Technology and Electronic Communications Act 2000

Babatunde Jayeju-akinsiku
CEO/CTO, Secure World Ltd
www.secureworld.uk.com
Introduction

The advent of the Internet and its associated and complementary technology has become a facet of modern life, paving the way for better and more efficient ways of doing things. This technology embraces information sharing, capacity utilization, and multiple, parallel and concurrent processing. It also encompasses cost efficiency and economic advantage, including automation. To date, the potential of the technology has not been fully realized. Technology is being financed by commercial industry because of the inherent cost advantage and potential.

Modern man is being bred with this technology, and our way of life in the physical bricks-and-mortar world is being transmuted into the electronic world. In the electronic world (which here implies the Internet) anonymity is allowed, which is not the case in the physical world. In the physical world, you can choose to call yourself whatever you like as long as you remain liable for all actions under that name. You have an abode, and whoever you are dealing with in the physical world has a link to you either geographically or by documentation. On the Internet, however, there is no barrier of any sort and physical presence is not needed; it is in fact a no-man’s land and hence subject to no-man’s law or jurisdiction.

It is not surprising that these characteristics entail problems which are not new to the human race, but the medium is new. The criminally minded among us are cashing in on the problems that are making us all very wary of the Internet and its power, hence stemming its growth and the realization of its full potential. These issues vary from trust and anonymity issues, to hardware and software vulnerabilities, to ignorance and lack of education.
0167-4048/02US$22.00 ©2002 Elsevier Science Ltd
Unfortunately, technology does not have the answers to man’s socio-cultural problems. It is with the aim of trying to take control and put some sense into the otherwise anarchic world of the Internet that governments all over the world are trying to put some form of law in place. Unless we all wake up to the challenges it presents, our world may be doomed forever. The Electronic Communications Act is part of a collection of laws created to deal with the issue of identification, and to bind people to whatever they have done and signed electronically. Other acts in the UK include the Regulation of Investigatory Powers Act, the Human Rights Act, the Data Protection Act, and the Anti-terrorist Acts.
The Internet and its potential

I shall here explore the significance of the Electronic Communications Act to technology. I shall also look at the consequences of non-repudiation, data and information integrity, the new face of commerce and industry, and social interactions, which are the primary objectives of this law.

The Internet landscape has brought along with it a lot of issues, some new and some old. However, the world and commerce are in a Catch-22 situation because we cannot ‘back out’ of the technology race. To do so would bankrupt the world economy, since major multinationals, businesses and states have committed a large amount of funds and resources to technology. Many IT and telecoms companies are today in debt, suffer from cash-flow crises, and have had to make job cuts. Such organizations, when investing money in the new economy, were making projections in untested markets, based on scant research but perceived markets and consumer needs. Because of the pace of the Internet, sometimes the basic tenets of business were ignored and speed to market became the name of the game.

But alas, this is a different environment; it is not the physical world. Even then, in the physical world we don’t take chances, so why should we take those chances in cyberspace? In the physical world we consider business and social interactions as relationships which have to be built. We don’t trust people just because they say we should; trust is built, it is earned, nurtured and allowed to grow. We check out references of people we are trying to do business with, to be sure they are not fraudsters. We meet with them to be sure that we can put a face to a name. We calculate and manage the business risks even when we go to the shops to buy goods. We ensure that the sales person does not go to the back room with our credit card, we keep the receipts of the things we buy and sometimes make a mental note of who served us, the check-out assistant cross-checks our signature against the one on the plastic, and some other security measure may be in place.

The advent of the Internet and its potential has, I think, made us naïve. Several of us are so unaware of the implications of where we are that we go ‘nude’ in the market or circus. The Internet’s architecture was not primarily designed for secrecy or privacy, but rather for information and resource sharing. It is up to engineers and technologists to find ways to create a conduit for people to be able to share information and resources, do business and communicate so as to guarantee confidentiality, integrity, assurance and reliability, so that non-repudiation can be guaranteed. We would then have made the complete transmutation of physical-world interaction to the cyber/electronic world.

Technology has done its bit and it is still doing more. However, what do we want out of technology and how much are we prepared to give it? And what does the commerce and industry that is funding technology expect in return? The world is made of people who use technology, and they have rights and liberties which can conflict with what they want from technology. The point is that security comes at a price to civil liberty. Is it okay for us to embrace technology on one hand and cry against globalization on the other? Such is the way of the world.

The public needs to understand more than it already does about the technology in use, what it is about, and the security implications of connecting to the open Internet. For example, security needs to be considered especially while at work, as everyone can naïvely believe they are safe behind a firewall even though they plug in their modem on the other side, import and take files from complete strangers in chat rooms on the Internet, download games, etc.

Having gone through the above, it is obvious that security needs to be given more than lip service. But security from what exactly, you may ask? The answer is:

• Confidentiality – to be sure that the information that you are sending or receiving is not being seen or read by unintended parties.
• Integrity – to be sure that you have the correct information both in content and in source. This applies not only to individuals but also to computers and machines that give services on the network. If the integrity of a machine is in doubt (let’s say it is in the middle of the street and anyone can have access to it and input whatever he or she likes into it), it goes without saying that whatever information you get from it cannot be taken seriously.
• Availability – once a service or information is said to be secured, it must be available to those who have or should have access to it, i.e. they must not be denied.
The Electronic Communications Act and its Implications

“Electronic signature means any electronic/electrical, digital, magnetic, optical, electromagnetic or any other technology that is similar to these technologies used to or appended or attached to an electronic record, data or communication.”

Below is an excerpt from the Act as it relates to electronic signatures.

PART II
FACILITATION OF ELECTRONIC COMMERCE, DATA STORAGE, ETC.
Electronic signatures and related certificates.

7. - (1) In any legal proceedings-
    (a) an electronic signature incorporated into or logically associated with a particular electronic communication or particular electronic data, and
    (b) the certification by any person of such a signature,
shall each be admissible in evidence in relation to any question as to the authenticity of the communication or data or as to the integrity of the communication or data.

(2) For the purposes of this section an electronic signature is so much of anything in electronic form as-
    (a) is incorporated into or otherwise logically associated with any electronic communication or electronic data; and
    (b) purports to be so incorporated or associated for the purpose of being used in establishing the authenticity of the communication or data, the integrity of the communication or data, or both.

(3) For the purposes of this section an electronic signature incorporated into or associated with a particular electronic communication or particular electronic data is certified by any person if that person (whether before or after the making of the communication) has made a statement confirming that-
    (a) the signature,
    (b) a means of producing, communicating or verifying the signature, or
    (c) a procedure applied to the signature,
is (either alone or in combination with other factors) a valid means of establishing the authenticity of the communication or data, the integrity of the communication or data, or both.
The Electronic Communications Act gives teeth and recognition to the potential of technology: once all of the above can be “assured” in an electronic communication, it may be assumed to be secure and hence to constitute a non-repudiable communication, data, information or transaction/contract, and therefore to be admissible in court. The guidelines for its formation are contained in the European Directive to all member states. Technology has proffered solutions to ensure these assurances, but the “human factor appears to be the weakest link in the chain”. However, it is hoped that the Communications Act will send a clearer message home to users, so that they know what they are doing and that a disclaimer at the bottom of a quote that has been electronically signed for the purpose of a contract is useless, because the contract is legally binding.

The Act recognises Trusted Third Parties (TTPs) which may be called upon to settle disputes, their formation and regulation, and bodies like the tScheme to manage the activities of the TTPs. However, in all its goodness and desirability, the Act fails to address the issue of liability. It seems the government is trying to tread softly, especially as the interests of TTPs, who are mostly large corporates, may be jeopardised. The answer to the question of liability is that a contract needs to exist between the user of a certificate and a TTP, which will stipulate the level of liability, or the amount up to which the certificate is covered; hence the classification of certificates. Therefore, if you do not have a contract with a CA and you choose to trust a certificate signed by it, you do so at your own peril. This situation is unacceptable to a lot of people, and it breaks the whole assurance principle on moral grounds.
Cryptography in security

We cannot discuss electronic communication security without cryptography, because this is the foundation on which it is based. For you to exchange a secure electronic communication with someone or a device on the network you need to either (a) share some form of secret (key) and agree on the algorithm (formula), or (b) you will both need to have public keys corresponding to each other’s private keys (both parties create a key pair, called public and private, using an algorithm; this key pair may be created by a trusted third party, which brings with it some other arguable issues). The public key then needs to be certified to give assurance that only the person with the corresponding private key can possibly own it, because they are the only ones that can decrypt any message encrypted with it. (The private key, as the name implies, is the identity of the owner, hence its care and safety are paramount, as you will have a hard time proving in a court of law that you did not do it.) The private key is also the part of the key pair used to sign messages. This assures us of the integrity of the message, i.e. it has not been changed or modified in transit or by any other means (note that signing alone does not guarantee confidentiality). In other words, you don’t care if anyone else sees the message; you just want to know whether it has been altered or modified.

As I stated earlier, technology offers a solution to human practice. Another example is a recent incident at Verisign. They certified an individual who claimed to be an employee of Microsoft but who had never worked for Microsoft. The error was not discovered for about three months. So we get to the issue of how Verisign is to know, short of asking for an ID card or some form of legal papers. In any case, if the registration process goes wrong and someone gets away with claiming to be who they are not, then you would not know. Note that certificates do not assure you of the person’s identity; a certificate can only tell you that the public key belongs to a person who registered it with the certifying body, which we call the CA or trusted third party (TTP).

Certification Authorities (CAs) build public key infrastructure (PKI) that can generate and certify public keys (Identrus is one that the banks use in the UK; Verisign is all over the world). These CAs are subject to rigorous security and technology standards, audits, assessment, redundancy, and lots of other trust-enabling codes and practices. (Trust which we hope they’ll earn with the passage of time and as things unfold.) However, technology, no matter how brilliant and clever, cannot give trust. It can give assurances, maybe, but trust is a different issue, as the human, governmental and management factors of the technology have a big part in trust. A good example is the trust placed by the population in the government of the day, whom we have voted for and to whom we have in some ways given some of our liberties, to do whatever is necessary to protect and defend our nation state. Nonetheless, sometimes in the delivery of their function they may infringe on our rights and liberties. A number of schemes have been proposed by the Government to manage and police the CAs for some of the above reasons, and also to ensure that the public are not defrauded by cowboy CAs. These include the tScheme, the now dead key escrow, and the new RIP Act.
The CA or trusted third party has a public and a private key. It uses its private key (like everyone else) to sign certificates which it issues to subscribers, and subscribers use its (the CA’s) public key to verify that the CA actually is the signer. “Please note that a certificate does not prove identity, it only proves that it knows the corresponding private key. The onus is on the user to be sure of the identity of the owner of the private key.” This statement is very true when you think that anyone can claim to be anyone or anything.

A Certification Authority enrols users, called subscribers, at its registration authority before they are issued certificates by the CA. Here, physical presence may be necessary to ascertain identity, and proof of ID, address and other details may be used as well. The details are then passed to the CA for certification and/or to generate key pairs, if the subscriber wants the CA to generate the keys. On the other hand, if the subscriber already has a key pair, which he could have generated using software somewhere else, the registration authority would perform a simple check to be sure that the registering person has the private part of the key. This can be done by encrypting with the public key and getting the person to decrypt with the private key.

Now there are two issues. The registration authority may have to register the subscriber online, where it cannot be sure of their identity, as recently happened with Verisign; and, if the registration authority and the certification authority are not in the same geographical location, getting the details across securely could be another problem. Lastly, after certificates are issued and/or revoked they would have to be published (in a directory accessible to the public) together with the public key. If a hacker takes control of the directory and replaces details therein, then the whole infrastructure is nonsense. However, if none of these happen because adequate security measures, including management procedures, are put in place, then communications made using the public and private key for encryption and signing are considered non-repudiable and are deemed legally binding, provided also that the certificate is still valid.

Note that the validity of certificates needs to be checked, which is fine for humans; however, devices on the network also use the technology. Most of them (about 98%) do not have the capability to query certificate revocation lists (CRLs) once they are online and have established a connection to each other. Most manufacturers of VPN devices and line encryptors are just about now looking into how they can put the code into their products.
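The checks described in this section (the registration authority's test that a subscriber holds the private key, the CA's signature on a certificate, and the validity and revocation check that many devices skip) are sketched below in Python as an added example; it is not code from the article or from any CA. It assumes textbook RSA without padding over small Mersenne primes, a certificate modelled as a plain dictionary rather than X.509, and hypothetical function names and sample data throughout.

```python
import hashlib
import secrets
from datetime import date

E = 65537  # public exponent shared by every toy key here

def keygen(p, q):
    """Textbook RSA key pair from two primes (no padding; for teaching only)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def proof_of_possession(pub, decrypt):
    """RA check: encrypt a random challenge with the public key; only the
    holder of the private key can return it. Proves possession, not identity."""
    n, e = pub
    challenge = secrets.randbelow(n - 2) + 2
    return decrypt(pow(challenge, e, n)) == challenge

def tbs(cert):
    """Bytes the CA signs: every certificate field except the signature."""
    return f"{cert['serial']}|{cert['subject']}|{cert['pub']}|{cert['not_after']}".encode()

def issue(ca_priv, serial, subject, pub, not_after):
    cert = {"serial": serial, "subject": subject, "pub": pub, "not_after": not_after}
    cert["sig"] = sign(ca_priv, tbs(cert))
    return cert

def validate(cert, ca_pub, today, crl=None):
    """Relying-party check; crl=None models a device that cannot query CRLs."""
    if not verify(ca_pub, tbs(cert), cert["sig"]):
        return "bad CA signature"
    if today > cert["not_after"]:
        return "expired"
    if crl is not None and cert["serial"] in crl:
        return "revoked"
    return "ok"

# Constructed sample data: Mersenne primes stand in for real key material.
CA_PUB, CA_PRIV = keygen(2**127 - 1, 2**107 - 1)
SUB_PUB, SUB_PRIV = keygen(2**89 - 1, 2**61 - 1)
CERT = issue(CA_PRIV, 1001, "alice@example.test", SUB_PUB, date(2003, 1, 1))
CRL = {1001}  # serial 1001 was revoked after issue
```

Calling validate without a CRL accepts the revoked certificate, while passing CRL rejects it, which is the gap the paragraph above attributes to devices that cannot query revocation lists.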
Conclusion

In conclusion, I would like to say that this Act is a step in the right direction, though it still needs more modifications. We now need to put it to the test and be prepared to rise to its defence when the need presents itself. The fledgling PKI and IDPKC industry needs to address issues of interoperability among themselves instead of fighting for supremacy.