4.0 Optional Features and Functions

There are several additional features and functions that should be considered in designing an electronic token system. These provide added safety, convenience, and value to the user. Although they are not required for a working electronic token system, most of these features have, in fact, been included in various proposed token systems.

4.1 Accounting

Features to be considered from an accounting and recordkeeping standpoint include the following.

Divisibility -- Electronic tokens could either be designed so they can be subdivided into arbitrarily small units or be made available only in discrete increments. If change from a large-denomination token can be obtained remotely, token divisibility may not be necessary.

Receipts -- Purchasers seek refunds for any number of reasons. Regardless of whether their purchase was made via paper cash, debit or credit card, or electronic tokens, they will need a receipt or proof of purchase. New electronic analogues must be developed to replace physical receipts.

4.2 Conversions

Various features and functions involve the user's ability to convert electronic tokens into paper money and vice-versa.

Cash purchase of tokens -- Some users might prefer to purchase electronic tokens with paper cash. This practice would allow them to maintain anonymity. It would also let people without bank accounts purchase tokens.

Fungibility -- Users' ability to convert electronic tokens to paper cash and/or other monetary equivalents would increase the value and utility of the electronic token, particularly during the transition period when the NII is evolving and not yet universally used. On the other hand, this conversion capability could make the token a more attractive target for crime because of its increased fungibility (i.e., interchangeability).

International use and multi-currency -- People in the United States should be able to access and pay for foreign services as well as U.S.-based services from abroad. To support this access, electronic tokens would need to be available in multiple currencies. A service provider in one country could then accept tokens of various currencies from users in many different countries, redeem them with their issuers, and have the funds transferred back to banks in the local country. This ability to transport currency electronically across borders could have repercussions on trade and international banking laws.

4.3 Limits and Constraints

Many system requirements can be loosened and risk mitigated by imposing operational constraints, such as limits on (1) how much can be stored on and transferred by electronic tokens, (2) the time over which a given electronic token is valid, (3) the number of exchanges that can take place before a token needs to be redeposited with a bank or financial institution, (4) the number of such transactions that can be made during a given period of time, or other conditions. These and similar constraints and limits, however, introduce a whole set of implementation issues all their own.

Time limits -- Time limits could be imposed beyond which the electronic token would expire, worthless. The user would have to redeem or exchange the token prior to the expiration deadline. For this feature to work, electronic tokens would have to be date/time-stamped, and time would have to be synchronized across the network to some degree of precision.

Maximum amount and rate limits -- An upper limit could be imposed on the allowable value that could be assigned to any single electronic token device or that could be transferred to the same device within a given period of time. Imposing this maximum limit could also limit the issuer's liability. Additionally, since the user's terminal could be programmed to execute small transactions continuously at a high rate over the network, a strategy of reporting transactions over a certain amount will be ineffective for law enforcement. However, a tamper-resistant unit could enforce a policy involving both transaction size and cumulative value over time. For example, an "anonymous coin-purse" feature of the unit might be capable of receiving or spending no more than $500 in any 24-hour period. Alternatively, the "rate ceiling" for the next 24 hours could be made dependent on the rate of use or on the number of exchanges that could be permitted before a token would have to be redeposited in a bank or financial institution and reissued. Exchanges could also be restricted to a class of services or goods (e.g., electronic benefits could only be used for food, clothing, shelter, or educational purposes).
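The "anonymous coin-purse" ceiling described above can be modeled as a sliding-window check. The following Python sketch is an added illustration, not code from the original report; the class and method names are hypothetical, and it assumes the $500 ceiling applies separately to receiving and to spending.

```python
from collections import deque
from decimal import Decimal

WINDOW_SECONDS = 24 * 60 * 60   # "any 24-hour period" from the text
CEILING = Decimal("500")        # the $500 ceiling from the text

class CoinPurse:
    """Hypothetical model of the policy a tamper-resistant unit would enforce."""

    def __init__(self, ceiling=CEILING, window=WINDOW_SECONDS):
        self.ceiling = ceiling
        self.window = window
        # Assumption: receiving and spending are metered separately.
        self.received = deque()   # (timestamp, amount) pairs inside the window
        self.spent = deque()

    def _total(self, log, now):
        # Drop entries that have aged out of the window, then sum the rest.
        while log and log[0][0] <= now - self.window:
            log.popleft()
        return sum((amount for _, amount in log), Decimal("0"))

    def _apply(self, log, amount, now):
        amount = Decimal(str(amount))
        if amount <= 0:
            raise ValueError("amount must be positive")
        if log and now < log[-1][0]:
            return False   # clock moved backwards: refuse rather than reset the window
        if self._total(log, now) + amount > self.ceiling:
            return False   # cumulative value in the window would exceed the ceiling
        log.append((now, amount))
        return True

    def receive(self, amount, now):
        return self._apply(self.received, amount, now)

    def spend(self, amount, now):
        return self._apply(self.spent, amount, now)

def run_demo():
    """Constructed scenario: a terminal scripted to send $1 every second."""
    purse = CoinPurse()
    accepted = sum(purse.receive(1, now=t) for t in range(1000))
    late = purse.receive(1, now=WINDOW_SECONDS)   # the first $1 has just aged out
    return accepted, late
```

Because the check is on cumulative value rather than per-transaction size, the stream of small transfers is stopped at the same point a single large transfer would be.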

Conditional payment and post-dating -- The exchange process should allow payment to be withheld from the seller upon the buyer's instructions until delivery of purchases, goods, or services within a specified time in the future. Conversely, it should allow delivery to be withheld upon the seller's instructions until payment is received.

4.4 Traceability

The ability to trace transactions made in an electronic token system involves the following features.

Token registration -- It might be useful for all electronic tokens issued to be uniquely identified and registered. Just as physical coin and paper currency are identified with a unique serial number, electronic tokens could be similarly protected. It would then be easier to spot copies or tokens with duplicate or unregistered numbers.
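As an added illustration (not part of the original report), the Python sketch below combines token registration with the time limits of section 4.3: the issuer checks authenticity, registration, expiry, and prior redemption, in that order. The names are hypothetical, an HMAC stands in for the issuer's digital signature, and the key and the 300-second clock tolerance are constructed values.

```python
import hashlib
import hmac

ISSUER_KEY = b"constructed-demo-key"   # placeholder; a real key never lives in code
MAX_SKEW = 300                          # assumed clock tolerance, in seconds

def _tag(serial, cents, expires):
    # HMAC stands in for the issuer's signature over the token fields.
    msg = f"{serial}|{cents}|{expires}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()

class Registry:
    def __init__(self):
        self.issued = {}        # serial -> (cents, expires)
        self.redeemed = set()   # serials already paid out

    def issue(self, serial, cents, expires):
        if serial in self.issued:
            raise ValueError("serial already issued")
        self.issued[serial] = (cents, expires)
        return {"serial": serial, "cents": cents, "expires": expires,
                "tag": _tag(serial, cents, expires)}

    def redeem(self, token, now):
        try:
            serial, cents, expires, tag = (
                token[k] for k in ("serial", "cents", "expires", "tag"))
        except (KeyError, TypeError):
            return "malformed"
        expected = _tag(serial, cents, expires).encode()
        if not hmac.compare_digest(str(tag).encode(), expected):
            return "forged"          # fields altered or tag invented
        if self.issued.get(serial) != (cents, expires):
            return "unregistered"    # authentic-looking, but never issued
        if now > expires + MAX_SKEW:
            return "expired"         # past the deadline even allowing for skew
        if serial in self.redeemed:
            return "duplicate"       # a copy of a token already redeemed
        self.redeemed.add(serial)
        return "ok"

def run_demo():
    """Constructed tokens covering each outcome of the redemption check."""
    reg = Registry()
    coin = reg.issue("SN-0001", 2500, expires=1000)
    altered = dict(coin, cents=250000)
    ghost = {"serial": "SN-9999", "cents": 100, "expires": 1000,
             "tag": _tag("SN-9999", 100, 1000)}
    stale = reg.issue("SN-0002", 100, expires=500)
    tokens = (altered, ghost, stale, coin, dict(coin))
    return [reg.redeem(t, now=900) for t in tokens]
```

The "unregistered" case shows why the registry is checked in addition to the tag: a token can carry a valid tag and still not correspond to anything the issuer recorded.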

Anonymity -- The issue of anonymity involves a spectrum of positions. Many users may want their transactions to be completely anonymous, with the identity of either the buyer or seller unknown. However, when a court order or warrant is presented, it might be in everyone's best interests to be able to reveal user identities and transaction details. In some cases, too, users might want to give up their anonymity in exchange for detailed reports of transactions, to improve their management information system, or to sell details of transactions to marketing organizations. The best resolution of these various concerns might be "almost anonymous" transactions, in which the transactor's anonymity is maintained unless the transactor gives permission and/or a government warrant is issued. From a technical standpoint, additional encryption techniques will be needed to help achieve the desired level of anonymity, along with the relaxation of certain accounting features, constraints, and limitations.

4.5 Safety

An electronic token system raises a new set of safety issues. The anonymity, convenience, and privacy offered by electronic transfers over the NII can be turned against a user. For example, a criminal could force a victim to transfer tokens withdrawn from the victim's account to the criminal's electronic token device over the network. The criminal could then transfer the account to an accomplice (possibly in another country) and flee. This scenario is less risky for the criminal than kidnapping and forcing someone to make a withdrawal from an automated teller machine (ATM), since the robbery can be done in the privacy of the victim's residence or at a place of the robber's choice. It is also more lucrative, since the victim can be forced to execute a number of transactions of a high value. Moreover, if the transfer session is anonymous, the criminal could be very hard to trace. These possibilities give rise to various safety-related features and functions related to the following.

Ownership -- To ensure authentic ownership of a given token, the token could be linked to the current owner. This feature would require authentication of the owner as well as of the electronic token (requiring, for example, passwords, shared secrets, or biometrics such as verbal verification, dynamic handwritten signature recognition, fingerprints, hand geometry, or retinal scan). The advantage of such a feature is that lost or stolen electronic tokens would be worthless to anyone but the owner. Digital signatures ensure only that the electronic token is authentic, not the holder of the electronic token. The use of PINs or other secrets ensures that the holder of the electronic token is in possession of some knowledge believed to be known only by the legitimate owner. It is, however, possible for this knowledge to be compromised and used without the owner's awareness.

Biometric authentication cannot be duplicated by anyone but the owner, but may be coerced. If an electronic token is linked to either an owner's secrets or biometrics, the transfer of tokens to new owners would require altering this linkage. Alternatively, the owner could be identified only with the device that is storing/producing the token. It may be useful for the electronic token system to feature a false positive password/secret that provides a seemingly legitimate response, but in reality tags the transaction as invalid, renders the electronic token useless if used by anyone but the rightful owner, or notifies the authorities that a crime is in progress.

Co-located applications and data -- The relationship between electronic tokens used as payment mechanisms and other security-sensitive information objects that might be stored with electronic tokens needs to be carefully defined, especially when these are co-located in a single multipurpose device. Driving license information, health care-related information, buying preferences, biometrics, and other personal profile data as well as monetary units of value may all need to be stored in the same computer, card, or device in a private and secure fashion. Monetary electronic tokens should be able to be logically and/or physically isolated from other co-located data, lest linkages offer new opportunities for unauthorized misuse.