Reflections on the ECB’s Recent Outline on the Digital Euro Project

A document published on October 18 by the ECB titled A stocktake on the Digital Euro proposes the following in its executive summary:

"The Digital Euro would benefit from the most important characteristics of cash as a public good when paying digitally:

  • widely accepted and easy to use;
  • free for basic use;
  • usable for any digital payment in the euro area;
  • not requiring an online connection (it could also be used offline);
  • offering the highest possible protection of privacy;
  • inclusive, leaving no one behind;
  • settling payments instantly;
  • secure;
  • risk-free (as money issued by the central bank);
  • usable for payments at the point of sale and person-to-person.

No other digital means of payment offers all these characteristics at once."

These characteristics of course sound wonderful and we are all on board to support a Digital Euro that really delivers the above.

And then reality sets in...

The first thing that is obvious in my opinion is that the ECB will never deliver the promised digital euro "offering the highest possible protection of privacy". That is impossible in the proposed digital euro designs that have been presented so far. They remind me of the Digital Pound papers, claiming protection of privacy from the central bank with the most advanced PET, ZKP, ... then clarifying on the next slide that anonymity is prohibited and that they are benchmarking the privacy of the new digital pound offering on the (non-existent) privacy of credit cards and bank accounts. The Bank of England will create a proclaimed "privacy from the central bank" by collecting all the personal data at banks and PSPs and only transmitting a subset of it to the central bank, thereby ensuring this "privacy from the central bank"? Impressed? Privacy in such a CBDC ecosystem = 0 and the hackers or government (intelligence) agencies don't care if they get the data from the banks or the central banks. But the central bank can claim "privacy from the central bank" – and we remain exactly where we are today with credit cards and bank accounts, at ZERO privacy. Please watch the exact choice of words when you read such central bank statements. These wordings are not coincidental. Can we really not do any better? is my question here.

A second characteristic that will be challenging to fulfil is "inclusive, leaving no one behind". The document states that "Users of any digital payment services currently need to identify themselves to their PSP before they can start making use of such services. Under the draft legislation, onboarding to digital euro services would be treated in a similar way to other digital payment services." and that would lead one to believe that those who cannot open a bank account or get a credit card today will also not be able to get digital euros. Better inclusion, not on the horizon?

Looking at the proposed Digital Euro published by the ECB in the “A stocktake on the digital euro” on October 18th, 2023, I wanted to raise the following key points. I have been involved in the design of several CBDC solutions and I am a strong proponent of CBDCs (really not an opponent) and a convinced privacy advocate. Therefore, let us start with privacy.

1. Privacy that can be removed is no privacy!

If I give someone access to my data, to be accessed sooner or later, it is no longer private, is it? It is not a philosophy to be tested, as my friend Richard Turrin put it. I just think it is misleading to talk about privacy where there simply is none. Once you share your data with others, it no longer is private – even if you trust these others not to access it. That is just logical I would say.

2. Privacy for bank accounts and credit cards

So let us not talk about privacy of bank accounts and credit cards. You trust your banks and credit card companies to keep your data confidential, but private it is no longer as these organizations have it at their disposal and are clearly exploiting it today. Privacy for bank accounts and credit cards does not need to be removed - there is simply none.

3. Expecting a better future?

A CBDC that gives us no better privacy than what we have today with bank accounts and credit cards should not be accepted by the citizens, in my opinion. That amounts to introducing an even better mass surveillance tool (to be used sooner or later). What would be the benefit of such a CBDC? If we do not seize the opportunity to improve key things with a CBDC, then let us better skip the investment for better uses. Consider following the American lead (in opposing mass surveillance CBDCs) here. Who would have thought that the Americans would one day care more about privacy than Europeans?

4. Offering the highest possible protection of privacy, according to...

Why do I question the statement that the Digital Euro will be “offering the highest possible protection of privacy”? This seems fake news par excellence. The highest possible level of privacy is called Anonymity and cannot be reversed. That is not planned for the Digital Euro, so the highest possible level of privacy protection is already eliminated from the start. What remains is a system built on trust that the banks/PSPs/central banks will not share our data, not exploit it, nor lose it to hackers. When even organizations like the NSA get hacked regularly, who will actually protect this data successfully once it is collected?

Additionally, in order to enforce holding limits, do forward and reverse waterfalls to bank accounts and deliver the features proposed for the Digital Euro, only an account-based system with user identification will do. Account-based systems are perfect solutions for mass surveillance. All the crypto talk with regards to privacy is thereby proven to be at best smoke and mirrors.

The following statement totally confirms the above: "Under the draft legislation, onboarding to digital euro services would be treated in a similar way to other digital payment services" (i.e. credit cards and bank accounts).

5. Americans, behind on CBDC but far ahead in fighting CBDC mass surveillance

The Americans, having already forbidden CBDCs in several states like Florida and Indiana due to their mass surveillance risks, are smartening up. The latest law proposal by Republican House Member Tom Emmer, which just recently passed the House Financial committee and outlaws all CBDCs except those that digitally replicate real cash with hard privacy, is the only way to go if we really care about our privacy. Everyone reading these lines needs to take away that there are no technical problems to deliver such privacy-preserving solutions, that prevent tax evasion, black markets, illegal stuff... at the same time. While this may sound impossible and surprising, it is actually quite simple and true.

6. Data minimisation, privacy by design and by default

Any CBDC system design should follow the privacy by design and data minimization principles (say hello to the GDPR which would actually require compliance with these principles for the Digital Euro, if enforced properly). If we apply data minimization and do not store all that (unnecessary) private data anywhere in the CBDC ecosystem, it cannot be used and will never be stolen. No need for banks or central banks to store it, share it in whole or in parts, impossible for central banks to be pressured to hand it all over for national security or political reasons…

7. Redundant and sovereign public utility

Making the CBDC solution open-source/free software allows the central bank and the public CBDC payment rail to be independent, and makes it a solution that reinforces a country's sovereignty and payment rail redundancy. The ECB has not listed this as a key characteristic on its list. Maybe worth a second thought, or will we run the digital euro on Amazon, Visa and Mastercard payment rails?

8. Offline: Great, but risky...

Offline availability sounds great, but it unfortunately comes with a high risk. I want to highlight here this combination of 3 characteristics from the published list that are somewhat contradictory: Risk-free, Secure and Offline. Offline and secure/risk-free are incompatible terms. A solution that offers payments with customers and merchants being offline at the same time cannot be secure – that is mathematically proven by the CAP Theorem. It will be extremely interesting to see how this experiment will play out. We all know that existing online solutions (which theoretically can be 100% secure) are being hacked regularly. It will be interesting to see what will happen with a central bank offline solution that already from the start is inherently insecure. The secure hardware that is usually advanced to somewhat mitigate the problem has at least a checkered, short-lived history.

Who would not want to have his own central bank printing press in his back pocket? Motivation and incentives seem provided to hackers of all kinds... Interesting times ahead indeed.  

 

I would hope that in the end we all will benefit from CBDCs that deliver on all 10 characteristics listed above by the ECB, and such designs are technically possible today. Unfortunately, the information available from the ECB so far does not lead to the conclusion that the proposed Digital Euro design will be able to deliver on those promises. I invite everyone to keep watching these developments and announcements critically.

And one key item that I hope everyone will take away from this article and which is critical for anyone’s decision to support or reject a future CBDC design is the following:

Privacy that can be removed is NO privacy!!!