Mondex International, the electronic cash vendor, is leading a double life.
While Mondex promotes its electronic cash scheme as private to users, it tells government organisations, such as the tax authorities, that it is auditable.
In an internal memo the company advised its Canadian licensees of the "significant risk" to the electronic cash system's creditability if privacy campaigners discover that the system is auditable.
With Mondex, electronic credits are downloaded from a bank to a microprocessor on a user's smart card. Users can then buy goods or services with these credits by transferring them to a merchant's card at a store. The merchant then cashes these credits at a bank.
The strength of the system is that it transfers electronic credits from the user's microprocessor to the merchant's microprocessor, and unlike credit card systems, it is not run by a central computer program. Therefore, as with cash, each transaction is not stored, allowing Mondex to offer a modicum of privacy, company officials say.
However privacy organisations in both in the UK and Canada, where Mondex has run extensive trials, are disturbed by the company's claims to privacy because users' cards store the last 10 transactions, and merchant cards store the last 300 transactions. When each card comes in contact with the issuing bank's computer systems, it downloads the customer number, date, and amount of each transaction. These records can then be compared with each other.
Privacy campaigners argue that the company's choice of 10 transactions for a user's card and 300 transactions for a merchant's card will give Mondex a record of about 90% of all transactions.
"Think about it, how many times you use cash between trips to the ATM (automated teller machine). I have studied this and most people say that they would carry out less than 10 transactions. That means that Mondex is not cash-like and does not offer much privacy," says David Jones, president of the Electronic Frontier Canada and an assistant professor of computer science at McMaster University in Ontario, Canada.
Analysts agree that once records are kept, the information can be used and analysed by the bank or sold to a third party, if not now, then in the future.
"As soon as you begin to keep records, privacy is not possible," says Clay Ryder, director of Zona Research Inc., a consultancy based in Redwood City, California. "There are no records kept with cash; if an electronic cash system stores records it ceases to be like cash."
Mondex has carried out pilot studies in both Swindon in the UK and the university town of Guelph in Canada.
"There has been a well-orchestrated deception worldwide about the privacy of Mondex," says Simon Davies, visiting fellow at the computer security research center of The London School of Economics in England and director of Privacy International in Washington D.C. "The statement that only a cardholder will have access to the entries on their card is an outright lie. Mondex keeps an audit trail of transactions."
At Mondex, different divisions are making conflicting statements about the auditability of the electronic cash system.
"We do not keep a record of every transaction, but there is a way to track payments," says Cynthia Bengier, vice president of product management and marketing for Mondex USA. "Mondex is auditable."
Meanwhile Mondex officials in Canada say that it is impossible to keep track of all transactions because they all happen off line.
"There is no way that we can keep a full audit trail," says Tim McNaughton, manager of the pilot and implementation at the Mondex division of the Royal Bank of Canada, in Toronto. "Everything happens off line. It's not fully auditable."
In an internal memo from Mondex to the Royal Bank of Canada and Canadian Imperial Bank of Commerce (CIBC), however, the company admits that transaction records are being kept.
"Given the current situation in Guelph with Mondex naysayers, University student protesters, store vandalism, propaganda from P.J. types [P.J. Lilly - a student who is responsible for a Web page on the Internet that is critical of Mondex] on the Internet, it's a significant risk that if any of these groups discover that Mondex transactional data is being collected from merchant logs they would use and create every opportunity possible to cite negative headlines with 'Big Brother' accusations," the memo states.
McNaughton verified the authenticity of the memo but pointed out that it also recommended that transactional data collected should not be used except for what the company refers to as "risk management purposes."
Risk management is a method of using computer-generated algorithms to draw attention to any unusual activity. For instance, if 20,000 thousand transactions are carried out at one flower shop the system would initiate an investigation unless it was Mother's Day, McNaughton says.
However, privacy campaigner Jones sees Mondex's risk management as a threat to an individual's privacy.
"The algorithms they refer to may also automatically notify the tax authorities or police and prompt unwarranted investigations," says Jones. "What Mondex is saying is that it plans to scrutinise transaction logs and identify unusual spending patterns. So people may find themselves subject to a police investigation if it identifies one of these so-called patterns."
Mondex USA has confirmed that it is working with a number of government organizations to ensure the system is not used for illegal activities such as money laundering or drug trafficking.
"We have an ongoing relationship with the Office of the Controller of Currency (OCC), the Financial Crimes and Enforcement Network (Fincen), and the Internal Revenue Service to reduce the risk of Mondex abuse," says Bengier.
Mondex is no stranger to the privacy debate. In 1996 British Trading Standards authorities investigated Mondex and ruled the company should drop the word anonymous from its promotional literature, because transactions are "logged by the trader and were known to the bank." Mondex has since replaced its claim to anonymity with privacy.
While Mondex must assure individuals that their privacy is guaranteed, it must also assure governments that it cannot be used as a the currency for illegal activity, according to industry watchers.
Privacy campaigners fear that Mondex is the first step to the erosion of a basic human right of privacy, and even though it is not now selling information about spending patterns, it may do so in the future, in the same manner that credit card usage information and credit rating information is sold in the US today.
"If anybody could really establish a record of the public's cash spending patterns, then that information would be very valuable indeed," says Ryder.
"My fear is that Mondex is not testing the technology in Guelph," said P.J. Lilly, a researcher and rights activist based in Guelph. "After all, the technology has not changed since the Swindon trial. What they are really testing is the public's acceptance of the scheme."
However Mondex USA's Bengier maintains that this is not on the Mondex agenda. "Mondex international is currently in the process of establishing a code of practice to ensure privacy," she said.
Mondex USA is based in San Francisco and can be contacted at on the World Wide Web at http://www.mondex.com/. P.J. Lilly's Mondex Information Internet page can be found on the World Wide Web at http://www.tao.ca/~pj/mondex/bigplans.html/. The Electronic Frontier of Canada Mondex Web page can be found at http://www.efc.ca/pages/mondex/.