1230 words, 4:50 min read

An Orwellian Dystopia

As more and more payments become digital, a key question for payment systems architects is how to preserve the privacy of their users. Without privacy, payments systems risk becoming surveillance systems for government agencies and for corporations. In turn these can be extended into control systems where third parties have the information to decide and control who has access to public and private services, based on whatever criteria they choose.

It sounds like an Orwellian dystopia, but the risk is very real - it is well within today’s technology capabilities to monitor everyone’s payments, purchases, subscriptions, donations, income and gifts, together with their location, travel patterns, online searches, email, phone, photos, gaming, reading, political, religious, medical, social media and face-to-face interactions.  If it can be done, it will happen unless circuit breakers and controls are put in place to prevent it.

Privacy Risks

In analysing this risk, a good place to start is to examine how payment systems today can be used to compromise an individual’s privacy. Bank account and credit card statements are obvious starting points – between them, they contain a detailed picture of an individual’s electronic payments and income. Open banking is opening up access to information in these accounts to third parties, and the amount of information in them is ballooning due to cash displacement by contactless cards and online bank transfers. Open banking is enabling new innovations and business models, but it also poses privacy risks.

Some examples:

1.) a parent giving their daughter £10 pocket money. This should be completely private and undetectable, no-one has any reason to know about this transaction, nor how the child goes on to spend the £10. If the pocket money is paid in cash, this privacy is preserved. However, if it is paid through online banking, both the parent’s and child’s bank record the transaction and the child’s bank records how the money is spent. If either has signed up to a service using open banking, then this information is available to a third party to use - which may be legitimate, and agreed to by the parent and child, but the information is no longer private to them. Do they fully understand the implications, how sure are they the third party will protect the data and use it only for the perceived purpose they claim?     

2.) a government tax agency making it easier for say, freelancers to calculate and pay their income and sales tax owed, if they give access to their bank account transactions to a government tax application. However, the tax application will see a complete record of the freelancer’s banking history, risking the freelancer’s privacy if the information is then made available to any other government department that wishes to use it.

Federated identity systems are also a risk to privacy. Examples are a government id, social media id, email id or bank id, where the same credentials allow logins to multiple applications. However, they may also be a means to link the data together from these applications. This privacy risk is similar to the risk of getting hacked if the same password is used over and over on different websites and mobile apps.

Super apps which combine multiple functions into one app such as search, payments, banking, travel, tickets, health, social media, shopping also are also privacy risks as they pool data and access to it in one place.

There is of course real value, convenience and innovation to be had from open banking, federated identity, and super apps, in particular great customer experiences and exciting new products, services and business models. Additionally, access to linked data helps law enforcers fight crime, including financial crime such as money laundering and sanctions violations.

However, payments data is also a liability for those who have to handle it. In particular merchants who process payments. They spend huge sums complying with requirements such as PCI and GDPR, and face massive fines if they get it wrong (e.g. British Airways was fined $230m recently for a sophisticated hack of card data from its website). Data is a double-edged sword for many companies, where the compliance cost and downside from handling it incorrectly can be in excess of any upside from the customer insight and convenience it brings.

Privacy v Customer Experience

Unless privacy protection is designed into new applications, including payment systems, it becomes an afterthought and ends up as a compromise between privacy and customer experience. This is similar to security where there is often a trade-off between secure applications and customer experience.

However, the need for a balance between privacy and customer experience (and between security and convenience) is a false narrative spread by vested interests, in particular by commercial companies who want unfettered access to consumer data. It is common to hear from them comments such as “we are in a digital age, it is inevitable everyone’s data will be freely available, those who worry about it need to get over it, privacy is dead”. This is pernicious, dangerous and self-serving - in reality no such balance is necessary between privacy and experience, they can co-exist provided they are designed in from the start.

Privacy Solutions for Payment Systems

So what solutions can be designed into payments to protect individual privacy?

Some examples/ideas:

1. Design digital cash to emulate the privacy (and other) features of physical cash (see my blog “Sleepwalking towards a cashless society”, Feb 2017)
2. Introduce privacy-dependent payments through payment schemes with appropriate rules – for example, payers tag a privacy level on a payment which any third party with access to the data has to respect, restricting who, how and when the data can be used
3. Enable data-less payments, especially for low value transactions – if there is no, or little payment data, there is no, or little data to hack or abuse
4. Enable self-sovereign identity where individuals control their own identity, information and relationships without giving up personal information every time they access new goods and services and without the risk of their identity being stolen by hackers.
5. Make payments data and identity programmable – smart contracts which control how and where payments and identity data can be used, and which automatically delete data after use, after a specified archive period or self-destruct if accessed illegitimately.
6. Embed payments sousveillance (“watching the watchers”) and countersurveillance into applications where consumers are able to see who has had access to their data and when – again, smart contracts which self-report back to the individual where and when their data is used.
7. Adopt censorship-resistant blockchains for payments which encrypt data to keep it private – as pioneered by the Zcash and Monero blockchains.

Privtech v Big Brother

Just as technology makes surveillance through payments systems possible, so it can be used to ensure privacy. I have suggested just a few ideas here, but I expect a whole new industry of privacy technology, or “Privtech” will materialise, building sophisticated solutions to protect our privacy while enabling frictionless customer experiences.

Privacy is a human-right. It is critical that privacy is protected, and that payments systems are architected to protect privacy. Without it, we risk unaccountable state surveillance and uncontrolled commercial exploitation of personal data – an evil world where, to quote Orwell, “Big Brother is watching you”.