1996
Smart cards and digital coins, like any other new form of payment method, raise certain legal and regulatory issues. As with the introduction of electronic funds transfer (EFT) most of these can be seen in advance. As with the introduction of EFT we will probably not deal adequately with some of the issues until forced to do so. What follows is a brief discussion of the more important issues concerning the introduction of a smart card and internet payment systems. Certain of these issues are common to smart cards and internet payments, others are peculiar to digital coins. Common issues will be discussed first.
First and foremost is that any system of payments must maintain a very high standard of confidence in the payment system. The value stored on a smart card or in the digital coin represents a liability of the issuer in favour of the card or coin holder. That the liability may be readily and completely transferred to a wide range of third parties is what makes a payment system. If the system is to be successful as a payments system then there must be confidence that the liability can be met.
It was this concern that has led the Working Group on European Union Payment Systems to recommend that only "credit institutions", that is, those institutions that are supervised by central banks or other authorities, should be permitted to issue smart cards.2 Although that is a solution which can be implemented nationally in a card system it seems unlikely that issuers of digital coins can be so restrained.
The second aspect of payment system confidence is the integrity of the payment method itself. The possibility of an unauthorised person to alter the contents of the card or of the digital coin message introduces the spectre of counterfeiting into the system, but it is a spectre that is substantially more frightening than normal counterfeiting. It might be very difficult or impossible to detect the smart card counterfeiting particularly if card-to-card transactions are permitted. The difficulty of detecting digital coin counterfeiting will depend upon the particular form in which the system is introduced. However, the need to guard against "double spending" may also provide the means for early detection of counterfeiting.
Some protection against counterfeiting may be obtained by operational means. It would be possible to introduce limits to the amounts that may be loaded on cards or the amount of the individual coin, or to limit the maximum size of individual payments. More controversial would be to monitor the activities of individual cards or internet payments, a problem in privacy that is discussed below.
A licence to print money is a valuable item. In Australia the Reserve Bank issues notes and the Treasury issues coins. The value arises in the following way: a note or a coin represents a liability of the issuer, but it is a liability on which no interest is paid. On the other hand, the issuer obtains normal market interests on assets.
This difference, the interest free liability and the interest bearing security, is known as seigniorage and is a valuable source of earnings for governments. To the extent that smart cards and digital coins replace currency, the benefits of seigniorage would be lost to the government and would accrue instead to the card/coin issuer.
It is not too hard to imagine that the solution to this problem, if it is a problem, will take the form of a tax on the value of transactions. It is interesting to note that there is precedent for this in Australia. The first issue of Commonwealth notes was accompanied by the introduction of a tax on the issue of bank notes.3 Such a tax would be relatively easy to enforce against smart card transactions, rather more difficult or impossible to levy against issuers of digital coins.
One of my favourite quotations is from Douglas J in the US Supreme Court:4
In a sense a person is defined by the checks he writes. By examining them, the agents get to know his doctors, lawyers, creditors, political allies, social connections, religious affiliations, educational interests, the papers and magazines he reads and so on ad infinitum.
There is no doubt that a complete "trail" of expenditures is one of the most powerful surveillance methods known.5 It is, no doubt, for this reason that various privacy interests are beginning to express concerns about the use of smart cards.
In my view this concern is justified but does not raise any new principles. The same concerns were expressed, again justifiably so, when EFT was introduced, and the above quotation shows that the same concerns are present with a more established payment system.
The research and implementation of digital coin systems seems to assure that privacy will not be a major issue in digital coin transactions (subject to the privacy concerns expressed about digital signature legislation which are discussed below). Indeed, some of the concerns about digital coin transactions arise precisely because of the ability to keep the transactions private.
If smart cards and digital coins do assume characteristics of currency then there is a need to deal with the problem of illicit transfers. If there is no limit on the amount that may be loaded on a smart card and if card-to-card transfers are permitted, then the card becomes much more attractive than currency as a means of moving "black" money. The attraction of digital coins is even greater since international transfers are no more difficult than local ones.
Unfortunately, some suggested solutions to the money laundering problem, limits on amounts,6 limits on the acceptable range of transfers, monitoring the movements on individual cards, all limit the attractiveness of the smart card/digital coin as a general purpose payment method. Some of these measures would be difficult to implement in a smart card system, more difficult or impossible in a digital coin system. There is no obvious solution to the money laundering problem even when "hard currency" is the medium of exchange.
However, it is easy to overstate the effect of new payment systems on the money laundering problem. It must be remembered that the problem for the launderer is to convert ill-gotten gains to gains which appear to be legitimate. The ill-gotten gains must either be smuggled out of Australia or they must be disguised as the proceeds of some legitimate enterprise. Smuggling a smart card loaded with $1m value or transferring $1m worth of digital coin is certainly easier than smuggling a suitcase of cash, but there is still the very significant problem of converting the amount to electronic form in the first place.
As long as all payment transfers to/from Australia must ultimately pass through a bank or other financial institution, the actual method of payment is not particularly relevant to the money laundering problem. In order for black money to be converted to electronic funds the services of a "cash dealer" must be used.7 The methods used now by AUSTRAC8 are independent of payment form and there is little reason to suppose that they will be any more or any less effective when cards or digital coins are the method of payment.
Still it must be admitted that the bad guys are clever. If methods can be devised for making a clandestine conversion from currency to digital money then the hope of tracing it is slim. Further, digital cash may open the door to new forms of enterprise which would avoid the current structures. For example, an Australian could operate a computer site in some remote country which permitted pornographic material to be loaded on WWW sites. Payment for the service could be by digital coin which would then be deposited in an account in a remote location. The illicit operator could then launder the money by paying himself/herself for consulting services.
Similarly, if existing black market operations could be organised so that their income is in electronic form then the new payment systems could be used to circumvent the existing AUSTRAC surveillance. Somehow the vision of large numbers of street drug deals being made with smart card payment seems remote.
The consumer problems posed by smart cards and digital coins are unlikely to be different in principle to those posed by EFT generally. What happens with lost cards? What happens when there is an unauthorised transaction? What happens when a transaction goes wrong in some way? How are costs and charges to be distributed among the players in a smart card/digital coin system? And so on.
The EFT Code of Conduct provides a reasonably fair means of dealing with these problems where the transaction falls within the terms of the code. The Code requires dispute resolution procedures which ensure that the customer has a forum in the event that the dispute cannot be resolved in-house.9
Do smart card transactions fall within the terms of the Code? The answer is: some will, and some will not. A transaction does not fall within the terms of the code unless initiated with a card and PIN. Some smart card transactions may require a PIN to complete,10 but many will not.
Digital coin transactions are even less likely to fall within the scope of the Code since they will almost never be initiated with a card or a PIN, although it might be remotely possible to argue that the digital signature is a "Personal Identification Number" for the purpose of the Code.
It would be nice to think that a "Smart Card Code of Conduct" or a "Digital Coin Code of Conduct" could be agreed upon before the inevitable and predictable problems occur, but Australian history is not encouraging on this point. EFT card issuers refused to accept that there was any need for such a Code until such time as they were threatened with legislation. I expect that we will see a replay of that drama with smart cards and digital coins.
As a simple example of the problem, consider the responsibilities for a lost smart card. On one view, it is the same as lost currency and the card holder should bear the loss of the stored value. On the other hand, it is easy to program a "lock" into the card so that it cannot be used without a key. Should issuer be required to issue cards that may be locked? Should the liabilities be different where there is a possibility of locking the card? These are problems which are entirely foreseeable and which could, and in my view should, be settled before they arise.
Because of the distributed nature of the digital coin system the consumer protection problem is more difficult and is discussed below.
Although there are many similarities between smart cards and digital cash there are physical and legal restraints on smart cards that make it easier to solve some of the legal issues. All of the participants in a smart card scheme must be in some continuing contractual relationship with at least one other member of the scheme in order to make the system viable. In this sense at least, all smart card systems are "closed".11 In order for a smart card system to be commercially viable the card issuer must be an organisation of significant size, thus preventing, or at least limiting, the proliferation of card issuers. The contractual arrangements reduce the need to worry about the legal nature of the smart card transaction. Most smart card transactions will occur within a single legal jurisdiction.
None of these restraints apply to digital cash. Anyone with a computer could theoretically become an issuer of digital cash. Certainly any bank anywhere in the world could establish itself as an issuer of digital cash and such an issuer could service customers anywhere in the world. Provided there is some commercial mechanism whereby a merchant can be reasonably assured of obtaining ultimate value these digital coins could be used by anyone anywhere in the world to make purchases over the internet.
Further, the parties need not be in any long term contractual relationship with each other. A holder of digital coins issued by one bank is (or may be) free to exchange them for coins issued by a different bank. Such free exchange is likely to become the norm since issuers are encouraged to make such exchange arrangements which have the effect of increasing the value of their own coins. The free exchange of coins also makes the whole system more attractive to merchants since it broadens their effective consumer base.
All of these considerations suggest that it will be necessary to determine the legal nature of digital coins. This is because the relationships may no longer be directly controlled by an express contract. To illustrate, a merchant may confidently accept a credit card or a smart card in payment because he or she knows that the contract that they have with the card issuer will guarantee that they receive value for the transaction.12 No appeal to the general law is necessary.13
By contrast, a merchant who is offered digital coins in payment may have no prior contractual arrangement with the issuing bank. If the system is to flourish, the merchant must be able to rely upon some general law which governs the relationship of the parties.
All of the proposed methods of implementing payments over the internet share the characteristic that there is an "issuer". Digital coins are "issued" by a "bank" to a customer who then uses the coins via electronic messages to pay for goods or services via the internet. In order to have legal effect, we must treat the issuer as a promisor who has promised to make or to guarantee payment.
To whom is the promise made?14 This will depend upon the particular implementation of the payment mechanism. An issuer could make it a condition that merchants may only accept payment by prior arrangement. This would re-establish the contractual restraints which are lacking in the general model. However, for the commercial reasons outlined above, this is unlikely to be a stable long term solution. In real life schemes for "digital coins" it seems that the issuer must be taken to promise at least to anyone who takes a valid coin in good faith and for value that the coin will be met.
Even that interpretation is not wide enough to make the anonymous payment schemes work. In such a case it must be taken that the issuing bank promises to give value for any valid coin to anyone who presents it for payment.15
The obvious analogy is with the now obsolete bank note. Until this century the bank note was the common and widely recognised currency.16 It is a nice tribute to the law that many of the problems which may be encountered with digital cash may be solvable by looking to the law of a payment system which has been obsolete for the last 90 years.
However, it was never considered that a bank note issued by an obscure foreign bank could be regularly used for payment locally. Digital cash releases us from the confines of geography and in so doing introduces a whole new set of problems that were not relevant to bank notes and which have little relevance to payment by credit card or smart card.
Suppose that an Australian customer, wishes to purchase information from a Tblisi supplier. The Australian customer offers payment by digital coin issued by The First International Web Bank of Ulan Bator. The Australian purchaser does not have an account with the Ulan Bator bank, but has exchanged coins issued by the Cook Islands Internet Bank. These coins were paid for by ordinary EFT transfer from the Australian's local bank, Freezepac. The Australian customer is not satisfied with the quality of the merchandise and wishes to take action. What law governs the various transactions?17
The question of which law applies is governed (in our law) by the so-called rules of conflict of laws, but these rules are ill suited for settling a case which is as complex as the one above. Without going into detail for a forum such as this, we often search for the legal system which has the "closest" association with the transaction. When such a legal system is found then the courts will apply the laws of that legal system rather than our own law.
But the search for a "closest" legal system seems hopelessly futile in the above example. In a sense the geographical locations and the associated legal systems are entirely accidental and there seems little reason to give more weight to one factor than to another. Such problems are not entirely new for the courts, but the result is seldom entirely satisfactory. In one case where there was a similar multiplicity of connections the court was finally swayed by the currency in which the transaction was conducted.18 Does it really make sense to say that the above transaction should be governed by the law of Outer Mongolia?
A world-wide open digital coin system cannot exist without some method of determining the authenticity and currency of digital signatures. There must be not only a repository for the public keys but there must also be some method of revocation, of saying "This is no longer my signature."
These problems have been addressed by legislation in the American State of Utah.19 The Act establishes the concept of a "Certification Authority" where users may register their public key and certain other details. A Certification Authority must post a bond which may be used to meet liabilities arising through error on the part of the Authority. Upon registration by a subscriber the Authority issues a "certificate" which is a computer record containing the subscribers identity, public key and certain other information. By issuing the certificate the Authority assumes certain responsibilities for the accuracy of the information.
By accepting a certificate issued by a licensed certification authority, the subscriber identified in the certificate assumes a duty to exercise reasonable care to retain control of the private key and prevent its disclosure to any person not authorised to create the subscriber's digital signature. The Certification Authority's liability is limited to the amount of the bond. Also relevant to the Authority's liability is the so-called "recommended reliance limit" which is specified in the certificate and which limits the liability of the Authority.
The value to subscribers is that a digital signature which is properly certified by an Authority is given full legal status in any circumstance where a rule of law requires a signature, or provides for certain consequences in the absence of a signature.20
The downside of the Act for subscribers is that the Authority has access at least to transaction information that may be commercially sensitive. In addition, of course, the "recommended reliance limit" may reflect badly on a commercial enterprise. The need to register destroys some of the anonymity which has been so painstakingly built into the digital coin system.
The example given in the preceding section also illustrates the difficult problems facing consumer protection legislation. Many transactions will take place outside the jurisdiction of any single State but we must expect the same kind of consumer complaints that we have with products sold locally.
When we consider how difficult it is to provide remedies for wronged consumers in a local or a national context, the problem of doing so in an international electronic market seems daunting indeed. Add to this the possibility that the merchant might be anonymous in a Web transaction and the task seems hopeless.