Today the European Central Bank (ECB) published a blog post entitled “Making the digital euro truly private.” Worldwide, one of the biggest concerns of potential users of central bank digital currencies (CBDCs) is that a CBDC gives the government a Big Brother way to snoop on you. The ECB's currently planned design would be pretty robust in preserving privacy. However, even with a strong privacy design, some challenging privacy issues will be hard for most central banks to address.
Before touching on those issues, it’s worth noting that there will be two versions of the digital euro. The offline version aims to be as close to cash as possible and is designed for smaller payments. Online payments are closer to typical card or bank payments today.
The recent European elections show that future national governments could be very different from our current ones. Given Europe’s World War II history, it’s not a stretch to ponder what might happen in a less benevolent world. What if the digital euro has real traction and cash is barely used? How easy would it be to change the digital euro system to break the privacy protections currently being carefully crafted?
For the offline digital euro, transactions would remain private, but preventing people from topping up their wallets would be easy. In the case of the online digital euro, a law change and a relatively small change in data access would probably suffice to undermine the privacy design completely.
Designing a CBDC to account for every future unpleasant scenario is likely impossible for central banks. Doomsday scenarios aside, the ECB is making a concerted attempt to protect privacy.
Offline digital euro privacy
In theory, for the offline digital euro you will be able to bump phones with a friend to pay your cut of a restaurant bill. Or one of you might have a prepaid CBDC card rather than a phone.
The key with the offline version is that the only people with access to the transactions are you and the person you paid. Any compliance checks are performed when you top up or de-fund your wallet with your bank or payment provider. However, offline CBDC is notoriously susceptible to criminal attempts at forgery, so there will also be anti-fraud procedures. While it’s planned to avoid using private data for these checks, until the design is final, that remains to be seen.
Additionally, we’ll have to wait until the digital euro legislation is passed to see whether these safeguards remain enshrined.
Online digital euro privacy
The online version will not be quite so private. It is far closer to other online payments, so the transaction details are logged. There are two issues here. How much will the government see and will private payment firms be able to use your data? The devil is in the details.
In the current design, the central bank only has pseudonymous transaction data. In other words, they don’t get to see your identity. Only your bank has full access to both sets of information.
Currently the proposal is to have a digital euro account number, which is what the central bank sees. Pseudonymity is tricky. If just one transaction somehow links the account to your identity, then all your transactions are exposed.
As part of the back and forth on the digital euro legislation, there were a couple of helpful amendment proposals. One suggestion is that each transaction uses a different pseudonymous identifier to make cross-linking data harder. That would enormously aid privacy but make it harder to detect patterns for anti-money laundering.
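The linkability trade-off described above, as an added example that is not from the ECB or the article: it compares a reused account number with per-transaction identifiers. The HMAC-SHA256 derivation under a bank-held key is an assumed scheme chosen for illustration, and the account names, key and transactions are constructed.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: (digital euro account number, payee, amount in EUR).
TRANSACTIONS = [
    ("ACCT-001", "pharmacy", 12.50),
    ("ACCT-001", "bookshop", 30.00),
    ("ACCT-002", "bakery", 4.20),
    ("ACCT-001", "clinic", 80.00),
]
BANK_KEY = b"constructed-demo-key"  # assumption: secret held only by the user's bank


def static_view(txs):
    """Central bank log when the same account number appears on every row."""
    return [(acct, payee, amt) for acct, payee, amt in txs]


def per_tx_pseudonym(account, seq, key=BANK_KEY):
    """Hypothetical per-transaction identifier: HMAC over account and sequence number."""
    msg = f"{account}|{seq}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def rotating_view(txs, key=BANK_KEY):
    """Central bank log when every transaction carries a fresh identifier."""
    return [(per_tx_pseudonym(a, i, key), p, amt) for i, (a, p, amt) in enumerate(txs)]


def exposed_by_one_link(view, linked_row):
    """Rows attributable to a person once ONE logged row is tied to their identity."""
    linked_id = view[linked_row][0]
    return [row for row in view if row[0] == linked_id]


def bank_relink(view, accounts, key=BANK_KEY):
    """Key holder recomputes identifiers to regroup rows per account (the AML view)."""
    grouped = defaultdict(list)
    for seq, (pseud, payee, amt) in enumerate(view):
        for acct in accounts:
            if hmac.compare_digest(pseud, per_tx_pseudonym(acct, seq, key)):
                grouped[acct].append((payee, amt))
    return dict(grouped)


if __name__ == "__main__":
    print(len(exposed_by_one_link(static_view(TRANSACTIONS), 0)), "rows exposed (static)")
    print(len(exposed_by_one_link(rotating_view(TRANSACTIONS), 0)), "row exposed (rotating)")
    print(bank_relink(rotating_view(TRANSACTIONS), ["ACCT-001", "ACCT-002"]))
```

Whoever holds the derivation key can still regroup every row, so in this sketch the privacy gain depends entirely on that key staying with the bank.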
Another proposal is that the user is informed when a central bank or law enforcement identifies a user as part of a fraud investigation process. That must happen when the investigation is concluded at the latest.
The Data Protection regulators also previously noted that the draft regulation outlines an intent to store transaction data pseudonymously but doesn’t oblige it. They raised another issue. If a user has multiple digital euro wallets, the central bank needs to link them to identities to impose holding limits. The regulators wanted to know how this would be done in a privacy-preserving manner. In the doomsday scenario described earlier, allowing the central bank visibility into this holdings system could potentially give it full visibility into all transactions.
Banks and your digital euro data
Moving on to banks and their use of your data for other purposes, it’s unclear whether this is ruled out. We suspect this is being kept as an option to provide a business model for payment providers. However, one of the numerous proposed legislative amendments is to prevent banks using your data other than for payments.
While there’s a proposal for a digital euro account number, there will also be a more usable ‘alias’ system. This might be your phone number or something similar. Again, the issue here is the ability to cross-link all transaction data based on your phone number.
There are still plenty of details to iron out, given the stage of development. However, there’s no question that the ECB is earnestly attempting to make the digital euro as private as possible.