"Privacy by design": understanding Project Hamilton and the digital dollar by "following the AML"
Project Hamilton sets the stage for a privacy-protecting digital dollar.
The Boston Fed and “MIT’s Digital Currency Initiative” published their long-awaited “Project Hamilton” White Paper on the payment processing systems that we can expect for the digital dollar.
The paper does not claim that the Fed will issue a central bank digital currency (CBDC). Still, it does take the reader through the technological decisions that the Fed and MIT went through to arrive at two potential systems that “exceed speed and throughput requirements” for the digital dollar.
In this newsletter, I would like to take a high-level view of the White Paper to examine the designers' potential choices and what they mean for the digital dollar.
The good news is that the technical choices made are all privacy-protective. But what may not be apparent to the casual reader is that the two systems presented in the paper have a lot to say about the roles of the Fed and the supporting third party banks.
The Fed is not going to allow the circulation of a digital dollar without “anti-money laundering” (AML) and “know your customer” (KYC) requirements, so the real question when we look at these two options is “who will do it?”
The designs proposed by the White Paper each push the burden of AML to either the Fed or banks with significant implications.
System performance
The performance criteria the research set out were not dictated by the Fed so much as by practical considerations derived from existing payment systems. The requirements are perfectly capable of meeting the needs of a modern cash transfer system but not exceptional. As a reference point, Visa and Mastercard networks operate at roughly 50 to 70,000 transactions per second. The transaction speed target of 5 seconds would seem like a lifetime!
• Speed: a target of 99% of transactions completing within 5 seconds, where completion includes a transaction being validated, executed, and confirmed back to users.
• Throughput: 100,000 transactions per second as a minimum target based on existing cash and card volumes and expected growth rates.
• Resiliency: continuing to provide system access and preventing data loss even in the presence of multiple data center failures.
1.7 million transactions per second (TPS) is fast and is MIT’s big headline. Still, what we can expect out of the laboratory will be very different, as transactions need to flow through networks and wallets, which add friction.
No blockchain
At least partly because of the rigorous performance criteria above and the centralized nature of the system, the researchers ruled out blockchain-based systems.
The paper cites the following issues with blockchain or “distributed ledger” based systems:
• Distributed ledger operating under the jurisdiction of different actors was not needed to achieve our goals.
• Project Hamilton assumes that the platform would be administered by a central actor.
• Distributed ledger architecture creates performance bottlenecks
• Requires the central transaction processor to maintain transaction history, which one of our designs does not, resulting in significantly improved transaction throughput scalability properties.
Blockchain aficionados will say that the game was rigged. They’re right. The Fed has no desire for a distributed ledger system.
Proponents of blockchain will rail at the assumption that the Fed must run the system, a criterion that to them would appear to “rig” the outcome. That is a fair point, but even if the Fed considered a distributed system, its distribution partners would likely be limited to major banks. Most blockchain aficionados would consider this an equally dubious choice.
Performance issues with blockchain are genuine and remain an issue with high-volume payment systems in larger countries, much less so in smaller countries.
Privacy through tokens and no accounts
Privacy is, of course, a hot-button issue for many Americans who consider the digital dollar a “dystopian nightmare” and “the end of American freedom.”
To protect privacy, the designers opted for a system that does not collect personal data: “the safest way to secure data is not to collect it in the first place. We designed Hamilton's transaction processor to retain very little data about transactions.”
This was a wise move by the designers that led them down the path of a token or coin-based system that “borrows heavily from Bitcoin’s transaction format,” including adopting a wallet-based system with Bitcoin’s UTXO or “unspent transaction output” system and public keys indicating ownership.
The easiest way to visualize UTXO is through its similarities with cash payment. Imagine paying five vendors simultaneously when all you have is cash and no coins for making exact change. Depending on the sum, you'll overpay most if not all vendors with a combination of bills and then receive change in return. Each vendor processes the banknotes independently of the other.
All fair-minded fans of CBDC will acknowledge that the tech used in Bitcoin was repurposed in CBDCs. Fans of Bitcoin will of course say “co-opted.”
Diagram source: Cashless: China’s Digital Currency Revolution
With Bitcoin or a CBDC, you transfer digital currency and get a newly created digital coin back as change in your wallet. As coins are spent, cryptographic validation systems protect against double-spending and digitally forged coins. There is no need for an account.
The most important feature of this system is that to validate a coin, the system does not need to know who you are, so much as that your coins are valid through a unique serial number assigned to the coin and stored in cryptographic hash format.
UTXO also yields performance improvements because the digital currency system doesn’t have to spend time checking whether there is money in an account. The underlying infrastructure is concerned with validating the coin through its cryptographic encryption rather than checking whether there is money in an account.
UTXO is a critical distinction that changes the notion of money for many and should remind us that whether or not we like cryptocurrency, we all owe a debt to its creators. The systems they designed and how they reimagined payment as a token-based system are critical.
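As an added illustration (not code from the White Paper or from Project Hamilton), the sketch below shows a processor that keeps only hashes of unspent coins and swaps spent hashes for new ones, so a payment with change is accepted and a second spend of the same coin is rejected without any account or identity. The class and field names and the sample serials and keys are constructed for this example, and signature verification is assumed to have happened already.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Coin:
    serial: str     # unique serial number (constructed sample value)
    owner_key: str  # public key of the holder, not a name or account
    value: int      # amount in cents

    def digest(self) -> str:
        raw = f"{self.serial}|{self.owner_key}|{self.value}".encode()
        return hashlib.sha256(raw).hexdigest()

class Processor:
    """Hypothetical processor: stores only hashes of unspent coins."""

    def __init__(self):
        self.unspent = set()

    def mint(self, coin):
        self.unspent.add(coin.digest())

    def apply(self, inputs, outputs):
        """Swap spent hashes for new ones; returns (accepted, reason)."""
        # Assumption: signatures over the inputs were already verified.
        spent = {c.digest() for c in inputs}
        created = {c.digest() for c in outputs}
        if len(spent) != len(inputs) or not spent <= self.unspent:
            return False, "unknown or already spent coin"
        if created & self.unspent or len(created) != len(outputs):
            return False, "output already exists"
        if any(c.value <= 0 for c in outputs) or \
           sum(c.value for c in inputs) != sum(c.value for c in outputs):
            return False, "value not conserved"
        self.unspent = (self.unspent - spent) | created
        return True, "ok"

def demo():
    p = Processor()
    bill = Coin("serial-001", "pk-payer", 2000)
    p.mint(bill)
    # Pay 12.50 with a 20.00 coin; a new coin comes back as change.
    pay = Coin("serial-002", "pk-vendor", 1250)
    change = Coin("serial-003", "pk-payer", 750)
    first = p.apply([bill], [pay, change])
    # Spending the same coin again fails: its hash left the unspent set.
    replay = p.apply([bill], [Coin("serial-004", "pk-other", 2000)])
    return first, replay, len(p.unspent)

if __name__ == "__main__":
    print(demo())
```

After the accepted payment, the processor holds two hashes and nothing that links them to the spent coin or to a person.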
A Tale of Two Systems
The White Paper goes on to explain the two systems it designed that exceed the performance criteria outlined above. What is interesting is that both systems take us in very different directions for AML.
System 1
Let’s examine step by step the Fed’s explanation from the executive summary:
• The first architecture processes transactions through an ordering server which organizes fully validated transactions into batches, or blocks, and materializes an ordered transaction history.
Translation: You may be familiar with Bitcoin’s notion of storing all transaction history on the coin. Here, as with Bitcoin, the coin stores transactions, public keys, transaction graphs, and values. The complete history of the coin follows it throughout its life.
• This architecture durably completed over 99% of transactions in under two seconds, and the majority of transactions in under 0.7 seconds.
Translation: Yes, it works fine in that it can be used and is a valid option for the Fed to consider.
• However, the ordering server resulted in a bottleneck which led to a peak throughput of approximately 170,000 transactions per second
Translation: Because the coin carries a complete usage history, this history can become computationally heavy, which means that its digital history will slow the validation process. 170,000 tps isn’t set in stone and is certainly above the performance criteria but requires more computational horsepower to go faster.
The Fed refers to System 1 as having “atomizer architecture” as it contains a linear history of all transactions.
Privacy:
Privacy proponents should be pleased. Validation of transactions on this system does not require the identification of the individual users. The system does, however, have a complete record of the transaction history. User ID would be a function of the wallet issued by a supporting bank or even a telecom company. Would the Fed be able to connect the two? Not without some form of trickery or legal warrant, which they would present to the wallet issuer.
AML:
This is the exciting part: as the Fed would have the entire history of the token, AML would likely fall at least in part to the Fed. Furthermore, tokens spent on the network do not revert to the bank that issued them, which means that the Fed would be the only entity with computers that could decrypt usage and perform this function.
The Fed has no intention of issuing a “privacy coin” like Monero!
System 2
Let's examine step by step the Fed's explanation from the executive summary:
• Our second architecture processes transactions in parallel on multiple computers and does not rely on a single ordering server to prevent double spends.
Translation: Here the system does away with carrying the coin transaction history, which means that the data payload carried by each coin is significantly reduced. Validation of whether a coin has been spent or not to avoid double spends does not require historical look back.
• This results in superior scalability but does not materialize an ordered history for all transactions.
Translation: None needed! The history is not carried with the coin.
• This second architecture demonstrated throughput of 1.7 million transactions per second with 99% of transactions durably completing in under a second.
Translation: A stunning technical accomplishment! Millions of transactions per second mean that the system is future-proof for years to come! But as we will see, this comes at a cost.
Two-phase commit or 2PC architecture executes non-conflicting transactions (transactions which do not spend or receive the same funds) in parallel and does not create a single, ordered history of transactions.
Privacy:
Again the system does not require the user's identification to validate a transaction! If you are the Fed, there is a real drawback in the lack of transaction history. The Fed is not going into the “privacy coin” business like Monero! So this lack of transaction history raises a critical question. If the Fed can’t perform AML, who does?
AML:
In the first system with an encrypted history, that role fell to the Fed. Without this history, is the Fed likely to surrender and not perform AML? No way. The most likely answer is that the Fed will pass this critical function to the banks. To do this, the Fed will likely link CBDC wallets to issuing banks, a fundamental change as CBDCs are traditionally considered bank independent. Linking would push some amount of payment information to the banks allowing them to continue with their traditional role of monitoring AML.
Conclusion:
Follow the AML to understand what this all means
The Fed will not issue a digital dollar without KYC and AML. I do not think this statement is controversial, even if it upsets proponents of crypto who see untraceable currency as a human right.
The KYC function is the natural role for banks, and in a two-tier CBDC system, banks retain this role to some degree.
For performance reasons, the Fed will gravitate toward the second system, which the research paper calls the “two-phase commit” or 2PC system.
But another motivation of equal or greater import for the Fed to adopt the 2PC system is that it will keep AML responsibilities with the banks:
1) The Fed can claim with great certainty that it has neither user identification nor a complete transaction history. Privacy advocates would go apoplectic if they found that the Fed had complete transaction histories as maintained in the first system.
2) The Fed can then push AML and KYC responsibilities back to the banking system by tying CBDC wallet payments to the banks. Unfortunately, this maintains the banks' role in the currency system and regrettably ties users to banks, a blow for the unbanked and financial inclusion.
3) The Fed’s operational requirements would be substantially reduced. In essence, the Fed would run server farms providing processing capability but would not be required to implement the latest AI-based AML systems. Note that with either system, the Fed would not need KYC systems.
4) Banks would be beneficiaries as it would ensure the minimum disruption to their reserves and allow them to maintain a grip, albeit a relaxed one, on payments.
The drawbacks to this system are clear: the Fed will have a hybrid CBDC, which does have precedent, but ties users to their banks. It does little for the unbanked to improve financial inclusion as usage will be tied to a bank.
It is also a gift to the banking system, allowing them to maintain a lock on the payment business, arguably robbing the CBDC and the American people of the CBDC’s greatest achievement, direct peer-to-peer transfer without third parties.
Rich Turrin is the international best-selling author of "Cashless - China's Digital Currency Revolution" and "Innovation Lab Excellence." He is an Onalytica Top 100 Fintech Influencer and an award-winning executive previously heading fintech teams at IBM following a twenty-year career in investment banking. Living in Shanghai for the last decade, Rich experienced China going cashless first-hand. Rich is an independent consultant whose views on China's astounding fintech developments are widely sought by international media and private clients.