Everybody has heard about Bitcoin by now. It was the first cryptocurrency to go mainstream, but others are fast growing in popularity. There could be more than 1800 different types of cryptocurrencies in existence, and more are being developed every day. So how do we ensure digital currencies are safe? ISOfocus picks its way amid the confusion to find out more.
Imagine you’re sitting in the foyer of ISO, waiting for your meeting. Seated next to you are two gentlemen also waiting for their meeting. You greet each other and ask, “So what are you here for?” Edward and Ryan answer. “We’re here as part of the technical committee ISO/TC 68 to work on developing International Standards for security aspects of digital currencies.” Like most people, you’d probably nod politely and feel too uninformed to ask any further questions. That’s where we step in: What is digital currency, exactly? It is easy to get bogged down with the myriad of terms used: cryptocurrency, e-money, b-money, i-money, e-currency, virtual currency, but a useful definition sees digital currency as a type of currency – or money – that’s available in digital form, unlike the physical objects we know as banknotes and coins.
Like “physical” currency, digital currency can be used to buy objects and services, but some can be restricted to more specific items in online gaming communities. Unlike “real” currency, digital currency does not have to be issued by a government or bank, but instead uses cryptography to link transfers through online networking and date-stamping. The most well-known example is “Bitcoin”, which allows digital currency to be decentralized or unregulated and controlled by its developers and users in the online community.
ISO already has a standard for “real” currency, ISO 4217. This has been in use since 1978 and lists currency codes based on World Bank verifications. These codes are three digits, such as EUR for euro, USD for United States dollar, and are used by banks around the world in their financial transactions.
However, digital currency is expanding faster than these codes can cope with. The ISO 4217 standard can allocate around 500 three-digit codes, yet digital currencies are being created and used online with thousands of separate versions. In 2018, it was estimated that over 1800 digital currency options existed.
In July 2019, the International Monetary Fund (IMF) published its paper “The Rise of Digital Money”, which found that the growth in popularity of digital currency boils down to convenience, workability with online apps and very low cost to users. Trust is also important in countries like Kenya where digital currency is considered more reliable than banks and telecommunications companies. In 2016, roughly a millennium ago where digital currency is concerned, the Study Group on core banking services of ISO /TC 68’s subcommittee SC 7 (now disbanded) noted that digital currencies can be used to replace some real currencies in many areas, which raised concerns about how to apply computer science, cryptography and banking guidelines to ensure that digital currency is properly defined and secure to use. It was then estimated that there were more than a hundred thousand digital currency transactions every day.
PROTECTING OUR DIGITAL ASSETS
Back to Edward and Ryan, or Edward Scheidt, Convenor of ISO/TC 68/SC 2/WG 17, Security aspects of digital currencies; and Ryan Pierce, expert member of ISO/TC 68/SC 8/WG 3, Digital Token Identifier – DTI. With such obscure titles, what exactly are these working groups focusing on?
Edward Scheidt liaises with ANSI (American National Standards Institute) and is the Vice-Chair for ANSI x9 Global Security Standards (banking standards under the American National Standards Institute); he also collaborates with the ITU (International Telecommunication Union) Fiat Digital Currency Committee. “Our first focus is to examine the potential security of digital currencies with a goal to develop a future ISO standard. We meet monthly and have 21 members representing various national bodies taking part.”
Technology is moving at an incredibly rapid pace, which raises issues on how the economic stability of currency (non-digital) could be affected; what commercial and private industry influences can affect digital currency; what various political and regional issues need to be addressed; and how to connect these elements into a robust framework that can be used by all.
Scheidt explains that physical money is already well supported by policies, laws and rules leading to banking regulations. Yet while convenience appears to be a big advantage for money in a digital format, three security-related issues need to be resolved:
- Trust, so that the supporting international financial ecosystem can warranty its financial payments and financial transactions
- Binding liability, so that investments supporting a financial ecosystem do not have negative legal ramifications
- Privacy, so that the individual, as a consumer, with the supporting financial infrastructure can ensure that information remains private when needed
Casting a wide net
Collecting input from ISO members and financial experts is vital, he says. The committee must consider issues from policy, legal, central authority and technical security standpoints.
“The technical committee is working on drawing a line between the security technology needed for these standards and how they can apply to business cases. Potentially, we’re looking at collections of concepts and directions by national authorities to end up with a security framework that all digital formats can adhere to.
“We need to take the standards we have today and update them to ensure interoperability across countries’ recognized digital currency systems. This will be the first step towards universal acceptance. Trust is paramount: without that, all the technology in the world is not going to provide the answer.”
As both gentlemen point out, it’s also important to note that digital currency is not just the concern of countries and their government agencies: businesses and commercial enterprises are also operating in this area, which was traditionally left to governments. These standards could, at a conservative estimate, affect up to one trillion dollars in digital transactions per day, so security is vital.
Distribution of trust
Ryan Pierce, who is also Co-Chair of the Digital Asset Working Group at FIX Trading Community, expands further. “We are examining the creation of identifiers for digital tokens. This is an obstacle facing us all right now because there are so many new types of digital assets being created, and we need to be able to identify them to help eliminate any ambiguity between firms sending and receiving them.”
He explains that while Bitcoin was the original digital currency, thousands more digital currencies have since been created and used. These digital currencies represent bartering, equity, securities and services, all of which have expanded beyond the original function of Bitcoin. They have a similar function to currencies in that they can be used as a medium of exchange, but they can move beyond that definition if they are also tokens tied to specific utilities or services such as allowing data storage in a shared cloud, earning extra tokens by viewing advertising, or providing other services.
“When Bitcoin was first introduced, it helped solve the problem of ʻdistributed trustʼ. If someone wanted to trade digital assets in the past, they would have had to pick a trusted party to hold the ledger and keep records of who owned what. For example, most of us place our trust in banks. We know that we can use our credit card and we can pay for our lunch; we trust that we will only be charged once for the correct amount.”
With Bitcoin, he says, no one person can censor or modify transactions, and it no longer requires placing absolute trust in one entity. The technology allows the creation of a ledger that does not depend on a bank. It operates by having enough people running the same computer software to achieve consensus on the state of the ledger; it would be cost-prohibitive to modify or delete past transactions.
Pierce provides a good example of how digital currency needs to be properly identified: “If you wanted to wire transfer one hundred US dollars to me, then you’d automatically be using the ISO 4217 currency codes, which identify US dollars as ʻUSDʼ. All banks know exactly what this means, and there is no confusion. There are also ISINs, defined by ISO, that identify other forms of securities such as stocks, bonds and derivatives. This results in making all transactions unambiguous by all banks around the world.”
However, digital currency has no official identifiers, names, or currency codes. Your bank can differentiate US dollars and euros, but how would they tell the difference between Bitcoin and Bitcoin Cash?” That is the issue facing ISO. There is no authority anywhere in the world in charge of digital currencies today, so there is no official way to define Bitcoin or any other digital currency, and no universally recognized identifier for it.
“Back in 2016, it was determined that digital currencies, such as Bitcoin, that were not issued by monetary authorities could not be assigned ISO 4217 currency codes (such as USD or EUR). However, we believe that they need a separate list of codes to identify them – digital token identifiers. These codes will eliminate confusion and allow banks and other financial entities to transfer digital tokens. By easily identifying them, we would avoid misunderstandings,” Ryan explains.
As with all ISO standards, these are best-practice guidelines and not regulations. “We will not provide any opinion on the reliability of the digital tokens that would be issued identifiers as we must not make judgments. If a digital currency or token exists, then it is eligible for an identifier. That does not mean that all digital currencies that have identifiers will be reliable or valuable. Think of your birth certificate: it establishes that you’re born, and you officially exist, but no other judgments (like creditworthiness or whether you are trustworthy) can be made solely based on that identifying document.”
A worrying business model is emerging where companies plan to create a digital platform to provide a service, then sell tokens that can be used to pay for that particular service. Investors buy these tokens in the hopes of seeing an increase in value when the service is launched. But there have been “exit scams” that see companies taking the money and disappearing. In these cases, a DTI (digital token identifier) could still be issued for that token.
Pierce explains the valuable role in introducing DTIs to reduce fraud. “Regulators frequently ask for transaction records in regulated industries. Banks can detect suspicious financial activity and file reports if you suddenly have a hundred thousand US dollars appear in your account. But can regulators ask for transaction records on suspicious financial activity involving digital currency? Without an official digital token identifier, it would be hard for regulators to make sense of such data.
“It’s not just the regulators. The average person benefits from being able to access and use the DTIs to know exactly what they are sending or receiving. I could sell my car to you for five Bitcoin tokens, but when we carry out the actual transaction, you could send me something completely different. Without an official definition of Bitcoin or a recognized identifying code, there are too many opportunities for confusion. Digital token identifiers will eliminate that confusion (or deliberate fraud) and will be an objective way to identify a particular digital currency or token.”
With all that explained, it seems that the world of cryptocurrencies will soon be as safe as a game of digital Monopoly.