Among digital privacy advocates, the launch of central bank digital currencies is often greeted with suspicion and alarm. On both sides of the Atlantic, there are concerns that CBDCs represent an opportunity for the state to obtain greater oversight over payments systems. In Europe, protesters demonstrated against a digital euro as an invasion of privacy in February, while in the US, Republican Congressman Tom Emmer has sponsored a bill called the CBDC Anti-Surveillance State Act.
In early 2022, a convoy of truckers in Toronto had their assets frozen after objecting to vaccine mandates and gridlocking US-Canada trade. This led some people to suggest that a CBDC would consolidate state control over payments and provide an easier tool to suppress dissidents or discourage certain behaviours.
It is true that certain ways of designing a CBDC might provide new, more efficient means for the state to implement control. Payments are best provided as a public good, and for the state to use access to them as a tool of social engineering is much closer to authoritarianism than most of us are comfortable with.
But as the example of the Toronto truckers indicates, Canadians are already living in a world where the state has the willingness and capacity to restrict access to payments services, despite not having a CBDC.
A CBDC might – if designed in a certain way – concentrate data, leading to new risks and the capacity to make the exercise of state authority over payments more complete. But this kind of development does not require a CBDC. Aggregating data from multiple services is a technical challenge, but one that law enforcement agencies are already eminently capable of solving.
Threatening our privacy? What privacy?
CBDCs are not a serious threat to the privacy of digital payments because we have so little to begin with. The European Data Protection Supervisor points out that, ‘tracking payments of a person can describe the consumers’ life in great detail… The amount of personal information that actors involved in transactions’ management learn about each individual when a payment system operates is significant. This generates a systemic risk of profiling and surveillance by the parties operating the payment system.’
Whether a CBDC is implemented or not, there should be more robust protection of privacy. At present, the main defence is simply that most people use a variety of services, but the sophistication of the tools used to aggregate and process payments data is growing. Regardless of whether this is driven by private actors seeking profit or state actors seeking greater control, the prospect is not appetising, as the EDPS also mentions that ‘payment data is often used for purposes other than those strictly related to the payment execution… payment providers may collaborate with private credit scoring companies that inform landlords, creditors and service providers about the individual trust score of their future clients.’
Can we hope for better?
Central banks have made it clear that they will not launch a fully anonymous CBDC due to the risk that it would facilitate financial crime. There is a notion that privacy and oversight are a trade-off and the best that regulators and privacy advocates can hope for is some kind of mutually unsatisfying compromise.
But innovation in privacy-enhancing technology offers a way to improve privacy without degrading law enforcement agencies’ ability to fight crime. In most countries, payments data is generally only available for use by law enforcement agencies under circumstances set out in a comprehensive legal framework. If a CBDC erodes that framework’s ability to protect individuals’ right to privacy, that is a design choice and not a necessity. If (and this is far from certain) a CBDC is designed with the correct principles, it can form a new benchmark for privacy in digital payments.
A central bank should not become a repository of individuals’ data. Whether the core ledger is distributed or centralised, there is no reason for the central bank to have access to the know-your-customer information of those transacting in CBDCs. That should be sufficient to ensure that a CBDC does not worsen the privacy of digital payments systems. Privacy-enhancing technologies can also be used to make improvements. There is a broad range of such techniques, many of which are discussed in the Bank of England’s digital pound technology working paper. These include: zero-knowledge proofs, which allow a party to verify a statement without revealing additional data; homomorphic encryption, which allows parties to process encrypted data; and distributed data analysis, which allows multiple entities to jointly process datasets without sharing data.
Central banks and law enforcement agencies will still need the capacity to obtain personal data in their crime-fighting activities, but these data should only be visible to them if rigorous criteria are met. The concept of reciprocal negotiated accountability offers a framework that keeps payment data encrypted and keys held in escrow – released only if certain rules are satisfied. It is a cryptographically secured enforcement of the existing framework.
Winning public trust
Much of the challenge in this area is cultural, not technical. The encryption standards and systems architectures already exist but revelations from Edward Snowden, the National Security Agency whistleblower, and others have shaken the public’s trust in the state’s willingness to respect individual privacy. Can the state be trusted to implement these privacy-enhancing technologies without leaving additional backdoors? Convincing the general public will be a tremendous challenge.
That is not a reason not to try. We are not starting from a point of sufficient privacy, so we do not risk losing it. Privacy in digital payments is already poor – the chance is that we improve it.
The digitalisation of the global economy has caused a rapid loss in control over data. The technology exists to regain it but, as the commercial value of such data increases, the likelihood of the private sector willingly deploying that technology shrinks. If, however, the state establishes a benchmark – a free, high-quality payments system that protects privacy without facilitating crime – then the private sector will be forced to raise its standards.
Lewis McLellan is Editor of the Digital Monetary Institute at OMFIF.