A Market Model for Digital Bearer Instrument Underwriting

May 23, 1998
(Revised September 8, 1998)

By Robert A. Hettinga
Founder, Philodox Financial Technology Evangelism



About 3 years ago, after it was apparent that it was failing, I started thinking about what was wrong with the business model for DigiCash, David Chaum's company for marketing his blind-signature digital cash protocol. Actually, it was the underwriting model that Mark Twain Bank, DigiCash's first customer, was using for their ecash product that struck me as the heart of the problem.

It has become increasingly apparent to me ever since that nobody is paying attention to the way bearer instruments have been issued historically, much less why that model was successful.

The business model below shows how to implement the underwriting of digital bearer financial instruments in light of that long tradition, this time using the new financial cryptographic techniques on a ubiquitous geodesic global internetwork.



Shortly after Mark Twain Bank became the world's first internet issuer of DigiCash's ecash product, they caused considerable discussion on the net among aficionados of blind signatures because the Bank wouldn't reveal its reserve criteria for the ecash certificates it was issuing. I myself was upset, until I figured out why I needn't be.

If you thought about it from the standpoint of underwriting bearer securities to a primary market, Mark Twain was acting as both underwriter and trustee for the certificates they were issuing to the net. This means, as a financial risk, it didn't matter what a reserve account for the ecash outstanding had in it, because the entire bank was at risk for any single digital bearer certificate on the net. Full faith and credit, in other words. They were not obligated to say anything but "If you present the certificates, we'll honor them. They're backed by the full faith and credit, the assets, of the Mark Twain Bank."

Like American Express, when they "underwrite" traveler's checks while at the same time being trustee/custodian for the cash reserving those checks, Mark Twain was more than large enough at that stage of the game to underwrite any losses out of their own pocket if they wanted to. Something, unfortunately, they have had to do recently, because the underwriting model they were using failed utterly.

The first inkling this was going to happen was when Mark Twain had to cancel some ecash merchant accounts because the account holders were apparently merchants of internet pornography.

In the ultimate irony of internet commerce, the world's first, and still only payer-anonymous electronic payment system would be stillborn precisely because the merchants were selling something that nobody would admit to buying, much less having as a banking customer. The fact that internet pornography was, even at that time, a huge market on the internet (and is still probably the largest "software" market) could not be reconciled with what I called then the "Grundy" factor, named for the apocryphal Robert Heinlein character and Missouri resident, Mrs. Grundy, who was surely sitting on Mark Twain's board of directors at the time.

Frankly, this was not some Shakespearean fatal flaw, leading to the tragic death of financial privacy on the internet. It was a structural defect in Mark Twain's ability to underwrite digital bearer financial instruments; in this case, cash. The problem lay in the fact that users of ecash had to have any account at Mark Twain at all.

Ideally, it should have been possible for people to convert their money to ecash in and out of their own bank accounts, just like they can for paper cash. Accounts at banks which already had established good working business relationships with them in the first place, whatever business they chose to be in. More to the point, banks which are in complete compliance with the laws of their own physical jurisdiction.

That realization began my thinking about what I am now convinced is the right model for underwriting digital bearer certificates to the internet. First cash, of course, but eventually, as economic necessity permits, bonds, stocks, or any derivative thereof.



This was also the first time, I think, that I realized that privacy, qua privacy, was never going to sell strong internet cryptography, much less digital bearer settlement. I think Sameer Parekh's necessary conversion of Community Connexion, a "privacy enhanced" ISP, into C2NET, an importer of financial cryptography software, is a perfect real world example of this.

And, so, too, is the rapid acceleration of retail internet commerce, where virtually all of a currently annualized $10 billion in credit card transactions takes place under very simple 128-bit encrypted SSL sessions -- in some cases even less secure than that -- instead of more baroque book-entry protocols like SET. Or, even, Cybercash, which is, in general, a very well-designed system for handling otherwise credit-card-"settled" transactions. Though, you can't really call the internet execution of a credit card trade clearing, much less settlement.

Occam's razor rules on the internet, just like it does elsewhere, and the cost of a simple SSL session gets you the same result cheaper, probably even cheaper with SSL on a "MOTO" basis, than with SET's as-yet unfulfilled promise of "card-present" transaction pricing.



At about the same time as the "Grundy" debacle at Mark Twain, I came up with my now well-known comparison of cryptography to flight. Just like people died learning to fly, others died in the cause of privacy, as anyone who has studied cryptographic history from the ancients to Midway and Canterbury could attest. Privacy, like flight to some people, is an inherent good. However, there has to be an *economic* basis for increased privacy, or nothing changes. What sold flight-hours in the end was not "slipping the surly bounds of earth" at Kitty Hawk, it was the price of airline coach fare from Kitty Hawk to Dayton. Flying is simply the cheapest way -- including net present value of everyone's time -- to move people over any large distance.

And yet, for all the focus of attention on the privacy of ecash, and, more particularly, the "purer" forms of Chaumian blind signature digital bearer instruments, there *was* an economic argument for the adoption of digital bearer settlement technology like ecash. In theory, at least, ecash had the potential to be much cheaper than a comparable book-entry transaction, like using a credit card for simple payment, or even, possibly, for consumer debt itself.

Look at processing loads. Simply counting the 5 to 7 intermediaries in a credit card transaction's execution, clearing, and settlement versus the single intermediary in a digital bearer trade tells you which must be cheaper. This is the case even if the digital bearer transaction is done on-line, and a new bearer certificate was issued at every transaction. And, if the new digital bearer certificate remains in "circulation", out on the net in other words, instead of being exchanged for some form of book-entry money like changing a bank account balance, the cost saving is simply enormous.

Effectively, a digital bearer transaction without taking the money off the net, for all intents and purposes, is just the cost of microprocessing, which falls by half every 18 months, and bandwidth, which, believe it or not, is falling faster than that.

More to the point, it was the very *anonymity* of digital bearer transaction settlement that makes it so cheap. You could do business with a completely anonymous individual and they still couldn't repudiate the trade. More to the point, they couldn't repudiate it, right there, at the very time of execution, an enormous improvement on the typical, and still batch-settled, book-entry transaction.

That anonymity, whether you consider it to be an inherent good worth dying for or an unfortunate invitation to anarchy, represents the highest possible transaction security there is, and what reduces a transaction's cost the most. Absolute financial privacy is a byproduct of the efficacy of digital bearer settlement as a value transfer mechanism, not its primary cause.

In addition, there's the issue of storage. With digital bearer settlement, only one copy of any certificate is in existence at any time. It is either with the buyer, the seller, or, finally, the underwriter after spending. And, after a reasonable time, determined by the risk-adjusted or contractual lifetime of the instrument involved, the underwriter can just *delete* previously spent digital bearer certificates, because they have no information value to him whatsoever except to prove double-spending. There is simply no need to keep those huge volumes of past book-entries at the buyer, the seller, and the 5 to 7 intermediaries required to execute, clear, and settle the trade, all for 7 years -- or more -- after the fact.

All of this means, most likely, that you can do much smaller transactions with digital bearer settlement on the net than you can with any book-entry settlement mechanism, and, quite frankly, you can probably do larger ones as well, because they're several orders of magnitude less complex to do.

And, of course, we'll ignore for the moment the cost, socially and financially, of having to "hire" force from the local force monopoly, namely a nation-state, as the penultimate backstop to the repudiation of a book-entry transaction.

Now, there are other kinds of digital bearer transaction protocols out there these days besides Chaumian blind signatures, some more anonymous than others, some at higher risk for double spending than others, and some which even claim to be off-line, though I'm still not sure how that's possible, even after seeing the protocols written up in the literature. Nonetheless, I think the economics of the above still hold, in one form or another, for almost all digital bearer settlement protocols. As an aside, I think an offline digital bearer settled transaction protocol would even change the rules yet again, supplanting on-line transactions by reducing the cost almost as dramatically as simple on-line protocols will when compared to book-entry methods. However, at the moment, no one can see any way to make that possible, so the issue is moot for the time being.

Two Hypotheses

So, my current hypothesis that, on a risk-adjusted basis, a given digital bearer financial instrument will turn out to be 3 orders of magnitude cheaper than for an equivalent book-entry instrument is more a bet, really, based on what it would take to cause a phase-change in financial operations to digital bearer settlement. At least a phase-change equivalent to the one which replaced physical bearer delivery over book-entry settlement to begin with. I definitely think it's a bet worth making.

I also think that, as transaction settlement and clearing time tends to the instantaneous, the cheaper digital bearer transaction settlement technology will continue to get, relative to book-entry methods, until it completely supplants those methods somewhere near instantaneity.



So, let's go back to thinking about why Mark Twain failed in their attempt to bring digital bearer settlement to the net, and, even though very large banks are now signing up with DigiCash, why they still are treating their purchase of blind signature technology more as a hedge against the future than anything else. I think Deutsche Bank's reported million-dollar-a-month "call" option on an exclusive German blind-signature license is a perfect example, though I believe they've succumbed to actually purchasing a license now because it's probably a cheaper way to hold the option in the long term.

My claim at the time I came up with this model, and I still hold it now, is that there is no functional difference, from the viewpoint of financial operations and transaction settlement processes, between a physical bearer certificate and a digital one.

That is, the transaction behavior of digital bearer transactions is *almost* identical to physical bearer certificate transactions, except that you need the underwriter of the certificate to mint you, as the new holder of the certificate, a fresh one at the time of the transaction to prevent double spending.



This is a fundamental problem for almost everyone who talks to me about it, especially those who say that an asset can't be held in bearer *form* if you need to get a new *certificate* at each transaction. Notice, however, how I just made the distinction between the form the asset is *held* in, and how the certificate representing that form is *exchanged*. My claim is that if you possess a certificate representing a claim on an asset, it's still a bearer certificate even though the certificate has a single-use lifetime.

Somewhere along the line, I think that anonymity of exchange, and thus possession of the asset, is bound up in this, too. I've caught myself more than once saying "the more anonymous, the more bearer", though it sounds like something out of a Spike Lee movie.

I hope that's clear now, though I expect to get beat up by lots of people about it, not the least of which are lawyers, who have made a few peculiar distinctions of their own with regard to the word "bearer".

Obviously, you don't *have* to exchange a digital bearer certificate on every transaction, except that you run a (probably calculable) risk of that certificate not being worth anything when you go to spend it yourself. Under certain circumstances, like with bandwidth micropayment between machines which are physically linked to each other, at great relative cost to the transaction involved, repudiation through double spending is probably not going to be a significant issue. But, between perfectly pseudonymous *human* actors, especially if they don't know each other's reputation from Adam's, and who are executing a capital market transaction of significant value, it's probably a good idea to go get reissued certificates, one for the cash presented, and the other for the stock, bond or derivative certificate being bought or sold.

Furthermore, I have decided, for all intents and purposes, that this "exchange" step, this reissuing of a certificate to prevent double spending, is about as negligible in terms of financial operations as the inspection we all make, consciously or not, when we get a dollar bill in our hands in payment or change, and probably costs about as much.

When you make that conceptual step, the world operates under identically the same rules we have learned about money since the first bearer instrument was invented in Mesopotamia, thousands of years ago. More to the point, book-entry execution, clearing and settlement themselves start to look like an aberration instituted in the last 50 years because we couldn't figure out how to send a bearer certificate down a wire until 1985.
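The exchange step and the deletion of spent certificates described above can be seen together in a small mint model; this is an added example, not code from the essay or from DigiCash's ecash. It uses textbook RSA blind signatures with a constructed toy key, and the names `Mint`, `Holder` and `key_expiry` are hypothetical. It assumes a single denomination and that the mint refuses certificates after the key's lifetime, which is what makes deleting the spent list safe.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key from two known Mersenne primes; far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # the mint's private exponent


def digest(serial: bytes) -> int:
    """Map a certificate serial number to an integer modulo N."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


class Holder:
    """Wallet side: picks a random serial, blinds it, unblinds the mint's signature."""

    def new_request(self) -> int:
        self.serial = secrets.token_bytes(16)
        while True:
            self.r = secrets.randbelow(N - 2) + 2  # blinding factor
            if gcd(self.r, N) == 1:
                break
        # The mint sees only this product, never the serial itself.
        return digest(self.serial) * pow(self.r, E, N) % N

    def unblind(self, blind_sig: int):
        sig = blind_sig * pow(self.r, -1, N) % N
        return (self.serial, sig)


class Mint:
    """Underwriter side: signs blind, checks double spending, purges after expiry."""

    def __init__(self, key_expiry: int):
        self.key_expiry = key_expiry  # hypothetical lifetime of this signing key
        self.spent = set()            # serials seen so far: the only record kept
        self.outstanding = 0          # units on the net, backed by the reserve account

    def issue(self, blinded: int) -> int:
        """Sign a blinded request; the funding authorization is assumed done."""
        self.outstanding += 1
        return pow(blinded, D, N)

    def _accept(self, cert, now: int) -> str:
        serial, sig = cert
        if now > self.key_expiry:
            return "expired"
        if pow(sig, E, N) != digest(serial):
            return "bad signature"
        if serial in self.spent:
            return "double spend"
        self.spent.add(serial)
        return "ok"

    def exchange(self, cert, blinded: int, now: int):
        """Retire a presented certificate and sign a fresh one for the new holder."""
        status = self._accept(cert, now)
        return (status, pow(blinded, D, N) if status == "ok" else None)

    def redeem(self, cert, now: int) -> str:
        """Take value off the net at par (the book-entry payout is assumed)."""
        status = self._accept(cert, now)
        if status == "ok":
            self.outstanding -= 1
        return status

    def purge(self, now: int) -> int:
        """Drop spent serials once certificates under this key are no longer honored."""
        if now <= self.key_expiry:
            return 0
        count = len(self.spent)
        self.spent.clear()
        return count


def demo():
    mint = Mint(key_expiry=1000)
    consumer, merchant = Holder(), Holder()
    cert = consumer.unblind(mint.issue(consumer.new_request()))
    # The consumer pays the merchant, who exchanges on-line for a fresh certificate.
    first, blind_sig = mint.exchange(cert, merchant.new_request(), now=10)
    fresh = merchant.unblind(blind_sig)
    # The consumer tries to spend the same certificate again.
    second, _ = mint.exchange(cert, Holder().new_request(), now=11)
    redeemed = mint.redeem(fresh, now=12)
    purged = mint.purge(now=1001)
    # With the spent list gone, only the expiry check stops a replay.
    replay = mint.redeem(fresh, now=1002)
    return [first, second, redeemed, purged, replay, mint.outstanding]


if __name__ == "__main__":
    print(demo())
```
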



So, looking back at the vast experience we have with bearer settlement, how do we do *digital* bearer settlement in such a way to interoperate with the current book-entry settlement system, and yet capitalize on the massive cost reduction that digital bearer settlement promises us? First, let's look at the players in this market.


The first player is the consumer. This is the person who purchases a digital bearer certificate for some reason. In the case of a digital cash certificate, this person is buying a piece of digital cash from a financial intermediary, an underwriter, in exchange for some other kind of money, in order to effect a transaction on the net.


The merchant is a person who accepts a digital bearer certificate in exchange for something else. This person may be a commercial entity, trading with many unknown parties, who needs to be able to exchange the certificate for a new one, on-line with the underwriter, in order to prevent double-spending and reduce the risk of the transaction. Or, this person may be a friend, whatever definition for that you might want to use, who is willing to take an off-line transaction for whatever reason, including convenience or inaccessibility to the proper network. Caveat vendor, of course. Frankly, I would bet that the best way to keep friends is to exchange bearer certificates offline.

Of course, I hate the use of the words "consumer" and "merchant", except that the banking world understands them perfectly, like they do "underwriter" or "trustee" or "custodian". In the case of the words consumer and merchant we're all buyers and sellers of one thing or another in a geodesic economy, usually something like software, information, or opinions about that information and software. I believe that concepts of "wholesale" and "retail" are direct artifacts of an industrial distribution network hierarchy, but that's fodder for another discussion, which we'll have in a bit.


The underwriter is the entity which issues the certificates, and is fiduciarily responsible for exchanging them into other forms of money, in this initial case, a bank account change, but, someday, other digital bearer assets. The *second* most important thing an underwriter does is to verify that certificates outstanding on the net haven't been double-spent.

The *most* important thing an underwriter does is to market its certificates to the world. Which, if you look at an underwriter in the capital markets, is exactly its role: to create a primary market in a new security issue and to keep a liquid secondary market in it after the issue is sold. I expect underwriters to multiply like rabbits, as their function in a geodesic market is directly related to their costs of entry, which are in turn driven by Moore's Law, which, finally, creates diseconomies of scale on a ubiquitous internetwork. The original "mint" at Mark Twain was a used 486 machine, just to give you an example of the hardware cost of being an underwriter.


A trustee, or custodian, holds the money for the underwriter while it's on the net. Like bond trustees or mutual fund custodians, the trustee actually works for the "shareholders", the holders of the digital certificates, according to an agreement between the underwriter and the certificate holders.

In the early stages of digital bearer cash underwriting, the trustee is an actual bank of deposit, because that's where the most fungible assets can be found to collateralize the underwriter's reserve account. Also in the early stages, the trustee is the primary gateway to the rest of the "meatspace" financial system, and plays by *all* the rules there, or they can't exist at all.

I expect that, even in a completely bearer-settled world, a trustee in cypherspace will eventually be the closest thing around to a traditional bank of deposit, though they will collateralize the contents of the underwriter's reserve accounts with other digital bearer instruments instead of book-entry ones. While the underwriter is the direct financial intermediary, the trustee contributes mostly their reputation to the transaction, and, to that extent, is responsible for keeping things honest.

Since reputation attack is the only form of sanction in a digital bearer market, the trustee is the financial equivalent of a modern judge. Except, once they become pure net-based entities, they'll be driven more by pure financial economics than by government policy. In that sense, the market is the "police officer", and a very strict one, at that.

In the initial stages, the trustee/custodian will be a normal institutional trust bank, and if those kinds of banks shy away from such a digital bearer cash underwriter for any other reason than the novelty of the underwriter's idea, the underwriter is using the wrong operating model. It's the underwriter's obligation to present his operating model to the trustee in as familiar terms as possible, and not for the trustee to get up to speed on the underwriter's operations. As usual, novelty isn't an excuse for poor exposition.

There is no way to get exchangeability into book-entry assets without a genuine, fully regulated trustee bank, which, in my opinion, is why we don't have internet digital bearer settlement today. In the modern financial system, the larger and more reputable the trustee, the more digital bearer certificates a prospective underwriter using them can sell.

As we will see, perfect pseudonymity or anonymity on the net and biometric identity in book-entry settlement are perfectly compatible. Actually, they're completely orthogonal. The only required intersection is a book-entry collateralized "meatspace" trustee of some kind, with an internet connection in addition to its normal proprietary network connections to the rest of the financial world. And, as we'll see, the occupiers of that intersection will have a lucrative franchise.

When it eventually becomes more economical to "domicile" a digital-bearer collateralized trustee in cypherspace, then the world will have changed more than just its "know your customer" laws to get there. Until then, we can actually issue digital bearer certificates on the internet, collateralized by book-entries at any large institutional trust bank, which I will show in just a bit.

Inventors and Developers

For all intents and purposes, the consumer, merchant, underwriter and trustee are really all the financial entities necessary in a market for a digital bearer instrument. There may be other variants of the same classes, but all financial functions are covered in those four categories.

There are other, extrafinancial, entities required to make this work, of course. The principal ones, in terms of revenue, are the developers of the software for that market, like C2NET or BlueMoney, or OpenMarket, or someone new, say, like Ryan Lackey.

More important, there are the inventor(s) of the financial cryptography protocols, without which the markets wouldn't exist in the first place. People like David Chaum, or Mark Manasse, or Stefan Brands, or Ron Rivest or, now, Ian Goldberg with HINDE.

Developers can either sell their software direct to the users, or they can sell servers to the underwriters and the underwriters can give clients to their users.

Inventors can license their protocol to the market as a whole through the trustee. On the inventors' behalf, trustees can take royalties out of a percentage of the underwriters' interest earnings on the reserve account, or from the fees charged when some other asset is converted into the bearer instrument in question, or some combination of both.

With book-entry trustees, this makes patent enforcement cheap and easy to do, and, notice that you don't really *need* patents here. Even with bearer-collateralized trustees, the inventor of the protocol still gets paid.

In an eventual bearer-settled, and, most likely, perfectly pseudonymous internet financial market, reputable trustees, underwriters, and software developers will probably tend to partner with acknowledged protocol inventors, especially in the earlier stages of a protocol's lifecycle. This will be done in order to ensure that newer protocols are properly implemented, or to use the inventor's name as an endorsement, or for some other reason. We'll ignore, in this writing, the idea of recursive auction markets for information as a way to compensate the protocol inventor, and come back to it some other time. Having to think about geodesic markets and digital bearer settlement is bad enough.



It should be obvious by now that we're looking at a classic case of Metcalfe's Law here: The more entities there are in a market/network the more robust and valuable it is. Accordingly, the reader should imagine a many-to-many universe of interdependent underwriters, trustees, software developers and protocols, all in competition with their peers to offer the best price, collateral, reputation, quality of execution, and so on. The idea is to create a ubiquitous geodesic capital market composed of efficient, instantaneously cash-settled auctions of fungible, risk-graded, digital bearer financial instruments, or network services, or even physical assets.

The more the merrier, in other words.

Now all the above seems to be at odds with what people commonly call financial disintermediation. People think of disintermediation, like what Fidelity did to the local bank and brokerage office, and what large nationwide banks seem to be finishing in a recent spate of vertical integration, as a process where intermediaries are removed. Everyone goes to, in the wildest financial aggregator's dream, a single entity where all trades are executed for all securities.

Certainly, the old "salesman selling to salesmen" hierarchical distribution channels of financial assets are going, if not gone altogether, and, in that sense, markets are getting disintermediated.

The idea of a single, giant, "intermediary in the sky" is really not possible in a world of geodesic networks and Moore's law. No single processor can handle the load of even small active markets. That's why Moore's law creates geodesic networks, not hierarchical ones.

What will probably happen is in fact disintermediation, but with lots of *small* financial intermediaries operating directly between buyers and sellers just like that aggregator's dream intermediary does, but because of Moore's law, they'll be "speciated" by market niche: type of customer, transaction, security, what have you.

Microintermediaries, in other words. Someday, lots of small underwriting "bots", swarming around a particular security issue, directly linking buyers and sellers with bearer certificates.



So, let's see how this all works for digital bearer cash "notes", from the bottom up, starting with the invention of a new digital bearer settlement protocol.

Inventing the Protocol

The inventor invents a digital bearer certificate protocol. He announces it, patents it if patents still exist (this model works without them, as I've said before), lots of other cryptographers vet it, and it works. Simple unless you know how, to torture the cliche.

Marketing the Protocol

The inventor and interested developers work out how to implement the protocol into code. At that point, the inventor could charge to certify implementations of the code, which, I would think, will be more necessary in the early public acceptance of a new protocol than afterward. As always in geodesic recursive auction markets for innovation, new stuff makes the most money, and usually for the person who makes the new stuff.

So, inventor makes deals with developers, the developers make deals with underwriters, and underwriters make deals with trustees. I expect that developers and underwriters would make deals with the inventor and the trustee would monitor and execute royalty payments, because the startup and royalty compliance costs on a given protocol would be lower to the underwriters and developers, and the total return on a successful protocol would be higher to the inventors.

Marketing Digital Bearer Instruments

Many different underwriters go out onto the net and start offering certificates representing different kinds of digital bearer financial instruments using the new protocol. For the time being, however, we're talking about cash. We'll handle other securities shortly, as the extension of them from the base case of cash is trivial.

"Primary" Market

The consumer buys, from a software developer, or is given by an underwriter, a "wallet", a client application, which allows the storage and disbursement of the digital bearer certificates. Wallets are universal probably only on a protocol basis, but "wallets" might be just plug-ins to some other financial program.

So, the consumer goes to a secure web page. Think of this web page, and the minting server behind it, as the equivalent of an automatic teller machine. The consumer's account information is probably blinded, something like the Cybercash transaction "tunneling" protocol, so that not even the underwriter, or even the trustee, sees it, as it goes through the trustee and onto the ATM network for authorization.

Mechanically, if the consumer's machine has a card swiper, she swipes a card and enters a PIN number. She could store this information encrypted on her hard drive, and just type a passphrase to release it. She could have all this on a smart card. She could have it on a bigger, more secure device of some kind. However it eventually works, software and hardware vendors will build what consumers, underwriters, and trustees want to use, and so it seems safe to fiat the mechanics here for our purposes.

So, the request and authorization for cash goes over the net, encrypted and blinded, through the underwriter, the trustee, and the ATM network, to the consumer's bank. The consumer's bank sends an authorization message back to the trustee, who tells the underwriter, who disburses digital cash certificates in the amount of the consumer's request.

This is all done for whatever fee the underwriter charges, in the same way traveler's checks are sold at a premium at the time of sale, or, as an interesting initial price point, "foreign" banks are charged for non-customer ATM withdrawals.

In some future scenario, probably both the consumer's bank and the trustee would be on the net, so the transmission authorizing disbursement to the underwriter could go over the net itself. The bank and the underwriter settle with a fed funds wire. Which, of course, someday, could go over the net as well, through some clearinghouse there, though it's a simple step from that to a totally bearer-settled transaction, and, while we're at it, a digital bearer collateralized trustee.

However the background book-entry, or other, authorization, clearing and settlement happens, the underwriter then issues the certificates to the consumer in the desired denominations. The money from the consumer's bank, plus fees, goes to the underwriter's account at the trustee bank, collecting interest, payable to the underwriter, until the money comes back off of the net someday, payable to "redeemers" at par, the stated value of the redeemed certificate.

Purchases on the Net

The consumer then buys something on-line from a merchant, or, possibly, off-line from another consumer. Or, more rarely, as time passes, from a merchant who can't afford the security of an on-line transaction, and believes the risks are worth it. Remember what I said before about caveat vendor and trusting your friends, however...

The merchant, as a new certificate holder, can then spend the cash certificate somewhere else, this time for free, because the longer it stays on the net the more interest it earns in the underwriter's reserve account, at minimal underwriter transaction cost.

Or, the merchant redeems the certificate, again, at par, through the underwriter, who in turn has the trustee wire the money to the merchant's bank, and so forth, in the exact reverse of the process which got the money onto the net in the first place.

What's really great about this is that, for the first time, it makes sense to accept a cash deposit from a "foreign" bank, in this case, the trustee. This was problematic in the case of physical cash, and, in the case of a check deposit, functionally impossible because of the cost of handling all the paper involved.



Notice a few things about the mechanics of the model. First, everyone who puts money onto the net, or takes it off, is identified to the complete satisfaction of government regulators everywhere. Digital bearer cash is treated just like physical cash in the eyes of regulators, and is subject to the same regulations. There is no functional difference between a digital cash underwriter and an ATM machine.

To look at it any other way is to mystify the technology at the risk of your own profit, either as a member of the banking status quo, as a member of the regulatory community, and, especially, as a member of the "cypherpunk" financial cryptography community.

Digital bearer cash, put into purely financial terms, becomes a fully-collateralized (for the moment, anyway) digital bearer banknote, which, in turn, is a loan of principal from the purchaser of the note to the issuer in exchange for a liquid, fungible asset. In terms of financial operations, it can also be seen as the equivalent of an anonymous traveler's check, which can be redeemed on the net at no charge for another anonymous traveler's check, or it can be redeemed off the net, also at no charge, for a non-anonymous change in a bank account balance somewhere.

The issues of deliberate anonymity can be misleading unless explained in terms of security. As I've said before, the very things which make digital bearer certificates so secure are the things which make them anonymous. They are so secure, in fact, that biometric identification of the trading parties is a significant unnecessary cost.

A simple digital signature, and its reputation, is enough. In the case of cash, the digital signature doesn't even have to be "certified" anywhere, either, because exchange protocols prevent double spending at the point of exchange itself. If you show up at the mint with double-spent money, you only have yourself to blame for it, in other words.
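The on-line exchange described above, sketched as an added example that is not part of the original essay or any issuer's code: a textbook RSA blind signature plus a spent-serial list at the mint. The `Mint` class, the helper names and the toy key are assumptions made for illustration.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key built from two well-known Mersenne primes.
# Illustration only: a real mint needs a vetted library and proper key sizes.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # the mint's private signing exponent

def digest(serial: bytes) -> int:
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N

def blind(serial: bytes):
    """Holder side: hide the serial from the mint before it is signed."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return digest(serial) * pow(r, E, N) % N, r

def unblind(blind_sig: int, r: int) -> int:
    return blind_sig * pow(r, -1, N) % N

class Mint:
    """Hypothetical underwriter: signs blinded notes, keeps a spent-serial list."""
    def __init__(self):
        self.spent = set()

    def issue(self, blinded: int) -> int:
        return pow(blinded, D, N)  # the mint never sees the serial it signs

    def exchange(self, serial: bytes, sig: int, new_blinded: int) -> int:
        """On-line exchange: retire one valid note, sign a fresh blinded one."""
        if pow(sig, E, N) != digest(serial):
            raise ValueError("bad signature")
        if serial in self.spent:
            raise ValueError("double spend")
        self.spent.add(serial)
        return self.issue(new_blinded)

def new_note(mint: Mint):
    """Withdraw one note; returns (serial, signature) as held by the bearer."""
    serial = secrets.token_bytes(16)
    blinded, r = blind(serial)
    return serial, unblind(mint.issue(blinded), r)
```

A second `exchange` call with the same serial and signature raises `ValueError("double spend")`. The refusal happens at the mint and needs no identity for either party, only the note and the spent list.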

Using the model, you can now see the world of digital bearer settlement in very interesting terms. For instance, most proposed players in the digital bearer cash business are trying to wear too many hats. Underwriters who are also trustees, protocol inventors developing software, merchants who are software developers.

The result, in terms of Metcalfe's law, is pretty obvious. By not subdividing and distributing the transaction risk, you cheapen the value of the network to anyone who wants to use it.

Admittedly, in the early days of DigiCash, they had no choice, because what I claim is the primary component in the blind signature protocols' success, a ubiquitous public --and commercial-- internetwork, didn't exist. DigiCash was forced to try to bootstrap all the components of underwriting digital bearer certificates, including all financial intermediaries and developers. They had to, at one point or another, try to be underwriter, trustee, developer and inventor all at once.

I'm sure, when they thought about what would happen if it all actually *worked*, if DigiCash could manage to control *all* those roles in some kind of glorious industrial, vertically integrated fashion, it made their stockholders' mouths water. It probably still does, though it's probably the source of the cruel joke going around about the greater fool theory of DigiCash stock.

In point of fact, there is no "central chokepoint" in a geodesic network and the markets which will eventually inhabit it. No "top" of a transaction hierarchy where all the economic rent goes. The network can process many more transactions than a single entity, a single network node, can ever hope to handle. To, once again, paraphrase Gilmore, a geodesic market sees monopoly as damage and routes around it.

Yet, you need to have points of access to the proprietary financial networks of the status quo, and those are, for the moment, banks. However, banks simply cannot operate on the internet as purely transnational, net-based, financial entities offering instantaneous -- and especially anonymous -- clearing of cash-equivalent transactions. Their officers would go to jail, in the worst case scenarios, and, even in the best, they run afoul of the occasional Mrs. Grundy, like Mark Twain Bank did.

So, in order to get into the market for digital bearer certificates, banks of deposit have to develop some kind of symbiotic customer relationship with digital bearer underwriters, businesses who are, in fact, purely net-based, and who can profitably deal with their customers anonymously.

And, by hooking an underwriter up to a bank operating as a trustee/custodian in this fashion, you get a device similar to a sailboat, moving itself around on the boundary layer between book-entry and digital bearer settlement, between "meatspace" and "cypherspace", with a "foil" in each fluid. Digital bearer settlement gets exchangeability, and, only at that exchange, loses anonymity for those exchange transactions. Oddly enough, this loss of anonymity at the "ancient interface" between the "air" of the internet and the "water" of current finance is more than enough accountability for the most stringent regulators, including FinCEN. Just by obeying all the laws for withdrawing and depositing cash through an ATM, for instance, book-entry financial institutions gain interest and fee income midwifing a digital bearer economy on the internet.

Unfortunately, the current terms of the blind signature license, as sold by DigiCash, are almost certain not to reflect this at all.

DigiCash's current strategy, which can be ascertained pretty well by watching the deals they've signed and by listening to their principals speaking in public, is one of seeking out the largest bank in a given national banking system and selling it a monopoly for that monetary system, à la Nobel's dynamite cartel, or any other of the nineteenth century. And, as such, it is doomed to failure if the model we're discussing turns out to be the right one.

Unless, of course, those banks see themselves in the capacity of trustees, and are in fact allowed to sublicense their use of blind signatures to any and all underwriting customers -- and all developers, for that matter -- something which is unlikely to happen.

The Wright Brothers' only seeming strategy, prior to a massive infringement by Curtiss (who, by infringing, paradoxically made them more money in court than they ever would have earned otherwise), was to try to sell to governments, probably because they had the most money. The problem was, the airplane, to a government -- and particularly one in peacetime -- was just a military novelty. It's interesting to note that all significant innovation on the airplane after the Curtiss/Wright merger occurred outside the US, and especially after hostilities broke out on the European continent. American airpower, as a technology, was non-existent in World War I.

In the same vein, DigiCash has been reduced to selling a novelty financial technology, a toy for large banks, instead of something which could have profound impact on the global financial system by drastically reducing transaction costs. This comes from trying to sell, in the privacy-as-flight analogy, the dream of "slipping the surly bounds" of government, or now, apparently, even private surveillance, instead of concentrating on the "coach fare" of lowering transaction cost.

Probably the most important thing I can say here is that the people who are doing most of the significant innovation in financial cryptography today are not paying attention to the financial side of things, except from the standpoint of pure security.

They do understand that merely moving book-entries across the internet under encrypted pipes is a completely trivial exercise, as evidenced by the current triumph of SSL over SET, supposedly the protocol nobody could refuse. However, they do not realize the true economic value of the technology they are currently developing.

More to the point, they do not realize the central paradox of financial cryptography, that any transaction protocol secure enough to enable anonymous transactions also represents an effectively qualitative difference in transaction cost. Like the early aviation pioneers, they concentrate more on lift and maneuverability, (that is, privacy) and not on drag or speed (transaction cost). As any F18 pilot will tell you, reduced drag has its compensations.

Once financial cryptographers concentrate on transaction cost as a significant variable, then the true promise of digital bearer settlement will be realized, in the same way that NACA streamlining revolutionized aviation in the 1920's and '30's.

In the same vein, the financial community should realize that, through all the fog created by claims about amazing security and privacy, most of the strongest financial cryptography protocols these days are in fact a digital form of bearer settlement. This is a financial technology which the capital market has a recent and intimate memory of, and one which has many methods which can be used almost completely off the shelf to great effect.

An underwriting model for these digital bearer certificates will probably look more like historic models for physical bearer certificates than anything we can invent short of a breakthrough in genetic programming -- or another 5,000 years of financial evolution.

Copyright, 1998, Robert Hettinga
All rights reserved.
Not replicable without permission. (Make me an offer, in other words.:-))

Philodox Financial Technology Evangelism
44 Farquhar Street
Boston, MA 02131
(617) 327-6143