The perceived lack of security on the internet is seen as the major obstacle to the uptake of e-business. Various applications have been developed to provide consumers and businesses with the comfort they require. Legislation is being introduced with a similar aim. This guide gives a brief overview of the subject.
Security products and services
There are three main security issues relevant to doing business online:
- Verifying the identity of the person you are doing business with.
- Ensuring that messages you send and receive have not been tampered with.
- Obtaining evidence of the date, time and place at which a contract was made.
These three issues are addressed by a variety of means including:
Encryption
The process of encryption underpins most of the security products on the market. An encryption algorithm transforms a message, under the control of a key, into a form that cannot be read without the corresponding key; at the receiving end, the key is used to recover the original data. The protection rests on the key staying secret, not on the algorithm being secret.
Traditionally, encryption uses a single secret key shared by sender and receiver (symmetric encryption). The difficulty is getting that key to the recipient in the first place: it cannot simply be sent over the same insecure network as the message. Public key cryptography, which is now used for secure internet communication, avoids this problem. Each recipient has a private key, which is kept secret, and a matching public key, which is published. The sender looks up the recipient's public key and uses it to encrypt the message; only the holder of the corresponding private key can decrypt it. In practice the two approaches are combined: a public key operation protects a freshly generated symmetric key, which then encrypts the bulk of the data. You can find out more about encryption by reading our Encryption and Digital Signatures guide.
Encryption protects the confidentiality of a message. Applying the sender's private key to a digest of the message produces a digital signature, which gives the recipient evidence of who sent the message and that it has not been altered in transit.
Digital signatures
These are primarily intended to serve the same purpose as ink-on-paper signatures: to allow the recipient of a document to confirm who sent it (they also show that the document has not been altered since it was signed). The recipient checks a signature using the signer's public key, so the recipient needs assurance that the public key really belongs to the claimed signer. That assurance comes from a digital certificate: a statement binding the owner's name to the owner's public key, digitally signed by a certification authority.
Certification authorities
Certification authorities (CAs) are independent third parties which issue a digital certificate to an individual or organisation after verifying that the public key belongs to that party. The process of certification varies with the CA and the level of certification. The more rigorous the CA's identity-checking procedures, the more reliance can be placed on the certificates it issues. A relying party should also bear in mind that a certificate is only as trustworthy as the CA whose signature it carries, and that certificates expire and can be revoked, so the CA's signature and the certificate's validity need to be checked before the enclosed key is used.
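The three roles described above (key-holder, certification authority and relying party) can be shown end to end. The following is an added example written for this guide, not code from any product or body mentioned here. It uses textbook RSA on deliberately small keys and a made-up certificate format so that it runs with the Python standard library alone; the parties (Alice Ltd, Bob, a rogue CA) and the sample order are constructed. It demonstrates encryption with the recipient's public key, hash-then-sign with the sender's private key, detection of a tampered message, and rejection of a certificate issued by a CA the relying party does not trust.

```python
# Toy public-key walk-through: encryption, digital signature, CA certificate.
# Textbook RSA with no padding on small keys, standard library only. NOT for
# production: real systems use padded schemes (RSA-OAEP, RSA-PSS) or elliptic
# curves, hybrid encryption and X.509 certificates with expiry and revocation.
import hashlib
import random

def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin test with 'rounds' random witnesses (assumes n odd, n > 3)."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits, rng):
    while True:  # force the top bit (full size) and the low bit (odd)
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand

def generate_keypair(bits=512, seed=None):
    """Return ((n, e), (n, d)). 'seed' is for reproducible demo keys only."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))

def encrypt(public_key, message):
    """Confidentiality: anyone can encrypt with the recipient's public key."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)

def decrypt(private_key, ciphertext):
    """Only the matching private key recovers the plaintext (no padding, so leading zero bytes are lost)."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def sign(private_key, message):
    """Hash-then-sign: the signer's private key is applied to a SHA-256 digest."""
    n, d = private_key
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)

def verify(public_key, message, signature):
    """Anyone holding the public key can check the signature against the message."""
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big")

def issue_certificate(ca_private_key, subject, subject_public_key):
    """A CA binds a name to a public key by signing the pair (after checking identity)."""
    n, e = subject_public_key
    body = f"{subject}|{n}|{e}".encode()
    return {"subject": subject, "public_key": subject_public_key,
            "signature": sign(ca_private_key, body)}

def verify_certificate(ca_public_key, cert):
    """A relying party checks the CA's signature before trusting the enclosed key."""
    n, e = cert["public_key"]
    return verify(ca_public_key, f"{cert['subject']}|{n}|{e}".encode(), cert["signature"])

def demo(seed=2000):
    """Key-holder (Alice), CA and relying party (Bob) on a constructed sample order."""
    ca_pub, ca_priv = generate_keypair(seed=seed)
    alice_pub, alice_priv = generate_keypair(seed=seed + 1)
    bob_pub, bob_priv = generate_keypair(seed=seed + 2)
    rogue_pub, rogue_priv = generate_keypair(seed=seed + 3)  # impostor running its own CA
    order = b"Order 4711: 250 units, deliver by 30 June"      # constructed sample message
    cert = issue_certificate(ca_priv, "Alice Ltd", alice_pub)  # the CA vouches for Alice's key
    sig = sign(alice_priv, order)                              # Alice signs the order
    cert_ok = verify_certificate(ca_pub, cert)                 # Bob checks the CA's signature first
    return {
        "recovered": decrypt(bob_priv, encrypt(bob_pub, order)),       # only Bob can read it
        "cert_ok": cert_ok,
        "sig_ok": cert_ok and verify(cert["public_key"], order, sig),  # then Alice's signature
        "tampered_ok": verify(cert["public_key"], order.replace(b"250", b"2500"), sig),
        "forged_ok": verify_certificate(ca_pub, issue_certificate(rogue_priv, "Alice Ltd", rogue_pub)),
    }
```

Running `demo()` recovers the order for Bob, accepts the certificate and signature, and rejects both the altered order (the digest no longer matches) and the impostor's certificate (Bob only trusts the genuine CA's public key). In a real deployment the relying party would additionally check the certificate's validity period and revocation status, points the toy format above deliberately omits.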
Other security products
There are various products on the market which attempt to address security concerns. Some offer a greater level of security than others. By way of example, the SET (secure electronic transactions) Protocol offers a form of guarantee against credit card fraud. The system consists of a cardholder interface resident on the customer's PC, an electronic till at the retail level, and a payment mechanism located on the bank's server which processes the encrypted transaction messages.
In contrast, SSL (secure sockets layer) technology establishes an encrypted channel between the customer's browser and the merchant's server and authenticates the server by means of its certificate, but it offers no guarantee against credit card fraud: once the card details reach the merchant, SSL says nothing about how they are stored or used. However, many consider that the cost benefits of this technology outweigh any security risks and it is widely used in e-commerce projects.
Laws on electronic signatures
There are now laws in the UK on electronic signatures and there are also plans on a European and international level. You may notice that the word 'digital' is replaced here by 'electronic.' This is not the case in Hong Kong, where legislation requires use of digital signatures with public key infrastructure (PKI), not any other forms of electronic signatures. In the UK, the Electronic Communications Act was passed in June 2000. The following month, the part dealing with electronic signatures came into force. The European Union adopted a Directive on electronic signatures in December 1999. The United Nations Commission on International Trade Law has prepared draft Uniform Rules on Electronic Signatures.
Digital signatures are a particular type of electronic signature and most legislation is drafted to include electronic signatures which utilise means other than digital signatures (for example, biometrics).
UK Electronic Communications Act
The parties involved in e-business need to know that, if a dispute arises, the courts will treat electronic evidence in a similar fashion to the way they treat paper evidence for paper-based transactions. The Electronic Communications Act states that an electronic signature shall be admissible in evidence in court in relation to any question as to the authenticity of the communication with which the signature is associated. You can learn more about this Act by reading our guide, UK and European Union Regulations.
EU Directive on a Community Framework for Electronic Signatures
The European Parliament and Council adopted this Directive (1999/93/EC) in December 1999. The aim of the Directive is to harmonise the rules relating to electronic signatures across the member states of the European Union and to promote the inter-operability of electronic signature products.
The Directive has the following key features:
- it lays down guidelines for the use of electronic signatures;
- it establishes that electronic signatures meeting certain criteria are deemed to satisfy the legal requirements for signatures in the same manner as hand-written signatures;
- it establishes that electronic signatures meeting certain criteria are admissible as evidence in legal proceedings.
The Directive distinguishes between ordinary electronic signatures and 'advanced' electronic signatures backed by a qualified certificate and created with a secure signature-creation device; it is the latter, which in practice means digital signatures, that are given the same legal effect as hand-written signatures.
UNCITRAL Draft Uniform Rules on Electronic Signatures
The United Nations Commission on International Trade Law (UNCITRAL) has prepared these draft Rules which identify three parties (key-holders, certification authorities and relying parties) and set out the responsibilities of each party. The Rules are likely to undergo further consideration before being put forward for implementation.
Other laws and guidelines relevant to security
UK Regulation of Investigatory Powers Act
The UK Regulation of Investigatory Powers Act controls, among other matters, the powers of authorities such as the police and Customs & Excise to intercept electronic communications. The Act, passed in July 2000, also defines the circumstances in which such authorities may serve a notice demanding access to encryption keys or to the decrypted form of protected data. Failure to comply with such a notice is a criminal offence, so businesses need to know where their keys are held and who can produce them.
Data protection
The Data Protection Act 1998 sets out eight principles which data controllers must follow in relation to the data which they hold. You can find these and more information about the Act in our Data Protection guide. In terms of security, the 7th data protection principle is the most relevant.
The 7th data protection principle states that 'appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data'. It is important to note that data controllers must take into account both the harm that might result from unauthorised processing and the nature of the data to be protected.
BS 7799 – Code of Practice for Information Security Management
This code of practice, issued by the British Standards Institution, lays down recommendations and guidance for identifying the range of controls needed for most situations where information systems are used in industry and commerce. A number of controls are highlighted as guiding principles, providing a good starting point for implementing information security. They are either based on essential legislative requirements or considered to be common best practice.
Controls considered to be essential to an organisation from a legislative point of view include:
- intellectual property rights;
- safeguarding of organisational records;
- data protection and privacy of personal information.
Controls considered to be common best practice for information security include:
- information security policy document;
- allocation of information security responsibilities;
- information security education and training;
- reporting security incidents;
- business continuity management.