Case Study
PROMISES AND THREATS IN ELECTRONIC COMMERCE

ROGER CLARKE
Principal, Xamax Consultancy Pty Ltd, Canberra
Visiting Fellow, Department of Computer Science, Australian National University

Version of 13 August 1997
© Xamax Consultancy Pty Ltd, 1997
Notes for an interview by ABC Quantum, 15 August 1997
The interview finally went to air as part of a program entitled 'Privacy on Line' on 11 June 1998
This paper is at http://www.anu.edu.au/people/Roger.Clarke/EC/Quantum.html

INTRODUCTION

We've been doing business electronically for some time now. It started with the telephone, and then there was instant telephone-ordering of goods and services advertised on television, and then came EFT/POS.

More, and more sophisticated, forms of electronic commerce are arriving. Chip-based stored-value cards have already been successfully trialled. Cable-TV isn't very popular, but cable-based marketing, shopping and banking just might be. And of course the big mover is electronic business on the Internet.

There's a lot of trust involved in buying things. You don't just trust that the quality of the goods or services will be satisfactory; you may also have to trust that you'll even receive them. The question of trust may be even more important in the virtual world than it is in the real world. This is because the two parties aren't in the same place, and hence we can't depend on things like physical proximity, hand-shakes and body-signals. In addition, the other party may be in another country, or even in cyberspace (i.e. it may not be practicable to work out where in physical space the other party actually is); hence a transaction might not be subject to the laws of any country or State at all.

TRUST IN CYBERSPACE

There are many different ways in which we can structure electronic commerce so as to achieve sufficient trust between buyer and seller.

One approach is to only deal with organisations that you're confident in. You're likely to have confidence if you've been dealing with the same organisation over a period of time; and you can develop confidence in a new one by commencing the relationship with a few low-risk purchases. Your confidence can be greatly enhanced if consumer protection laws are in place and effective, as they are in Australia in relation to conventional commerce (for example, goods are required to be of 'merchantable' quality, and debts incurred by card-based payment cannot be enforced unless the merchant can either provide the payer's signature, or evidence that the person's PIN was keyed into an EFT/POS terminal). Some credit-card providers also offer consumer protection features.

Another idea is to have both the seller and the buyer deposit their consideration (i.e. the money on one side of the bargain, and the goods on the other) with a third party. This third party (usually called an escrow agent) would undertake not to release the consideration to the other party, until both have been received and checked.

These approaches can be cumbersome, and businesses are searching for convenient ways of building trust into the purchasing process.

AUTHENTICATION

A lot of effort is being invested in developing trust through 'authentication'. There are several different ways that authentication can help.

One approach is 'value authentication'. This is much the same thing as biting a coin to see if it feels like it's really 'coin of the realm', and holding up a banknote to the light to see if it looks like the real thing. On the Internet, forgery of digital money is feasible, but not if the people minting it use the electronic equivalents of complex visual designs, watermarks and hidden metallic strips.

Another approach is called 'eligibility authentication'. This means checking that the person you're dealing with actually has a particular capability they are claiming. For example, does the person have a licence to sell those kinds of goods; are they a member of the relevant industry or professional association; do they have their company's authority to sign a contract of this nature; and do they qualify for a special tariff or price-list (e.g. because they're a tradesman who buys at wholesale price) or a discount (e.g. because they're an old-age or invalid pensioner). There is a need for electronic equivalents of membership-cards, concessions-cards, letterheads, and call-backs to the company's premises, in order to establish confidence.

A further approach is 'person authentication'. This involves ensuring that the other person is who they claim themselves to be. There are some kinds of transactions that only the person in question should be permitted to perform (such as access to personal data). Other interactions necessarily involve an ongoing relationship between the parties (such as health care, and the advancing of credit).

These various authentication techniques are based on particular mathematical techniques commonly referred to as 'cryptography'. The details are complex, and require mathematical capabilities that are well beyond most of the population. People involved in electronic commerce generally depend on 'a web of trust', that is to say that they talk to such mathematicians as they know, and to other people involved in electronic commerce, and they commission audits from specialists and from well-known consultancy firms, and if they don't find any reason to disbelieve the claims that electronic commerce is secure, then they become believers.

The particular application of cryptography that most assists in authentication is the technology called 'digital signatures'. These are long numbers that demonstrate that a particular message must have been signed with a particular private key, and hence by the person or organisation holding that key, and, moreover, that the message has arrived without being modified along the way. This achieves a standard of evidence for a court of law that is much higher than has ever been possible with conventional signed documents.

The way that digital signatures work is that the sender of a message 'signs' it using a 'private key' that only they should have (much as a medieval prince or pope applied a specially-designed 'seal' to a written message). The key that checks the signature is different from the private key, and is widely available (and hence called the sender's 'public key'). Anyone who receives a message can check that the signature verifies under the public key, and feel confident that only the person who possesses the matching private key could possibly have sent the message. That confidence is only as good as the secrecy of the private key: whoever obtains a copy of it can sign in the owner's name, and the signature by itself says nothing about who that owner actually is.

DANGERS

These ideas for engendering trust in electronic commerce are well-motivated. Unfortunately, there is a serious risk that they will have some highly undesirable side-effects.

Very few people in electronic commerce are discussing 'eligibility authentication', because almost everyone is assuming that people should identify themselves if they want to buy and sell on the net.

So why shouldn't people be forced to identify themselves? Isn't anonymity something that is used by cheats and criminals? Well, yes; cheats and criminals generally act in ways that make it difficult to find them, and to find evidence of their crimes, and that includes taking advantage of anonymity.

On the other hand, consider the following:

1. most real-world transactions are undertaken using cash, and most of those are anonymous. Even if the buyer and seller recognise one another, the identity is not recorded and stored for all time. Hence any move towards identification as a requirement for electronic transactions would reverse a long history of anonymity, and would generate new trails of personal data that have never existed before. Moreover, these trails would be likely to be very intensive, i.e. to show a great deal about what each person is doing, and where they are, at every hour of the day;

2. the new trails would be very attractive to organisations of several different kinds, in particular:

• consumer marketing companies, which are very interested in building up profiles of consumers. Their motivation is to inform each consumer about relevant products and services, in ways relevant to that particular consumer. To many people, that means the same thing as "to manipulate each consumer's behaviour";

• government agencies, which are increasingly applying data trails to build up citizen profiles, in order to better exercise control over them; and

• criminal organisations, which are interested in miscreant profiles, so that they can identify people to whom they can apply the well-established principles of blackmail, extortion and protection rackets.

Even if most electronic commerce transactions remain anonymous, some will need to be identified. Unfortunately, the kinds of identification mechanisms that many information technology providers are enthusiastically developing, and that many organisations are looking to apply, are highly intrusive.

For digital signatures to assist in establishing trust in electronic commerce, a public key will have to be reliably associated with a person. That person will need to present evidence of their identity to a 'certification authority' (CA). The CA will then post in a public place (an electronic public place, of course) certification that that particular public key is associated with an identified person. People who have difficulties or discomfort producing documents that satisfy the 100-point rules applied to passports, driving licences, and more recently bank-accounts, are likely to find themselves discomfited more often.
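As an added example, not part of Clarke's paper, the following Go program (standard library only, Ed25519 signatures) shows the two mechanisms described in the AUTHENTICATION section and in the paragraph above: a sender signs an order with a private key and anyone checks it with the public key, and an issuer playing the CA's role signs a binding between a public key and a claim about its holder. The claim certified in the sample is an eligibility ('pensioner') rather than a name, which illustrates that the same machinery can serve the eligibility authentication the paper says almost nobody is discussing. The Credential type, the issuer name 'Concessions Registry', the key holders and the order data are all constructed for this example; Credential is a deliberately simplified stand-in for an X.509 certificate, with no validity period or revocation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Credential is a simplified stand-in for an X.509 certificate (an assumption
// of this example): an issuer binds a subject's public key to a claim and
// signs that binding. The claim may be an identity ("Alice Example") or merely
// an eligibility ("pensioner"), with no name recorded at all.
type Credential struct {
	Subject   ed25519.PublicKey `json:"subject"`
	Claim     string            `json:"claim"`
	Issuer    string            `json:"issuer"`
	Signature []byte            `json:"signature,omitempty"`
}

// NewKeyPair generates an Ed25519 key pair; the private half must stay secret.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signedBytes is the canonical encoding the issuer signs: every field except
// the signature itself. encoding/json writes struct fields in declaration
// order, so the encoding is deterministic for a given credential.
func (c Credential) signedBytes() []byte {
	c.Signature = nil
	b, err := json.Marshal(c)
	if err != nil {
		panic(err) // cannot happen for this fixed struct
	}
	return b
}

// Issue is the certification-authority step: the issuer vouches that the
// subject public key belongs to someone with the stated claim.
func Issue(issuer string, issuerPriv ed25519.PrivateKey, subject ed25519.PublicKey, claim string) Credential {
	c := Credential{Subject: subject, Claim: claim, Issuer: issuer}
	c.Signature = ed25519.Sign(issuerPriv, c.signedBytes())
	return c
}

// VerifyCredential checks the issuer's signature on the key-to-claim binding.
func VerifyCredential(c Credential, issuerPub ed25519.PublicKey) bool {
	return ed25519.Verify(issuerPub, c.signedBytes(), c.Signature)
}

// Accept is what a merchant runs on an incoming signed order. It returns the
// certified claim only if (1) the credential was really signed by the trusted
// issuer and (2) the order was signed by the private key matching the
// credential's public key. Step (2) alone proves possession of some key;
// step (1) supplies what that key is entitled to.
func Accept(order, sig []byte, c Credential, trustedIssuer ed25519.PublicKey) (string, bool) {
	if !VerifyCredential(c, trustedIssuer) {
		return "", false
	}
	if !ed25519.Verify(c.Subject, order, sig) {
		return "", false
	}
	return c.Claim, true
}

// Scenario runs the cases a practitioner cares about and reports each outcome.
// All parties, keys and order data are constructed for this example.
func Scenario() map[string]bool {
	caPub, caPriv := NewKeyPair()           // the certification authority
	alicePub, alicePriv := NewKeyPair()     // a legitimate buyer
	malloryPub, malloryPriv := NewKeyPair() // an impostor

	// Eligibility credential: the CA certifies a concession, not a name.
	aliceCred := Issue("Concessions Registry", caPriv, alicePub, "pensioner")
	order := []byte(`{"item":"bus pass","qty":1,"price":"concession"}`)
	sig := ed25519.Sign(alicePriv, order)

	results := map[string]bool{}
	claim, ok := Accept(order, sig, aliceCred, caPub)
	results["genuine order accepted"] = ok && claim == "pensioner"

	// Modifying the order after signing breaks the signature.
	tampered := []byte(`{"item":"bus pass","qty":100,"price":"concession"}`)
	_, ok = Accept(tampered, sig, aliceCred, caPub)
	results["tampered order rejected"] = !ok

	// Mallory replays Alice's credential but can only sign with his own key.
	_, ok = Accept(order, ed25519.Sign(malloryPriv, order), aliceCred, caPub)
	results["wrong key rejected"] = !ok

	// Mallory issues himself a credential; the merchant trusts the CA's key,
	// not whatever key happens to have signed the credential.
	forged := Issue("Concessions Registry", malloryPriv, malloryPub, "pensioner")
	_, ok = Accept(order, ed25519.Sign(malloryPriv, order), forged, caPub)
	results["self-issued credential rejected"] = !ok

	return results
}

func main() {
	for name, ok := range Scenario() {
		fmt.Printf("%-32s %v\n", name, ok)
	}
}
```

Run as-is, the program prints the four outcomes. The design point worth taking from it: the order signature establishes only that some holder of the private key behind the credential signed the order; the credential supplies what that key is entitled to; and the merchant has to pin the issuer's public key out of band, since a credential that vouches for itself proves nothing.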

The next round of initiatives is much more forbidding. These are 'biometrics', which means measures of some aspect of the individual's body. Fingerprints, once reserved for criminal investigations, are currently being applied to visitors to N.S.W. gaols. Scans of the retina, and the shape of the hand, finger and thumb, are all being applied. There are continuing attempts (although at this stage still ineffectual) to use genetics as a basis for human id, which would be likely to require the provision of body fluids or tissue.

There have already been serious proposals for the use of imposed features, in particular micro-chips, as a means of identifying not just animals (where it is a proven technology, cost-effective for expensive pets and breeding stock), but also humans. To date, these proposals have been limited to expensive, institutionalised people, primarily prisoners and senile dementia patients.

For many people, such requirements are demeaning enough; but it gets worse. The operators of id schemes in companies and government agencies will doubtless assume that these biometric measures should be stored in their databases. This is not technically necessary, but it seems like the obvious thing to do. Government agencies have been working towards a population register for many years, and a reliable identification mechanism is an important element of such a register.

There are four prerequisites for a controlled 'information society':

• multiple databases, each of which records details about a particular aspect of people and their activities;

• networks that enable the computers running the various databases to communicate with one another;

• a reliable identification scheme that enables the multiple sources of data about each individual to be combined into a single, virtual register; and

• a compliant populace, prepared to let it all happen.

During the last two decades, progress in information technology has delivered the first two prerequisites. A widespread requirement for people to provide digital signatures on transactions, and the general application of biometric identifiers, could readily deliver the third. Once those three are in place, it would become a condition of living in an ordered society that people be compliant with the dictates of government agencies; so the fourth condition appears to be satisfied pretty much automatically.

CONCLUSIONS

Electronic commerce is potentially a great boon to people generally. The endeavours to ensure that people have sufficient trust in electronic commerce can easily lead our emergent 'information society' down a path towards the tightly controlled State that George Orwell and others foresaw. The bad news is that this is the line of least resistance, and that simple-minded application of the technologies is all that is required to get us there.

The good news is that the technologies available to us are capable of being used in ways that can sustain freedoms at the same time as delivering sufficient trust. The question is whether we have sufficient understanding of our needs, and sufficient commitment to freedoms, to invest the necessary effort, and arrest the dangerous slide towards increased identification of transactions, and increasingly transparent and externally controllable lives.

REFERENCES

My general pages on electronic commerce, and privacy and data surveillance, provide access to a number of relevant documents, including:

• an explanation of the basic concepts of electronic commerce;
• an introduction to cryptography;
• a discussion of identified, anonymous and pseudonymous transactions;
• a compendium of data trails;
• an overview of human identification in record systems;
• a discussion of consumer profiling;
• a detailed analysis of the privacy implications of digital signatures; and
• a discussion of the freedoms that people are seeking when they conduct transactions on the Internet.

These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).

The Australian National University
Visiting Fellow, Faculty of Engineering and Information Technology
Information Sciences Building Room 211

Xamax Consultancy Pty Ltd, ACN: 002 360 456
78 Sidaway St
Chapman ACT 2611 AUSTRALIA
Tel: +61 6 288 6916 Fax: +61 6 288 1472