Matthew L. James
Science, Technology, Environment and Resources Group
16 February 1999
Contents
Major Issues Summary
Glossary
The Internet as the Information
Superhighway
Introduction to the Internet
Electronic Commerce
Information Economy
Converging Insecurity
Cryptography Concepts
Electronic Encryption
Superhighway Robbery
Key Escrow
Authentication
Smart Cards and Beyond
Electronic Funds Transfer and Secure Electronic Technology
The Business Battle for E-commerce
Control
Credit Cards versus On-line Banks
Industry Codes of Practice
Privacy on the Net
Privacy Policies
Cyberspace Crime
Cryptography and Authentication Policies
Cryptography Law
OECD Guidelines
Public Key Authentication Framework
Engendering Trust
Appendix: Encryption and the United States
Clipper Chip Saga
Chronology of Commonwealth Initiative for the
Information Economy
Endnotes
The information revolution has provided part of
the world's population with a de facto information superhighway
that we know as the Internet. Use of these networks for on-line
purchases and some transactions forms just part of the growth in
global electronic commerce (e-commerce), which is actually a
broader use of information technologies by business and government.
Considering that, in 1997, Australia had 1.5 billion electronic
transactions, this is a significant, growing commercial sector.
However, the public remains concerned about privacy, security and
equitable access costs, perhaps not without reason.
Successive federal governments have conducted a
series of extensive policy studies about converging communications
and established various advisory organisations to reflect the
importance of the information sector. Perhaps necessarily, such
approaches have focused on industry development rather than
technical frameworks, security or consumer issues. In the event,
self-regulatory schemes apply to matters of privacy and content
provision.
Any e-commerce on the Internet becomes
potentially subject to interception, tracking or attack and thus
warrants the use of cryptography to code transmissions for security
and privacy. The encrypted data becomes reasonably secure assuming
safe handling at each end. Whether or not government or
organisations should have access to encrypted transmissions is a
current argument. There is a need for digital certificates to
establish the authenticity of on-line users and also a Public Key
Authentication Framework for security.
On-line currency movements may be facilitated by
secure electronic technologies but implementation is slow in
Australia with a risk of incompatibility between rival systems.
There is also a risk to consumers from unauthorised transactions
made by third parties. Industry codes of practice apply to
electronic funds transfer, smart cards and the Internet. Regulatory
controls may restrict e-commerce and other laws but might also
assist consumers so it may be necessary to achieve some balance in
the public interest.
Regulatory and policy measures span portfolios
but do not necessarily encompass wide interests or consumers.
Meanwhile, the information sector remains vulnerable to crime and
the paper provides several case examples. Underlying government
e-commerce programs is the need for secure and private broadband
capacity, which, if the Internet is anything to go by, has not yet
been achieved. Networks lack common standard protocols and
quality.
The specific matter of cryptography regulation
awaits resolution. Some nations have acted to restrict encryption
while others and the OECD advise against such bans. The United
States attempt to control encryption shows the pitfalls of such
technology regulation. Australia's on-line security policy effort
appears befuddled, inconsistent and without full public scrutiny.
We need wide trust for successful e-commerce, not just new
technology with restrictions. With the introduction of the
Electronic Transactions Bill 1999 the Government aims to provide a
strategic framework for e-commerce development. This paper
concentrates on the security aspects of the new information economy
age.
ATM
|
Automatic Teller Machine used for electronic
funds transfer.
|
Authentication
|
Process of confirming user identity or data
origin and integrity.
|
Biometrics
|
Identification using physical features or
behavioural characteristics.
|
Blind signature
|
Means to hide document contents and sender
identity from signer.
|
Broadband
|
Communications of high capacity and usually of
multimedia content.
|
Certificate
|
Digital signature combining data verification
and encryption key.
|
Certification
|
Creation of key certificates by a party trusted
by the user community.
|
Chaff/winnowing
|
Advanced encryption technique involving data
dispersal and mixing.
|
Compression
|
Process that reduces the amount of data to be
transmitted or stored.
|
Convergence
|
Integration of computing, communications and
broadcasting systems.
|
Cookies
|
Record of WWW URL visits stored in user's
computer memory.
|
Cryptography
|
Technique to scramble data to preserve
confidentiality or authenticity.
|
Decryption
|
Transformation of scrambled (encrypted) data
back to original form.
|
Digital cash/coins
|
Electronic money which only exists on-line or
with digital purses.
|
E-commerce
|
Integration of communications and data
management for businesses.
|
E-mail
|
Electronic mail transfer of unstructured
information between users.
|
EDI
|
Electronic Data Interchange automated business
information exchange.
|
EFT(POS)
|
Electronic Funds Transfer between accounts (at
Point of Sale).
|
Encryption
|
Transformation of data into scrambled form
before transmission.
|
Escrow
|
Legal storage of encryption keys in a secure
repository by third party.
|
Hash function
|
Compression of an input message into an output
number result.
|
HTTP
|
Hyper Text Transfer Protocol allows computers to
access the Internet.
|
Internet
|
Collection of interconnected networks for
e-mail, file transfer and login.
|
InternetTV
|
Internet (World Wide Web or Net) delivered by
standard Television.
|
Interactivity
|
Allows information users to respond to or
control the source flow.
|
ISP
|
Internet Service Provider for user access,
e-mail and data storage.
|
IT&T
|
Information Technology and Telecommunications as
multimedia.
|
Key
|
A numerical value used by an encryption
algorithm for security.
|
Multimedia
|
Integrated video, audio, text and data graphics
in digital form.
|
NOIE
|
National Office for the Information Economy for
Australia.
|
OECD
|
Organisation for Economic Cooperation and
Development.
|
OGO(IT)
|
Office of Government On-line (formerly
Information Technology).
|
PECC
|
Pharmaceutical Electronic Commerce and
Communication project.
|
PIN
|
Personal Identification Number enables user
access to EFT accounts.
|
PKAF
|
Public Key Authentication Framework for
certification services.
|
Private key
|
Allows decoding of a message encoded using a
matching key.
|
Public key
|
Allows transmission without previous exchange of
a private key.
|
Purses/wallets
|
Contain digital certificates for on-line use as
a form of digital cash.
|
SET
|
Secure Electronic Trading/Transaction security
standard for banking.
|
Smart cards
|
Plastic card with embedded integrated circuit
for information storage.
|
SVC
|
Stored Value Card variety of smart card used for
electronic money.
|
Trusted 3rd party
|
Network entity trusted by all others to manage
encryption information.
|
URL
|
Uniform Resource Locater machine address of
computer location.
|
WIPO
|
World Intellectual Property Organisation
|
WTO
|
World Trade Organisation.
|
WWW
|
World Wide Web Internet system that uses
browsers to handle data.
|
Introduction to the Internet
The terms 'information super-highway' or 'global
information infrastructure' refer to the trend of convergence of
communications networks, media and computing systems into one
system. However, through the rapid recent global growth of Internet
access and usage, that system of networks has become the default
information superhighway, though not as previously envisaged by
communications experts. The Internet is a global network
of networks, involving many different private, public and academic
computer systems linked by high-speed communications lines. These
use agreed standards (protocols and architectures) and digital
signals. Convergence is a process of network digitisation
for information and content that replaces the separate analogue
systems of the past. Convergence leads to easy data manipulation,
large storage capacity and interactivity.(1)
The World Wide Web has lately dominated
the Internet through use of commercial Web browsers and search
engines. The Web is composed of all computers that use and accept
the Hyper Text Transfer Protocol. They allow use of the
Web as a user interface system used to access the Internet through
browsers that present data in readable forms. The Web is a
multimedia system blending text, images, video and audio
transmissions. There are other directories, file transfer
protocols, categorises and remote access services on the Internet.
Further developments include news (discussion) groups, relay
(writing) chat, voice (telephone) chat, electronic mail
(e-mail), cyber (digital) electronic cash, messaging and
Web-Television.(2) The Web developed from defence and
academic networks and allows user access through each machine page
address called a Uniform Resource Locater (URL). The
domain name system that URLs access translates Internet names into
numeric protocols, sites, folders and file names, for information
transmission. There has been some inconsistency in domain name
registration, reflecting the chaotic nature of the Internet.
Australia's Internet infrastructure has evolved
awkwardly from academia, through Telstra and Optus
telecommunications carrier control of Internet Service
Provider (ISP) operation and global connections. ISPs serve
local Internet users by offering computer connections over
telecommunications lines. A number of ISPs are now establishing
their own international network links by undersea cable or via
satellite. Pay television operator Austar plans broadband microwave
service to bypass local Telstra or Optus cables.
InternetTV may provide an interface system for easier
consumer interface to the Internet using home televisions.(3) Data
compression technologies help to spread the Internet load among
lines already at capacity. Technical developments should improve
access, data speeds, transaction time and support. In future, ISPs
may evolve into Commerce Service Providers to facilitate multiple
business transactions as transaction costs continue to drop.
Studies note the growth in Internet shopping
coupled with user concern about access costs and lack of security.
While such shopping involves market access interstate and overseas,
it lacks personal contact, complete security and wide use as yet.
There are also wider concerns about adequate broadband line
capacity, particularly in rural and remote areas. An interesting
distinction is possible between the nature of physical goods and
electronic transactions. Both may have considerable value and yet
electronic commerce may defy any tangible, visible, identification.
As such, as yet, it is not subject to customs duties!
Electronic Commerce
The newer concept of electronic
commerce (e-commerce) is the use of on-line networks to
promote or sell products or services. It is also the process of
using electronic methods and procedures with information technology
as a tool, to conduct all forms of business activity. Electronic
commerce utilises different technologies and forms such as
electronic banking and trading, electronic funds transfer
(EFT), electronic data interchange (EDI),
electronic mail (e-mail), facsimile transfer, electronic
cataloguing, video-conferences and multimedia communications and
all other forms of sending electronic data messages between
enterprises. Earlier applications of EDI were too costly and
complex to succeed. The use of smart cards adds a further dimension
to enable on-line transactions around the globe.(4) The paper
defines some of these concepts later, but also, see the
Glossary.
The take-up of e-commerce is still small when
compared to the broader context of electronic transactions and cash
flows such as already occurs within banking systems. In a study of
the wider business sector and cash flows, the Australian company
www.consult estimates 1.5 billion
electronic transactions in Australia in 1997, of a total of 21
billion total movements involving some $16 trillion.(5) One
estimate for total business to business e-commerce in Australia in
1997 was $25 billion. The Internet component was around about $55
million spent on on-line retail shopping. Anderson Consulting
estimates the sales in Australia for e-commerce in 1997 to be $85
million or 0.02 per cent of GDP.
The most popular uses for the Internet have been
for academic research and business information, but now growth is
occurring in goods and services purchases. There are about 2
million people using the Internet in Australia. However, only a
small proportion of small businesses has come on-line. Aside from
business to business applications and the retailing of physical
goods, there may be e-commerce applications for financial services,
banking and professional consulting.(6) Already, experienced users
such as young professionals and youngsters are on-line and active.
However, speed, service, privacy, security and authentication risk
issues remain unclear and subject to varying policies.
Information Economy
With the convergence of telecommunications,
broadcasting and information system services, the United States
Government intends minimalist regulation cognisant of the strong
industry competition, decentralised nature and global aspect of
e-commerce. This may well match American industry interests, given
their leadership of Internet, but may not necessarily best suit
Australia. The information economy has implications across a wide
spectrum of portfolios but it is perhaps not clear as to how best
coordinate national direction for it. Nonetheless, convergence has
been the subject of a number of studies here.
When the concept of electronic convergence
arrived earlier this decade, studies outlined likely scenarios for
the provision of the new communications systems that linked to
information and broadcasting technologies.(7) They identified
possible service types for home entertainment, communications
services, transactions, business and on-line information. These
raised a wide variety of policy issues including matters of the
user demand for such services, the level of service access
available to the community and of information flows generally.
Further considerations included the degree of privacy found
on-line, content controls (particularly relating to violence and
pornography) and the imposition of taxation to on-line services.
Wider issues included the impact on culture, as well as cross media
and foreign ownership of the service providers. There also remained
a bandwidth management problem, requiring regulation or pricing,
and varying standards.
It was clear that the Federal Government had to
respond to the new age of the information economy and indeed it has
through a series of initiatives as outlined in the appended
chronology. These include various advisory organisations, major
reviews and studies, many of which have now ceased or been greatly
changed. The National Office for the Information Economy (NOIE) and
the Office of Government Online (OGO) now lie within the Department
of Communications, Information Technology and the Arts. An apparent
insecurity in OGO and NOIE appears inconsistent with a strong
Government regulatory interest and commitment to put the
Commonwealth on-line by the year 2000.
Considering that the Internet has not yet been
the subject of extensive Commonwealth legislation, there is some
impetus towards reviewing all telecommunications and broadcasting
legislation towards convergence. There is a review by the
Department of Communications of datacasting services to complete
before 2000, and the commencement of digital television
broadcasting, while the introduction of new Web-Television has
further implications. Broadband capacity infrastructure issues
arise with the role of Australian and overseas multimedia industry
remaining fragmented. Some observers suggest the need for a
complete review of all the legislation required for convergence
regulation noting the growing dominance of transaction management
relating to development of the service based economy.(8)
Some regard the fragmentation of information
policy across numerous agencies as a long-standing problem.(9)
While a series of reports has argued for a ministry of information
technology, this still does not exist in spite of NOIE, which
concentrates on business, and OGO, which handles Commonwealth
information technology policy. The information economy applies to
different degrees to all government portfolios. As the information
industry is primarily driven by the private sector, the Australian
Government like others has pursued a relatively non-interventionist
framework. It has upheld a 'no duties' or a (bits of information)
tax on the Internet. However, other problems of equity, privacy
protection and cryptography policy need resolution. There are wider
issues of intellectual property and consumer interests while the
matter of security is often also not considered.
Converging Insecurity
Given the apparently inevitable growth in the
use of information systems, Australia would seem to need an
appropriate regulatory and policy framework to facilitate on-line
services and accelerate the uptake of e-commerce to open new
opportunities. The framework might provide targeted awareness and
education strategies across all sectors to encourage broad
understanding. It may also resolve core infrastructure issues such
as broadband capacity and cost. It may stimulate market uptake by
identifying key agencies to promote on-line services while
recognising access and equity issues in a global context.(10)
Requirements of access, content, skills, technologies and costs
remain important, but an understanding of demand remains a primary
factor. Pilot projects have a useful access role especially if
linked to the provision of electronic government services.(11)
Much of Australia's communications legislation
to date has been based upon technology regulation. There is an
argument for technology-neutral regulation, in that the market and
society should be left to establish the most efficient on-line
network services. The interactive and participatory nature of
Internet use may evolve new activity patterns and fringe networks
that do not just maintain material consumerism or traditional
trade-flow diplomacy. Through joint enterprise, the industry would
value human capital skills for software and content development in
the global marketplace for software and content. Regulation might
then be only necessary to ensure matters of privacy, security and
costs.
Underlying all of this on-line economic activity
is the dependent need for secure access and systems to identify
both customers and business providers. Without the means to
securely transmit funds, data and documents over networks, it is
difficult to see how any electronic age could survive. Focusing on
such security aspects, this paper addresses the nature of
electronic transactions, before raising policy issues and options.
It is noteworthy that at the time of writing, a draft
Electronic Transactions Bill 1999 has emerged for public
comment. Yet it is probable that many persons have no idea of the
implications of such a Bill and e-commerce generally, let alone an
appreciation of the security aspects. As the discussion continues,
it will emerge, that matters of line capacity, taxation, standards,
and certification of secure transactions are all relevant as we
enter the Information Age.
Electronic Encryption
For some time now, most of us have used
electronic transaction systems such as automatic teller machines
(ATMs) and electronic funds transfer (EFT). These utilise closed,
supposedly secure, networks that are generally safe from
interception by using encryption or secure data coding.
Digital mobile telephone systems have also employed encryption to
help keep private conversations secure. However, their somewhat
limited system standard has enabled eavesdropping, perhaps
indicating that no technology is totally secure. Information
security has objectives including confidentiality (secrecy), data
integrity (non-alteration), authentication (identity
corroboration of an entity and data origin), and non-repudiation
(prevents the denial of previous commitments).
The arcane science of encryption is called
'cryptography', which, until recently, had been largely
the preserve of secret defence intelligence agencies, spies and
diplomatic officers. Encryption transforms data by the use of
cryptography to produce unintelligible (encrypted) data to ensure
its confidentiality. The inverse function of decryption
then converts transmissions back to normal form. Cryptography is
the study of mathematics related to aspects of information security
while cryptology is the study of cryptography. Cryptanalysis is the
use of mathematics to crack cryptographic techniques as employed by
a cryptanalyst. Cryptographic functions include encryption,
authentication and digital signatures, while cryptographic tools
are ciphers, hashes, codes and signatures.
Computer ciphers have two parts: a method, or
algorithm, plus a key number for access. Cipher algorithms
change symbols or strings of data. In traditional coding, both
parties to a secret message had to firstly share a private password
or key in order to cipher or decipher their messages. The sharing
of this key was in itself a weakness of the system if any other
party could get hold of the key. In the 1970s, scientists devised a
way of splitting the key into two parts, one public and one
private, linked by a complex mathematical relationship. Now it was
possible for one party to release a 'public key' to all
other parties, to enable them to encipher messages but only the
holder of the 'private key' could decipher them upon
return. With computing advances, the ability arose of including
such complex cipher routines in ordinary software. Sophisticated
cryptographic software now enables almost any computer user to
encode their transmissions for security. There are many forms of
encryption available that help make e-commerce transactions
reasonably secure.
Encryption techniques generally divide into two
types: symmetric (single, shared) private key, where the same key
is used for encryption and decryption, and asymmetric public (twin)
keys. The latter involves a public encryption key and a private
decryption key. Symmetric key ciphers are relatively short and have
high rates of data throughput, but need a trusted third party
manager, while public keys have larger ciphers and work slower.
Thus public keys are most often used to transport symmetric keys
for bulk data encryption and authentication or for encrypting small
data items such as credit card numbers and PINs. Private key
examples include DES, Blowfish, IDEA, LOKI and RC4. Public keys
include Diffie-Hellman, ElGama, PGP and RSA. Note that codes differ
from ciphers as they involve linguistic translations that may
complicate any cryptographic interpretation.(12)
Further types of encryption algorithms are the
'hash' type, used to compress data for signing, and
'signatures' used to sign and authenticate data. Examples of hash
algorithms are MD5 Haval and SHA while signatures include RSA and
DSA. Hash functions convert binary strings of arbitrary length to a
fixed length with a value. To enable Internet users to establish
their credentials for any transactions, the concept has arisen of
'digital certificates or signatures'. These are software
packages containing personal references and a private key. A
digital signature is a number dependent on some secret known only
to the signer and on the signed message content. To create a
digital signature, users begin with an electronic message and hash
it, that is, calculate a number using the contents of the message.
Hashing ensures message integrity, as any alteration would change
the result. Encrypting the resulting hash with a personal secret
key provides the certificate. To verify the digital signature,
users decrypt it with a public key and the hash technique to
provide the original hash result, and then rehash and compare the
result for verification. 'Blind signatures' have
applications when the sender does not want the signer to be able to
observe the document content or sender identity. A signature is a
means to bind information to an entity and so is fundamental in
authentication and non-repudiation especially between separated
parties.
Superhighway Robbery
To summarise, public key certificates are a
means by which public keys may be stored, distributed or forwarded
over insecure media without the danger of undetectable
manipulation. This allows one's public key to be made available to
others such that its authenticity and validity are verifiable.
Nonetheless, a weakness remains at each end of the secure
communications where the message and or private keys might be
revealed or available to third parties, or included within
software. A further weakness is the ability of advanced computer
systems to work out the mathematical formulae defined in keys and
thus decode messages within a reasonable time. This is achieved by
trying every possible combination of bits of information until the
code is broken.
Symmetric key lengths determine the security
level of the algorithm. If the key is 8 bits of information long,
there are 2 to the power 8, or 256 possible combinations. So, at
most, only 256 attempts are needed to find the key. With a 56 bit
key and a computer trying one million keys a second, it may take as
long as 2 285 years to find the correct key. For a 64 bit key, the
computer needs up to 585 000 years, assuming no easier way to break
the cipher than this brute force attack. However, specialised
computers can substantially reduce the breaking time and cost
involved. It appears that 56 bit keys are no longer safe, while 64
bit keys are within military budgets, suggesting that key lengths
should be 80 bits or more for medium term security. In the future
though, the use of viruses, neural networks, DNA or quantum
computing or even nano-technology systems may render keys subject
to resolution. Meanwhile, for public keys it is wise to utilise 1
024 bit numbers in order to remain secure for now. As public keys
may be used to secure systems for a long time, it is best to
achieve some balance between selection of private and public keys.
(13)
Encryption programs might also be circumvented
in a variety of ways that do not involve breaking the code.
Security is breached if a password or access phrase is disclosed to
third parties. A substituted public key may enable a perpetrator to
read encoded messages. Illegal recovery of deleted files may reveal
private details or keys. Viruses and 'Trojan Horses' can damage
encryption programs or insert procedures to allow substitute keys.
Computer viruses are a special type of program that may produce
undesirable outcomes and that spread across networks and computers
by making copies of themselves. A hoax virus is a message spread
among uses about supposed viruses in order to cause scares and
costs. Physical security breaches or espionage may reveal codes to
intruders. Traffic analysis of message movements between sites and
the data sizes may reveal sensitive information.(14) Public key
cryptography sometimes permits patterns to survive encryption,
making it vulnerable to cryptanalysis (the study of breaking
ciphers) by cryptologists.(15)
Various organisations have patents and standards
for cryptography. They include the International Organisation for
Standardization (ISO), the International Electrotechnical
Commission (IEC), the American National Standards Institute (ANSI),
the United States Federal Information Processing Standards (FIPS),
and the Internet Engineering Steering Group (IESG) of the Internet
Engineering Task Force (IETF), as well as private interests. A
Dutch company, DigiCash, owns most of the digital cash patents.
A new technique for sending secret messages
involves digital authentication and not message encryption. Called
'chaffing and winnowing', the technique splits the message
into tiny pieces. Each of these data bits are labelled with a
number and digitally signed before being interspersed with nonsense
data that also has numbers and appears to be signed. Only the
correct authentication key can separate or winnow the wheat of the
message from the chaff.(16) Maybe this will serve as the ultimate
encryption technique to preserve individual privacy and security on
the Net. This also shows that any regulatory attempts to thwart
encryption use may well be bypassed in future.
Key Escrow
Some governments have become alarmed at the
prospect of losing the ability to intercept private conversations
or transactions due to the use of cryptography. They cite the
battle against criminals, drug-lords and child pornographers as
warranting a ban on the use of encryption. However, the widespread
use of cheap ciphers over the Net has more or less thwarted any
bans. Nonetheless, communications agencies require access to data
for the purposes of system recovery after failure. Since all
transmissions may have the same key, the agencies may wish to keep
a register of private keys. Some governments propose that a copy of
every private key be held in trust by national security agencies
for their use in criminal investigations. This policy of
'private key escrow' has spawned opposition from civil
liberties groups and those opposed to government scrutiny. In the
United States, attempts to establish such an escrow agency failed,
as detailed in the Appendix.
Key escrow is a system to provide encryption of
user traffic such as voice or data so that the session keys used
are available to properly authorised third parties under special
access circumstances. Law enforcement agencies promoted the concept
while other uses might be for recovery of encrypted data following
its loss or destruction due to equipment failure. The United States
Escrowed Encryption Standard involved a computer ('Clipper') chip
with a unique identity number and a two-piece secret key stored by
two different agencies. However, users can already backup keys and
there is no guarantee for liability or that any escrow agency
itself is trustworthy. Thus, key escrow appears dead, bypassed by
the widespread availability of encryption products. However, key
backup is useful for good management reasons in applying to
archival data.
Authentication
'Certification' is the endorsement of
information by a trusted entity. A certificate consists of a data
part and a signature part binding identity to a key number.
However, a system is needed to authenticate the identity of public
key holders, as otherwise, illicit organisations might distribute
sham public keys among users. Major risks include corruption,
errors, criminal hacking and the organisation's vulnerability. This
requires a public key authentication authority (PKAF) as a
separate public or private organisation to vouch for each identity
and the public key.
A certificate authority is a trusted third party
agency that verifies identification, creates a recognised and
trusted document that certifies personal identity and issues the
document. The authority binds the identity of the certificate owner
to the public key contained within it. Authorities may be
independent commercial businesses. Alternatively, digital
certificates might be on a smart card or compact disc to enable use
with personal computers or InternetTV.
The use of biometrics may provide a final means
of absolute personal authentication. 'Biometrics' involves
the use of finger-scans (electronic fingerprint identification) or
eye-scans to identify individuals as indeed being the persons they
claim to represent. Such systems already operate, although there
has tended to be some human resistance to bodily scanning
techniques to prevent more widespread use of biometrics.
Intelligent smart cards may provide improved security having a
user's unique biometric measurement data (for voice, signature,
photo, fingerprint, and/or eyes).(17) Development proceeds on
rugged computer chip units that can detect and identify
fingerprints for use within smart cards.
Smart Cards and Beyond
'Smart cards' are credit card like,
portable, plastic envelopes encasing an integrated circuit, that
combine personal digital certificates and private keys within the
sealed confines of an electronic chip. Smart cards have uses as
'stored value cards', with money stored as an electronic
value in the chip, and/or as applications run from the card's
computer chip. Loaded with information and/or electronic cash
protected by an encryption scheme, smart cards may be a convenient,
versatile medium for business transactions. As stated earlier
however, any software package is liable to manipulation so there
remains a degree of uncertainty about the security of digital
certificates, although this situation also applies to normal
written signatures. However, cryptographers have already identified
techniques for breaking the security systems built in smart cards.
They cracked the codes by monitoring power consumption as the card
circuits performed cipher operations. Hackers can use less
expensive equipment to monitor a smart card's electronic responses
and hence gain user electronic account access as long as they have
a card to examine.(18) More devious means of using smart cards may
involve viruses or malicious key copies.
Among the types of stored value cards available
are anonymous disposable cards with a set value, anonymous
re-loadable cards, personalised re-loadable cards, multi-function
cards combining stored value, debit, credit or other functions all
on the one card. There are a number of different types of smart
card technology available. Intelligent Memory Cards provide for
telephone network access and credit card usage. Microprocessor
Cards enable user personalisation and crypto-processors for extra
security and encryption speed. Wireless non-contact cards combine a
querying device, either active or passive, and an answering device
for use in fields such as tollways, identification management,
position control and information media. However, all of these
different cards are not compatible as yet leaving the way open for
rival on-line monetary systems.
Smart cards may have various cryptographic
protocols and algorithms programmed into them and may operate as an
electronic 'purse' to be able to receive and spend digital
cash. They might also sign documents or perform authentication and
have encryption keys. Their actual computer memory is usually up to
8 kilobytes with an 8 bit microprocessor. An electronic
'wallet' is a small computer resembling a pocket
calculator containing a screen, keyboard, battery, and an infra-red
channel for communicating with other wallets. Each user owns and
uses their own wallet to administer their rights and ensure
security. The wallet allows operation independent of terminals,
off-line transactions and versatility.
Electronic Funds Transfer and Secure
Electronic Technology
Purses contain digital certificates for on-line
use as a form of digital cash or coins or electronic
cash (e-cash) and stored value money cards. Such a card with
value of up to a few hundred dollars need only be reasonably secure
compared to digital certificates and may provide for anonymous
transactions. Digital coins or electronic e-cash are like bank
notes with a message signed by the issuer that specifies the
issuer, value, expiry data, serial number and the Internet address
of the issuer, all as a digital signature. Using blind signature
technology, a technique that hides the document content from the
user, the customer chooses the serial number and then blinds it.
The coin issuer signs the blinded version and returns it to the
customer who then un-blinds it. This protects the payer's identity
and prevents any double spending. There may also be other similar
techniques.
The Secure Electronic
Transaction/Trading/Technology (SET) is a proposed
industry standard for payment card acceptance over the Internet. At
the system heart is a pair of digital keys, one public and one
private, held by each party to a transaction. In practice, banks
will give both keys to a customer together with a digital
certificate for authenticity. When customers wish to purchase over
the Internet, they firstly give the public key to the merchant
along with the certificate to prove its authenticity. Likewise, the
merchant provides its own public key and certificates to prove its
own bona fides to allow the transaction to proceed. Problems may
arise in key distribution and customer identification in order to
ensure that accounts and clients match.(19)
An actual transaction may have a number of
steps. Firstly, the consumer requests a purchase at a merchant's
Web site. Next, the purse at the merchant's Web server sends a
payment request to the consumer's purse. Thirdly, the consumer
confirms the payment and sends a message to the merchant to clear
the payment with the bank. The merchant's Web site then contacts
the bank for confirmation that the purse is valid and has unspent
funds. Then the bank sends confirmation to the merchant's Web
server and at the same time allocates the funds to a safe created
on the bank's system for that merchant. Finally, the merchant
software provides a receipt to the customer. Fortunately, this
long-winded process is completed by modern on-line systems within a
second or two. Various layers of encryption are applied to protect
these transactions. Note that, when a customer purchases funds from
the bank, these are debited to the consumer's account, but after
that, the use of the funds remains unknown to the bank, since they
are submitted by the merchant, not the consumer, for reasons of
privacy.
However, this is only one possible approach and
assumes standards and security levels that may not exist. In the
end, all parties involved in electronic transactions will have to
agree on common security standards to enable e-commerce to operate
successfully.
Credit Cards versus On-line
Banks
The development of different types of electronic
money could have considerable impact on e-commerce growth and may
not necessarily involve any government agencies. There may be a new
era of free banking, where privately issued currencies compete with
legal tender as the preferred medium of exchange. These new
currencies may be in market determined units to allow versatility,
security, low cost and privacy. Such development along with any
erosion of government revenue bases and possible law and tax
avoidance, means that an appropriate regulatory framework must be
achieved.(20),(21)
Law enforcement agencies still have concerns
about the possible uses of digital cash for money laundering and
tax evasion given that it is not currency. Note that issuers need
not be licensed as financial institutions, under current laws, with
many consequent legal implications.(22) However, since digital cash
may be the preserve of low-cost transactions, perhaps this is not a
crucial issue. The DigiCash e-cash and CyberCash 'Cybercoin' began
operation, but with only minimal takeup by merchants or banks, with
the result that DigiCash failed by late 1998. Australia's St George
Bank had used the DigiCash system. A number of merchant software
packages exist from Camtech, ABA, Telstra and Jadco, but it is
early days for SET use.(23) Telstra has combined a bar code with a
colour photographic identification card to produce a more resistant
security package. The Australian Information Technology and
Telecommunications Forum comprises major suppliers of IT&T
security products and applications. The Forum promotes an advanced
IT&T security industry but we are left to wonder about just how
secure is e-commerce. The Europay/Mastercard/Visa (EMV) combined
stored value cards (smart cards) system or credit/debit cards
involve electronic trading, software standards and public key
security.
Through SET, smart cards represent the next
obvious stage in the evolution of EFT to combine banking, travel,
telecommunications and information services access into one card.
There are many possible applications for smart cards in fields such
as social security, health care, payment, access control, education
and authentication on-line. Smart cards may particularly suit the
telecommunications, health and loyalty markets - the latter
exemplified by the success of take-up of the
Qantas-Telstra-ANZ-Visa-card in Australia. It may be that smart
cards would incorporate means of biometric identification to enable
users to log into computer systems or the Internet to conduct
secure transactions.
According to an industry analyst, the banking
industry has stalled e-commerce within Australia.(24) The cost and
complexity of SET means that most financial services institutions
are delaying rollout to the mass market until the turn of the
century. SET implementation requires substantial investment in
purchase and systems integration and construction of a digital
certificate authority and database management. Without a large
on-line market, banks have been reluctant to invest in order to
control SET distribution channels. Meanwhile, overseas credit card
companies, with their own vested interests, are promoting SET
technology to retailers by guaranteeing payment for goods delivered
when using it. Once more payments are made over the Net, consumers
may be less fearful, but in the meantime competing digital cash and
on-line money systems may take control over EMV.
Instead of SET, the Australian Pharmaceutical
Electronic Commerce and Communication (PECC) project aims to create
an Internet-based platform for communications between the
industry's outlets at wholesale and retail pharmacies, suppliers
and manufacturers. PECC handles processing, invoicing and
inventories for the $19 billion of Australian pharmacy sales each
year, with a significant proportion on the Internet. The PECC may
represent a transaction volume sufficient to force banks to unify
their electronic payment processes and also provide a link between
EDI and ordering systems.(25) A unified bill payment system is now
available under the commercial branded Bpay, E-Bill or giroPost
systems.
The risks of a lack of coordination in relation
to the introduction of smart cards could affect the economy,
business and public confidence, or governments as card issuers.(26)
In late 1998, Telstra called on all organisations promoting smart
cards in Australia to collaborate and avoid a proliferation of
separate technologies. Telstra urged the formation of a local
chapter of the Global Chip Card Alliance coalition of businesses
trying to establish worldwide standards for smart cards. Telstra
itself has provided 35 000 smart card Amper-brand payphones and
sold over 10 million smart Phonecards. Meanwhile, software giant
Microsoft proposed a wallet purse for approval by the SET
consortium controlled by credit card companies such as Visa and
Mastercard. A battle between Mastercard and Visa had led to early
delays and apparent lack of bank involvement. When the SET standard
was ratified in June 1997, it did ensure compatibility between SET
users.
There are other local initiatives that may or
may not apply elsewhere around the world. Dun & Bradstreet with
KPMG have developed an Australian digital certification product
Insite to help ensure safer trading for companies conducting
business on the Net. Trusted third parties issue site
identifications for installation on servers for authentication and
encryption. Only companies listed in the database can receive
Insite products. Meanwhile, the accounting profession has joined
forces to launch WebTrust, an assurance system for on-line
customers. WebTrust may guarantee that business members will adhere
to standard practices and controls. Each Internet entry would have
a report issued by the accountant to help ensure sound business
practice, transaction integrity and information protection.
Verisign issues Server Certificates to organisations after
verifying business legitimacy. Australia Post provides digital
signatures on a floppy disk for authentication.
Industry Codes of Practice
Modern business has to consider e-commerce
security strategies just as it has ever since credit card numbers
were accepted over the telephone without signatures. Business has
to consider external and internal threats, encryption, enterprise
authentication, firewalls, virtual private networks, SET and e-cash
through risk assessment. According to media reports, the
information industry faces uncertainty due to the lack of a
detailed national electronic signature scheme.(27) In general, the
wide variety of corporate initiatives undertaken to facilitate
e-commerce, have only resulted in different standards, software
quality and security levels. However, a number of industry codes of
practice exist.
The Australian Securities and Investments
Commission oversees the voluntary Electronic Funds Transfer Code.
This applies to all ATMs and Electronic Funds Transfer at Point of
Sale (EFTPOS) transactions involving a Personal
Identification Number (PIN). The Code requires card
issuers to notify customers with clear and accurate terms and
conditions of use, charges and restrictions. For the banking
industry, electronic systems have been a panacea to rising staff
costs, as well as providing considerable income. EFTPOS usage has
boomed in Australia, handling an average of over $5 million a day
with retailers charged monthly rental fees and ongoing charges of
one to three per cent of transaction values. Telephone banking may
rise to become a tenth of all transactions and EFTPOS half of those
by 2000 as branch banking declines. Internet banking should rise
accordingly. ATM use makes up the remaining portion of usage by
banking customers.
The Smart Card Industry Code of Conduct deals
with the collection and handling of personal information and
consumer protection. The Code establishes minimum standards of
practice for the collection, use, storage, security and disclosure
of information by smart card vendors. Code participants must also
recognise privacy principles. The privacy issues posed by smart
cards fall into categories of loss of anonymity, information
collection and the potential for them to develop into a national
identification card. A more insidious matter to users is that of
cost, since banks, card issuers and promoters propose fees for
issuance, renewal, transactions, reloads, interest and monthly
usage.(28)
The Internet Industry Association Code of
Practice for E-commerce was released in 1998. It covers businesses
that use the Internet to sell their products and services. The Code
implies use of fair trading practices, prohibits X-rated content
advises on payments means and costs.
It is possible that regulatory controls for
electronic transactions (e.g. EFTPOS) may restrict e-commerce and
conflict with other laws. With its all encompassing nature, the
success of e-commerce legislation depends in part on regulations
made by each of Federal, State, Territory and overseas governments.
While the objectives of some of the policy reviews listed in the
appended chronology may conflict, others may be complementary.
Proposals of self-regulation regimes or codes of conduct for
e-commerce require clear evaluation within the context of
regulatory impact statements and wide consultation processes.
Privacy on the Net
Successful e-commerce depends upon proving the
identity of persons on-line and linking them to a transaction
without repudiation. It must prevent system access by unauthorised
persons and computer applications, while preserving privacy and
security. Since e-mail is transmitted in plain text over unknown
pathways, residing for various periods on computer systems, it
allows illegal scanning of message contents using filter software.
An additional e-mail problem is the easy ability to forge sender or
recipient identity. While personal data might be kept private in
one country, any trans-border flow may not be secure upon the
transmission to another nation. Surveys of attitudes to privacy
on-line consistently reveal that the majority of Internet users
remain unconvinced that their on-line transactions are
secure.(29)
The most common invasions of privacy involve the
use of personal information by marketeers who gain information from
Web users either voluntarily or through software technology. Many
Web sites require patrons to register first before entering, often
divulging a wide array of personal details. As well, many Web sites
track user habits and preferences through the use of
'cookies' or data bits placed on the computer hard disk
that record Web page visits. Cases of identity theft have arisen
leading to calls for legislative protection against the invasion of
privacy, rather than through industry self-regulation. In August
1998, United States federal regulators charged that Geocities, a
popular Internet destination that provided free Web sites, misled
its two million members by secretly selling personal information to
marketeers. Geocities then agreed to advise customers of its true
data collection practices and allow them to delete personal data.
Customers had previously provided names, addresses, incomes and
occupations.(30) Whether Geocities intended to abide by a code of
practice is not clear, but calls for industry regulation
necessarily arise.
Privacy Policies
The Commonwealth has acted to address a number
of e-commerce privacy issues, initially concentrating on
information flows. On 30 April 1998, the Attorney-General announced
proposed amendments to the Copyright Act 1968 to cover
material on the Internet yet make exceptions for fair dealing and
ISPs. On 20 February 1998, the Attorney-General released
National Principles for the Fair Handling of Personal
Information, in conjunction with the Privacy Commissioner.(31)
These raised matters of minimum general standards, flexibility,
consistency and harmony with other laws. On 31 March 1998, the
Attorney-General's Expert Group on Electronic Commerce presented a
report on Electronic Commerce: Building the Legal
Framework. The report had three broad aims, to move towards
technological neutrality, create functional equivalence of all
forms of commerce and, the facilitation of international
harmonisation and standards. It thus related to matters of the
legal status of information and identification. Currently, the
Privacy Act 1988 partially implements the individual's
right to information privacy.
On 16 April 1998, the Government released twelve
Principles for Consumer Protection in Electronic Commerce
drafted by the National Advisory Council on Consumer Affairs. The
principles aim for technology neutral accountability and disputes
resolution including matters of information provision, dispute
resolution and privacy. These followed a 1997 paper from the Human
Rights and Equal Opportunity Commission on Information Privacy in
Australia.(32) The paper proposed a national self-regulatory scheme
for privacy protection in the private sector. Such matters assumed
the operation of a basic level of security on information networks
presumably provided by cryptographic systems. On 16 December 1998,
the Attorney-General announced legislation to protect the privacy
of personal and other data handled by the private sector, while
exempting employment records. The plan, to be developed in
consultation with States and Territories, will endorse industry
privacy codes of practice developed under a privacy framework,
rather than through regulation.
Cyberspace Crime
There are many aspects to crime on the
information superhighway. These range from illegal interception,
theft or piracy of telecommunications services, to telemarketing
fraud and transmission of offensive materials. Electronic vandalism
and terrorism, electronic funds transfer crime and money laundering
are further problems.(33) The extent of such telecommunications
related crime tends to defy detection, quantification or
territoriality. Law enforcement agencies may need special powers
and initiatives to counter such crime.
Australian lawyers have warned that consumers
may lose on unauthorised credit card transactions made over the
Internet.(34) The encryption software may reveal secret key
information or permit re routing via third parties that alter
information. Consumers may be left with little or no evidence to
prove any system breakdown. It may be possible for SET certificates
to be copied from a PC, allowing an intruder to illegally use a
card. This is just one of the many criminal opportunities available
on the Internet as we head towards the promised era of e-commerce.
Possibly merchants, rather than the card holders, commit the
majority of credit card fraud, at least according to media reports
of industry insiders.(35)
Internet attacks may include masquerades and
interception, unauthorised use, service denial (due to overload),
disclosure of sensitive information or alteration of materials.
Broader information warfare may include physical and electronic
attacks on computer network systems. Victoria Police suspect that 1
300 companies have fallen victim to computer hackers called 'Number
Crunch' who use the Internet to infiltrate and destroy corporate
systems, especially those without 'firewall' barriers.(36) Press
reports suggest that the United States Federal Bureau of
Investigation believes that hackers will eventually intercept web
transactions. Meanwhile, malicious persons have attempted to gain
personal bank account details and passwords by e-mail from people
who have just established ISP accounts.(37)
'Cyberbetting' or Internet gaming is an
interactive and growing business that uses a browser to provide
client access to different types of real or virtual gambling and
betting systems. While the United States and Singapore have acted
to prohibit such activities, other governments such as those of
Queensland and the Northern Territory have legalised them, with
regulations to license operators within consumer protection
guidelines. There appears to be some technological capacity to
control or ban on-line gaming but any national legislation would
have to consider the relevant financial, telecommunications and
foreign affairs implications. It is not difficult to conceive of
criminal activities associated with cyberbetting.
In a wider sense, two recent Australian reports
warn of the growing threats and vulnerability of the nation's
information infrastructure. The first, a confidential report to the
Defence Signals Directorate (DSD) by a former senior intelligence
officer, covers the threat to telecommunications, power supply, air
traffic control, banking and finance industries.(38) The second, by
an academic strategic analyst outlines similar vulnerability.(39)
On the other hand, the DSD is apparently listening to domestic
communications traffic in the manner of the British Echelon
eavesdropping system. Echelon performs a key word search on all
European messages including telephone, facsimile and e-mail.
According to the Organisation for Economic
Cooperation and Development (OECD), while the growing importance of
information and communications systems for the global economy and
society is evident, such systems and data are increasingly
vulnerable to threats such as unauthorised access, misappropriation
and destruction. The Australian Office of Government Online has
established an Inter-Agency Steering Committee to coordinate key
aspects of information technology. An Inter departmental Committee
to the Secretaries' Committee on National Security was set up by
the Attorney-General's Department to consider security
matters.(40)
The World Trade Organisation (WTO) has adopted
an Internet Duty Free Declaration not to impose duties on such
transmissions. The WTO further requires access guarantees to
telecommunications networks and free trade facilitation.(41) The
Australian Competition and Consumer Commission prepared a 1997
discussion paper on The Global Enforcement Challenge that discusses
compliance with fair trading principles in order to encourage
global market mechanisms including e-commerce over the
Internet.(42)
Overall though, given that e-commerce is largely
technology driven by competing corporate interests, we face a
plethora of standards, content controls and security levels. The
chaotic nature of the Internet itself reflects the mishmash of
communications standard protocols and network operations. There is
no guarantee that existing networks can cope with the anticipated
demands stemming from e-commerce. Computer systems have largely
evolved in an ad hoc manner without any centralised planning or
control. Therefore, any possible regulation must be carefully
focussed on the essential aspects, such as encryption.
Cryptography Law
Matters of cryptography, authentication, public
key technology, e-commerce taxation, on-line privacy, consumer
interests, intellectual property, content and the legal framework
all await resolution. There may be a need to separate the privacy
requirements for cryptographic technologies between the needs of
individuals, enterprises and governments. While individual security
and privacy may be a matter for personal choice, business systems
may need trusted systems with agreed appropriate standards that
link to directories of services and network users. There has been
some recognition that cryptography should follow international
guidelines while local rules for digital signatures may match those
devised by the Standards Association of Australia.
The Federal Attorney-Generals' Walsh Report was
released after a Freedom of Information request by Electronic
Frontiers Australia.(43) The Walsh report questioned attempts to
control encryption without public debate.(44) The report had a
useful glossary and among its conclusions upheld the benefits of
individual data security while noting the requirements of law
enforcement and security agencies. The report supported the need
for certification facilities but within OECD guidelines. It did not
favour legislative action, just reviews. Later, the Australian
Transactions and Reports Analysis Centre gave a Report of the
Electronic Commerce Task Force to the Commonwealth Law Enforcement
Board.(45) The report recommended a 'whole of government' response
to law and commerce on the Internet. The report explored law
enforcement issues for specific electronic payment
technologies.
However, in turn, the Telecommunications
Legislation Amendment Bill 1997 amended the Telecommunications
(Interception) Act 1979 to allow law enforcement agencies to
intercept transmissions on telecommunications networks. If a
Carriage Service Provider (CSP) encrypted data or supplied the
encryption to clients, the legislation required that the CSP must
have provided an interception capability. This does not apply to
client-encrypted traffic. Critics attacked the decision as a
restriction on encryption without formal policy. Note that from
1997, telecommunications carriers were required to obtain customer
proof of identity for the purchase of mobile telephone pre-paid SIM
smart cards.
Meanwhile, Australia's export controls for
cryptography are found in the Customs (Prohibited Exports
Regulations) Schedule 13E and the Customs Act 1901 section
112 (Prohibited Exports). Actual details of prohibited items
is listed in the Defence and Strategic Goods List of the
Australian Controls on the Export of Defence and Strategic
Goods Part 3, Category 5/2. All such cryptography software
requires a licence before export with the licence applications made
by the Defence Signals Directorate. Exemptions apply to exports for
personal use such as on small computers. However, given that
on-line software such as encryption routines is not a physical
good, some uncertainties arise.
A military treaty known as the Wassenaar
Arrangement provides export controls on weapons and cryptography
above 64 bits without Government approval. Renegotiated in late
1998, this Wassenaar Arrangement on Export Controls for
Conventional Arms and Dual-Use Goods and Technologies has a
preamble to exempt mass market and public domain software.
Australia disallows this waiver as does the United States, New
Zealand, France and Russia and 28 other nations although they may
choose to ignore the agreement. This applies to web browsers,
e-mail applications and telephone message scrambling software.
Vendors such as IBM, Sun, Microsoft and Netscape and civil
libertarians have lobbied against it. An Internet-based global
campaign continues promoting the free use of cryptography, ie.
without a surveillance capability, through bodies such as
Electronic Frontiers Australia. (See their Internet site at
http://www.efa.org.au/Issues/.)(46)
OECD Guidelines
On 27 March 1997, the OECD adopted a set of
guidelines on cryptography policy to balance the various interests
involved. In its view, cryptography should be subject to user
choice of the means of encryption, regardless of government views
to the contrary to control and monitor transmissions. The OECD
guidelines also uphold trustworthy cryptography and national
standards, preserve privacy, allow key access, and establish
liability under government coordination. Under the guidelines,
cryptography protects data confidentiality, verifies data
integrity, establishes authenticity, prevents unauthorised
modifications, repudiation and unauthorised use.(47) Certification
of the public key through informal trust or formalised authorities
remains an issue. Matters also arise of trust, choice, standards,
privacy, lawful access and liability.
Since 1997, OECD experts have so far found no
major failings in their guidelines, despite greater understanding
of the importance to e-commerce of cryptography.(48) There is broad
consensus on the need to introduce digital signatures, but there is
a need for a coherent approach, and caution, to the legal access of
encryption keys. Overall though, the threat of insecure
transactions on e-commerce remains a reality. While the United
States, France and the Council of Europe have proposed restrictions
on cryptography, through the Wassenaar Arrangement, the OECD
recommends free use for security and privacy.
Public Key Authentication
Framework
In the 8 December 1997 industry policy statement
entitled Investing for Growth, the Australian Federal
Government adopted the OECD cryptography guidelines as a basis for
Australian policy, i.e. a basis of user choice of encryption. In
October 1997, the Federal Government had announced the formation of
a body to oversee the development of a national system for on-line
authentication. Earlier in 1997, the new National Office for the
Information Economy developed a national e-commerce authentication
framework using PKAF as an infrastructure to distribute digital
signatures to prove on-line identities. NOIE convened a working
group of experts to report on its structure and functions by March
1998. On 19 August 1998, NOIE released a discussion paper on a
proposed model for a National Authentication Authority to serve as
a PKAF agency, albeit to some criticism. Note that in April 1996,
the Standards Association of Australia released for comment a draft
on strategies for the implementation of a PKAF in Australia.
In May 1998, the Federal Government released the
Gatekeeper, a public key technology strategy report and announced
establishment of the Government Public Key Authority. However,
Gatekeeper is separate from the PKAF initiatives project and is a
Commonwealth initiative to allow Federal Government communications
over the Internet secured by digital certificates. Developed by the
Office of Government Online in consultation with other agencies
including the DSD, the strategy published a two stage Government
Public Key Technology Authority process. Privacy considerations in
this allow individuals to hold key pairs with different labels.
Meanwhile, the Attorney-General's Expert Group
on Electronic Commerce examined the legislative requirements for
e-commerce. In September 1998, the Federal Government released for
public comment two draft secure electronic transaction standards
relating to the PKAF. The first proposed a profile for digital
certificates while the second proposed a set of rules to support
the certificates. In August, the Certification Forum of Australia
was formed by the e-commerce industry to provide
authentication.
The Parliamentary Joint Committee of Public
Accounts and Audit further examined these new challenges in matters
of consumer protection and privacy, supporting a legislated privacy
regime within an international context.(49) Some see the need to
clearly separate the requirements for privacy-enforcing
cryptographic technologies between the needs of individuals,
enterprises and governments.(50) A diversity of encryption types
may prevail. Others deplore the paucity of consumer or privacy
considerations to the Gatekeeper and PKAF initiatives or the
assumption of a need for any trusted third party key register.(51)
There may be alternatives to PKAF type 'identity' authentication in
terms of value or attribute characteristics and use of anonymous
transactions with wide protection.
Engendering Trust
Computer commerce is a new means of business
communication, meaning and culture. At the broadest level,
e-commerce is e-business, while a narrower definition includes only
the Internet and EDI, or just the Internet. Small business sees the
Internet as a creative aid and marketing tool for client
communications within an age of information technology. Internet
take up by small business is still a small portion of activity.
Australia may be lagging behind overseas nations in e-commerce,
apparently for reasons of security and privacy concerns, an absence
of e-commerce culture, poor access and knowledge.
As an incentive, it is necessary to engender
trust on-line because of the lack of face-to-face
communication.(52) People use a form of money that they trust,
provided they have access, convenience and the form of money yields
information, meaning and provides value. Trust involves matters of
authenticity, encryption and the security of transactions as well
as control, comfort and caring aspects. Comfort relates to
familiarity and reputation while caring demonstrates benevolence,
intimacy and a desire to communicate to clients.(53) Through trust,
we can establish confidence, then reliance and dependence on
e-commerce.
Successful e-commerce is a matter of trust and
not just blind use of new technology. Therefore, appropriate
legislation will be a prerequisite for the most effective entry
into the Information Age. It will determine if there is to be a
global black market and manipulation of electronic business, or
Australian-led innovation in on-line services. Our Australian
regulation will establish the liability of certification
authorities for private key misuse, erroneous orders, and security
breaches whether made from here or overseas. It is though, a
mammoth task.
For now, Australia has a proposed Electronic
Transactions Bill 1999 designed to bring our e-commerce into line
with the United Nations Commission on International Trade Law model
law on electronic commerce. While this may allow e-commerce to
operate in a valid legal manner, wider questions remain about
network security, content control and technical standards. Without
an Australian PKAF operating, local e-commerce may well be
hamstrung, as it already is without an agreed SET regime. Granted,
competing interests may well eventually determine these outcomes,
but Australians must be able to preserve their own interests within
the global information economy. We also have an opportunity to
develop a successful, exporting information technology industry if
we get regulation right.
In 1993, the White House announced the Escrowed
Encryption Initiative consisting of Skipjack, a classified
algorithm implemented on the tamper resistant Clipper Chip. The
scheme proposed that the United States Government keep a copy of
the decryption key for all encryption equipment produced. The Key
Escrowed Encryption System of the Clipper Chip was an initiative of
the National Security Agency introduced on 16 April, 1993. The key
was generated and programmed onto the chip after the chip was
manufactured but before placement into its security product. The
two safe keepers were the Treasury Department's Automated Systems
Division and the National Institute of Standards and Technology.
The two provisions of two independently escrowed keys and the
voluntary nature of the program were intended to reassure the
public and business about system security and dependability.
Unlike scrambled messages produced by public key
systems, which remained essentially impossible for non-recipients
to intercept, Clipper telephones were vulnerable to anyone who
might be able to obtain their codes. Under the United States plan,
the Federal Government maintained a master list of identity numbers
for all Clipper devices ever sold. Each number was split in two
with each half 'escrowed' by a government agency. In appropriate
cases, such as for a wire tapping, the agency would have reunited
the two halves in order to intercept telephone calls. Access to the
escrowed numbers remained a weak link in the Clipper system.
The Clipper Chip, officially known as the
MYK-78T device programmed by Mykotronx Inc of California came built
in to telephones and modems in order to scramble messages through
the secret Skipjack encryption algorithm. Skipjack worked with
several 'keys' or unique numbers built into the chip and supplied
with telephones to produce an encrypted code for digital
communications. The Clipper plan required no legislation in the
United States and existed as a voluntary standard there for all
government contracts and purchases. It forced no-one else to use
the system, but generated much controversy. By 1995 though, the
Clipper Chip had not won market acceptance and was abandoned. As an
alternative to the Clipper Chip, 128 bit encryption technology has,
for some time, been available off the Internet.(54)
Since its inception and routine use, the Clipper
Chip faced great opposition from the business community and
professional groups. They claimed a compromise of individual
privacy, cost and disadvantage with respect to overseas information
services. They preferred private encryption or use of an
international agency such as the World Trade Organisation or the
International Telecommunications Union. Many governments remained
opposed to the use of strong cryptography in products designed for
the international market. Internet enthusiasts meanwhile used their
own packages, such as PGP, public keys and digital signatures.
PGP or Pretty Good Privacy brought encryption
technology to the average desk top computer user. Version 5 became
an e-mail standard tool for wide, free usage. Each encrypted
message was preceded by a phrase mentioning PGP use, which showed
that a coded transmission was occurring. This evidence was
tantamount to proof of illegal activity in countries where
cryptography was prohibited. Another public system masked ciphered
material within a video picture so that it was not evident that
cryptography was in use. It has also been possible to alter digital
images, but new masking can detect whether any tampering has
occurred to the data that makes up images. The American developer
of PGP became himself subject to national security agency
investigation as those very same organisations began to learn to
cope with the release of their very own style of encryption
techniques onto the world stage. So the saga of the Clipper Chip
continued on.
United States key management remains under fire
with its ban on the export of over-56 bit encryption techniques.
The American Government will not permit exports of cryptography
products above 56 bits unless applicants can demonstrate key
management infrastructure plans. This involves storage of keys with
a third party that would provide access to government law
enforcement or national security agencies. Critics argue that the
policy has driven encryption technology development overseas. The
United Kingdom has instead proposed a voluntary key recovery
program while the European Union opposes the United States policy
on the grounds of free trade and privacy.(55) A newer proposal is
for the use of trusted third party systems, a key recovery system
rather than an escrow system. On production of a court order, the
key recovery agency would reconstitute the message without
recovering the key. However, there is a potential for corruption in
such activity.
Media reports claimed that by using a single,
custom-built computer costing less than $400 000, RSA Data Security
of San Mateo CA sponsored experts from the Electronic Frontier
Foundation, a San Francisco based non-profit civil liberties group,
to crack a widely used method for scrambling sensitive data within
three days. Previous attempts had taken five months and later only
39 days to unscramble similar electronic messages. The breakthrough
attempt tested 88 billion possible combinations every second for 56
hours until it unscrambled the Data Encryption Standard encoded
message. The Standard had 56 bits, while the United States
Government had prohibited the export of encryption products
stronger than 40 bits.(56) Meanwhile, the Americans for Computer
Privacy lobby group and others claimed that 128 bit encryption was
now the world standard for e-commerce.
Milestones
|
Details
|
Source Documents
|
1995
Broadband Services Expert Group Report
|
The 1995 Broadband Services Expert Group Report
to the Commonwealth Minister for Transport and Communications
emphasised the content and cultural dimensions of information
policy to serve the whole community. The open, participatory and
egalitarian nature of the Internet tended to defy any prescriptive
approach.
|
(57)
|
July 1995
OGIT/OGO
|
The Commonwealth established the Office of
Government Information Technology (OGIT) to provide a coordinated,
efficient approach to information use within the Australian Public
Service. Now renamed as the Office for Government Online (OGO), it
provides the Commonwealth Government Entry Point on the Internet
found at http://www.fed.gov.au/. OGO also
coordinates the national response to the Year 2000 (Y2K) computer
problem.
|
(58)
|
August 1997
IPAC
|
A milestone was the Information Policy Advisory
Council (IPAC) report. IPAC was a high-level advisory body to the
Commonwealth for on-line information and communications services
and technologies until it ceased in 1998. The IPAC report stressed
Australia's IT&T advantages. The report elaborated on
constructive Government programs to facilitate IT&T as an
economic force. IPAC recommendations addressed matters such as
financial payment systems and cross-border trade, taxation, secure
data protection, privacy and intellectual property protection.
Further recommendations concerned electronic transaction law,
consumer protection matters, content regulation, IT&T
infrastructure and technical standards and system protocols. The
IPAC report prompted government recognition of the importance of
information and communications services industries for small to
medium enterprise growth and trade.
|
(59)
|
July 1997
Goldsworthy
|
The Goldsworthy report to the Commonwealth
Government noted the key role of the information industries in
enabling businesses to compete internationally. Among its
recommendations was benchmarking Australia's taxation regime with
those found overseas. The report's focus was on incentives and
subsidies for encouraging investment rather than any analysis of
technical frameworks, security or consumer issues. Critics
contended that it ignored questions of equitable demand for
information services. This contrasted to the 1995 Broadband
Services Expert Group Report.
|
(60)
|
1997
Silk Road report
|
A 1997 Department of Foreign Affairs and Trade
(DFAT) report considered elements of an on-line trade strategy in
the context of the rapid regional growth in e-commerce. These
matters included the financial and payment systems, consumer
protection, intellectual property, cryptography, encryption,
authentication, certification, secure electronic transactions,
content regulation, legal and social issues, and privacy. The
subsequent DFAT On-line Trade Strategy aimed to identify practical
export industry promotions.
|
(61),(62)
|
1997
Corporate Law
|
The Commonwealth Treasury Corporate Law Economic
Reform Program study proposed various measures for corporations law
and securities commission involvements to ensure the verification
of electronic documents, contracts and records. This may lead to
electronic distribution of prospectuses and legal title to debt
securities.
|
(63)
|
1997
Financial Systems
|
A related review was the Wallis 1997 Financial
Systems Inquiry that considered impediments to e-commerce amongst
many broader issues. E-commerce matters arising from the World
Intellectual Property Organisation apply through the Attorney
Generals Department.
|
(64)
|
1997
Taxation
|
The Australian Tax Office released a report to
examine ways in which electronic transactions impact on taxation
and might be dealt with. The paper recommended limits on
transactional and user anonymity in electronic payment systems so
that these didn't allow a tax evasion.
|
(65)
|
May 1998
Internet Commerce
|
The Parliamentary Joint Committee of Public
Accounts and Audit produced its report on Internet commerce.
However, the report actually examined matters of taxation concepts
such as source, residency and permanent establishment and
strategies for collecting taxes on electronic transactions. It
recommended ongoing monitoring of such matters and many specific
practicalities but little in terms of security aspects.
|
(66)
|
December 1997
Ministerial Council
|
The Federal Government's 8 December 1997
Investing for Growth policy statement led to the
establishment of a Ministerial Council for the Information Economy
to develop a national information and on-line services strategy.
The Council aimed to frame an approach to e-commerce and encouraged
and educated business and wider communities to move on-line.
|
|
1998
NOIE
|
The National Office for the Information Economy
(NOIE) supported the Council in its broad policy role to coordinate
regulatory, legal and physical infrastructure for on-line
activities as well as electronic service delivery by government.
NOIE held an e-commerce summit in April 1998 along with regional
events to help raise awareness. The organisation has also been
active in promoting the consistency of the Commonwealth's position
at international forums on e-commerce. NOIE has produced strategy
papers and reports on legal and regulatory frameworks.
|
(67)
|
1998
AIECA
|
In late 1998, the Government abolished the NOIE
advisory board to replace it with the new Australian Information
Economy Advisory Council (AIECA) to provide high level industry and
community input to Government decision making on information
industry and economy.
|
|
6 May 1998
Project Gatekeeper
|
OGO launched Project Gatekeeper to facilitate
digital security for Commonwealth communications. The Federal
Government aimed to deliver all appropriate Commonwealth services
on the Internet by 2001. Electronic payment is also to become the
normal means by 2000 along with a government-wide Intranet
(internal network) for secure on-line communications.
|
(68)
|
1998
PARRA
|
The Federal Government established the Policy
and Root Registration Authority (PARRA) to oversee development of a
digital signature system.
|
|
1998
DISR Business
|
The Australian Electronic Business Network
(AeBN) is a national, non-profit, organisation that targets small
business with software designed to encourage take-up of on-line
technologies. A related aspect is the Networked Enterprises Web
Strategy. Other initiatives apply to the pharmaceutical industry,
tele-medicine and IT&T that involve training strategies and
industry targets. The Department of Industry, Science and Resources
(DISR) Business Online and Technology Initiative aims to foster
on-line business trading and information systems through training
and demonstration centres, commerce systems and high performance
computing centres. Other DISR programs include educational support,
disabled access support and awareness campaigns.
|
(69)
|
January 1999
Transactions Bill
|
The Commonwealth released a draft Electronic
Transactions Bill concentrating on the validity of electronic
transactions within the legal environment, but without specifying
any technology or a dedicated signature regime.
|
|
January 1999
Transigo
|
Following a chequered history, the Commonwealth
decides to terminate its contract with the Transigo e-commerce
system provided by Telstra.
|
|
January 1999
Information Economy
|
Government releases a strategic framework for
the information economy identifying priorities for action.
|
|
February 1999
New Silk road
|
DFAT releases two new reports on 'Creating a
Clearway on the New Silk Road' and 'Driving Forces on the New Silk
Road'. These reports document the growth of the Internet in trade,
competitive advantages of e-commerce, Australian success and the
need for prompt online action.
|
|
-
- C. R. Blackman, 'Convergence between telecommunications and
other media: How should regulation adapt?', Telecommunications
Policy, vol. 22, no. 3, April 1998.
- P. Budde, Information Technology Management Report
1997, Paul Budde Communication Pty Ltd, Bucketty, 1997.
- M. L. James, 'Wait - there's more: the Internet on your very
own home television!', Research Note no. 24, Department of
the Parliamentary Library, Parliament of Australia, Canberra,
February 1997.
- M. L. James, 'Towards the Cashless Society?', Research Note
no. 48, Department of the Parliamentary Library, Parliament of
Australia, Canberra, 25 June 1996.
- DIST, Stats.: e-commerce in Australia, Information
Industries and Online Taskforce with www.consult, Canberra, April 1998.
- Magaziner, 'E-commerce and Mankind's Last and Greatest Hope on
Earth', Communications Law Bulletin, vol. 17, no. 2, 1998,
pp. 10-14.
- M. L. James, 'Broadband Convergence on the Information
Superhighway', Background Paper no. 24,
Department of the Parliamentary Library, Parliament of Australia, 2
December 1994.
- T. Cutler, 'Keynote Address', Proceeding: Communications
Research Forum 1998, Department of Communications and the
Arts, Canberra, 24-25 September, 1998.
- J. Thomas, ''Towards Information Policy', Media
International Australia, no. 87, May 1998, pp. 9-14.
- E. Richardson, S. Miller and S. Singh, 'Effective use of
on-line services', CIRCIT Policy Forum Report, Bowral
20-22 November 1997, Centre for International Research on
Communication and Information Technologies, Melbourne, December
1997.
- T. Sewards, 'International Government Approaches to Stimulating
the Uptake of New On-line Services', CIRCIT Research Report no.
17, Centre for International Research on Communication and
Information Technologies, Melbourne, January 1998.
- J. Menezes, Handbook of Applied Cryptography, CRC
Press, Boca Raton, 1997.
- Schneier, Applied Cryptography: Protocols, Algorithms, and
Source Code in C, Second Edition, John Wiley & Sons, Inc.,
New York, 1996.
- Davidson, 'E-mail, encryption and electronic security', Law
Institute Journal, vol. 71, no. 11, November 1997, pp. 26-30.
- P. R. Zimmermann, 'Cryptography for the Internet',
Scientific American, vol. 279, no. 4, October 1998, pp.
82-7.
- K. Kleiner, 'Making sense of absolute nonsense', New
Scientist, 4 April 1998, p. 12.
- P. Budde, Information Technology Management Report
1998 and Telecommunications Strategies Report -
1997/1998, Paul Budde Communication Pty Ltd, Bucketty, 1998.
- J. Peterson, 'Power Cracking of Cash Card Codes', Science
News, 20 June 1998, p. 388.
- J. Davidson, 'Scrambling for security in the digital world',
Australian Financial Review, Sydney, 30 March 1998, p.
sr6.
- S. Rimmer and R. Prasad, 'Electronic Money and Electronic
Commerce: A regulatory best practice approach', Canberra
Bulletin of Public Administration, Institute of Public
Administration Australia (ACT Division), Manuka, no. 88, May 1998,
pp. 29-38.
- S. Lang, 'Electronic Commerce: The Threat to Revenue'?
Research Paper forthcoming, Department of the
Parliamentary Library, Parliament of Australia, Canberra, 1999.
- Tyree and A. Beatty, 'Digital Cash in Australia', Journal
of Banking and Finance Law and Practice, vol. 9, no. 1, March
1998, pp. 5-11.
- R. Chirgwin, 'E-Payment at the Starting Gate', Australian
Communications, July 1998, pp. 61-8.
- P. Budde, 'E-commerce not until late 1999', Information
Superhighways, vol. 5, no. 6, Paul Budde Communication Pty
Ltd, Bucketty, July 1998.
- R. Chirgwin, 'Internet Commerce: Size Does Matter',
Australian Communications, August 1998, pp. 17-8.
- GTTC, Smart Cards as National Infrastructure: Results and
Recommendations of an Inter-Governmental Review, Government
Technology and Telecommunications Committee, Final Report,
September, ACT Government Printer, Canberra, 1997.
- J. Foreshew, 'Industry welcomes e-trading law plan', The
Australian, 12 December 1998, p. 32.
- Connolly, 'Smart Cards and Privacy', Telecommunications
Journal of Australia, vol. 48, no. 2, 1998.
- M. Scollay, 'Privacy Protection in Australia: How far have we
come?', Telecommunications Journal of Australia, vol. 48,
no. 2, 1998, pp. 7-14.
- J. Gruenwald, 'Who's Minding Whose Business on the Internet?',
Congressional Quarterly Weekly, 25 July 1998, pp. 1986-90.
- OPC, National Principles for the Fair Handling of Personal
Information, Office of the Privacy Commissioner, Human Rights
and Equal Opportunity Commission, February 1998.
- HREOC, Information Privacy in Australia: A National Scheme
for Fair Information Practices in the Private Sector, Human
Rights and Equal Opportunity Commission, August 1997.
- P. N. Grabosky and R. G. Smith, Crime in the Digital Age:
Controlling Telecommunications and Cyberspace Illegalities,
Transaction Publishers, The Federation Press, Leichardt, 1998.
- H. Meredith, 'Internet customers warned against banking on
encryption', The Australian Financial Review, 26 June
1998.
- M. Banaghan, 'Visa plays a smart card to stop new services from
getting all the credit', Business Review Weekly, 12
October 1998, p. 98.
- Carson, 'Hackers leave calling card', The Melbourne
Age, 21 July 1998, p. 3.
- Fox, 'Spam scam nets newbies', New Scientist, 31
October 1998, p. 7.
- DSD, The National Information Infrastructure: Threats and
Vulnerabilities, Defence Signals Directorate, Department of
Defence, Canberra, February 1997, 16pp, unpublished.
- Cobb, 'Thinking about the Unthinkable: Australian
Vulnerabilities to High-Tech Risks', Research Paper no.
18, Department of the Parliamentary Library, Parliament of
Australia, Canberra, 29 June 1998.
- G. Barker, 'The next big crash', Australian Financial
Review, 6 April 1998, p. 16.
- I-Ways: Digest of Electronic Commerce Policy and
Regulation, Second Quarter, Virginia, 1998.
- ACCC, 'The Global Enforcement Challenge: Enforcement of
consumer protection laws in a global marketplace', Discussion
Paper, Australian Competition and Consumer Commission, AGPS,
August 1997.
- G. Walsh, Review of Policy Relating to Encryption
Technologies, Attorney-General's Department, Canberra, 10
October 1996.
- Connolly, 'Back door code curbs', The Australian, 11
November 1997.
- AUSTRAC, Report of the Electronic Commerce Task Force to
the Commonwealth Law Enforcement Board, Australian
Transactions and Reports Analysis Centre, November 1996.
- G. Taylor, 'Cryptography Policy: Overdue for Reform',
Communications Law Bulletin, vol. 17, no. 3, pp. 18-20,
1998.
- OECD, Cryptography Policy: the Guidelines and the
Issues, Organisation for Economic Co-operation and
Development, Paris, 1988, p. 22.
- OECD Emerging Market Economy Forum: Report of the Workshop on
Cryptography, OECD Working Papers, no. 1, Paris, 1998.
- JCPAA, Internet Commerce: To buy or not to buy?,
Parliament of Australia, Joint Committee of Public Accounts and
Audit, Report 360, Canberra, May 1998.
- Caeli, 'Privacy, Cryptography and Global e-Commerce',
Telecommunication Journal of Australia, vol. 48, no. 2,
Telecommunication Society of Australia, Sydney, 1998, pp. 15-20.
- N. Waters, 'Privacy under Pressure: Competing Public Interests
in Cryptography and Related Policy', Telecommunication Journal
of Australia, vol. 48, no. 2, Telecommunication Society of
Australia, Sydney, 1998, pp. 53-9.
- S. Singh and C. Slegers, 'The Story of Small Business and
Electronic Commerce', Policy Research Paper no. 43, Centre
for International Research on Communication and Information
Technologies, Melbourne, June 1998.
- S. Singh and C. Slegers, 'Trust and Electronic Money'
CIRCIT Policy Research Paper no 42, Centre for
International Research on Communication and Information
Technologies, June 1997.
- W. Diffie and S. Landau, Privacy On The Line: The Politics
of Wiretapping and Encryption, MIT Press, Cambridge 1998 and
P. E. Agre and M. Rotenberg, (eds), Technology and Privacy: The
New Landscape, MIT Press, Cambridge, 1998.
- Johnson, 'Encryption Policies remain controversial',
I-Ways: Digest of Electronic Commerce Policy and
Regulation, Second Quarter, Virginia, 1998, pp. 26-33.
- T. Bridis, 'US Experts Break Widely Used Data-Scrambling
Method', AAP, 18 July 1998.
- T. Flew, 'The Goldsworthy Report: Credibility and Australian
Information Policy', Media Information Australia, no. 87,
May 1998, pp. 15-22.
- M. L. James, 'Date with Destiny: The Year 2000 Computer Bug',
Research Note no. 35, Department of the Parliamentary
Library, Parliament of Australia, Canberra, March 1998.
- IPAC, A national policy framework for structural adjustment
within the new "Commonwealth of Information", Information
Policy Advisory Council, Department of Communications and the Arts,
Canberra, August 1997.
- Goldsworthy, The Global Information Economy - The Way
Ahead, Report of the Information Industries Task Force,
Department of Industry, Science and Tourism, August. 1997.
- DFAT, Putting Australia on the New Silk Road: The Role of
Trade Policy in Advancing Electronic Commerce, Department of
Foreign Affairs and Trade, Canberra, 1997, pp. 23-37.
- Stewart, 'National Office for the Information Economy:
Cross-Portfolio Implications', Canberra Bulletin of Public
Administration, no. 88, Institute of Public Administration
Australia (ACT Division), Manuka, May 1998, pp. 83-6.
- Treasury, Corporate Law Economic Reform Program: Proposals
for Reform: Paper no.5, "Electronic Commerce: Cutting
cybertape - building business", AGPS, Canberra, 1997.
- S. Wallis, Financial Systems Inquiry: Final Report,
AGPS, Canberra, March 1997.
- ATO, 'Tax and the Internet', Discussion Report of the ATO
Electronic Commerce Project, Australian Taxation Office, AGPS,
August 1997.
- JCPAA, Internet Commerce: To buy or not to buy?,
Parliament of Australia, Joint Committee of Public Accounts and
Audit, Report 360, Canberra, May 1998.
- NOIE, Annual Report 1997-98, The National Office for
the Information Economy, Canberra, 1998.
- OGIT, Annual Report 1997-98, Office of Government
Information Technology, Canberra, 1998.
- DIST, Getting Business Online, Prepared by the
Information Industries and Online Taskforce, Canberra, May
1998.