Electronic Commerce: Security Issues


Research Paper 12 1998-99

Matthew L. James
Science, Technology, Environment and Resources Group
16 February 1999

Contents

Major Issues Summary

Glossary

The Internet as the Information Superhighway

Introduction to the Internet
Electronic Commerce
Information Economy
Converging Insecurity

Cryptography Concepts

Electronic Encryption
Superhighway Robbery
Key Escrow
Authentication
Smart Cards and Beyond
Electronic Funds Transfer and Secure Electronic Technology

The Business Battle for E-commerce Control

Credit Cards versus On-line Banks
Industry Codes of Practice
Privacy on the Net
Privacy Policies
Cyberspace Crime

Cryptography and Authentication Policies

Cryptography Law
OECD Guidelines
Public Key Authentication Framework
Engendering Trust

Appendix: Encryption and the United States Clipper Chip Saga

Chronology of Commonwealth Initiative for the Information Economy

Endnotes

Major Issues Summary

The information revolution has provided part of the world's population with a de facto information superhighway that we know as the Internet. Use of these networks for on-line purchases and some transactions forms just part of the growth in global electronic commerce (e-commerce), which is actually a broader use of information technologies by business and government. Considering that, in 1997, Australia had 1.5 billion electronic transactions, this is a significant, growing commercial sector. However, the public remains concerned about privacy, security and equitable access costs, perhaps not without reason.

Successive federal governments have conducted a series of extensive policy studies about converging communications and established various advisory organisations to reflect the importance of the information sector. Perhaps necessarily, such approaches have focused on industry development rather than technical frameworks, security or consumer issues. In the event, self-regulatory schemes apply to matters of privacy and content provision.

Any e-commerce on the Internet becomes potentially subject to interception, tracking or attack and thus warrants the use of cryptography to code transmissions for security and privacy. The encrypted data becomes reasonably secure assuming safe handling at each end. Whether or not government or organisations should have access to encrypted transmissions is a current argument. There is a need for digital certificates to establish the authenticity of on-line users and also a Public Key Authentication Framework for security.

On-line currency movements may be facilitated by secure electronic technologies but implementation is slow in Australia with a risk of incompatibility between rival systems. There is also a risk to consumers from unauthorised transactions made by third parties. Industry codes of practice apply to electronic funds transfer, smart cards and the Internet. Regulatory controls may restrict e-commerce and other laws but might also assist consumers so it may be necessary to achieve some balance in the public interest.

Regulatory and policy measures span portfolios but do not necessarily encompass wide interests or consumers. Meanwhile, the information sector remains vulnerable to crime and the paper provides several case examples. Underlying government e-commerce programs is the need for secure and private broadband capacity, which, if the Internet is anything to go by, has not yet been achieved. Networks lack common standard protocols and quality.

The specific matter of cryptography regulation awaits resolution. Some nations have acted to restrict encryption while others and the OECD advise against such bans. The United States attempt to control encryption shows the pitfalls of such technology regulation. Australia's on-line security policy effort appears befuddled, inconsistent and without full public scrutiny. We need wide trust for successful e-commerce, not just new technology with restrictions. With the introduction of the Electronic Transactions Bill 1999 the Government aims to provide a strategic framework for e-commerce development. This paper concentrates on the security aspects of the new information economy age.

Glossary

ATM

Automatic Teller Machine used for electronic funds transfer.

Authentication

Process of confirming user identity or data origin and integrity.

Biometrics

Identification using physical features or behavioural characteristics.

Blind signature

Means to hide document contents and sender identity from signer.

Broadband

Communications of high capacity and usually of multimedia content.

Certificate

Digital signature combining data verification and encryption key.

Certification

Creation of key certificates by a party trusted by the user community.

Chaff/winnowing

Advanced encryption technique involving data dispersal and mixing.

Compression

Process that reduces the amount of data to be transmitted or stored.

Convergence

Integration of computing, communications and broadcasting systems.

Cookies

Record of WWW URL visits stored in user's computer memory.

Cryptography

Technique to scramble data to preserve confidentiality or authenticity.

Decryption

Transformation of scrambled (encrypted) data back to original form.

Digital cash/coins

Electronic money which only exists on-line or with digital purses.

E-commerce

Integration of communications and data management for businesses.

E-mail

Electronic mail transfer of unstructured information between users.

EDI

Electronic Data Interchange automated business information exchange.

EFT(POS)

Electronic Funds Transfer between accounts (at Point of Sale).

Encryption

Transformation of data into scrambled form before transmission.

Escrow

Legal storage of encryption keys in a secure repository by third party.

Hash function

Compression of an input message into an output number result.

HTTP

Hyper Text Transfer Protocol allows computers to access the Internet.

Internet

Collection of interconnected networks for e-mail, file transfer and login.

InternetTV

Internet (World Wide Web or Net) delivered by standard Television.

Interactivity

Allows information users to respond to or control the source flow.

ISP

Internet Service Provider for user access, e-mail and data storage.

IT&T

Information Technology and Telecommunications as multimedia.

Key

A numerical value used by an encryption algorithm for security.

Multimedia

Integrated video, audio, text and data graphics in digital form.

NOIE

National Office for the Information Economy for Australia.

OECD

Organisation for Economic Cooperation and Development.

OGO(IT)

Office of Government On-line (formerly Information Technology).

PECC

Pharmaceutical Electronic Commerce and Communication project.

PIN

Personal Identification Number enables user access to EFT accounts.

PKAF

Public Key Authentication Framework for certification services.

Private key

Allows decoding of a message encoded using a matching key.

Public key

Allows transmission without previous exchange of a private key.

Purses/wallets

Contain digital certificates for on-line use as a form of digital cash.

SET

Secure Electronic Trading/Transaction security standard for banking.

Smart cards

Plastic card with embedded integrated circuit for information storage.

SVC

Stored Value Card variety of smart card used for electronic money.

Trusted 3rd party

Network entity trusted by all others to manage encryption information.

URL

Uniform Resource Locator machine address of computer location.

WIPO

World Intellectual Property Organisation.

WTO

World Trade Organisation.

WWW

World Wide Web Internet system that uses browsers to handle data.

The Internet as the Information Superhighway

Introduction to the Internet

The terms 'information super-highway' or 'global information infrastructure' refer to the trend of convergence of communications networks, media and computing systems into one system. However, through the rapid recent global growth of Internet access and usage, that system of networks has become the default information superhighway, though not as previously envisaged by communications experts. The Internet is a global network of networks, involving many different private, public and academic computer systems linked by high-speed communications lines. These use agreed standards (protocols and architectures) and digital signals. Convergence is a process of network digitisation for information and content that replaces the separate analogue systems of the past. Convergence leads to easy data manipulation, large storage capacity and interactivity.(1)

The World Wide Web has lately dominated the Internet through use of commercial Web browsers and search engines. The Web is composed of all computers that use and accept the Hyper Text Transfer Protocol. They allow use of the Web as a user interface system for accessing the Internet through browsers that present data in readable forms. The Web is a multimedia system blending text, images, video and audio transmissions. There are other directories, file transfer protocols, categories and remote access services on the Internet. Further developments include news (discussion) groups, relay (writing) chat, voice (telephone) chat, electronic mail (e-mail), cyber (digital) electronic cash, messaging and Web-Television.(2) The Web developed from defence and academic networks and allows user access through each machine page address called a Uniform Resource Locator (URL). The domain name system that URLs access translates Internet names into numeric protocols, sites, folders and file names, for information transmission. There has been some inconsistency in domain name registration, reflecting the chaotic nature of the Internet.

Australia's Internet infrastructure has evolved awkwardly from academia, through Telstra and Optus telecommunications carrier control of Internet Service Provider (ISP) operation and global connections. ISPs serve local Internet users by offering computer connections over telecommunications lines. A number of ISPs are now establishing their own international network links by undersea cable or via satellite. Pay television operator Austar plans broadband microwave service to bypass local Telstra or Optus cables. InternetTV may provide an interface system for easier consumer access to the Internet using home televisions.(3) Data compression technologies help to spread the Internet load among lines already at capacity. Technical developments should improve access, data speeds, transaction time and support. In future, ISPs may evolve into Commerce Service Providers to facilitate multiple business transactions as transaction costs continue to drop.

Studies note the growth in Internet shopping coupled with user concern about access costs and lack of security. While such shopping involves market access interstate and overseas, it lacks personal contact, complete security and wide use as yet. There are also wider concerns about adequate broadband line capacity, particularly in rural and remote areas. An interesting distinction is possible between the nature of physical goods and electronic transactions. Both may have considerable value and yet electronic commerce may defy any tangible, visible, identification. As such, as yet, it is not subject to customs duties!

Electronic Commerce

The newer concept of electronic commerce (e-commerce) is the use of on-line networks to promote or sell products or services. It is also the process of using electronic methods and procedures with information technology as a tool, to conduct all forms of business activity. Electronic commerce utilises different technologies and forms such as electronic banking and trading, electronic funds transfer (EFT), electronic data interchange (EDI), electronic mail (e-mail), facsimile transfer, electronic cataloguing, video-conferences and multimedia communications and all other forms of sending electronic data messages between enterprises. Earlier applications of EDI were too costly and complex to succeed. The use of smart cards adds a further dimension to enable on-line transactions around the globe.(4) The paper defines some of these concepts later, but also, see the Glossary.

The take-up of e-commerce is still small when compared to the broader context of electronic transactions and cash flows such as already occur within banking systems. In a study of the wider business sector and cash flows, the Australian company www.consult estimates 1.5 billion electronic transactions in Australia in 1997, out of 21 billion total movements involving some $16 trillion.(5) One estimate for total business to business e-commerce in Australia in 1997 was $25 billion. The Internet component was about $55 million spent on on-line retail shopping. Andersen Consulting estimates the sales in Australia for e-commerce in 1997 to be $85 million or 0.02 per cent of GDP.

The most popular uses for the Internet have been for academic research and business information, but now growth is occurring in goods and services purchases. There are about 2 million people using the Internet in Australia. However, only a small proportion of small businesses has come on-line. Aside from business to business applications and the retailing of physical goods, there may be e-commerce applications for financial services, banking and professional consulting.(6) Already, experienced users such as young professionals and youngsters are on-line and active. However, speed, service, privacy, security and authentication risk issues remain unclear and subject to varying policies.

Information Economy

With the convergence of telecommunications, broadcasting and information system services, the United States Government intends minimalist regulation cognisant of the strong industry competition, decentralised nature and global aspect of e-commerce. This may well match American industry interests, given their leadership of the Internet, but may not necessarily best suit Australia. The information economy has implications across a wide spectrum of portfolios but it is perhaps not clear how best to coordinate national direction for it. Nonetheless, convergence has been the subject of a number of studies here.

When the concept of electronic convergence arrived earlier this decade, studies outlined likely scenarios for the provision of the new communications systems that linked to information and broadcasting technologies.(7) They identified possible service types for home entertainment, communications services, transactions, business and on-line information. These raised a wide variety of policy issues including matters of the user demand for such services, the level of service access available to the community and of information flows generally. Further considerations included the degree of privacy found on-line, content controls (particularly relating to violence and pornography) and the imposition of taxation to on-line services. Wider issues included the impact on culture, as well as cross media and foreign ownership of the service providers. There also remained a bandwidth management problem, requiring regulation or pricing, and varying standards.

It was clear that the Federal Government had to respond to the new age of the information economy and indeed it has through a series of initiatives as outlined in the appended chronology. These include various advisory organisations, major reviews and studies, many of which have now ceased or been greatly changed. The National Office for the Information Economy (NOIE) and the Office of Government Online (OGO) now lie within the Department of Communications, Information Technology and the Arts. An apparent insecurity in OGO and NOIE appears inconsistent with a strong Government regulatory interest and commitment to put the Commonwealth on-line by the year 2000.

Considering that the Internet has not yet been the subject of extensive Commonwealth legislation, there is some impetus towards reviewing all telecommunications and broadcasting legislation towards convergence. There is a review by the Department of Communications of datacasting services to complete before 2000, and the commencement of digital television broadcasting, while the introduction of new Web-Television has further implications. Broadband capacity infrastructure issues arise with the role of Australian and overseas multimedia industry remaining fragmented. Some observers suggest the need for a complete review of all the legislation required for convergence regulation noting the growing dominance of transaction management relating to development of the service based economy.(8)

Some regard the fragmentation of information policy across numerous agencies as a long-standing problem.(9) While a series of reports has argued for a ministry of information technology, this still does not exist in spite of NOIE, which concentrates on business, and OGO, which handles Commonwealth information technology policy. The information economy applies to different degrees to all government portfolios. As the information industry is primarily driven by the private sector, the Australian Government like others has pursued a relatively non-interventionist framework. It has upheld a 'no duties' or a (bits of information) tax on the Internet. However, other problems of equity, privacy protection and cryptography policy need resolution. There are wider issues of intellectual property and consumer interests while the matter of security is often also not considered.

Converging Insecurity

Given the apparently inevitable growth in the use of information systems, Australia would seem to need an appropriate regulatory and policy framework to facilitate on-line services and accelerate the uptake of e-commerce to open new opportunities. The framework might provide targeted awareness and education strategies across all sectors to encourage broad understanding. It may also resolve core infrastructure issues such as broadband capacity and cost. It may stimulate market uptake by identifying key agencies to promote on-line services while recognising access and equity issues in a global context.(10) Requirements of access, content, skills, technologies and costs remain important, but an understanding of demand remains a primary factor. Pilot projects have a useful access role especially if linked to the provision of electronic government services.(11)

Much of Australia's communications legislation to date has been based upon technology regulation. There is an argument for technology-neutral regulation, in that the market and society should be left to establish the most efficient on-line network services. The interactive and participatory nature of Internet use may evolve new activity patterns and fringe networks that do not just maintain material consumerism or traditional trade-flow diplomacy. Through joint enterprise, the industry would value human capital skills for software and content development in the global marketplace. Regulation might then be only necessary to ensure matters of privacy, security and costs.

Underlying all of this on-line economic activity is the dependent need for secure access and systems to identify both customers and business providers. Without the means to securely transmit funds, data and documents over networks, it is difficult to see how any electronic age could survive. Focusing on such security aspects, this paper addresses the nature of electronic transactions, before raising policy issues and options. It is noteworthy that at the time of writing, a draft Electronic Transactions Bill 1999 has emerged for public comment. Yet it is probable that many persons have no idea of the implications of such a Bill and e-commerce generally, let alone an appreciation of the security aspects. As the discussion continues, it will emerge that matters of line capacity, taxation, standards, and certification of secure transactions are all relevant as we enter the Information Age.

Cryptography Concepts

Electronic Encryption

For some time now, most of us have used electronic transaction systems such as automatic teller machines (ATMs) and electronic funds transfer (EFT). These utilise closed, supposedly secure, networks that are generally safe from interception by using encryption or secure data coding. Digital mobile telephone systems have also employed encryption to help keep private conversations secure. However, their somewhat limited system standard has enabled eavesdropping, perhaps indicating that no technology is totally secure. Information security has objectives including confidentiality (secrecy), data integrity (non-alteration), authentication (identity corroboration of an entity and data origin), and non-repudiation (prevents the denial of previous commitments).

The arcane science of encryption is called 'cryptography', which, until recently, had been largely the preserve of secret defence intelligence agencies, spies and diplomatic officers. Encryption transforms data by the use of cryptography to produce unintelligible (encrypted) data to ensure its confidentiality. The inverse function of decryption then converts transmissions back to normal form. Cryptography is the study of mathematics related to aspects of information security while cryptology is the study of cryptography. Cryptanalysis is the use of mathematics to crack cryptographic techniques as employed by a cryptanalyst. Cryptographic functions include encryption, authentication and digital signatures, while cryptographic tools are ciphers, hashes, codes and signatures.

Computer ciphers have two parts: a method, or algorithm, plus a key number for access. Cipher algorithms change symbols or strings of data. In traditional coding, both parties to a secret message had to firstly share a private password or key in order to cipher or decipher their messages. The sharing of this key was in itself a weakness of the system if any other party could get hold of the key. In the 1970s, scientists devised a way of splitting the key into two parts, one public and one private, linked by a complex mathematical relationship. Now it was possible for one party to release a 'public key' to all other parties, to enable them to encipher messages but only the holder of the 'private key' could decipher them upon return. With computing advances, the ability arose of including such complex cipher routines in ordinary software. Sophisticated cryptographic software now enables almost any computer user to encode their transmissions for security. There are many forms of encryption available that help make e-commerce transactions reasonably secure.

Encryption techniques generally divide into two types: symmetric (single, shared) private key, where the same key is used for encryption and decryption, and asymmetric public (twin) keys. The latter involves a public encryption key and a private decryption key. Symmetric key ciphers are relatively short and have high rates of data throughput, but need a trusted third party manager, while public keys have larger ciphers and work slower. Thus public keys are most often used to transport symmetric keys for bulk data encryption and authentication or for encrypting small data items such as credit card numbers and PINs. Private key examples include DES, Blowfish, IDEA, LOKI and RC4. Public keys include Diffie-Hellman, ElGamal, PGP and RSA. Note that codes differ from ciphers as they involve linguistic translations that may complicate any cryptographic interpretation.(12)

Further types of encryption algorithms are the 'hash' type, used to compress data for signing, and 'signatures' used to sign and authenticate data. Examples of hash algorithms are MD5, HAVAL and SHA while signatures include RSA and DSA. Hash functions convert binary strings of arbitrary length to a fixed length with a value. To enable Internet users to establish their credentials for any transactions, the concept has arisen of 'digital certificates or signatures'. These are software packages containing personal references and a private key. A digital signature is a number dependent on some secret known only to the signer and on the signed message content. To create a digital signature, users begin with an electronic message and hash it, that is, calculate a number using the contents of the message. Hashing ensures message integrity, as any alteration would change the result. Encrypting the resulting hash with a personal secret key provides the certificate. To verify the digital signature, users decrypt it with a public key and the hash technique to provide the original hash result, and then rehash and compare the result for verification. 'Blind signatures' have applications when the sender does not want the signer to be able to observe the document content or sender identity. A signature is a means to bind information to an entity and so is fundamental in authentication and non-repudiation especially between separated parties.
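The hash-then-sign procedure described above, as an added example that is not part of the original paper: the message is hashed with SHA-256, the hash is transformed with the private exponent, and the verifier recovers the hash with the public key and compares it with a fresh hash. The key pairs are constructed demonstration values built from publicly known Mersenne primes, the names SIGNER, OTHER, make_key and demo are hypothetical, and the unpadded RSA shown here only illustrates the arithmetic; deployed systems add a padding scheme.

```python
import hashlib

E = 65537  # widely used public exponent


def make_key(p: int, q: int) -> dict:
    """Build an unpadded RSA key pair from two primes (demonstration only)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (needs Python 3.8+)
    return {"n": n, "e": E, "d": d}


# Constructed demo keys from publicly known Mersenne primes.
# Primes of this special, well-known form must never be used for a real key.
SIGNER = make_key(2**521 - 1, 2**607 - 1)
OTHER = make_key(2**127 - 1, 2**521 - 1)


def public_part(key: dict) -> dict:
    """The half of the key pair that may be published."""
    return {"n": key["n"], "e": key["e"]}


def message_hash(message: bytes) -> int:
    """Hash a message of any length to a fixed-length number."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, key: dict) -> int:
    """Hash the message, then transform the hash with the private exponent."""
    return pow(message_hash(message), key["d"], key["n"])


def verify(message: bytes, signature: int, public: dict) -> bool:
    """Recover the hash with the public key, rehash the message, compare."""
    if not 0 <= signature < public["n"]:
        return False  # out of range for this key, cannot be genuine
    recovered = pow(signature, public["e"], public["n"])
    return recovered == message_hash(message)


def demo() -> dict:
    order = b"PAY 100.00 AUD TO ACCOUNT 12345"    # constructed sample message
    altered = b"PAY 900.00 AUD TO ACCOUNT 12345"  # one character changed
    signature = sign(order, SIGNER)
    return {
        # Signature checks out against the signer's public key.
        "genuine": verify(order, signature, public_part(SIGNER)),
        # Any alteration changes the hash, so the comparison fails.
        "altered": verify(altered, signature, public_part(SIGNER)),
        # A different public key does not recover the original hash.
        "wrong_key": verify(order, signature, public_part(OTHER)),
    }


if __name__ == "__main__":
    print(demo())
```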

Superhighway Robbery

To summarise, public key certificates are a means by which public keys may be stored, distributed or forwarded over insecure media without the danger of undetectable manipulation. This allows one's public key to be made available to others such that its authenticity and validity are verifiable. Nonetheless, a weakness remains at each end of the secure communications where the message and/or private keys might be revealed or available to third parties, or included within software. A further weakness is the ability of advanced computer systems to work out the mathematical formulae defined in keys and thus decode messages within a reasonable time. This is achieved by trying every possible combination of bits of information until the code is broken.

Symmetric key lengths determine the security level of the algorithm. If the key is 8 bits of information long, there are 2 to the power 8, or 256 possible combinations. So, at most, only 256 attempts are needed to find the key. With a 56 bit key and a computer trying one million keys a second, it may take as long as 2 285 years to find the correct key. For a 64 bit key, the computer needs up to 585 000 years, assuming no easier way to break the cipher than this brute force attack. However, specialised computers can substantially reduce the breaking time and cost involved. It appears that 56 bit keys are no longer safe, while 64 bit keys are within military budgets, suggesting that key lengths should be 80 bits or more for medium term security. In the future though, the use of viruses, neural networks, DNA or quantum computing or even nano-technology systems may render keys subject to resolution. Meanwhile, for public keys it is wise to utilise 1 024 bit numbers in order to remain secure for now. As public keys may be used to secure systems for a long time, it is best to achieve some balance between selection of private and public keys.(13)

Encryption programs might also be circumvented in a variety of ways that do not involve breaking the code. Security is breached if a password or access phrase is disclosed to third parties. A substituted public key may enable a perpetrator to read encoded messages. Illegal recovery of deleted files may reveal private details or keys. Viruses and 'Trojan Horses' can damage encryption programs or insert procedures to allow substitute keys. Computer viruses are a special type of program that may produce undesirable outcomes and that spread across networks and computers by making copies of themselves. A hoax virus is a message spread among users about supposed viruses in order to cause scares and costs. Physical security breaches or espionage may reveal codes to intruders. Traffic analysis of message movements between sites and the data sizes may reveal sensitive information.(14) Public key cryptography sometimes permits patterns to survive encryption, making it vulnerable to cryptanalysis (the study of breaking ciphers) by cryptologists.(15)

Various organisations have patents and standards for cryptography. They include the International Organisation for Standardization (ISO), the International Electrotechnical Commission (IEC), the American National Standards Institute (ANSI), the United States Federal Information Processing Standards (FIPS), and the Internet Engineering Steering Group (IESG) of the Internet Engineering Task Force (IETF), as well as private interests. A Dutch company, DigiCash, owns most of the digital cash patents.

A new technique for sending secret messages involves digital authentication and not message encryption. Called 'chaffing and winnowing', the technique splits the message into tiny pieces. Each of these data bits is labelled with a number and digitally signed before being interspersed with nonsense data that also has numbers and appears to be signed. Only the correct authentication key can separate or winnow the wheat of the message from the chaff.(16) Maybe this will serve as the ultimate encryption technique to preserve individual privacy and security on the Net. This also shows that any regulatory attempts to thwart encryption use may well be bypassed in future.
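Chaffing and winnowing as described above, as an added example that is not part of the original paper: each message bit is numbered and tagged, a complementary bit with a random tag is sent alongside it, and only the holder of the authentication key can tell which packets are genuine. The example assumes a shared-key HMAC-SHA256 tag as the authentication step; the function names and sample values are hypothetical.

```python
import hashlib
import hmac
import secrets


def tag(key: bytes, serial: int, bit: int) -> bytes:
    """Authentication tag binding a bit value to its serial number."""
    data = serial.to_bytes(4, "big") + bytes([bit])
    return hmac.new(key, data, hashlib.sha256).digest()


def to_bits(data: bytes) -> list:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def to_bytes(bits: list) -> bytes:
    if len(bits) % 8:
        raise ValueError("bit count is not a whole number of bytes")
    out = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def add_chaff(message: bytes, key: bytes) -> list:
    """Return (serial, bit, tag) packets: one wheat and one chaff per bit."""
    packets = []
    for serial, bit in enumerate(to_bits(message)):
        wheat = (serial, bit, tag(key, serial, bit))
        # Chaff carries the opposite bit and a random tag of the same length,
        # so without the key it is indistinguishable from wheat.
        chaff = (serial, 1 - bit, secrets.token_bytes(32))
        pair = [wheat, chaff] if secrets.randbelow(2) else [chaff, wheat]
        packets.extend(pair)
    return packets


def winnow(packets: list, key: bytes) -> bytes:
    """Keep only packets whose tag verifies, then reassemble the message."""
    bits = {}
    for serial, bit, packet_tag in packets:
        if hmac.compare_digest(packet_tag, tag(key, serial, bit)):
            if serial in bits and bits[serial] != bit:
                raise ValueError("conflicting authentic packets for one serial")
            bits[serial] = bit
    # A gap in the serial numbers means a genuine packet was altered or lost.
    if sorted(bits) != list(range(len(bits))):
        raise ValueError("missing authentic packet")
    return to_bytes([bits[i] for i in range(len(bits))])


if __name__ == "__main__":
    shared_key = b"constructed-demo-key-32-bytes!!!"  # constructed sample key
    stream = add_chaff(b"PIN 4921", shared_key)        # constructed message
    print(len(stream), "packets on the wire")
    print("with the key:   ", winnow(stream, shared_key))
    print("with a bad key: ", winnow(stream, b"not-the-right-key"))
```

No bit is encrypted: every serial number appears on the wire with both 0 and 1, and confidentiality rests entirely on the observer being unable to check the tags.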

Key Escrow

Some governments have become alarmed at the prospect of losing the ability to intercept private conversations or transactions due to the use of cryptography. They cite the battle against criminals, drug-lords and child pornographers as warranting a ban on the use of encryption. However, the widespread use of cheap ciphers over the Net has more or less thwarted any bans. Nonetheless, communications agencies require access to data for the purposes of system recovery after failure. Since all transmissions may have the same key, the agencies may wish to keep a register of private keys. Some governments propose that a copy of every private key be held in trust by national security agencies for their use in criminal investigations. This policy of 'private key escrow' has spawned opposition from civil liberties groups and those opposed to government scrutiny. In the United States, attempts to establish such an escrow agency failed, as detailed in the Appendix.

Key escrow is a system to provide encryption of user traffic such as voice or data so that the session keys used are available to properly authorised third parties under special access circumstances. Law enforcement agencies promoted the concept while other uses might be for recovery of encrypted data following its loss or destruction due to equipment failure. The United States Escrowed Encryption Standard involved a computer ('Clipper') chip with a unique identity number and a two-piece secret key stored by two different agencies. However, users can already backup keys and there is no guarantee for liability or that any escrow agency itself is trustworthy. Thus, key escrow appears dead, bypassed by the widespread availability of encryption products. However, key backup is useful for good management reasons in applying to archival data.

Authentication

'Certification' is the endorsement of information by a trusted entity. A certificate consists of a data part and a signature part binding identity to a key number. However, a system is needed to authenticate the identity of public key holders, as otherwise, illicit organisations might distribute sham public keys among users. Major risks include corruption, errors, criminal hacking and the organisation's vulnerability. This requires a public key authentication authority (PKAF) as a separate public or private organisation to vouch for each identity and the public key.

A certificate authority is a trusted third party agency that verifies identification, creates a recognised and trusted document that certifies personal identity and issues the document. The authority binds the identity of the certificate owner to the public key contained within it. Authorities may be independent commercial businesses. Alternatively, digital certificates might be on a smart card or compact disc to enable use with personal computers or InternetTV.

The use of biometrics may provide a final means of absolute personal authentication. 'Biometrics' involves the use of finger-scans (electronic fingerprint identification) or eye-scans to identify individuals as indeed being the persons they claim to represent. Such systems already operate, although some human resistance to bodily scanning techniques has tended to prevent more widespread use of biometrics. Intelligent smart cards may provide improved security by holding a user's unique biometric measurement data (for voice, signature, photo, fingerprint, and/or eyes).(17) Development proceeds on rugged computer chip units that can detect and identify fingerprints for use within smart cards.

Smart Cards and Beyond

'Smart cards' are credit-card-like, portable, plastic envelopes encasing an integrated circuit, that combine personal digital certificates and private keys within the sealed confines of an electronic chip. Smart cards have uses as 'stored value cards', with money stored as an electronic value in the chip, and/or as applications run from the card's computer chip. Loaded with information and/or electronic cash protected by an encryption scheme, smart cards may be a convenient, versatile medium for business transactions. As stated earlier however, any software package is liable to manipulation so there remains a degree of uncertainty about the security of digital certificates, although this situation also applies to normal written signatures. However, cryptographers have already identified techniques for breaking the security systems built into smart cards. They cracked the codes by monitoring power consumption as the card circuits performed cipher operations. Hackers can use less expensive equipment to monitor a smart card's electronic responses and hence gain user electronic account access as long as they have a card to examine.(18) More devious means of using smart cards may involve viruses or malicious key copies.
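The power-monitoring weakness described above arises when the sequence of operations a card performs depends on the secret key. The following added example (not from the original paper) models this with a symbolic operation trace in place of a real power measurement, and sets a key-dependent modular exponentiation beside a Montgomery ladder, one common countermeasure. The function names, the sample keys and the trace model are assumptions of the example.

```python
# Added example: a simplified model of why cipher code on a smart card can
# leak its key through power consumption, and one countermeasure.
# 'S' = modular squaring, 'M' = modular multiplication. On real hardware the
# two operations tend to draw visibly different amounts of power.


def modexp_square_multiply(base, exponent, modulus):
    """Left-to-right square-and-multiply.

    Every key bit costs a squaring; a multiplication is added only for a
    1 bit, so the order of S and M operations follows the key bits.
    Returns (result, trace).
    """
    result, trace = 1, []
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus
        trace.append("S")
        if bit == "1":
            result = (result * base) % modulus
            trace.append("M")
    return result, "".join(trace)


def modexp_ladder(base, exponent, modulus):
    """Montgomery ladder: one multiplication and one squaring for every bit.

    The invariant r1 == r0 * base (mod modulus) holds after each step, so
    r0 ends as base**exponent. The operation sequence is the same for any
    key of a given length. Real cards additionally need constant-time
    operand selection and blinding; this model shows only the
    operation-sequence part of the defence.
    """
    r0, r1, trace = 1, base % modulus, []
    for bit in bin(exponent)[2:]:
        if bit == "1":
            r0 = (r0 * r1) % modulus
            r1 = (r1 * r1) % modulus
        else:
            r1 = (r0 * r1) % modulus
            r0 = (r0 * r0) % modulus
        trace.append("MS")
    return r0, "".join(trace)


def trace_depends_on_key(modexp, key_a, key_b, base=7, modulus=2**61 - 1):
    """True if two keys of equal bit length produce different traces."""
    assert key_a.bit_length() == key_b.bit_length()
    return modexp(base, key_a, modulus)[1] != modexp(base, key_b, modulus)[1]


# Two constructed 8-bit sample keys (real keys are far longer).
KEY_A, KEY_B = 0b10110011, 0b11100001

if __name__ == "__main__":
    print("naive trace A :", modexp_square_multiply(7, KEY_A, 2**61 - 1)[1])
    print("naive trace B :", modexp_square_multiply(7, KEY_B, 2**61 - 1)[1])
    print("naive leaks   :", trace_depends_on_key(modexp_square_multiply, KEY_A, KEY_B))
    print("ladder leaks  :", trace_depends_on_key(modexp_ladder, KEY_A, KEY_B))
```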

Among the types of stored value cards available are anonymous disposable cards with a set value, anonymous re-loadable cards, personalised re-loadable cards, and multi-function cards combining stored value, debit, credit or other functions all on the one card. There are a number of different types of smart card technology available. Intelligent Memory Cards provide for telephone network access and credit card usage. Microprocessor Cards enable user personalisation and crypto-processors for extra security and encryption speed. Wireless non-contact cards combine a querying device, either active or passive, and an answering device for use in fields such as tollways, identification management, position control and information media. However, these different cards are not yet compatible, leaving the way open for rival on-line monetary systems.

Smart cards may have various cryptographic protocols and algorithms programmed into them and may operate as an electronic 'purse' to be able to receive and spend digital cash. They might also sign documents or perform authentication and have encryption keys. Their actual computer memory is usually up to 8 kilobytes with an 8 bit microprocessor. An electronic 'wallet' is a small computer resembling a pocket calculator containing a screen, keyboard, battery, and an infra-red channel for communicating with other wallets. Each user owns and uses their own wallet to administer their rights and ensure security. The wallet allows operation independent of terminals, off-line transactions and versatility.

Electronic Funds Transfer and Secure Electronic Technology

Purses contain digital certificates for on-line use as a form of digital cash or coins or electronic cash (e-cash) and stored value money cards. Such a card with value of up to a few hundred dollars need only be reasonably secure compared to digital certificates and may provide for anonymous transactions. Digital coins or electronic e-cash are like bank notes with a message signed by the issuer that specifies the issuer, value, expiry date, serial number and the Internet address of the issuer, all as a digital signature. Using blind signature technology, a technique that hides the document content from the user, the customer chooses the serial number and then blinds it. The coin issuer signs the blinded version and returns it to the customer who then un-blinds it. This protects the payer's identity and prevents any double spending. There may also be other similar techniques.
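The blind-signature exchange described above can be followed step by step in the added example below, which is not from the original paper. It uses textbook RSA with a deliberately small, constructed key; the coin format, the name ExampleBank and the single-denomination key are assumptions of the example.

```python
# Added example: blind-signature e-cash with textbook RSA.
import hashlib
import secrets
from math import gcd

# Constructed toy key for the coin issuer: two Mersenne primes give a modulus
# of about 150 bits, which is far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # issuer's private exponent


def coin_digest(coin: bytes) -> int:
    """Map the coin text to an integer below N (a simplified hash-to-integer)."""
    return int.from_bytes(hashlib.sha256(coin).digest(), "big") % N


def make_coin(value: int) -> bytes:
    """The customer chooses the random serial number.

    The issuer cannot read a blinded coin, so in this example the signing key
    itself stands for one denomination (an assumption of the example).
    """
    serial = secrets.token_hex(16)
    return f"issuer=ExampleBank;value={value};serial={serial}".encode()


def blind(coin: bytes):
    """Customer hides the digest with a random factor r: H(coin) * r^E mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    return (coin_digest(coin) * pow(r, E, N)) % N, r


def issuer_sign(blinded: int) -> int:
    """Issuer debits the customer's account and signs what it cannot read."""
    return pow(blinded, D, N)


def unblind(blind_sig: int, r: int) -> int:
    """(H^D * r) * r^-1 = H^D mod N, an ordinary signature on the coin."""
    return (blind_sig * pow(r, -1, N)) % N


def verify(coin: bytes, sig: int) -> bool:
    """Anyone holding the issuer's public key (N, E) can check a coin."""
    return pow(sig, E, N) == coin_digest(coin)


class Issuer:
    """Deposit desk: each validly signed coin is honoured once only."""

    def __init__(self):
        self.spent = set()

    def deposit(self, coin: bytes, sig: int) -> str:
        if not verify(coin, sig):
            return "rejected: bad signature"
        if coin in self.spent:
            return "rejected: already spent"
        self.spent.add(coin)
        return "accepted"


def demo() -> dict:
    coin = make_coin(5)
    blinded, r = blind(coin)                  # customer -> issuer
    sig = unblind(issuer_sign(blinded), r)    # issuer -> customer
    bank = Issuer()
    forged = coin.replace(b"value=5", b"value=500")
    return {
        "issuer_saw_digest": blinded == coin_digest(coin),
        "valid": verify(coin, sig),
        "first_deposit": bank.deposit(coin, sig),    # merchant clears the coin
        "second_deposit": bank.deposit(coin, sig),   # same coin presented again
        "forged": bank.deposit(forged, sig),         # altered coin text
    }


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:18} {outcome}")
```

At deposit the issuer sees the serial number for the first time, so it can refuse a repeated coin without being able to link the coin to the withdrawal it signed.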

The Secure Electronic Transaction/Trading/Technology (SET) is a proposed industry standard for payment card acceptance over the Internet. At the system heart is a pair of digital keys, one public and one private, held by each party to a transaction. In practice, banks will give both keys to a customer together with a digital certificate for authenticity. When customers wish to purchase over the Internet, they firstly give the public key to the merchant along with the certificate to prove its authenticity. Likewise, the merchant provides its own public key and certificates to prove its own bona fides to allow the transaction to proceed. Problems may arise in key distribution and customer identification in order to ensure that accounts and clients match.(19)

An actual transaction may have a number of steps. Firstly, the consumer requests a purchase at a merchant's Web site. Next, the purse at the merchant's Web server sends a payment request to the consumer's purse. Thirdly, the consumer confirms the payment and sends a message to the merchant to clear the payment with the bank. The merchant's Web site then contacts the bank for confirmation that the purse is valid and has unspent funds. Then the bank sends confirmation to the merchant's Web server and at the same time allocates the funds to a safe created on the bank's system for that merchant. Finally, the merchant software provides a receipt to the customer. Fortunately, this long-winded process is completed by modern on-line systems within a second or two. Various layers of encryption are applied to protect these transactions. Note that, when a customer purchases funds from the bank, these are debited to the consumer's account, but after that, the use of the funds remains unknown to the bank, since they are submitted by the merchant, not the consumer, for reasons of privacy.

However, this is only one possible approach and assumes standards and security levels that may not exist. In the end, all parties involved in electronic transactions will have to agree on common security standards to enable e-commerce to operate successfully.

The Business Battle for E-commerce Control

Credit Cards versus On-line Banks

The development of different types of electronic money could have considerable impact on e-commerce growth and may not necessarily involve any government agencies. There may be a new era of free banking, where privately issued currencies compete with legal tender as the preferred medium of exchange. These new currencies may be in market determined units to allow versatility, security, low cost and privacy. Such development along with any erosion of government revenue bases and possible law and tax avoidance, means that an appropriate regulatory framework must be achieved.(20),(21)

Law enforcement agencies still have concerns about the possible uses of digital cash for money laundering and tax evasion given that it is not currency. Note that issuers need not be licensed as financial institutions, under current laws, with many consequent legal implications.(22) However, since digital cash may be the preserve of low-cost transactions, perhaps this is not a crucial issue. The DigiCash e-cash and CyberCash 'Cybercoin' began operation, but with only minimal take-up by merchants or banks, with the result that DigiCash failed by late 1998. Australia's St George Bank had used the DigiCash system. A number of merchant software packages exist from Camtech, ABA, Telstra and Jadco, but it is early days for SET use.(23) Telstra has combined a bar code with a colour photographic identification card to produce a more resistant security package. The Australian Information Technology and Telecommunications Forum comprises major suppliers of IT&T security products and applications. The Forum promotes an advanced IT&T security industry but we are left to wonder about just how secure e-commerce is. The Europay/Mastercard/Visa (EMV) combined stored value cards (smart cards) system or credit/debit cards involve electronic trading, software standards and public key security.

Through SET, smart cards represent the next obvious stage in the evolution of EFT to combine banking, travel, telecommunications and information services access into one card. There are many possible applications for smart cards in fields such as social security, health care, payment, access control, education and authentication on-line. Smart cards may particularly suit the telecommunications, health and loyalty markets - the latter exemplified by the success of take-up of the Qantas-Telstra-ANZ-Visa-card in Australia. It may be that smart cards would incorporate means of biometric identification to enable users to log into computer systems or the Internet to conduct secure transactions.

According to an industry analyst, the banking industry has stalled e-commerce within Australia.(24) The cost and complexity of SET means that most financial services institutions are delaying rollout to the mass market until the turn of the century. SET implementation requires substantial investment in purchase and systems integration and construction of a digital certificate authority and database management. Without a large on-line market, banks have been reluctant to invest in order to control SET distribution channels. Meanwhile, overseas credit card companies, with their own vested interests, are promoting SET technology to retailers by guaranteeing payment for goods delivered when using it. Once more payments are made over the Net, consumers may be less fearful, but in the meantime competing digital cash and on-line money systems may take control over EMV.

Instead of SET, the Australian Pharmaceutical Electronic Commerce and Communication (PECC) project aims to create an Internet-based platform for communications between the industry's outlets at wholesale and retail pharmacies, suppliers and manufacturers. PECC handles processing, invoicing and inventories for the $19 billion of Australian pharmacy sales each year, with a significant proportion on the Internet. The PECC may represent a transaction volume sufficient to force banks to unify their electronic payment processes and also provide a link between EDI and ordering systems.(25) A unified bill payment system is now available under the commercial branded Bpay, E-Bill or giroPost systems.

The risks of a lack of coordination in relation to the introduction of smart cards could affect the economy, business and public confidence, or governments as card issuers.(26) In late 1998, Telstra called on all organisations promoting smart cards in Australia to collaborate and avoid a proliferation of separate technologies. Telstra urged the formation of a local chapter of the Global Chip Card Alliance coalition of businesses trying to establish worldwide standards for smart cards. Telstra itself has provided 35 000 smart card Amper-brand payphones and sold over 10 million smart Phonecards. Meanwhile, software giant Microsoft proposed a wallet purse for approval by the SET consortium controlled by credit card companies such as Visa and Mastercard. A battle between Mastercard and Visa had led to early delays and apparent lack of bank involvement. When the SET standard was ratified in June 1997, it did ensure compatibility between SET users.

There are other local initiatives that may or may not apply elsewhere around the world. Dun & Bradstreet with KPMG have developed an Australian digital certification product Insite to help ensure safer trading for companies conducting business on the Net. Trusted third parties issue site identifications for installation on servers for authentication and encryption. Only companies listed in the database can receive Insite products. Meanwhile, the accounting profession has joined forces to launch WebTrust, an assurance system for on-line customers. WebTrust may guarantee that business members will adhere to standard practices and controls. Each Internet entry would have a report issued by the accountant to help ensure sound business practice, transaction integrity and information protection. Verisign issues Server Certificates to organisations after verifying business legitimacy. Australia Post provides digital signatures on a floppy disk for authentication.

Industry Codes of Practice

Modern business has to consider e-commerce security strategies just as it has ever since credit card numbers were accepted over the telephone without signatures. Business has to consider external and internal threats, encryption, enterprise authentication, firewalls, virtual private networks, SET and e-cash through risk assessment. According to media reports, the information industry faces uncertainty due to the lack of a detailed national electronic signature scheme.(27) In general, the wide variety of corporate initiatives undertaken to facilitate e-commerce have only resulted in different standards, software quality and security levels. However, a number of industry codes of practice exist.

The Australian Securities and Investments Commission oversees the voluntary Electronic Funds Transfer Code. This applies to all ATMs and Electronic Funds Transfer at Point of Sale (EFTPOS) transactions involving a Personal Identification Number (PIN). The Code requires card issuers to notify customers with clear and accurate terms and conditions of use, charges and restrictions. For the banking industry, electronic systems have been a panacea to rising staff costs, as well as providing considerable income. EFTPOS usage has boomed in Australia, handling an average of over $5 million a day with retailers charged monthly rental fees and ongoing charges of one to three per cent of transaction values. Telephone banking may rise to become a tenth of all transactions and EFTPOS half of those by 2000 as branch banking declines. Internet banking should rise accordingly. ATM use makes up the remaining portion of usage by banking customers.

The Smart Card Industry Code of Conduct deals with the collection and handling of personal information and consumer protection. The Code establishes minimum standards of practice for the collection, use, storage, security and disclosure of information by smart card vendors. Code participants must also recognise privacy principles. The privacy issues posed by smart cards fall into categories of loss of anonymity, information collection and the potential for them to develop into a national identification card. A more insidious matter to users is that of cost, since banks, card issuers and promoters propose fees for issuance, renewal, transactions, reloads, interest and monthly usage.(28)

The Internet Industry Association Code of Practice for E-commerce was released in 1998. It covers businesses that use the Internet to sell their products and services. The Code implies use of fair trading practices, prohibits X-rated content and advises on payment means and costs.

It is possible that regulatory controls for electronic transactions (e.g. EFTPOS) may restrict e-commerce and conflict with other laws. With its all encompassing nature, the success of e-commerce legislation depends in part on regulations made by each of Federal, State, Territory and overseas governments. While the objectives of some of the policy reviews listed in the appended chronology may conflict, others may be complementary. Proposals of self-regulation regimes or codes of conduct for e-commerce require clear evaluation within the context of regulatory impact statements and wide consultation processes.

Privacy on the Net

Successful e-commerce depends upon proving the identity of persons on-line and linking them to a transaction without repudiation. It must prevent system access by unauthorised persons and computer applications, while preserving privacy and security. Since e-mail is transmitted in plain text over unknown pathways, residing for various periods on computer systems, it allows illegal scanning of message contents using filter software. An additional e-mail problem is the easy ability to forge sender or recipient identity. While personal data might be kept private in one country, any trans-border flow may not be secure upon the transmission to another nation. Surveys of attitudes to privacy on-line consistently reveal that the majority of Internet users remain unconvinced that their on-line transactions are secure.(29)

The most common invasions of privacy involve the use of personal information by marketeers who gain information from Web users either voluntarily or through software technology. Many Web sites require patrons to register first before entering, often divulging a wide array of personal details. As well, many Web sites track user habits and preferences through the use of 'cookies' or data bits placed on the computer hard disk that record Web page visits. Cases of identity theft have arisen leading to calls for legislative protection against the invasion of privacy, rather than through industry self-regulation. In August 1998, United States federal regulators charged that Geocities, a popular Internet destination that provided free Web sites, misled its two million members by secretly selling personal information to marketeers. Geocities then agreed to advise customers of its true data collection practices and allow them to delete personal data. Customers had previously provided names, addresses, incomes and occupations.(30) Whether Geocities intended to abide by a code of practice is not clear, but calls for industry regulation necessarily arise.

Privacy Policies

The Commonwealth has acted to address a number of e-commerce privacy issues, initially concentrating on information flows. On 30 April 1998, the Attorney-General announced proposed amendments to the Copyright Act 1968 to cover material on the Internet yet make exceptions for fair dealing and ISPs. On 20 February 1998, the Attorney-General released National Principles for the Fair Handling of Personal Information, in conjunction with the Privacy Commissioner.(31) These raised matters of minimum general standards, flexibility, consistency and harmony with other laws. On 31 March 1998, the Attorney-General's Expert Group on Electronic Commerce presented a report on Electronic Commerce: Building the Legal Framework. The report had three broad aims: to move towards technological neutrality, to create functional equivalence of all forms of commerce and to facilitate international harmonisation and standards. It thus related to matters of the legal status of information and identification. Currently, the Privacy Act 1988 partially implements the individual's right to information privacy.

On 16 April 1998, the Government released twelve Principles for Consumer Protection in Electronic Commerce drafted by the National Advisory Council on Consumer Affairs. The principles aim for technology neutral accountability and disputes resolution including matters of information provision, dispute resolution and privacy. These followed a 1997 paper from the Human Rights and Equal Opportunity Commission on Information Privacy in Australia.(32) The paper proposed a national self-regulatory scheme for privacy protection in the private sector. Such matters assumed the operation of a basic level of security on information networks presumably provided by cryptographic systems. On 16 December 1998, the Attorney-General announced legislation to protect the privacy of personal and other data handled by the private sector, while exempting employment records. The plan, to be developed in consultation with States and Territories, will endorse industry privacy codes of practice developed under a privacy framework, rather than through regulation.

Cyberspace Crime

There are many aspects to crime on the information superhighway. These range from illegal interception, theft or piracy of telecommunications services, to telemarketing fraud and transmission of offensive materials. Electronic vandalism and terrorism, electronic funds transfer crime and money laundering are further problems.(33) The extent of such telecommunications related crime tends to defy detection, quantification or territoriality. Law enforcement agencies may need special powers and initiatives to counter such crime.

Australian lawyers have warned that consumers may lose on unauthorised credit card transactions made over the Internet.(34) The encryption software may reveal secret key information or permit re-routing via third parties that alter information. Consumers may be left with little or no evidence to prove any system breakdown. It may be possible for SET certificates to be copied from a PC, allowing an intruder to illegally use a card. This is just one of the many criminal opportunities available on the Internet as we head towards the promised era of e-commerce. Possibly merchants, rather than the card holders, commit the majority of credit card fraud, at least according to media reports of industry insiders.(35)

Internet attacks may include masquerades and interception, unauthorised use, service denial (due to overload), disclosure of sensitive information or alteration of materials. Broader information warfare may include physical and electronic attacks on computer network systems. Victoria Police suspect that 1 300 companies have fallen victim to computer hackers called 'Number Crunch' who use the Internet to infiltrate and destroy corporate systems, especially those without 'firewall' barriers.(36) Press reports suggest that the United States Federal Bureau of Investigation believes that hackers will eventually intercept web transactions. Meanwhile, malicious persons have attempted to gain personal bank account details and passwords by e-mail from people who have just established ISP accounts.(37)

'Cyberbetting' or Internet gaming is an interactive and growing business that uses a browser to provide client access to different types of real or virtual gambling and betting systems. While the United States and Singapore have acted to prohibit such activities, other governments such as those of Queensland and the Northern Territory have legalised them, with regulations to license operators within consumer protection guidelines. There appears to be some technological capacity to control or ban on-line gaming but any national legislation would have to consider the relevant financial, telecommunications and foreign affairs implications. It is not difficult to conceive of criminal activities associated with cyberbetting.

In a wider sense, two recent Australian reports warn of the growing threats and vulnerability of the nation's information infrastructure. The first, a confidential report to the Defence Signals Directorate (DSD) by a former senior intelligence officer, covers the threat to telecommunications, power supply, air traffic control, banking and finance industries.(38) The second, by an academic strategic analyst, outlines similar vulnerability.(39) On the other hand, the DSD is apparently listening to domestic communications traffic in the manner of the British Echelon eavesdropping system. Echelon performs a key word search on all European messages including telephone, facsimile and e-mail.

According to the Organisation for Economic Cooperation and Development (OECD), while the growing importance of information and communications systems for the global economy and society is evident, such systems and data are increasingly vulnerable to threats such as unauthorised access, misappropriation and destruction. The Australian Office of Government Online has established an Inter-Agency Steering Committee to coordinate key aspects of information technology. An Inter-departmental Committee to the Secretaries' Committee on National Security was set up by the Attorney-General's Department to consider security matters.(40)

The World Trade Organisation (WTO) has adopted an Internet Duty Free Declaration not to impose duties on such transmissions. The WTO further requires access guarantees to telecommunications networks and free trade facilitation.(41) The Australian Competition and Consumer Commission prepared a 1997 discussion paper on The Global Enforcement Challenge that discusses compliance with fair trading principles in order to encourage global market mechanisms including e-commerce over the Internet.(42)

Overall though, given that e-commerce is largely technology driven by competing corporate interests, we face a plethora of standards, content controls and security levels. The chaotic nature of the Internet itself reflects the mishmash of communications standard protocols and network operations. There is no guarantee that existing networks can cope with the anticipated demands stemming from e-commerce. Computer systems have largely evolved in an ad hoc manner without any centralised planning or control. Therefore, any possible regulation must be carefully focussed on the essential aspects, such as encryption.

Cryptography and Authentication Policies

Cryptography Law

Matters of cryptography, authentication, public key technology, e-commerce taxation, on-line privacy, consumer interests, intellectual property, content and the legal framework all await resolution. There may be a need to separate the privacy requirements for cryptographic technologies between the needs of individuals, enterprises and governments. While individual security and privacy may be a matter for personal choice, business systems may need trusted systems with agreed appropriate standards that link to directories of services and network users. There has been some recognition that cryptography should follow international guidelines while local rules for digital signatures may match those devised by the Standards Association of Australia.

The Federal Attorney-General's Walsh Report was released after a Freedom of Information request by Electronic Frontiers Australia.(43) The Walsh report questioned attempts to control encryption without public debate.(44) The report had a useful glossary and among its conclusions upheld the benefits of individual data security while noting the requirements of law enforcement and security agencies. The report supported the need for certification facilities but within OECD guidelines. It did not favour legislative action, just reviews. Later, the Australian Transactions and Reports Analysis Centre gave a Report of the Electronic Commerce Task Force to the Commonwealth Law Enforcement Board.(45) The report recommended a 'whole of government' response to law and commerce on the Internet. The report explored law enforcement issues for specific electronic payment technologies.

However, in turn, the Telecommunications Legislation Amendment Bill 1997 amended the Telecommunications (Interception) Act 1979 to allow law enforcement agencies to intercept transmissions on telecommunications networks. If a Carriage Service Provider (CSP) encrypted data or supplied the encryption to clients, the legislation required that the CSP must have provided an interception capability. This does not apply to client-encrypted traffic. Critics attacked the decision as a restriction on encryption without formal policy. Note that from 1997, telecommunications carriers were required to obtain customer proof of identity for the purchase of mobile telephone pre-paid SIM smart cards.

Meanwhile, Australia's export controls for cryptography are found in the Customs (Prohibited Exports Regulations) Schedule 13E and the Customs Act 1901 section 112 (Prohibited Exports). Actual details of prohibited items are listed in the Defence and Strategic Goods List of the Australian Controls on the Export of Defence and Strategic Goods Part 3, Category 5/2. All such cryptography software requires a licence before export with the licence applications made by the Defence Signals Directorate. Exemptions apply to exports for personal use such as on small computers. However, given that on-line software such as encryption routines is not a physical good, some uncertainties arise.

A military treaty known as the Wassenaar Arrangement provides export controls on weapons and cryptography above 64 bits without Government approval. Renegotiated in late 1998, this Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies has a preamble to exempt mass market and public domain software. Australia disallows this waiver as do the United States, New Zealand, France and Russia and 28 other nations although they may choose to ignore the agreement. This applies to web browsers, e-mail applications and telephone message scrambling software. Vendors such as IBM, Sun, Microsoft and Netscape and civil libertarians have lobbied against it. An Internet-based global campaign continues promoting the free use of cryptography, i.e. without a surveillance capability, through bodies such as Electronic Frontiers Australia. (See their Internet site at http://www.efa.org.au/Issues/.)(46)

OECD Guidelines

On 27 March 1997, the OECD adopted a set of guidelines on cryptography policy to balance the various interests involved. In its view, cryptography should be subject to user choice of the means of encryption, regardless of government views to the contrary to control and monitor transmissions. The OECD guidelines also uphold trustworthy cryptography and national standards, preserve privacy, allow key access, and establish liability under government coordination. Under the guidelines, cryptography protects data confidentiality, verifies data integrity, establishes authenticity, prevents unauthorised modifications, repudiation and unauthorised use.(47) Certification of the public key through informal trust or formalised authorities remains an issue. Matters also arise of trust, choice, standards, privacy, lawful access and liability.

Since 1997, OECD experts have so far found no major failings in their guidelines, despite greater understanding of the importance to e-commerce of cryptography.(48) There is broad consensus on the need to introduce digital signatures, but there is a need for a coherent approach, and caution, to the legal access of encryption keys. Overall though, the threat of insecure transactions on e-commerce remains a reality. While the United States, France and the Council of Europe have proposed restrictions on cryptography, through the Wassenaar Arrangement, the OECD recommends free use for security and privacy.

Public Key Authentication Framework

In the 8 December 1997 industry policy statement entitled Investing for Growth, the Australian Federal Government adopted the OECD cryptography guidelines as a basis for Australian policy, i.e. a basis of user choice of encryption. In October 1997, the Federal Government had announced the formation of a body to oversee the development of a national system for on-line authentication. Earlier in 1997, the new National Office for the Information Economy developed a national e-commerce authentication framework using PKAF as an infrastructure to distribute digital signatures to prove on-line identities. NOIE convened a working group of experts to report on its structure and functions by March 1998. On 19 August 1998, NOIE released a discussion paper on a proposed model for a National Authentication Authority to serve as a PKAF agency, albeit to some criticism. Note that in April 1996, the Standards Association of Australia released for comment a draft on strategies for the implementation of a PKAF in Australia.

In May 1998, the Federal Government released Gatekeeper, a public key technology strategy report, and announced the establishment of the Government Public Key Authority. However, Gatekeeper is separate from the PKAF initiatives project and is a Commonwealth initiative to allow Federal Government communications over the Internet secured by digital certificates. Developed by the Office of Government Online in consultation with other agencies including the DSD, the strategy published a two-stage Government Public Key Technology Authority process. Its privacy considerations allow individuals to hold key pairs with different labels.

Meanwhile, the Attorney-General's Expert Group on Electronic Commerce examined the legislative requirements for e-commerce. In September 1998, the Federal Government released for public comment two draft secure electronic transaction standards relating to the PKAF. The first proposed a profile for digital certificates while the second proposed a set of rules to support the certificates. In August, the Certification Forum of Australia was formed by the e-commerce industry to provide authentication.

The Parliamentary Joint Committee of Public Accounts and Audit further examined these new challenges in matters of consumer protection and privacy, supporting a legislated privacy regime within an international context.(49) Some see the need to clearly separate the requirements for privacy-enforcing cryptographic technologies according to the needs of individuals, enterprises and governments.(50) A diversity of encryption types may prevail. Others deplore the paucity of consumer or privacy considerations in the Gatekeeper and PKAF initiatives, or the assumption of a need for any trusted third party key register.(51) There may be alternatives to PKAF type 'identity' authentication in terms of value or attribute characteristics and use of anonymous transactions with wide protection.

Engendering Trust

Computer commerce is a new means of business communication, meaning and culture. At the broadest level, e-commerce is e-business, while a narrower definition includes only the Internet and EDI, or just the Internet. Small business sees the Internet as a creative aid and marketing tool for client communications within an age of information technology. Internet take-up by small business is still a small portion of activity. Australia may be lagging behind overseas nations in e-commerce, apparently for reasons of security and privacy concerns, an absence of e-commerce culture, poor access and knowledge.

As an incentive, it is necessary to engender trust on-line because of the lack of face-to-face communication.(52) People use a form of money that they trust, provided they have access, convenience and the form of money yields information, meaning and provides value. Trust involves matters of authenticity, encryption and the security of transactions as well as control, comfort and caring aspects. Comfort relates to familiarity and reputation while caring demonstrates benevolence, intimacy and a desire to communicate to clients.(53) Through trust, we can establish confidence, then reliance and dependence on e-commerce.

Successful e-commerce is a matter of trust and not just blind use of new technology. Therefore, appropriate legislation will be a prerequisite for the most effective entry into the Information Age. It will determine if there is to be a global black market and manipulation of electronic business, or Australian-led innovation in on-line services. Our Australian regulation will establish the liability of certification authorities for private key misuse, erroneous orders, and security breaches whether made from here or overseas. It is, though, a mammoth task.

For now, Australia has a proposed Electronic Transactions Bill 1999 designed to bring our e-commerce into line with the United Nations Commission on International Trade Law model law on electronic commerce. While this may allow e-commerce to operate in a valid legal manner, wider questions remain about network security, content control and technical standards. Without an Australian PKAF operating, local e-commerce may well be hamstrung, as it already is without an agreed SET regime. Granted, competing interests may well eventually determine these outcomes, but Australians must be able to preserve their own interests within the global information economy. We also have an opportunity to develop a successful, exporting information technology industry if we get regulation right.

Appendix: Encryption and the United States Clipper Chip Saga

In 1993, the White House announced the Escrowed Encryption Initiative consisting of Skipjack, a classified algorithm implemented on the tamper resistant Clipper Chip. The scheme proposed that the United States Government keep a copy of the decryption key for all encryption equipment produced. The Key Escrowed Encryption System of the Clipper Chip was an initiative of the National Security Agency introduced on 16 April 1993. The key was generated and programmed onto the chip after the chip was manufactured but before placement into its security product. The two safe keepers were the Treasury Department's Automated Systems Division and the National Institute of Standards and Technology. Two provisions, the two independently escrowed keys and the voluntary nature of the program, were intended to reassure the public and business about system security and dependability.

Unlike scrambled messages produced by public key systems, which remained essentially impossible for non-recipients to intercept, Clipper telephones were vulnerable to anyone who might be able to obtain their codes. Under the United States plan, the Federal Government maintained a master list of identity numbers for all Clipper devices ever sold. Each number was split in two with each half 'escrowed' by a government agency. In appropriate cases, such as for a wire tapping, the agency would have reunited the two halves in order to intercept telephone calls. Access to the escrowed numbers remained a weak link in the Clipper system.

The Clipper Chip, officially known as the MYK-78T device and programmed by Mykotronx Inc of California, came built in to telephones and modems in order to scramble messages through the secret Skipjack encryption algorithm. Skipjack worked with several 'keys' or unique numbers built into the chip and supplied with telephones to produce an encrypted code for digital communications. The Clipper plan required no legislation in the United States and existed as a voluntary standard there for all government contracts and purchases. It forced no-one else to use the system, but generated much controversy. By 1995 though, the Clipper Chip had not won market acceptance and was abandoned. As an alternative to the Clipper Chip, 128 bit encryption technology has, for some time, been available off the Internet.(54)

Since its inception and routine use, the Clipper Chip faced great opposition from the business community and professional groups. They claimed a compromise of individual privacy, cost and disadvantage with respect to overseas information services. They preferred private encryption or use of an international agency such as the World Trade Organisation or the International Telecommunications Union. Many governments remained opposed to the use of strong cryptography in products designed for the international market. Internet enthusiasts meanwhile used their own packages, such as PGP, public keys and digital signatures.

PGP, or Pretty Good Privacy, brought encryption technology to the average desktop computer user. Version 5 became an e-mail standard tool for wide, free usage. Each encrypted message was preceded by a phrase mentioning PGP use, which showed that a coded transmission was occurring. This evidence was tantamount to proof of illegal activity in countries where cryptography was prohibited. Another public system masked ciphered material within a video picture so that it was not evident that cryptography was in use. It has also been possible to alter digital images, but new masking can detect whether any tampering has occurred to the data that makes up images. The American developer of PGP became himself subject to national security agency investigation as those very same organisations began to learn to cope with the release of their very own style of encryption techniques onto the world stage. So the saga of the Clipper Chip continued on.

United States key management remains under fire with its ban on the export of over-56 bit encryption techniques. The American Government will not permit exports of cryptography products above 56 bits unless applicants can demonstrate key management infrastructure plans. This involves storage of keys with a third party that would provide access to government law enforcement or national security agencies. Critics argue that the policy has driven encryption technology development overseas. The United Kingdom has instead proposed a voluntary key recovery program while the European Union opposes the United States policy on the grounds of free trade and privacy.(55) A newer proposal is for the use of trusted third party systems, a key recovery system rather than an escrow system. On production of a court order, the key recovery agency would reconstitute the message without recovering the key. However, there is a potential for corruption in such activity.

Media reports claimed that experts from the Electronic Frontier Foundation, a San Francisco based non-profit civil liberties group, sponsored by RSA Data Security of San Mateo CA, used a single, custom-built computer costing less than $400 000 to crack a widely used method for scrambling sensitive data within three days. Previous attempts had taken five months and later only 39 days to unscramble similar electronic messages. The breakthrough attempt tested 88 billion possible combinations every second for 56 hours until it unscrambled the Data Encryption Standard encoded message. The Standard had 56 bits, while the United States Government had prohibited the export of encryption products stronger than 40 bits.(56) Meanwhile, the Americans for Computer Privacy lobby group and others claimed that 128 bit encryption was now the world standard for e-commerce.
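The two-custodian split described for the Clipper escrow and the search rate quoted above for the DES crack can be worked through together. The following is an added example, not part of the original paper: it compares an XOR split with a naive split into halves and shows what a single leaked share is worth to someone searching at 88 billion keys per second. The paper does not say which construction the escrow agents used, and the 80 bit Skipjack key length and all function names are assumptions of the example.

```python
"""Two-custodian key escrow: XOR split versus naive halving."""
import secrets
from typing import Tuple

KEY_BITS = 80                 # Skipjack key length; a known figure, not stated in the paper
SEARCH_RATE = 88_000_000_000  # keys per second, the rate the paper quotes for the DES crack
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def split_xor(key: int, bits: int = KEY_BITS) -> Tuple[int, int]:
    """Share A is fresh randomness; share B is the key masked by share A."""
    share_a = secrets.randbits(bits)
    return share_a, key ^ share_a


def join_xor(share_a: int, share_b: int) -> int:
    """Reunite the two XOR shares into the original key."""
    return share_a ^ share_b


def split_halves(key: int, bits: int = KEY_BITS) -> Tuple[int, int]:
    """Naive split: custodian A keeps the high bits, custodian B the low bits."""
    half = bits // 2
    return key >> half, key & ((1 << half) - 1)


def join_halves(high: int, low: int, bits: int = KEY_BITS) -> int:
    """Reunite the two halves into the original key."""
    return (high << (bits // 2)) | low


def matching_share(share_a: int, candidate_key: int) -> int:
    """The share B that would make `candidate_key` the real key under an XOR
    split. One exists for every candidate, so share A alone excludes none."""
    return candidate_key ^ share_a


def unknown_bits_with_one_share(scheme: str, bits: int = KEY_BITS) -> int:
    """Key bits still unknown to a party holding exactly one escrowed share."""
    if scheme == "xor":
        return bits                # one share carries no information about the key
    if scheme == "halves":
        return bits - bits // 2    # one share reveals half of the key bits outright
    raise ValueError("unknown scheme: " + scheme)


def seconds_to_exhaust(bits: int, rate: int = SEARCH_RATE) -> float:
    """Worst-case time to try every key of the given length at `rate`."""
    return (1 << bits) / rate


def fraction_searched(bits: int, hours: float, rate: int = SEARCH_RATE) -> float:
    """Share of the key space covered after `hours` of searching at `rate`."""
    return min(1.0, rate * hours * 3600 / (1 << bits))


if __name__ == "__main__":
    unit_key = secrets.randbits(KEY_BITS)  # constructed sample key, not a real device key
    a, b = split_xor(unit_key)
    assert join_xor(a, b) == unit_key
    hi, lo = split_halves(unit_key)
    assert join_halves(hi, lo) == unit_key

    for scheme in ("xor", "halves"):
        left = unknown_bits_with_one_share(scheme)
        secs = seconds_to_exhaust(left)
        print(f"{scheme:>6}: one share leaves {left} bits unknown, "
              f"{secs:.3g} s ({secs / SECONDS_PER_YEAR:.3g} years) to exhaust")

    # The 56 hour DES search in the paper covered only part of the 56 bit key space.
    print(f"DES key space covered in 56 h: {fraction_searched(56, 56):.1%}")
```

With the halves construction a single compromised custodian reduces the search to 40 bits, the same strength as the export limit mentioned above, while the XOR construction leaves the full key length intact until both shares are combined.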

Chronology of Commonwealth Initiative for the Information Economy

 

| Date | Milestones | Details | Source Documents |
| --- | --- | --- | --- |
| 1995 | Broadband Services Expert Group Report | The 1995 Broadband Services Expert Group Report to the Commonwealth Minister for Transport and Communications emphasised the content and cultural dimensions of information policy to serve the whole community. The open, participatory and egalitarian nature of the Internet tended to defy any prescriptive approach. | (57) |
| July 1995 | OGIT/OGO | The Commonwealth established the Office of Government Information Technology (OGIT) to provide a coordinated, efficient approach to information use within the Australian Public Service. Now renamed as the Office for Government Online (OGO), it provides the Commonwealth Government Entry Point on the Internet found at http://www.fed.gov.au/. OGO also coordinates the national response to the Year 2000 (Y2K) computer problem. | (58) |
| August 1997 | IPAC | A milestone was the Information Policy Advisory Council (IPAC) report. IPAC was a high-level advisory body to the Commonwealth for on-line information and communications services and technologies until it ceased in 1998. The IPAC report stressed Australia's IT&T advantages. The report elaborated on constructive Government programs to facilitate IT&T as an economic force. IPAC recommendations addressed matters such as financial payment systems and cross-border trade, taxation, secure data protection, privacy and intellectual property protection. Further recommendations concerned electronic transaction law, consumer protection matters, content regulation, IT&T infrastructure and technical standards and system protocols. The IPAC report prompted government recognition of the importance of information and communications services industries for small to medium enterprise growth and trade. | (59) |
| July 1997 | Goldsworthy | The Goldsworthy report to the Commonwealth Government noted the key role of the information industries in enabling businesses to compete internationally. Among its recommendations was benchmarking Australia's taxation regime with those found overseas. The report's focus was on incentives and subsidies for encouraging investment rather than any analysis of technical frameworks, security or consumer issues. Critics contended that it ignored questions of equitable demand for information services. This contrasted to the 1995 Broadband Services Expert Group Report. | (60) |
| 1997 | Silk Road report | A 1997 Department of Foreign Affairs and Trade (DFAT) report considered elements of an on-line trade strategy in the context of the rapid regional growth in e-commerce. These matters included the financial and payment systems, consumer protection, intellectual property, cryptography, encryption, authentication, certification, secure electronic transactions, content regulation, legal and social issues, and privacy. The subsequent DFAT On-line Trade Strategy aimed to identify practical export industry promotions. | (61),(62) |
| 1997 | Corporate Law | The Commonwealth Treasury Corporate Law Economic Reform Program study proposed various measures for corporations law and securities commission involvements to ensure the verification of electronic documents, contracts and records. This may lead to electronic distribution of prospectuses and legal title to debt securities. | (63) |
| 1997 | Financial Systems | A related review was the Wallis 1997 Financial Systems Inquiry that considered impediments to e-commerce amongst many broader issues. E-commerce matters arising from the World Intellectual Property Organisation apply through the Attorney-General's Department. | (64) |
| 1997 | Taxation | The Australian Tax Office released a report to examine ways in which electronic transactions impact on taxation and might be dealt with. The paper recommended limits on transactional and user anonymity in electronic payment systems so that these did not allow tax evasion. | (65) |
| May 1998 | Internet Commerce | The Parliamentary Joint Committee of Public Accounts and Audit produced its report on Internet commerce. However, the report actually examined matters of taxation concepts such as source, residency and permanent establishment and strategies for collecting taxes on electronic transactions. It recommended ongoing monitoring of such matters and many specific practicalities but little in terms of security aspects. | (66) |
| December 1997 | Ministerial Council | The Federal Government's 8 December 1997 Investing for Growth policy statement led to the establishment of a Ministerial Council for the Information Economy to develop a national information and on-line services strategy. The Council aimed to frame an approach to e-commerce and encouraged and educated business and wider communities to move on-line. | |
| 1998 | NOIE | The National Office for the Information Economy (NOIE) supported the Council in its broad policy role to coordinate regulatory, legal and physical infrastructure for on-line activities as well as electronic service delivery by government. NOIE held an e-commerce summit in April 1998 along with regional events to help raise awareness. The organisation has also been active in promoting the consistency of the Commonwealth's position at international forums on e-commerce. NOIE has produced strategy papers and reports on legal and regulatory frameworks. | (67) |
| 1998 | AIECA | In late 1998, the Government abolished the NOIE advisory board to replace it with the new Australian Information Economy Advisory Council (AIECA) to provide high level industry and community input to Government decision making on information industry and economy. | |
| 6 May 1998 | Project Gatekeeper | OGO launched Project Gatekeeper to facilitate digital security for Commonwealth communications. The Federal Government aimed to deliver all appropriate Commonwealth services on the Internet by 2001. Electronic payment is also to become the normal means by 2000 along with a government-wide Intranet (internal network) for secure on-line communications. | (68) |
| 1998 | PARRA | The Federal Government established the Policy and Root Registration Authority (PARRA) to oversee development of a digital signature system. | |
| 1998 | DISR Business | The Australian Electronic Business Network (AeBN) is a national, non-profit organisation that targets small business with software designed to encourage take-up of on-line technologies. A related aspect is the Networked Enterprises Web Strategy. Other initiatives apply to the pharmaceutical industry, tele-medicine and IT&T that involve training strategies and industry targets. The Department of Industry, Science and Resources (DISR) Business Online and Technology Initiative aims to foster on-line business trading and information systems through training and demonstration centres, commerce systems and high performance computing centres. Other DISR programs include educational support, disabled access support and awareness campaigns. | (69) |
| January 1999 | Transactions Bill | The Commonwealth released a draft Electronic Transactions Bill concentrating on the validity of electronic transactions within the legal environment, but without specifying any technology or a dedicated signature regime. | |
| January 1999 | Transigo | Following a chequered history, the Commonwealth decides to terminate its contract with the Transigo e-commerce system provided by Telstra. | |
| January 1999 | Information Economy | Government releases a strategic framework for the information economy identifying priorities for action. | |
| February 1999 | New Silk Road | DFAT releases two new reports on 'Creating a Clearway on the New Silk Road' and 'Driving Forces on the New Silk Road'. These reports document the growth of the Internet in trade, competitive advantages of e-commerce, Australian success and the need for prompt online action. | |


Endnotes

  1. C. R. Blackman, 'Convergence between telecommunications and other media: How should regulation adapt?', Telecommunications Policy, vol. 22, no. 3, April 1998.

  2. P. Budde, Information Technology Management Report 1997, Paul Budde Communication Pty Ltd, Bucketty, 1997.

  3. M. L. James, 'Wait - there's more: the Internet on your very own home television!', Research Note no. 24, Department of the Parliamentary Library, Parliament of Australia, Canberra, February 1997.

  4. M. L. James, 'Towards the Cashless Society?', Research Note no. 48, Department of the Parliamentary Library, Parliament of Australia, Canberra, 25 June 1996.

  5. DIST, Stats.: e-commerce in Australia, Information Industries and Online Taskforce with www.consult, Canberra, April 1998.

  6. Magaziner, 'E-commerce and Mankind's Last and Greatest Hope on Earth', Communications Law Bulletin, vol. 17, no. 2, 1998, pp. 10-14.

  7. M. L. James, 'Broadband Convergence on the Information Superhighway', Background Paper no. 24, Department of the Parliamentary Library, Parliament of Australia, 2 December 1994.

  8. T. Cutler, 'Keynote Address', Proceeding: Communications Research Forum 1998, Department of Communications and the Arts, Canberra, 24-25 September, 1998.

  9. J. Thomas, 'Towards Information Policy', Media International Australia, no. 87, May 1998, pp. 9-14.

  10. E. Richardson, S. Miller and S. Singh, 'Effective use of on-line services', CIRCIT Policy Forum Report, Bowral 20-22 November 1997, Centre for International Research on Communication and Information Technologies, Melbourne, December 1997.

  11. T. Sewards, 'International Government Approaches to Stimulating the Uptake of New On-line Services', CIRCIT Research Report no. 17, Centre for International Research on Communication and Information Technologies, Melbourne, January 1998.

  12. J. Menezes, Handbook of Applied Cryptography, CRC Press, Boca Raton, 1997.

  13. Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition, John Wiley & Sons, Inc., New York, 1996.

  14. Davidson, 'E-mail, encryption and electronic security', Law Institute Journal, vol. 71, no. 11, November 1997, pp. 26-30.

  15. P. R. Zimmermann, 'Cryptography for the Internet', Scientific American, vol. 279, no. 4, October 1998, pp. 82-7.

  16. K. Kleiner, 'Making sense of absolute nonsense', New Scientist, 4 April 1998, p. 12.

  17. P. Budde, Information Technology Management Report 1998 and Telecommunications Strategies Report - 1997/1998, Paul Budde Communication Pty Ltd, Bucketty, 1998.

  18. J. Peterson, 'Power Cracking of Cash Card Codes', Science News, 20 June 1998, p. 388.

  19. J. Davidson, 'Scrambling for security in the digital world', Australian Financial Review, Sydney, 30 March 1998, p. sr6.

  20. S. Rimmer and R. Prasad, 'Electronic Money and Electronic Commerce: A regulatory best practice approach', Canberra Bulletin of Public Administration, Institute of Public Administration Australia (ACT Division), Manuka, no. 88, May 1998, pp. 29-38.

  21. S. Lang, 'Electronic Commerce: The Threat to Revenue?', Research Paper forthcoming, Department of the Parliamentary Library, Parliament of Australia, Canberra, 1999.

  22. Tyree and A. Beatty, 'Digital Cash in Australia', Journal of Banking and Finance Law and Practice, vol. 9, no. 1, March 1998, pp. 5-11.

  23. R. Chirgwin, 'E-Payment at the Starting Gate', Australian Communications, July 1998, pp. 61-8.

  24. P. Budde, 'E-commerce not until late 1999', Information Superhighways, vol. 5, no. 6, Paul Budde Communication Pty Ltd, Bucketty, July 1998.

  25. R. Chirgwin, 'Internet Commerce: Size Does Matter', Australian Communications, August 1998, pp. 17-8.

  26. GTTC, Smart Cards as National Infrastructure: Results and Recommendations of an Inter-Governmental Review, Government Technology and Telecommunications Committee, Final Report, September, ACT Government Printer, Canberra, 1997.

  27. J. Foreshew, 'Industry welcomes e-trading law plan', The Australian, 12 December 1998, p. 32.

  28. Connolly, 'Smart Cards and Privacy', Telecommunications Journal of Australia, vol. 48, no. 2, 1998.

  29. M. Scollay, 'Privacy Protection in Australia: How far have we come?', Telecommunications Journal of Australia, vol. 48, no. 2, 1998, pp. 7-14.

  30. J. Gruenwald, 'Who's Minding Whose Business on the Internet?', Congressional Quarterly Weekly, 25 July 1998, pp. 1986-90.

  31. OPC, National Principles for the Fair Handling of Personal Information, Office of the Privacy Commissioner, Human Rights and Equal Opportunity Commission, February 1998.

  32. HREOC, Information Privacy in Australia: A National Scheme for Fair Information Practices in the Private Sector, Human Rights and Equal Opportunity Commission, August 1997.

  33. P. N. Grabosky and R. G. Smith, Crime in the Digital Age: Controlling Telecommunications and Cyberspace Illegalities, Transaction Publishers, The Federation Press, Leichardt, 1998.

  34. H. Meredith, 'Internet customers warned against banking on encryption', The Australian Financial Review, 26 June 1998.

  35. M. Banaghan, 'Visa plays a smart card to stop new services from getting all the credit', Business Review Weekly, 12 October 1998, p. 98.

  36. Carson, 'Hackers leave calling card', The Melbourne Age, 21 July 1998, p. 3.

  37. Fox, 'Spam scam nets newbies', New Scientist, 31 October 1998, p. 7.

  38. DSD, The National Information Infrastructure: Threats and Vulnerabilities, Defence Signals Directorate, Department of Defence, Canberra, February 1997, 16pp, unpublished.

  39. Cobb, 'Thinking about the Unthinkable: Australian Vulnerabilities to High-Tech Risks', Research Paper no. 18, Department of the Parliamentary Library, Parliament of Australia, Canberra, 29 June 1998.

  40. G. Barker, 'The next big crash', Australian Financial Review, 6 April 1998, p. 16.

  41. I-Ways: Digest of Electronic Commerce Policy and Regulation, Second Quarter, Virginia, 1998.

  42. ACCC, 'The Global Enforcement Challenge: Enforcement of consumer protection laws in a global marketplace', Discussion Paper, Australian Competition and Consumer Commission, AGPS, August 1997.

  43. G. Walsh, Review of Policy Relating to Encryption Technologies, Attorney-General's Department, Canberra, 10 October 1996.

  44. Connolly, 'Back door code curbs', The Australian, 11 November 1997.

  45. AUSTRAC, Report of the Electronic Commerce Task Force to the Commonwealth Law Enforcement Board, Australian Transactions and Reports Analysis Centre, November 1996.

  46. G. Taylor, 'Cryptography Policy: Overdue for Reform', Communications Law Bulletin, vol. 17, no. 3, pp. 18-20, 1998.

  47. OECD, Cryptography Policy: the Guidelines and the Issues, Organisation for Economic Co-operation and Development, Paris, 1988, p. 22.

  48. OECD Emerging Market Economy Forum: Report of the Workshop on Cryptography, OECD Working Papers, no. 1, Paris, 1998.

  49. JCPAA, Internet Commerce: To buy or not to buy?, Parliament of Australia, Joint Committee of Public Accounts and Audit, Report 360, Canberra, May 1998.

  50. Caeli, 'Privacy, Cryptography and Global e-Commerce', Telecommunication Journal of Australia, vol. 48, no. 2, Telecommunication Society of Australia, Sydney, 1998, pp. 15-20.

  51. N. Waters, 'Privacy under Pressure: Competing Public Interests in Cryptography and Related Policy', Telecommunication Journal of Australia, vol. 48, no. 2, Telecommunication Society of Australia, Sydney, 1998, pp. 53-9.

  52. S. Singh and C. Slegers, 'The Story of Small Business and Electronic Commerce', Policy Research Paper no. 43, Centre for International Research on Communication and Information Technologies, Melbourne, June 1998.

  53. S. Singh and C. Slegers, 'Trust and Electronic Money', CIRCIT Policy Research Paper no. 42, Centre for International Research on Communication and Information Technologies, June 1997.

  54. W. Diffie and S. Landau, Privacy On The Line: The Politics of Wiretapping and Encryption, MIT Press, Cambridge 1998 and P. E. Agre and M. Rotenberg, (eds), Technology and Privacy: The New Landscape, MIT Press, Cambridge, 1998.

  55. Johnson, 'Encryption Policies remain controversial', I-Ways: Digest of Electronic Commerce Policy and Regulation, Second Quarter, Virginia, 1998, pp. 26-33.

  56. T. Bridis, 'US Experts Break Widely Used Data-Scrambling Method', AAP, 18 July 1998.

  57. T. Flew, 'The Goldsworthy Report: Credibility and Australian Information Policy', Media Information Australia, no. 87, May 1998, pp. 15-22.

  58. M. L. James, 'Date with Destiny: The Year 2000 Computer Bug', Research Note no. 35, Department of the Parliamentary Library, Parliament of Australia, Canberra, March 1998.

  59. IPAC, A national policy framework for structural adjustment within the new "Commonwealth of Information", Information Policy Advisory Council, Department of Communications and the Arts, Canberra, August 1997.

  60. Goldsworthy, The Global Information Economy - The Way Ahead, Report of the Information Industries Task Force, Department of Industry, Science and Tourism, August 1997.

  61. DFAT, Putting Australia on the New Silk Road: The Role of Trade Policy in Advancing Electronic Commerce, Department of Foreign Affairs and Trade, Canberra, 1997, pp. 23-37.

  62. Stewart, 'National Office for the Information Economy: Cross-Portfolio Implications', Canberra Bulletin of Public Administration, no. 88, Institute of Public Administration Australia (ACT Division), Manuka, May 1998, pp. 83-6.

  63. Treasury, Corporate Law Economic Reform Program: Proposals for Reform: Paper no.5, "Electronic Commerce: Cutting cybertape - building business", AGPS, Canberra, 1997.

  64. S. Wallis, Financial Systems Inquiry: Final Report, AGPS, Canberra, March 1997.

  65. ATO, 'Tax and the Internet', Discussion Report of the ATO Electronic Commerce Project, Australian Taxation Office, AGPS, August 1997.

  66. JCPAA, Internet Commerce: To buy or not to buy?, Parliament of Australia, Joint Committee of Public Accounts and Audit, Report 360, Canberra, May 1998.

  67. NOIE, Annual Report 1997-98, The National Office for the Information Economy, Canberra, 1998.

  68. OGIT, Annual Report 1997-98, Office of Government Information Technology, Canberra, 1998.

  69. DIST, Getting Business Online, Prepared by the Information Industries and Online Taskforce, Canberra, May 1998.