The perceived lack of security in transacting and communicating online continues to be seen as an obstacle to the uptake of e-business. This guide gives a brief overview of the subject.
Security products and services
There are three main security issues relevant to doing business online:
- Verifying the identity of the person you are doing business with.
- Ensuring that messages you send and receive have not been tampered with.
- Obtaining evidence of the date, time and place at which a contract was made.
These three issues are addressed by a variety of means, including encryption, digital signatures and the digital certificates issued by certification authorities.
Encryption
The process of encryption underpins many information and communications technology security arrangements. Encryption transforms a message using an algorithm and a key so that only those who hold the right key can read it; at the receiving end the corresponding key is used to decode the message. The algorithms themselves are public, so the secrecy of the message rests entirely on the secrecy of the key.
Traditionally, encryption used a single secret key known to both sender and receiver. That works well between parties who can exchange the key in advance, but when transacting online with someone new there is no secure channel over which to send it. For this reason, public key cryptography is now often used for secure internet communication. Each party has a pair of keys: a private key, which is kept secret, and a public key, which is published. The sender looks up the recipient's public key and uses it to encrypt the message; only the recipient's private key can decrypt it. The weak point moves from transmitting the key to confirming that a published public key really belongs to the person it claims to belong to, which is what digital certificates (below) address.
Encryption protects only the content of the message. The same key pair used the other way round produces a digital signature: the sender signs with their private key, and anyone holding the sender's public key can check the signature. A valid signature is evidence of who sent the message and that it has not been altered since it was signed.
Digital signatures
These are primarily intended to serve the same purpose as 'wet' ink-on-paper signatures – to allow the recipient of a document to confirm the sender's identity (although they also serve to show that a document has not been tampered with). They are authenticated by means of digital certificates. A digital certificate is simply the owner's public key, together with the owner's name, which a certification authority has digitally signed. The recipient checks the certificate against the authority's own public key before trusting the key inside it.
Laws governing the use of digital (and other forms of electronic) signatures are changing. Our guide on the European Commission's proposal for a new Regulation on electronic identification and trust services for electronic transactions outlines what has been proposed.
Certification authorities
Certification authorities (CAs) are independent third parties which issue digital certificates after verifying that the applicant is who they claim to be and holds the private key matching the public key to be certified. The process of certification varies depending on the certification authority and the level of certification. The more rigorous the CA's identity-checking procedures, the more reliable the certificates which it issues; a certificate is only as trustworthy as the CA that signed it and the checks that CA actually performed.
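The three mechanisms above – encryption under the recipient's public key, a digital signature made with the sender's private key, and a certificate in which a CA signs the sender's public key – fit together in a single exchange. The Go program below is an added worked example and is not part of the original guide; it plays the CA, the sender and the recipient in turn using only Go's standard library (Go 1.18 or later). The names ('Demo CA', 'alice@example.com'), the order text and the fixed certificate serial numbers are made up for the demonstration, and the recipient's public key is assumed to be already known to the sender, where in practice it would come from the recipient's own certificate, checked the same way Receive checks the sender's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Envelope crosses the network: ciphertext for the recipient, the sender's signature over the plaintext, the sender's DER certificate.
type Envelope struct{ Ciphertext, Signature, SenderCert []byte }

// Setup-time failures panic; the message path (Send, Receive) returns errors instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue is the CA's act: having satisfied itself who holds pub, it signs an X.509
// certificate binding that name to the key. A nil parent yields the CA's self-signed root.
func issue(serial int64, cn string, pub any, parent *x509.Certificate, caKey *ecdsa.PrivateKey, usage x509.KeyUsage) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: usage, IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey))
	return must(x509.ParseCertificate(der))
}

// Setup generates a CA root, the sender's signing key (certified by the CA under the made-up
// name alice@example.com) and the recipient's RSA encryption key. Serials are fixed for the demo.
func Setup() (roots *x509.CertPool, senderKey *ecdsa.PrivateKey, senderCert []byte, recipientKey *rsa.PrivateKey) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caCert := issue(1, "Demo CA", &caKey.PublicKey, nil, caKey, x509.KeyUsageCertSign)
	senderKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	senderCert = issue(2, "alice@example.com", &senderKey.PublicKey, caCert, caKey, x509.KeyUsageDigitalSignature).Raw
	roots = x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, senderKey, senderCert, must(rsa.GenerateKey(rand.Reader, 2048))
}

// Send signs the plaintext with the sender's private key (origin and integrity) and encrypts it under
// the recipient's public key (confidentiality). RSA-OAEP only takes short messages; real systems wrap a fresh symmetric key.
func Send(msg []byte, senderKey *ecdsa.PrivateKey, senderCert []byte, to *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, senderKey, digest[:])
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, to, msg, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{ct, sig, senderCert}, nil
}

// Receive decrypts, then accepts the message only if the enclosed certificate chains to a
// trusted CA root, names the expected sender, and the key it certifies verifies the signature.
func Receive(env *Envelope, recipientKey *rsa.PrivateKey, roots *x509.CertPool, from string) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), nil, recipientKey, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt (ciphertext altered or wrong key): %w", err)
	}
	// The certificate is only a public key signed by a CA: trust it only if that signature chains to our root.
	cert, err := x509.ParseCertificate(env.SenderCert)
	if err == nil {
		_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	}
	if err != nil {
		return nil, fmt.Errorf("untrusted certificate: %w", err)
	}
	if cert.Subject.CommonName != from {
		return nil, fmt.Errorf("certificate names %q, expected %q", cert.Subject.CommonName, from)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(msg)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], env.Signature) {
		return nil, fmt.Errorf("signature does not verify as %q: message altered or not from them", from)
	}
	return msg, nil
}

func main() {
	roots, senderKey, senderCert, recipientKey := Setup()
	env := must(Send([]byte("Order 3,000 boxes"), senderKey, senderCert, &recipientKey.PublicKey))
	fmt.Printf("verified message from alice: %q\n", must(Receive(env, recipientKey, roots, "alice@example.com")))
}
```

Receive refuses the message on four distinct grounds: the ciphertext was altered (decryption fails), the certificate was not issued by the trusted root, the certificate names someone other than the expected sender, or the signature does not match the decrypted text. Each check closes a different attack, and dropping any one of them reopens it. Note also that the keys are separate: the sender's ECDSA key only ever signs, and the recipient's RSA key only ever decrypts.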
Laws on electronic signatures
There are laws on electronic signatures in the UK, at European level and at international level. In the UK, the Electronic Communications Act was passed in June 2000, and the part dealing with electronic signatures came into force the following month.
In 2005 the UN adopted the Convention on the Use of Electronic Communications in International Contracts, building on the UNCITRAL Model Law on Electronic Signatures. You may notice that the word 'digital' is replaced here by 'electronic', because digital signatures are just one of the many types of electronic signature.
Digital signatures are a particular type of electronic signature and most legislation is drafted to include electronic signatures which utilise means other than digital signatures (for example, biometrics).
UK Electronic Communications Act
The parties involved in e-business need to know that, if a dispute arises, the Courts will treat electronic evidence in a similar fashion to the way they treat paper evidence for paper-based transactions. The Electronic Communications Act states that an electronic signature shall be admissible in evidence in court in relation to any question as to the authenticity of the communication with which the signature is associated.
EU Directive on a Community Framework for Electronic Signatures
The European Commission adopted this Directive in December 1999. The aim of the Directive is to harmonise the rules relating to electronic signatures across the member states of the European Union and to promote the inter-operability of electronic signature products.
The Directive has the following key features:
- it lays down guidelines for the use of electronic signatures;
- it establishes that electronic signatures meeting certain criteria are deemed to satisfy the legal requirements for signatures in the same manner as hand-written signatures;
- it establishes that electronic signatures meeting certain criteria are admissible as evidence in legal proceedings.
The Directive distinguishes between different types of electronic signatures, giving greater legal effect to 'advanced' electronic signatures, which in practice means digital signatures backed by a qualified certificate.
As noted above, laws governing electronic signatures are changing. Our guide on the European Commission's proposal for a new Regulation on electronic identification and trust services for electronic transactions outlines what has been proposed.
United Nations Convention on the Use of Electronic Communications in International Contracts
The United Nations adopted the Convention in 2005 as a means of facilitating international e-commerce, by ensuring that the use of electronic communications and signatures does not invalidate a contract and that electronic signatures are admissible in court. The Convention applies to most types of electronic communication exchanged between parties whose places of business are in different States, when at least one party has its place of business in a Contracting State or the parties choose to apply it; a number of financial transactions are excluded from its scope. Fewer than 20 States have signed the Convention, most of them developing nations. The Convention enters into force for ratifying countries on 1 March 2013, although at the time of writing only three countries appear to have ratified it.
Although the Convention does not specifically address the issue of security in online transacting, it does give users a right to withdraw from contractual obligations where they have accidentally input data into an automated processing system. If someone makes an input error when seeking to purchase goods or services through a website that uses an automated processing system (for example, requesting 30,000 boxes instead of 3,000), and the website gives no opportunity to correct the error, the user has the right under the Convention to withdraw the portion of the electronic communication in which the error was made, provided the user notifies the provider of the goods or services (through the website) as soon as possible after learning of the error. Users can only rely on this right if they have not used or received any material benefit or value from the goods or services unintentionally purchased.
Other laws and guidelines relevant to security
The UK Regulation of Investigatory Powers Act controls, among other matters, the powers of authorities such as the police and Customs & Excise to intercept electronic communications. The Act, which came into force in July 2000, defines the circumstances in which the police may demand access to encryption keys. Failure to comply with such a demand is a criminal offence.
On 14 June 2012 a draft Communications Data Bill was published. It is intended that the Bill introduce new powers that will enable law enforcement agencies to access 'communications data', often described as the 'who, where and when' of a communication but not the 'what' (that is, its content).
Since its publication, the Bill has undergone pre-legislative scrutiny with reviews having been carried out by both a parliamentary Joint Committee and the Intelligence and Security Committee (ISC) (a body established under legislation for the purposes of examining the policies, administration and expenditure of the Security Service, Secret Intelligence Service (SIS) and the Government Communications Headquarters (GCHQ)).
Lord Blencathra, Chair of the Joint Committee, has stated that "There needs to be some substantial re-writing of the Bill before it is brought before Parliament..." and that the Bill is too wide in respect of the types of data to which it extends. Instead, according to Lord Blencathra, the Bill should be limited only to:
- "...data matching IP addresses to specific users,
- data showing which internet services a user has accessed, and
- data from overseas communications providers providing services in the UK."
The ISC has recommended that security agencies be provided with further powers to enable them to covertly inspect data when overseas communications service providers (CSPs) are unwilling or unable to respond to requests for access. The ISC has supported the view that the Bill should be amended to enable security agencies to leverage the support of UK CSPs in order to use Deep Packet Inspection technologies to collect communications data from overseas CSPs.
The Data Protection Act 1998 sets out eight principles which data controllers must follow in relation to the data which they hold. You can find these and more information about the Act in our Data Protection guide. In terms of security, the 7th data protection principle is the most relevant.
The 7th data protection principle states that 'appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data'. It is important to note that data controllers must take into account both the harm that might result from unauthorised processing and the nature of the data to be protected.
The ICO has ordered numerous bodies to encrypt personal data after that data was leaked, and in some cases has imposed a fine.
Information Security Management Systems
In the early 1990s the British Standards Institution laid down recommendations and guidance for identifying the range of controls needed for most situations where information systems are used in industry and commerce. This work, formerly known as BS 7799, has been developed into international standards: the code of practice (BS 7799 Part 1) became ISO/IEC 27002, and the specification for an information security management system against which organisations are certified (BS 7799 Part 2) became ISO/IEC 27001. In the UK the latter is usually referred to as BS ISO/IEC 27001. The Standard is built on three security objectives:
- Confidentiality – preventing unauthorised access to information, which brings in data protection and encryption principles;
- Integrity – ensuring that information is accurate and has not been altered without authorisation, and that data processing is controlled; and
- Availability – ensuring that authorised users can reach the information they need when they need it.
Businesses can be certified to show they comply with the standards, as a way of promoting trust and confidence between traders and customers.
Controls considered to be common best practice for information security include:
- information security policy document;
- allocation of information security responsibilities;
- information security education and training;
- reporting security incidents;
- business continuity management.