Alan L Tyree

Virtual Cash - Part II

Introduction

In the first article of this series we saw how the mathematics of public key cryptography could be used to create secure payment mechanisms that are analogous to bank issued notes or to bills of exchange and cheques.1 Because of the emphasis on small payments, the methods are usually referred to in the computing literature as "digital coins".

Public key cryptography combined with the keeping of a register of "spent" coins permits us to identify who "possesses" the coins or, if we think in terms of negotiable instruments, the "holder" of the instrument.

In each case the essential feature of the methods is that public key cryptography allows us to translate some of our "paper" notions such as signature and possession into the realm of pure electronic messages. Using public key cryptography we can be certain that a message has not been altered, we can identify those parties who have agreed to the message by means of adding their digital signature and we can identify a unique person who "possesses" the message.2

Anonymous Transactions

Without going into the cryptographic details, the next step in the process is the introduction of "blind signatures".3 These are cryptographic methods which allow us to ensure that the digital coin is genuine, that it is being received in payment for a particular service and that it has not previously been spent, but it does not allow us to identify the payer or any previous "holder" of the digital coin.

Blind signatures permit, in other words, the electronic equivalent of cash. Payments made by such methods leave no trail. This method is now being trialed in the USA and Europe by the DigiCash group in cooperation with local banks.4

Anonymity can be achieved even without the introduction of "blind signatures" if coin issuers are prepared to exchange valid coins for new ones.5 Consider: a customer A is issued with coins by a bank B. Since each coin is identified by serial number the bank could build a spending profile of the customer by noting which merchants return the identified coins. If, however, B or some other bank is willing to exchange coins for new ones then the owner of the new coins may be unknown since all that is needed is a network address in order to conduct the transaction. The owner of the new coins would be unknown.

The motivation behind these developments is to provide a cheap, secure, anonymous method of making small payments via the internet. Payments as small as a fraction of a cent are contemplated by would-be vendors of small amounts of valuable information. It must be appreciated however that this motivation in no way limits the potential of the end product. There is no obvious limit to the size or number of payments which could be made using the methods. The consequences of this will be examined later.

Summary of "digital coins"

It might be useful at this point to summarise the concept of the "digital coin". A digital coin is a message which is digitally signed6 by the issuing bank or other organisation. The contents of the message identify

The issuing bank maintains some record system which guards against the possibility of double spending the coin. The "holder" of the coin is not necessarily known to the bank. When a coin is "spent" the amount is either credited to the account of the payee or the payee is issued with new coins. In the second case, the bank will not necessarily know the identity of the payee.

What's new?

In some ways it may seem that the problems posed by digital cash do not differ significantly from those raised by the introduction of smart cards.7 Smart card systems such as Mondex which allow the transfer of value from one holders "wallet" to another would, on the face of it, seem to differ from digital cash only in the method of transfer.

It is certainly true that all of the problems raised by smart cards are equally applicable to the introduction of digital cash. These problems have been discussed recently both in this Journal and in a paper issued by the Australian Payments Systems Council. Major issues which must be addressed (or settled by default) include:

There are, however, physical and legal restraints on smart cards that help to solve some of these issues. All of the participants in a smart card scheme must be in some continuing contractual relationship with each other in order to make the system viable. In this sense at least, all smart card systems are "closed".8 In order for a smart card system to be commercially viable the card issuer must be an organisation of significant size, thus preventing, or at least limiting, the proliferation of card issuers. The contractual arrangements reduce the need to worry about the legal nature of the smart card transaction. Most smart card transactions will occur within a single legal jurisdiction.

These restraints do not apply to digital cash. Anyone with a computer could theoretically become an issuer of digital cash. Certainly any bank anywhere in the world could establish itself as an issuer of digital cash. Provided there is some commercial mechanism whereby a merchant can be reasonably assured of obtaining ultimate value these digital coins could be used by anyone anywhere in the world to make purchases over the internet.

Further, the parties need not be in any long term contractual relationship with each other. A holder of digital coins issued by one bank is (or may be) free to exchange them for coins issued by a different bank. Issuers are encouraged to make such exchange arrangements since it increases the value of their own coins. The free exchange of coins makes the whole system more attractive to merchants since it broadens their effective consumer base.

In a system that allows the free exchange of digital coins it may be necessary to determine the legal nature of a digital coin. This is because the relationships may no longer be directly controlled by an express contract. To illustrate, a merchant may confidently accept a credit card or a smart card in payment because he or she knows that the contract that they have with the card issuer will guarantee that they receive value for the transaction. No appeal to the general law is necessary.9

By contrast, a merchant who is offered digital coins in payment may have no contractual arrangement with the issuing bank. If the system is to flourish, the merchant must be able to rely upon some general law which governs the relationship of the parties.

What is the legal nature of Digital Cash?

All of the proposed methods of implementing payments over the internet share the characteristic that there is an "issuer". Digital coins are "issued" by a "bank" to a customer who then uses the coins via electronic messages to pay for goods or services via the internet. In order to have legal effect, we must treat the issuer as a promisor who has promised to make or to guarantee payment.

To whom is the promise made? This will depend upon the particular implementation of the payment mechanism. An issuer could make it a condition that merchants may only accept payment by prior arrangement. This would re-establish the contractual restraints which are lacking in the general model. However, for the commercial reasons outlined above, this is unlikely to be a stable long term solution. In real life schemes for "digital coins" it seems that the issuer must be taken to promise at least to anyone who takes a valid coin in good faith and for value that the coin will be met.

Even that interpretation is not wide enough to make the anonymous payment schemes work. In such a case it must be taken that the issuing bank promises to give value for any valid coin to anyone who presents it for payment.10

The obvious analogy is with the now obsolete bank note. Until this century the bank note was the common and widely recognised currency.11 It is a nice tribute to the law that many of the problems which may be encountered with digital cash may be solvable by looking to the law of a payment system which has been obsolete for the last 90 years.

However, it was never considered that a bank note issued by an obscure foreign bank could be regularly used for payment locally. Digital cash releases us from the confines of geography and in so doing introduces a whole new set of problems that were not relevant to bank notes and which have little relevance to payment by credit card or smart card.

The issuing bank, the payer and the payee may have no geographical connection whatsoever. It is perfectly plausible that an Australian purchaser could pay a Bolivian supplier by means of digital coins issued by a Mongolian bank. In such a case which law will we use to settle disputes when the transaction goes wrong? How can we even begin to ensure integrity of the payment system or to implement consumer protection policies? How can we control and detect money laundering schemes?

Interesting questions. They will be addressed in the third and final paper of this series.

Alan L Tyree
Landerer Professor of Information Technology and Law
University of Sydney

1 "Virtual Cash" XXXX Journal of Banking and Finance Law and Practice XXX.

2 Several American States have implemented legislation which gives effect to and governs digital signatures. See the Utah Digital Signature Act of 1996. The mathematics of public key cryptography is described in Rivest, Shamir and Adleman "A method for obtaining digital signatures and public-key cryptosystems" (1978) 21 Communications of the ACM 2. The RSA algorithm is named after the authors of this paper.

3 Blind signatures were pioneered by David Chaum who is a principal in DigiCash, the largest of the existing net payment organisations. See Chaum, D., "Privacy Protected Payments: Unconditional Payer and/or Payee Anonymity," in Smart Card 2000, North-Holland, 1989, pp. 69-92 and D.Chaum. Blind Signatures for Untraceable Payments. In Advances in Cryptology - Crypto '82 Proceedings, Plenum Press, 1983, pages 199-203

4 See Van Der Hoek, "Digicash" in the proceedings of the First Australian Computer Money Day, conference held at the Department of Computer Science, University of Newcastle, 28 March, 1996.

5 The method described here is that of Pierce. See M. Peirce, PayMe: Secure Payment for World Wide Web Services, B.A. (Mod) Project Report, Computer Science Department, Trinity College Dublin, Dublin 2, Ireland. May 1995

6 For the concept of "Digital signature" see the previous article in this series, Virtual Cash in XXXXXXXX.

7 See "Smart Cards", (1995) 6 JBFLP 297 - 299

8 See "Smart Cards" (1995) 6 JBFLP 297 for a discussion of the confused terminology relating to "open" and "closed" smart card systems.

9 This is not, of course, entirely true. When the entire system collapses it may be necessary to resort to general law principles to unravel liabilities. So, for example, if the card issuer fails, it may be necessary to consider the legal nature of payment by credit card; see Re Charge Card Services Ltd [1986] 3 All ER 289 and generally, Tyree, Banking Law in Australia, Butterworths, 1995 at p. 300.

10 These general promises are not without precedent since they are quite similar to the promise made by a bank who issues a "negotiable" documentary letter of credit: see Banco Nacional Ultramiarino v First National Bank of Boston 289 F 169 (1923) for a classical example. By analogy with the letter of credit, there may be some "fraud exception" which could apply to the presentment of digital coins.

11 Bank notes were the common form of currency in Australia until the first issue of the Commonwealth notes in 1910. This was accompanied by the imposition of a tax on bank notes which led to their rapid demise although bank notes were issued in Tasmania until the 1930s. See Tyree, Banking Law in Australia, Butterworths, 1995, p2.