May 1997
In the area of ICT (Information and Communications Technologies) EURIM is a link between Commerce and Industry, Parliamentarians, Whitehall and Brussels.
Introduction
Summary of Issues and Actions
The Current Situation
Need for a Common Framework
What are the key issues?
Annex 1 : What is Cryptography?
Annex 2 : Role of Trusted Third Parties (TTPs)
Annex 3 - Glossary
Annex - EURIM Response to DTI Consultation Paper on Licensing of TTPs
The continued economic well being of the UK and her European partners will depend on the ability to exploit electronic commerce effectively in the global marketplace. Electronic commerce operates over networks, both on privately owned and managed systems and over publicly accessible facilities such as the Internet. Networks are inherently insecure. The trust on which trade depends relies increasingly on the degree to which the actual content of stored or transmitted information can be protected from unauthorised access and alteration. Trusted means are also needed to establish other properties of information, such as who owns it, who sent it and that it was received.
The enabling tool for providing this trust technically is cryptography. Used in communications systems for many years, it was until recently tightly controlled and rarely used outside the military and Governments, and its civilian use is still illegal in some countries. Commercial pressure for use of cryptography to protect electronic information is increasing, as is the number of products using cryptography available in the marketplace. Governments are concerned to retain the ability to intercept and read communications for reasons of national security and therefore want to continue to limit the availability of cryptography. This conflict of interest could inhibit growth of secure electronic free trade.
Policy decisions must be made on whether the use of cryptography should be controlled and, if so, by whom and in what manner. Solutions must be internationally effective - but there will still be significant problems of jurisdiction. Suggestions such as that cryptography could make transmissions of pornography over the Internet difficult to trace, and make it difficult to counter terrorism and organised crime, has led to a growing pressure for "something to be done". EURIM is concerned lest over hasty legislation, triggered by the activities of one small sector of interested parties only, results in generic law that will hinder legitimate commerce.
1. There is a need for an internationally acceptable, practical, legal and commercial framework for establishing trust in electronic information.
2. The priority is to establish processes relating to integrity, authentication and non-repudiation as the basis for trust in electronic commerce.
3. A proper balance needs to be struck between the business need for an adequate level of security of information, and the requirements of national security and law enforcement.
4. Any regulations imposed should not unduly expose the honest trader or citizen to fraud resulting from them being unable to use controls of adequate strength.
5. A pan-European initiative is urgently needed to create a strong, consistent framework that encourages the unrestricted supply and use of security products across Europe that can counter the dominant US industry position.
6. Trusted Third Parties, while a key element of any solution, are themselves only part of that solution.
For electronic commerce to operate with trust between the various parties, two distinct sets of facilities are required. The first need relates to proving that the content of electronic information (documents, messages, etc.) has not been altered, and that the owner, originator and recipient can be linked positively to that information - requirements such as integrity, authentication and non-repudiation. This can, broadly, be compared to the company letterhead, the written signature and seals used on paper documents. The second need relates to ensuring that only those allowed to read information can do so - a requirement known as confidentiality. This need arises because of the ease with which documents can be copied and read in electronic form. The closest paper equivalent is controlling physical access to all copies of a document at all times. All these requirements can currently be met technically by use of cryptography. However, there are equally important issues relating to the legal and commercial recognition of electronic information so protected, and to the context within which they are used.
Although this paper focuses on the non-technical issues, a basic understanding of cryptography is useful. The essence of cryptography is that the sender uses an encryption key as input to a conversion routine (or algorithm) that makes the digital message being stored or transmitted (whether words, pictures or sound ) unintelligible. This can then be restored to its original form only by someone possessing the corresponding decryption key and algorithm. (See Annex 1 for a fuller description) This technique is already being used widely in the financial industry, for example to protect funds transfers and personal information during the process of withdrawing cash from an ATM. It is also used in consumer products designed to control access, such as the set-top boxes which control access to subscription television. Cryptography is a necessary tool for electronic commerce, where it provides the solution to the requirements for integrity, authentication, non-repudiation and confidentiality. Although these requirements have similar underlying technical solutions, they raise distinct legal and commercial issues.
All users of the electronic infrastructure require a reliable means of associating users with their information. Where public key methods are used, this usually involves certification of public keys as belonging to certain users. Some governments are proposing the use of Trusted Third Parties (TTPs) to provide such certification, but for this to be acceptable there must be a high degree of trust in such TTPs. Although TTPs may be set up as commercial operations on a national basis within national law, they must be trusted internationally. TTPs may provide additional services, including access under due process of law to secret keys used for confidentiality, which will require additional safeguards against misuse. A separate paper (Annex 2) describes in more detail the issues relating to Trusted Third Parties.
The UK Interception of Communications Act gives the law enforcement agencies the right to intercept some types of network traffic under legal and/or political oversight in the fight against serious crime and terrorism, and most other Member States have similar powers. The widespread use of cryptography for confidentiality could hinder this process, which is why business has in the past been discouraged by Governments from using the most effective forms of cryptography.
The policy challenge is to strike an acceptable balance between the ability to combat fraud, terrorism and other criminal activity, and the business and individual citizens' rights to use appropriate technologies in their legitimate activities, including the protection of privacy. This is not an issue that can be viewed by one State in isolation; it is a global problem requiring a global solution. However, there is no time to wait for international regulatory control to be formulated. Rapidly increasing exploitation of international information and communications networks and technologies requires more rapid solutions.
At present there is concern among the business community that there is no clear or consistent policy in either the UK or the EU on a framework for the availability or use of cryptographic methods. Business needs to purchase products best suited to their needs, whatever the country of origin. Current Government controls in most countries prevent product suppliers from selling products using strong cryptography outside their own national boundaries. Business needs to use these products, and develop now systems that require them, for use over the coming years. If widespread use of the most effective forms of cryptography is effectively prohibited by government controls, there will be significant "knock-on" effects in system design, operation and commercial practices generally, which the lack of a well-defined commercial and legal framework could further hinder. Growth of electronic commerce would be adversely affected.
It should be noted that the majority of relevant products are provided by US suppliers and, therefore, their availability outside the USA is subject to US Policy. US suppliers have a large, homogeneous home market in which to develop suitable secure products, and US Cryptography Policy is dictating the nature of technical controls on such products. Within Europe, although the total market is of comparable size, most countries prohibit the supply of products using strong cryptography outside their own country. This effectively constricts European suppliers to markets within their own country, and makes competition with US suppliers in Europe and, particularly, in the USA, difficult. It also tends to force European products and controls to follow US Cryptography Policy.
A start has been made in the OECD who have published a Guideline on Cryptography Policy. This sets out eight Principles that can be used as the basis for national laws on cryptography policy. They are:
These Principles will be open to interpretation. and laws will inevitably vary across the world as this is an issue where differing cultural attitudes are significant. The way in which the Internet, in particular, is likely to be used will create serious issues of jurisdiction and extra-territoriality - and Internet users are developing cultural attitudes of their own which transcend national boundaries and could become very powerful. While legislation may be a necessary part of the process, it is unlikely to be sufficient to ensure arrangements that are reliable, understood and in which users have confidence.
Few countries have any legislation at present that recognises electronic information legally or commercially. Apart from matters of national security, some regulation is needed to provide consumer protection, and to provide electronic equivalents to the current paper-based legal and commercial processes. However, a more comprehensive framework is needed within which individuals, businesses and governments can operate with trust. Until now these issues have been considered in separate fora by technologists, lawyers, government agencies, privacy advocates and business people. The right solutions will be found only if all the groups involved converge and discuss their problems together. There is no obvious global forum in which to do this at present, and there is evidence of those with a particular interest, such as control of pornography, "forum hopping" to try and force their particular solution.
Copyright EURIM 1997. All Rights reserved. For written permission to reproduce any part of this publication please contact the Administrative Secretary, EURIM, IDPM House, Edgington Way, Ruxley Corner, Sidcup, Kent DA15 5HR. This will normally be given provided EURIM is fully credited. Whilst EURIM has tried to ensure the accuracy of this publication, it cannot accept responsibility for any errors, omissions, mis-statements or mistakes.