INFORMATION TECHNOLOGY BRIEFLY
September 1998 Issue No 2
INTERNET PAYMENT MECHANISMS
Last month we reported on the nature of ecommerce and where it is likely to go. In this edition we will canvass some of the payment mechanisms available which are relevant to on-line commerce and in following editions look at the impact on businesses and the legal systems' which need to adjust to new technology.
Electronic cash - what is it?
Represented by electronic impulses, ecash can be used to make purchases over the Internet. The best known of the cash systems available is the "DigiCash" system.
How it works
You purchase software and open an account with a bank that deals in ecash. You make your deposit into that account in the traditional fashion.
When you want to access some ecash you contact the issuing bank via the Internet and nominate the cash you want. Assuming you have sufficient funds available in your account, the bank then deducts the nominated amount from the account and sends an electronic message representing that amount back to you. You store that message on your hard drive or other storage device. Encryption protects the communications between your issuing bank and you. The ecash which you now hold carries the issuing bank's digital signature. You are able to keep track of how much ecash you currently hold by tracking mechanisms on the DigiCash software.
When you want to make a purchase you contact an ecash accepting merchant's home page and choose your product. Again, assuming you have enough ecash, an electronic message representing the price of the product is sent to the merchant. The merchant then checks the issuing bank's digital signature on the ecash and confirms the sale to you. The merchant then redeems the ecash for real money at an ecash issuing bank with which it has an account.
Smart Card
A variation on the theme of ecash is transfer via the Internet of value stored on smart cards. Smart cards are embedded with a microchip which is capable of storing, and occasionally processing, a vast array of information about the holder of the smart card. The main use of smart cards , to date at least, is as stored
value cards - in other words, value can be downloaded from a bank account and stored electronically on the card - in a similar fashion to value stored on phone cards.
Electronic Cheques
Electronic cheque systems operate much the same way as normal cheques: if you are an authorised electronic cheque issuer or receiver you are able to write electronic cheques to other participants which, when the deposit is electronically made, allows the transfer of funds from the account against which the cheque was drawn to the deposit account. Here, a digital signature is used to create an electronic cheque which the receiver endorses (again digitally) which transforms into an order to a computer at a bank to transfer the nominated funds. Unlike the stored value systems, with electronic cheques no electronic money equivalent is used.
At whose risk?
One of the contentious issues in electronic payment mechanisms is how risk will be allocated between the user, the merchant, the issuing bank and the system designers where "non-conforming" events occur such as in unlawful interception, system failure, forgery and fraud.
By and large those issues are controlled by the contract between the parties that make up the system. Not surprisingly, system designers try to contract out of risks that arise from the use of their systems, and generally do so on the basis that risk allocation is a matter for the users of the system - the banks, the consumers and the merchants, rather than the system designers.
Commonly disclaimers read that -
".......... the system designer will not accept liability for any damages, including loss of data, lost profits, cost of cover or other special, incidental, consequential or indirect damages .... howsoever arising............ and howsoever caused............... on any theory of liability."
While it is reasonable to accept that system designers would want to limit their exposure to risk where fraud or forgery occur it seems an imbalance of power to seek to avoid that liability where a system failure occurs. [Courts will consider normal commercial standards and who is best placed to guard against the particular risks at issue when deciding what is a "reasonable" allocation of risk].This of course leads to an obvious question about how well (or otherwise) existing law is able to deal with developing electronic payment mechanisms and the legal issues arising out of these and further developments in electronic payments. [More on this in later issues].
ENCRYPTION
Essentially encryption is the means of dealing with security by temporarily giving information meaningless form by virtue of an algorithm (a mathematical formula).
This protects the information from an unlawful third party interceptor. Encryption itself is certainly not new. Indeed, Julius Ceasar was a masterful encryptor.
What is new is encryption technology which can be applied to encrypt a communication simply by activating an encryption "key" derived from a software package.
The use of the key determines the difference between the two types of encryption available. The key can be a short sequence of characters or numbers in combination which will determine how text is encrypted or decrypted. The strength of an encryption ("a cipher") is determined by the length of the key. The longer the key, the more difficult the encrypted information is to decipher without the key. A short, or weak key can be overcome in a matter of hours by a suitably powerful system. A strong key - anything greater than about 56 bits in length - would be very difficult to overcome. In relative terms, a bit key double the length of another bit key might in fact be exponentially "stronger" (or more difficult to "crack") by a factor of several million.
Private Key
Imagine that both the sender and the receiver rely on an encryption system which is dependent on a single key kept confidential by both of them. They are each able to send and receive encoded messages in a reasonably secure forum subject only to ensuring a secure means of transferring the key between the sender and the receiver. If you don't ever meet the other party to transfer the key you cannot be absolutely sure that unlawful interception of your messages can be avoided. Private key encryption is not recommended for large environments or businesses because it can be difficult to monitor and control.
Public key encryption uses different but complementary keys to encode and decode messages and it is not possible to derive one key from the other since the two keys are not related. This has significant advantages over the private key but it is still not fault free. It is possible, for example, for a third person to pirate communications and replace a public key with his own public key so that the pirate is the only one with the correct private key. Public key encryption is a versatile form of security for use in a vast range of business and organisational structures. You can master it to involve trusted users who form part of a "web of trust". Authentication is a key issue in the electronic age of information exchange and will be further reported on in this publication.
SIGN YOUR LIFE AWAY
Biometric technology is the replacement for digital signature technology. A biometric system allows the use of personal characteristics (such as voice patterns or fingerprints) to authenticate the user. The beauty of using a biometric system is that, unlike PINs, it cannot be forged, forgotten or mislaid and is not intrusive.
Recently, six biometric products (including fingerprint verification and facial recognition software) have been certified by ICSA, the International Computer Security Association, which is a voluntary industry body, sadly, without formal authority. Other biometric products under consideration include thermal body emissions, hand geometry and eye feature measurement. It is interesting to note that only three "body prints" are considered truly unique and they are fingerprints, retina scans and iris patterns.
If biometric systems do replace digital signature technology as quickly as is being forecast, a legislative framework within which such systems would operate, would need to follow too. Although biometrics could be considered an "electronic signature" they don't precisely fall within the current "digital signature" definition or proposed methods of operation. The required technological neutrality which might overcome some of the common difficulties will be covered in this publication over ensuing months.
For further information and advice, please contact Celine McInerney, Partner, by telephone on 61 8 8210 1206 or by e-mail at cmcinerney@normans.com.au.
