Subscribe

Building trust in the e-economy

In part two of ITWeb`s look at the E-Commerce Green Paper, Phillip de Wet examines building trust in the digital economy. Could security and privacy concerns be the ultimate legislative stumbling block to pervasive e-commerce?
By Phillip de Wet, ,
Johannesburg, 08 Feb 2001

In November last year, the Department of Communications launched the Green Paper on E-Commerce, a discussion document intended as the foundation of a white paper and eventual legislation.

Although debate around the form and extent of required legislation is heated and diverse, there is general consensus that regulation can play an important role in promoting not only electronic commerce, but also electronic government and a society that is less dependent on paper bureaucracy.

Arguments can be divided between two broad interest groups, which are not necessarily mutually exclusive. On the one hand are those who want legislation to focus on consumers and their protection, on the other those who want rules that make the Internet more accessible and profitable to business.

Intended as a basis for informed and structured debate, the Green Paper is constructed around short explanations of factors found relevant to e-commerce legislation and regulation, followed by specific "questions for policy consideration".

The Green Paper focuses exclusively on e-commerce, but after 16 months of discussions and working groups it became abundantly clear that e-commerce cannot be separated from Internet access issues and the sociological impact of an increasingly electronic society.

Main topics

The final Green Paper was therefore divided into four main topics:

  • Legal and regulatory issues
  • Building trust in the digital economy
  • Access, infrastructure and enabling technologies
  • Maximising the benefits: Economic and social impacts

(For more details on the format of the Green Paper and its first theme - legal and regulatory issues - see part one of this series, E-commerce: The quest for answers commences, and ITWeb`s coverage of the Green Paper launch.)

The second theme is covered in two chapters. The first, Security and Privacy, poses questions on establishing the integrity, authenticity, confidentiality and non-repudiation of information and transactions, as well as legal and technical ways of ensuring privacy. The second, Consumer Protection, covers safeguards for buyers and measures for dispute resolution between buyer and seller.

"The growth and development of electronic commerce relies primarily on building the confidence of the consumer, business and government in the e-commerce environment," the paper reads in its introduction to the topic. "Security measures used in conventional commerce may not be adequate to provide trust in the electronic economy."

Digital signatures

The paper leans towards suggesting using public key infrastructure (PKI), a combination of public and private encryption keys, to establish legal digital signatures. Yet it expresses reservations and raises the spectre of cryptography used to "hide trans-border criminal activities and threaten national security". Controlling the distribution and strength of allowed encryption in turn raises issues of privacy and freedom of communication.

In July last year, former US president Bill Clinton signed into law a bill making electronic signatures legally binding in the US. Britain, Ireland and Canada are among other countries working on similar laws.

However, the so-called e-sign bill had a bumpy ride through the American legislature. The final version was a compromise, with notices such as warnings of power and water cuts as well as court orders excluded on the one side, and onerous customer consent obligations resting on businesses excluded on the other.

Johan Coetzee, a partner in the commercial division of Hofmeyr Herbstein & Gihwala attorneys working in the e-commerce field, points out that many contracts concluded over the Internet may already carry legal weight, as South African law recognises verbal contracts as binding.

"There are at least four areas of everyday law which require written and signed documents," he says. "Where land is concerned, in credit agreements, with suretyships, and wills and testaments.

There are at least four areas of everyday law which requires a written and signed document.

Johan Coetzee, partner, Hofmeyr Herbstein & Gihwala

However, he says parties usually agree to written and signed contract documentation to make dispute resolution easier if a matter comes to court.

He also points out that trusted third-parties, in the form of notaries or commissioners of oaths, are already used to authenticate real signatures, much as certification authorities (CAs) are used to authenticate their digital cousins.

"If a document has to be used in a SA court, it can be signed in a foreign country before a notary and be validly used in the local court. It is about independence. I know that a notary in Britain is probably an unrelated and objective party to such authentication."

Coetzee estimates that 77 or more different SA statutes will be impacted by digital signatures, ranging from cheque regulation to the registration of deeds, and says changing all of these may be rather difficult and could take a substantial amount of time to achieve.

"Personally, I feel it might be better to establish one act to make provision for digital signatures and establish the general principles. Other acts can then be adapted or amended gradually." He also foresees that some areas, like the four areas which specifically require documentation, may initially be excluded from such legislation.

Certification authorities

The Green Paper assumes that effective certification requires trusted third-party CAs. The option of formal government licensing of such CAs, or allowing self-regulation without official endorsement is identified as one of the main policy areas to be addressed.

"A licensing regime would obviously offer strong reassurance to the public that [the] licensed CA is reliable and responsible," it reads. "The opposing view contends that the hierarchy of licensing government certification and industry CAs could stifle e-commerce development."

Instead, it recommends a hybrid - a voluntary but statutory framework that allows users to choose whether they can rely on non-approved CAs. However, the validity of certification by non-approved entities will not necessarily carry the same weight as those from their endorsed counterparts.

"Users of approved service providers would also benefit from the assurance that their electronic signatures would likely be given legal effect throughout the country," the paper reads.

A root government certification authority and a joint public/private authority are among the options raised for officially certified certification.

The SA Certification Authority (SACA) says it would welcome any form of licensing and guidelines as well as a root level government authority.

The more certificates are applied in our everyday lives, the more the market grows and people use the Internet with trust.

Gerda Venter, acting MD, South African Certification Authority

"I can`t say whether mandatory or voluntary licensing would be best, but licensing would help the public and enterprises know that they are dealing with a trusted company that has been audited on its policies and procedures," says SACA acting MD Gerda Venter.

She does not believe that fly-by-night certification would present a problem, saying a processing centre represents a hefty investment, but adds that some basic guidelines would be positive, if not too strict and inflexible.

Venter also sees definite advantage in a government CA rather than competition to private organisations.

"If the government has a root CA to issue citizen-type digital IDs for use in government transactions, that can be cross-certified to other CAs for other purposes," she says. "The more certificates are applied in our everyday lives, the more the market grows and people use the Internet with trust."

Michael Horn, GM of AST Security Management, says his organisation would approve of CA guidelines and a licensing regime built around such policies.

"PKI is approximately 30% about technology and the rest is policies and procedures," he says. "If there is a best practices framework built into licensing with an annual review, then it would be a good idea. But not if it`s just an idea for the government to make money."

He also sees no reason why government should not establish a root CA, saying a system of cross-certification could solve interoperability problems while increasing overall trust in the system.

Crime and encryption

The Green Paper identifies a knifepoint balancing of privacy rights and guarantees against the need for covert electronic surveillance. The need for crime control and national intelligence agencies to monitor certain types of communication is recognised in South African law, but according to the paper, the right to freedom of expression extends to both the production of cryptography products and their use.

"Cryptography policy must be assessed against costs and benefits in terms of basic human rights, commercial interest, public security and crime prevention," it says.

Should cryptography key escrow be enforced by law, or should the government outlaw strong cryptography?

The paper defines so-called cybercrimes as "illegal acts, the commission of which involves the use of an electronic system, networks, technologies and devices such as the telephone, microwave and satellite".

It recognises that restricting access to strong encryption could leave consumers and companies open to criminal attack, and also acknowledges international trends towards full liberalisation of the field.

It cites recommendations by the Working Group on Security and Privacy that legislation be passed to force anyone holding encryption keys to release them under a court-issued warrant, but that key escrow or key recovery not be legally enforced due to the complexity and vulnerability of such systems.

It is like lodging the key to your house with the police station in case they want to search it sometime.

Piet Opperman, head, Information Security Institute of South Africa

Piet Opperman, head of the Information Security Institute of South Africa, agrees, and says the institute is absolutely against either escrow or watered-down cryptography.

"It undermines trust," he says. "It is like lodging the key to your house with the police station in case they want to search it sometime."

While he acknowledges the problem law enforcement agencies face, he says weak cryptography will solve nothing. "You will have a situation where the only people with strong cryptography will be crooks. We are against any form of control."

Gerhard Claassen, technology group manager for cryptography in the research and development division of Prism Holdings, agrees that neither recovery or escrow are viable options.

"The massive deployment of key recovery infrastructures to meet law enforcement`s specifications will require significant sacrifices in security and convenience, and substantially increased costs to all users of encryption," he says. "Building the secure infrastructure of the breathtaking scale and complexity that would be required for such a scheme is beyond the experience and current competency of the field, and may well introduce ultimately unacceptable risks and costs."

AST`s Michael Horn says products already on the market make it possible to recover backed up cryptography keys without using a central government repository when the owner is unwilling to relinquish it.

"Escrow takes on a different meaning in terms of these technologies," he says. "You could enable with these products that a number of administrators would have to be present to recover a backed-up private decryption key."

Although no precedent exists, current evidence and obstruction of justice laws could already require administrators with such power to assist law enforcement under a judicial warrant.

Privacy protection

Chapter eight of the Green Paper deals with possible legislation needed to protect consumers against unsolicited goods and communications, illegal goods such as pornography, a lack of information about transactions and the risk of online privacy invasion.

"Any consumer, regardless of whether he or she is a South African or a foreigner, who accesses a commercial Web site, should feel comfortable dealing with any South African supplier of goods or services," it says. "This presents South African business with an opportunity to establish a reputation for sound e-commercial practices, not only locally or with the SADC [Southern African Development Community] but also worldwide."

As examples of international legislation, the paper cites European Directive provisions on distance contracts and consumer protection principles proposed by the Australian National Advisory Council on Consumer Affairs.

These call for, among others, prior information, written confirmation and the right of withdrawal for contracts entered into over a distance, as well as protection from inertia selling and the establishment of industry monitoring bodies.

However, while such principles may fall outside specific e-commerce legislation, the paper interprets the protection of private data online as its domain.

While privacy of communication is dealt with under the encryption topic of the paper, the gathering of private information through the Internet is also identified as an important issue for future legislation. Specifically named are tools such as Web site cookies and customer relationship management tools, designed with the express purpose of collecting consumer data.

Organisation of Economic Cooperation and Development guidelines on the protection of privacy and trans-border flows of personal data, also quoted in the document, establishes eight principles of protection:

  • Collection limitation principle: Data should only be collected by lawful and fair means with user knowledge or consent.
  • Data quality principle: Personal data gathered is required to be relevant to the purpose for which it is to be used.
  • Purpose specification principle: The purpose of data collection should be stated and subsequent uses limited to that purpose.
  • Use limitation principle: Data should not be disclosed unless for a purpose specified in the previous principle or by consent.
  • Security safeguards principle: Data should be protected by reasonable security measures.
  • Openness principle: Means should be put in place for consumers to establish what data about them is held, what it is used for, and what the identity of the controller is.
  • Individual participation principle: Individuals should be able to determine what data about them is held, and such data should be made available for examination. Individuals should be able to challenge data and a successful challenge should lead to data being rectified or erased.

Direct marketers will have to understand that there are a lot of things in life you want but can`t have.

Michael Judin, chairman, Direct Marketing Association

As different European Union members have recommended different approaches to implementation of these principles, the paper suggests that a database be set up for South African businesses to determine which practices are required in different countries.

The paper discounts self-regulation for the Internet industry as far as privacy matters go, saying that those complying with non-mandatory regulations would be at a disadvantage to the less scrupulous operators who do not.

Michael Judin, chairman of the Direct Marketing Association and attorney with Goldman - Judin, disagrees, and says self-regulation has proven successful in other fields.

"Look at the Advertising Standards Authority [ASA]. It operates with no statute, and people use it instead of the courts because it is faster and has better outcomes.

He believes direct marketers are accepting that, despite its obvious attractions, information gathered surreptitiously on the Internet is not fair game.

"Direct marketers will have to understand that there are a lot of things in life you want but can`t have. You will only be able to use information people want you to have and which is gathered lawfully."

Judin believes privacy will be the single issue that dominates the Internet field for many years to come, and that an ASA model may not be sufficient. Instead, he suggests a hybrid of legislation and self-regulation, with the Johannesburg Stock Exchange (JSE) as example.

"You can have self-regulation within a statutory environment, where you have laws but enforcement is done by the industry." As a regulator with teeth, he says, the JSE committee has proven that such a system can be effective in imposing the severe penalties needed to keep players in line.

Judin describes the current privacy legislative framework as "totally and utterly inadequate" and warns that it presents a major hurdle in doing electronic business, especially with the European Union.

He proposes three separate but interlinked pieces of legislation: a consumer protection law, a distance selling law, and a privacy law, saying that although there will be common threads within these, a single law will become unwieldy and unmanageable.

He also warns that the issue is extremely urgent.

"There is great pressure on government, with many pieces of legislation required, but privacy is just not a postponable issue."

Glossary of relevant terms

The following is a selection of terms relevant to security, privacy and user protection, as contained in the glossary section of the Green Paper. These definitions are likely to form the basis of legal definitions in subsequent legislation if left unchallenged.

  • Authentication: A mechanism of using information resources to verify the claimed identity of a party to a transaction or an entity involved in a transaction.
  • Authorisation: An authentication process whereby predetermined rights, including access to information resources, are granted to users or entities.
  • Confidentiality: Reasonable assurance that online or stored data cannot be viewed and interpreted by any person other than an authorised one.
  • Certification Authority: A secure third-party organisation or company that issues digital certificates used to create digital signatures and public key pairs. Certificate authorities guarantee that the two parties exchanging information are really who they claim to be.
  • Certificate: A certificate is a public key that has been digitally signed by a trusted authority to identify the user of the public key. SET [secure electronic transaction] uses certificates to encrypt payment information, for example.
  • Cryptography: Practice of digitally "scrambling" a message using a secret key or keys.
  • Digital signature: Digital codes that can be attached to an electronically sent message to uniquely identify the sender.
  • Encryption: The coding of data for the purpose of security or privacy.
  • Integrity: Reasonable assurance that stored or online data which [reaches] its intended destination without being modified in any unauthorised manner. [All current versions of the Green Paper, both physical and electronic, contain this intelligible definition. It is assumed that "which" has been substituted for "reaches".
  • IP address: The address which all computers and Web sites have to have on the Internet.
  • Public key cryptography: This encryption method requires two unique software keys for decrypting data, one public and one private. Data is encrypted using the published public keys and the unpublished private keys are used to decrypt the data.
  • Personal data: Any data which refers to an identified or identifiable individual, which is not otherwise readily available via a public source(s).
  • Repudiation: When a customer in a credit card transaction denies having been a party to that transaction.
  • Smart card: Card containing memory and a microprocessor, that can serve as personal identification, credit card, ATM card, telephone credit card, critical medical information record and as cash for small transactions.
  • Virtual private network (VPN): A VPN is a part of the public Internet to which access is controlled by firewalls and secure tunnels to enable private and secure use by authorised users.

Related stories:
Clinton signs digital signature law

Featured companies:

AST Security Management
Department of Communications
Direct Marketing Association
The E-Commerce Debate
Goldman-Judin Attorneys
Hofmeyr Herbstein & Gihwala Attorneys
Information Security Institute of SA
Miraculum
Prism Holdings
SA Certification Authority

Share