In the second part of her overview of internet commerce, Joanna Mancey looks at the problems of encryption.
“The single biggest trade barrier to internet commerce…is the US Administration’s policy restricting the export of encryption software. Without secure authentication and confidentiality, the internet cannot thrive,” said Bernard Vergnes, chairman of Microsoft Europe, speaking in Bonn in July. While the US declaration nominally favors allowing free market forces to dictate security policy on the internet, the US Government currently forbids the unconditional export of high levels of encryption technology, above 40-bit. Free export of encryption technology, it says, could create a haven for criminals and terrorists.
Today the most commonly exported encryption standard is the SSL protocol, developed by Netscape and supported by web browsers from both Netscape and Microsoft. The fact that it uses only 40-bit encryption, however, means it is far from secure. The only ‘unbreakable’ encryption standard is 128-bit encryption but, to date, the US only allows banks and ‘approved’ organizations to use it overseas, mostly with the proviso that the Government be given the recovery key to ‘unlock’ the transaction if it wishes. This has effectively created divisions on the internet: while some transactions are secure, others are not.
Within and beyond the US, there is opposition to this situation. The Security and Freedom through Encryption Act is seeking to eliminate restrictions on the use and export of encryption technologies. Although it is receiving widespread backing, encryption enthusiasts say it has a long way to go before it is passed into law. On a similar note, a US proposal to create an international key escrow system, the Electronic Data Security Act of 1997, to allow law enforcement agencies to eavesdrop on the internet also came in for widespread opposition earlier this year, being rejected by the OECD. A similar proposal put forward in the UK by the Department of Trade and Industry was also thrown out.
Despite all the conflict over encryption levels and the rights of governments to monitor internet traffic, the reality is that most web sites do not use encryption. A study late last year by O’Reilly and Associates found that only 10% of web sites use encryption, and only 5% of those use verification procedures, suggesting that the majority of companies are a long way off being ready for secure internet commerce. Part of the problem is that the decision of governments to stay out of setting standards has led to a confusing array of competing protocols. On top of SSL and SET, the secure electronic trading standard being used for online credit card purchases, there are dozens of other internet security efforts including systems backed by Hewlett-Packard, Intel, and American Express. According to Dean of EEMA, the limitations are, however, political. The internet could become secure within a year, he says.
Creating a secure environment for commerce on the internet, however, will require more than just improved procedures and techniques. At the unveiling of the US framework for electronic commerce, Bill Clinton said, “In many ways electronic commerce is like the Wild West of the global economy. Our task is to make sure that it is a safe and stable terrain for those who wish to trade on it.”
His aim, he said, is to modify the law to support trade over the internet and to put this into practice by January 1, 2000. Europe too is aware of the need to update contract law to create a legal framework which can be applied to electronic transactions. Such measures, it says, must include government recognition of digital signatures and documents, and the creation of dispute mechanisms. These issues are complex, and vary considerably, not only from country to country but from industry to industry. For this reason, says Bonn, the future legal framework should be based on general principles of law, not on sector-specific legislation. In the meantime, governments are advising that goods ordered over the internet are subject to existing legislation for cross-border commerce and responsibility rests with participants to observe the law of their own countries.
One of the most pressing legal issues is ‘cyber notaries’. At the moment, there is nobody to check the certification agencies which hand out the digital signatures designed to prove the identities of traders. This creates a grey area when it comes to financial transactions on the web. Although banks usually shoulder the burden when they cash a forged paper check, does this apply to digital checks? In the absence of a generalized legal framework, various state governments are drafting their own, to regulate certification authorities and add a legal backbone to the issuance and the management of digital certificates. But, warn lawyers, letting every state impose different requirements would be like forcing consumers to carry multiple credit cards.