A retail central bank digital currency (CBDC) has the potential to give authorities more information on users and their transactions as well as facilitate detection, supervision, monitoring and law enforcement efforts. However, this opens the central bank to criticisms that CBDCs could be used as a surveillance tool not only by itself, but by banks and payment service providers that are part of the CBDC ecosystem.
Also, authorities could theoretically censor specific users and transactions, thereby impairing user freedoms. Storing and collecting personal and transaction information could ultimately lead to price discrimination for CBDC users and increase their cybersecurity risks. In the case of a hack, the leakage of personal information could lead, in the most extreme case, to financial losses that the central bank and/or its agents may be obliged to cover.
This article is part of CoinDesk’s Policy Week. John Kiff, a former senior financial sector expert at the IMF, is the research director at the Sovereign Official Digital Association (SODA), head of CBDC/digital capital markets advisory at Satoshi Capital Advisers and advisor to WhisperCash. Dr. Jonas Gross is chairman of the Digital Euro Association (DEA) and chief operating officer at etonec.
Due to these reasons, enabling high privacy for CBDC transactions is crucial.
What do we mean by ‘privacy’ and how private are existing digital payment rails?
Although privacy is a fundamental civil right, e.g., specified in Article 12 of the Universal Declaration of Human Rights by the United Nations, its application is not necessarily black and white, and different forms of money differ in terms of their degree of privacy.
Cash is the most private form of money. If a payment is conducted with cash, only the two transaction parties involved know the information about the transaction, such as transaction amount and transaction parties. No third party can observe any payment-related data.
Today, the public already accepts some financial privacy invasion. Existing digital payment methods, such as debit and credit cards, bank account transfers and mobile money payments do not have a high degree of privacy – and are growing in market share. Know-your-customer (KYC) measures are necessary to open bank accounts and, ultimately, to conduct transactions. That confidential KYC and transaction data is shared with intermediaries, such as banks, credit card companies, etc., that are involved in the transaction process.
According to a recent survey by the European Central Bank (ECB), in the European Union (EU), the volume of digital payments has in 2022 – for the first time – overtaken the volume of cash payments. However, the survey also revealed that the high privacy of cash is a feature that is highly appreciated, indicating strong demand for privacy-oriented payment methods.
High privacy for payments, however, also has a general drawback. As transaction data remains private, it is more difficult for financial institutions to comply with Financial Action Task Force (FATF) anti-money laundering, countering terrorist financing and combating proliferation financing (AML/CFT/CPF) standards. Per definition, transaction data would not be shared with third parties making it challenging – and in some cases impossible – to identify the parties involved, study the origin of funds, etc.
With a view to the discussion on privacy and compliance, how private are CBDC payments? There is no general answer to this question. It ultimately depends on the CBDC design and the goals of the central bank. As mentioned, privacy is not black or white. Privacy of CBDCs will differ across jurisdictions.
The European Central Bank (ECB), for example, sees four possible forms and degrees of transaction data privacy around a potential digital euro. These privacy provisions are listed in order from little to complete:
- Fully transparent to the central bank: All transaction and KYC data is visible for the central bank
- Transparent to intermediaries: All transaction and KYC data is visible to intermediaries
- Privacy threshold: High degree of privacy for low-value transactions, while large-value transactions are subject to standard customer due diligence checks, typically implemented via limits built into digital wallets. The ECB has tested out non-transferrable ”anonymity vouchers” that allow users to transfer a limited amount of CBDC over a defined period with a higher degree of privacy. One key question around a privacy threshold is if the end-users need to trust the central bank for preserving privacy, e.g., in a sense that the central bank guarantees not to look into data for large-volume transactions or monetize data, or if privacy is independent of the central bank, e.g., implemented via privacy-oriented cryptographic techniques, such as zero-knowledge-proofs or blind signatures.
- Non-transparent to third parties: Holdings/balances and transaction amounts are not known to intermediaries and the central bank. In the most extreme case, this can mean full anonymity, where – as for cash payments today – the identity of users is not known and no KYC measures are conducted, except when onboarding.
The privacy threshold model seems to be the preferred compromise between guaranteeing privacy of payments, while accounting for regulatory requirements, in retail CBDC launches and pilots. Countries like China, Nigeria and the Bahamas use such a model for their CBDCs.
However, the ECB, which conducted a survey and found that privacy is the most demanded feature for a digital euro, uses a so-called “transparent towards intermediary” framework. This “baseline model,” the envisioned design so far, is meant to satisfy AML/CFT demands, though may come into conflict with the general public’s demand for high privacy.
New technological approaches for balancing payment privacy and regulatory compliance
The degree of privacy of a CBDC has an important effect on adoption. It impacts if people see central bank systems as a substitute for cash or for digital forms of payments – which have separate uses. If users have strong preferences for privacy, a CBDC that has cash-like attributes could lead to higher usage and impinge less on bank deposits.
Technology solutions – both software- and hardware-based – have been developed that offer ways for CBDCs to enable a high degree of privacy while complying with regulation, such as:
- Gross et al. (2021) have proposed a CBDC system that enables cash-like private CBDC transactions up to specific monetary limits. If these limits are reached, transactions above the limit have similar (lower) degrees of privacy as existing digital payment platforms. Limits can be specified in terms of transaction size, holdings and/or turnover. The system works best with the availability of a unique digital ID available to all users but such a digital ID is not a requirement. High privacy guarantees and compliance with limits are ensured via the use of cryptographic zero-knowledge proofs.
- Chaum and Moser (2022) have proposed a CBDC system based on blind signatures that allows central banks to issue tokens through payment service providers without knowing who owns specific tokens. The central bank holds a ledger of all coin identifiers, so no one can mint new tokens, but transactions between wallets are not recorded. However, if users want law enforcement to trace stolen tokens, they can give up the privacy of their tokens. The Bank for International Settlements (BIS) Innovation Hub's Swiss Centre has launched Project Tourbillon which will build and test this eCash 2.0 platform.
- CBDC hardware solutions that take the form of a card or a mobile wallet app on which prepaid values are stored locally also open the possibility of almost complete anonymity. Such wallets could conceivably be as anonymous and private as physical cash, although the central bank may require identification to enforce a one-wallet-per-person policy or holding and/or transaction size limits to mitigate financial integrity risk. Giesecke+Devrient has been testing a card-based CBDC platform in Ghana that allows for unlimited consecutive offline transactions.
The point is, as noted in this 2021 paper, the degree of data privacy to choose for a CBDC is not a technological question. Technologically, all degrees of privacy can be reached.
See also: What Will 2023 Bring for CBDCs?
It is rather a political and policy question. With retail CBDC launches and pilots attracting underwhelming user interest, to put it mildly, it is now time to consider more cash-like, privacy-focused CBDC solutions. A CBDC can only become a success if it addresses relevant user needs – and has sufficient trust from society.