect the market cap will exceed deposits, I agree that might not be the case at some point in time.
It is still implausible that so many people in a position of trust would collude to perpetuate such blatant fraud. Consider the case of BTC-e.com, a pseudonymous exchange that has been operating for four years without taking users' funds. That is functionally a 1 of 1 in multisig vocabulary. Each additional signer dramatically reduces the chances of this type of fraud. If 1 of 1 can work in at least some cases over a long time period and with the system having the capability to move as high as perhaps 11 of 15 signers if defending against such an outcome were a priority, we can be confident the chances of this type of fraud occurring on B&C Exchange is exceedingly low.
Presumably they could also do things like freeze or confiscate Jed McCaleb's XRP if they thought there was a good non-fraudulent reason to.
Unlike Ripple, the architecture of B&C Exchange is fundamentally incompatible with permitting anyone to freeze BlockShares, because transaction processing is truly decentralized.
However, funds placed in deposit addresses have different characteristics than assets that are natively held on the B&C Exchange blockchain. While no implementation of the feature is planned, it would be relatively easy for individual signers to maintain a list of addresses they will refuse to sign transfer for. Imagine funds which could be verified to have been stolen from BTER were placed in an exchange deposit address. If the majority of individual signers decided to sign a transaction to return funds to BTER, it would occur. But it would have to be done transparently and if shareholders felt any such action reduced the value of their BlockShares they would downvote the reputed signer and the protocol would no longer permit them to sign new deposit addresses. So there is a degree of flexibility with how deposited funds are handled, but signers will be held accountable in all cases and in all cases the cooperation of most signers will be required. Shareholders will collectively remain in control, because they control who the signers are.
Do we know that no single person will ever accumulate more than half of the shares?
Is there any way to prevent an enterprising gang of thieves from buying a majority of the shares?
We have a lot of very dedicated shareholders with a tremendous belief in the value of shares. They would not let go of the majority of their shares except at truly exceptional prices. My guess is that if you wanted to acquire a majority of the shares you would need to increase the market cap 100 times or more to do so. If you did that, you would have tremendous stake and would rationally take extraordinary care to maintain and increase the value of your BlockShares. Some imagine a central bank or government may be willing to purchase shares/coins of PoS networks to gain control of them in order to destroy them and prevent them from competing with their monetary systems. I don't think this approach would be an effective method for such entities to oppose PoS networks. They would just make their opponent rich and there are too many PoS networks to do this with. It would only cause the proliferation of PoS networks as a result of the financial success. We can only hope they are foolish enough to attempt this, but I doubt it.