CBDC as a Privacy Catalyst
In the CBDC world, there is a popular opinion that a CBDC might centralize consumer data collection in a single ledger. This is because, in some configurations, all transaction data is stored in a single ledger, controlled by a single party (the central bank), and consumer privacy risks seem higher than when consumer transaction data is stored in multiple ledgers at multiple financial entities. This argument sounds logical, but the reality is quite different. Whatever path the digital evolution of finance will take, privacy and security will remain priorities for all stakeholders.
Over the years, consumer privacy deteriorated despite the best efforts by the government, privacy advocates, enterprises, and consumers. Consumers in many nations have created an average of over 300 online accounts, transacted mostly online, and seldom use cash. They have learned to trust hundreds of enterprises to adhere to best-in-class privacy and security procedures with data stored in their own systems and ledgers. Many new privacy laws have been passed and enterprises are expected to comply with these laws. The intent of these regulations is to put consumer and societal interests ahead of business interests and have required businesses to obtain SOC, PCI, and GDPR certifications or compliance with local laws. Despite best efforts by enterprises, government, and enforcement bodies, consumers do not feel their data and privacy are secure. Within the last year, there have been numerous data breaches from market-leading companies like Microsoft, Amazon, Marriott, Block, Facebook, and government organizations in Costa Rica, Russia, Ukraine, United States, impacting billions of consumers' data records.
Here are a few reasons behind the current situation:
- Enterprises have siloed databases/single ledgers of transactions. Just look at all data breaches from some of the world’s largest companies. Their silos were not secure. They are only as secure as we make them.
- Enterprise systems and business models are optimized for profit and compliance. Social media companies know a lot about us. They are happy to monetize our data, largely for targeted marketing purposes.
- Enterprises do "best-they-can" privacy and security procedures but are not tasked to build with security and privacy as core tenants. Compliance, security, and privacy investments are super expensive. Not every enterprise can afford to, nor will choose to, do all the right things.
- Adversaries/bad actors are two steps ahead of the enterprises and consumers. Consumer data is stored in too many silos. All bad actors need is one weak link on which they can capitalize on any given day.
- Balancing organizational compliance and consumer privacy is challenging. It is hard to balance regulatory support and user protection in large enterprises. Most of the time, regulatory support gets higher priority.
Consumer privacy outlook is at its lowest point within the last decade, even though one could argue that it is a human right. As we move towards a new CBDC system that necessitates centralized security policy, standards, and privacy as key tenants, the pertinent question is “what is the best way to handle privacy?”. This is a core system design issue that can, and should, be solved. Strong privacy policies, governance, legislation, and regulation can re-establish and reinforce the core privacy tenants at the national level.
Organizations like MIT’s DCI, BIS, Atlantic Council, and others are deeply engaged with security and privacy experts, government entities, and fintech leaders to design a CBDC system that meets all the following: best security from malicious actors, high throughputs at low cost, good privacy to consumers, and built-in governance models that enable configurable controls for ecosystem players.
CBDC technology, like any other software, can benefit from well-scoped requirements and design, high-quality implementation, incremental rollout, and ongoing optimization. Recent innovations in the CBDC market (venture capital investments, 100+ government and monetary authority pilots, blockchain technology maturity, powerful use cases that drive financial inclusion, and key cost efficiencies enabling large quantities of innovation) give us hope that consumer privacy will be adequately addressed and required by central banks worldwide.
Author: Baker Nanduru, Chief Product Officer, Bitt