CBDC: privacy risk and how to reduce it

Central Bank Digital Currencies: How to Maintain Privacy in the New Financial Reality

The implementation of Central Bank Digital Currencies (CBDCs) presents society with a fundamental question: how to reconcile the technological modernization of the financial system with the protection of citizens' privacy. The architecture of a CBDC determines the balance between efficiency and the risk of centralized control. This article analyzes the primary CBDC models, their impact on data confidentiality, technological solutions for protection, and proposes a system of criteria for evaluating specific projects.

What Is a CBDC and What Types Exist?

A Central Bank Digital Currency (CBDC) is a digital form of government-issued currency that is a direct liability of the central bank. Unlike money in commercial bank accounts, CBDC transactions do not require intermediaries.

There are two key types of CBDCs:

1. Wholesale CBDCs: Designed for settlements between financial institutions; they do not directly affect ordinary citizens.
2. Retail CBDCs: Available to the general public and implemented in two main models, the choice of which directly impacts privacy levels.

Model	Ownership Principle	Privacy Level (Potential)	Key Risk	Implementation Example
Account-based	Access to funds is tied to a digital identity. Identification (KYC) is required.	Low	Centralized surveillance, transaction censorship.	Digital Yuan (e-CNY) in China, Digital Ruble pilot in Russia.
Token-based	Ownership is verified by a cryptographic key ("digital cash").	High	Risk of double-spending, difficulty recovering access if the key is lost.	e-krona pilot in Sweden, Sand Dollar in the Bahamas.

To combat money laundering and terrorist financing (AML/CFT), states require user identification, known as the "Know Your Customer" (KYC) procedure. This creates a fundamental conflict with the anonymity inherent in physical cash.

Global Experience: Lessons from Pilot Projects

• China (Digital Yuan, e-CNY): The largest pilot project, using an account-based model. It implements the concept of "managed anonymity": small transactions are anonymous to counterparties, but all data is accessible to the central bank. A 2021 People's Bank of China white paper lists strengthening monetary control and combating illegal activities as primary goals.
• The Bahamas (Sand Dollar): One of the world's first launched retail CBDCs. It uses a token-based model to increase financial inclusion. It employs balance and transaction limits for wallets with different levels of identification, serving as an example of a balanced approach.
• Sweden (e-krona): During pilot projects (2020–2023), the Riksbank explored technical and legal aspects of the token-based model. Final reports emphasize that the e-krona should complement, not replace, cash, and that privacy issues require further refinement.
• Russia (Digital Ruble): Launched in 2023, this pilot project is based on a centralized Bank of Russia platform, corresponding to an account-based model with high risks for data confidentiality.
• USA: The official position remains exploratory. However, the CBDC Anti-Surveillance State Act (H.R.5403, 2023) was introduced in Congress, aiming to prohibit the issuance of a retail CBDC that could be used to collect data on citizens.

Key Risks and Compromise Solutions

1. Centralization and Cybersecurity. A single database of financial transactions becomes a primary target for attacks. A successful breach could lead to systemic failure and the disruption of financial stability.
2. Censorship and "Programmable Money." CBDC technology, especially in account-based models, allows for restrictions on the use of funds: expiration dates, prohibitions on purchasing certain goods, or blocking accounts without a court order.
3. Erosion of Financial Anonymity. Total transaction transparency for the state creates the conditions for social scoring, discrimination, and increased surveillance.

To achieve a compromise between privacy and state control (AML/KYC), the following solutions are proposed:

• Threshold Anonymity: Transactions below a certain amount remain anonymous, while operations exceeding the limit require identification.
• Delegated Identification: KYC verification is conducted by commercial banks, and the state only receives access to data through a motivated court order.

Legal Governance and Privacy Guarantees

Technology alone cannot guarantee privacy without a robust legal framework. Key elements of such a framework include:

• Legislative Restrictions on Data Access: A clear definition of the individuals and agencies entitled to request transaction data, and an exhaustive list of grounds for such requests (e.g., only by court order within a criminal case).
• Transparency and Auditing: Publication of the source code for key CBDC system components and regular independent audits of its security and data processing algorithms.
• Oversight Bodies: The creation of an independent body (or empowering an existing one, such as a data protection ombudsman) to monitor data operations within the CBDC system and handle citizen complaints.

Privacy-Preserving Technologies: Opportunities and Limitations

Cryptographic methods exist that can provide privacy in CBDC systems; however, their implementation faces practical challenges.

• Zero-Knowledge Proofs (ZKP): Allow for the verification of a fact (e.g., the existence of funds) without revealing the data itself (amount, balance).
  Limitations: Require significant computational resources. This can lead to increased transaction confirmation times (latency) and reduced overall system throughput, which is critical for retail payments. The cost of implementing and maintaining such systems is higher.
• Blind Signatures and Confidential Transactions: Hide transaction details (amount, recipient) from intermediaries and even from the issuer at the time of authorization.
• Offline Payments: Allow transactions to be conducted without a network connection, mimicking the properties of cash.
  Limitations: Require specialized hardware (e.g., a Secure Element in smartphones or smart cards) to prevent double-spending. It is difficult for regulators to monitor such transactions for AML/CFT compliance.

Ultimately, the decision regarding who has access to data remains in the legal and political realm, rather than the technological one.

CBDC Privacy Assessment Criteria: An Analysis Checklist

Use this checklist to analyze official central bank documents (white papers, concepts).

Criterion	Key Questions for Evaluation
Anonymity Level	Are there limits for anonymous transactions? Who has access to the full transaction history (central bank, government agencies, commercial banks)?
Self-Custody Capability	Does the architecture allow users to store their own funds (keys) without intermediaries? Or is storage only possible in accounts at authorized organizations?
Data Access Control	What is the legal procedure for accessing transaction data? Is a court order required? Is there independent audit and oversight?
Censorship Resistance	Does the architecture technically allow for blocking transactions or "freezing" funds by category (e.g., prohibition of certain goods) or without a court order?
Offline Capabilities	Does the system support offline payments that mimic the properties of physical cash?

Roadmap for Protecting Financial Autonomy

1. Analysis. Study official CBDC documents in your country using the checklist above. Determine which model (account-based or token-based) is being proposed and what privacy guarantees are embedded within it.
2. Public Participation. Participate in public consultations and send inquiries to legislators and relevant agencies demanding the implementation of robust legal and technical privacy guarantees. Use petition templates from human rights organizations.
3. Personal Strategy.
   • Adopting Private Tools: If a model supporting self-custody is offered, master the principles of working with hardware and software wallets, including the secure storage of keys and seed phrases.
   • Asset Diversification: Regardless of the CBDC model, keep a portion of your savings in assets resistant to centralized control: physical cash, decentralized financial instruments, and assets in different jurisdictions.

Conclusion

The choice of CBDC architecture is not only a technological task but also a political one, determining the balance between state security and citizens' rights. The level of financial privacy in the future will depend not so much on cryptographic methods as on legislative guarantees, data management transparency, and mechanisms for public oversight. Informed analysis and participation in the discussion are key conditions for building a digital financial system that serves the interests of society.

---

Sources:
[1] People’s Bank of China. (2021). Progress of Research & Development of E-CNY in China.
[2] Central Bank of The Bahamas. (2020). Sand Dollar Project.
[3] Sveriges Riksbank. (2023). E-krona pilot phase 3 Report.
[4] Congress.gov. (2023). H.R.5403 — CBDC Anti-Surveillance State Act.