Off And On
Digital currency should be like cash, in that it should carry on working when the network is down.
Dateline: Woking, 3rd January 2022.
One of the great attractions of building a new digital cash infrastructure to implement a digital currency, instead of just laying a simple peer-to-peer protocol on top of the existing digital money infrastructure, is that it would add diversity to the payment system and therefore increase resilience in this vital national infrastructure.
When Monzo went down in the UK just before Christmas, thousands of customers were unable to make or receive any payments. Many of them, no doubt, had to resort to finding an ATM and withdrawing cash to buy their presents.
If the existing digital money infrastructure goes down for any reason - and this happens all the time - it seems to me that a parallel digital cash system built on different rails should carry on working. A Bank of Japan research paper on the subject identified universal access and resilience as two key characteristics of a digital currency. It must be possible, in their view, to use a digital yen without electricity, especially given Japan’s recent earthquakes and power outages.
This ability to transact between devices that are not connected to a network at all, whether because the cloud is down, there is no mobile network, or there is no power because of a natural disaster, was also a key design requirement for the Chinese digital currency, as it should be for any other digital currency that intends to replace, or even complement, cash.
That’s actually a tougher ask than it seems at first and December’s failure at Amazon Web Services (AWS), when the Amazon cloud vanished not once but twice, shows just how tough. Amazon have all the money in the world and I don’t doubt they employ some of the very best engineers in the world, but even that combination can’t deliver 100% uptime. And when AWS went down, the impact was significant. Indeed, as the Wall Street Journal pointed out, some vacuum cleaners, light switches and cat-food dispensers stopped working. That’s survivable - I can get by for a few hours without watching Netflix - but I would imagine the impact on the economy would be somewhat greater if money stopped working for a while.
Up and Down
It is not possible to spend an infinite amount of money to get 100% uptime (even for the most systemically important payment systems of all - look at the complete failure of all payment transactions within the Euro Target2 system for several hours last year, with backup systems and contingency modules also initially unable to function). Spending more money on the existing infrastructure exhibits diminishing returns in this respect, which is why a parallel infrastructure is the more cost-effective way to achieve the resilience that society needs.
Resilience must be on the minds of others looking to deliver population-scale cash alternatives across the globe. Facebook is one of them. Their Novi wallet now allows (some) US customers to exchange digital dollars across WhatsApp and they have great plans for it. Mark Zuckerberg told Congress that the Libra (now Diem) digital currency would “extend America’s financial leadership”, yet only a couple of weeks ago his services were down too when an outage left almost three billion internet users unable to access Facebook, Instagram, WhatsApp, Facebook Messenger and other tools for roughly six hours.
(The Facebook outage has interesting ramifications that go way beyond people sending stupid pictures of cats to each other. In large parts of the world Facebook, and in particular WhatsApp, are national infrastructure. They are vital to business, whether they carry payments or not.)
In addition to potential equipment failures, programming mistakes, server hacks and software upgrades-gone-wrong, there is the infrastructure of the communications to and from the servers: the interweb tubes. For most people, in most of the world, this means mobile phones. We often talk about creating financial services for a mobile-first generation in the developed world, but the developing world needs financial services that are mobile-only. Yet mobile networks can go down because of fires or floods or management incompetence and commerce must not stop when they do!
On And Off
What all of this means is that, as I have repeatedly pointed out (e.g., here in Forbes), a digital currency that is to function at population scale in both developed and developing countries must be able to work off-line. If it cannot work off-line then it is not a viable cash replacement and not a viable strategic platform for new financial services. Suppose that Facebook's Novi wallet becomes as important to the economies of countries around the world as banking networks are today? In that environment a six-hour outage could be completely catastrophic and inflict serious damage on national economies because payments are the only part of the financial infrastructure that is actually critical.
(It doesn't particularly matter if the stock exchange goes down for a few days or if bond issues are delayed by a day or two. But if the payment system goes down the real economy grinds to a halt.)
For most of the world, offline use is actually the most important characteristic of digital cash. Speaking at a recent Ghana Economic Forum, Kwame Oppong (head of fintech and innovation at the Bank of Ghana), said that efforts to bring financial services to people without access to bank accounts are hindered by "the availability of connectivity and power". This is why a central bank digital currency (CBDC) retail infrastructure must be constructed from a new set of building blocks that sit in parallel to the electronic money infrastructure to bring diversity and resilience to the payments network. Credit cards won’t work if the network is down and nor will Bitcoin, so we need to look elsewhere for the new infrastructure.
This is one of the aspects of digital currency that fascinates me. Some innovative thinking will be required to deliver a genuine cash alternative into mass markets and my strong suspicion is that it will depend on the use of secure, tamper-resistant hardware. Visa’s proposed Offline Payment System (OPS) works this way. It implements digital currency using digital signatures generated in such hardware, in the form of Trusted Execution Environments (TEEs) in mobile phones and laptops and so on. This is only one of the solutions being proposed but it illustrates the general class of most-likely implementation rather well: since these chips cannot be cloned, they provide a means to prevent the subversion of transactions even when they are device-to-device with no blockchain or database in sight.
These TEEs are chips (just like the chips on bank cards or the SIM cards inside mobile phones) that cost next to nothing. Given the fact that banks and telecommunications operators are not bankrupt, they seem to provide pretty solid protection for a mass market solution and, as IDEMIA point out when discussing their offline CBDC solution developed with ConsenSys, they can be embedded in a wide range of devices (not only smart cards or mobile phones).
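The general idea described above (a signing key that exists only inside tamper-resistant hardware, which debits its own balance before it signs) can be modelled in a few lines. This is an added sketch, not code from the original post and not Visa's OPS or IDEMIA's protocol: the `Wallet` class, the message layout, the counter-based replay check and the choice of RSA from Ruby's standard `openssl` library are all assumptions made for illustration.

```ruby
require "openssl"

# Hypothetical model of the wallet state held inside a tamper-resistant chip.
class Wallet
  attr_reader :pub, :cert, :balance

  def initialize(issuer_key, funds)
    @key = OpenSSL::PKey::RSA.new(2048)      # signing key, never leaves the chip
    @pub = @key.public_key.to_der            # device identity
    @cert = issuer_key.sign("SHA256", @pub)  # issuer vouches for genuine hardware
    @issuer = issuer_key.public_key
    @balance, @counter, @seen = funds, 0, Hash.new(0)
  end

  # Bytes covered by the payer's signature.
  def self.body(t)
    [t[:payer].unpack1("H*"), t[:payee].unpack1("H*"), t[:amount], t[:ctr]].join("|")
  end

  # Debit before signing, so the chip cannot sign away value it no longer holds.
  def pay(payee_pub, amount)
    raise ArgumentError, "insufficient funds" unless amount.positive? && amount <= @balance
    @balance -= amount
    @counter += 1
    t = { payer: @pub, payee: payee_pub, cert: @cert, amount: amount, ctr: @counter }
    t.merge(sig: @key.sign("SHA256", Wallet.body(t)))
  end

  # Credit only a certified, correctly addressed, unseen transfer.
  def receive(t)
    return :uncertified unless @issuer.verify("SHA256", t[:cert], t[:payer])
    payer = OpenSSL::PKey::RSA.new(t[:payer])
    return :forged unless payer.verify("SHA256", t[:sig], Wallet.body(t))
    return :misaddressed unless t[:payee] == @pub
    return :replayed unless t[:ctr] > @seen[t[:payer]]
    @seen[t[:payer]] = t[:ctr]
    @balance += t[:amount]
    :accepted
  end
end

# Constructed scenario: one genuine payment, then three ways of abusing it.
def demo
  issuer = OpenSSL::PKey::RSA.new(2048)
  alice, bob, carol = [50, 0, 0].map { |funds| Wallet.new(issuer, funds) }
  t = alice.pay(bob.pub, 30)
  [bob.receive(t), bob.receive(t), carol.receive(t),
   bob.receive(t.merge(amount: 3000)), alice.balance, bob.balance]
end
```

No network, ledger or database is consulted at any point. The counter check assumes transfers from one payer reach a payee in order, and everything else rests on the chip refusing to export its key or roll back its balance.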
Off and On
What all of this means is that payments should stay on when the grid goes off so that life can go on. Not necessarily for buying houses or leasing planes, but at least for buying groceries and riding the bus. And this is achievable using the technology that we have at our disposal today: the cost-effective and proven technology of TEEs.
When the mobile network has crashed because of a botched software upgrade, cloud services are down because of a DNS misconfiguration and the electricity is out because of high winds blowing trees down on power lines, you should still be able to send cash from your phone to a neighbour’s phone via Bluetooth or UWB or whatever and you should still be able to tap your CBDC super smart card on a shopkeeper’s mobile phone to buy some food.
The Facebook and Amazon failures performed the useful function of reminding us that vague talk about networks and clouds and blockchains is no substitute for the kind of detailed risk analysis and countermeasure development that will be required to create the vital national infrastructure for CBDCs.