We begin with a nightmare of total surveillance and control from 1975 courtesy of electronic money. With predictions and fears of electronic transactions and computational commerce in mind, we turn to the work of David Chaum. His DigiCash project was a protocol for money that could be digitally issued and redeemed by existing banks in existing currencies with the anonymity of cash. Its failure left a design framework taken up by others who wanted to create, and not just transact, new kinds of digital cash.
First, the fantasies.
“BETTER THAN MONEY,” trumpeted the subhead amid visions of “computerized communities,” in Martin Greenberger’s 1964 article “Computers of Tomorrow.” He published it in the Atlantic, the same magazine that carried Vannevar Bush’s landmark proto-hypertext vision “As We May Think” in 1945. Like Bush, Greenberger was extrapolating the “information utility” of the future and its applications: “medical-information systems,” “automatic libraries,” simulation services, “design consoles … editing consoles … computerized communities.”1 Key to all of these would be that “better than money” platform: “These cards, referred to by some as ‘money keys,’ together with the simple terminals and information exchange, can all but eliminate the need for currency, checks, cash registers, sales slips, and making change.”
Greenberger meant something like the credit card infrastructure then being developed, relying on a highly centralized system of utility phone lines and existing banks and payment companies, plus a little futuristic magic. “Incidentally,” he promised, “we can look forward in the process [of adopting electronic money] to displacing another class of manual labor: miscellaneous thieves who prey on money. The increased possibilities for embezzlement through fraudulent accounting may attract some of the resulting unemployed, but there are ways that the computer can be deputized to police its own operation, quietly and without danger of corruption.” Do tell.
At a conference in Bordeaux six years later, the computer scientist John McCarthy was talking about something like those very “consoles” promised by Greenberger, with more rigor about putting them into practice.2 (This is the same McCarthy for whom Whitfield Diffie was housesitting in Berkeley when he developed his part of public key cryptography.) Considering the future of “home information terminals,” McCarthy was clear about the role “money” would play. Electronic money would enable new forms of digital commerce. He considered advertising, payments for information and articles—“the reader will have the system balk at what he considers overpriced material”—and as yet unrealized kinds of transactions. He anticipated “a profound effect on buying and selling.” But how do you verify these transactions? Though it may seem simple in retrospect, digitally verifying a transaction contains subtleties of identity, authorization, receipt, and proof.
Five years after, Dee Hock, the CEO of Visa, was proposing an answer. Hock belonged in the company of people like Buckminster Fuller, architect of geodesic domes and global networks, and the bearded cybernetic sage and management consultant Stafford Beer: jet-set sales reps for the utopian infrastructure of the 1970s, publicists for the cosmos. Hock, fascinated by emergent order and self-organizing processes in nature, had little interest in merely building a business for “Electronic Funds Transfer” (EFT). His sights were set on the social transformation of “Electronic Value Exchange” (EVE). EVE was what money would be, he wrote: “guaranteed alphanumeric data” in “arranged energy” flowing seamlessly through computer networks around the Earth.3
For Hock, EVE would be a sister system to the nascent Internet, a global network machine with a related set of utopian fantasies. His design for the headquarters was a circular office, which symbolically contained the four corners of the planet, with sections devoted to each region’s culture and booths for real-time translation across languages.4 (He described his acrimonious departure from Visa as a search for “a life of anonymity and isolation … with books, nature, and uninterrupted thought,” as if he were a Taoist sage departing for the mountains.) EVE would be a part of the next epoch of cybernetic society.
But there was a catch. What “guaranteed” the alphanumeric data that money would soon become? What would direct and sluice those flows of energy constituting credit?
Surveillance.
Now, the nightmare.
“Say you are about to buy a book,” wrote the Stanford computer scientist Paul Armer in 1975 in an article for the journal Computers and People. He based his article on his testimony to Congress, for whom his recommended reading included Orwell’s 1984, a Nixon administration memo on domestic intelligence gathering, and Dawidowicz’s The War Against the Jews, 1933–1945. Armer’s piece was startlingly prescient on the surveillance problem produced by authenticating electronic money. “You present your card (sometimes called a ‘debit card’ …),” he continued, “to a clerk who puts it into a terminal which reads it and then calls up your bank.”5 The bank either OK’d or declined the transaction—and there the trouble began.
When Armer bought a book with his debit card, the settlement system learned his location at that time, adding it to the log of his movements, and with it “a great deal of data about your financial transactions,” and “a great deal of data about your life.” What if you had already been flagged by the police for special attention? “I have no doubt that such systems have already been so abused.” Given the task of building an ideal, discreet surveillance apparatus for the KGB in 1971, Armer and a group of computing and surveillance specialists came up with a version of an electronic funds transfer system: “Not only would it handle all the financial accounting and provide the statistics crucial to a centrally planned economy; it was the best surveillance system we could imagine within the constraint that it not be obtrusive.”6
His choice of a book as the object of his notional purchase was deliberate: What if you were not yet flagged, but the purchase of a particular book put you “on a list,” as part of a suspect population or pattern? If it is a book that authorities decided is not for you to read, will the system auto-decline your purchase attempt? Will your money be good for some things and not others?
Recall that Margaret Atwood’s novel The Handmaid’s Tale, written a decade after Armer’s testimony, is partially a dystopian story about electronic money. Computerized accounts and credit identified as belonging to women are frozen—as Atwood said afterward, “now that we have credit cards, it’s very easy to just cut off people’s access to credit”—and she envisioned, among other systems of domination, a process of monetary coercion, with object-specific tokens to prevent independent choices and decisions: “I look at the oranges, longing for one,” thinks her protagonist Offred. “But I haven’t brought any coupons for oranges.”7 Real-world versions of this already existed or would come to exist: from the coupons and scrip of company towns, to color-coded state-issued food stamps, to welfare funds issued through electronic benefit transfer (EBT) in the United States—“money,” in the case of food benefits, that will not permit itself to be spent on certain goods and that is subject to data collection and analysis.8
Electronic money could serve as a control apparatus for making the marketplace into a rapid response system for the police, a location log, and a Skinner box for rewarding and denying citizens into doing what corporations or governments wanted. In 1990, the philosopher Gilles Deleuze wrote a short piece called “Postscript on the Societies of Control.” Deleuze started with the transition the theorist-historian Michel Foucault had identified—from sovereign societies to disciplinary societies, a transition in how power was expressed at every level of life—and then asked: Are people in postindustrial, networked, capitalist societies now living through a comparable transition to control societies? To explain what he meant, he turned to the exemplary technology of power: “Perhaps it is money that expresses the distinction between the two societies best.”9
The previous disciplinary society operated as a series of enclosures, “interiors,” with stabilizing and standardizing mechanisms at work to organize productive forces: to turn out biscuits, citizens, newspapers, soldiers, Model T’s, healthy right-thinking bodies, and interchangeable parts. It did this, he wrote, in a framework of “minted money that locks gold in as numerical standard”—as a benchmark, a calibrating mechanism. The current and near future control society, he argued, models value with “floating rates of exchange, modulated according to a rate established by a set of standard currencies”: a post-Nixon Shock system of as-good-as-instant telecommunications and continuous data collection, feedback, analysis, and adjustment.10
Knowing “the position of any element within an open environment at any given instant,” the control system exerts power through a society that has become largely overseen and managed as “coded figures,” as digital data, readily displayed, analyzed, and utilized. “Man is no longer man enclosed,” Deleuze writes, as if delivering the voiceover narration of a dystopian sci-fi movie, “but man in debt.”11 Money on a card, money as data, can govern and control: payable here and not there, for this and not that, and producing real-time information about its user for further adjustment. In his speculative mode, Deleuze brings together house-arrest ankle bracelets and parole cuffs, just-in-time production and logistics chains, mobile phones and geolocation and what would become the quantified self, area and access denial technologies, and digital payment and electronic money platforms: a wide territory that defines the outlines of a new model of sovereignty, and of the expression and exercise of power.12
David Chaum, too, feared a future in which the ledgers of online credit and debit systems had become dossiers: “The granularity of information that’s revealed about payments is going to explode,” he warned.13 In 1983, eight years after Armer’s testimony, Chaum was also writing about buying books, along with many other transactions that “reveal a great deal about the individual’s whereabouts, associations and lifestyle.”14 The same mechanisms that managed the trust in digital payment would produce a time-stamped and geocoded record from which much could be revealed—and that’s before considering the ways in which digital ledger money could be actively manipulated for real-time redlining, price fixing and gouging, and other mechanisms of financial exclusion. Chaum talked about Panopticons, police states, Big Brother; speaking before Congress in 1995, he foresaw in the credit card and the networked point-of-sale terminal a human population of “electronically tagged animals in feedlots.”15 However, he had a solution to offer.
The alternative to the feedlot, he continued, would be “buyers and sellers in a town market square,” with each party able to “protect its own interests.” To “secure parity between individuals and organizations,” he built on the technologies of public key cryptography and signatures, to make money that could identify itself while keeping its users secret. His Netherlands-based company DigiCash called the stuff “e-cash” (variously quoted as Ecash, eCash, and e-Cash). They created the first real and functional digital cash as an alternative to surveillance-based credit-and-debit systems; Chaum’s approach, patents, and theories set the agenda for digital cash research for more than a decade.
Chaum was fascinated by “dead drops, document security, burglar alarms, safes and vaults, locks, flaps and seals.” (His other patents included an electronic lock capable of recognizing different metal keys, and systems for ballots and voting.)16 He developed an idea whose outline resembles old-school, analog document security. Imagine that you wanted to notarize a document without revealing what it was—to have proof of a discovery written down and deposited today, making a claim for precedence and priority without sharing the discovery with the world yet. The historian of science Mario Biagioli has described just such a problem in the practice of Renaissance science, with Christiaan Huygens submitting an announcement of the discovery of the spring watch as an anagram (“413537312343242 abcefilmnorstux”) and Galileo announcing the observation of Saturn’s irregular shape as “smaismrmilmepoetaleumibunenugttauiras.”17 A paperwork solution evolved: sealed notes deposited with trusted institutions like the Academie des Sciences. This sealed-envelope approach could be taken one step further.
Slip your document into an envelope with a sheet of carbon paper, seal the flap, and then have a notary’s stamp or a signature and date applied to the outside of the envelope. The person stamping or signing does not know what they are authenticating: a “blind signature,” an indexical trace of time and proof that doesn’t give its secrets away. The carbon paper envelope and the blind signature connect the proof to the document rather than its container, eliminating any possible accusation of envelope switching—of the steaming kettles, heat lamps, slender ivory spatulas, and other elegant tricks of predigital “flaps and seals” spy tradecraft. The document can prove facts about itself without revealing what it is: recognizable without being known.
Chaum developed an analogous procedure for digital cash. You would withdraw money from your bank account in digital form, just as you would by withdrawing a stack of euros, dollars, or yuan from an ATM—except that it would go to a dedicated transaction card, or a program running on your computer and connected to the Internet. Card in hand, or program open on computer, you could spend the digital money like cash: not as transactions reflected in a ledger, with the system checking in remotely to credit one account and debit another, but like tokens changing hands.
The money would be on, or in, the card or the digital wallet; if you lost your card, the money would be gone, just as if you had left an envelope of tip cash on the train after work. When you gave a card to a merchant or authorized an online transaction on your computer, their system could take the value off the card without needing to confirm your identity or check in with your bank; the “secured data representing value” (as Chaum put it) could prove itself, as cash in hand does.18 Finally, and most important for Chaum, e-cash could not be connected to the person who withdrew and spent it: a technology of proof without identification that, Chaum hoped, would “make Big Brother obsolete.”19
This was not meant to be an autonomous digital store of value; Chaum was not proposing a new currency with his e-cash, but a mechanism for banks to turn existing currencies into digital cash and back again. The software developer Hal Finney—cypherpunk, Extropian, and eventually key Bitcoin contributor—made a good comparison when explaining the project in 1993: Before the last century-plus of national and territorial currencies, a local bank could issue money against their assets. A merchant would accept payment in those banknotes on the assumption that the note “could be redeemed at the issuing bank for its face value” in coin, bullion, or other stuff.20 The bank held the “materials of value,” and the notes circulated as their vehicles. Merchants in Chaum’s system would likewise accept e-cash, knowing they could redeem it at the issuing bank for its face value in the national currency.
Let’s break Chaum’s mechanism into four parts, with each solution creating another problem to be solved in turn.
1. How do you know the cash is real?
You want to make an online purchase. You request a twenty-dollar e-cash note from your bank. They withdraw this money from your account—just as if you were withdrawing cash from the ATM—and generate a new e-cash note, which they email to you or deposit on a smartcard. The note carries a statement of value: the equivalent of “This note is worth twenty dollars from Wells Fargo, payable on demand.” The bank encrypts the note with its private key before they send it to you. Recall that anyone with a public key can decrypt a message encrypted with a corresponding private key, so a private key-encrypted message acts as a kind of signature. Wells Fargo will distribute copies of their public key to merchants far and wide: your pub, conbini, taxi driver, bodega, and every online storefront has a copy, so their transaction software can instantly determine that e-cash notes are “signed” by the bank, and how much they’re worth.
2. Why can’t it be counterfeited?
The use of public key cryptography here keeps no secrets. The bank’s private key signature authenticates the e-cash note as a product of the bank and makes it impossible to forge its value—a criminal can’t create new notes that appear to be from the bank. The signature can’t protect against counterfeiting, though: the duplication of e-cash notes the bank actually produced. That “note” is just a string of data, after all; it could be intercepted, copied and pasted, and spent like someone writing a check for the same two hundred dollars at every store on the block. The bank therefore gives each note a unique serial number. At the end of your cab driver’s shift, she deposits the e-cash notes accumulated on her smartcard at her bank branch. The bank verifies that it signed the notes and their values, and checks the unique serial numbers to make sure they haven’t been previously deposited—that is, that the same notes haven’t been redeemed for dollars multiple times—and credits her account with these dollars. The unique serial number eliminates transactional privacy for the payer, though. When the merchant deposits it, the serial number corresponds to the one with which it was issued—to your particular account.
3. Can’t the serial number be used to track you?
Chaum’s solution was the blinding factor. The user—you—now generates a serial number for each note you want; you send these numbers to the bank with your request for e-cash; the bank signs these e-cash notes with their ten-bucks-payable-on-demand-from-us private key signature and debits your account for that amount. You can spend the e-cash where you will, as before. However, by an elegant trick of cryptographic mathematics, the serial numbers you sent have been multiplied by a random number known to you—the blinding factor—that you can divide out once the bank provides your e-cash notes, before you spend them. The bank has accounted for the money and created banknotes that you can spend, which it will redeem for national currency, but it no longer knows, nor needs to know, that they were from your account. Neither does the merchant who accepts them. The bank will check the serial numbers of the notes that merchants give them to redeem, to make sure they weren’t spent before, but the numbers no longer correspond to any other data and do not connect your transactions to your identity. They have stamped a sealed carbon-copy envelope to confirm that what it contains can be redeemed for ten dollars, without having a record of the document within.
4. What about fraudulent offline spending, though?
With offline transactions, using a “cold processor” wallet—in our notional taxicab, for instance—it would still be possible to spend the same note several times, before the bank could compare the serial numbers, in the digital equivalent of a bounced check. The bank would then refuse to honor all the e-cash notes after the lucky first merchant deposited theirs, and, with the blinding factor in place, would have no way to connect the fraudulent spending to you. This would obviously discourage merchants from adopting this new system and would cause trouble with many areas of payment, from offline contexts (like food carts and flea markets) to systems that need very rapid settlement (like an electronic tollbooth scanning a tag as your car drives through). (DigiCash worked on the payment system for an early electronic tollbooth infrastructure for the Netherlands.) In a final stroke of great elegance, Chaum, Gilles Brassard, and Claude Cripeau developed a mathematical mechanism by which each e-cash transaction would involve a question—a numerical challenge the spender’s software would have to answer about each note.21 One such answer would be meaningless, and would not compromise the anonymity of a given e-cash note, but two answers—which you would only give if you tried to spend the same note twice—would reveal the account to which the note was issued, deanonymizing the spender.
With the whole system before us, notice that the merchant—whoever redeems e-cash they’ve been paid—is not anonymous. Bribes and black market activity would have no easier time of it with e-cash than they would with hard currency. In fact, their activities would be further constrained by how much more difficult e-cash would be to launder compared to paper money and coins. Chaum had found a way to produce a kind of digital cash that broke with the all-or-nothing model of electronic money and surveillance—a technology that protected the privacy of individual customers and clients without further empowering drug deals, ransom demands, and the rest. Spending it was untraceable unless the spender tried to cheat the system, at which point they’d reveal themselves through the very act of abuse.
On a technical level, e-cash still had complex problems to resolve—like making change, getting refunds, and reversing charges—and many subsequent refinements would be developed by others. But the whole structure was functional and coherent: anonymous digital cash secured against surveillance, forgery, and counterfeiting by the same mechanisms as “the most sophisticated codes used to protect nuclear materials, military secrets and large-value wire transfers,” as Chaum said to Congress. It met many of the challenges in his model of privacy’s future crises, and without building infrastructure for potential malefactors.
His promise also had an implicit threat. “If we don’t get the national currencies in electronic form properly,” he warned, “then the market will route around them and make other currencies.”22 It was a prediction whose consequences we are now living out.
By the mid-1990s, the Netherlands-based DigiCash had a pilot program under way at a bank in St. Louis. They issued unbacked, playful “CyberBucks” for publicity, which were good for buying T-shirts, Encyclopaedia Britannica articles, transcripts of old Monty Python routines, and reprints of Chaum’s past work.23 Chaum was putting a deal together with Deutsche Bank, and studies of similar technologies were under way from Singapore to the UK. DigiCash software existed for all the common operating systems and was integrated into the web browser Mosaic. ING, Visa, Microsoft, and a string of banks came calling at DigiCash’s offices in Eindhoven.
Before the end of the decade, DigiCash was bankrupt.
The reasons are complex and still argued, but the legacy of DigiCash and its technology for those making digital currencies and speculative monies was clear: as an inspiration and as a warning. Jean-François Blanchette puts it perfectly: Chaum’s work “opened up not only durable research avenues but also—more importantly—a certain design space. That space suggested that computers need not necessarily be linked with images of surveillance and social control and that coherent and creative scientific research programs could be driven by explicitly social goals—in this case, privacy protection, anonymity, and their implications for democratic participation.”24 That design space and its social goals opened a terrain that would fill with further experiments: people seeking all-sides anonymity, or seeking money with new kinds of properties, or seeking permanently digital e-cash without banks—or nations—at all.25
The work of Chaum and his colleagues, and DigiCash’s rise and fall, provided a reference point for many other proposals. After e-cash would come “smart contracts,” “digital bearer certificates,” and monetary mechanisms suited not just to protecting privacy and preserving parity between people and corporations, but as the basis for more extreme projects: off-the-books transaction systems operating in international waters and the ciphered interstices of the network itself, and active conspiracies against the legitimacy of central banks and territorial currencies.26 Chaum and e-cash provided an example and an aspiration: a concrete research and development initiative in the service of anticipating and averting a malign future. Hal Finney described what cryptography and e-cash meant for him in 1992. The avenue Chaum had opened, Finney wrote, “balances power between individuals and organizations.… If things work out well, we may be able to look back and see that it was the most important work we have ever done.”27
E-cash was also a cautionary tale. “I was asking the world to change the way it did things so that there would be perfect privacy,” Chaum said, in retrospect.28 There was so much inertia to overcome to get these tools adopted. The computer scientist Arvind Narayanan used the phrase “societal buy-in” to explain one of the challenges faced by “ambitious ideas such as Chaum’s”: “a critical mass of potential users unhappy with the status quo” who must take up the new system completely and immediately for it to work.29 Tools like email encryption can be incrementally adopted by individuals and small groups, but Chaum’s system needed wholesale transformation. The technology alone is not enough, in other words. Even with good math, scientific discoveries, the free circulation of ideas, reliable hardware, and running code, you need a desire, a vision, a dissatisfaction, a fantasy, a story. The glow of a utopia just over the horizon, and a cosmogram for getting there.
What if, to meet that challenge, you could create the society first and the platform afterward? What if you could build a world in which the technology became inevitable?