E-commerce agreement with US next week


President Clinton's visit to Dublin next week will probably provide the opportunity for the signing, at last, of a symbolic joint communique on e-commerce between the Irish and US governments.

The document is unlikely to waver from general e-commerce principles already given the nod by the US and the EU. And it is not, as reported elsewhere, an agreement on encryption policy (the Government has already issued a framework document outlining its encryption position). But the planned communique does indirectly impinge upon encryption issues.

An obvious way of sealing an agreement relating to e-commerce would be to use the medium of e-commerce - the Internet. But using the Internet would require a digital signature - a method of signing a document electronically that guarantees the person signing it is who they say they are. Digital signatures demand the use of encryption. And encryption is at the centre of a political row in the US.

Ironically, the signing of a document designed to promote online trade may instead pinpoint one of the key barriers to global e-commerce: the Clinton administration's continuing restrictions on the use of the most powerful and secure products for encoding data that's sent across the Internet.


Without adequate ways of encoding information such as message contents (which might contain personal information like credit card numbers) and their accompanying digital signatures, e-commerce will remain a stunted possibility rather than a key facilitator of domestic and global trade.

US law enforcement, concerned about potential criminal activity on the Internet, wants to require Americans using the stronger encryption products to hand over (place in 'escrow') one of their digital 'keys' - the code which allows them to unlock messages sent to them in scrambled form, and which enables them to scramble messages they wish to send.

Technology companies and privacy rights groups strongly oppose this plan, which would mean someone, somewhere could gain access to your escrowed key. At the same time, the US has limited the kinds of encryption products that US companies can sell - or even give away for free - to anyone outside the US. US companies can only export encryption products with keys which are 40 bits in length (a bit is the smallest unit of digital data). But products are available which use 128, 192 and 256 bits. Obviously, a key which has 256 elements that can be reordered in millions of different ways is far more secure than one which has 40 elements.

In fact, analysts estimate a 256-bit key would take millennia to crack. On the other hand, just last month a 56-bit key was cracked in three days. That makes 40-bit products laughable. However, you can buy so-called strong encryption products - those which exceed 40-bit keys - legally outside the US, if manufactured by non-US companies. Digital signatures, though, are not subject to the 40-bit rule, because the US wants to encourage global e-commerce. But most people don't want to send an open, unencoded message and an encoded signature. Most encryption products combine both elements.

So back to the communique. Suppose the two government leaders wish to use the medium of e-commerce to make a hugely symbolic statement about e-commerce. There are three options: Firstly, Mr Clinton could use a US 40-bit product, but this would hardly be an acceptable level of security for transmitting an international agreement. Of course, the US government itself can use strong encryption without restrictions - but using it in this case would be blatantly hypocritical. Either way, US technology companies would use the event for further broadsides at US policy.

Or Mr Clinton could just use a digital signature. But this would also give fuel to the opposition, happy to point out that signatures on their own are a truncated form of the digital security which industry, individuals and privacy advocates are demanding for trustworthy e-commerce.

Finally, Mr Clinton could use a secure product made by a non-US manufacturer, but that would underline the failure of his administration's policies, and again, draw down the fury of the US technology lobby.

Ireland, according to its encryption framework document, has no such troublesome limitations on its actions.

The US government seems unlikely to change its policy in the next week. However, they could realise that the symbolic significance of an electronic signature outweighs any short-term controversy such a decision would cause, given that US policy will ultimately change in this area anyway. In that case the communique will immediately move from being a friendly handshake over already-existing policy to a document of international importance.

Karlin Lillington is at klillington@irish-times.ie