For private digital currency, insist on openness

By Jim Harper

Last week, the Digital Dollar Project (DDP) highlighted the challenges involved in producing a central bank digital currency (CBDC) that will preserve important values such as privacy. Every CBDC effort we have found gives privacy protection short shrift even though privacy is of paramount importance. A CBDC that sends our financial privacy from frying pan to fire quite simply should not be adopted. The DDP’s privacy principles are an important contribution to the CBDC discussion.

Inspired in part by my role as an advisor to the DDP (I’m an advisor, not a spokesperson; the report is the DDP’s, and these comments are mine), I had American Enterprise Institute researcher William Rau examine documents discussing the many CBDCs at various stages of discussion and development around the world. That (unpublished) research finds that their treatment of privacy is generally wanting. Many documents articulating CBDC projects make no mention of privacy. Those that do typically treat it as a “to be determined” item.

That might incline thoughtful people to reject CBDCs out of hand. Recently, one prominent surveillance expert issued a powerful warning against CBDCs, calling them “a cryptofascist currency . . . expressly designed to deny its users the basic ownership of their money and to install the State at the mediating center of every transaction.” That may be hyperbole or appropriate caution. It is poor civic hygiene to install technologies that could someday facilitate a police state.

Whatever the case, a CBDC that jibes with American values must pass stringent tests. The DDP’s aforementioned privacy principles suggest four such tests.

First, a CBDC should be private, meaning people should be able to use a CBDC “without making themselves subject to undue government surveillance. People may benefit from above-board, contractual sharing of information with financial services providers, or they may refuse it.” That raises a lot of questions, but I see it as calling for a system that at worst replicates the challenges of protecting privacy from financial services providers. As to government, the report says law enforcement access to CBDC usage data “should be strictly controlled by due process, and other applicable U.S. law, including the Fourth Amendment.”

Second is security, which has many dimensions: “A U.S. CBDC should improve and not degrade people’s security against theft, hacking, illegal seizure, and fraud,” the DDP’s principles stipulate. Private seizure (theft) and public seizure (seizure) are rightly on the same plane. Defenses against hacking of the system and against hacks on people’s interfaces with the system — their accounts, phones, wallet software, and so on — should be as good as or better than the status quo.

It’s not quite a privacy value, but the report next emphasizes accessibility and low cost for users:

A U.S. CBDC should improve Americans’ and global dollar users’ access to financial services. Because it is a more efficient system, it should cost less to engage in basic financial transactions. And as an open system, it should draw competition into financial services that produces better services at lower costs.

To assure the public that the protections required above are real, the fourth emphasis of the report is transparency:

The system on which a U.S. CBDC runs should be operationally transparent so that a variety of parties — governments, NGOs, businesses, and academics — can independently assure themselves about its technical functioning, its security, and its resistance to impermissible monitoring or other exploitation.

How do you do all that? I think it’s hard but not impossible. I’ll treat the report’s focus points in reverse order, being entirely too brief.

The technical infrastructure that can assure the public of privacy and security will tend to be open software platforms operated by heterogeneous actors, not closed software operated by a single institution or the delegates of a central bank. Openness and dispersion will facilitate necessary oversight.

To lower costs, I think openness also prevails. It will produce healthy competition, because it will give no actor an edge over others on techniques or products the system makes possible.

Openness would also enhance a CBDC system’s security. A multitude of actors in competition are more likely to discover flaws in the technical functioning of the system. Manifold actors poring over the consumer security challenges will also do better than a unified effort, I think.

As to privacy, a rule of thumb that I think works here is that a CBDC system must be able to support all information policies from entirely private transactions equivalent to cash, to closely monitored transaction flows, to public broadcast of, say, government spending. The privacy innovations being developed in the cryptocurrency world such as zero-knowledge proofs probably end up being essential components of a CBDC.

In short (painfully short), the CBDC that is consistent with American values will probably be a lot more like an open cryptocurrency network than not.

