©1998-2004 ITU Telecommunication Development Bureau (BDT) E-Strategies. Page - 1 Policy Issues for e-Applications (e-Commerce) Alexander NTOKO Chief, E-Strategies.

©1998-2004 ITU Telecommunication Development Bureau (BDT) E-Strategies. Page - 1

Policy Issues fore-Applications (e-Commerce)

Alexander NTOKO

Chief, E-Strategies Unit

ITU Telecommunication Development Bureau (BDT)

Email: [email protected] Web: http://www.itu.int/ITU-D

ITU/BDT Arab Regional Workshop on “e-Services Policies”

Damascus, Syria 27-29 April 2004

o Legal Issues• Privacy • Data protection• Liabilities of Service Providers• Intellectual property rights, copyright • Digital signatures • Electronic contracts• Consumer protection• Jurisdiction for Cross-border transactions

o Financial Issues• Customs• Taxation• Revenue implication for Governments • Monetary Policies • Banking Regulations• Currencies

o Technology issues• Security• Encryption• Authentication• Telecommunications infrastructure• Internet: Bandwidth, Affordability,

Accessibility and QoS. • Standards, interoperability• Electronic payment systems

o Economic issues• Impact on workforce

• des-intermediation• re-intermediation• Effects of automation

• Market access • Micro Businesses • Skills availability• Revenue implications

o Cultural issues• Content Diversity• Multilingualism • Cultural diversity• Censorship• Cultural implications – indigenous

people

o Governance issues• International coordination of the Internet

• Internet cc Domain Names and

• IP Address Management

• Information and Network Security

• Payment of international links

• Certification Authorities

• Root certification,

• Hierarchy of CAs

• Cross Certification

• International coordination

o Trade issues (e-business)• WTO Agreements – Impact on Global E-

commerce?• Duty-free entry of goods in electronic

form• Free Trade Zones• Market Access in a Borderless World• Tangible vs. Electronic Goods

“Near consensus”: paperless

o Paperless transactions: Law has traditionally presumed the presence of paper records “in writing”. Near consensus that governments need to make amendments to laws in order to bring media-neutrality of statutes, evidence rules for electronic records (note: email evidence was used in Clinton and Microsoft legal battles), recognition of electronic signatures combined with a reliable certification authority.

o Many countries now enacting laws to recognize electronic media as valid for e-transactions.

o But what about interoperability of the technology requirements and legal frameworks?

“Near consensus” proposalso Privacy

• only self-regulation – So far, has not worked. Governments are becoming more active in by proposing new regulations.

o Encryption – Export Restrictionso Jurisdiction for Cross-border Transactions o Role of private sector, government and

international organizations – Being discussed in WSIS process.

o Content – Censorship and Cultural Diversityo Internet governance and domain nameso Liability of intermediaries

“Near consensus”: Privacy

Bad practices:o Keep track of user browsing and choices

without his/her consento Sell user data (e.g., e-mail addresses) to be

used for Spamming and Spimming. o US and EU Regulations being put in place.o Use spending profile for advertisement.o Pull user data from “cookies” stored in the

user’s computer

“Near consensus”: Encryption

o Recommended key lengths• public key systems: 1024 bits keys• symmetric systems: 128 bits keys

o Export Restrictions and Usage for encryption with long keys (e.g. more than 512 bits for RSA and 40-56 bits for symmetric) now solved for most countries (except 6).

o New algorithms developed to replace DES gaining worldwide adoption.

Encryption: key length problem

o US Data Encryption Standard (DES) 56-bit keys is now inadequate

o Triple-DES is one “improvement”: encrypting the output of DES twice using three keys

o AES now replacing DES as main symmetric algorithm.

o Long term (20 years): 128-bits symmetric keys are adequate and difficult to break

o Must distinguish “authentication and integrity services” from “confidentiality services”

o Quantum Cryptography seen as response to growing computing power (used for cracking encryption).

Encryption: key length problem

o RSA RC5 56-bit key crack challenge, early 1997o Bovine RC5 Effort: tens of thousands computers

linked over Internet, more than 4,000 teams

o 72 quadrillion (72,057,594,037,927,936) possible keys to test

o 268 million key blocks distributed to teamso Peak rate of processing: 7 billion keys/secondo Oct 22, 1997: RSA announces successful cracko Conclusion: 56-bit key not sufficiento Remember Moore’s law: computing power doubles

every 18 months – How long before computing power makes 128 bit Key length insufficient???

Cost and time of brute force attacks

o Assumption: 3 years equipment life and continual useo Authors: Blaze, Diffie,Rivest, Schneier, Shinomura,Thompson

“No consensus”: Encryption

o Should citizen’s rights to privacy take precedence over law enforcement concerns?

o “… not possible to prevent criminals from using encryption … little point in preventing legal users from protecting themselves”

“No consensus”: Encryption

o Key escrow: copy of any secret key is deposited with Trusted Third Party (TTP)

o National law might require that TTP hands over secret key on certain situations

o Key recovery: encryption system allows authorized organizations to rebuild key on request (“back door” access to private key)

o Both schemes allow access to encrypted data

“No consensus”: Encryption

o Some European companies are concerned about using US-based Trusted Third Parties (TTPs), since they may contravene their own country’s data protection laws

o A number of countries are becoming concerned about maintaining national root TTPs, to prevent dominance of their national economies by foreign brands

o National security and sovereignty in dealing with encrypted data.

Certification Authority Issues

o Issuing certificates is relatively easyo Managing effectively and securely is

difficult: CAs must maintain a Certification Revocation List (CRL), must not store private keys (risk of “identity theft”), ...

o Trust depends on integrity and security of CA’s practices and procedures

o Users will have many certificates (e.g., one for Intranet, one for Extranet, one at home)

o Interoperability: Need for harmonized policies for generic identity certificates.

Role of Governments, International Organizations and Private sector

o Some e-applications “frameworks” ignore the role of governments & international organizations: everything should be private-sector driven

o Jeffrey Ritter, the chairman of the American Bar Association's committee on Internet law, seeks a middle ground between industry and public policy. "The private sector will be mistaken if they believe they can formulate the rules for e-commerce without the input and consultation of governments," he said.

International coordination frameworks Considering that time is ripe to:

1. seek a better international understanding on how to achieve a friction free and borderless information society while meeting general public interest objectives

2. define the key issues that require strengthened international coordination

3. many organizations are proposing frameworks for global e-applications coordination

Need for a global framework

The global information society requires an appropriate framework covering technical, policies, commercial, and legal aspects. This should foster interoperable technical solutions, competitive business practices and consistent rules. It does not need to consist of detailed and harmonised rules on all relevant aspects.

What is required is a concerted examination of the problems and the priorities, in order to allow the international community to address them in a substantive and coordinated manner.

Need for global framework

o Building trust in electronic transactions by ensuring the security and privacy of transactions and data, and the protection of users.

o Establishing ground rules so that national laws, government policies,customs tariffs, standards, market access, and intellectual property measures create a level playing field for electronic transactions.

Need for global framework

o Enhancing the information infrastructure through common interoperable standards, and access to open networks.

o Maximizing the benefits of electronic transactions by developing awareness and skills, encouraging widespread SME adoption, and ensuring participation and use by all countries.

Conclusion

While waiting for all these issues to be addressed, it is important for Governments to work with the relevant stakeholders (international organizations, public and private sector and civil society) to promote policies that will enhance the development and use of e-applications.

ITU, within the framework of its E-strategies Programme is working with governments, private sector and other entities to address some of the technology policy issues related to fostering the development and use of e-services/applications.

Thank you for your attention