Someone needs to remind the European Commission that it can’t have its cake and eat it too.
An EC proposal this week for regulating a future central bank digital currency (CBDC) insisted that it must “protect privacy,” describing a system of NFC chip-based offline payments in which “nobody would be able to see what people are paying for.”
This recognizes European citizens’ civil liberties, as politicians are wont to do. But you can be forgiven for seeing it as mere lip service. A review of the proposal’s explicit record-keeping provisions for payment service providers challenges those intentions, especially in light of recent European government crackdowns on cryptographic privacy.
The fact is the European Commission – and for that matter, the governments of the U.S., U.K. and other major liberal democracies – have generally shown themselves incapable of embracing real privacy in digital money. They want the facade of privacy, something that lets them sell the idea that Western democracies would never engage in the kind of round-the-clock surveillance of which China is accused, while retaining the power to uncover users’ identities when needed.
I mean, what exactly is the difference?
European proponents of privacy-preserving CBDCs say they want to recreate the freedom of cash. But as security analyst Lukasz Olejnik pointed out this week in his critique of the European proposal, these models are a long way from the anonymity of euro notes. In the case of the offline NFC transactions, service providers would be required to record data on the amount spent; the phone or other device’s unique identifier; the date and time of the transactions and the account numbers used. Does any such identifying information get logged when you hand over a banknote to a merchant? No.
Meanwhile, the crackdowns on open-source privacy projects are a clear indication that tolerance for people engaging in private, non-monitored transactions is low, whether in Europe or elsewhere. The Netherlands played a very active role in prosecuting the U.S. case against Ethereum-based mixing service Tornado Cash, arresting developer Alexey Pertsev days after the U.S. Office of Foreign Assets Control took the unprecedented step of placing the open-source software system – not a person, nor a company, but a body of code – on its list of sanctioned foreign persons.
Misplaced enforcement actions
The Tornado Cash enforcement, which civil rights activists decry as an attack on free speech, sent a chill through the pro-privacy cryptography community. It fears for innovation in the field as developers worry about reprisals by security agencies.
Sure enough, the legal pressure on privacy coin Zen reached such extremes this week that developers relented and altered the code to strip it of its privacy protections. Zen transactions are now open for all to see, which prompts the question: why bother?
This crackdown is boneheaded. We are entering into an artificial intelligence era in which digital systems are extracting ever-ballooning amounts of data from our digital activity and can use it to manipulate us. Privacy tech is a bulwark against that encroachment into our lives. Our leaders have expressed concern about AI’s invasive powers, so they should be encouraging the development of these innovative solutions, not driving them out of town.
Let’s recognize that a half-century (since the introduction of the 1971 Bank Secrecy Act) of ever-expanding compliance rules to enable government surveillance of financial activity has built such a complex web of compliance requirements for financial institutions that true digital privacy is mostly impossible without tearing down that entire complex of regulations. That sort of reform runs counter to the principles of that surveillance system, which governments built in a (mostly futile) effort to curb money laundering and other forms of illicit finance.