Piero Cipollone, a board member at the European Central Bank (ECB), has written to Thierry Breton, the European Commissioner for the internal market, to warn that Apple’s current plans are likely to make the iPhone incompatible with making offline payments in any future European central bank digital currency (CBDC). I think it is interesting to explore why.
The issue is, as Mr. Cipollone rightly notes, that Apple’s proposed commitments to the European Commission would not give third parties full access to the secure element (SE) in the iPhone. Access to the SE is important in the CBDC context because, as Mr. Cipollone sets out in his letter, access to the SE is vital for mobile device-based offline digital euro payments.
The ability to exchange digital currency between people without a mobile network, without the internet and even with the power out is fundamental to an electronic cash alternative, and since half of the ECB’s digital currency development budget is allocated to offline payments, it looks as if they agree with that view. But what exactly do they mean by offline payments? Some clarity is required here, so I think perhaps we should stop talking about online and offline in this context and instead find some better labels. Are the transactions mediated or unmediated, centralised or decentralised? Are they hub or “edge” transactions?
(If you think of a network as nodes connected by edges, then edge transactions are transactions between one node and another with no other nodes involved.)
In a hub system (eg, M-Pesa in Kenya) the digital currency is not stored in the device. The wallet balances are maintained in a central hub and the device — actually in this case, the SIM in the device — merely stores the keys needed to authorise a transaction. All transactions between devices route via the hub (put to one side whether that hub is truly centralised or distributed or some combination, it’s not important).
In an edge system, the transactions route from device to device. There is no hub, and the wallet balances or coins are stored in the device itself. When Alice sends Bob five digital bucks, the five digital bucks move from her wallet directly into his wallet and no-one knows about this except for Bob and Alice.
Off Line
Now that we have the definitions clear, let us return to what the ECB is planning. Last year, the ECB published its “stocktake”, the findings of the work the Eurosystem carried out during the digital euro investigation phase, which lasted from October 2021 until October 2023. In this, they talk about how a digital euro would be usable online and offline. In their words, the “offline” mode would be designed to maximise certain cash-like characteristics: that is, a bearer payment instrument “that is not dependent on an online connection, but is limited to proximity payments”.
But why should edge transactions be limited to proximity payments? It seems to me that if the system has the capability to implement device-to-device transfers (ie, edge transactions) then transactions should always be device-to-device whether the devices are local or remote. In other words, if I go online to pay Netflix using a digital euro, the value should transfer from a device of mine to a device of theirs even if we are both online.
If all transactions are edge transactions then there are no scaling issues, no constraints imposed by traffic through the hub and no bounds on the number of transactions that might complete simultaneously. These are, as you might have already spotted, characteristics of cash.
Security and Privacy
Well, you might think, that sounds good, but what happens to national security if a substantial fraction of the nation’s money is flowing around from device to device? How could the integrity of the system be assured? What happens if well-funded and highly-motivated nation-state hackers find a way to get into an SE and reset the balance to the maximum after each transaction, or replenish spent tokens in order to double spend?
That is a rational concern, but remember that while the transactions might be entirely offline, auditing and accounting would not be. The SEs used to store the digital currency would be part of an integrated risk management system.
The chips would have a transaction limit and might only be allowed a certain number of transactions before they have to interact with a financial institution in some way, to load money from a regulated digital currency provider or to deposit money into a bank account.
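As an added illustration (not part of the original post and not the ECB’s design), here is a toy model of the limit-and-audit idea just described: the chip enforces a per-transaction cap and an offline transaction budget, and the hub reconciles receipts uploaded by payees to flag a chip whose balance was reset or whose spent tokens were replenished and spent again. The limits, device names and amounts are all constructed for the example.

```python
from collections import defaultdict

# Policy parameters: constructed for this illustration, not ECB figures.
MAX_TX_VALUE = 5000      # per-transaction cap, in cents
MAX_OFFLINE_TXS = 20     # transfers allowed before the chip must sync with a hub


class OfflineWallet:
    """Toy model of a secure-element wallet holding value on the device itself."""
    def __init__(self, device_id):
        self.device_id = device_id
        self.balance = 0
        self.counter = 0   # monotonic per-chip counter, reset only by a hub sync

    def load(self, amount):
        """Hub-mediated load: the only way to add value and reset the offline budget."""
        self.balance += amount
        self.counter = 0

    def send(self, payee, amount):
        """Device-to-device transfer; returns the receipt the payee will later upload."""
        if not 0 < amount <= MAX_TX_VALUE:
            raise ValueError("amount outside per-transaction limit")
        if self.counter >= MAX_OFFLINE_TXS:
            raise RuntimeError("offline transaction budget exhausted; sync required")
        if amount > self.balance:
            raise ValueError("insufficient balance")
        self.balance -= amount
        self.counter += 1
        return (self.device_id, payee, self.counter, amount)


def reconcile(loads, receipts, reported_balances):
    """Hub-side audit over receipts uploaded by payees at their own syncs.
    Flags a chip whose reported balance is not explained by its loads and
    transfers (balance reset) or which reused a counter (replenished tokens)."""
    expected = defaultdict(int, loads)
    counters_seen = defaultdict(set)
    suspicious = set()
    for payer, payee, ctr, amount in receipts:
        expected[payer] -= amount
        expected[payee] += amount
        if ctr in counters_seen[payer]:
            suspicious.add(payer)   # same counter spent twice: double spend
        counters_seen[payer].add(ctr)
    for device, balance in reported_balances.items():
        if balance != expected[device]:
            suspicious.add(device)  # value appeared from nowhere (or vanished)
    return sorted(suspicious)
```

Because payees upload the receipts, a compromised payer chip cannot hide its transfers from the hub; it can only delay the moment its lie is caught until the next mandatory sync.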
There’s no need to go into it here, but suffice to say that it would be possible to build a system with integrity. And, of course, there’s always a “smash the glass” option of turning off device-to-device mode in the event of a catastrophic hardware breach (so that, for example, consumers could only pay merchants until their chip is upgraded or whatever).
Ethereum founder Vitalik Buterin, in an essay lamenting the terrible state of internet security, explores some ways to fundamentally shift the calculus and specifically highlights secure hardware as a way forward. He points out the obvious fact that a great many people already have the necessary chips in the form of the SE in their smartphone.
In a population-scale solution, if the architecture is going to allow any device-to-device transactions then it may as well make all transactions device-to-device. That way there is only one transaction type to be designed, tested, analysed, certified and monitored. There are no special cases: a transaction is a transaction is a transaction. Now the system can scale. Ten transactions per second or ten million transactions per second makes no difference, and when there’s no mobile network you can still buy a beer with your iPhone.