From Cashless Cafes to Surveillance States: Why Defending Cash Is Defending Human Rights

Coffee for Coordinates

I am a coffee snob. I love a good latte, a flaky croissant and a properly executed egg breakfast and I will go to great lengths to experience a quality example of all three on a Sunday morning. Last summer, while staying in downtown Melbourne, I started noticing something on the retail face of the building across the road from my apartment. There was a huge stylised image of a croissant window-wrapped over the building's glass facade. A herald of an incoming specialty cafe. This was excellent news. I had recently bemoaned accidentally landing in a part of Melbourne that somehow had very few decent cafes so I started counting down to opening day. When it came, I joined a surprisingly long queue, ordered my coffee and croissant, pulled out the $30 it cost (yes, $30) only to be told my cash was no good. Card only. By the way we also charge a 1.2% card processing fee.

If I am honest, this really annoyed me. I don't carry cards generally and I was hungry so it made the situation more uncomfortable than it should be. Why should I not be able to pay in cash when I want to? I made my protest known to the server and on a google review.

This was honestly a petty annoyance, I can simply go to a better cafe. The reason I bring this up here however is that this cafe sits at one end of a continuum that, at the other end, runs through predictive-policing and the end of human rights for sections of the community. This sounds extreme, the cafe and the authoritarian surveillance state are not the same thing and I'm not going to pretend they are. But they are on the same line and the line is moving in one direction. This piece is about why that direction matters, why financial data is uniquely dangerous and why a cafe that won't take cash contributes a small piece towards a serious problem.

Why financial data is different

Three properties make financial data different from other categories of personal information and unusually dangerous when aggregated.

It is uniquely revealing. Browsing history captures what you considered; financial data captures what you actually did, with whom and when — intent, association, location and timing in a single record. Re-identification of "anonymised" datasets is one of the most consistent findings in privacy research. Transaction data sits at the easy end of the problem: a 2015 MIT study found four arbitrary credit-card transactions were enough to re-identify roughly 90% of individuals in a dataset of 1.1 million people. "Anonymised" financial data is, in practice, not anonymous.

It is uniquely durable. Most jurisdictions require financial institutions to retain transaction records for five to seven years with many institutions retain them indefinitely.

It is uniquely under-protected. In the US, the CCPA contains a data-level exemption for information covered by the Gramm-Leach-Bliley Act, and most state privacy laws include similar GLBA carve-outs, some at the entity level. Under the GDPR, financial institutions are in scope, but statutory retention obligations override the right of erasure for transaction records, and the right to object is limited where processing is based on contract or legal obligation. In practice, consumers have no general right to delete transaction history, limited ability to object to its processing and, in the US, no comprehensive right to identify which data brokers hold their spending data.

The predictive power that data models have is huge. In 2012 a father stormed into a Minneapolis-area Target, furious that his teenage daughter had been mailed baby-product coupons. He called back a few days later to apologise: she was, in fact, pregnant and Target had figured it out from her shopping patterns before he had. That was fourteen years ago, before the modern analytical stack existed. Visa and Mastercard are now documented to mine transaction histories and monetise them through data-broker sales without meaningful consent. The companies holding this data are not pretending to be on your side.

"I have nothing to hide"

The most common response to any privacy argument is some version of I'm not doing anything wrong, so what does it matter who sees? It is worth taking seriously, because the people who say it usually mean it and because the answer is not the dismissive one privacy advocates often reach for. Four things are wrong with it.

Privacy is not about hiding wrongdoing; it is about power. Information asymmetry is power asymmetry. When one party can see every transaction of another and the reverse is not true, the relationship is not neutral, regardless of whether either party is doing anything wrong. This is why we close the bathroom door, why salary negotiations happen in private, why doctors do not discuss your conditions with your employer. The information is not shameful. The exposure is the harm. A society in which the state, your bank and an unbounded list of data brokers see every economic act you perform and you see nothing of theirs, is not a society of equals.

"Nothing to hide" assumes the rules will not change. The set of things that are legal, normal, or socially acceptable is not fixed. Abortion was a constitutional right in the United States in May 2022 and a prosecutable offence in thirteen states by July. Homosexuality was a felony in most US states within living memory and is a capital offence in eleven countries today. Cannabis use is legal in twenty-four US states and grounds for deportation under federal law. The transaction record you generate today is evaluated under the laws of whatever government holds it in ten, twenty, fifty years. "I have nothing to hide" is a statement about the present that quietly assumes the future will agree. It usually does not.

Context collapses. The philosopher Helen Nissenbaum's framework of contextual integrity captures something most people already know intuitively: information appropriate in one context is harmful in another. Telling your doctor you drink heavily is fine; your insurer learning it is not. Your therapist knowing about your affair is fine; your spouse's lawyer subpoenaing the payment record is not. A donation to a political party is fine in your voting booth and a problem in your employer's HR file. Aggregated financial data destroys context by default: the same transaction stream is read by your bank, the merchant's processor, a handful of data brokers, your insurer's underwriter, any government agency with a subpoena and anyone who buys the data downstream. None of them see the context in which you spent the money. All of them act on what they see.

Surveillance changes behaviour, even when nothing is hidden. This is the best-documented finding in the privacy literature. People under observation self-censor, conform, avoid the controversial and steer clear of the legal-but-stigmatised. Studies after the Snowden disclosures found measurable drops in searches for politically sensitive terms on Wikipedia and Google. The chilling effect does not require an actual punishment, only the awareness that punishment is possible. A society in which every donation, subscription, purchase and movement is logged and attributed is a society that thinks differently, reads differently, gives differently and organises differently from one in which those acts are private. The harm is not what is done with the data. The harm is what people stop doing in anticipation of what might be done with the data.

The honest version of "I have nothing to hide" is I am willing to bet that nothing I do now will be held against me later, by anyone, under any future legal or political regime and I am willing to make that bet on behalf of everyone else too. Almost no one would endorse the second formulation. It is the same statement.

Who actually gets hurt

Five spots where the cashless economy is already producing concrete harm to people who haven't done anything most would consider wrong:

The Canadian Freedom Convoy. The cleanest recent demonstration of what a cashless economy permits when the political mood shifts. In February 2022, Canadian banks froze personal and corporate accounts without a court order, under emergency powers, on the basis of donations as small as $20 made through GoFundMe and GiveSendGo. Donors who had never set foot in Ottawa found their mortgages and payrolls suspended. At the time the world was trying to get on after COVID and ecouraging vaccine usage seemed like one way to try to do this safely. What was actually dangerous was setting a precedent that limits the rights of people to object. A government that declares an emergency can now financially sever a movement from society and the banks comply. The Nigerian government did the same to the organisers of the 2020 #EndSARS protests against police brutality, with the Central Bank of Nigeria directing the freezing of protest-linked accounts within weeks of the demonstrations. The right to protest means very little if the right to fund a protest can be revoked so easily.

Americans seeking abortion across state lines. Anyone travelling for an abortion in post-Dobbs America carries their itinerary in their card statements: clinic copays, mifepristone or misoprostol at the pharmacy, gas and hotels along the route, period-tracker subscription fees. Texas SB8-style civil bounties create private incentives to sue; "aiding and abetting" prosecutions in Idaho and Alabama threaten anyone who helped. Subpoenas of out-of-state pharmacies and tech firms are already happening. The Nebraska case against Jessica Burgess relied on Facebook DMs, but the same playbook applies directly to financial data and unlike a chat history, you can't decline to use your debit card if cash is no longer accepted anywhere.

Domestic abuse survivors face specific risks in a cashless economy. Abusers with access to a joint account can monitor transactions in real time, including purchases that may signal an attempt to leave: appointments with therapists or lawyers, travel bookings, prepaid phones, or transactions near a shelter. This visibility can allow an abuser to detect an exit attempt before it is completed, and separation is the period of highest lethality risk in abusive relationships.

Cash plays a documented role in how survivors leave. An estimated 95% of domestic abuse cases involve economic abuse, a well-documented pattern of coercive control, and survivors frequently accumulate departure funds through small cash withdrawals over time because larger or unusual transactions would be noticed. Reducing the availability of cash narrows this option and increases the share of a survivor's financial activity that is visible to a coercive partner.

The PayPal / Free Speech Union episode in the UK. In September 2022, PayPal closed the accounts of the Free Speech Union, the Daily Sceptic and the personal account of founder Toby Young within days of each other, citing unspecified policy violations and offering no route of appeal. PayPal partially reversed under public pressure and a parliamentary letter, but the lesson stuck: a single private payment processor, accountable to no regulator on viewpoint grounds, could simultaneously defund a journalist, his publication and the civil-liberties organisation defending him. There is no First Amendment claim against a payment company. The same mechanism has hit dissident organisations across the political spectrum, in the US, the UK and Europe.

Uyghurs in Xinjiang. The endpoint of the trajectory and the warning of what comprehensive payment tracking abuse becomes. Financial data feeds the 'Integrated Joint Operations Platform', the predictive-policing system used to flag people for "re-education" detention. Donations to mosques, religious-text purchases, halal-food spending and remittances to relatives abroad all feed the algorithm, as documented in the leaked Xinjiang Police Files. There is no version of this system that works without comprehensive payment tracking.

One might consider Xinjiang a problem of authoritarianism rather than of payments infrastructure, yet the mechanisms already operate in democracies, at lower intensity, against the same kinds of targets. After 9/11, US Suspicious Activity Reports on Muslim donors and charities surged and several Muslim charities were shut down in proceedings that relied heavily on aggregated transaction data. Operation Choke Point (2013-2017) pressured US banks to drop entire categories of legal-but-disfavoured customers, including firearms dealers and adult-industry workers, on AML grounds. AML pressure on correspondent banks has dismantled the formal remittance corridors serving the Somali diaspora, with Barclays closing accounts of operators including Dahabshiil in 2013 despite warnings that billions in lifeline remittances would be pushed into less traceable channels. Religious donations flagged, diaspora remittances disrupted, disfavoured-but-legal merchants severed from banking. The intensity is lower than Xinjiang's. The mechanism is the same.

And many others

The cases above are illustrative, not exhaustive. In the same family of harms, more briefly:

What these cases have in common is that they cut across the conventional political map. Right wing gun owners and left wing trans folks don't agree about much, but on this issue, their interests are identical. So are the Hong Kong activist and the Canadian trucker, the cannabis user and the Uyghur Muslim, the journalist's source and the UK free-speech campaigner. This is not a left-right issue and any framing that treats it as one actually supports the surveillance system.

But what about the crime?

Now, some folks will tell you that cash enables crime, tax evasion and money laundering. And look, they're not wrong, not entirely. But the question is where the laundering actually happens. Serious money laundering runs through the banking system itself: shell companies, trade misinvoicing, correspondent banking, real estate. That is where the big end of town moves money it does not want examined and that is where AML enforcement actually matters. Retail cash is a rounding error in this picture.

What retail AML rules do instead is sweep up ordinary people and inflation has made it worse. The US Bank Secrecy Act has required a report for any cash transaction over $10,000 since 1970. That number has not moved in over fifty years; in real terms it is now roughly $85,000. A threshold originally calibrated to flag genuinely large transactions now flags used-car purchases and ordinary small-business takings, while the people laundering hundreds of millions through opaque corporate structures operate two orders of magnitude above it. Surveillance built for narrow crime-fighting purposes also has a reliable habit of being repurposed more broadly, as the post-9/11 financial-surveillance regime, now routine in domestic policing, demonstrates.

Cashless is just more convenient. People actually prefer it. Many do and this is real demand-side pressure. But individual convenience and collective infrastructure are different things. I prefer fast roads; I do not therefore prefer a world where walking is impossible. The convenience argument holds as long as cash remains a viable parallel option. The moment a critical mass of businesses stops accepting it, individual convenience becomes collective coercion.

Sweden is having second thoughts

The country that went furthest is reversing. Sweden spent fifteen years as the world's most cashless economy, with cash down to around 1% of GDP and one in ten purchases. In its 2024 and 2025 Payments Reports, the Sveriges Riksbank, Sweden's central bank, has called for legislation requiring merchants to accept cash for essential goods and for banks to be legally obliged to handle consumer cash deposits. Governor Erik Thedéen has put it directly: "People should always be able to pay for food, healthcare and medicines both digitally and with cash."

The Riksbank's reasoning is operational rather than ideological: a payment system that depends entirely on electricity, telecoms and uninterrupted bank IT is one cyberattack or cable cut away from a society that cannot buy bread and the elderly, rural, disabled and unbanked are being progressively locked out of basic commerce. Finland's central bank has reached similar conclusions and Switzerland is heading to a constitutional referendum on cash acceptance driven by a "Cash is Freedom" citizens' initiative.

The lesson is not that Sweden was wrong to digitise. It is that "cashless by default" turns out to be a one-way door and the country that walked furthest through it is now trying to walk back. Other countries do not have to make the same trip first.

Reproducing cash in software

Privacy-preserving cryptocurrency is the right answer to the digital-payments problem and the reputational baggage needs addressing head-on because it gets in the way of the argument. Crypto has accumulated a lot of it in the last decade: speculative manias, exchange collapses, rug pulls, energy debates, a venture-capital culture and a Twitter culture that are both unbearable and a political association with a particular strain of American libertarianism that puts a lot of readers off before the technology is discussed. None of that is the argument here. The argument is narrower and older than any of it: the privacy properties of cash, which we have taken for granted for centuries, can be reproduced digitally only through specific cryptographic techniques and those techniques happen to be implemented on blockchains. The blockchain is incidental. What matters is the cryptography and what the cryptography does is reproduce the one property of cash that no card, app, or CBDC will: the absence of a record.

Every non-cash payment method on offer today, whether debit card, mobile wallet, bank transfer, or future CBDC, records the sender, the recipient, the amount and the time and retains that record indefinitely. Cash does not. Replacing cash with these systems is not a like-for-like substitution. It is the construction of a permanent transaction record for every economic act in daily life. Policy reforms can constrain how that data is used, but they cannot make the data not exist. A digital substitute for cash that does not preserve this property is not a substitute; it is a different thing wearing the same name. Zero-knowledge cryptography lets one party prove to another that a statement is true without revealing anything about the statement beyond its truth. Applied to payments, a network can verify that a transaction is valid (the sender owns the funds, the amount is correct, no double-spending has occurred) without the network, or any observer, learning who sent what to whom. This is not pseudonymity, which is what Bitcoin offers and what chain-analysis firms like Chainalysis trivially defeat. It is mathematical privacy: the information the watcher would need is not encrypted, it is simply not present in the system.

Three networks matter most. Monero, the most widely used, makes privacy the default by mixing every transaction with decoy inputs so that the real sender is indistinguishable from a set of plausible alternatives. Zcash, in shielded mode, uses zk-SNARKs to provide stronger guarantees: a shielded transaction reveals nothing about sender, recipient, or amount to anyone outside the two parties, while allowing optional selective disclosure for audit or tax purposes where the user chooses. Railgun brings shielded transactions to Ethereum and other smart-contract chains and this is the move that matters for everyday use. Railgun shields ERC-20 tokens, which means it works with stablecoins. The single biggest objection to crypto payments has always been volatility: people don't want to be paid in something that might drop 30% before they spend it. Stablecoins solve that and Railgun lets you transact in shielded stablecoins. A payment denominated in dollars, settled privately, on a public network. This is the configuration that turns privacy-preserving crypto from a niche tool into a credible cash substitute.

On the objections. Four are worth addressing directly. Volatility. Solved by stablecoins via Railgun, as above. The sender sends $30, the recipient receives $30, neither party has price exposure.

Blockchain surveillance. The standard line that "blockchains are public and therefore not private" is true of Bitcoin and Ethereum's transparent layer and false of every network discussed here. Chain-analysis firms have publicly conceded they cannot reliably trace Monero. Zcash's shielded pool is provably private under standard cryptographic assumptions. Railgun's privacy set inherits from the underlying chain, but the shielded transactions themselves are opaque. The whole point of these systems is that they defeat the analysis tools their critics cite against them.

Exchange access. Centralised exchanges have delisted privacy coins under regulatory pressure, which makes converting them to local currency awkward through that channel. This is true and beside the point, because decentralised exchanges allow permissionless swaps that no regulator can selectively block. Near Intents, Uniswap and ThorChain route between assets without a custodian; the off-ramp to a bank account is the only meaningful chokepoint left and peer-to-peer markets route around even that.

Energy. Whilst Monero and Zcash use proof of work they do so at a tiny fraction of Bitcoin's energy budget and at an even smaller amount than the energy requirements of AI. Railgun runs on Ethereum, which switched to proof of stake in 2022 and dropped its energy use by over 99%. The energy argument was real in 2017. It is a stale objection in 2026.

The convenience case. Cashless payment is genuinely convenient and that convenience is half of why people accept the surveillance trade. The rest of this essay has implicitly asked readers to give some of that convenience back: carry cash, use it in person, accept the friction. Privacy-preserving crypto is the only payments technology that does not require the trade in the first place. You can pay online, pay in person, settle in seconds, denominate in US dollars and leave no permanent record of who paid whom for what. Cash gives you privacy at the cost of physical handling and the inability to pay remotely. Cards and bank transfers give you convenience at the cost of total visibility. Shielded crypto gives you both. It is not merely an alternative to the financial panopticon; it is the only digital architecture that makes refusing the panopticon practical at scale.

The technology is ready. The merchant tooling is not. Point-of-sale software for these networks is bespoke, fragmented and maintained almost entirely by volunteers. BTCPay Server, the closest thing to a standard self-hosted processor, supports Zcash only through a community extension built outside its core team. Closing this gap needs two things: development of merchant infrastructure and businesses willing to accept private payments while the tooling matures.

What you can actually do.

This is a coordination problem. Actions are threefold:

Individually: carry cash and use it. When you walk out of a card-only business, make clear to the staff that the payment policy is the reason. If you review a cashless business publicly, be honest about it: note the payment policy clearly so other cash-preferring customers can find them, rather than tanking unrelated dimensions of the business. The aim is coordination, not punishment. If you can, learn to use a privacy-preserving wallet; there is friction initially but front-loaded and the tooling improves the more people use it.

Civically: donate to the organisations doing the legal and legislative work. The Electronic Frontier Foundation, the Electronic Privacy Information Center and Fight for the Future in the US; Privacy International, Big Brother Watch and the Open Rights Group in the UK and EU; Digital Rights Watch in Australia. These groups file the amicus briefs, write the model legislation and run the public-comment campaigns that actually move policy. They are perpetually under-resourced.

Politically: show up to the consultations. Central-bank digital currency proposals are currently under public comment in the US (the Federal Reserve), the EU (the digital euro), the UK (the digital pound) and Australia (the eAUD pilots) and the design choices being made now (whether transactions are visible to the issuer, whether holdings are capped, whether offline use is supported) will shape what digital money looks like for a generation. The Fourth Amendment Is Not For Sale Act in the US, cash-acceptance legislation in your state or country and the financial-data carve-outs in GDPR-equivalent privacy law are all live targets. Write to your representative. Submit a comment. The consultations are dominated by industry lobbyists by default and a few thousand citizen submissions visibly move the dial.

The panopticon need not be the norm

The cafe in Melbourne is a small thing. Xinjiang is a big thing. They are not equivalent, but they are connected. Both enforce blind acceptance of the same normative idea, a financial panopticon: the assumption that the natural state of a financial transaction is to be logged, attributed to a named individual, retained indefinitely and made available (through data sharing, subpoena, sale, voluntary disclosure, or breach) to people the payer never chose to share it with.

This panopticon is relatively new. The Bank Secrecy Act laid the foundation in 1970, the Patriot Act turned it into a permanent dragnet in 2001. Things that seem wierdly invasive to a Boomer feel second nature to Gen Z and you cannot miss what you have never known. As technology increases in ability, retaining privacy in payments and communication becomes one of our few checks on power available to us as individuals. The boring but crucial version of this fight is to keep cash alive as a normal way of paying for things. Not because every transaction is sensitive, but because a society in which privacy is available only to people with something specific to hide is a society in which privacy has already been lost.