Strong Privacy Protection vs. Data Trail
Ecash goes live in the US, Finland and Germany
(c) by Volker Grassmuck
in: InterCommunication Magazine, No.19 NTT Publishing, Tokyo, Winter 1997
"1996 is the year of electronic money on the Internet," said Nicholas Negroponte in February. Further into the year, the frantic activities of financial, networking and retailing industries indicate that the prediction of the MIT Media Lab's director was accurate.
The universal medium of exchange enters the universal medium. Marx' "pure fantastic form" was abstracted from all the concrete commodities and services. Now money is abstracted from the materiality of coins and bills, and converted into electric charges. In the process, the symbol, of course, doesn't lose any of its precision in marking the distinction between have and have-not.
The Internet until now was a commerce-free realm with an economy based on the exchange of ideas and a currency of reputation. Money in cyberspace will make all visions - and nightmares - of online shopping come true. The economy of desires takes on a pecuniary form. The desires for anything money can buy. The desires of earning money by means of whatever one has to offer. The desire of increasing money by lending, circulating and handling it. The desire of making easy money by gambling. The desire for dirty money by means of fraud, bank robbery and -especially tempting in a digital sphere where a copy is indistinguishable from an original - counterfeiting.
Computer networks support two opposite power trajectories. Historically, they consisted of centralistic top-down military and corporate structures of mainframes and large databases. With the Internet and with the development of mini-computers and PCs, a decentralized, distributed and open network structure emerged. The circulation of byte tokens that represent a generally acceptable value equivalent cannot possibly be open, grass-roots-based, anarchic. Still, there are alternatives for implementing online payment systems at both ends of the power scale. On the one hand, there are systems where control and data collection is concentrated in large financial institutions like credit card corporations. On the other, are systems that emulate the anonymity of cash and convey as little information to merchants and banks as necessary, while putting as much control as possible in the hands of the individual user.
Writes David Chaum, inventor of the Ecash system: "The choice between keeping information in the hands of individuals or of organizations is being made each time any government or business decides to automate another set of transactions. In one direction lies unprecedented scrutiny and control of people's lives, in the other, secure parity between individuals and organizations. The shape of society in the next century may depend on which approach predominates." 
The development towards commercialization is inevitable. The question is not if money is introduced on the net, but under which conditions. Will it be along the centralistic trajectory of credit card schemes, or will the net opt for privacy protection and empowerment of individuals?
Evaporation of Cash
Money, until now, was bound to a material form - from the earliest shells and whale's teeth via precious metals to high-tech printed bills. It shares this attribute with our other essential symbolic exchange medium, script. Both were subject to mechanization by the printing press and also their immaterialization happens in parallel.
The cash we are used to has certain advantages, but also its price. Printing and minting, storing, transporting, securing, sorting, and replacing worn money is expensive. Producing coins actually costs more than their nominal value. According to an informed guess, two to three percent of the gross national product are needed just to keep the stuff in circulation that makes the world go round.
"Money doesn't smell." It is not linked to the way it was earned and the person holding it. Which is good for privacy, but also good for all sorts of criminal activities. It attracts street crime and burglary. Drug dealers, extortionists, kidnappers and corrupt government officials prefer cash to payments by bank transfer or cheque because those can be traced back to them. The payer, e.g. of a bribe to a government official has prove of the recipient, and could later come back and blackmail that person. Briefcases full of notes can be passed from hand to hand without leaving any record, allowing money laundering and tax evasion.
Money (just like print and software) has its users as well as its hackers. Special papers and printing, water marks, metal threads, and ultraviolet marks are intended to make counterfeiting difficult. But technology is speeding ahead, and color copy machines can produce bills that look fairly genuine to humans. As long as they are mostly handled by human cashiers and not by machines, many of the security features are lost.
And, most of all, cash is unsuitable on electronic networks. Being a symbol, the materiality of the universalized form of equivalence was always only accidental. The symbolic is characterized by its ability to change its place with other symbols. When money changes its form from atoms to bytes, its function and the conditions of its functionality remain the same. The number of tokens representing value have to be restricted, they have to be protected against duplication, and linked to an authority warranting their exchangeability.
Actually, the really big money by which the global economies tick is beyond matter already. More than ninety percent of major currencies exist as nothing but disembodied bytes floating around digital networks.
The evaporation of the remaining "personal money" in our wallets started with the spread of credit cards. Money-lending was probably invented together with the earliest forms of money, but for the first few thousand years it meant passing matter from hand to hand. The 670 million rectangular pieces of plastic in world-wide use today are nothing but the physical carriers of the key that together with a signature unlocks access to one's share of the big pool of digital money. Credit cards are the last commemorative token of material money for the material girl. They are nothing much really, but, at least, something that you can still hold in your hands. On the networks, even this cluster of atoms disappears. The code that from the start was designed to be machine-readable takes off from the card and easily adapts to the digital world.
Indeed, most online payment systems operating today are based on credit cards. American Express, MasterCard, Eurocard, Visa - all the market players are developing or already operating their payment schemes in various alliances with large online providers. Several thousand merchant companies accept credit card payments via the Internet. The procedure is the same as in real world usage. The payer enters his card number and expiration date, and the payment is debited to his account.
The disadvantages are also the same as in the material world. Only authorized dealers can accept credit card payments. The transaction fees are high, and therefore cards are unsuitable for payment of small amounts. Credit card fraud has been surging during the last years. In 1994, Germany saw an increase of 125% over the previous year. Since credit cards are a postpay system, a person who gains control over the card has access to the complete credit range of the user's account. Additionally, transfer of the sensitive information over open networks multiplies the points where it can be intercepted.
And most of all, data on each transaction are centrally collected and used to create individual and statistical consumption profiles that are sold to marketing departments and advertisers. Whether you take a trip, eat at a restaurant, or mail-order lingerie for your girlfriend - unlike with cash, each card purchase adds to the your data trail. The open character of most of the Internet, the possibility of automatic sorting and matching of data, and the generally lacking use of security measures already create an unprecedented transparency of individual's activities on the networks. Add to this the central registration of any payment over the net, and you end up with the ultimate paranoiac's scenario.
The problem of online money is to create a unique data entity - a set of bits in an unbreakable code that can only exist once - in the digital realm where anything can be copied without loss of quality. The solution is cryptography, a rather obscure field of mathematics, made even obscurer by the fact that the US National Security Agency and other government's secret services claim an exclusive right to research results even in academia, and if they might threaten their ability to listen in on citizen's communications declare them classified.
Cryptography is the art of sending secure messages over insecure channels, and it was likely invented together with the first letter sent by a priest or sovereign who didn't trust his courier. "Cryptography is kinda like magic," says Chaum. "It's not intuitive that it can work but it does surprising things."
Classic cryptosystems are based on a secret or 'private' key that has to be send to the person whom you want to be able to send you secret messages. Classic systems are symmetric, i.e. they use the same key for encryption and decryption. The problem is that you need to send the key over a separate secure channel, e.g. via registered mail.
Most cryptanalysis or 'code-breaking' techniques depend on analyzing a number of ciphertexts encrypted with the same key. Therefore, one-time keys that are used for only one message are considered to be the most secure in this category. They are used for online banking purposes, but are rather unpractical because the user has to have the list of keys at hand for each transaction and remember to cross out the one she just used.
An alternative is a public-key cryptosystem that uses public encryption and private decryption. A user generates two complementary keys, one of which he keeps secret, the other is published. If somebody wants to send a secure message to this person, he gets his public key and encrypts the message with it. The receiver alone can unlock the message with his secret key.
In order to authenticate a message, the sender can include a text, e.g. a mathematical summary (created by a so called "hash function") of the secret message, that he encrypts with his own secret key. The receiver can then verify this 'signature' by using the algorithm in reverse with the sender's public key. If the information decrypts sensibly, he knows that it can only have originated from the sender, and that the message was not altered along the way.
The complementarity of public and private key is based on so called trapdoor functions that are easy to calculate in one direction, but difficult to reverse. To multiply two numbers is trivial, but to factor a number, i.e. to break it down into two prime numbers whose product it is, is not. The theory behind factorization is not well-understood, but all known algorithms require an amount of time that essentially grows exponentially with the size of the number. Any code can be broken, but given a long enough key it will take a lot of computing power and time to do so.
"Hence public key cryptography 'solves' one of the most vexing problems of all prior cryptography: the necessity of establishing a secure channel for the exchange of the key. To establish a secure channel one uses cryptography, but private key cryptography requires a secure channel! In resolving the dilemma, public key cryptography has been considered by many to be a 'revolutionary technology,' representing a breakthrough that makes routine communication encryption practical and potentially ubiquitous." 
The theory behind public-key cryptography was invented by Whitfield Diffie and Martin Hellman and first published in 1976 . Two years later, Rivest, Shamir and Adelman introduced an algorithm based on it. Their company, RSA Data Security Inc., holds exclusive rights to make toolkits based on public-key cryptographic techniques (which caused a controversy in the network community with many thinking it should be freely available to all) and sells encryption software and hardware. Another application of public-key techniques is the well-known freeware PGP (Pretty Good Privacy) by Phil Zimmermann. 
PGP was explicitly developed as 'guerilla freeware' to counter the NSA's attempt to enforce the key escrow-based Clipper Chip standard for which the NSA would hold the master key. After wide-spread resistance brought down the Clipper Chip , public key cryptographic techniques now move from guerilla to mainstream. Also SSL (Secure Socket Layer) developed by Netscape, the de facto standard in Web browsers and servers, uses public keys. So did IBM's iKP (Internet Keyed Payment protocols) which together with several other approaches was folded into SET (Secure Electronic Transactions). SET was primarily developed by Microsoft and has been endorsed by Mastercard and Visa.
An absolutely unbreakable code can not exist. The strength of a cryptosystem is always a relative measure. It is useful if it can resist attacks by likely enemies for whatever length of time the data it protects is expected to remain valid. This is why the privacy PGP provides is "pretty good." And this is why US export laws allow techniques using keys of 40-bit length to be taken outside the country, but not the 128-bit keys commonly used inside the USA that would put too much strain even on the computing power of the NSA to decipher. Cryptosystems are considered weapons.
The "strength" is also a historic measure. "Factorization is a fast-moving field - the state of the art just a few years ago was nowhere near as good as it is now. If no new methods are developed, then 2048-bit RSA keys will always be safe from factorization, but one can't predict the future." 
These cryptographic techniques allow secure transmission of money tokens or credit card information over open networks. They allow to authenticate the sender, and ensure that the data has not been manipulated by a third party. For an anonymous, truly cash-like system additional requirements have to be met. The validity of a money token has to be verified independently of the payer.
Ecash achieves this by combining public key encryption with a "blind signature" invented by David Chaum, computer scientist, cryptography expert, and founder of the U.S. and Netherlands-based company DigiCash . Chaum introduced the "blinding" concept in the 1992 Scientific American article "Achieving Electronic Privacy" which he opened with the programmatic statement "The author hopes it may return control of personal information to the individual." 
DigiCash, set up in 1990, offers a number of on- and offline payment systems. Their main product is the software-only Internet-based "Ecash." The system consists of a kind of virtual ATM from which the user withdraws money in an electronic format onto his computer's harddisk and can spend it from there at shops on the Internet. The Ecash scheme has been widely tested in a simulation trial, and is operational in the US and Finland with two more pilot projects coming up in Germany and Sweden.
In more detail, this is how it works: The user signs up for an account at the Ecash "mint" into which he transfers money from a regular bank account. He then receives a password to download the client software from the Net. No other hardware than a networked PC is needed. After installation, the software asks the user to type in some random keystrokes. Because people's typing is not purely random, the input is "whitened," i.e. the user types in a lot more digits than are displayed. To this uniform distribution some redundancies are added for the purpose of printing it out and typing it in, so that the software can detect errors and correct them. Says Chaum: "The cryptographic pseudo-random techniques we use are powerful enough that there's an extremely high grade security, higher than the normal commercial stuff you see."
The client finally displays a string of digits, and asks the user to write them down in a safe place. This is the random seed value from which the unique "serial numbers" of the actual Ecash coins will be calculated, and which also allows the user to recover her Ecash value in case her harddisk crashes. Explains Chaum, "The seed can be expanded cryptographically to be a whole lot of, in effect, independent numbers that would be, as far as we know, impossible to link in any way. There is a pseudo-random sequence, an arbitrarily long sequence of digits that can be created from a single secret number such that knowing any sub-sequence gives you no help whatsoever in finding anything useful about any other sub-sequence."
A number created from the seed is large, say 100 digits long, which makes it extremely unlikely that the same number is created twice. The user's client then multiplies it by a random factor, i.e. "blinds" it, and sends this "envelop" to the bank in public key encryption format. The bank countersigns the blinded "serial number," sends it back, and the random number is divided out. The electronic coin residing in a "wallet" on the user's harddisk is now ready to be spend. The crypto magic sounds rather complicated, but is performed by the client software. For the user, the process has the feel of withdrawing money from a regular automatic teller machine.
When the user comes across an Internet service accepting Ecash, the wallet pops up, he confirms the product to be bought, the payee and the amount, and the exact number of coins are transferred. The merchant's software immediately clears the coins with the issuing bank to make sure they are valid. In the same way also individual users can make over money between themselves.
The bank keeps a record of the now unblinded serial numbers and matches them against incoming coins to check for double spending. If a user made copies of a coin and tried to spend it again, only the first coin would be accepted. A coin is only used once. After it is received by the bank it is retired and its value is credited to the recipient's account. If a user wants to spend her electronic earnings again in the form of Ecash, she has to re-withdraw them as fresh coins. A large retailer would just send all their money to the bank and leave it there.
In this way, the bank knows the amounts a person receives. It also knows how much he withdraws from his account onto his wallet, just as with current ATMs. And just as with cash, the bank does not know where the money goes from there.
Because the bank does not know the blinding factor, it has no way of linking the coins issued during the user's original withdrawal to those that are finally deposited by a shop. The system is designed such that if a bank recorded everything it could possibly know, and even if the shop and the bank colluded, they would not be able to determine who spent which coins. The blinded coin numbers are "unconditionally untraceable."
The only record the bank, in fact, retains of the withdrawal transaction is a coded compression, a so called "cryptographic hash function," of all the envelops received. The hash value can not be reversed to recreate the original information. It only comes into play when lost Ecash is recovered and the bank has to verify that the resubmitted coins are identical to the ones it had previously signed.
Also the retailer will not necessarily know where the information it sells is going to. Usually, proxy servers are used to buffer packet traffic, in which case the shop does not know the individual user, but only the address of the server. For absolute anonymity, "re-payers" have been set up, proxy servers that bounce the transactions just like anonymous re-mailers.
Says Chaum, "other people say, yes, we know who you were when you came to our shop but we don't save that, or we don't use that for other purposes. This is very weak and unconvincing. This is the old paradigm of privacy enforcement based on law. This is nonsense, in my opinion, in the networked world where it's so easy for copies of data to flow all over the place. Ecash is one of the first examples of systems that allow you to do things without disclosing unnecessary information, so that other parties only have the needed information for the transaction but not extra stuff."
The one-way privacy of the Ecash system achieves an empowerment at the user's end, where the random factor and the serial numbers are created, and where all transactions are logged. If he wishes he can later reveal these numbers, irrefutably identify the recipient of any payment, or permit the coins to be stopped or traced. But once the coin has left the hands of the payer, no one but himself can link any of the records to each other or to him.
What happens if a computer with the Ecash client and the coins is stolen? The data are stored on the harddisk in an encrypted format, and the user has the option to protect them by a password which is, of course, highly recommended. But, even assuming nobody else can spend your cash, it is also lost for you. And what if a harddisk crashes?
The unfortunate person would re-install the client, find back the original secret random seed value and enter it again. The client software then recreates the exact same blinded coins that were used in previous withdrawals and resubmits them for signing by the bank. The bank can verify that they are the same by comparing their hash value to that of the previous withdrawal. Since the digital signatures are bi-jective, i.e. there's a one-to-one mapping from the things signed to the signatures, the bank returns exactly the same bits it had sent before. They will include coins that had been spent already. "The coins are ordered per denomination," explains Chaum. "Your software searches through for each denomination and find out what's the last coin that was spent so you know all the new ones that you hadn't spent."
If Ecash would be designed so that for every coin the user has to type in random digits, recovery would not work. With the secret random seed a person can recover their lost Ecash without compromising their privacy, and without creating any greater exposure to the issuing institution. The greatest danger is that of every password: writing it down on the back of a mouse-pad.
DigiCash does not intend to operate a bank itself, but licenses the technology to financial institutions. The company is talking to major banks, but compared to the credit card-based schemes their efforts are less visible. "A payment system," says Chaum, "is not something you can implement by guerilla technique. It needs to be generally accepted, and therefore has to offer something not only to the individual but to others as well, to merchants, financial institutions, and society at large. It's a chicken-and-egg sort of proposition. You can't sign merchants if you don't have enough users. You can't sign users if you don't have enough merchants. It takes efforts to build."
The Ecash system has been tested in a "monopoly game" simulation in which each participant received 100 "CyberBucks" for which she could buy teasers from real stores, read a South-African newspaper, look up entries in the Encyclopedia Britannica or play roulette. Over 70,000 people registered in the ongoing experiment.
Ecash left the beta-testing phase, when in October 1995 Mark Twain Bank  in St. Louis, Missouri, began providing a limited number of accounts for conversion from conventional money. By now, the system is fully operational. The Ecash denomination is US Dollars but the bank's multi-currency facilities allow transfers by check or wire from many countries. Merchants include used car dealers, health food and software houses, Internet providers and several online malls with dozens of shops, mostly in the US but also in Australia, Denmark and Sweden. Ecash users can buy music CDs, translation services, sunglasses, Australian sheepskin, or the services of a dating agency. There is even a market where Cyberbucks, the beta-test currency from DigiCash, are traded for real cash.
Mark Twain's Ecash system has been criticized for their not very friendly pricing policy. There are no charges for movement of money within the Ecash system. Only when money is moved between the regular bank account and the Ecash system, a commission is taken. In the case of Mark Twain, this can be up to US$ 3.00 for minting Ecash, and up to 5% for converting it back into Dollars. Additionally, a one time set up fee and a monthly basic fee is charged.
The second Ecash system went live in Finland in March 1996, supported by Merita Bank and operated by the Internet provider EUnet . Finland is the appropriate place for launching Ecash in Europe. It is the country with the world's highest ratio of Internet hosts per head of population. A very active national policy intends to propel the country into the information age, and it works from the minister of education teleconferencing one day per week from home via ISDN PictureTel, to cities like Oulu making all their public documents accessible on the Web, and structurally weak regions like Lapland where an extensive plan for creating online jobs has been launched.
"Everybody is skeptical, when you are dealing with money," says Jyrki Rikalainen from EUnet Finland, "therefore Merita Bank checked the system thoroughly to make sure it's bulletproof before they went for it." The Finnish banking system is already highly networked and was therefore ready for an all-digital payment system. Merita is the largest commercial bank in Finland serving three million personal customers and over 100,000 small and medium-sized businesses. It had already introduced its "Solo" payment system that allows online banking via a Netscape browser. Solo is based on SSL encryption (Netscape Navigator's Secure Socket Layer) and one-time passwords. Merita now also provides a "virtual ATM" from which users can withdraw money into their Ecash wallet. Patrons of other banks can also transfer money to the Ecash account. Different from the U.S. system, in Finland every participant can receive and spend Ecash, but, for now, only merchants can reconvert electronic to conventional money.
Another difference to Mark Twain is that Merita does not actually operate the Ecash mint. Rather, EUnet has one Merita account for all Ecash users, mints the coins, and clears the individual Ecash accounts. Rikalainen says it wasn't easy to fit the Ecash project into the existing financial structure. "The bureaucrats are on our side, but they still have to play by the rules of the established system. It wasn't easy since we are not a bank."
EUnet  was founded by the European UNIX Users Group (Europen) in 1982 to organize an Internet backbone for the (mostly academic) members of the group. It soon became clear that the backbone could just as well be used for providing commercial services. Today, EUnet provides Internet services to 450,000 customers with an estimated 2 million endusers in 42 countries on its own network infrastructure. In Finland it was the first commercial provider and services 55% of Internet users today. EUnet's business is Internet access, but they function as Ecash backer for the initial period because it helps them attract new Internet users.
Another motivation is a strong emphasis on privacy. According to Rikalainen, the Finnish launch has a lot to do with the dedication of Johan Helsingius, who comes from the old culture of net hackers and techno-libertarians and is the mastermind of EUnet Finland. 
At the end of August, there were more than a dozen shops providing services in Finnish Mark denominated Ecash, including weather information and screen savers, the Finnish Securities and Derivatives Exchange and Clearing House SOM offering real-time financial market information on stocks, options and futures, Yomi Media selling phone accessories, MTV3 Finland with its online shop, and the direct marketing service MicroMedia providing access to its database of Finnish decision makers. Opening soon are City Magazine and the newspaper Finnish Keltainen Porssi both allowing to pay for classified ads with Ecash, and a casino. The number of users will be announced when the Finnish system moves from pilot to production phase in fall 1996.
EUnet itself plans to make its Traveller service payable in Ecash. EUnet Traveller allows users travelling in currently 23 countries to dial a local number and pay for their Internet access via credit card. The problem of setting up an Ecash payment is to find a bank that would do the clearance in an appropriate currency. "It is still early for these clearance systems," says Graham Wilson from EUnet International in Amsterdam. Even a card company like American Express has a less globally-minded policy as one would expect.
A third Ecash pilot project was announced in May 1996 by Deutsche Bank . Deutsche Bank is the leading European bank, and one of the ten largest in the world with a profit of more than two billion DM in 1995. Like the banking world at large, it is eager to adapt to conditions of globalized competition and digitization. This includes an online-only bank called "Bank 24" currently running on the German videotex system T-Online that will also become accessible via the Internet.
The pilot project will go live in late 1996 within a closed user group. "Internet is a fairly new medium for our customers," says Mr. Thoma from Deutsche Bank, "and Ecash is an even newer medium. We see ourselves in a learning period for a market that enters into a totally new dimension." They expect to learn from the operating systems in the US and Finland, but also see differences regarding the target groups in Germany. Therefore, the pilot project intends to bring the supply and demand side for electronic commerce together and provide them with a payment system. Says Thoma, "we see Ecash which is directly specified for the Internet as an attractive solution because you can do everything online. It is well suited to the medium." Deutsche Bank is looking for participants - private users and merchants - willing to give feedback in order to determine how the new medium is received and accepted, and what specifications are desired by the customers.
Next in line might be Sweden, where Sweden Post that holds the accounts of over 75% of Swedish households has licensed Ecash. EUnet is also preparing Ecash systems in other countries and other currencies, including the Ecu. Then, also currency conversion will become possible.
Even the still fairly small group of Netizens lives largely in the material world. There, they need digital carry-on money. The solution becoming popular are smart-cards that contain not only a magnetic strip or a memory chip as with current telephone cards but a microprocessor. They can provide more sophisticated security and tamper resistance. Because it cannot be assumed that terminals are online, the validity of the card and the authorization of its user have to be checked locally in a dialogue between the buyer's smartcard and the security module of the POS-terminal. And smartcards can be recharged at special terminals or specially equipped public phones. Money turns into something you pull out of a vending machine, like soft-drinks, cigarettes, and condoms.
The stored money can be spend at point-of-sales terminals that store all transactions and upload them once a day to a clearing center. These systems are intended for payment of small amounts. In most schemes the smart-card can hold from 100 to 500 DM. Being a prepaid system like telephone cards the maximum damage is restricted to the value stored in the card.
Smartcard pilot projects of various designs have been started since 1995 in most European countries, including Belgium, UK, Austria, Germany, the Netherlands, Denmark, Finland, and Switzerland. Involved are (besides banks and credit card companies) retailers, telecommunications, and public transportation industries. Before they come into wide-spread use, an extensive infrastructure of terminals has to be installed. When German banks will start issuing smartcards nationwide in fall 1996, they announced that they will upgrade or newly install more than one million POS terminals.
Security in most of the smartcard systems is based on a personal identification number and a shared secret key residing in the card with a master-key in the security module of the terminal. The payment flow including personal information on the buyer are logged by the system provider. While there are some systems that use public-key encryption, it is again only a scheme based on DigiCash's technology that provides strong buyer anonymity and untraceability. 
The system is called CAFE (Conditional Access For Europe) and was developed as a project within the European Community's ESPRIT program. Thirteen partners from financial and networking industries and from research institutes in seven European countries formed a consortium chaired by David Chaum. Based on public-key encryption and the blind signature scheme of Ecash a smartcard and an electronic "wallet" was designed, a pocket-calculator-like device that reads the card, displays its content on an LCD screen, and has an infrared interface for contact-less transfers - point-and-pay. While the card can be used by itself, the wallet provides stronger protection against fake-terminal attacks by means of challenge-response techniques. .
On the Internet each payment is cleared immediately with the issuing bank. Checking for double spending is a straight-forward procedure. In the case of Ecash residing in chip-cards to be used at point-of-sales terminals the process is trickier. Since the off-line terminal cannot validate a payment immediately with the bank's server, money would be accepted assuming that it had not been spent before. Once a day the locally stored information is uploaded to the bank, which finds out that it received two coins with identical serial numbers. If the coins were, indeed, absolutely anonymous, the bank would have no way to learn who it was that had withdrawn them in order to make that person pay twice. Therefore, a scheme had to be devised whereby personal information is, in fact, stored in each coin, but becomes visible only in the case of double spending.
Chaum explains how this is done: "This is a really cute trick in my opinion. It's sort of hard to explain. The envelop is partly transparent, and the bank can look through it and see that your name is really in there. Let's say your name is written in there a bunch of times, but when you go and pay with the coin you only have to show parts of the coin. Those parts are chosen at random by the shop. One shop received a coin and sees a set of information, another shop gets a copy of the same coin and sees another set of information. It's only once both get send into the bank, that the bank sorts them and finds out they actually came from the same coin, because each set always contains some fixed part. One set of random choices does not contain enough information to reveal your name, but the combination with a second set almost certainly does reveal enough that you could piece it together and see who's name was in it."
The designers also envisioned additional functions of the CAFE card storing medical information and doubling as passport, driver's license or housekey. Card readers for PCs would make payments over the telephone or the Internet possible.
The CAFE project ran from December 1992 to November 1995, and is still in use on the premise of the EC headquarters in Brussels. About thirty organizations have joined a European Special Interest Group on the subject. The results have not yet been turned into an operational system, "probably because of unresolved patent issues." In early 1996 only a few countries such as Greece proposed to turn the CAFE approach into a national scheme. 
DigiCash's technology is also used in three other smartcard systems. "Facility Card" is used for access control, time and attendance systems, and payment in vending machines, POS terminals, copiers, telephones and game machines, and it also works online. Over 100,000 cards are in use in the Netherlands. "DyniCash" that is being tested extensively in Japan is a highway-toll collection system where the smart card is inserted into a dashboard unit and a microwave transceiver allows contact-less drive-by payment.
The "old Internet" as it grew from the US military-industrial complex was situated in an academic, economy-free enclave. It brought forth a culture that despised any form of commercialism. These days are gone, at the latest, since the National Science Foundation's backbone monopoly ended in 1993, and thereby its "Acceptable Use Policy" that had prohibited the use of the Internet for commercial purposes. US vice-president Al Gore's announcement of the information superhighway vision in September that year created enormous expectations for the electronic market place, but the lack of an online currency made for a reluctant start. The most successful businesses like magazines and search engines are financed by advertizing which still allows the enduser to move freely in information space and pick up whatever she wants. Also these days are numbered. With the spread of Ecash and other online payment systems, the net culture will change.
The fact that, different from credit cards, there are no fees for transactions made in Ecash makes it very easy to collect penny amounts for small chunks of information. "Low-value payments will be catalytic to growth in electronic commerce," writes Chaum. Online services that until now were offered in closed networks and based on subscriptions will become available on the Internet on a per-document base. Since it's so easy to attach a price tag on each text, picture or sound, we will see it not only on corporate sites with millions of hits, but down to the microlevel of private homepages. If you have something that somebody might find worthwhile it will be tempting to charge for it. The old Internet culture based on a give-and-take will be further marginalized. "The basic problem with actual existing, or any postulated idealisations of markets, and monetary systems in general, is that they tend to hook up all activity as the motor to drive profit. Any remaining 'non-productive areas of energy expenditure' are liable to annexation and subordination to the discipline of 'doing something useful...' Non-productive areas of enery expenditure are expunged, marginalised or conversely, used as attractive bait." 
Chaum's comment on the issue is this: "In the early days of the Internet there was a currency, a currency of reputation. If you look back and talk to people, this apparently was something that drew a lot of contribution. Of course, that currency becomes unviable as the net has grown. People cannot be recognized by all the other users on the net."
Also Finnish EUnet's Helsingius does not expect an imminent end of the Internet culture. "The fact that there will be lots of commercial services that we have to pay for is inevitable. There are already a lot of services taking credit cards. Of course, cash-like payments will change the situation. It makes it even easier to charge for minor services. There will still be a huge amount of free services, services sponsored by advertizing and so on. But next to it, there will also be services where by paying you get better or more service. I think it is a win-win situation where if you want something more you can get more by paying for it, but there will still by a lot of free services around."
Value-added freeware archives, MUDs, IRC channels offering celebrities - all services that are free today could be commercialized. Walls will be erected in the seamless net, regions sealed off that are accessible only for an entrance fee. Already, tools for PGP and anonymous remailers, and UNIX ports - software that would typically have been placed in public domain - are sold for Ecash. Helsingius sees this as a mere continuation of the old concept of shareware. "Instead of having to pay a hundred dollars for a piece of software, it's now OK to have somebody pay one dollar. If enough people pay, it would still pay off. People writing freeware and shareware have to be able to continue doing so. It was OK when the user community was small and everybody contributed. But now there is a huge number of users, the software is much better now, much easier to use. That is a huge amount of effort, and there has to be some way of sponsoring that. So I think it's pretty useful to have a mechanism by which you can pay even small amounts."
There are, of course, elements of grass root empowerment in Ecash, as well. Non-profit organizations can get support for their online work by collecting donations. Individual producers of software, texts or music can sell their wares directly to the user without going through large record companies, publishers or distributors.
DigiCash is also preparing qualified versions of Ecash linked to causes. For the confounded issue of children being exposed to pornography on the Net negative filtering solutions have emerged so far. DigiCash's approach is a positive selection of sites suitable for children. "We have something we call KidCash," explains Chaum. "That is just Ecash, but the only entities that can accept it as payment are approved shops. You can safely give your kids KidCash, and they can go out and spend it on the net, and you'll know that they can only spend it at certain sites. To the extent that there is cash on the net, bad content won't be just lying around for free. It's a different angle."
Like stores for pedagogically valuable toys and eco food, these will likely be phenomena at the fringes of the global super-malls and multi-media multi-nationals. Media history repeats itself. When in the 1920s radio moved from amateur to mass medium, it was regulated and "civilized," and individual communications use was put into a nerdish hook. Scarce bandwidth is not an issue on the Internet, therefore personal and group communications like email and newsgroups are not endangered. Still, the playfulness, the readiness to cooperate over causes, the happy dilettantism, the experimentation for its own sake will if not go away appear in a different light.
If this is the change of network tides, Chaum might be right in saying that it is necessary to take the offensive: "To me, Internet is not a done deal. It could be killed by the '500 channel guys,' or whatever. In order for the Internet to survive, I think, it has to gobble up television. In order to do that it must have that commercial dimension, otherwise it's going to be killed."
Since monetarization of network interactions seem inevitable, the question remains what kind of payment system will be able to establish itself as a standard. Will it be one on the centripetal power trajectory towards what Gilles Deleuze called a "society of control"; one where online money becomes another mechanism of nano-control, driven into the pores of the social fabric?
Or will it be part of the centrifugal tendency shifting power to the individual; one that has the privacy of cash and the security making it acceptable to banks and retailers without leaving a data trail?
Ecash is one of the rare cases where a new technology is endorsed by hackers and banks alike. On the one hand, one of the largest financial institutions in the world will start using it, and the European Commission awarded DigiCash with the "Information Technology European Award 1995" for its innovative methods and security concepts.
On the other, privacy watchdogs like the Electronic Frontier Foundation and the Electronic Privacy Information Center were among the early adopters of Ecash.
The German Chaos Computer Club, known among other things for proving that the home-banking protocols on the German videotex system are not secure and that credit cards are hackable, also finds Ecash worth supporting. They see it as, if not the best possible, than at least the best existing solution. What they would like to see added is a transfer option between users without an intermediary bank.
The German Forum of Computer Scientists for Peace and Social Responsibility (FIFF) welcomes David Chaum's DigiCash concept as "an attempt to develop and utilize anonymous transfer schemes. It thereby distinguishes itself from other schemes, that from the start view electronic payment traffic as source of new marketing data." Ingo Ruhmann from FIFF sees possible problems involving the traceability of Ecash by the bank and the security at the point of signature, during transmission and storage. "It is pretty daring," he writes, "to store larger amounts of electronic money on something so unreliable as a computer and to send it over networks; even worse to store Ecash on computers that are constantly connected to the net." He expects new forms of fraud. "Just think of teleshopping without delivery via intermediary servers in countries without consumer protection." Finally, Ruhmann points out that with an operational Ecash system the last hurdle is taken to establishing commercial information services on the Internet. "The end of the flood of information free of charge is foreseeable. The less financially strong will be excluded."
Ecash is the "best available system," but will it become the standard? As in the infamous case of the struggle between VHS and Betacam over setting a standard video format it might not be the better system that wins in the end. Only here there is more at stake than the image on our TV screens.
DigiCash and Ecash are registered trade marks.
1. David Chaum, Achieving Electronic Privacy, in: Scientific American, August 1992, p. 96-101; and: http://www.digicash.com/publish/sciam.html
2. Eric Bach, Steve Bellovin, Dan Bernstein, Nelson Bolyard, Carl Ellison, Jim Gillogly, Mike Gleason, Doug Gwyn, Luke O'Connor, Tony Patti, William Setzer et.al., Cryptography FAQ, part 06, ftp://rtfm.mit.edu/pub/usenet/news.answers/cryptography-faq/part0 6
3. see Wired 1.2, p.54 and 2.11, p.126
5. At least in the first round. For the ongoing attempts to establish Clipper as international standard see the EFF's key escrow archive at http://www.eff.org/pub/Privacy/Key_escrow/
6. Cryptography FAQ, part 06
8. David Chaum, "Achieving Electronic Privacy", op.cit.
12. see http://www.race.u-tokyo.ac.jp/RACE/TGM/Texts/remailer.html
14. Phil Janson, Michael Waidner, Electronic Payment Systems, SEMPER Activitiy Paper 211ZR018, May 1st, 1996, p.8
16. Arnd Weber, The Development and Usage of Public Key Systems on Networks as a Social Process. An Overview with an Emphasis on Payment Techniques, in: WZB (ed.) Proceedings of the COST A3 Workshop "Management and Network Technology", WZB Discussion Paper, FS II 96-104, Berlin 1996
17. Matthew Fuller, SPEW. Excess and Moderation on the Networks, http://www.is.in-berlin.de/~pit/ZKP/spew.asc
Special thanks to Arnd Weber and Matthias Schunter.