Clinton's radical move to mandate key escrow is not just about the FBI spying on our private communications and our financial and medical records. It's state-sponsored terrorism that will fatally undermine the emerging Net economy. Because public key crypto is the only way to protect your identity - to establish who is really making the transaction. And that is the very foundation of commerce.
If commerce rests on any single concept, it must be identity. There can be no business without ownership, and no ownership without an "I" to do the owning. To regulate that commerce, there must be a legal system with accountability - and there can be no such accountability without very precisely identified individuals. Not surprisingly, politicians hoping to promote digital commerce are rushing to pass laws, spelling out what it means to be someone in cyberspace. And as usual when politicians rush to do something they all suddenly agree is good, they are likely instead to do much harm.
Certainly cyberspace is the place where, famously, "nobody knows you're a dog." To start handing out dog tags, the states of Utah and Washington, among others, have passed laws defining "digital signatures" to identify cyberspace's disembodied citizenry. The governments of Britain and the United States are both debating ways to follow suit nationally. But to one degree or another, attempts at legislating digital identity fall foul of two conceptual errors.
The most basic problem is rooted in the technology itself. Public key encryption - a method for making virtually unbreakable codes using complementary encoding keys, one public and the other private - has two crucial but sometimes contradictory capabilities: securing communications and establishing identity. Security agencies such as the FBI and the NSA, which make their livings in large part from listening to other people's conversations, are encouraging governments to keep the full strength of public key encryption (indeed, encryption of all kinds) out of the hands of private citizens. But the same technology is crucial to creating "unbreakable" identities in cyberspace - the certain knowledge of who is who. Thus, any compromise of people's ability to control their communications also undermines their control of their own digital identities: Is that your signature? Or some dishonest dog's? And that uncertainty in turn undermines the notions of commitment and responsibility that are fundamental to lawful commerce.
That's problem number one. There is also the danger of oversimplifying identity. In the physical world, the rituals of recognition are both subtle and complex - everything from the human memory of a face to a biometric scanner. That cyberspace needs something similarly sophisticated is undeniable. But in trying to create a quick and easy, one-size-fits-all solution to digital identity, politicians threaten to disrupt the very web of commerce they say they want to foster.
Michael Froomkin, an associate professor of law at the University of Miami, points out that the designers of digital-signature technology have been addressing an abstraction. Their goal is an airtight way for two people who have never met, never will meet, and know no one in common to "sign" a cybercontract every bit as secure as one signed with pomp, pen and ink, and lawyers gathered round. In the real world, of course, people are seldom at such remove. Real people and companies are bound by a web of overlapping relationships based on trust, contract, or both.
The Information Security Committee of the American Bar Association, which drew up the guidelines underlying most legislation in the US so far, is now debating how the simple, theoretical model of digital signatures can be adapted to real-world complications. And as usual with new technology, the task of incorporating digital signatures into shops, schools, governments, finance companies, and all the other bodies that might use them is proving more complex than everyone assumed. All the more daunting, it is not just people who will have digital signatures. Credit-card companies, for example, propose giving computers their own signatures, to make sure payments are sent to the right place. Regulation needs to allow for a nearly limitless variety of uses - no easy task when nobody is sure what those uses will be. The keys to the highway
"Public keys talk in cyberspace." Though elliptical, this statement by Butler Lampson, a researcher at Microsoft and MIT, sums up the problems of establishing identity in cyberspace. With public key systems, identity is established by a linked pair of encryption keys. One is listed in a public directory, like a telephone book; the other is private. Each can decode messages encoded with the other - and only messages encoded with the other. So, to establish identity, the sender encodes a message with his or her private key. The recipient then looks up the sender's public key in the directory. If that key decodes the message, then the recipient can be confident the sender really is who he says he is - and that the message has not been tampered with.
At least in theory. The crucial assumption in all of this is that the directory is accurate, that the names attached to public keys are the right ones. Without some care, it is all too easy to create digital fake IDs, which look every bit as good as real ones. A large part of the motivation behind digital-signature legislation is to ensure that care is indeed taken by those who manage public key directories - that their services will be accurate, easy to use, and secure. The idea that care should be taken in these matters is pretty uncontroversial. The idea that official regulation will be the best way to achieve this is debatable - to say the least.
Where politicians' confusions begin is that the same technologies that can positively establish identity in cyberspace also make it easier for people to communicate in ways that governments cannot intercept. Secure communication is simply the identification process run in reverse: encrypt the message with the public key of the recipient and it can be read only by the holder of the corresponding private key. While in practice people are likely to use different keys for signing and secrecy, the twin uses of the basic technology are for all practical purposes inseparable.
FBI director Louis Freeh and his security colleagues have convinced the Clinton administration that secure private communications will further facilitate drug dealing, terrorism, and global disorder, and that encryption's use must therefore be limited and controlled. Weird, unreasonable, and immoral (not to mention probably futile) though these beliefs may be, they confront American officials - and, through them, all the global allies they have busily lobbied about encryption over the past few years - with a deep conflict about how public keys should be managed. Which should take priority: the needs of the individual, or state security? Inevitably, politicians have given in to their own - or their voters' - worst instincts.
Two remarkably similar pieces of proposed legislation, one in Britain and one in the United States, show just how bad the worst can be.
Last March, during its final months in power, John Major's Conservative government put forward proposals for mandatory licensing of "trusted third parties," as the British call the managers of public key directories. (Americans tend to say "certificate authorities.") The licensing requirements would include key escrow - the third parties would hold private keys corresponding to any public key in their directory, and be prepared to surrender them to security agencies on request.
In the US, the bipartisan McCain-Kerry bill, proposed shortly after the British draft, contains more or less the same requirements. The key difference is that McCain-Kerry would make key escrow voluntary for the certificate authorities - but then proceeds to stipulate arm-twisting incentives for "volunteers," including eased export restrictions and reduced liability.
Whatever twisted sense key escrow might make for regulating communications, it makes complete nonsense for establishing identity. And that is deeply threatening to the digital economy, on two levels.
Alastair Kelman, a scholar at the London School of Economics and a practicing barrister, points out that key escrow makes it significantly easier for an individual to repudiate a digitally signed document. Signatures - digital or otherwise - provide compelling legal evidence precisely because they are under an individual's complete and singular control. By introducing another party - trusted, licensed, whatever - key escrow breaches that. And that, in turn, inevitably weakens any contract the escrowed signatures create.
At the global level, key escrow puts a lot of (allegedly) private keys in one place, creating some very scary risks. If only because the cost of regulation tends to keep smaller firms out of the market, public key directories are likely to be concentrated in the hands of fairly large companies. Those companies, in turn, will be required to keep escrowed keys readily accessible, in order to be able to hand them over to security authorities. (The British proposals, for example, talk about requiring keys to be released within a few hours.)
The risks - and the allure for mischief-makers - are plain. Should hackers, for instance, ever break into an escrowed key cache, they could instantly control the digital identities of thousands - or tens or hundreds of thousands - of people and institutions. They could make some quick money. Or they could wait six months before revealing themselves. Any transaction during that period undertaken with any of the keys the hackers held would be questionable - and the resulting confusion and lawsuits could dwarf the damage from the original theft.
None of this seems to worry the FBI and the rest of Washington's key escrow crowd. In the House of Representatives, the relatively liberal Security and Freedom through Encryption Act, which would have guaranteed a broad array of strong encryption products, was gutted in committee. In the Senate, Dianne Feinstein (D-California) and some of her colleagues are saying that McCain-Kerry is too liberal, and that key escrow should be mandatory. And in September, the FBI began circulating its own draft legislation, including an extraordinary proposal to prohibit the manufacture, sale, or distribution within the United States of any encryption product that does not contain a "spare key" feature or other trapdoor allowing "immediate" decryption of a user's messages or files.
In Britain at least, the arrival of Prime Minister Tony Blair's Labor government has set off a new round of questioning about how, when, or even whether to regulate trusted third parties. Civil servants now admit privately that mandatory licensing "would face enormous difficulties." And they don't just mean the escrow process - they mean figuring out to whom and how the regulations should be applied. One set of issues revolves around the limitations of national laws in global electronic markets. The current UK draft regulations, for instance, would forbid Britons from using unlicensed overseas trusted third parties; foreigners doing business in Britain would be required to use trusted third parties licensed by their own governments. (Without this, the notion of "mandatory" becomes pretty meaningless.) But the British government has no way of controlling what, if any, licensing procedures its foreign counterparts put into place - creating a raft of potential problems. The man with a thousand names
Ultimately, the toughest set of problems may be to define exactly what the proposed laws are meant to control. As would-be regulators are only slowly coming to realize, the potential applications of digital-signature technology are far more ubiquitous and more varied than pen-and-ink scrawls. Not all can be usefully regulated. But drawing distinctions between those that regulation might help and those that it would certainly harm is proving next to impossible.
Take the Secure Electronic Transactions protocol (SET), recently defined by a consortium that includes MasterCard, Visa, Microsoft, and other software and consumer finance heavyweights. The goal of SET is to make credit-card transactions over the Net more secure. Each signature it specifies demonstrates the authenticity of a different party in a transaction: the merchant, the computer that processes payments, the bank that issued the card, and so on. The published standard doesn't identify the cardholder - it merely establishes that the card itself is valid.
SET poses exactly the regulatory dilemmas that British civil servants would like to avoid - if only they could see how. Official regulation adds to the bureaucracy - and therefore, the costs - of doing business electronically. And the credit-card companies already have every incentive to get this right - they bear much of the financial liability if it goes wrong. But if SET were exempted, the officials need to figure out on what grounds - and that is easier said than done.
The original British proposals would regulate only services offered to the public at large. That would exempt most of SET - on the grounds that it is an internal, business-to-business process - but not quite all of it. An option for cardholder certificates is one gray area. So is any "enhanced" service created by putting digital-signature technology onto smartcards. As civil servants survey the range of possible digital-signature applications, they increasingly despair at finding any clear distinction between those like SET, which they don't want to regulate, and other applications that they do. Worse, companies seem to be trying to use the technology more in ways that probably don't need regulation than in ways that do. But how to distinguish between them?
Charles Merrill, a New Jersey attorney, and his colleagues on the ABA's Information Security Committee have debated various models of public key infrastructure (PKI). They have identified several, distinguished not by technology but by their relationships to commercial risk, and to existing relationships of contract, legal jurisdiction, and trust. The list includes:
-Open PKI. These are what most legislators have assumed they are dealing with: services that act as a global notary public, proving the identity of people and companies to whomever might want to know.
-Closed PKI. At the other extreme lie organizations that could use digital signatures internally. The state of Massachusetts, for example, is considering using digital signatures to secure the delivery of some services; so are Reuters and Dow Jones, for financial information.
-Contractual PKI. These operate under existing contracts and business relationships. SET, for example, uses digital signatures largely to perform credit-card verification by another means.
-Membership PKI. These use digital signatures to provide evidence that an individual belongs to some group. In theory, doctors, lawyers, and other professionals could certify their credentials in this way. In practice, other organizations - including the London School of Economics - are considering certificate services to boost a sense of belonging and raise their profiles.
-Interdomain PKI. These link and crosslink the certificates provided by separate hierarchies - both for convenience and to provide the greater certainty that comes with amalgamating different demonstrations of identity.
Of these, the first, open type seems to be the least interesting commercially. Verisign, based in Mountain View, California, probably comes closest to applying it. But even Verisign is trying to bring its Web-based operations under the aegis of a contract - in its case an instant clickthrough type, created when users either register their own name and public key, or check someone else's identity. The pop-up contract specifies the claims Verisign makes about its certificates and seeks to limit any liabilities the company might incur.
But if certificate authorities are in fact going to grow up under the aegis of contracts - either traditional contracts, like the credit-card agreements that cover SET, or clickthrough contracts like Verisign's - the key regulatory issues will be turned on their heads. In a contractual setting, there is no need for government to define rights, duties, and responsibilities; competition should create a more or less stable set of compromises, embodied in model contracts and, if necessary, verified through the sort of audit procedures companies use to check performance in everything from accounting to quality assurance. (Indeed, one likely outcome of the ABA committee's list of types of authorities is a set of recommendations on the level of auditing suitable for each.)
The Clinton administration has already argued that just this sort of dynamic should guide the development of ecommerce. At July's "cyber" summit in Bonn, regulation-minded European politicians reluctantly accepted the arguments of US Internet czar Ira Magaziner that contracts should govern the evolution of cyberspace - at least until governments have clear evidence of problems a market-based system cannot solve. At the same time, Magaziner's colleagues, seemingly without noting the hypocrisy, were berating the Europeans for failing to enact stiffer crypto regulations, digital signatures included.
This inconsistency concerning encryption is doubly dangerous. It encourages politicians to endorse regulations that would undermine the technical and legal foundations of electronic identity. And it leads them to ignore what could be real regulatory issues - particularly about privacy - looming just over the horizon. What's in a name?
Given that digital signatures will most likely evolve within the web of existing business relationships, the identity defined by each signature will inevitably be as fragmentary as its real-world counterpart. One will define John Browning-as-American Express-cardholder; another, John Browning-as-British Airways-frequent flier; and so on. David Birch, a founder of the British ecommerce consultancy Hyperion, has dubbed this the "pseudonymous economy." Each signature does not by itself define a flesh-and-blood individual, and in many cases companies will probably have no desire to note which digital signatures refer to the same people. So each effectively becomes a pseudonym, a partial identity created for a specific purpose.
Such pseudonyms do not have to be gathered together by a giant cyber-Equifax - run, no doubt, by Bill Gates - to be useful. On the contrary, argues Carl Ellison, a crypto guru at CyberCash Inc. in Reston, Virginia: for most transactions such pseudonyms will be easier to deal with than true names. A merchant does not really need to know the true identity of a credit-card holder - he can rest assured that the credit-card company does.
But useful as digital pseudonyms will be, they are not the whole story. There is also a different sort of value in linking partial identities. Marketers already spend billions trying to cross-index credit-card transactions, memberships in professional organizations, and so on to find would-be customers. Sitting astride a flow of electronic transactions, each digital certificate authority controls a deep but very narrow stream of information. Data-mining firms are already spending millions to find the most obscure statistical correlations between different information streams. Digital certificates could make that even easier - or they could help put to rest worries about electronic commerce's potential for strip-mining personal privacy.
Together with Microsoft's Butler Lampson, MIT professor Ronald Rivest - the R in RSA, the Redwood City, California, company that holds the patent for the most commonly used public key encryption algorithm - has published research showing how partial, pseudonymous identities can be linked to create a new, overarching digital signature. The technology is straightforward, just a bit more software. But the legal and regulatory questions are challenging: Who controls the linking? The credit-card companies? Banks, shops, and others managing the certificates? Or the individuals whose various digital identities are involved?
The answers could do at least as much for personal privacy as they do for electronic commerce. At minimum, signature-linking technology can give individuals the power to prevent companies from creating amalgamated identities - correlating all the information from, say, frequent-flier travel, supermarket loyalty points, and credit-card sales. Or, more aggressively, it could allow people to bar companies from releasing any digitally signed information without permission.
The more legal control individuals have over their digital identifiers, the more they can choose how much (or how little) information about themselves they present to the world in each transaction. They may want the convenience that comes with an amalgamated key. Or they can give out only the minimum, and ensure that the information goes no further. They can keep different partial identities in isolation from each other, or they can merge them into one - or several.
At the other extreme, giving companies control over the linking could make the world significantly less private - even by today's falling standards. If banks, supermarkets, gas stations, and credit-card companies all share personal data, they know how much you make, where you go, what you eat, and what you buy. And the more they share, the more they know. Surely, people should be able to choose whether they are comfortable with this.
There are two broad possible approaches to controlling digitally signed information. One is privacy regulation. Europeans typically try to boost the rights of individuals with data-protection registrars and other privacy bureaucracy. But whatever the intentions, the task all too often proves too much for the bureaucrats to do effectively - often leaving individuals with the worst of both worlds, at the mercy of prying officials and companies alike.
The other approach is to encourage markets to provide privacy. As in most things except encryption, US policymakers generally hope that individuals will be able to negotiate their own privacy deals. But so far most have shied away from the one step that would truly bring commercial forces to bear: establishing formal ownership rights over personal data.
Those questions of ownership and privacy are what legislators should really be debating. At best, existing proposals for digital identity threaten to hinder companies trying to build an infrastructure for electronic commerce. At worst, they represent a lie created by security agencies, trying desperately to maintain the right to eavesdrop on anyone they want, whenever they want. Even if they have to undermine the nascent digital economy to do it.
Either way, proposals to regulate digital-signature technology should be dropped, and debate refocused on the very real issues of privacy and individual rights that technology creates. At the end of the day, there may prove no need for regulation at all. But the issues are real and discussion necessary. The best way to start is by bringing today's counterproductive sideshow to an end, quickly.
