Journal of Law, Information and Science
ASSOCIATE PROFESSOR GREG TUCKER*
Digital cash, as it has become known, is becoming an integral part of a number of retail electronic payment systems including smart card and internet based systems. Digital cash, in its various manifestations, presents a number of challenges. This paper considers several aspects of these challenges, specifically banking law, security and privacy, and law enforcement issues relating to digital cash. These matters, amongst others, will be fundamental to the structure and successful operation of the information highway as the conduit for electronic commerce.
At the heart of these issues lies the notion of trust; the users of the information highway must be reassured that the transition to new forms of payment is not at the expense of enforceable legal rights, privacy protection and security.
It is not the intention of this paper to suggest these developments are to be discouraged. On the contrary, it is necessary to raise and discuss the challenges before the systems are fully implemented.
Today digital currency and other electronic payment systems have emerged alongside traditional means of payment such as cash and cheques. In part, these developments are inextricably connected with new means of carrying on business more efficiently.
Digital cash here means the representation of cash in electronic, digital form. This does not imply that it is equivalent to cash, notes and coins. It is the communication of the electronic message, in binary code, in a prescribed manner which leads the parties to a transaction to regard it as tantamount to cash.[1] Thus Cybercash, for example, is a proprietary system for payment by means of pre-authorised credit card arrangements; this is not a digital cash system but rather an electronic version of the credit card system.[2] Netcheque, too, approximates an electronic cheque system.[3] By contrast, where digital communications, representing value, are loaded and stored on a smart card or hard disk, for example, they represent a form of quasi cash called digital cash. Thus the focus of discussion is not on the vehicle used to store the digital cash but the digital communication itself. It is expected that the means of payment will converge so that smart cards may be reloadable via internet-based systems.
There is no reason why digital cash cannot become regarded as cash in time; however, for present purposes it is sufficient to acknowledge that there are significant differences between the two mediums of exchange.
• Australian notes and coins are legal tender[4]; digital cash is not, nor does it have universal acceptance as a medium of exchange as it is typically used in a closed proprietary system. Digital cash may also represent a new form of currency, for example the euro (formerly the ecu) within the European Union which is not in hard currency form as yet but nevertheless is a recognised unit of payment;
• Notes and coins are negotiable; digital cash may be restricted to a single use before it is redeemed and taken subject to any defects in title or equities;
• Digital cash will typically have a “use by” date as it is necessary to not leave it open ended so that the encryption measures securing the electronic money may be altered periodically to minimise opportunities to crack them;
• Some form of verification of digital cash is necessary whereas notes and coins are accepted on their face;
• Notes and coins are issued under government supervision and control; digital cash is not;
• In general the use of notes and coins is untraceable; the use of digital cash may be traced in some systems.
The use of electronic means to conduct transactions, or electronic commerce, is well established. Retail electronic payment systems will play a pivotal role in this environment. It accords with financial institutions’ objectives to reduce the cost of transactional banking. This will inevitably lead to fewer face to face transactions and the use of computers and communication technology as the medium for interaction. Less apparent are the objectives of consumers. How will they react to these new payment systems? To some extent this will be in the digital hands of the network operators, system providers and service providers.
There are three major types of retail electronic payment systems:
• Electronic Fund Transfers at the Point of Sale;
• Smart card systems; and
• Network (including internet) banking[5].
EFT POS networks rely on a series of contracts between the consumer, retailer and financial institutions which provide for the transfer of funds between accounts with the financial institutions in settlement of the transaction between the consumer and retailer. As EFT POS is not a digital cash system it will not be considered further.
Common to each of these systems is the replacement of traditional payment systems (eg. cash or cheque) with electronic communications underpinned by appropriate contractual agreements. The participants in each of these systems vary as does the nature of the agreements between them[6]. At present in Australia electronic funds transfer is the only system fully operative; various forms of smart cards are being tested and network banking has been used in some form, for instance telephone banking, however transactions using digital cash are still embryonic.
Some threshold legal issues arise in relation to the use of digital cash whether it is stored on a smart card or another medium. Digital cash is really an electronic communication, or bit stream, and is not a chattel or a document in any traditional sense. However it may effect the same transaction as, say, cash or cheques[7]. Reliance upon electronic communication as a medium for financial transfer and payment is not new, it has been happening in wholesale banking for many years, for example, the SWIFT system used by banks worldwide and the BITS system set up by the major Australian banks for high value interbank transfers. Below are several important issues relating to the use of digital cash.
It is tempting to characterise digital cash, in its various forms, in terms of existing means of payment. In Australia, this new digital medium of exchange is not a bank note or coin, like a 50c piece or $10 note, issued by Treasury or the Reserve Bank[8]. Paper money in Australia is not a promissory note, as in the United Kingdom for example, but is regarded as currency in itself. A core property of this is that it is negotiable so that people have confidence that they can accept it in good faith. Interestingly, the question of whether a coin (or note) may be other than metallic (or paper) has been left open. Dean J in Duranol Co Pty Ltd v Glenvern Novelty Sweet Co [9] held that for the purposes of the statutory counterfeiting offences counterfeit coins meant metallic coins and did not include plastic tokens. However by way of obiter his Honour stated “it may well happen that as the knowledge of the use of other materials grows, especially in the field of plastics, our government ... may hereafter make non-metallic tokens which would probably be described as ‘coins’”[10]. Indeed this has already occurred with paper notes in Australia which are now made from polymer, a form of plastic. His Honour only contemplated other physical manifestations of coins becoming recognised but there is no reason why it could not be extended to digital cash in time. Of course the difference between coins and notes disappears in the digital equivalent as there is no reason to preserve this dichotomy.
Arguably digital cash is a representation of cash in the same way as the amounts noted in deposit books indicate that there is a certain amount of cash available, generally on demand, from the account. Accordingly, the amount loaded onto a smart card may be regarded as an extension of the customer’s bank account where this facility permits the cardholder to transfer value from his account at the bank onto the card itself. This may also be true where digital cash is stored on the hard disk of a personal computer, for example in Digicash systems[11], and these tokens are able to be spent in virtual shopping malls and other sites on the internet[12]. This approach would be consistent with the usual condition for credit and debit cards where the card itself remains the property of the cardissuer. However, it is inconsistent with the emerging approach of the issuers of digital cash to the ownership of the value on the card, that is, it is the responsibility of the cardholder and that any loss of the digital cash is borne by the cardholder. This would not be the case where a passbook was lost or stolen.
Arguably, digital cash is not a negotiable instrument; it appears to fall outside the definitions of bills of exchange, cheques and promissory notes and has not been recognised yet, through mercantile usage, as forming a novel category of negotiable instruments[13]. It will be recalled that negotiability in this context connotes that the instrument is transferable at law by endorsement and delivery or by mere delivery and that a transferee who takes the instrument in good faith, for value and unaware of any defects in title takes it free from any such defects or personal equities. It is not clear that digital cash would share these characteristics; status of negotiability is bestowed over time and emerges rather than occurring precipitously[14]. However it must be conceded that should digital cash become an accepted means of payment then it is likely to become, to use the industry jargon, the first virtual negotiable instrument. This characterisation is important where the card is lost or stolen, for innocent third party transferees would wish to be reassured that upon receipt of digital cash for value that they have good title to it. In part its success as a means of payment will rest upon this.
The issue of the legal characterisation of the various forms of digital cash is yet to be settled. Of course, the standard form financial institution contracts will provide some of the answers in each of the systems. However, the danger is that the answers may not necessarily be those which consumers or regulators seek.
Consistent with the present monopoly over the issue of notes and coins, the government through the Reserve Bank and Treasury may wish to be responsible for, or oversee, the issue of digital cash. In this sense the use of the word “cash” to describe digital money is misleading as the central bank and the federal Treasury in Australia have control already over the issue of cash. Visa, Mastercard, Digicash and Mondex are examples of non-bank issuers, or potential issuers, of digital cash in its various forms. When digital cash is issued there is no seigniorage, that is, the profit made by the government in note and coin issue. Accordingly, a source of government revenue will be reduced as will direct control over a substitute for cash.
Any control mechanism implemented will be limited to the jurisdictional competence of the legislative body. This is problematic given the present ability to undertake transactions using digital cash issued by a financial institution, or its associate, in another country. The account from which the cash is drawn may be offshore and any transaction using it located in cyberspace.
At present the introduction of these private payment systems suggests some erosion of control by central banks over the cash component of the money supply. Of course, the possibility arises of central banks being able to stamp, or authorise in some other way, the issue of digital currency. This would permit better control of the system. Such a system is redolent of the overprinting by the Treasury of the early private bank notes in Australia between 1910 and 1913. The overprinting gave official status to the notes in recognition of the monopoly the Treasury had been given over note issue at this time.
Here the distinction needs to be made between the medium used for digital cash as it has an impact on the relationship between the parties. Typically, smart cards will work on a series of written agreements such that merchants agree to receive digital cash from customer smart cards and the issuer agrees to credit the merchant’s account with the amount of digital cash received which, at a later stage, may be redeemed in cash as required. In some card systems, like Mondex, and in online digital cash systems where multiple transfers are permitted, the relationship between the transferor and transferee is not pre-ordained by the contractual provisions. In this case the general law needs to be addressed as it governs the relationship. The issuer of the digital cash should be regarded as the promissor in the sense that it represents to the users of the payment system that the digital cash is of value in the same way as the Reserve Bank stands behind the notes that it issues[15]. Any failure to pay valid digital money would be sheeted home to the issuer and the holder should be able to realize the value of the digital cash in hard currency.
An associated issue is when is value passed and when is payment irrevocable? The transfer of the electronic communication, the digital cash, between cardholder and merchant, for instance, may not discharge the debt immediately, rather the discharge is conditional upon the issuer of the digital cash ensuring payment.
This issue will become more acute where the digital cash is able to be transferred between a number of parties before it finds its way back to the relevant issuing institution. Who bears this risk? The answer appears to lie in what is regarded as the relevant banking practice in these cases or, where a contract is entered into, the intention of the parties as disclosed by the terms of that agreement[16]. There are several possible outcomes; where electronic tokens are used as a cash equivalent, receipt of the token is likely to be interpreted as final payment; under an EFT style system it will not, rather payment will be the responsibility of a third party under a pre-existing arrangement; or under a cheque system the payment is conditional upon the instrument being honoured upon due presentment. Both the Mondex (UK) and Mark Twain Bank (Digicash system) treat the value represented on the medium, the card or the disk, as cash[17]. Accordingly, this suggests that transfer of digital cash from customer to merchant represents payment in the same way as if it had been made in notes and coins.
What is the position where digital cash is forged/counterfeited and transferred for value? Assuming a security breach occurred, what would be the legal position as between the parties to the transaction as well as the liability of the issuer of the digital cash whose system was penetrated?
At common law forgery and counterfeiting of money relate to paper money and coins respectively. Forgery is an awkward term to use as it will not be the forgery of a paper instrument such as a note or a cheque, rather it will require access to an appropriate form of message and the underlying algorithm making up the digital cash communication or, alternatively, it may involve copying the authorised message itself. The same awkwardness applies to the term counterfeit.
Under federal legislation counterfeit money refers to both coins and paper money[18]. Hitherto the focus has been on the prohibition of the creation of fake notes or coins which resemble, or are intended to resemble, the real thing. It would appear that the assumptions of a physical money underlying the criminal law here prevent digital cash from being caught within it. Thus it is unlikely that digital cash will be considered to be counterfeited physical money as it is not likely to be regarded by a court as resembling paper money or metallic coins. Perhaps the more interesting question is whether digital cash itself is capable of being forged or counterfeited. It is clear that it would not constitute counterfeit money for the purposes of the federal Crimes (Currency) Act 1981[19].
At a forensic level, the false digital cash will be indistinguishable from the validly issued digital cash as all the digits, the ones and zeros, would be in the same place or, at least, be recognised by the system as being authentic[20]. Ironically the use of a digital payment system relies on this attribute, the ability to make perfect copies, as it permits holders of the digital cash to copy it and pass it on during an authorised transaction.
Where digital money is “forged”, typically the loss would fall upon either the merchant (the holder) or the issuer of the digital cash. In general, if the system permits the merchant to confirm online with the issuer that it is authentic digital cash and it has not been spent already and the merchant relies upon this in concluding the transaction, then the issuer would appear to be estopped from denying its authenticity. This is the general position but much will depend upon the actual terms of the agreement as to what the issuer represents to the merchant when it verifies the digital cash. Verification or authorisation may be something less than an acceptance of responsibility for any loss resulting from the acceptance of the false digital money.
It is to be hoped that many of these issues, and the more general concerns which follow, are determined before systems are implemented. However, there are no signs of this presently. Without this, reliance will be placed on the terms of the relevant contracts and the common law which will emerge as it did, for example, in Re Charge Card Services Ltd[21].
The final report of the Financial System Inquiry[22], the Wallis report, recommended that stored value systems, including digital cash systems, which are intended for widespread use, be regulated to ensure the safety and integrity of the system.[23] This may afford the regulator the opportunity to control any float, or unused funds, in the system. The Australian Payments Clearing Association, in conjunction with the new Payment Systems Board, were seen as the appropriate regulatory bodies. Finally, the report recommended that there should be legislative amendments to enable electronic commerce to take place, for example, laws recognising the legitimate use of digital signatures once the appropriate standards are in place.[24]
Before briefly noting some of the issues that arise for privacy, security and law enforcement in the context of the use of digital cash, it is appropriate to consider some overarching policy questions which go to the heart of how governments and communities will go about reconciling tensions and resolving issues which exist between these important areas.
Question one: What are the objectives of a particular society or, stated another way, what sort of society do we seek?
The objectives of each society may vary or, at least, the prioritisation of the objectives may differ. These objectives, and the associated values, should manifest themselves in the way each country establishes its version of the information society. At an international level, this approach is unlikely to lead to a synchronised global information infrastructure (“GII”). However in order to attain the global social and economic benefits of such structures there is a need for some common ground and standards to be reached to resolve these tensions.
Question two: Who controls the networks themselves? Is it the owners, lessors, service providers, governments, users, trusted third parties or a combination of these?
The answer to this will determine the level of control the stakeholders have over the networks, including payment systems. At present the networks are being constructed by the private sector across the world and many governments are considering the appropriate response to these developments.
Question three: Who protects or controls the data (personal and commercial) on the networks? Is it the service providers, the users themselves, the government, a privacy commissioner, or a hybrid of these?
The answers to this will have an important bearing on the confidence potential users of the networks have in relying upon them for electronic commerce, electronic payment systems or even personal communication. There is a range of responses to this and they vary from jurisdiction to jurisdiction. In some cases there have been legislative responses and also, in some systems, the technology itself has determined the control. For example, the Digicash system places control in the hands of the consumer as it provides an anonymous payment system.
In the absence of timely workable policy, the danger exists that the GII will be crafted, by default, with the digital hands of the service providers, software companies or communication providers. If this emerges then governments and consumers, amongst others, may become marginalised and the opportunity for proper policy input lost. The establishment of payment systems using digital cash is one aspect of these policy considerations. How will they be set up and by whom? What data will be available and how will they be used? What control, if any, will consumers have over their data? Are current consumer protection laws sufficient to cover these new systems? Will law enforcement agencies be locked into or out of the communication systems?
The remainder of this article will discuss several important issues raised within this policy context: privacy, security and law enforcement. Privacy and security have been described as “show stopper” issues[25] of the GII and have direct relevance to digital cash. The types of criminal laws, and the ability to enforce them, require consideration as the potential for crimes, relating to digital cash, emerges.
Privacy and security are not dealt with together to imply that they are the same, rather to suggest that they are strongly interrelated though not necessarily complementary. There is considerable international support for these issues to be addressed in order to ensure that the economic and social aspirations for the GII may be realised[26]. Some countries have taken different approaches to these areas and there may be little common ground. The intention here is to raise some of the issues and the pressures which exist.
It is not intended to augment the legion of unsuccessful attempts to define privacy; it is at once a social, legal, and political concept which changes over time. It is accepted by most that it is not an absolute concept and that it may be divided into component parts, viz, physical privacy, communication privacy, information privacy and the freedom from unwanted surveillance. In the context of this paper privacy may be regarded as the right “to be let alone”[27] and the focus is on information privacy as this will be the category most relevant to the use of digital cash.
In relation to the security of information systems, it is clear that it may have many meanings. In this paper it is used to mean the making of something safe or protected rather than in the sense of a feeling or a human condition, although obviously the two are related. The OECD Guidelines for the Security of Information Systems[28] state that the objective of security is “the protection of the interests of those relying on the information systems from harm resulting from failures of availability, confidentiality and integrity”[29]. In turn the United States Council for International Business provides the following definitions of the key words:
• confidentiality: “the property that the information is not made available or disclosed to unauthorised individuals, entities, or processes”;
• integrity: “the property that data has not been altered or destroyed in an unauthorised manner”; and
• availability: “the property of being accessible and useable upon demand by an authorised entity”[30].
To date a right to privacy has not been recognised at common law in Australia. Even within the limited scope of the federal Privacy Act 1988 it does not create a direct statutory right to information privacy for individuals, rather the rights are exercisable through the powers bestowed on the Privacy Commissioner[31]. Specific privacy issues relating to digital money include the following:
• To the extent that digital cash transactions replace cash transactions they may create a trace or record where none would previously have existed. Moreover the increasing use of digital cash may lead to the ability to conduct surveillance on the payment habits of individuals as they go about their daily lives leaving a purchasing pattern of digital cash behind them. Of course, this depends upon the type of digital cash system used.
• Collection and storage of digital cash transaction data could be compiled from a range of daily activities including: shopping; banking; health and insurance payments; and entertainment. Pooling or matching of this data could lead to data profiles that may be disclosed and used for purposes never contemplated by the individuals when the information was collected. In this way individuals could well lose control over decisions made about them based on this data and have little or no knowledge that this is taking place. People need to be made aware of the data which are being collected and the purpose(s) for which they will be used so that any decision made to use the system is based on full knowledge of the consequences.
• The existing common law seems manifestly unsuited to digital cash. The implied duty of secrecy as stated in Tournier v National and Provincial and Union Bank of England[32], would demand procrustean efforts to apply it to situations never contemplated in 1924 when the case was decided. There is doubt as to its wider application to non-banks, it only seeks to control the disclosure of certain customer information and is silent on whether or not it should be collected in the first place and for what purposes, how it may be used internally by a bank, and what rights customers have to access, amend or delete it[33].
Moreover the dynamics of information collection may change so that payment systems permit electronic clearinghouses and/or systems operators to collect transactional data, only a portion of which are available to financial institutions for settlement purposes. In these circumstances, the controls would need to be extended to these organisations as well.
At present the regulatory scheme in place, the Electronic Funds Transfer Code of Conduct 1991[34] does not cover all digital cash transactions as its scope only covers transactions which use a card and personal identification number. In many instances digital cash transactions will fall outside the code as the particular system will not use either a card or a PIN.
How will private sector companies across various industries be accountable for the collection, storage and use of personal data, including transactional data? This becomes an international issue for many companies as they conduct business in a number of jurisdictions and for controllers and users of payment systems which may span several countries. Digital cash payments may be freely sent across the national boundaries in many cases but there are not necessarily the privacy laws or practices in place to safeguard these data. However this is not a significant difference from the information which currently flows from the use of debit and credit cards.
The implementation of the European Union (EU) general data protection directive is likely to have a significant impact on non member countries[35]. By the end of 1998, the fifteen EU member countries will have legislation reflecting, as a minimum, the standards laid down in the directive. The impact upon non member countries lies in the interpretation of the transborder data flow provisions for the movement of personal data from member to non member countries. It requires that personal information not be transferred to non member countries which lack adequate data protection safeguards. Some insights are given as to what measures would be adequate and there is also a list of available derogations[36].
In this context it must be questioned whether the laws and many of the codes of conduct used in Australia[37], Japan, the United States and elsewhere outside the EU, will be adequate for the purposes of the directive.
• Where a multifunctional card is used so that it provides a means of payment with other services, for example health and medical data, the design will have to ensure that unauthorised persons are not able to access the other fields.
A range of measures exist to safeguard personal data, including financial data. Principal among these is the use of legislation to establish the rights of the data subjects and the rules which apply to the collection, use and disclosure of personal data. Codes of conduct or self regulation are also employed sometimes in conjunction with legislative measures[38]. Public education also plays an important role as it provides individuals and organisations with knowledge of their rights and duties.
The other emerging protective mechanism is technology, privacy technology as it is sometimes known. Technology applied in this manner can safeguard personal data as well as other data. For instance, the use of Zimmermann’s Pretty Good Privacy software can do this for email through the use of encryption[39]. In the context of telephony, the use of per line or per call blocking of caller ID enables the privacy of the called party to be protected. In relation to digital cash, the adoption of anonymous payment systems, such as those proposed by Mondex[40] or Digicash[41], is said to provide a high level of privacy for the consumer similar to that which exists presently with the use of the cash payment system[42].
It should be noted that privacy technology also has the capacity to protect confidential information, for example, business confidences. In this way the technology provides a convergence of the needs for the protection of data generally not just for personal information.
It is uncontroversial that the security of information systems is a primary objective of the GII. In the context of digital payment systems, it is essential to their success. Consumers and merchants are unlikely to move away from existing payment systems, with which they are comfortable, to the use of digital cash where there is any significant doubt over its integrity and arguably its confidentiality[43]. Anecdotally, it seems that consumers require a higher level of security from these new systems than they do from existing systems; at present customers seem perfectly happy to hand over their credit cards and signed payment slips to waiters in restaurants.
In this context one aspect of security, cryptography, is pivotal to the success of digital payment systems. Cryptography permits a message to be scrambled into a form which is unintelligible to unauthorised persons as they would be unable to read it assuming that the encryption algorithm cannot be cracked easily[44]. One further sophistication is the development of digital signatures which act as a surrogate for handwritten signatures. Digital signatures have been defined as:
“A transformation of a message using an asymmetric cryptosystem and a hash function such that a person having the initial message and the signer’s public key can accurately determine:
(1) whether the transformation was created using the private key that corresponds to the signer’s public key, and
(2) whether the initial message has been altered since the transformation was made.”[45]
The use of digital signatures assumes that the private key of the sender is under his control and that the signature itself is unique to each message. On this basis once a message is received with a digital signature then the recipient can rely upon its authenticity and integrity. Taking this one step further, the use of blind digital signatures permits messages to be sent anonymously yet the recipient can unconditionally verify that the message is authentic and has not been altered. This development has significant implications for digital cash systems as it permits them to better approximate a real cash system by maintaining their untraceability[46].
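The two checks in the definition above, blind signing, and the issuer's online "authentic and not already spent" confirmation discussed earlier can be seen together in the following added Python sketch, which is not taken from the article or from any of the systems it names. It assumes textbook RSA without padding as the asymmetric cryptosystem; the toy key, the coin format and the names `Issuer` and `deposit` are hypothetical and exist only for this illustration.

```python
import hashlib
import math
import secrets

# Constructed toy RSA key built from two Mersenne primes. It is far too
# small and too structured for real use; it only lets the example run offline.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # issuer's private exponent


def digest(message: bytes) -> int:
    """Hash-function step of the definition, reduced into the RSA group."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def blind(message: bytes):
    """Customer: hide the coin's digest behind a random factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:        # r must be invertible mod N
            break
    return (digest(message) * pow(r, E, N)) % N, r


def issuer_sign(blinded: int) -> int:
    """Issuer: apply the private key without seeing the coin's serial.
    Assumption: one key per denomination, since the issuer signs blind."""
    return pow(blinded, D, N)


def unblind(blind_sig: int, r: int) -> int:
    """Customer: divide out r, leaving an ordinary signature on the digest."""
    return (blind_sig * pow(r, -1, N)) % N


def verify(message: bytes, signature: int) -> bool:
    """Anyone holding the public key (N, E): the signature was made with the
    matching private key AND the message is unaltered, or this is False."""
    return pow(signature, E, N) == digest(message)


class Issuer:
    """Hypothetical online check: coin is authentic and not already spent."""

    def __init__(self):
        self.spent = set()

    def deposit(self, coin: bytes, signature: int) -> str:
        if not verify(coin, signature):
            return "rejected: bad signature"
        if coin in self.spent:
            return "rejected: already spent"   # a perfect copy fails here
        self.spent.add(coin)
        return "accepted"


def demo():
    """Withdraw one coin blind, spend it, then replay and tamper with it."""
    coin = b"serial=" + secrets.token_hex(16).encode()   # constructed format
    blinded, r = blind(coin)
    signature = unblind(issuer_sign(blinded), r)
    issuer = Issuer()
    return {
        "issuer_saw_digest": blinded == digest(coin),
        "first": issuer.deposit(coin, signature),
        "copy": issuer.deposit(coin, signature),
        "altered": issuer.deposit(coin + b"0", signature),
    }


if __name__ == "__main__":
    print(demo())
```

The issuer never sees the serial it signed, so it cannot link the deposit to the withdrawal, yet the bit-for-bit copy is still caught by the spent list rather than by the signature.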
A polemic remains; who controls the security mechanisms? Formerly, encryption was squarely in the domain of spies, academics and fiction writers. Today the ability to secure a system through encryption is in the hands of government, the private sector and individuals. Thus a tension exists between law enforcement and national security interests on the one hand and the right of the individual to privacy and business to its confidences on the other. This conflict was at the heart of the Clipper Chip debate in the United States in 1994 and it continues today. The challenge is to strike an appropriate balance between these competing concerns. The OECD has drafted a set of cryptography guidelines to provide international guidance on these conflicting policy issues.[47]
Financial computer crime is not new; it has been with us since the introduction of computers as part of commercial life. For example, R v Thompson [48], a case in the UK in the early 1980s, involved a computer programmer who, whilst working for a bank in Kuwait, identified dormant accounts with large balances in them and wrote a programme to transfer the money to his accounts and to erase all trace of the transfers. These transfers took place when he was en route to England ostensibly on vacation.
The creation and development of the GII, with its implications for electronic commerce, redoubles the opportunity for financial computer crime. It is difficult to know whether it is just another manifestation of more traditional crimes such as theft and obtaining financial advantage by deception, or whether it is occurring in addition to these crimes. Of course, ultimately there will be less opportunity to undertake theft of cash and cheques etc as electronic substitutes replace them. Retailers already see the benefits of dealing in non cash forms.
Some general issues will face law enforcement when investigating and prosecuting cyber crimes including those relating to digital cash.
• At a forensic level, where a particular PC has been identified as the one used to commit an offence, the difficulty is to link the use of that PC to a particular operator of it and establish that this person is the offender beyond all reasonable doubt[49]. In the context of digital cash, will payment for illicit goods in this manner be able to be sheeted home to the operator of the PC in order to prove the offence? Moreover, where digital cash has been forged or intercepted it will be difficult to establish who was operating the PC at that time.
Cash/financial reporting systems, enacted to permit the timely identification of money flows for the purpose of law enforcement authorities being able to trace possible proceeds of crime, may not apply to digital cash [50]. Legislation may need revision to ensure all issuers of digital cash, including organisations outside the traditional banking network, are caught.
As discussed earlier, there may be no regulation of digital cash as its creation and distribution is controlled by the private issuers themselves. Furthermore, the use of strong encryption techniques allows the loss of technical control over the system by the authorities. No effective mechanism exists to permit law enforcement to compel the disclosure of the key to the encryption algorithm. Accordingly, the interception of communications may be possible but decoding them may not be. Even where hardware and software are seized, it is possible that they will provide little useful evidence unless the encryption keys are either available or calculable[51].
Existing legislative requirements for tracing certain types of payments, including cash transactions of $10,000 or more and suspicious transactions, may be avoided or prove more difficult to police. The possibility of using offshore financial institutions as the conduit for digital financial transfers adds a further complication to law enforcement. Equally it would seem a simple matter to circumvent the reporting requirement for $5,000 or more in cash brought into or taken out of Australia[52]; it could be taken on a card or disk as digital cash without the need to go through the Australian banking system.
Jurisdictional issues will also be problematic. The users and abusers of digital cash systems may pay little respect to national boundaries and the commission of a crime may span several jurisdictions. This will inevitably cause delays for investigators and there may be no appropriate avenue through which to gain the timely evidence required for a conviction within jurisdiction as essential aspects of this may not be available[53].
One would assume that many of the apparently illicit activities involving digital cash would be caught by federal or state computer crime legislation. There is some doubt about this. It will obviously depend on the particular system and the modus operandi; however, several observations can be made about the likelihood of the legislation applying to digital cash on smart cards, for example:
- Under the federal Crimes Act 1914 there are offences for unlawful access or damage to data stored on a computer[54]. These untested provisions rely upon the use of a commonwealth facility for undertaking the crime where the crime is not related directly to what is called a commonwealth computer[55]. This would be the case with digital cash as it would be part of a non government communication network presumably. Presently a commonwealth facility would be the use of the Telstra network lines so long as it remains a corporation owned by the federal government. Should this alter, and the network become privately owned, then the legislation may not apply[56].
- The Crimes Act does not define a computer; it is debatable whether unlawful access to data held on a smart card would constitute unlawful access to data held on a computer. Similar problems arise under some state legislation[57].
- State computer crime legislation varies significantly around Australia[58]. The Crimes Act 1900 (NSW) is similar to the federal legislation without the constitutional complexities. There has been little interpretation of these provisions[59] and it is yet to be determined how effective they will be in law enforcement.
- In relation to forgery, some states have replaced the common law offence with a statutory provision[60]. Where digital cash has been fraudulently copied or created then, prima facie, these provisions which relate to the creation and use of false documents or instruments, seem apposite.
At a more general level, it is doubtful that enough resources will be available to conduct investigations and support prosecutions of computer related crimes. The limited resources of law enforcement in this area on the one hand, and the suspected enormous amounts available to organised crime on the other, make the pursuit of computer criminals all the more unlikely.
In Australia, one of the most recent insights into the impact of digital cash on law enforcement is a study undertaken by the Office of Strategic Crime Assessment during 1995[61]. The study involved, inter alia, an expert Delphi study. This study involved eliciting responses to a series of questionnaires about the likely impact/future of digital cash. The questionnaire was distributed to thirty eight respondents representing a range of expertise in the area (e.g. technical, banking and legal). From the responses, OSCA was able to build a number of scenarios. The study focussed on the potential for new payment systems to assist in criminal activities, principally money laundering.
Forecasts of the widespread use of digital cash range from 5-10 years for Australia but few doubt that it will take hold. Australians have a history of rapid acceptance of technology. The widespread use today of ATMs, EFTPOS and mobile phones underscores this.
Four major implications for law enforcement were identified in a digital cash society, namely:
• movement of illegal funds;
• traceability of fund movements;
• counterfeiting, and
• regulation of the systems.
One of the scenarios which emerged from the Delphi study[62] prognosticated that by the year 2000, smart cards will have replaced magnetic stripe cards as a means of payment and will account for approximately 50% of cash transactions by volume in Australia. Digital cash would be acceptable in most consumer transactions. The implication of this is that criminals would be able to avoid traditional payments systems and to transfer money without it being traced.
Electronic commerce would emerge on a platform which would permit the use of broadband services for private networks. This may lead to secure anonymous transactions being undertaken without the ability of law enforcement to gain access to them. Banks would no longer be performing their traditional functions and other participants would enter this market, for example, software and telecommunication companies.
Matters raised in this section may create substantial challenges. Who will control the digital cash system and how will the systems be regulated and audited? Given that many of the participants are non-banks, traditional controls existing under banking legislation will be ineffective unless they are amended.
There are a number of countervailing forces at international level. The number of tax havens with strong secrecy provisions remains very high and these venues would afford protection for caches of digital money. It would be possible to operate a virtual bank from one of these venues with its customers being able to send encrypted digital cash messages to it from other parts of the world.
Finally, international suasion is alive and well; the Financial Action Task Force, at the OECD, continues to encourage countries to adopt responsible attitudes to the implementation of controls to help detect and eradicate money laundering. There are, of course, separate national initiatives in many countries also.
Underlying the concerns of law enforcement is the desire to be able to trace the flow of funds. This is only possible to a limited extent in the current cash system. Even legislative measures do not require reports of cash transactions below $AUD10,000.
It is of concern that one response may be to attempt to make all transactions/transfers traceable. This represents a significant shift from the current environment and one which may not be acceptable to many. Perhaps an appropriate response is to monitor the incoming systems closely, including their potential uses, and their penetration into the marketplace. It may be an over-reaction to place strictures on these nascent payment systems which may evolve in a manner consistent with the needs of law enforcement.
Digital cash is not cash, it only approximates it in certain ways. Payment systems like these are fundamental to the establishment of the electronic marketplace. There are considerable legal uncertainties about how such systems may be characterised. This underlying uncertainty will only make broad acceptance of the schemes more difficult. The recommendations of the Wallis report, although general, address some of these issues.
Crossborder issues arise in each of the areas discussed. The impact of different banking laws, privacy and security regulation and law enforcement requirements and the ways in which these apply to digital cash systems, will amount to a mish mash of laws requiring costly solutions and which detract from the central objective of establishing a workable GII which emerges, at least in part, out of various national infrastructures as they become further linked.
The issues relating to digital cash considered in this paper are important aspects of the creation and development of the GII, electronic commerce and the new payment systems underpinning them. It is recognised that the areas are entwined and they do not always sit comfortably together. For example, it would be inappropriate to address all the threshold banking law issues if the basic confidence of consumers was undermined by privacy and security concerns. Equally, transactional anonymity may be preferred by users of these systems but not by law enforcement agencies. This begs the question: how important will these systems become?
Increasing reliance on electronic payment systems is decreasing the incidence of human interaction during transactions. To an extent consumers will need to be reassured that the trust they have in existing payment systems should also be placed in these new faceless payment systems many of which are presented as equivalent to notes and coins.
It is inappropriate to deal with these areas in geographic isolation, either from each other as they form part of an important interrelationship, or from developments taking place in other parts of the world. Activities from abroad may not be decisive in shaping domestic policy responses to the information highway but it should be acknowledged that there may be an adverse impact on national policies if they are not taken into consideration. It may create a disjointed GII.
* Department of Tax and Business Regulation, Monash University.
[1] This is usually detailed in the written agreement, see for example the Mark Twain Bank agreement cl.13 at http://www.marktwain.com/legal.html
[2] http://www.cybercash.com
[3] http://nii-server.isi.edu/info/NetCheque/
[4] Reserve Bank Act section 36(1). This means that the tender of a specific amount is all that the offeror is required to do to meet the particular obligations.
[5] In general, details of operational material are not available on these systems for proprietary and security reasons.
[6] See generally, Reed A Legal Comparison of Digital Cash and Traditional EFTs (1995) 47 ABT Bulletin 5.
[7] The legal characterisation of the precise communication may vary between payment systems, for example, between the Visa smart card and the Digicash systems.
[8] See Part V of the Reserve Bank Act 1959 (C’th). Amongst other things the digital cash is not issued in accordance with the definition in section 32. Section 43 goes on to state that the Reserve Bank is prohibited from issuing other notes or bills for circulation as money.
[10] At p.544.
[11] See http://www.digicash.com/
[12] See http://www.marktwain.com/ as it has a virtual shopping mall linked to its digicash payment system.
[13] See generally, Tyree Banking Law in Australia 2d Butterworths, 1995 pp 253-4.
[14] This is true of instruments such as cheques and bills of exchange but note the exception with payment orders which had negotiability bestowed on them when they were created under the Cheques and Payment Orders Act 1986 (C’lth) see ss 40 and 49.
[15] Tyree Virtual Cash - Part II JBFLP 139, 140.
[16] See Momm v Barclays Bank International Ltd [1977] QB 790 and Delbrueck & Co v Manufacturers Hanover Trust Co 609 F 2d (1979).
[17] The Mondex brochure used in the 1995 Swindon, UK, trial states of lost or stolen Mondex cards “Unfortunately, if it is not returned or insured you will lose the cash on it.” Clause 13 of the Mark Twain Bank Ecash Agreement states “any ‘account’ set up in the Ecash system is not a deposit with Bank but represents cash held by Customer in its personal computer under the Ecash system” see http://www.marktwain.com/legal.html.
[18] Crimes (Currency) Act 1981 s3.
[19] Id.
[20] In relation to the criminal law in Australia, the laws of counterfeiting do not apply; see section 6 of the Crimes (Currency) Act 1981 (C’lth). However forging digital cash may constitute a computer crime under the Crimes Act 1914 (C’lth) section 76D and the relevant computer crime legislation in the states and territories.
[21] [1987] Ch 150 and affirmed in [1989] 1 Ch 497.
[22] Commonwealth of Australia, AGPS, March 1997.
[23] Ibid recommendation 72, p402.
[24] Ibid recommendations 91 & 92, p501.
[25] Nelson, US Delegation to the OECD, see Report of the Ad Hoc Meeting of Experts on Information Infrastructures OECD/GD/(96)74, Paris, 1996, p25.
[26] See the Closing Statement of the Chairman at the G-7 Summit on the Information Society, European Commission, Brussels, 26-7 Feb., 1995 and the APEC Ministerial Meeting on Telecommunications and Information Industry, Declaration for the Asia Pacific Information Infrastructure, Ministry of Information and Communication, Republic of Korea, Seoul, May 1995. Also see OECD, Report of Ad Hoc Meeting of Experts on Information Infrastructures, Issues Related to Security of Information Systems and Protection of Personal Data and Privacy OECD/GD (96) 74, Paris, 1996.
[27] Judge Cooley A Treatise on the Law of Torts 2ed. (1888).
[28] Organisation for Economic Co-operation and Development, Paris, 1992.
[30] Private Sector Leadership: Policy Foundations for a National Information Infrastructure, Washington, July, 1994 p9.
[31] Note that the Australian Privacy Charter, drafted by the Australian Privacy Charter Group in 1995, includes a principle of transactional privacy (principle 10) which states that people should have the option of not having to identify themselves when entering into a transaction.
[33] See generally Tucker Vale Tournier Salve Privacy Act (1993) 21 ABLR 290.
[34] Australian Consumer and Competition Commission, Canberra.
[35] European Union, Document no.95/46/EEC, Brussels.
[36] Ibid arts 25 and 26.
[37] For example, the EFT Code of Conduct 1991.
[38] For example, this has been done in the Netherlands, New Zealand and the EU data protection directive.
[39] For example PGP is available at http://rschp2.anu.edu.au:8080/crypt.html#how
[40] See http://www.mondex.com/index.html
[41] See http://www.digicash.com/
[42] See generally Furche and Wrightson Computer Money Dpunkt, Germany, 1996 pp 84 - 87.
[43] For a summary of the characteristics of electronic payment systems see Furche and Wrightson Computer Money - A Systematic Overview of Electronic Payment Systems Dpunkt, Heidelberg, Germany, 1996.
[44] See generally Lynch and Lundquist Digital Money - The Era of Internet Commerce John Wiley & Sons, New York, 1996, ch 3.
[45] American Bar Association Digital Signature Guidelines Chicago, August 1996, para.1.11.
[46] See generally Schneier Applied Cryptography John Wiley & Sons, New York, 2ed., 1996, 34-44 and Chaum “Achieving Electronic Privacy” Scientific American August 1992.
[47] OECD, Cryptography Policy Guidelines 27 March 1997 at http://oecd.org/dsti/iccp/crypto_e.html.
[49] Will the existence of a unique password for this person be sufficient evidence?
[50] For example, in Australia the Financial Transaction Reports Act 1988 requires the reporting of cash transactions of $AUD10,000 or more, suspect transactions, international transfers of currency of $AUD5,000 or more, and international funds transfer instructions for any amount. These categories do not seem to catch domestic use of digital cash unless it is suspicious. It would not catch international transfers of digital cash out of Australia where the transferor is not a cash dealer under the Act (ss3 and 17B).
[51] It also raises the related question of whether the computer evidence would be admissible in court in the relevant jurisdiction.
[52] See Financial Transactions Reports Act s15.
[53] Mutual assistance treaties may be useful in some instances to expedite this process but these treaties do not exist in every jurisdiction.
[54] See ss76D and E.
[55] This provides the constitutional basis for the provision, ie the communications power.
[56] Telstra is scheduled to be privatised during 1997. Also cf US legislation see the Computer Fraud and Abuse Act 18 USC 1030, 1030 (a) (4).
[57] For example see Crimes Act 1900 (NSW) Part 6 and Summary Offences Act 1966 (Vic) s9A.
[58] For a summary of the provisions see Tucker Information Privacy Law in Australia Longman Cheshire, 1992 ch 5.
[59] See DPP v Murdoch [1993] VicRp 30; [1993] 1 VR 406.
[60] For example, see Crimes Act 1900 (NSW) ss 299-307 and Crimes Act 1958 (Vic) s83A.
[61] Australia’s Move Towards Electronic Commerce: Some Implications for Law Enforcement Research Series No. 2/95, Canberra, 1995.
[62] This scenario is set out in Wahlert, Some Implications for Law Enforcement in Proceedings of OSCA seminar “Australia’s Move to a Cashless Society: Some Implications for Law Enforcement”, 18 August 1995, CSIRO Conference Centre, Canberra.
URL: http://www.austlii.edu.au/au/journals/JlLawInfoSci/1997/3.html