[taler-marketing] branch master updated: better conclusion

[gnunet]

This is an automated email from the git hooks/post-receive script.

dold pushed a commit to branch master
in repository marketing.

The following commit(s) were added to refs/heads/master by this push:
     new 8037f88  better conclusion
8037f88 is described below

commit 8037f88f2bad1b233ce98b308900bec8664a8d86
Author: Florian Dold <florian@dold.me>
AuthorDate: Mon Mar 22 14:17:50 2021 +0100

    better conclusion
---
 2021-offline/offline.tex | 85 +++++++++++++++++++++++++++++-------------------
 1 file changed, 52 insertions(+), 33 deletions(-)

diff --git a/2021-offline/offline.tex b/2021-offline/offline.tex
index 3d6d39e..8f18eff 100644
--- a/2021-offline/offline.tex
+++ b/2021-offline/offline.tex
@@ -1,6 +1,7 @@
 \documentclass{article}
 
 \usepackage{url}
+\usepackage{enumitem}
 
 % The "Report on a Digital Euro" contains some discussion
 % about offline payments in Section 5.1.7.
@@ -18,6 +19,12 @@
 % should have anonymity: "However, this second type of digital euro would
 % exclude the possibility of anonymity for users."
 
+
+% We still need to mention the following issues:
+%
+% * Offline payments should be a fallback, not regular (migitate risks!)
+% * Payments with anonymity should not be "second class" citizens
+
 \title{Why a Digital Euro should be Online-first and Bearer-based}
 \author{Christian Grothoff \and Florian Dold}
 \date{\today}
@@ -44,21 +51,17 @@ can be fulfilled by operating these two types of systems in 
parallel:
 % * now *three* systems need to be maintained (cash, online CBDC, offline) CBDC
 
 The report does not discuss other choices of hybrid systems.  However, the
-choice is more arbitrary than it might seem at first sight: Bearer-based
+choice is more arbitrary than it might seem at first sight: bearer-based
 systems are not necessarily offline payment systems, and online payment systems
-do not need to sacrifice anonymity.
+do not need to exclude anonymity.
 
-We argue that a different hybrid system would be superior in fulfilling the
-requirements laid out in the ECB report:
-
-\begin{enumerate}
-  \item An online, bearer-based payment instrument with anonymity and income
-    transparency features \cite{chaum1988untraceable,chaum2021issue}.
-  \item A limited and optional offline mode for the first payment system
-  \item Physical cash as a fallback for emergency situations where
-    power outages or cyber attacks render a digital euro temporarily
-    unusable.
-\end{enumerate}
+We argue that operating a bearer-based payment system to complement an
+account-based CBDC in order to gain offline and privacy features is not a good
+trade-off.  Adding permanent, regular offline capabilities via the bearer-based
+payment instrument constantly exposes the CBDC to the severe issues inherent in
+offline-capable payment systems.  Instead, the offline mode of operation should
+be restricted to scenarios where it is actually required, which mitigates the
+risks.
 
 \section{Challenges of offline payments}
 
@@ -100,7 +103,7 @@ choices:
 There is no third choice. While there are minor variations how one
 could implement these designs (like blaming the merchant and forcing
 merchants to cover the double-spending cost), the list is basically
-exhaustive.  
+exhaustive.
 
 \subsection{Hurting security}
 
@@ -182,25 +185,41 @@ A CBDC that competes with cash by providing offline 
functionality
 has a higher potential of harming the use of cash than a CBDC that
 is online-only.
 
-\section{An alternative hybrid system}
-
-FIXME: Describe Taler's properties of income transparency and anonymity here
-
-Adding offline capabilities to a CBDC weakens it overall, while having
-physical cash as a non-digital fallback readily available strengthens
-the whole system. Trying to accommodate both necessarily (CAP!) gives
-you a hybrid that is not particularly good for either the online or
-the offline scenario.
-
-Given these drawbacks, requiring a CBDC to operate offline is of
-questionable benefit.  While having a single uniform payment system
-for everything has some estetic appeal, it only creates significant
-cost benefits if cash were to be abolished entirely.  As most central
-banks investigating CBDCs have publicly stated that their goal is not
-to get rid of physical cash, they should then drop offline
-functionality from their list of desired properties, and in fact
-recommend that the technical solution should not work securely in an
-offline-scenario.
+
+\section{Conclusion}
+
+While in some situations, offline payments might be a desireable requirement,
+adding offline capabilities to a payment system comes with substantial risks.
+The exposure to these risks should be limited by only resorting to an offline
+fallback mode of the payment system when actually required.
+
+% FIXME:  Probably this is not explained well enough
+Discouraging the use of the offline fallback mode can be easily achieved by by
+exposing the payee to counterparty risk.  In a system based on restricted
+hardware elements, the payee would bear the risk in case of a compromised
+hardware system.  In a system based on identifying offline double spenders /
+cheaters, the payee would bear the risk in case the offline double spender /
+cheater can't be found and held accountable.
+
+Preliminary results from a survey done by the ECB have shown that privacy is
+regarded as one of the the most important feature by participants among
+citizens and businesses.  Only providing privacy in the offline
+payment instrument would make privacy a second class citizen, especially
+as privacy is important in innovative online usages of a digital euro.
+
+Thus, our improved suggestion for a secure, robust and privacy-friendly
+digital euro would be the following hybrid:
+
+\begin{enumerate}
+  \item An online, bearer-based payment instrument with anonymity and income
+    transparency features \cite{chaum1988untraceable,chaum2021issue}.
+    Note that in this proposal, only one of the two parties (payer, payee)
+    needs to have network connectivity.
+  \item A limited and optional offline mode for the first payment system.
+  \item Physical cash as a fallback for emergency situations where
+    power outages or cyber attacks render a digital euro temporarily
+    unusable.
+\end{enumerate}
 
 \section*{Acknowledgements}
 

-- 
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.