Without privacy, do we really want a digital dollar?

If a digital dollar is developed it must be just as “bearer” and private as physical cash.

COVID-19 is accelerating discussions about digitizing the dollar. Relief payments to support those suffering economically have revealed shortcomings inherent in current payment infrastructure. Fear of contagion has made handling physical cash less desirable. The dollar may turn out to be one of several facets of society that will not return to normal after this pandemic wanes.

What is a digital dollar?

By “digital dollar” we mean a transferable digital token that is the legal equivalent of cash, not electronic bank balances, not a private company’s promise to give you cash on redemption, but actual dollars issued by the government and backed by the full faith and credit of the United States.

We should expect any digital dollar to be centrally managed with at least as much control as physical dollars are managed today. This suggests an obvious design constraint: digital dollars will be a “centralized digital currency” rather than a true cryptocurrency, but more on that later.

What kind of digital dollar should we want?

China’s progress towards a digital yuan illustrates that a state-run digital currency may involve substantially more state control over transactions made in that currency than is currently available with cash. While China’s central bank promises to “protect users’ privacy,” it does so by making transactions and identities anonymous between users, including intermediary banks, but not to the central bank, which sees and records all transactions and identities. If we create digital dollars, they should be private by design such that (as is the case with physical cash) even the issuing authority can’t engage in surveillance of transactions system-wide. There’s a difference between trusting an authority to abstain from inappropriately surveilling a mountain of available transaction data, and building a system that never collects such data to begin with. Privacy by design means the latter, and later we’ll describe how a digital dollar can be built this way technically.

Privacy aside, there is also the question of whether a digital dollar will be as easy to transfer from one person to another as physical cash is today. Cash is an ideal technology because it doesn’t discriminate. It is “bearer,” which means that possession is the only prerequisite for its use. This means that paying someone is as simple as handing them the cash. Bank transfers, credit cards, and other electronic payment mechanisms don’t work that way. You must have an account with some bank or service-provider before a payment can happen, and if that institution doesn’t want you as a customer, doesn’t want you to pay the person you are paying, or wants to freeze your account, then you cannot make a payment. This kind of payment censorship might help stop some crime, but it also can be abused to systematically deny payment services to the poor or politically disfavored. If bearer payments like cash were no longer available, what remains would be a system of complete central control over individual participation in the economy. Even China’s proposed digital yuan has been designed, thus far, as a bearer asset, and the digital dollar should be no different.

That all said, it is not clear that a digital dollar would, in fact, make things like relief payments any easier, and, as just discussed, we are concerned that the decline of physical cash will inevitably harm the poorest among us most while also eroding everyone’s privacy and autonomy. A cashless economy is a surveillance and control economy, a closed economy that only works for the privileged and politically acceptable.

To address these concerns, any digital dollar must have certain features: it must be bearer and transactions must be private by design. This would ensure that it has—at least—feature parity with physical cash.

We are not advocating for the creation of a digital dollar, but if a digital dollar is developed, then it must be built to be private and liberty-enhancing. Like cash, it must not rely on intermediaries (public or private) who can surveil and control the entirety of digital dollar payments. Like cash, it must be open and available to anyone who wants to use it, and it must not discriminate between users. Here’s how that is possible.

What is zero knowledge privacy?

At first blush, the goals of privacy and currency soundness may seem contradictory: in traditional electronic banking, the bank must keep track of the exact balances of each customer, and record all transactions between them in order to prove that customers are only spending money to which they are entitled. However, recent developments in the field of cryptography have made it possible to build sound currencies that provide strong privacy for users.

A successful approach to constructing such currencies draws on a suite of technologies called “zero knowledge proofs.” These mathematical techniques, first pioneered at MIT in the 1980s, make it possible to prove the truth of a mathematical statement without revealing the complete details of that statement. In the context of a currency, this means that a balance-holder can prove that she owns a sum of money in an account, and that these funds have been appropriately transferred to a second individual. This can be done without revealing either person’s identity, the sum of funds, or any other details of the transaction. Zero-knowledge techniques are well studied in the scientific literature, and have been deployed in practical cryptocurrencies.

These techniques could be used in a digital dollar system in order to safeguard the privacy of users. Unlike a traditional bank ledger, in a zero-knowledge system each transaction would reveal no information about the sender, recipient, or amount sent, yet proofs would protect the soundness of the currency from theft and counterfeiting.

What’s different from cryptocurrency?

A centralized digital dollar would have several technological differences from existing cryptocurrencies. Those systems are intended to be run by networks of volunteers without the need to identify or trust any particular participant in the network. However, similar digital currencies can be deployed in a more centralized setting—where network infrastructure is operated by known providers, but anyone with a computer or phone and free software can still use the network. To be clear, this is a hybrid model. Unlike a cryptocurrency, only one party is entrusted with keeping the public ledger, but—like a cryptocurrency—the ledger is public and anyone can create a payment address to receive payments on that ledger without seeking permission from the trusted ledger-keeper. To make a payment address and begin receiving payments a user simply creates a valid cryptographic keypair using commonly available smartphones or computers and free software.

Facebook’s original design for a Libra digital currency followed this hybrid model: the ledger of libra transactions is maintained by Libra Association members but, unlike traditional banking, the transactions on that ledger may come from Libra users who are not necessarily customers of the Association or its members. The transactions can be between anyone who creates valid libra cryptographic addresses, whether they are banked, unbanked, a customer of some financial institution or not.

There is no reason why a centralized digital currency similar to Libra could not be issued and maintained by a public entity such as the Department of Treasury, which today produces paper dollars through its Bureau of Engraving and Printing. Treasury would be in charge of keeping and updating a ledger of valid transactions on the digital dollar network, but, like the Libra Association, it would not need to have a customer relationship with the individual persons making those transactions, and anyone could make transactions without seeking the government’s permission (just like cash). The government’s role is limited by design; it simply checks that transaction messages are valid according to basic rules before adding them to the ledger. Any digital dollar system implemented by the government should combine elements of Libra’s centralized architecture with the privacy guarantees afforded by privacy-preserving cryptocurrencies. To be clear, we do not suggest that the government use the Libra network as it is currently being developed; we suggest that the government should simply implement a similar technology on its own. Libra’s protocol is open source and so are protocols for the zero-knowledge transactions described earlier; a good starting point for a digital dollar would be simply forking (copying) the source code of these existing projects.

Unlike decentralized cryptocurrencies, centralized digital currencies can be backed by existing financial instruments such as fiat currencies. They do not require “mining” to create new currency, and can be pegged to a real-world currency such as the U.S. dollar. In this setting, the supply of currency in the system is controlled by a centralized party. So-called dollar-backed stablecoins are existing examples of this model. A stablecoin issuer chooses to mint a certain number of stablecoins and commits to keeping real currency on hand as a one-to-one backing for all stablecoins in circulation.

If a government issued its own centralized digital currency it could have full control over how much new money it chooses to put into circulation on the network and to whom those new balances should be distributed. Unlike the dollar-backed stablecoin example, each unit could be backed simply by the full faith and credit of the issuing government, rather than balances held in commercial banks. The issuing government could choose to use this power to create digital money as a direct means of stimulating the economy, providing basic income, or offering emergency support to individuals in a crisis like COVID-19. Unlike physical cash or banking, a digital dollar ledger could offer a real time and publicly auditable report of the supply of money in circulation, and by using zero-knowledge proofs this public accountability can be offered without revealing individual transaction details that could jeopardize the privacy of digital dollar users.

Does this allow for scale? What would you lose by making these design choices?

A major benefit of this approach is that, unlike traditional cryptocurrencies, the total number of transactions allowed by the system can be made to scale to tens or hundreds of thousands per second. This is vastly greater than systems such as Bitcoin can currently accommodate.

The cost of this approach is the loss of certain security properties available to decentralized cryptocurrencies. A key feature of cryptocurrencies is that they are resistant to transaction censorship: this means that it is hard for any party to prevent a user from spending money. Censorship resistance is more difficult to guarantee in a centralized system. For example, a centralized digital currency could be shut down entirely by the government that maintains the ledger; individual payment messages could be ignored when they come from certain IP addresses; and balances could be “rolled back” en masse, to an earlier state.

Some of these protections may, however, remain in place due to the use of zero knowledge proofs. For example: if a centralized provider cannot see the details of participants in a transaction, and merely validates mathematical proofs for those transactions, it may not be able to filter out unwanted transactions as easily.

Censorship resistance is the only way to guarantee that a digital asset truly is “bearer” and can be sent directly from one person to another without reliance on a third party. Cryptocurrencies achieve this property by making network participants (miners) compete for the power to add transactions to the ledger. Even if some miners wish to censor a transaction, we assume that others will not, particularly if it means they are forgoing fee revenue. A centralized digital dollar would not have competitive mining, but if the role of the ledger-keeper were reduced to verifying zero-knowledge proofs, then any refusal to perform that verification risks indiscriminately censoring users throughout the economy. If the Treasury became corrupt, it could degrade the performance of the network system-wide, but it would be difficult to selectively block certain individuals or surveil their activities.

None of these protections, however, are guaranteed, and new technologies always present unpredictable risks and unintended consequences. We must, therefore, preserve and defend physical cash and should never celebrate its demise. Cash, along with cryptocurrencies, is essential as a payment method of last resort that cannot be surveilled or controlled by corrupt governments or unscrupulous corporations.

As we said at the start, digitizing the dollar is not a panacea for our current economic downturn or the pandemic at its heart. However, if governments do decide to develop a publicly-run digital alternative to existing bank-mediated payments and physical cash, then technologies pioneered in the cryptocurrency space should deliver scale and accountability while preserving much of the privacy and freedom inherent in cash transactions, privacy and freedom that are essential to a free and democratic society.

This post was updated for clarity on May 19.