Cheaper than printing it out: buy the paperback book.

Out of Control
Chapter 12: E-MONEY

This anticipated information economy and network culture still lacks one vital component -- an ingredient that, once again, is enabled by encryption, and a key element that, once again, only long-haired crypto-rebels are experimenting with: electronic cash.

We already have electronic money. It flows daily in great invisible rivers from bank vault to bank vault, from broker to broker, from country to country, from your employer to your bank account. One institution alone, the Clearing House Interbank Payment System, currently moves an average of a trillion dollars (a million millions) each day via wire and satellite.

But that river of numbers is institutional electronic money, as remote from electronic cash as mainframes are from PCs. When pocket cash goes digital -- demassified into data in the same transformation that institutional money underwent -- we'll experience the deepest consequences of an information economy. Just as computing machines did not reorganize society until individuals plugged into them outside of institutions, the full effects of an electronic economy will have to wait until everyday petty cash (and check) transactions of individuals go digital.

We have a hint of digital cash in credit cards and ATMs. Like most of my generation, I get the little cash I use at an ATM, not having been inside a bank in years. On average, I use less cash every month. High-octane executives fly around the country purchasing everything on the go -- meals, rooms, cabs, supplies, presents -- carrying no more than $50 in their wallets. Already, the cashless society is real for some.

Today in the U.S., credit card purchases are used for one-tenth of all consumer payments. Credit card companies salivate while envisioning a near future where people routinely use their cards for "virtually every kind of transaction." Visa U.S.A. is experimenting with card-based electronic money terminals (no slip to sign) at fast-food shops and grocery stores. Since 1975, Visa has issued over 20 million debit cards that deduct money from one's bank account. In essence, Visa moved ATMs off of bank walls and onto the front counters of stores.

The conventional view of cashless money thus touted by banks and most futurists is not much more than a pervasive extension of the generic credit card system now operating. Alice has an account at National Trust Me Bank. The bank issues her one of their handy-dandy smart cards. She goes to an ATM and loads the wallet-size debit card with $300 cash deducted from her checking account. She can spend her $300 from the card at any store, gas station, ticket counter, or phone booth that has a Trust Me smart-card slot.

What's wrong with this picture? Most folks would prefer this system over passing around portraits of dead presidents. Or over indebtedness to Visa or MasterCard. But this version of the cashless concept slights both user and merchant; therefore it has slept on the drawing boards for years, and will probably die there.

Foremost among the debit (or credit) card's weaknesses is its nasty habit of leaving every merchant Alice buys from -- newsstand to nursery -- with a personalized history of her purchases. The record of a single store is not worrisome. But each store's file of Alice's spending is indexed with her bank account number or Social Security number. That makes it all too easy, and inevitable, for her spending histories to be combined, store to store, into an exact, extremely desirable marketing profile of her. Such a monetary dossier holds valuable information (not to mention private data) about her. She has no control over this information and derives no compensation for it.

Second, the bank is obliged to hand out whiz-bang smart cards. Banks being the legendary cheapskates they are, you know who is going to pay for them, at bank rates. Alice will also have to pay the bank for the transaction costs of using the money card.

Third, merchants pay the system a small percentage whenever a debit card is used. This eats into their already small profits and discourages vendors from soliciting the card's use for small purchases.

Fourth, Alice can only use her money at establishments equipped with slots that accept Trust Me's proprietary technology. This hardware quarantine has been a prime factor in the nonhappening of this future. It also eliminates person-to-person payments (unless you want to carry a slot around for others to poke into). Furthermore, Alice can only refill her card (essentially purchase money) at an official Trust Me ATM branch. This obstacle could be surmounted by a cooperative network of banks using a universal slot linked into an internet of all banks; a hint of such a network already exists.

The alternative to debit card cash is true digital cash. Digital cash has none of the debit or credit card's drawbacks. True digital cash is real money with the nimbleness of electricity and the privacy of cash. Payments are accountable but unlinkable. The cash does not demand proprietary hardware or software. Therefore, money can be received or transferred from and to anywhere, including to and from other individuals. You don't need to be a store or institution to get paid in nonpaper money. Anyone connected can collect. And any company with the right reputation can "sell" electronic money refills, so the costs are at market rates. Banks are only peripherally involved. You use digital cash to order a pizza, pay for a bridge toll, or reimburse a friend, as well as to pay the mortgage, if you want. It is different from plain old electronic money in that it can be anonymous and untraceable except by the payer. It is fueled by encryption.

The method, technically known as blinded digital signatures, is based on a variant of a proven technology called public-key encryption. Here's how it works at the consumer level. You use a digicash card to pay Joe's Meat Market for a prime roast. The merchant can verify (by examining the digital signature of the bank issuing the money) that he was paid with money that had not been "spent" before. Yet, he'll have no record of who paid him. After the transaction, the bank has a verifiable account that you spent $7, and spent it only once, and that Joe's Meat Market did indeed receive $7. But those two sides of the transaction are not linked and cannot be reconstructed unless you the payer enable them to be. It seems illogical at first that such blind but verifiable transactions can occur, but the integrity of their "disconnection" is pretty watertight.

Digital cash can replace every use of pocket cash except flipping a coin. You have a complete record of all your payments and to whom they were made. "They" have a record of being paid but not by whom they were made. The reliability of both impeccably accurate accounting and 100 percent anonymity is ranked mathematically "unconditional" -- without exceptions.

The privacy and agility of digital cash stems from a simple and clever technology. When I ask a digicash card entrepreneur if I could see one of his smart cards, he says that he is sorry. He thought he had put one in his wallet but can't find it. It looks like a regular credit card, he says, showing me his very small collection of them. It looks like...why, here it is! He slips out a blank, very thin, flexible card. The plastic rectangle holds math money. In one corner is a small gold square the size of a thumbnail. This is a computer. The CPU, no larger than a soggy cornflake, contains a limited amount of cash, say, $500 or 100 transactions, whichever comes first. This one, made by Cylink, contains a coprocessor specifically designed to handle public-key encryption mathematics. On the tiny computer's gold square are six very minute surface contacts which connect to an online computer when the card is inserted into a slot.

Less smart cards (they don't do encryption) are big in Europe and Japan, where 61 million of them are already in use. Japan is afloat in a primitive type of electronic currency -- prepaid magnetic phone cards. The Japanese national phone company, NTT, has so far sold 330 million (some 10 million per month) of them. Forty percent of the French carry smart cards in their wallets today to make phone calls. New York City recently introduced a cashless phone card for a few of its 58,000 public phone booths. New York is motivated not by futurism but by thieves. According to The New York Times, "Every three minutes, a thief, a vandal, or some other telephone thug breaks into a coin box or yanks a handset from a socket. That's more than 175,000 times a year," and costs the city $10 million annually for repairs. The disposable phone card New York uses is not very smart, but it's adequate. It employs an infrared optical memory, common in European phone cards, which is hard to counterfeit in small quantities but cheap to manufacture in large numbers.

In Denmark, smart cards substitute for the credit cards the Danes never got. So everyone who would tote a credit card in America, packs a smart debit card in Denmark. Danish law demanded two significant restrictions: (1) that there be no minimum purchase amount; (2) that there be no surcharge for the card's use. The immediate effect was that the cards began to replace cash in everyday use even more than checks and credit cards have replaced cash in the States. The popularity of these cards is their undoing because unlike cheap, decentralized phone cards, these cards rely on real-time interactions with banks. They are overloading the Danish banking system, hogging phone lines as the sale of each piece of candy is transmitted to the central bank, flooding the system with transactions that cost more than they are worth.

David Chaum, a Berkeley cryptographer now living in Holland, has a solution. Chaum, head of the cryptography group at the center for Mathematics and Computer Science in Amsterdam, has proposed a mathematical code for a distributed, true digital cash system. In his solution, everyone carries around a refillable smart card that packs anonymous cash. This digicash seamlessly intermingles with electronic cash from home, company, or government. And it works offline, freeing the phone system.

Chaum looks like a Berkeley stereotype: gray beard, full mane of hair tied back in a professional ponytail, tweed jacket, sandals. As a grad student, Chaum got interested in the prospects and problems of electronic voting. For his thesis he worked on the idea of a digital signature that could not be faked, an essential tool for fraud-proof electronic elections. From there his interest drifted to the similar problem in computer network communications: how can you be sure a document is really from whom it claims to be from? At the same time he wondered: how can you keep certain information private and untraceable? Both directions -- security and privacy -- led to cryptography and a Ph.D. in that subject.

Sometime in 1978, Chaum says, "I had this flash of inspiration that it was possible to make a database of people so that someone could not link them all together, yet you could prove everything about them was correct. At the time, I was trying to convince myself that it was not possible, but I saw a loophole, how you might do it and I thought, gee....But it wasn't until 1984 or '85 that I figured out how to actually do that. "

"Unconditional untraceability" is what Chaum calls his innovation. When this code is integrated with the "practically unbreakable security" of a standard public-key encryption code, the combined encryption scheme can provide anonymous electronic money, among other things. Chaum's encrypted cash (to date none of the other systems anywhere are encrypted) offers several important practical improvements in a card-based electronic currency.

First, it offers the bonafide privacy of material cash. In the past, if you bought a subversive pamphlet from a merchant for a dollar, he had a dollar that was definitely a dollar and could be paid to anyone else; but he had no record of who gave him that dollar or any way to provably reconstruct who gave it to him. In Chaum's digital cash, the merchant likewise gets a digital dollar transferred from your card (or from an online account), and the bank can prove that indeed he definitely has one dollar there and no more and no less, but no one (except you if you want) can prove where that dollar came from.

One minor caveat: the smart-card versions of cash implemented so far are, alas, as vulnerable and valuable as cash if lost or stolen. However, encrypting them with a PIN password would make them substantially more secure, though also slightly more hassle to use. Chaum predicts that users of digicash will use short (4-digit) PINs (or none at all) for minor transactions and longer passwords for major ones. Speculating a bit, Chaum says, "To protect herself from a robber who might force her to give up her passwords at gunpoint, Alice could use a 'duress code' that would cause the card to appear to operate normally, while hiding its more valuable assets."

Second, Chaum's card-based system works offline. It does not require instant verification via phone lines as credit cards do, so the costs are minimal and perfect for the numerous small-time cash transactions people want them for -- parking meters, restaurant meals, bus rides, phone calls, groceries. Transaction records are ganged together and zapped once a day, say, to the central accountant computer.

During this day's delay, it would theoretically be possible to cheat. Electronic money systems dealing in larger amounts, running online in almost real time, have a smaller window for cheating -- the instant between sending and receiving -- but the minute opportunity is still there. While it is not theoretically possible to break the privacy aspect of digital cash (who paid whom) if you were desperate enough for small cash, you could break the security aspect -- has this money been spent? -- with supercomputers. By breaking the RSA public-key code, you could use the compromised key to spend money more than once. That is, until the data was submitted to the bank and they caught you. For in a delicious quirk, Chaum's digital cash is untraceable except if you try to cheat by spending money more than once. When that happens, the extra bit of information the twice-spent money now carries is enough to trace the payer. So electronic money is as anonymous as cash, except for cheaters!

Because of its cheaper costs, the Danish government is making plans to switch from the Dencard to the Dencoin, an offline system suited to small change. The computational overhead needed to run a system like this is nano-small. Each encrypted transaction on a smart card consumes only 64 bytes. (The previous sentence contains 67 bytes.) A household's yearly financial record of all income and all expenditure would easily fit on one hi-density floppy disk. Chaum calculates that the existing mainframe computers in banks would have more-than-adequate computational horsepower to handle digital cash. The encryption safeguards of an offline system would reduce much of the transactional computation that occurs online over phone lines (for ATMs and credit card checks), enabling the same banking computers to cover the increase in electronic cash. Even if we assume that Chaum guessed wrong about the computational demands of a scaled-up system, and he is off by a factor of ten, computer speed is accelerating so fast that this defers the feasibility of using existing bank power by only a few years.

In variations on Chaum's basic design, people may also have computer appliances at home, loaded with digital cash software, which allow them to pay other individuals, and get paid, over phone lines. This would be e-money on the networks. Attached to your e-mail message to your daughter is an electronic $100 bill. She may use that cash to purchase via e-mail an airplane ticket home. The airline sends the cash to one of their vendors, the flight's meal caterer. In Chaum's system nobody has any trace of the money's path. E-mail and digital cash are a match made in heaven. Digital cash could fail in real life, but it is almost certain to flourish in the nascent network culture.

I asked Chaum what banks think of digital cash. His company has visited or been visited by most of the big players. Do they say, gee, this threatens our business? Or do they say, hmm, this strengthens us, makes us more efficient? Chaum: "Well, it ranges. I find the corporate planners in $1,000 suits and private dining halls are more interested in it than the lower-level systems guys because the planners' job is to look to the future. Banks don't go about building stuff themselves. They have their systems guys buy stuff from vendors. My company is the first vendor of electronic money. I have a very extensive portfolio of patents on electronic money, in the U.S., Europe, and elsewhere." Some of Chaum's crypto-anarcho friends still give him a hard time about taking out patents on this work. Chaum tells me in defense, "It turns out that I was in the field very early so I wiped out all the basic problems. So most of the new work now [in encrypted electronic money] are extensions and applications of the basic work I did. The thing is, banks don't want to invest into something that is unprotected. Patents are very helpful in making electronic money happen."

Chaum is an idealist. He sees security and privacy as a tradeoff. His larger agenda is providing tools for privacy in a networked world so that privacy can be balanced with security. In the economics of networks, costs are disproportionately dependent on the number of other users. To get the Fax Effect going, you need a critical mass of early adopters. Once beyond the threshold, the event is unstoppable because it is self-reinforcing. Electronic cash shows all the signs of having a lower critical mass threshold than other implementations of data privacy. Chaum is betting that an electronic cash system inside an e-mail network, or a card-based electronic cash for a local public transportation network, has the lowest critical mass of all.

The most eager current customers for digital cash are European city officials. They see card-based digital cash as the next step beyond magnetic fast-passes now issued regularly by most cities' bus and subway departments. One card is filled with as much bus money as you want. But there are added advantages: the same card could fit into parking meters when you did drive or be used on trains for longer-distance travel.

Urban planners love the idea of automatic tolls charging vehicles for downtown entry or crossing a bridge without having the car stop or slow down. Bar-code lasers can identify moving cars on the road, and drivers will accept purchasing vouchers. What's holding up a finer-grain toll system is the Orwellian fear that "they will have a record of my car's travels." Despite that fear, automatic tolls that record car identities are already operating in Oklahoma, Louisiana, and Texas. Three states in the busy Northeast have agreed to install one compatible system starting with experimental setups on two Manhattan/New Jersey bridges. In this system, a tiny card-size radio taped to the car windshield transmits signals to the toll gate which deducts the toll from your account at the gate (not from the card). Similar equipment running on the Texas turnpike system is 99.99 percent reliable. These proven toll mechanisms could easily be modified to Chaum's untraceable encrypted payments, and true electronic cash, if people wanted.

In this way the same cash card that pays for public transportation can also be used to cover fees for private transportation. Chaum relates that in his experience with European cities, the Fax Effect -- the more people online, the more incentive to join -- takes hold, quickly drawing other uses. Officials from the phone company get wind of what's up and make it known that they would like to use the card to rid themselves of a nasty plague called "coins" that bog public phones down. Newspaper vendors call to inquire if they can use the card.... Soon the economics of networks begin to take over.

Ubiquitous digital cash dovetails well with massive electronic networks. It's a pretty sound bet that the Internet will be the first place that e-money will infiltrate deeply. Money is another type of information, a compact type of control. As the Net expands, money expands. Wherever information goes, money is sure to follow. By its decentralized, distributed nature, encrypted e-money has the same potential for transforming economic structure as personal computers did for overhauling management and communication structure. Most importantly, the privacy/security innovations needed for e-money are instrumental in developing the next level of adaptive complexity in an information-based society. I'd go so far as to say that truly digital money -- or, more accurately, the economic mechanics needed for truly digital cash -- will rewire the nature of our economy, communications, and knowledge.