Facebook recently announced a new project, Libra, whose mission is to be “a simple global currency and financial infrastructure that empowers billions of people”. The announcement has predictably been met with scepticism by organisations like Privacy International, regulators in the U.S. and Europe, and the media at large. This is wholly justified given the look of the project’s website, which features claims of poverty reduction, job creation, and more generally empowering billions of people, wrapped in a dubious marketing package.

To start off, there is the (at least for now) permissioned aspect of the system. One appealing aspect of cryptocurrencies is their potential for decentralisation and censorship resistance. It wasn’t uncommon to see the story of PayPal freezing Wikileak’s account in the first few slides of a cryptocurrency talk motivating its purpose. Now, PayPal and other well-known providers of payment services are the ones operating nodes in Libra.

There is some valid criticism to be made about the permissioned aspect of a system that describes itself as a public good when other cryptocurrencies are permissionless. These are essentially centralised, however, with inefficient energy wasting mechanisms like Proof-of-Work requiring large investments for any party wishing to contribute.

There is a roadmap towards decentralisation, but it is vague. Achieving decentralisation, whether at the network or governance level, hasn’t been done even in a priori decentralised cryptocurrencies. In this sense, Libra hasn’t really done worse so far. It already involves more members than there are important Bitcoin or Ethereum miners, for example, and they are also more diverse. However, this is more of a fault in existing cryptocurrencies rather than a quality of Libra.

But is it, in fact, desirable to have Libra move towards decentralisation? As Libra is aiming to be an alternative to classical payments systems, which process many more transactions than cryptocurrencies, this may not be the case. Practical issues like dispute resolution and KYC compliance, which are ignored in the technical paper, do not benefit from decentralisation and in general, it isn’t really clear what the benefits would be in this specific context. On the other hand, a decentralised Libra may be harder to regulate effectively. This could help parties with more power in the system to be less accountable, especially if the system is decentralised in name only, like existing cryptocurrencies. This is without considering the inherent problems of maintaining a decentralised stablecoin backed by multiple centralised currencies.

Conspicuous lack of privacy

The above, however, are questions for the future. The more important discussion point is related to the privacy that Libra might offer. David Marcus (co-creator of Libra, lead at Calibra) has tweeted on the topic of privacy, but a search for the word privacy in the technical paper shows that this is completely ignored. The technical paper says very little about how the system avoids revealing all of the details of a transaction (in terms of who is sending money, who is receiving money, how much is being sent, etc.) to all of the validators or observers of the blockchain. The main part of the paper that refers to this, at the transaction layer at least, reads as follows:

The Libra protocol does not link accounts to a real-world identity. A user is free to create multiple accounts by generating multiple key-pairs. Accounts controlled by the same user have no inherent link to each other. This scheme follows the example of Bitcoin and Ethereum in that it provides pseudonymity [19] for users.

Sarah Meiklejohn’s research has, for the past six years, focused largely on demonstrating that Bitcoin achieves little to no privacy for the vast majority of its users, and many other researchers have shown this as well. Beyond research, there are now several companies (e.g., Chainalysis, Elliptic) devoted solely to following flows of bitcoins, ether (with Ethereum achieving strictly less privacy than Bitcoin) and other popular cryptocurrencies as they move between different users, in and out of exchanges, and so on.

This is problematic for several reasons. Most notably, it means that Libra will not provide any meaningful notion of privacy, and the validators and observers of its blockchain will have almost complete visibility into how and where users choose to spend their money. This is unlikely to change, given that David Marcus has made clear the choice to not enable shielded transactions.

Already, several lawmakers have expressed concerns related to data protection. Maxine Waters, who chairs the House Financial Services Committee in the U.S., made the point that “Facebook has data on billions of people and has repeatedly shown a disregard for the protection and careful use of this data. […] With the announcement that it plans to create a cryptocurrency, Facebook is continuing its unchecked expansion and extending its reach into the lives of its users.”

Despite what Mark Zuckerberg says at keynotes, the past indicates that users should not have any expectation of privacy, which stands alongside other criticism of Facebook that has marked the company’s history. Libra involves more than just Facebook, but it isn’t why anything different should be expected when the financial data that Libra would make available is certainly valuable. Trusting privacy guarantees that are not founded on strict properties, e.g., using cryptographic tools or differential privacy, is hardly reasonable at this point.

Calibra, Facebook’s wallet app for Libra that will be integrated into Facebook Messenger and WhatsApp, apparently won’t share information with Facebook and other third parties without consent. This is what Facebook (and other platforms) are supposed to do in the first place, but in reality, consent is either obtained through the use of lengthy terms of service that we all know no one reads, or it is simply ignored. More generally, there is little information about custodial wallets and payment channels, despite the fact that it is anticipated that most transactions will take place off-chain.

Will it really help the unbanked?

Finally, it’s also interesting that Libra has as target unbanked users that previously would not have been able to perform online payments. This also means that advertisers would not have paid much for ads that target these users, or likewise might not have been able to pay for ads in the first place. While there are benefits to enabling online payments for those that cannot use them at present, it is questionable whether this should happen at the cost of financial privacy and giving more power to private companies that have no history of treating their product as a public good. Instead, this might just serve as a way of opening up new avenues to profit from users at their expense.

It also isn’t clear why Libra believes it will address the needs of unbanked users. The main reason for not having a bank account, as per the document referenced by Libra, is lack of money. How Libra will help in these cases is unclear.

Disclaimer: despite some of the people working on Libra having been, or currently being, affiliated with the UCL Information Security Group, the group itself has no affiliation.