©1998-2002 Telecommunication Development Bureau (BDT) E-Strategies. Page - 1 E-commerce Issues for Policy Makers Alexander NTOKO Head, E-Strategy Unit.

©1998-2002 Telecommunication Development Bureau (BDT) E-Strategies. Page - 1

E-commerce Issues for Policy Makers

Alexander NTOKO Head, E-Strategy UnitITU Telecommunication Development Bureau (BDT)Email: [email protected] Web: http://www.itu.int/ITU-D

Regional Seminar on E-Commerce for CEE, CIS and the Baltic States

Bucharest, Romania 14-17 May 2002

o Legal Issues• Privacy • Data protection• Liabilities of Service Providers• Intellectual property rights, copyright • Digital signatures • Electronic contracts• Consumer protection• Jurisdiction for Cross-border

transactions

o Financial Issues• Customs• Taxation• Revenue implication for

Governments • Monetary Policies • Banking Regulations• Currencies

o Technology issues• Security• Encryption• Authentication• Telecommunications infrastructure• Internet: cost, quality of service,

speed, ...• Standards, interoperability• Electronic payment systems

o Economic issues• Impact on workforce

• des-intermediation• re-intermediation• Effects of automation

• Market access • Micro Businesses • Skills availability•Revenue implications

o Cultural issues• Content• Multilingualism • Cultural diversity• Censorship

o Governance issues• International coordination of the

Internet• Domain Names and • Address Management• Payment of international links

• Certification Authorities• Root certification, • Hierarchy of CAs• International coordination

o Trade issues• WTO Agreements• Duty-free entry of goods in

electronic form• Free Trade Zones

“Near consensus”: paperless

o Paperless transactions: Law has traditionally presumed the presence of paper records “in writing”. Near consensus that governments need to make amendments to laws in order to bring media-neutrality of statutes, evidence rules for electronic records (note: email evidence was used in Clinton and Microsoft legal battles), recognition of electronic signatures combined with a reliable certification authority.

“No consensus” proposals

o Privacy• only self-regulation ??

o Encryptiono Jurisdiction (consensus ??)o Role of private sector, government and

international organizationso Contento Internet governance and domain nameso Liability of intermediaries

“No consensus”: Privacy

Bad practices:o Keep track of user browsing and choices

without his/her consento Sell user data (e.g., e-mail addresses)o Use spending profile for advertisemento Pull user data from “cookies” stored in

the user’s computer

“No consensus”: Encryption

o Recommended key lengths• public key systems: 1024 bits keys• symmetric systems: 128 bits keys

o Export Restrictions and Usage for encryption with long keys (e.g. more than 512 bits for RSA and 40-56 bits for symmetric)

Encryption: key length problem

o US Data Encryption Standard (DES) 56-bit keys is becoming inadequate

o Triple-DES is one “improvement”: encrypting the output of DES twice using three keys

o Long term (20 years): 90-bits symmetric keys are adequate

o 128-bit keys: “impossible” to breako Must distinguish “authentication and integrity

services” from “confidentiality services”

Encryption: key length problem

o RSA RC5 56-bit key crack challenge, early 1997o Bovine RC5 Effort: tens of thousands computers

linked over Internet, more than 4,000 teamso 72 quatrillion (72,057,594,037,927,936) possible

keys to testo 268 million key blocks distributed to teamso Peak rate of processing: 7 billion keys/secondo Oct 22, 1997: RSA announces successful cracko Conclusion: 56-bit key not sufficiento Remember Moore’s law: computing power

doubles every 18 months (no longer valid)

Cost and time of brute force attacks

o Assumption: 3 years equipment life and continual useo Authors: Blaze, Diffie,Rivest, Schneier, Shinomura,Thompson


o Should citizen’s rights to privacy take precedence over law enforcement concerns?

o “… not possible to prevent criminals from using encryption … little point in preventing legal users from protecting themselves” (Bangemann, European Commission)


o Key escrow: copy of any secret key is deposited with Trusted Third Party (TTP)

o National law might require that TTP hands over secret key on certain situations

o Key recovery: encryption system allows authorized organizations to rebuild key on request (“back door” access to private key)

o Both schemes allow access to encrypted data


o Some European companies are concerned about using US-based Trusted Third Parties (TTPs), since they may contravene their own country’s data protection laws

o A number of countries are becoming concerned about maintaining national root TTPs, to prevent dominance of their national economies by foreign brands

Certification Authority Issues

o Issuing certificates is easyo Managing effectively and securely is

difficult: CAs must maintain a Certification Revocation List (CRL), must not store private keys (risk of “identity theft”), ...

o Trust depends on integrity and security of CA’s practices and procedures

o Users will have many certificates (e.g., one for Intranet, one for Extranet, one at home)

o Interoperability: need for standard

Hierarchy of Certification Authorities

Source: BYTE Magazine

Role of Governments, International Organizations and Private sector

o Some E-Commerce “frameworks” ignore the role of governments & international organizations: everything should be private-sector driven

o Jeffrey Ritter, the chairman of the American Bar Association's committee on Internet law, seeks a middle ground between industry and public policy. "The private sector will be mistaken if they believe they can formulate the rules for e-commerce without the input and consultation of governments," he said.


Role of ITU in Global E-Business

Framework for GlobalCo-ordination Policy and Regulatory

Assisting Developing Countries The ITU VAP and ISAP

Building Global Connections The ITU Standards


ITU Role: Policy and Regulatory

Global Forum for Policy and Regulatory Issues

• ITU World Telecom Development Conferences

• ITU Regional and Global TELECOM events

• ITU World Policy Forum

• World Summit on the Information Society (WSIS)

• ITU Regional E-Commerce Events

• Workshops to provide national policy guidance

• Strategic Planning Workshops for Regulators

• Case Studies, Surveys and Policy Analysis


ITU Role: Regional and Global TELECOM


ITU Role – Policy Analysis

Results of an ITU survey on the use of certification for building global trust


ITU-T and ITU-R Recommendations

Access to E-Business Services, Security and Trust

Users and Consumers: Digital, Analogue and cable modem standards for user access to the Internet (V.90 and ISDN standards)

Businesses and Service Providers: Broadband Internet Access for e-business and service providers (DWDM)

Building Global Trust and Security - Standards to establish identities of parties in e-transactions, Digital and Attribute Certificates, Digital Signatures, Certification Authorities and Certificate Distribution Systems

M-Business and Wireless Internet (IMT-2000)Global Standards for high speed 3G digital mobile Fair and equitable access to the radio-frequency spectrum


ITU-T and ITU-R Recommendations

Digital, Analogue and Cable modem standards

High speed digital mobile (IMT 2000)

Broadband IP standards

CertificationStandards

Digital Certificates


Framework for Global Trust

Establishing the identities of entities in

electronic transactions…

… ITU-T X.509enables

authenticationfor e-businesse-governmente-learning ande-procurement

etc…


Through IMT-2000, ITU is laying the foundation for high-speed mobile Internet access and services

… Rapid evolution towards Mobile Internet as high speed digital mobile (3G ITU IMT-2000) networks, services and solutions are scheduled to roll-out...


Third Generation Networks – ITU IMT-2000


ITU-D :Assisting Developing Countries

Creating Digital Opportunities

International coordination frameworks

Considering that time is ripe to:

1. seek a better international understanding on how to achieve a friction free and borderless marketplace while meeting general public interest objectives

2. define the key issues that require strengthened international coordination

3. many organizations are proposing frameworks for global E-commerce coordination

Need for a global framework

The global electronic marketplace requires an appropriate framework covering technical, commercial, and legal aspects. This should foster interoperable technical solutions, competitive business practices and consistent rules. It does not need to consist of detailed and harmonised rules on all relevant aspects.

What is required is a concerted examination of the problems and the priorities, in order to allow the international community to address them in a substantive and coordinated manner.

Need for global framework

o Building trust in electronic commerce by ensuring the security and privacy of transactions and data, and the protection of consumers.

o Establishing ground rules so that commercial laws, tax and customs tariffs, trade policy and market access, and intellectual property measures create a level playing field for electronic transactions.

Need for global framework

o Enhancing the information infrastructure through common interoperable standards, and access to open networks.

o Maximizing the benefits of electronic commerce by developing awareness and skills, encouraging widespread SME adoption, and ensuring participation and use by all countries.

Conclusion

While waiting for all these issues to be addressed, it is important for Governments

to work with the relevant stakeholders (international organizations, public and

private sector and civil society) to promote policies that will enhance the development

and use of electronic commerce.

Thank you for your attention

©1998-2002 Telecommunication Development Bureau (BDT) E-Strategies. Page - 1 E-commerce Issues for Policy Makers Alexander NTOKO Head, E-Strategy Unit.

Documents

o trust

sufficient o

easy o

keyssecond o

private key o

encryption o key escrow

procedures o users

home o interopera