In the second part of her overview into internet commerce, Joanna Mancey looks at the problems of encryption.
The single biggest trade barrier to internet commerce…is the US Administration’s policy restricting the export of encryption software. Without secure authentication and confidentiality, the internet cannot thrive, said Bernard Vergnes, chairman of Microsoft Europe, speaking in Bonn in July. While the US declaration nominally favors allowing free market forces to dictate security policy on the internet, the US Government currently forbids the unconditional export of high levels of encryption technology, above 40-bit. Free export of encryption technology, it says, could create a haven for criminals and terrorists. Today the most commonly exported encryption standard is the SSL protocol, developed by Netscape and supported by web browsers from both Netscape and Microsoft. The fact that it uses only 40-bit encryption, however, means it is far from secure. The only ‘unbreakable’ encryption standard is 128-bit encryption but, to date, the US only allows banks and ‘approved’ organizations to use it overseas, mostly with the proviso that the Government be given the recovery key to ‘unlock’ the transaction if it wishes. This has effectively created divisions on the internet, while some transactions are secure, others are not.
Secure encryption
Within and beyond the US, there is opposition to this situation. The Security and Freedom through Encryption Act is seeking to eliminate restrictions on the use and export of encryption technologies. Although it is receiving widespread backing, encryption enthusiasts say it has a long way to go before it is passed into law. On a similar note, a US proposal to create an international key escrow system, the Electronic Data Security Act of 1997, to allow law enforcement agencies to eavesdrop on the internet also came in for widespread opposition earlier this year, being rejected by the OECD. A similar proposal put forward in the UK by the Department of Trade and Industry was also thrown out. Despite all the conflict over encryption levels and the rights of governments to monitor internet traffic, the reality is that most web sites do not use encryption. A study late last year by O’Reilly and Associates found that only 10% of web sites use encryption, and only 5% of those use verification procedures, suggesting that the majority of companies are a long way off being ready for secure internet commerce. Part of the problem is the decision of governments to stay out of setting standards has led to a confusing array of competing protocols. On top of SSL and SET, the secure electronic trading standard being used for online credit card purchases, there are dozens of other internet security efforts including systems backed by Hewlett-Packard, Intel, and American Express. According to Dean of EEMA, the limitations are, however, political. The internet could become secure within a year, he says. Creating a secure environment for commerce on the internet, however, will require more than just improved procedures and techniques. At the unveiling of the US framework for electronic commerce, Bill Clinton said, In many ways electronic commerce is like the Wild West of theGlobal economy. Our task is to make sure that it is a safe and stable terrain for those who wish to trade on it. His aim, he said, is to modify the law to support trade over the internet and to put this into practice by January 1, 2000. Europe too is aware of the need to update contract law to create a legal framework which can be applied to electronic transactions. Such measures, it says, must include government recognition of digital signatures and documents, and the creation of dispute mechanisms. These issues are complex, and vary considerably, not only from country to country but from industry to industry. For this reason, says Bonn, the future legal framework should be based on general principles of law, not on sector specific legislation. In the meantime, governments are advising that goods ordered over the internet are subject to existing legislation for cross-border commerce and responsibility rests with participants to observe the law of their own countries. One of the most pressing legal issues is ‘cyber notaries’. At the moment, there is nobody to check the certification agencies which hand out the digital signatures designed to prove the identities of traders. This creates a grey area when it comes to financial transactions on the web. Although Banks usually shoulder the burden when they cash a forged paper check, does this apply to digital checks? In the absence of a generalized legal framework, various state governments are drafting their own; to regulate certification authorities and add a legal backbone to the issuance and the management of digital certificates. But, warn lawyers, letting every state impose different requirements would be like forcing consumers to carry multiple credit cards.
Privacy issues
More complicated still are consumer privacy issues. Europe, the US, Canada and Japan have each taken slightly different approaches to regulating the collection and processing of personal data. The German Government has gone the furthest, introducing a bill that requires any data collected by an ISP during an internet communication to be erased immediately after deconnection. German content providers are also obliged to censor illegal content on their services. The European Commission is also taking a tough privacy stance, threatening to enforce an outright ban on the flow of personal data outside of the European Union if others do not mirror its approach. Thomas Smedinghoff, chairman of the Electronic Commerce division of the American Bankers Association recommends that, to stay within the law, banks and other organizations keep the same verification information in electronic format as is kept on paper. But, he says, records must be backed up constantly and access to them must be limited to ensure security. The enormity of these issues is daunting for governments. We must work for an international commercial code to simplify and encourage electronic commerce under consistent rules and rights, urges William Daley, US Secretary of Commerce. In reality, little has been done towards this aim. Following the Bonn conference, ‘A Borderless World’ event is being held in Canada in 1998. But in ‘internet time’ that will be two decades from now.
Content from our partners
