Infoworld Canada
May 7, 1997

Mondex's double life:
E-Cash both "private" and "fully auditable"

Officials tell different stories on privacy and security

by Niall McKay, niall_mckay@idg.com

SAN FRANCISCO -- Mondex International, the electronic cash vendor, is leading a double life.

While Mondex International promotes its electronic cash scheme as private to users, it also admits that it is auditable to government organizations, such as the tax authorities.

In an internal memo the company advised its Canadian licensees of the "significant risk" to the electronic cash system's creditability if privacy campaigners discover that the system is auditable.

With Mondex, electronic credits are downloaded from a bank to a microprocessor on a user's smart card. Users can then buy goods or services with these credits by transferring them to a merchant's card at a store. The merchant then cashes these credits at a bank.

The strength of the system is that it transfers electronic credits from the user's microprocessor to the merchant's microprocessor, and unlike credit card systems, it is not run by a central computer program. Therefore, as with cash, each transaction is not stored, allowing Mondex to offer a modicum of privacy, company officials say.

However privacy organizations in both in the U.K. and Canada, where Mondex has run extensive trials, are disturbed by the company's claims to privacy because users' cards store the last 10 transactions, and merchant cards store the last 300 transactions.

When each card comes in contact with the issuing bank's computer systems, it downloads the customer number, date, and amount of each transaction. These records can then be compared with each other.

Privacy campaigners argue that the company's choice of 10 transactions for a user's card and 300 transactions for a merchant's card will give Mondex a record of about 90 per cent of all transactions.

"Think about it -- how many times do you use cash between trips to the [Automated Banking Machine]. I have studied this and most people say that they would carry out less than 10 transactions. That means that Mondex is not cash-like and does not offer much privacy", said David Jones, president of the Electronic Frontier Canada and an assistant professor of computer science at McMaster University in Hamilton.

Analysts agree that once records are kept, the information can be used and analyzed by the bank or sold to a third party, if not now, then in the future.

"As soon as you begin to keep records, privacy is not possible", said Clay Ryder, director of Zona Research Inc., a consultancy based in Redwood City, California. "There are no records kept with cash; if an electronic cash system stores records it ceases to be like cash."

Mondex has carried out pilot studies in both Swindon in the United Kingdom and the university town of Guelph, Ont.

"There has been a well-orchestrated deception worldwide about the privacy of Mondex", said Simon Davies, visiting fellow at the computer security research center of The London School of Economics in England and director of Privacy International in Washington D.C. "The statement that only a cardholder will have access to the entries on their card is an outright lie. Mondex keeps an audit trail of transactions."

At Mondex, different divisions have made conflicting statements about the auditability of the electronic cash system.

"We do not keep a record of every transaction, but there is a way to track payments", said Cynthia Bengier, vice-president of product management and marketing for Mondex USA in an interview with the IDG News Service. "Mondex is auditable."

Meanwhile Mondex officials in Canada say that it is impossible to keep track of all transactions because they all happen off-line.

"There is no way that we can keep a full audit trail", said Tim McNaughton, manager of the pilot and implementation at the Mondex division of the Royal Bank of Canada in Toronto. "Everything happens off-line. It's not fully auditable."

Privacy campaigners fear that Mondex is the first step to the erosion of a basic human right of privacy, and even though it is not now selling information about spending patterns, it may do so in the future, in the same manner that credit card usage information and credit rating information is sold in the U.S. today.

"If anybody could really establish a record of the public's cash spending patterns, then that information would be very valuable indeed", said Zona's Ryder. "My fear is that Mondex is not testing the technology in Guelph", said P.J. Lilly, a researcher and rights activist based in Guelph. "After all, the technology has not changed since the Swindon trial. What they are really testing is the public's acceptance of the scheme."

However Mondex USA's Bengier maintains that this is not on the Mondex agenda. "Mondex international is currently in the process of establishing a code of practice to ensure privacy", she said.

Mondex USA is based in San Francisco and can be contacted at +1-415-396-5905 or on the World Wide Web at http://www.mondex.com/ . P.J. Lilly's Mondex Information Internet page can be found on the World Wide Web at http://www.tao.ca/~pj/mondex/bigplans.html/ . Electronic Frontier Canada's Mondex Web page can be found at http://www.efc.ca/pages/mondex/ .


Copyright © 1997 by IDG News Service, International Data Group Inc. All Rights Reserved. Reprinted with permission.