Three ways to have anonymous CBDCs

Central Bank Digital Currencies (CBDCs) are on everyone’s agenda.  Nations big and small are studying their advantages and disadvantages, examining retail, wholesale, and hybrid models and even deploying functioning systems.

In future, it appears that CBDCs will co-circulate with cash, at least for a while, and then eventually replace cash.  CBDCs are better than cash in many ways, including in the execution of monetary policy and the making of overseas remittances.  However, the big downside of CBDCs is their lack of anonymity: ensuring transaction privacy remains cash’s big advantage.

Any type of money that requires a ledger, be it centralised or distributed, does not provide anonymity to the user.  Even if the ledger does not require a user’s identity, it will record the transactions of the user that can be used to track him or her down.  This was seen in the case of bitcoin and the Silk Road darknet website, which was shut down by US federal agents in 2013.  And current CBDCs, as in China and the Bahamas, make no claim of full anonymity in transactions.  So, is anonymity even possible with a CBDC?

I think there are three ways to design a CBDC that at least approaches the anonymity of cash.

The hardware model

If anonymity is achieved by not needing remote approval for a transaction, then a hardware solution might be the way to go.  An example is the Mondex Electronic Purse that was launched in the 1990s in Britain.  This system involved a smart card that was a self-standing value store.  It required no connection to a central ledger to approve or execute a transaction, making the transaction non-trackable.  Here’s how it worked.

Using an ATM, phone, or device at a bank, a user transferred money from his or her bank account on to the card, where it was held as a Mondex value equivalent.  The value was stored in the card’s microchip, which also held the required programs and security to transfer funds to point of sale terminals or other Mondex cards.

At a merchant, a user would insert his or her card into a point of sale (PoS) terminal and authorise the transferral of a certain amount of value.  The amount would then be moved from the chip on the customer’s card to the retailer’s chip.  This was done without going onto an electronic network to verify either the customer or his or her bank balance: the Mondex hardware was all that was necessary to complete the transaction.  Value could also be transferred from one Mondex card to another using a password-protected Mondex wallet.

A CBDC could certainly be deployed using the same principles and using a smart phone instead of a chipped card.  In fact, a new company, WhisperCash, is developing the Mondex model for use in a CBDC application.

The timed-erase model

But, speaking of cards, the London Underground’s (Metro’s) Oyster card provides another model for a CBDC with at least partial anonymity.  The Oyster card is a smart card (it also exists as a phone app) that one loads with value.  Like a number of such cards around the world, you touch the card to a reader as you enter the system and again as you leave.  The card then accesses a central ledger to calculate your fare and deduct it from your account.

This account can be anonymous if you do not register your card.  However, this is really a form of pseudo-anonymity as a particular card is always identified in a transaction.  And, no doubt, a particular card can be eventually connected to its owner.

But there is another way for the Oyster card to serve as a model for CBDCs.  According to David Birch, the card has a unique way of handling transaction data.  The card’s journey and transaction history is held for only 8 weeks, after which it is erased.

This temporary retention of transaction data is a trade-off between the benefits of anonymity and identity.  Holding the data allows people who have registered their Oyster cards (created an identifiable account) to replace a lost card. It also gives the police the ability to track who was in a station in order to investigate crime, at least for a limited time.

Ideally, to maintain anonymity, no record of transactions should be kept. For a CBDC, all records of a transaction should be deleted from the central or distributed ledger once the transaction is concluded.  However, a time-limited retention of records would allow for the flagging or tracking of money laundering or terrorist funding.  It would also allow a consumer to challenge or reverse a transaction within a certain period.

A timed-erase CBDC would be an acceptable compromise for many.
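
The trade-off described in this section, as an added sketch that is not taken from the article or from any real CBDC or Oyster system: a ledger keeps balances indefinitely but erases each transaction record after the retention window, so flagging and reversal only work while the record exists. The class and function names and the 10,000 flag threshold are assumptions made for illustration; the 8-week window is the Oyster figure cited above.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

RETENTION = timedelta(weeks=8)  # retention window the article cites for Oyster
FLAG_THRESHOLD = 10_000         # constructed threshold for a "large" payment

@dataclass
class Tx:
    tx_id: int
    payer: str
    payee: str
    amount: int
    at: datetime

@dataclass
class TimedEraseLedger:
    balances: dict = field(default_factory=dict)
    history: dict = field(default_factory=dict)  # tx_id -> Tx, erased by purge()
    next_id: int = 1

    def pay(self, payer, payee, amount, now):
        if amount <= 0 or self.balances.get(payer, 0) < amount:
            raise ValueError("invalid amount or insufficient funds")
        self.balances[payer] -= amount
        self.balances[payee] = self.balances.get(payee, 0) + amount
        tx = Tx(self.next_id, payer, payee, amount, now)
        self.history[tx.tx_id] = tx
        self.next_id += 1
        return tx.tx_id

    def flagged(self):
        """Large payments a reviewer can still see (only inside the window)."""
        return [t.tx_id for t in self.history.values() if t.amount >= FLAG_THRESHOLD]

    def purge(self, now):
        """Erase every record older than RETENTION; balances are untouched."""
        expired = [i for i, t in self.history.items() if now - t.at > RETENTION]
        for i in expired:
            del self.history[i]
        return len(expired)

    def reverse(self, tx_id, now):
        """Undo a payment while its record exists (payee may go negative here)."""
        self.purge(now)  # enforce the window even if no scheduled purge has run
        tx = self.history.pop(tx_id, None)
        if tx is None:
            raise LookupError("record erased or unknown; cannot reverse")
        self.balances[tx.payee] -= tx.amount
        self.balances[tx.payer] += tx.amount
```

Once `purge` has run, the ledger can no longer say who paid whom, which is the anonymity gain; the same erasure is what makes a late dispute or a late investigation impossible.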

The Zcash model

Can CBDC anonymity problems be solved using the Zcash model?  This is suggested by JP Koning in his paper, “Approaches to a Central Bank Digital Currency in Brazil.” Here, he presents the alternative of a Hybrid Money (MoedaHibrida), built on a blockchain, that has both a ‘shielded’ and an ‘unshielded’ mode.

Zcash tokens allow the user to conduct shielded (confidential) transactions by not disclosing addresses.  Zcash does this through a cryptographic technique called zero-knowledge proofs, which allows transactions to occur without revealing the parties or the amount involved.  However, a Zcash user can also decide to conduct an unshielded transaction, with all the information in the open.

Koning’s MoedaHibrida tokens could be purchased at businesses and banks without an account or KYC procedures.  However, large transactions in tokens would be flagged (unshielded), as now happens with large transactions in cash.  Unshielded tokens would provide for transactions that could be tracked on the blockchain.  And, since no identity verification was needed to buy the tokens, a pseudo-anonymity would be provided as transactions are not directly traceable to an individual. However, transactions made with shielded tokens would be fully anonymous and untrackable, like cash.

The downside for users, intended to discourage illegal activity, is that shielded tokens would incur a negative interest rate of 5% per annum. Meanwhile, fully visible, unshielded MoedaHibrida would receive a positive interest rate. This system would therefore reward open behaviour.


As we have seen, there are ways to have anonymous CBDCs.  But there are trade-offs involved in having a digital equivalent to cash.  With the hardware model, one bears the cost and possible inconvenience of the equipment involved.  The timed-erase scenario gives anonymity, but only after the issuer has had a chance to review your transaction.  Full anonymity is possible under the Zcash model, but it will cost you extra.  Future ideas for anonymous CBDCs will have to wrestle with all these trade-offs.

Franklin Noll is a historian of the technology of money, from banknotes to cryptocurrency