I pay for things in one of three different ways – credit card, check, or cash. The first two let me make large payments without having to carry large amounts of money. What are the advantages of the third?

One is that a seller does not have to know anything about me in order to accept cash. That makes money a better medium for transactions with strangers, especially strangers from far away. It also makes it a better medium for small transactions, since using cash avoids the fixed costs of checking up on someone to make sure that there is really money in his checking account or that his credit is good. It also means that money leaves no paper trail, which is useful not only for criminals but for anyone who wants to protect his privacy – an increasingly important issue in a world where data processing threatens to make every detail of our lives public.

The advantage of money is greater in cyberspace, since transactions with strangers, including strangers far away, are more likely on the internet than in my realspace neighborhood. The disadvantage is less, since my ecash would be stored inside my computer, which is usually inside my house, hence less vulnerable to theft than my wallet.

Despite its potential usefulness, there is as yet no equivalent of cash available online, although there have been unsuccessful attempts to create one and successful attempts to create something close. The reason is not technological; those problems have been solved. The reason is in part the hostility of governments to competition in the money business, in part the difficulty of getting standards, in this case private monetary standards, established. I expect both problems to be solved sometime in the next decade or two.

Before discussing how a system of electronic currency, private or governmental, might work, it is worth first giving at least one example of why it would be useful – for something more important than allowing men to look at pornography online without their wives or employers finding out.


My email contains much of interest. It also contains READY FOR A SMOOTH WAY OUT OF DEBT?, A Personal Invitation from make_real_money@BIGFOOT.COM, You’ve Been Selected….. from friend@localhost.net, and a variety of similar messages, of which my favorite offers “the answer to all your questions.” The internet has brought many things of value, but for most of us unsolicited commercial email, better known as spam, is not one of them.

There is a simple solution to this problem – so simple that I am surprised it is not yet in common use.1 The solution is to put a price on your mailbox. Give your email program a list of the people you wish to receive mail from. Mail from anyone not on the list is returned with a note explaining that you charge five cents to read mail from strangers – and the URL of the stamp machine. Five cents is a trivial cost to anyone with something to say that you are likely to want to read, but five cents times ten million recipients is quite a substantial cost to someone sending out bulk email on the chance that one recipient in ten thousand may respond.

The stamp machine is located on a web page. The stamps are digital cash. Pay $10 from your credit card and you get in exchange 200 five-cent stamps – each a morsel of encrypted information that you can transfer to someone else who can in turn transfer it.

A virtual stamp, unlike a real stamp, can be reused; it is paying not for the cost of transmitting my mail but for my time and trouble reading it, so the payment goes to me, not the post office. I can use it the next time I want to send a message to a stranger. If lots of strangers choose to send me messages, I can accumulate a surplus of stamps to be eventually changed back into cash.

How much I charge is up to me. If I hate reading messages from strangers, I can make the price $1, or $10, or $100 – and get very few of them. If I enjoy junk email, I can set a low price. Once such a system is established, the same people who presently create and rent out the mailing lists used to send spam will add another service – a database keeping track of what each potential target charges to receive it.

What is in it for the stamp machine – why would someone maintain such a system? Part of the answer is seigniorage – the profit from coining money. After selling a hundred million five-cent stamps, you have five million dollars of money. If your stamps are popular, many of them may stay in circulation for a long time – leaving the money that bought them in your bank account accumulating interest.

In addition to the free use of other people’s money, there is a second advantage. If you own the stamp machine, you also own the wall behind it – the web page people visit to buy stamps. Advertisements on that wall will be seen by a lot of people.

One reason this solution to spam requires ecash is that it involves a large number of very small payments. It would be a great deal clumsier if we used credit cards – every time you received a message with a five-cent stamp, you would have to check with the sender’s bank before reading it to make sure the payment was good. A second reason is privacy. Many of us would prefer not to leave a complete record of our correspondence with a third party – which we would be doing if we used credit cards or something similar. What we want is not merely ecash but anonymous ecash – some way of making payments that provides no information to third parties about who has paid what to whom.


Suppose a bank wants to create a system of ecash. The first and easiest problem is how to provide people with virtual banknotes that cannot be counterfeited.

The solution is a digital signature. The bank creates a banknote that says “First Bank of Cyberspace: Pay the bearer one dollar in U.S. currency.” It digitally signs the note, using its private key. It makes the matching public key widely available. When you come in to the bank with a dollar, it gives you a banknote in the form of a file on a floppy disk. You transfer the file to your hard disk, which now has a one-dollar bill with which to buy something from someone else online. When he receives the file he checks the digital signature against the bank’s public key.

The Double Spending Problem

There is a problem – a big problem. What you have gotten for your dollar is not a single dollar bill but an unlimited number of them. Sending a copy of the file in payment for one transaction does not erase it from your computer, so you can send it again to someone else to buy something else. And again. That is going to be a problem for the bank, when twenty people come in to claim your original dollar bill.

One solution is for the bank to give each dollar its own identification number and keep track of which ones have been spent. When a merchant receives your file he sends it to the bank, which deposits the corresponding dollar in his account and adds its number to a list of banknotes that are no longer valid. When you try to spend a second copy of the note, the merchant who receives it tries to deposit it, is informed that it is no longer valid, and doesn’t send you your goods.

This solves the problem of double spending, but it also eliminates most of the advantages of ecash over credit cards. The bank knows that it issued banknote 94602… to Alice, it knows that it came back from Bill, so it knows that Alice bought something from Bill, just as it would if she had used a credit card.

The solution to this problem uses what David Chaum, the Dutch cryptographer who is responsible for many of the ideas underlying ecash, calls blind signatures. It is a way in which Alice, having rolled up a random identification number for a dollar bill, can get the bank to sign that number (in exchange for paying the bank a dollar) without having to tell the bank what the number they are signing is. Even though the bank does not know the serial number it signed, both it and the merchant who receives the note can check that the signature is valid. Once the dollar bill is spent, the merchant has the serial number, which he reports to the bank, which can add it to the list of serial numbers that are now invalid. The bank knows it provided a dollar to Alice, it knows it received back a dollar from Bill, but it does not know that they are the same dollar. So it does not know that Alice bought something from Bill. The seller has to check with the bank and know that the bank is trustworthy, but it does not have to know anything about the purchaser.

Curious readers will want to know how it is possible for a bank to sign a serial number without knowing what it is. I cannot tell them without first explaining the mathematics of public key encryption, which requires more math than I am willing to assume my average reader has. Those who are curious can find explanations of both public key encryption and blind signatures online.2
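For readers who do want to see it, here is an added example (not from the original chapter) of the best-known way to do what the text describes, a blind signature built on RSA. The key below is constructed from two publicly known primes purely so the example is self-contained; the names Bank, withdraw, blind and unblind are assumptions of this sketch, and hashing the serial number before signing is a simplification of what a production scheme would do.

```python
"""RSA blind signature for an ecash note (teaching sketch, not production code)."""
import hashlib
import secrets
from math import gcd

# Constructed demo key: both primes are publicly known Mersenne primes, so this
# modulus is trivially factorable. A real bank generates secret random primes.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # bank's private exponent


def digest(serial: bytes) -> int:
    """Hash the serial number to an integer (256 bits, far below N)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big")


def verify(serial: bytes, sig: int) -> bool:
    """Anyone holding the public key (N, E) can check a note."""
    return 0 < sig < N and pow(sig, E, N) == digest(serial)


class Bank:
    def __init__(self):
        self.seen_while_signing = []   # every number the bank saw at withdrawal
        self.spent = set()             # serial numbers already deposited

    def sign_blinded(self, blinded: int) -> int:
        """Withdrawal: (debit the customer, then) sign whatever number was sent."""
        self.seen_while_signing.append(blinded)
        return pow(blinded, D, N)

    def deposit(self, serial: bytes, sig: int) -> str:
        """Merchant deposit: check the signature, then the spent list."""
        if not verify(serial, sig):
            return "bad signature"
        if serial in self.spent:
            return "already spent"
        self.spent.add(serial)
        return "ok"


def blind(serial: bytes):
    """Alice hides H(serial) by multiplying it with r^E for a secret random r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    return (digest(serial) * pow(r, E, N)) % N, r


def unblind(blind_sig: int, r: int) -> int:
    """(m * r^E)^D = m^D * r (mod N), so dividing by r leaves m^D."""
    return (blind_sig * pow(r, -1, N)) % N


def withdraw(bank: Bank):
    """Alice rolls up a serial number and gets it signed without revealing it."""
    serial = secrets.token_bytes(32)
    blinded, r = blind(serial)
    sig = unblind(bank.sign_blinded(blinded), r)
    return serial, sig
```

The bank's record of the withdrawal contains only the blinded number, which is unrelated to the serial number and signature the merchant later deposits, so the two events cannot be matched.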

So far I have been assuming that people who receive digital cash can communicate with the bank that issues it while the transaction is taking place – that they and the bank are connected to the internet or something similar. That is not a serious constraint if the transaction is occurring online. But digital cash could also be useful for realspace transactions, and the cabby or hotdog vendor may not yet have an internet connection.

The solution is another clever trick (Chaum specializes in clever tricks). It is a form of ecash that contains information about the person it was issued to but only reveals that information if the same dollar bill is spent twice.3
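An added example (not from the original chapter) of the secret-splitting idea behind that trick: the note carries pairs of random-looking values whose XOR is the owner's identity, and each payment reveals one value from every pair. It is a simplified sketch; the blind signature on the note and the checks that stop a payer from embedding a false identity are omitted, and all names here are assumptions.

```python
"""Identity is revealed only when the same coin is spent twice (simplified)."""
import hashlib
import secrets

K = 16        # pairs per coin; two random challenges coincide with chance 2**-K
ID_LEN = 32   # identity is padded to this many bytes


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def xor(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))


def new_challenge():
    """The merchant picks K random bits at payment time."""
    return [secrets.randbits(1) for _ in range(K)]


class Coin:
    """Payer's view: secret halves plus the public commitments on the note."""

    def __init__(self, identity: str):
        ident = identity.encode().ljust(ID_LEN, b"\0")
        if len(ident) != ID_LEN:
            raise ValueError("identity too long")
        self.serial = secrets.token_hex(16)
        self.halves = []
        for _ in range(K):
            a = secrets.token_bytes(ID_LEN)        # random mask
            self.halves.append((a, xor(a, ident)))  # a XOR b == identity
        self.commitments = [(h(a), h(b)) for a, b in self.halves]

    def answer(self, challenge):
        """Reveal one half of each pair, selected by the merchant's bits."""
        return [self.halves[i][bit] for i, bit in enumerate(challenge)]


def merchant_accept(commitments, challenge, response) -> bool:
    """Offline check: every revealed half must match its commitment."""
    return len(response) == K and all(
        h(r) == commitments[i][bit]
        for i, (bit, r) in enumerate(zip(challenge, response))
    )


class Bank:
    def __init__(self):
        self.deposits = {}   # serial -> (challenge, response) from first deposit

    def deposit(self, serial, commitments, challenge, response):
        if not merchant_accept(commitments, challenge, response):
            return ("rejected", None)
        if serial not in self.deposits:
            self.deposits[serial] = (challenge, response)
            return ("credited", None)
        old_challenge, old_response = self.deposits[serial]
        for i in range(K):
            if old_challenge[i] != challenge[i]:
                # Both halves of pair i are now known: XOR gives the identity.
                raw = xor(old_response[i], response[i]).rstrip(b"\0")
                return ("double spent", raw.decode("utf-8", "replace"))
        return ("duplicate deposit", None)   # same transcript handed in twice
```

A single payment shows the bank only random masks; the second payment with a different challenge exposes both halves of at least one pair.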

Skeptical readers should at this point be growing increasingly unhappy at being told that everything about ecash is done by mathematics that I am unwilling to explain here – which they may reasonably enough translate as “smoke and mirrors.” For their benefit I have invented my own form of ecash – one that has all of the features of the real thing and can be understood with no mathematics beyond the ability to recognize numbers. It is a good deal less convenient than Chaum’s version but a lot easier to explain, and so provides at least a possibility proof for the real thing.

    Low-Tech ECash

    1. I randomly create a very long number. I put the number and a dollar bill in an envelope and mail it to the First Bank of Cybercash. The FBC agrees – in a public statement – to do two things with money it receives in this way:

    2. If anyone walks into the FBC and presents the number, he gets the dollar bill associated with that number.

    3. If the FBC receives a message that includes the number associated with a dollar bill it has on deposit, instructing the FBC to change it to a new number, it will make the change and post the fact of the transaction on a publicly observable bulletin board. The dollar bill will now be associated with the new number.

Let’s see how this works:

Alice has sent the FBC a dollar, accompanied by the number 59372. She now wants to buy a dollar’s worth of digital images from Bill, so she emails the number to him in payment. Bill emails the FBC, sending them three numbers: 59372, 21754, and 46629.

The FBC checks to see if it has a dollar on deposit with number 59372; it does. It changes the number associated with that dollar bill to 21754, Bill’s second number. Simultaneously, it posts on a publicly observable bulletin board the statement “the transaction identified by 46629 has gone through.” Bill reads that message, which tells him that Alice really had a dollar bill on deposit and it is now his, so he emails her a dollar’s worth of digital images.

Alice no longer has a dollar, since if she tries to spend it again the bank will report that it is not there to be spent – the FBC no longer has a dollar associated with the number she knows. Bill now has a dollar, since the dollar that Alice originally sent in is now associated with a new number and only he and the bank know what it is. He is in precisely the same situation that Alice was in before the transaction, so he can now spend the dollar to buy something from someone else. Like an ordinary paper dollar, the dollar of ecash in my system passes from hand to hand. Eventually someone who has it decides he wants a dollar of ordinary cash instead; he takes his number, the number that Alice’s original dollar is now associated with, to the FBC and exchanges it for a dollar bill.

My ecash may be low tech, but it meets all of the requirements. Payment is made by sending a message. Payer and payee need know nothing about the other’s identity beyond the address to send the message to. The bank need know nothing about either party. When the dollar bill originally came in, the letter had no name on it, only an identifying number. Each time it changed hands, the bank received an email but had no information about who sent it. When the chain of transactions ends and someone comes into the bank to collect the dollar bill he need not identify himself; even if the bank can somehow identify him he has no way of tracing the dollar bill back up the chain. The virtual dollar in my system is just as anonymous as the paper dollars in my wallet.

With lots of dollar bills in the bank there is a risk that two might by chance have the same number, or that someone might make up numbers and pay with them in the hope that the numbers he invents will, by chance, match numbers associated with dollar bills in the bank. But both problems become insignificant if instead of using 5-digit numbers we use 100-digit numbers. The chance that two random 100-digit numbers will turn out to be the same is a good deal less than the chance that payer, payee, and bank will all be struck by lightning at the same time.
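The low-tech scheme is simple enough to run. The following added example (not from the original chapter) models the FBC's two public promises and a wallet program that rolls the 100-digit numbers on the user's behalf; the class and method names are assumptions of this sketch.

```python
"""Low-tech ecash: the bank tracks numbers, never names."""
import secrets

DIGITS = 100   # the text's answer to collisions and guessing


def roll_number() -> str:
    """A random 100-digit number from the operating system's secure source."""
    return "".join(secrets.choice("0123456789") for _ in range(DIGITS))


class FBC:
    """First Bank of Cybercash."""

    def __init__(self):
        self.on_deposit = set()     # numbers currently associated with a dollar
        self.bulletin_board = []    # publicly observable transaction ids

    def mail_in(self, number: str) -> None:
        """An envelope arrives containing a dollar bill and a number."""
        if number in self.on_deposit:
            raise ValueError("number already in use")
        self.on_deposit.add(number)

    def change_number(self, old: str, new: str, txid: str) -> None:
        """Promise 2: re-associate the dollar and post the transaction id.
        An unknown old number is ignored, so nothing appears on the board."""
        if old not in self.on_deposit or new in self.on_deposit:
            return
        self.on_deposit.remove(old)
        self.on_deposit.add(new)
        self.bulletin_board.append(txid)

    def redeem(self, number: str) -> bool:
        """Promise 1: whoever presents the number gets the dollar bill."""
        if number in self.on_deposit:
            self.on_deposit.remove(number)
            return True
        return False


class Wallet:
    """The program that handles the numbers so the user does not have to."""

    def __init__(self, bank: FBC):
        self.bank = bank
        self.numbers = []           # each entry is one dollar

    def buy_dollar(self) -> None:
        number = roll_number()
        self.bank.mail_in(number)
        self.numbers.append(number)

    def pay(self) -> str:
        """Hand a number to the payee (sent by email in the text)."""
        return self.numbers.pop()

    def receive(self, number: str) -> bool:
        """Payee side: send three numbers to the bank, then watch the board."""
        new, txid = roll_number(), roll_number()
        self.bank.change_number(number, new, txid)
        if txid in self.bank.bulletin_board:
            self.numbers.append(new)   # the dollar is now ours
            return True
        return False                   # no posting: do not ship the goods

    def cash_out(self) -> bool:
        return self.bank.redeem(self.numbers.pop())
```

If Alice keeps a copy of her number and sends it to a second payee after Bill has already claimed it, that payee's receive call returns False because the bank posts nothing.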

Robot Mechanics

It may have occurred to you that if you have to roll up a 100-digit random number every time you want to buy a dollar of ecash from the bank and two more every time you receive one from anyone else, not to mention sending off one anonymous email to the bank for every dollar you receive, ecash may be more trouble than it is worth. Don’t worry – that’s your computer’s job, not yours. With a competently designed ecash system, the program takes care of all mathematical details; all you have to worry about is having enough money to pay your (virtual) bills. You tell your computer what to pay to whom; it tells you what other people have paid to you and how much money you have. Random numbers, checks of digital signatures, blind signing, and all the rest is done in the background. If you find that hard to believe, consider how little most of us know about how the tools we routinely use, such as cars, computers, or radios, actually work.


When Chaum came up with the idea of ecash, email was not yet sufficiently popular to make spam an issue. What motivated him was the problem we discussed back in Chapter 4 – the loss of privacy created by the ability of modern information processing to combine publicly available information into a detailed portrait of each individual.

Consider an application of ecash that Chaum has actually worked on – automated toll collection. It would be very convenient if, instead of stopping at a toll booth when getting on or off the interstate, we could simply drive past, making the payment automatically in the form of a wireless communication between the (unmanned) tollbooth and the car. The technology to do this exists and has long been used to provide automated toll collection for busses on some roads.

One problem is privacy. If the payment is made with a credit card, or if the toll agency adds up each month’s tolls and sends you a bill, someone has a complete record of every trip you have taken on the toll road, every time you have crossed a toll bridge. If we deal with auto pollution by measuring pollutants in the exhaust plumes of passing automobiles and billing their owners, someone ends up with detailed, if somewhat fragmentary, records of where you were when.

Ecash solves that problem. As you whiz past the tollbooth, your car pays it fifty cents in anonymous ecash. By the time you are thirty feet down the road, the (online) tollbooth has checked that the money is good; if it isn’t, an alarm goes off, a camera triggers, and if you do not stop, a traffic cop eventually appears on your tail. But if your money is good you go quietly about your business – and there is no record of your passing the tollbooth. The information never came into existence, save in your head. Similarly for an automated system of pollution charges.

It works for shopping as well. Ecash – this time encoded in a smart card in your wallet, a palmtop computer in your pocket, or perhaps even a tiny chip embedded under your skin4 – could provide much of the convenience of a credit card with the anonymity of cash. If you want the seller to know who you are, you are free to tell him. But if you prefer to keep your transactions private, you can.


My examples so far assume that ecash will be produced and redeemed by private banks but denominated in government money. Both are likely, at least in the short run. Neither is necessary.

Private money denominated in dollars is already common. My money market fund is denominated in dollars, although Merrill Lynch does not actually have a stack of dollar bills in a vault somewhere that corresponds to the amount of money “in” my account. My university ID card doubles as a money card, with some number of dollars stored on its magnetic strip – a number that decreases every time I use the card to buy lunch on campus. A bank could issue ecash on the same basis. Each dollar of ecash represents a claim to be paid a dollar bill. The actual assets backing that claim consist not of a stack of dollar bills but of stocks, bonds, and the like – which have the advantage of paying the bank interest for as long as the dollar of ecash is out there circulating.

While I do not have to know anything about you in order to accept your ecash, I do have to know something about the bank that issues it – enough to be sure that the money will eventually be redeemed. That means that any ecash expected to circulate widely will be issued by organizations with reputations. In a world of almost instantaneous information transmission, those organizations will have a strong incentive to maintain their reputations, since a loss of confidence will result in money holders bringing in virtual banknotes to be redeemed, eliminating the source of income that the assets backing those banknotes provided.

Some economists, in rejecting the idea of private money, have argued that such an institution is inherently inflationary. Since issuing money costs a bank nothing and gives it the interest on the assets it buys with the money, it is always in the bank’s interest to issue more. The rebuttal to this particular argument was published in 1776. When Adam Smith wrote The Wealth of Nations, the money of Scotland consisted largely of banknotes issued by private banks, redeemable in silver.5 As Smith pointed out, while a bank could print as many notes as it wished, it could not persuade other people to hold an unlimited number of its notes. A customer who holds $1,000 in virtual cash – or Scottish banknotes – when he only needs $100 is giving up the interest he could have been earning if he had held the other $900 in some interest-earning asset instead. That is a good reason to limit his cash holdings to the amount he actually needs for day-to-day transactions.

What happens if a bank tries to issue more of its money than people wish to hold? The excess comes back to be redeemed. The bank is wasting its resources printing money, trying to put it into circulation, only to have each extra banknote promptly returned for cash – in Smith’s case, silver. The obligation of the bank to redeem its money guarantees its value, and at that value there is a fixed amount of its money that people will choose to hold.

Let us suppose that all the paper of a particular bank, which the circulation of the country can easily absorb and employ, amounts exactly to forty thousand pounds; and that for answering occasional demands, this bank is obliged to keep at all times in its coffers ten thousand pounds in gold and silver. Should this bank attempt to circulate forty-four thousand pounds, the four thousand pounds which are over and above what the circulation can easily absorb and employ, will return upon it almost as fast as they are issued. (Wealth of Nations, Bk I, chapter 2)

So far I have assumed that future ecash will be denominated in dollars. Dollars have one great advantage – they provide a common unit already in widespread use. They also have one great disadvantage – they are produced by a government, and it may not always be in the interest of that government to maintain their value in a stable, or even predictable, way. On past evidence, governments sometimes increase or decrease the value of their currency, inadvertently or for any of a variety of political purposes. In the extreme case of hyperinflation, a government tries to fund its activities with the printing press, rapidly increasing the amount of money and decreasing its value. In less extreme cases, a government might inflate in order to benefit debtors by inflating away the real value of their debts – governments themselves are often debtors, hence potential beneficiaries of such a policy – or it might inflate or deflate in the process of trying to manipulate its economy for political ends.6

Dollars have a second disadvantage, although perhaps a less serious one. Because they are issued by a particular government, citizens of other governments may prefer not to use them. This has not prevented dollars from becoming a de facto world currency, but it is one reason why a national currency might not be the best standard to base ecash on. The simplest alternative would be a commodity standard, making the unit of ecash a gram of silver or gold or some other widely traded commodity.

Under such a commodity standard the monetary unit, while no longer under the control of a government, is subject instead to the forces that affect the value of the particular commodity it is based on. If large amounts of gold are discovered or if someone invents new and better techniques for extracting gold from low-grade ore, the value of gold, and of gold-based money, will decline.7 If, on the other hand, important new uses for gold are found but little new gold is mined, the value of gold will rise and prices fall. Thus commodity money carries with it at least some risk of unpredictable fluctuations in its value, and hence in prices measured in it.

That problem is solved by replacing a simple commodity standard with a commodity bundle. Bring in a million Friedman dollars and I agree to give you in exchange 10 ounces of gold, 40 ounces of silver, ownership of 1,000 bushels each of grade A wheat and grade B soybeans, a ton of grade S30040 stainless steel…. If the purchasing power of a million of my dollars is less than the value of the bundle, it is profitable for people to assemble a million Friedman dollars, exchange them for the bundle, and sell the contents of the bundle – forcing me to make good on my promise and, in the process, reducing the amount of my money in circulation. If the purchasing power of my money is more than the worth of the commodities it trades for, it is in my interest to issue more money. Since the bundle contains lots of different commodities, random changes in commodity prices can be expected to roughly average out, giving us a stable standard of value.

A commodity bundle is a good theoretical solution to the problem of monetary standards, but implementing it has a serious practical difficulty – getting all the firms issuing ecash to agree on the same bundle. If they fail to establish a common standard, we end up with a cyberspace in which different people use different currencies and the exchange rates between them vary randomly.

That is not an unworkable situation – Europeans lived with it for a very long time – but it is a nuisance. Life is easier if the money I use is the same as the money used by the people I do business with. On that fact our present world system – multiple government moneys, each with a near monopoly within the territory of the issuing government – is built. It works because most transactions are with people near you and people near you probably live in the same country you do. It works less well in Europe than in North America because the countries are smaller, which is why the European countries have largely moved from national currencies to the euro.

A system of multiple monopoly government moneys works less well in cyberspace because in cyberspace national borders are transparent. For information transactions, geography is irrelevant – I can download software or digital images from London as easily as from New York. For online purchases of physical objects geography is not entirely irrelevant, since the goods have to be delivered, but less relevant than in realspace shopping. With a system of national currencies, everyone in cyberspace has to juggle multiple currencies in the process of figuring out who has the best price and paying it. The obvious solution is to establish a single standard of value, either by adopting one national currency, probably the dollar, possibly the euro, or by establishing a private standard such as the sort of commodity bundle described earlier.

That may not be the only solution. The reason that everyone wants to use the same currency as his neighbors is that currency conversion is a nuisance. But currency conversion is arithmetic and computers do arithmetic fast and cheap. Perhaps, with some minor improvements in the interfaces on which we do online business, we could make the choice of currency irrelevant, permitting multiple standards to coexist.

I live in the United States; you live in India. You have goods to sell, displayed on a web page, with prices in rupees. I view that page through my brand new browser – Firefox v 9.0. One feature of the new browser is that it is currency transparent. You post your prices in rupees but I see them in dollars. The browser does the conversion on the fly, using exchange rates read, minute by minute, from my bank’s web page. If I want to buy your goods, I pay in dollar-denominated ecash; my browser sends it to my bank, which sends rupee-denominated ecash to you. I neither know nor care what country you are in or what money you use – it’s all dollars to me.

Currency transparency will be easiest online, where everything filters through browsers anyway. One can imagine, with a little more effort, realspace equivalents. An unobtrusive tag on my lapel gives my preferred currency, an automated price label on the store shelf reads my tag and displays the price accordingly. Alternatively, the price is displayed by a dumb price tag, read by a smart video camera set into the frame of my glasses, converted to my preferred currency by my pocket computer, and written in the air by the heads-up display generated by the eyeglass lenses.

As I write, the countries of Europe are in the final stages of replacing their multiple national currencies with the euro. If the picture I have just painted turns out to be correct, they may have finally achieved a common currency just as it was becoming unnecessary.

We now have three possibilities for ecash. It might be produced by multiple issuers but denominated in dollars or some other widely used national money. It might be denominated in some common nongovernmental standard of value – gold, silver, or a commodity bundle. It might be denominated in a variety of different standards, perhaps including both national monies and commodities, with conversion handled transparently, so that each individual sees a world where everyone is using his money. Any of these forms of ecash might be produced by private firms, probably banks, or by governments.8

Will It Happen?

During World War II, George Orwell wrote regular articles for Partisan Review, an American magazine. Near the end of the war, he wrote a retrospective in which he discussed what he had gotten right and what wrong.9 One of his conclusions was that he was generally right about the way the world was moving, wrong about how fast it would get there. He correctly saw the logical pattern but failed to allow for the enormous inertia of human society.

Similarly here. David Chaum’s articles laying out the groundwork for fully anonymous electronic money were published in technical journals in the 1980s and summarized in a 1992 article in Scientific American. Ever since then various people, myself among them, have been predicting the rise of ecash along the lines he sketched. While pieces of his vision have become real in other contexts, there is as yet nothing close to a fully anonymous ecash available for general use. Chaum himself, working with the Mark Twain Bank of Saint Louis, attempted to get a semi-anonymous ecash into circulation – one that permitted one party to a transaction to be identified by joint action of the other party and the bank. The effort failed and was abandoned.10

One reason it has not happened is that online commerce has only very recently become large enough to justify it. A second reason, I suspect but cannot prove, is that national governments are unhappy with the idea of a widely used money that they cannot control and so are reluctant to permit (heavily regulated) private banks to create such a money. A third and closely related reason is that a truly anonymous ecash would eliminate a profitable form of law enforcement. There is no practical way to enforce money-laundering laws once it is possible to move arbitrarily large amounts of money anywhere in the world, untraceably, with the click of a mouse. A final reason is that ecash is only useful to me if many other people are using it, which raises a problem in getting it started.

These factors have slowed the introduction of ecash. I do not think they will stop it. It only takes one country willing to permit it and one issuing institution in that country willing to issue it, to bring ecash into existence. Once it exists, it will be politically difficult for other countries to forbid their citizens from using it and practically difficult, if it is forbidden, to enforce the ban. There are a lot of countries in the world, even if we limit ourselves to ones with sufficiently stable institutions so that people elsewhere will trust their money. Hence my best guess is that some version of one of the moneys I have described in this chapter will come into existence sometime in the next decade or so.


1 There are current projects along these lines, both commercial and academic.

2 For the mathematically serious, a series of posts sketching the math of an approach to blind signatures and some related material: 1 2 3 4

3 Hal Finney's explanation of the double spending problem and Chaum's solution to it.

4 A current proposal for credit cards.

5 White, 1995.

6 Friedman (1986, 90) Chapter 19, Friedman (1986) Chapter 22.

7 The example is not wholly imaginary. At the end of the nineteenth century, the combined effect of the discovery of the South African gold fields and the invention of the cyanide process for extracting gold from low-grade ore led to a gold inflation, although a mild one compared to fiat money inflations. An earlier gold (and silver) inflation was produced in the sixteenth century by the inflow of both metals from the New World.

8 E-gold is a current product along these lines. So far as I know, their money is not an anonymous ecash, but it is set up so that your holding is defined in gold but payments can be converted into a variety of currencies.

9 “London Letter to Partisan Review,” in Orwell, 1968, p. 293.

10 Information on Digicash. Mark Twain Bank closes down the digicash experiment.