The internet has been around for decades. It has grown from a few mainframes linked together to serve the academic community into an "information superhighway" that spans the whole world, linking millions of users. The business community is becoming aware of the potential of the internet.
An ultimate dream is to be able to rely totally on the internet as a medium for conducting business deals: the process of negotiation, discussion and entry into agreement. Given the current size of the internet and the level of technology available, this is achievable. However, one thing that limits the realisation of this dream is the concern about security on the internet.
Security is a multi-dimensional problem. But the core technology that facilitates internet commerce is already here: encryption. Encryption is absolutely critical to the success of internet commerce. Without the freedom to choose and develop encryption technology, internet commerce will be prevented from exploiting its full potential. Consequently, encryption technology should not be dominated or controlled by the government.
This thesis is addressed in this paper. First, this paper outlines the nature of the problem, and explains the nature and function of encryption in the context of commercial transactions. Second, the significance of encryption in internet commerce is explored further by examining its roles in terms of authentication, integrity and non-repudiation. Then the rationales for the thesis are canvassed.
The internet is essentially an open system. The very method which enables it to seamlessly interconnect different systems and users becomes the cause of the problem. Information, in the form of packets, is bounced through dozens or hundreds of routers, through numerous computers, organisations and countries before it reaches the intended destination. On this journey the message passes through parties that the sender does not know, and hence naturally does not trust. The data passing through the net could too easily be intercepted, sniffed or scanned, without the recipients knowing about it.
Doing business in such a context, where sensitive information could be read by an unlimited number of people, is unthinkable. Additionally, the electronic medium means that fraud can be easily committed, in that the bits and bytes that make up messages can be easily copied or transformed. The contents of documents can be altered, the identity of senders can be faked, and so forth.
Cryptography has been used by government secret agencies to hide the content of messages for decades. Modern crypto codes are for all intents and purposes not economically breakable, in the sense that the cost of breaking them would probably exceed the value of the information contained within. Indeed, nowadays, it is arguable that electronic encryption provides more security than the paper environment.
With the advances in computer technology, cryptography is now economically available to the average PC user. This means that encryption technology has become a viable means to solve the problems posed above. In particular, public key cryptography provides a neat technological solution. Public key cryptography satisfies the four important criteria for viable internet commerce: (i) data confidentiality, (ii) authentication, (iii) data integrity and (iv) non-repudiation.
While the function of confidentiality is often discussed and stressed by people advocating privacy and personal liberty and freedom of communication, the other elements receive much less attention and emphasis. It is submitted that these other functions of cryptographic technology (particularly data integrity and non-repudiation) are equally important, if not more so, in the context of internet commerce.
This is not to say that confidentiality has no role in internet commerce. The open nature of the system means that deals cannot be done in the confidential environment that is often critical in business deals. A leak of secret negotiation details could lead to consumer opposition or to counter-attack by competitors. Encryption is needed to stop this:
"... as more and more people conduct their affairs through computer networks, encryption helps erect a wall of privacy around communication that are otherwise exposed."
Enough, however, has been said on confidentiality on the internet by numerous commentators. It is sufficient to note that confidentiality is very important for proper internet commerce to take place.
Public key cryptography is seen as the fundamental building block of the information infrastructure. It is integral to the success of internet commerce. This part explores this critical role.
In a business relationship each party needs to have some assurance that the other party is the genuine party. In real-life, face-to-face business deals, authentication does not pose much of a problem, largely because the person is physically there. In cases where there are doubts, the person's identity can be verified by relatively simple means. The electronic and non-physical medium of the internet complicates the situation. While traditional authentication mechanisms work to some extent in the new electronic medium, they all fail in one important respect: in an electronic arena the unique identification traits can too easily be copied and used by unauthorised persons. Fraud is too easy to commit.
Therefore, on the net a more secure and foolproof technology is required. Public key cryptography provides an answer. Because a message encrypted by a person's private key can only be decrypted by that person's public key, the recipient can be sure that the message originated from that person. It is true that the public key alleged to be from a particular person can be faked, but this problem can be alleviated by the use of a Certifying Authority (CA). A CA is basically a trusted organisation that issues certificates on behalf of others, proving they are who they say they are. A crude analogy is that it is like a `digital' ID card.
As mentioned above, the nature of electronic technology is that messages can easily be faked and changed. Business cannot be properly conducted given such possibilities. The uncertainty as to whether the message is genuine is too great. Businesses require data integrity; they want to be sure that there is little or no possibility that the information has been tampered with during transmission or while in storage.
Once again, the use of cryptographic techniques in the form of digital signatures provides a solution. A digital signature is essentially a unique string of characters that bears a mathematical relationship to the data contained within the document. Any change in the content of the document means that the signature will not verify.
Business or commercial deals depend to a large extent on certainty. In real life, when people enter into a deal (e.g. by signing a contract), they are certain that it is binding and that the terms are as written in the documents. This certainty is supported not only by age-old common law contractual principles, but also by the Statute of Frauds, which imposed the writing and signature requirement as protection.
If business-to-business transactions are to move successfully onto the internet, a similar assurance needs to be present. However, on the internet, an important problem immediately arises: the contents of the electronic document can be easily altered, and the other party can deny they have entered into the agreement. A simple document is not adequate.
A pertinent issue here is how to make sure the terms alleged by the parties are in fact the terms that they have previously agreed upon via the internet. There may well be written documentation, in electronic form, that substantiates the deal. But the germane problem is that the so-called written terms transmitted via email or ftp are not as foolproof as black and white ink on paper; the electronic bits and bytes that constitute the terms can be altered! The consequence is that a party could easily go back on their word, saying that they never made the agreement, or that they agreed on different terms; and the worst thing is that they would have the `document' (altered or manufactured, of course) to prove their claim. Commerce under this scenario would be a nightmare, and any contract would be downright unenforceable in law because of uncertainty as to the terms.
With cryptography the solution is simple and elegant: sign the document using a digital signature. Now the content of the document cannot be tampered with unnoticed (data integrity) and the identity of the party is assured. Thus, it prevents the document's originator from denying the existence or origin of the document, by proving that a particular person is the only possible originator of the document.
In a situation where the time of a business deal is significant, a time stamping technique can be adopted to cure the inability of a digital signature alone to provide time-related non-repudiation. This prevents a party from denying entry into a deal at a particular time.
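The signing, tamper detection and time stamping described in the preceding paragraphs can be seen in a short program. This is an added example, not part of the original paper: the contract text, the dates and the time stamping party are constructed for illustration, and Ed25519 (via Node.js's built-in crypto module) is an assumed choice of signature algorithm, since the paper names none.

```javascript
const { generateKeyPairSync, sign, verify, createHash } = require('crypto');

// Constructed sample contract text (not from the original paper).
const CONTRACT =
  'Seller agrees to supply 500 units at $12.00 each, delivery within 30 days.';

// Each party holds a key pair; Ed25519 is an assumed algorithm choice.
function makeParty() {
  return generateKeyPairSync('ed25519');
}

// Only the holder of the private key can produce this signature.
function signDocument(text, privateKey) {
  return sign(null, Buffer.from(text, 'utf8'), privateKey);
}

// Anyone with the public key can check the document against the signature.
function verifyDocument(text, signature, publicKey) {
  return verify(null, Buffer.from(text, 'utf8'), publicKey, signature);
}

// Digest that ties a time stamp to one exact document and one exact signature.
function digestOf(text, signature) {
  return createHash('sha256').update(text, 'utf8').update(signature).digest('hex');
}

// A hypothetical time stamping party signs (digest, time) with its own key,
// so the signer cannot later claim the deal was made at a different time.
function issueTimestamp(text, signature, time, stamperPrivateKey) {
  const token = JSON.stringify({ digest: digestOf(text, signature), time });
  return { token, tokenSig: sign(null, Buffer.from(token, 'utf8'), stamperPrivateKey) };
}

// Returns the attested time, or null if the token is forged or does not
// belong to this document and signature.
function verifyTimestamp(text, signature, stamp, stamperPublicKey) {
  const tokenOk = verify(null, Buffer.from(stamp.token, 'utf8'),
                         stamperPublicKey, stamp.tokenSig);
  if (!tokenOk) return null;
  const { digest, time } = JSON.parse(stamp.token);
  return digest === digestOf(text, signature) ? time : null;
}

function demo() {
  const seller = makeParty();
  const impostor = makeParty();
  const stamper = makeParty();

  const sig = signDocument(CONTRACT, seller.privateKey);
  const altered = CONTRACT.replace('$12.00', '$21.00'); // one term changed
  const stamp = issueTimestamp(CONTRACT, sig, '1996-05-01T09:00:00Z',
                               stamper.privateKey); // constructed date

  return {
    genuine: verifyDocument(CONTRACT, sig, seller.publicKey),      // integrity holds
    altered: verifyDocument(altered, sig, seller.publicKey),       // tampering detected
    wrongKey: verifyDocument(CONTRACT, sig, impostor.publicKey),   // origin not faked
    stampedAt: verifyTimestamp(CONTRACT, sig, stamp, stamper.publicKey),
    stampOnAltered: verifyTimestamp(altered, sig, stamp, stamper.publicKey),
  };
}

console.log(demo());
```

The check that the seller's public key really belongs to the seller is outside this sketch; that is the role the paper assigns to the Certifying Authority.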
It is all very well to claim that cryptographic techniques can provide authenticity, integrity and non-repudiation. But a question that arises is whether, and to what extent, such evidence is acceptable in a court of law. A brief outline of the legal significance of encryption technology is offered. Cryptographic technology serves as a solid foundation for establishing that business deals conducted on the internet are legally binding and enforceable. This is so for a number of reasons. First, it contributes towards the admissibility of evidence. In Australia, under the uniform Evidence Act 1995, the initial criterion for admitting evidence is relevance. So far as electronic documents are concerned, there is a need to establish that it is reasonably open to the court to find that the computer system does what is claimed for it. In other words, the integrity and security of the system are highly important and need to be demonstrated. It is submitted that the use of public key cryptography supports such a positive finding because of what it is capable of doing.
Second, messages or documents that are subjected to the cryptographic techniques mentioned previously provide the evidence needed to establish and prove the existence of the deal. And, importantly, such evidence is difficult to challenge. To prove that a deal is valid and binding, one needs evidence on: (i) proof that the electronic communication actually comes from the party that it purports to come from; (ii) proof of the actual content of the transaction; (iii) proof that there is little or no possibility that the content of the electronic record of the transaction has been deliberately or inadvertently altered. The ability of encryption to provide authentication, data integrity and non-repudiation permits the establishment of these facts.
While the validity and legally binding status of digital signatures is not known in Australia, there is no reason for not treating them like conventional paper signatures. If anything, the digital signature is even more secure. Indeed, the strength of such evidence is given recognition in Utah, USA, where the Digital Signature Act 1995 set up the law and administrative mechanism to accommodate the validity of digital signatures. Under the Act, a document signed by a person's digital signature is presumed to be signed by the person owning the relevant private key.
Overall, it is fair to say that encryption makes electronic documents more reliable as evidence. The safeguard provided by cryptographic techniques can prove the existence and origin of the substantive terms of the business deal beyond any doubt, thus making it more likely than not that business deals committed entirely on the internet would be binding and enforceable. This confers certainty on business conducted on the internet.
People and businesses have so far remained fairly reluctant to embrace and adopt the internet fully for business-to-business transactions. A fundamental barrier is that people do not trust the system. If businesses do not trust the system, then it is not likely to be used where conventional methods still work.
It must be stressed that this is but a perception. The reality of the situation is that the current technology is sufficiently robust and secure, perhaps even more so than conventional ways of conducting business transactions and deals. Even without encryption technology, a transaction on the internet is no more dangerous than giving one's credit card number over the phone. People feel insecure because people are naturally scared of the unknown and because there are no apparent `locks'; and the media exposure of security breaches on the internet compounds this negative sentiment.
This distrust is highly damaging to internet commerce. Business relationships are essentially built on trust, whether business is conducted in person, by phone, or electronically. In real life, trust is established over time and with the assistance of legal and commercial infrastructures, e.g. banking mechanisms, laws dealing with contracts, etc. It is these infrastructures that give businesses confidence in the current system.
It is submitted that the use of encryption technology helps establish the confidence and trust needed for commerce to propagate on the internet. Encryption brings about a sense of order and certainty in internet commerce. As people come to understand encryption technology, the myth of insecurity on the net will quickly be shattered. The effect of the enhanced confidence is that the popularity of the internet as a means of doing business also increases.
The significance of encryption cannot be emphasised enough. In the previous part this paper has already established that encryption contributes significantly to the proliferation of internet commerce. This part further submits that, because of its significance, people or businesses should be free to choose and develop cryptographic technology.
It is acknowledged that law enforcement and national security bodies do have legitimate concerns. With the advent of encryption they could effectively be locked out: "computers and telecommunications systems would become safe havens for criminal activity." This would open the door for tax evasion, money laundering, espionage, contract killings, and an unlimited number of other illegal or illicit activities.
This type of argument has been used to justify government control of cryptographic technology. For example, recently the US Government sponsored a Key Escrow system, Clipper, for encrypting messages and transactions. And then there is the US export ban on strong encryption products.
The concern here is that there is a tendency for the government to impose control on encryption standards or the use of encryption technology. While the underlying rationale that law enforcement agencies ought to have access to private communication is legitimate and in the public interest, this kind of mentality tends to point towards more interference from the government. The danger is that, through the excuse of criminal and national security concerns, more and more control is imposed on encryption, resulting eventually in a situation where the government controls directly or indirectly the encryption standards available, or mandates a standard, or `forces' the adoption of a particular standard.
This is not yet the case, but it may happen. If the rationale and motivation behind the Clipper chip and export ban persist, then the move towards true internet commerce could be severely restricted. While encryption can be exploited by criminals, encryption does have a use for law-abiding citizens; and this use for lawful purposes will become more important as internet commerce ripens.
Freedom to develop encryption schemes and standards can produce more and better alternatives. For example, recently there has been a novel method (also using encryption) to generate digital signatures. If the freedom to choose and develop encryption is curtailed, or replaced by government control (direct or indirect), such alternatives would be less likely to be developed. Fewer or no alternatives will be available. This is detrimental because security measures require continuous development: "it is an endless journey in which the good people hurry to stay a step or two ahead of the bad people." So by restricting the development and creation of better alternative technologies, criminal elements have a better chance of getting ahead and circumventing the law enforcement bodies. Thus, the very action taken to keep crime under control could paradoxically facilitate new crimes! This may create chaos in the internet system, further undermining the popularity of the internet as a means of commerce.
Moreover, a mandatory standard is financially and economically destructive to the country concerned. A taste of the potential adverse consequences of government control over encryption is evident from the current US practice, which treats strong encryption systems as munitions. This effectively curtails export. At present, such a policy acts as a "significant inhibitor to deployment of a safe, worldwide network infrastructure within which to implement this [electronic] marketplace." US software companies are losing billions of dollars each year because of the current practice. Also, international US banks are unable to implement strong encryption for their overseas transactions. This certainly would not do the banks' competitiveness and reputation any good.
Public key cryptography is said to be a public good. If it is so regarded, then it is arguable that its usage should not be restricted. It is as integral to internet business as air (a public good) is to life on earth. Anyhow, pragmatically, the truth is that the use of encryption in the global information infrastructure would be so pervasive that any attempt to control or restrict the use of encryption would only bring about chaos and impede the development of electronic commerce. Take authentication, for instance: routers will use cryptography to authenticate each other, as will users to other users, programs to users, users to services, programs to hardware and so forth.
Under this scenario it is questionable whether control is possible at all. An independent attempt to control encryption technology by a particular country will only fail and place that country's enterprises at a disadvantage. This is because the interconnectability of the internet requires mutual cooperation for the system to work; a system sanctioned and controlled by one particular country would not be welcomed by others. Unfortunately, cooperation between countries is not likely to be forthcoming given the sensitive political and national security issues involved. And without full cooperation, any control would not be effective because it leaves open avenues to circumvent it.
In a free market, businesses are accustomed to choosing the technology needed for their business. In real life, businesses can choose how to do business and what tools they need for carrying out the business. It is by freely mixing and choosing the different alternatives available that businesses are able to gain competitive advantages. The same principle applies to internet commerce. Cryptographic technology is, in this regard, a tool for conducting business on the internet.
Also, in real life businesses can protect their property; and so in cyberspace, they ought to have the same right to protect their cyber property. Just as people are free to choose locks and alarm systems for their house, by analogy businesses ought to be free to choose an encryption standard (which is like a `lock' in the real world).
Remember, it is important that the users (businesses) feel secure. The mere fact that there is adequate physical and software protection in place (a system mandated or designed by the government may well achieve this) does not automatically translate to a positive feeling of security and confidence. Feeling does not work that way. If businesses could freely choose and develop the cryptographic technology they are going to use, they are more likely to have trust and confidence in the system than where it is forced upon them. This is because where people are unable to choose and evaluate the alternative systems, they are less likely to trust the system. Returning to the analogy referred to above, the fact that people can choose the locks, alarms, and any other security devices for their home makes them feel safe and protected.
Consequently, any attempt by the government to restrict the freedom to choose and develop tends to undermine the confidence and trust enrichment function of encryption technology.
The freedom to choose and develop encryption technology is paramount. As canvassed above, it is counterproductive to have regulations which impose control over the development of encryption technologies and which restrict the choice that people have. This is not to say that the need for law enforcement should be ignored. Facilitating law enforcement and protecting national security is important, but at the same time it needs to be sensitive to the needs of electronic commerce. Moreover, it should be recognised that encryption also benefits criminal investigation:
"... by strengthening the integrity of evidence and binding it to its source, cryptographic tools for authentication are a forensic aid to criminal investigations."
Overall, there is perhaps more to lose by imposing excessive control over the choice and development of cryptographic technologies. However, it is well to keep in mind that encryption is not the be-all and end-all technique. Far from it: it is but one of a whole array of techniques and disciplines that need to be adopted to establish a secure environment for internet commerce.
In recent years the business community has been launching into the internet with unforeseen vigour. However, concern for security still imposes a barrier to relying fully on the internet to conduct business deals. To overcome this concern, it is important that the users (businesses) feel confident about the system. It is only when businesses trust the electronic medium as much as, if not more than, the conventional approach that they will fully embrace the electronic way of making business deals.
This paper submits the proposition that encryption is the key to establishing such confidence and trust in the internet. Any attempt to curtail encryption, or to restrict the freedom of choice or the ability to freely develop encryption technology, will only work to impede the realisation of internet commerce. So far, rigid control or restriction has not emerged; let us hope it stays this way for the sake of the proper development of electronic commerce.
Modified on: 15th March, 1998.
Copyright © 1996-1998 Raymond Yu.