As the world stands today, the future of transaction privacy does not look great. The existing landscape is dominated by traditional credit companies, who over the past decade have been steadily pushing their networks for increased access to user data. They (and their data customers) are on a track to getting SKU level data of every purchase everyone makes everywhere. There are other contenders, such as regional online payments networks (like Venmo in the US), but the data story there is similar.
This is not a future we are particularly excited about. At Signal, we want to help build a different kind of tech – where software is built for you rather than for your data – so these are trends that we watch warily.
Alternative futures
Simultaneously, there has been growing interest in cryptocurrency as an alternative payments infrastructure, and some projects within that space are building with privacy in mind. Many have noted that there is the potential to build a payments network with the user experience of Venmo, but with support across borders, and a privacy model that ensures your data stays in your hands.
Unfortunately, in the past decade, this has failed to substantially emerge. Much of the energy in the cryptocurrency space seems to have been channeled into other directions like asset speculation/finance. It’s still rare to find cryptocurrency projects that start with UX as a first principle.
The only exception may be Facebook, who appears ready to emerge with technology that will deliver on this promise — though not in the way everyone had hoped (notably, on privacy). The “alternative future” has been shaping up so that it may, very unfortunately, be Facebook.
Alternative, alternative futures
Signal has often been asked if we can build something to support this kind of payments use case for a better alternative future (one that isn’t dominated by big tech). While Facebook can absorb the risk and overhead of building a cryptocurrency protocol from the ground up, that would be a significant risk and endeavor for a team our size. Rather than take that on directly, we can include linked support for existing separately built and maintained cryptocurrency wallets (a “non-custodial wallet,” in cryptocurrency parlance) that allow people to interact with existing payments networks.
This is similar to other Signal integrations like using GIPHY for GIF search, and would allow Signal to help make private payments a reality while maintaining our focus.
Just as GIPHY has to work well from within Signal for it to make sense in Signal, any cryptocurrency wallets that we include support for also have to work well from within Signal. This would mean:
- Integration is “non-custodial”: Signal does not have access to your keys or your funds; that information remains associated with your own wallet.
- Like everything else in Signal, data is private: all your data stays in your hands rather than being visible to others.
- Transactions are fast: like Venmo, it can only take a few seconds to send a transaction.
- Everything works well on mobile: it can’t require downloading and scanning all ongoing transactions in order to find your own.
- The experience is simple: in most other ways the experience should be the same as something like Venmo.
- It can scale to hundreds of millions of people.
Some things that might initially seem like a great fit don’t yet meet these usability requirements. Projects like Zcash and others are designed with privacy in mind, but aren’t yet fast enough or mobile-oriented enough. Transactions can take tens of minutes, and even with shortcuts to speed up an individual transaction, subsequent transactions can block on it. They also require all clients to scan all transactions made by all other clients in order to identify those relevant to them, which won’t work on all mobile devices on all networks (similar to how requiring all Signal clients to scan all Signal messages everyone sends to everyone else in order to identify those destined to them wouldn’t work). Or alternatively they require a server using a “view key” to do trial decryption (which won’t scale to Signal doing hundreds of millions of trial decryptions – one for every user – for each transaction).
Projects like Lightning don’t have very strong privacy guarantees, particularly in a situation where Signal would be both the ingress and egress channel, and would also currently have difficulty scaling to hundreds of millions of people holding relatively low balances – in part due to costs associated with setup.
These projects are all constantly improving, and we hope are focused on getting closer to being integratable by an app like Signal so that it would be possible in the future. For now, Signal started with MobileCoin because its design does currently offer fast, private, transactions at scale in a way that is easy for Signal to integrate.
Beta feedback from the field
These Signal betas have been available for a week, and we’ve been watching the feedback closely. To summarize some of the critical feedback we’ve seen:
- I’m not a beta tester, but cryptocurrency is the worst. We’ve only been testing this in beta in one country, so lots of people haven’t seen this yet and are imagining the worst. Don’t worry, it’s an opt-in feature, so if you don’t ever want to use payments in Signal, you never have to.
- Cool, but the fees are too high. The MobileCoin transaction fee is currently around 50p ($0.60), which is kind of a lot in order to pay your friend for a slice of pizza! The MobileCoin Foundation is working on changing this.
- Very cool once you’re using Signal, but it’s too hard to get funds in and out. It currently requires a wire transfer for people in the UK to get funds in and out of cryptocurrency exchanges that support MobileCoin, which costs money. We agree the onramps and offramps need to be smoother for this to work well in most use cases.
- The price volatility seems risky for Signal users. We agree that it’s important to consider mitigations for the ways in which people trying to use payments in Signal for utility might be negatively exposed to volatility.
We’ll keep watching the feedback as it comes in. Thanks to everyone who has taken the time to test and help out.