The Electronic Communications and Transactions (ECT) Act, signed into law last week, continues to be controversial. The bumper law`s provisions on the local domain name system and some of the bureaucracy it introduces has not been met kindly in many quarters, and dark rumours of constitutional challenges keep surfacing.
Yet what is seen as the heart of the law, the part that seeks to make online transactions easier and safer and give legal recognition to electronic documents, is not under fire. In fact, it has been warmly welcomed by almost all parties and, in contrast to loud calls for the removal of other sections, it has attracted only muted suggestions for minor adjustments.
When the Act was being considered, it was already abundantly obvious that the Internet presents some unique challenges to doing business. Many of these come down to the nature of the medium; it is a far quicker way to do business entirely on the Internet and distance is largely irrelevant, but the price paid in return is a lack of knowledge about the party at the other side of the connection. Less information than would be natural in real-world transactions breeds mistrust, and mistrust would certainly limit the possible growth of e-commerce.
The government has high hopes that growing Internet use in South Africa will benefit general economic growth and was not about to allow online commerce to be stifled.
At the time other countries, such as the US, had already introduced electronic signature laws that made a digital signature equivalent to its real-world precursors and this was an obvious first step for SA.
It gives credibility and legitimacy to the digital signature process.
Adrian Schofield, president, Information Industry SA
The system the government finally settled on and is now legislated creates two tiers of digital signatures: one which parties in a contract can agree to themselves and requires only that they take due care to see that it is reliable; and a second that has the full weight of the law behind it if accredited by and acceptable to the government.
This, perhaps, is why companies involved in digital signatures and certification are so positive about the new law. The two-tiered approach may be more complex than a one-size-fits-all offering, but it is said to provide flexibility without sacrificing the benefits of an enabling law in the process. "A nice bit of footwork," one observer described it, rare praise for an Act better know for the acrimony it generated.
The government-approved signatures today depend almost exclusively on the use of public-key cryptography, which in turn requires digital certificates to be effective in the real world. And although many Internet users have used such certificates in one way or another, and nearly all have the technology necessary to do so at their fingertips, many are far from using its full capabilities.
If you are not an initiate of the digital certificate world your interaction with them may have been limited to spotting an e-mail marked with a ribbon. You may vaguely remember an icon on your browser when visiting an online banking website or clicking through security warnings on either. Before last week even these messages and data carried as much weight as a telephone call, but the ECT Act has changed that and if it succeeds as hoped you will soon have your own digital signature.
On the Internet nobody knows you are not an 18-year-old girl impersonator
On the Internet, nobody knows you are a dog, the saying goes. This is a good thing when you want to crack a website to make a political statement or want to pretend to be an 18-year-old girl in chat rooms.
Yet on the Internet nobody knows that you are really you, or that a deranged maniac in Albania pretending to be you is not, in fact, you. Neither do you know that anybody else is who they claim to be, or even that a server you are communicating with is what it claims to be. This can be a bad thing when you are trying to conduct e-commerce or want to prevent somebody pretending to be you from claiming that you like pretending to be an 18-year old girl in chat rooms.
Enter encryption, the age-old science that has found its calling on the Internet.
Traditional symmetric cryptography, where the same key is used to encrypt and decrypt a message, presents some difficulty over the Internet. Encryption is needed because the Internet is an inherently insecure network, so how would you transmit the secret key in the first place?
The problem was solved before it existed, with the invention of public-key cryptography in the mid-70s. Also known as asymmetrical encryption or Diffie-Hellman encryption (after its founders) the system is admirably suited to the Internet. It uses two keys that relate to one another in such a way that a message encrypted with one can only be decrypted using the other. Importantly, the possession of one key and a message encrypted with it does not enable you to determine the other key without extreme difficulty.
Such a pair of keys allows the user to publish one as widely as possible on the Internet while keeping the other secret. A message encrypted with the publicised key can only be decrypted by using his secret key, and if he uses his secret key to encode a message anyone decrypting it with the public key can rest assured that he sent it.
In other words, two people using public key encryption can send each other encrypted messages in safety, or a single user can send a publicly accessible message that can attributed to him in safety.
You want to be certain that you have the records; you don`t want to make a mistake
John Giles, Thawte notary, Harty Rushmere McPherson
The former is used to establish secure contact in e-commerce transactions; the latter is the basis for digital signatures, the electronic but harder to fake version of a traditional John Hancock.
However, on the Internet nobody knows that the pair of keys you are using really belongs to you, and if they must trust your claim it leaves you back at step one.
That is where digital certificates come into the picture. In its most basic form a digital certificate contains the name and details of its owner and his public key, effectively linking the key to a person. The key is digitally signed with the private key of a certification authority (CA), a trusted third party that guarantees to a specified level of certainty that the identified person is the legitimate owner of the public key. As long as the CA is trusted, the certificate can be trusted.
A system of cascading certificates and CAs, known as public key infrastructure, allows for the online verification of certificates and the distribution of public keys.
Spreading the love
CAs have different ways of going about issuing digital certificates. The preferred way is by face-to-face authentication; where a trusted agent can compare a photo ID to a face before vouching for anyone`s identity.
I do it because I believe digital certificates are important and it doesn`t take up all that much of my time.
John Giles, Thawte notary, Harty Rushmere McPherson
Local CA Thawte, which made headlines when it was bought by US rival Verisign and making founder Mark Shuttleworth a billionaire, operated one such face-to-face system in SA.
The Thawte Freemail Web of Trust uses a network of volunteers to issue certificates. A member is issued with a full certificate once identified by at least two informal notaries of the system. When identified by at least three notaries a member can become a notary in turn, allowing the network to expand.
John Giles is a local Thawte notary and, by day, a lawyer with IT commercial firm Harty Rushmere McPherson. As one of more than 20 Thawte notaries in Gauteng and dozens more throughout the country, he took on the role because of an interest in the Internet and specifically in digital certificates.
"I do it because I believe digital certificates are important and it doesn`t take up all that much of my time," he says.
While some Thawte notaries charge for their time or are willing to come to the applicant if reimbursed for travel expenses, Giles offers his services for free. Any Thawte member who holds a basic certificate with only his e-mail address specified can visit Giles at his office for an upgrade. With some details of the basic certificate and a copy of the applicant`s ID book, Giles will access the Thawte website and certify that you are indeed who you say you are.
Although being a Thawte notary is an unofficial position with no formal qualification, Giles takes the responsibility seriously and keeps meticulous documentation about each individual he certifies.
"You want to be certain that you have the records; you don`t want to make a mistake," he says, with a file of ID copies under his arm. The Thawte system records exactly who asserted which identity and if a wrongfully issued certificate is used to defraud anyone the notaries could find themselves on the wrong end of a damages claim. If that happens Giles wants to be able to show that he did everything the rules require of him.
Whether you trust such a self-regulating system or not, it worked for Thawte, with hundreds of notaries available in just under 80 countries, including the likes of Zimbabwe and Fiji.
Volunteers such as Giles, and most other ground-level authentication providers, are unlikely to be affected by the ECT Act and will probably continue to be a part of the local landscape for some time. However, the public service they provide will not benefit from the new law either.
Under the two-tier system of digital signatures just about anything two parties agree on can be used to sign documents for exchange between themselves. But where a signature is required by law the ECT Act calls for an "advanced electronic signature" to be used. Such a signature can only be issued by a provider accredited by the government.
The procedures used to issue a certificate will play a large role in the government evaluation and it seems unlikely to grant its blessing to a system where a group of three crooked notaries can produce a web of fake identities only detectable once it is used.
Evolution, acceleration
So what does the ECT Act change in the world of digital certificates? It probably adds an extra push to growth, over time. Or so think the established industry players, and it is music to their ears.
We are not expecting everything to start revolving around public key infrastructure overnight.
Maeson Maherry, GM, Namitrust
"It gives credibility and legitimacy to the digital signature process," says Adrian Schofield, president of the Information Industry SA, an umbrella body. "There is always a risk attached to government involvement in what was previously a purely commercial environment, but the industry is happy for the additional credibility."
Those who have made a business of certificates and have found it difficult to justify the technology to business clients, never mind their specific solution, are indeed happy with the Act.
"We were trying to break through a certain mindset and [the Act] will be a great help from a business education point of view," says Maeson Maherry, the general manager of Namitrust, the division that handles certification for NamITech.
Namitrust is an affiliate of certification authority Verisign, and Maherry believes there will be an inevitable increase in demand for digital certificates, which the ECT Act will accelerate. In the long term, that is.
"At the moment business is still in shock because of the Act," he says. "Business has operated pretty well for the past few hundred years and [adoption] will be an evolution, not a revolution. We are not expecting everything to start revolving around public key infrastructure overnight."
Another long-term change will be increased government use of signatures and certificates. The ECT Act lays some groundwork for e-government and with the other provisions aimed at consumers and business, starts to make it possible for the large government bureaucracy to interact with the citizenry online.
Few government websites may accept credit card numbers today, but where Internet growth and e-government use intersects, the powers that be will require certificates. Lots of them; not only to authenticate servers but to encrypt information in the virtual version of the paper trails civil servants have such a legendary love of.
Even the much criticised part of the Act that requires cryptography providers, including those who issue certificates, to register in a government database doesn`t faze the current players. "They want to see what our algorithms are to ensure that there is a minimum standard for algorithms," says Maherry. "We are happy with that."
Such knee-high barriers to entry make things difficult only for fly-by-night operators, players say, and they would happily not compete with those.
Nor are they concerned that the Act locks their industry into specific technology or structures such as public key infrastructure. Here, at last, it seems government achieved the goal of technology-neutral enabling legislation.
In fact, the only widespread criticism of the ECT Act is that the cryptography, authentication and signature parts could have been split out into their own laws; mostly because those in the business think it would have gotten better mileage out of the public perception side that way. These positive parts of it, they feel, have been overshadowed by controversial issues that have no impact on them or their customers.
At the end of the day it comes down to perception. Digital certificates were previously trusted only by those who understood their inner workings. Now, it is hoped, they will be trusted by all who trust in the protection of their government.
"I hope the industry will be able to use it to their best advantage," says Schofield.
Share