Alan L Tyree

Virtual Cash III

In the two previous articles in this series we have seen how cryptography allows pure electronic messages to assume the most important characteristics of written messages.1 We have seen how this technology may be used to implement secure methods of payment over open channels of communication. These methods are known generically as "digital coins". The use of the word "coins" reflects the small transaction orientation of these systems, an orientation made possible by the very low transaction cost. However, there is no inherent limitation on the size of a "digital coin". We have also noted that the "digital coin" bears a remarkable resemblance to the historical banknote.

This concluding part of the series will discuss some of the legal issues of the new payment methods. Some of the legal issues are similar to those raised by the introduction of "smart cards". These issues have been discussed recently in this Journal.2

Payment system confidence

Any system of payments must maintain a very high standard of confidence in the payment system. The value stored on a smart card or in the digital coin represents a liability of the issuer in favour of the card or coin holder. That the liability may be readily and completely transferred to a wide range of third parties is what makes a payment system. If the system is to be successful as a payments system then there must be confidence that the liability can be met.

It was this concern that has led the Working Group on European Union Payment Systems to recommend that only "credit institutions", that is, those institutions that are supervised by central banks or other authorities, should be permitted to issue smart cards.3 Although that is a solution which can be implemented nationally in a card system it seems unlikely that issuers of digital coins can be so restrained.

Restraining issuers of digital coins may be impossible. The technology required is minimal and we have enough experience to know that countries which see a benefit will provide "digital coin havens" for operators who are prevented from operating by the regulatory bodies of other countries. There is no current regulatory method available which would prevent Australian citizens from maintaining and using "virtual accounts" in any part of the world. Indeed, from the point of view of the user, maintaining a foreign account is no more difficult or inconvenient than using one in the same suburb.4

The second aspect of payment system confidence is the integrity of the payment method itself. The possibility of an unauthorised person to alter the contents of a smart card or of the digital coin message introduces the spectre of counterfeiting into the system, but it is a spectre that is substantially more frightening than normal counterfeiting. It might be very difficult or impossible to detect the smart card counterfeiting particularly if card-to-card transactions are permitted.

The difficulty of detecting digital coin counterfeiting will depend upon the particular form in which the system is introduced. However, the need to guard against "double spending" may also provide the means for early detection of counterfeiting. Protection against double spending is achieved through keeping a database of coin serial numbers. In a simple system where the bank knows the serial numbers of issued coins, the database contains the serial numbers of all issued coins. The serial number of an incoming coin is checked to verify that it has been issued and not previously spent.

In the "blind signature" systems the bank does not know the serial numbers of issued coins. The database contains all of the coins which have ever been spent. The check is against the list of all coins which have been spent. In this system, other methods for detecting counterfeit coins must be implemented.

Some protection against counterfeiting may be obtained by other operational means. It would be possible to introduce limits to the amounts that may be loaded on cards or the amount of the individual coin, or to limit the maximum size of individual payments. More controversial would be to monitor the activities of individual cards or internet payments, a problem in privacy that is discussed below. Once again, while these operational protections may work well for smart cards, their application to digital coins will depend upon the cooperation of authorities in foreign jurisdictions. Past experience is not encouraging.

Money Laundering and tax avoidance

If smart cards and digital coins do assume characteristics of currency then there is a need to deal with the problem of illicit transfers. If there is no limit on the amount that may be loaded on a smart card and if card-to-card transfers are permitted, then the card becomes much more attractive than currency as a means of moving "black" money. The attraction of digital coins is even greater since international transfers are no more difficult than local ones.

Unfortunately, some suggested solutions to the money laundering problem, limits on amounts,5 limits on the acceptable range of transfers, monitoring the movements on individual cards, all limit the attractiveness of the smart card/digital coin as a general purpose payment method. Some of these measures would be difficult to implement in a smart card system, more difficult or impossible in a digital coin system. There is no obvious solution to the money laundering problem even when "hard currency" is the medium of exchange.

However, it is easy to overstate the effect of new payment systems on the money laundering problem. It must be remembered that the main problem for the launderer is to convert ill-gotten gains to gains which appear to be legitimate. Where the money is "laundered" through some legitimate Australian enterprise, the particular form of the money would not seem to be particularly important.

However, where money can be smuggled out of Australia and converted to a foreign currency, then "laundering" is much easier since it may be re-imported in the guise of payment for some goods or services. Smuggling a smart card loaded with $1m value or transferring $1m worth of digital coin is certainly easier than smuggling a suitcase of cash, but there is still the very significant problem of converting the amount to electronic form in the first place.

As long as all payment transfers to/from Australia must ultimately pass through a bank or other financial institution, the actual method of payment does not seem particularly relevant to the money laundering problem. In order for black money to be converted to electronic funds the services of a "cash dealer" must be used.6 The methods used now by AUSTRAC7 are independent of payment form and there is little reason to suppose that they will be any more or any less effective when cards or digital coins are the method of payment.

It must be acknowledged that digital cash may open the door to new forms of enterprise which would avoid the current structures. For example, an Australian could operate a computer site in some remote country which permitted pornographic material to be loaded on WWW sites. Payment for the service could be by digital coin which would then be deposited in an account in a remote location. The illicit operator could then launder the money by paying himself/herself for consulting services. The operation of offshore electronic casinos is also an obvious possibility.8

Similarly, if existing domestic black market operations could be organised so that their income is in electronic form then the new payment systems could be used to circumvent the existing AUSTRAC surveillance. Somehow the vision of large numbers of street drug deals being made with smart card payment seems remote. It is, however, not impossible and forms part of the scenario of those who are concerned about the use of electronic money to evade normal money laundering surveillance.

Further, it must also be admitted that the bad guys are clever. If methods can be devised for making a clandestine conversion from currency to digital money then the hope of tracing it is slim.

The need to track money movements must be kept in perspective. The use of "money trail" methods is relatively recent. Police enforcement agencies were able to take advantage of certain aspects of the payments system to pursue their objectives. In my opinion, the desire for anonymous payments is a legitimate one, and the needs of law enforcement are only one factor in the consideration of the form of the payments system. There is an understandable tendency among law enforcement agencies to believe that their needs should dictate the form of the system.9

Consumer Protection

The consumer problems posed by smart cards and digital coins are unlikely to be different in principle to those posed by EFT generally. What happens with lost cards? What happens when there is an unauthorised transaction? What happens when a transaction goes wrong in some way? How are costs and charges to be distributed among the players in a smart card/digital coin system? And so on.

The EFT Code of Conduct provides a reasonably fair means of dealing with these problems where the transaction falls within the terms of the code. A transaction does not fall within the terms of the code unless initiated with a card and PIN. Some smart card transactions may require a PIN to complete,10 but most will not. The Code requires dispute resolution procedures which ensure that the customer has a forum in the event that the dispute cannot be resolved in-house.11

Digital coin transactions are almost certain to be outside the scope of the Code. The transaction is unlikely to be initiated with a card, although it might be argued that the Private Key is a :Personal Identification Number" for the purposes of the Code.

While it will probably be possible to devise a Code of Practice for the use of smart cards in Australia, the outlook for consumer protection in digital coin transactions is less promising. The reason, once again, is the trans-jurisdictional nature of digital cash.

Take a simple example. An Australian consumer is "surfing" the internet and discovers some information which he or she wishes to acquire. The information is located on a server at Tblisi Tech. The "store owner", Tblisi Tech, will accept digital coins issued by the First Virtual Bank of Ulan Bator. The Australian keeps an account with the Digital Bank of the Bahamas, but the account needs funds. An order to a local bank, Freezepac, directs funds to the Bahaman bank. Digital coins issued by that bank are then used to purchase digital coins issued by the bank in Ulan Bator. Those coins are used to purchase the information from Tblisi Tech.

A transaction such as this could, of course, be carried out at the present day with mail order forms and various paper/electronic transfer methods. The point is that although it is possible, it does not in fact happen at the consumer level because of the transaction costs involved. Internet payment mechanisms provide the possibility of such transactions becoming commonplace.

How shall we begin to address the consumer protection problems inherent in such transactions? "Consumer education" is the only solution that springs to mind, a strategy which has proved itself to be so ineffective that it is the major strategy promoted by providers who wish that the consumer protection debate would simply go away.

Some comforting thoughts

The main use of international internet payments will probably be for small items. As we noted at the outset, the most exciting commercial possibilities relate to the sale of small amounts of information or software. This fact will help to keep the consumer protection problem in check where the transaction is an international one.

Domestic payments over the internet can be controlled and regulated in the same way as any other payment form. So, for example, it could be a requirement that Australian business receiving internet payments of more than a certain value must receive only coins issued by an Australian bank or that they bear the risk of default if they accept non-Australian issued coins. This would allow consumer protection at the domestic level to proceed in a familiar fashion through the development of a Code of Practice.

There is another form of protection built into the internet payment system. The failure of an issuing institution may not be too traumatic since there is no real reason to store digital coins. Coins can be issued only seconds before they are spent and deposited. The "exposure" of an institution at any one time may be small. This is quite different from the traditional banknote issue where there may be large sums of money outstanding.

The point of these "comforting thoughts" is that a new payment system does not spring into existence overnight. We have time to address problems posed by the new systems and to provide incremental solutions as the problems occur. There are real problems, however, and the "comforting thoughts" are not to be taken as an excuse for doing nothing.

Alan L Tyree
Landerer Professor of Information Technology and Law
University of Sydney

1  Tyree, AL, "Virtual Cash - Payments on the Internet" (1996) 7 JBFLP 35 - 38; "Virtual Cash II", (1996) 7 JBFLP XXXX.

2  Tyree, AL, "Smart Cards", (1995) 6 JBFLP 297 - 299

3  Report to the Council of the European Monetary Institute on Prepaid Cards by the Working Group on EU Payment Systems, May 1994.

4  This can already be seen in the operation of DigiCash. The company is a Dutch company operating through American, German and Finland banks at the present time.

5  In an effort to combat money laundering the United States has recently ceased the issue of notes with a face value of more than $100: see Wenninger and Laster, "The Electronic Purse" in (1995) Current Issues in Economics and Finance 1.

6  "Cash dealer" is defined in the Financial Transactions Reports Act 1988 (CTH). The term includes entities as disparate as banks and bookmakers.

7  AUSTRAC is the Australian Transaction Reports and Analysis Centre, formally the Cash Transaction Reports Agency.

8  The ealy trials of DigiCash involved issuing "Cyberbucks" to testers. These Cyberbucks could be used, inter alia, for playing casino games at an electronic casino run by the University of Newcastle as part of the trial. The casino was closed down under threat of prosecution by the NSW Police.

9  For the law enforcement view, see Lapworth, C "Anonymous untraceable payments on the Internet", Proceedings of the First Australian Computer Money Day Conference held at the University of Newcastle, 28 March 1996.

10  One suggestion is that the card be programmed so that transactions for more than some threshold amount would require a PIN to complete.

11  The Code requires only that an independent mechanism be established. The most elaborate of these mechanisms is the Australian Banking Industry Ombudsman.